OSQuery Training
  • ℹī¸Info
    • What is OSQuery?
  • đŸ–Ĩī¸Installation Guides
    • đŸĨDebian + Ubuntu Based Systems
    • 🎩Red Hat, CentOS and Fedora Systems
    • đŸĒŸWindows Based Systems
  • 🔰Using OSQuery
    • Basic Queries
  • 💠FleetDM Guides
    • FleetDM Setup
    • Joining Hosts to Fleet
    • Creating New Queries on Fleet
  • 📗Lesson 1
    • Mespinoza/Pysa Ransomware
    • Hunting Mespinoza/Pysa
  • 📙Lesson 2
    • Pay2Key Ransomware
    • Hunting Pay2Key
Powered by GitBook
On this page
  1. Lesson 2

Hunting Pay2Key

Guide on how to successfully hunt down a Pay2Key infected Windows machine.

PreviousPay2Key Ransomware

Last updated 3 years ago

Like lesson 1, search for encrypted files in any of the Users directories by using common encrypted extensions for Pay2Key. ".Pay2Key" or ".enc" are the most common extensions to look for when it comes to Pay2Key ransomware.

SELECT * FROM file WHERE path LIKE "C:\Users\%%" AND filename LIKE "%.enc"

Check champuser's user directory for any ransomware messages that include "MESSAGE.TXT" as that will be included in the filename of any ransom message dropped on a Pay2Key infected Windows machine.

SELECT * FROM file WHERE path LIKE "C:\Users\champuser\%%" AND filename LIKE "%MESSAGE.TXT"

Next, look for any files in either the Windows Temp directory, IME directory, or users directory for anything pertaining to the word "cobalt". The Pay2Key ransomware launches from an executable that contains the word "cobalt" and can leave logs with that word in it as well.

SELECT * FROM file WHERE path LIKE "C:\Users\champuser\%%" AND filename LIKE "cobalt%%"

From these files, find out the time they were modified and pull logs from that time to see suspicious logs (April 19, 2022, around 12:46 AM GMT).

SELECT * FROM windows_eventlog WHERE channel="Security" AND datetime LIKE "2022-04-19T00:46%%";
SELECT * FROM windows_eventlog WHERE channel="Application" AND datetime LIKE "2022-04-19T00:46%%";
SELECT * FROM windows_eventlog WHERE channel="System" AND datetime LIKE "2022-04-19T00:46%%"

From these logs, it can be seen "champuser" was logged into and Windows Defender was turned off during that time period. The status of Windows Firewall may also be in question if it was turned off, check the status of it with the following query.

SELECT * FROM windows_security_products WHERE name="Windows Firewall"

Lastly, search for prefect files, as it is possible that some executables that were ran on this compromised system were deleted after execution. Use the following query to search for Pay2Key files in the Windows prefetch directory.

SELECT * FROM file WHERE path LIKE "C:\Windows\Prefetch\cobalt%%" or path LIKE "C:\Windows\Prefetch\psexe%%"
📙
Successful .enc Extension Query
"SALAM_MESSAGE.txt" on champuser Desktop
Pay2Key Logs Found at "Cobalt.Client.exe.log"
Windows Logs Showing Login of Champuser and Windows Defender Being Turned Off During Attack
Windows Firewall State Set to "Off"
"COBALT.CLIENT.EXE" and "PSEXESVC.EXE" Prefetch Files Found