Hunting Pay2Key

Guide on how to hunt down a Pay2Key-infected Windows machine.

As in lesson 1, search the Users directories for encrypted files by looking for the extensions Pay2Key commonly appends. ".Pay2Key" and ".enc" are the most common extensions to look for with Pay2Key ransomware.

SELECT * FROM file WHERE path LIKE "C:\Users\%%" AND filename LIKE "%.enc"
Successful .enc Extension Query

Check champuser's user directory for any ransom messages whose filename contains "MESSAGE.TXT", since that string appears in the filename of any ransom note dropped on a Pay2Key-infected Windows machine.

SELECT * FROM file WHERE path LIKE "C:\Users\champuser\%%" AND filename LIKE "%MESSAGE.TXT"
"SALAM_MESSAGE.txt" on champuser Desktop

Next, look in the Windows Temp directory, the IME directory, or the users directory for any files whose names contain the word "cobalt". Pay2Key launches from an executable containing the word "cobalt" and can leave logs with that word in their names as well.

SELECT * FROM file WHERE path LIKE "C:\Users\champuser\%%" AND filename LIKE "cobalt%%" 
Pay2Key Logs Found at "Cobalt.Client.exe.log"

Note the modification time of these files and pull the Windows event logs from that window to look for suspicious entries (here April 19, 2022, around 12:46 AM GMT).

SELECT * FROM windows_eventlog WHERE channel="Security" AND datetime LIKE "2022-04-19T00:46%%";
SELECT * FROM windows_eventlog WHERE channel="Application" AND datetime LIKE "2022-04-19T00:46%%";
SELECT * FROM windows_eventlog WHERE channel="System" AND datetime LIKE "2022-04-19T00:46%%";
Windows Logs Showing Login of Champuser and Windows Defender Being Turned Off During Attack

These logs show that "champuser" was logged into and that Windows Defender was turned off during that period. Since Windows Firewall may also have been disabled, check its state with the following query.

SELECT * FROM windows_security_products WHERE name="Windows Firewall"
Windows Firewall State Set to "Off"

Lastly, search the prefetch files, since executables run on the compromised system may have been deleted after execution. Use the following query to search the Windows Prefetch directory for Pay2Key-related files.

SELECT * FROM file WHERE path LIKE "C:\Windows\Prefetch\cobalt%%" OR path LIKE "C:\Windows\Prefetch\psexe%%"
"COBALT.CLIENT.EXE" and "PSEXESVC.EXE" Prefetch Files Found
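An added example, not part of this guide: a Python script that classifies rows returned by the file queries above (encrypted files, ransom note, cobalt artifacts, prefetch entries) and pivots from the modification time of the cobalt artifacts to the windows_eventlog queries for that minute, as the guide does by hand. The rows are constructed sample data; osquery's file table reports mtime as epoch seconds, and the datetime column of windows_eventlog is assumed to be ISO 8601 in UTC as in the queries above.

```python
from datetime import datetime, timezone

# Constructed sample rows in the shape osquery's `file` table returns
# (mtime is epoch seconds as a string). Not data from a real host.
SAMPLE_ROWS = [
    {"path": r"C:\Users\champuser\Documents\budget.xlsx.enc",
     "filename": "budget.xlsx.enc", "mtime": "1650329101"},
    {"path": r"C:\Users\champuser\Desktop\SALAM_MESSAGE.txt",
     "filename": "SALAM_MESSAGE.txt", "mtime": "1650329190"},
    {"path": r"C:\Users\champuser\AppData\Local\Temp\Cobalt.Client.exe.log",
     "filename": "Cobalt.Client.exe.log", "mtime": "1650329190"},
    {"path": r"C:\Windows\Prefetch\COBALT.CLIENT.EXE-1A2B3C4D.pf",  # placeholder hash
     "filename": "COBALT.CLIENT.EXE-1A2B3C4D.pf", "mtime": "1650329160"},
    {"path": r"C:\Users\champuser\Documents\notes.txt",
     "filename": "notes.txt", "mtime": "1640995200"},
]

CHANNELS = ("Security", "Application", "System")


def classify(row):
    """Label a `file` row by the Pay2Key indicator it matches, or None."""
    name = row["filename"].lower()
    path = row["path"].lower()
    if name.endswith((".enc", ".pay2key")):
        return "encrypted"
    if "message.txt" in name:
        return "ransom_note"
    if "\\windows\\prefetch\\" in path:   # checked before "cobalt": prefetch entries match both
        return "prefetch"
    if "cobalt" in name:
        return "cobalt"
    return None


def eventlog_minute(mtime):
    """Epoch-second mtime -> UTC minute prefix usable in a LIKE on windows_eventlog.datetime."""
    return datetime.fromtimestamp(int(mtime), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M")


def eventlog_queries(rows, channels=CHANNELS):
    """Pivot from cobalt artifact mtimes to one windows_eventlog query per minute and channel."""
    minutes = sorted({eventlog_minute(r["mtime"]) for r in rows if classify(r) == "cobalt"})
    return [f'SELECT * FROM windows_eventlog WHERE channel="{ch}" AND datetime LIKE "{m}%";'
            for m in minutes for ch in channels]


def triage(rows):
    """Count hits per indicator class so the hunt can be summarised at a glance."""
    counts = {}
    for r in rows:
        label = classify(r)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
    print("\n".join(eventlog_queries(SAMPLE_ROWS)))
```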
