a1project

Also known as: a1project

The locker is written in C/C++/ASM.
It supports all systems starting from Windows 2003, has a separate binary for ESXi, and uses a unified encrypted file format across all systems.
WINDOWS:
• Two encryption modes: patch-based and file header.
• Extensive configuration settings: from ignoring specific paths/extensions to terminating services/processes, unlocking occupied files, working with network shares, and more.
• Arguments available for shutting down Hyper-V virtual machines, deleting backups, network scanning with logged-in user tokens.
• Each build includes an obfuscated PowerShell script.
• Execution is password-protected.
• The locker itself is shellcode for x86/x64; if you have custom execution methods, we can provide the shellcode.
ESXI:
• Encrypts files in patches, with configurable path exclusions.
The default configuration is pre-set to avoid disrupting Windows/ESXi/Linux systems.

Our commission is 20% of payouts.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• PowerDuke
• SHUTTERSPEED
• POWERSTATS
• Power Loader
• POWERSOURCE
• Windows Remote Desktop
• PowerRAT
• CrossRAT

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.