Merry — X-mas.rar

Upon execution, the ransomware performs the following actions:

It remains idle for a short period before connecting to a Command & Control (C2) server (historically https://onion1.host/cd/copy/gate.php) to upload the victim's computer name, username, running processes, and hardware info.

.MERRY, .RARE1, .PEGS1, .MRCR1, and .RMCM1.

1. Attack Vector & Distribution

The file is a malicious archive associated with the Merry Christmas (or Merry X-Mas) ransomware, a threat first identified in early January 2017.

Malware Profile: Merry X-Mas Ransomware
First Spotted: January 3, 2017.
Target OS: Windows.
Developer Alias: "ComodoSecurity".

Emails disguised as court attendance notifications.

Victims are lured into clicking links that download a ZIP or RAR archive (like Merry X-Mas.rar). Inside is often a malicious executable (e.g., COMPLAINT.pdf.exe) or a Word document with a malicious macro.

2. Execution & Technical Behavior
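For the archive lure described under Attack Vector & Distribution, a mail gateway or triage script can flag double-extension members such as COMPLAINT.pdf.exe by name alone, without extracting anything. The following is an added example, not code from the original page: the extension lists, the function names and the sample archive are assumptions constructed for illustration, and it handles ZIP only because Python's standard library has no RAR reader.

```python
import io
import zipfile

# Assumed extension lists for this example; tune them for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
MACRO_EXTS = {".doc", ".docm", ".dotm"}  # Word formats that can carry macros


def classify_member(name: str) -> str:
    """Return 'block', 'review' or 'ok' for one archive member name."""
    # Keep only the file name, drop trailing dots/spaces (Windows ignores them).
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    # Every dot-separated part after the first is treated as an extension;
    # strip padding spaces used to push the real extension out of view.
    exts = ["." + part.strip() for part in base.split(".")[1:]]
    if not exts:
        return "ok"
    if exts[-1] in EXECUTABLE_EXTS:
        # Decoy document extension followed by an executable one: the lure pattern.
        if any(ext in DECOY_EXTS for ext in exts[:-1]):
            return "block"
        return "review"  # plain executable inside a mailed archive
    if exts[-1] in MACRO_EXTS:
        return "review"  # send to macro analysis / sandbox
    return "ok"


def triage_zip(data: bytes) -> dict:
    """Classify every member of a ZIP by name only; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return {name: classify_member(name) for name in archive.namelist()}


def build_sample_zip() -> bytes:
    """Constructed sample archive with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in ("COMPLAINT.pdf.exe", "notice.pdf      .exe",
                     "summons.doc", "tools/setup.exe", "readme.txt"):
            archive.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in triage_zip(build_sample_zip()).items():
        print(f"{verdict:6} {member}")
```

A "block" verdict means a decoy document extension precedes an executable one; "review" covers bare executables and macro-capable Word files that should go to a sandbox rather than straight to the user.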