General

  • Target

    VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0

  • Size

    662KB

  • Sample

    240205-jztjwsdbgq

  • MD5

    a5d0e995d43232bd4b3d73f8899b7ef0

  • SHA1

    46e06085c542f69ca2a78bba9f4eaa0ad77b1713

  • SHA256

    597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674

  • SHA512

    c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb

  • SSDEEP

    12288:vKPvdIQ/slCcdrN8VfeP/hUmQ2jqh+aCKpQKEskUjeWhjZrwPqQRc:a6OslWVfeP/s2j8+aCGHFZnOc

Score
10/10

Malware Config

Extracted

Path

C:\ProgramData\ulbiyui.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Targets

    • Target

      VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0

    • Size

      662KB

    • MD5

      a5d0e995d43232bd4b3d73f8899b7ef0

    • SHA1

      46e06085c542f69ca2a78bba9f4eaa0ad77b1713

    • SHA256

      597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674

    • SHA512

      c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb

    • SSDEEP

      12288:vKPvdIQ/slCcdrN8VfeP/hUmQ2jqh+aCKpQKEskUjeWhjZrwPqQRc:a6OslWVfeP/s2j8+aCGHFZnOc

    Score
    10/10
    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

2
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Tasks