Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29-03-2024 07:29
General
-
Target
1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe
-
Size
2.0MB
-
MD5
1c37c947943a928e5378931ca23d3379
-
SHA1
570eead825c666609b7f7d94de4ff90a86cacb94
-
SHA256
217d101b037020cbcdd9fb7e67b2dae7ed3e8467b0dad1ca1ac0a160dc39fb48
-
SHA512
70b16ed622c6cbf75e1e20c08f6415e0ed055c1b1ac9528e98713079bc93eefde4c67a06b8ba20265eafeeb7eb25c21c20f6d74ad00896533638ef6759683ace
-
SSDEEP
49152:0/PdqNddtNfBTXtF7tcEXwNBn+fxl7LI4mfe7mEttebsA8EnqN2U:0/PQNdjjtF7rSn+7LCfLE/eJH
Score
10/10
Malware Config
Extracted
Path
C:\Program Files (x86)\readme.txt
Family
conti
Ransom Note
All of your files are currently encrypted by CONTI strain.
As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly.
If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value.
To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge.
You can contact our team directly for further instructions through our website :
TOR VERSION :
(you should download and install TOR browser first https://torproject.org)
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
HTTPS VERSION :
https://contirecovery.best
YOU SHOULD BE AWARE!
Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.
---BEGIN ID---
WIzXR2lGvuQk29m1PY7u4rlctcqqD9r7P8cxcChaQuFbVn9c3SEhznrejtQj3jBf
---END ID---
URLs
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.best
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Renames multiple (4630) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 38 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1c37c947943a928e5378931ca23d3379_JaffaCakes118.exe"1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1FFFE2A-FCA2-46FB-AB3E-856A1E7D212E}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1FFFE2A-FCA2-46FB-AB3E-856A1E7D212E}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0FC48C72-9C18-47C6-8B58-44674A6F05C7}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0FC48C72-9C18-47C6-8B58-44674A6F05C7}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{204EE53C-B0C6-465C-A10E-C7D01BB1DC56}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{204EE53C-B0C6-465C-A10E-C7D01BB1DC56}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EBE0BD6A-49EE-4877-9DF3-2402C31847DC}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EBE0BD6A-49EE-4877-9DF3-2402C31847DC}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F15D746-ED0B-4572-94AE-1166A292DB55}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F15D746-ED0B-4572-94AE-1166A292DB55}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A07542A-1109-4887-882A-BF29A37D8CD5}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A07542A-1109-4887-882A-BF29A37D8CD5}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2AF7EC3A-8A71-4E82-A340-0C14FAF5465F}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2AF7EC3A-8A71-4E82-A340-0C14FAF5465F}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1DFBBAE0-E294-4355-95C6-36BFB92E0C52}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1DFBBAE0-E294-4355-95C6-36BFB92E0C52}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4095CEB-C8A5-4EF2-B87A-10A0EE0A7922}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C4095CEB-C8A5-4EF2-B87A-10A0EE0A7922}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68599A65-ABD7-47E8-9515-79BD8AE1303A}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68599A65-ABD7-47E8-9515-79BD8AE1303A}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{91297E19-2CAD-413F-A07A-377C39D7CDFE}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{91297E19-2CAD-413F-A07A-377C39D7CDFE}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4C666236-5F6A-4AEB-853C-1D58C067D79C}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4C666236-5F6A-4AEB-853C-1D58C067D79C}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45A30E27-E172-4F14-BA8C-41653AB26A7F}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{45A30E27-E172-4F14-BA8C-41653AB26A7F}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F3A6DF31-F853-49AE-8216-CCA97D39DF0D}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F3A6DF31-F853-49AE-8216-CCA97D39DF0D}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1706141-E98C-4DD8-B93C-0DF9ACA0A9B6}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A1706141-E98C-4DD8-B93C-0DF9ACA0A9B6}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A32BE965-B73A-4EA7-8E0B-7DBEE93FB2E5}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A32BE965-B73A-4EA7-8E0B-7DBEE93FB2E5}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{836E661F-607C-451E-A4A6-8F8E4A56E87A}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{836E661F-607C-451E-A4A6-8F8E4A56E87A}'" delete3⤵
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FF70A0D6-E5D2-4C1C-817F-7E56D7E90DC7}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FF70A0D6-E5D2-4C1C-817F-7E56D7E90DC7}'" delete3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\readme.txtFilesize
1KB
MD58f6296784a2d2a437c579768503f8737
SHA1937b7bab4c20d01d8c9d324c830a14f73cb534a8
SHA256946ca299d775712a93ca6d5daf44b96c986385a584001bf40730eebe86df9071
SHA512f798844b0b44ee8baeba06caf9ac994bc8ad454a9923894567f04154eeeaccd5a171262bf8d0f69356cbed40356f194bf0d7d069ab3c7ba6741642d1e0b0673d
-
memory/1600-0-0x0000000002250000-0x000000000244B000-memory.dmpFilesize
2.0MB
-
memory/1600-1-0x0000000000400000-0x0000000000605000-memory.dmpFilesize
2.0MB
-
memory/1600-258-0x0000000000400000-0x0000000000605000-memory.dmpFilesize
2.0MB
-
memory/1600-1538-0x0000000000400000-0x0000000000605000-memory.dmpFilesize
2.0MB
-
memory/1600-3271-0x0000000000400000-0x0000000000605000-memory.dmpFilesize
2.0MB
-
memory/1600-6461-0x0000000000400000-0x0000000000605000-memory.dmpFilesize
2.0MB
-
memory/1600-6486-0x0000000000400000-0x0000000000605000-memory.dmpFilesize
2.0MB