conti | 95776f31cbcac08eb3f3e9235d07513a6d7a6bf9f1b7f3d400b2cf0afdb088a7

General

Target

k.elf
Size

1.5MB
Sample

240428-ybn2tsff8v
MD5

cfb6d21ffe7c4279f761f2351c0810ee
SHA1

ee827023780964574f28c6ba333d800b73eae5c4
SHA256

95776f31cbcac08eb3f3e9235d07513a6d7a6bf9f1b7f3d400b2cf0afdb088a7
SHA512

c24342fe718d9cd8be98741cb7962b39cdf887b855ac0d7d6c0bbdd346fffd3f1dd1bdb91728bd16efe61456792fcc70b17e6f98cc052e229d186f1d7a28a9b8
SSDEEP

24576:t4mEitdoHarsfZqy5hEiefNvF6pVuQYGM:tdE2dxrUqy5ep5F6mQlM

Score

10^/10

Malware Config

Extracted

Path

/readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. If you don't know who we are - just "Google it." As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly. DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value. DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately. To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/ykCDUCsFcCYo8BNSsvH2TZTvCnEUM30XKoeCZiXUQEjPnzp1nee2ivFY0hAf7frb YOU SHOULD BE AWARE! We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm!

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/ykCDUCsFcCYo8BNSsvH2TZTvCnEUM30XKoeCZiXUQEjPnzp1nee2ivFY0hAf7frb

Targets

- Target
  
  k.elf
- Size
  
  1.5MB
- MD5
  
  cfb6d21ffe7c4279f761f2351c0810ee
- SHA1
  
  ee827023780964574f28c6ba333d800b73eae5c4
- SHA256
  
  95776f31cbcac08eb3f3e9235d07513a6d7a6bf9f1b7f3d400b2cf0afdb088a7
- SHA512
  
  c24342fe718d9cd8be98741cb7962b39cdf887b855ac0d7d6c0bbdd346fffd3f1dd1bdb91728bd16efe61456792fcc70b17e6f98cc052e229d186f1d7a28a9b8
- SSDEEP
  
  24576:t4mEitdoHarsfZqy5hEiefNvF6pVuQYGM:tdE2dxrUqy5ep5F6mQlM
Score

10^/10

conti persistence ransomware evasion
- Conti Ransomware
  Ransomware generally thought to be a successor to Ryuk.
  ransomware conti
- Renames multiple (11437) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes journal logs
  Deletes systemd journal logs. Likely to evade detection.
  evasion
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Deletes log files
  Deletes log files on the system.
- Reads MAC address of network interface
  Fetches the MAC address of active network interfaces. May be used to detect known values for hypervisors.
  evasion
- Reads network interface configuration
  Fetches information about one or more active network interfaces.
- Reads network transmission queue length
  Fetches the value of the tranmission queue length of the network interface (relevant for DDoS attacks).
behavioral1 behavioral2