ctblocker | 4a0b83817f7e10ccaf4f73a8317c132fef767f646b5669e28d509c935910ef79 | Triage

Sharing

General

Target

0b040905485bcc34a06f2e9ad2f04917_JaffaCakes118
Size

766KB
Sample

240501-d5zefafa2s
MD5

0b040905485bcc34a06f2e9ad2f04917
SHA1

b09140f7d7441e8585d9ca379a5a915357af82af
SHA256

4a0b83817f7e10ccaf4f73a8317c132fef767f646b5669e28d509c935910ef79
SHA512

0f1a854af2e5423f50b124bf274905569e8e4c03eee91e2e23c384234e2b19c8f249b117f033f1ee59f6214d7ca9a2554189f4af009d0bb929feb9c952648052
SSDEEP

12288:5pezD/g+2FEvIuAOGA6ZEL+X+JLBI+ULp3g7lFVBMbLPNqnsb65yP/hizdOGrld9:5p0/p4eAxxOTI+Mhg7lKHVqsUyPpGdOG

Score

10^/10

ctblocker linux ransomware

Malware Config

Targets

- Target
  
  Fattura 00384788-0849838.pdf.exe
- Size
  
  867KB
- MD5
  
  921023d253b6dfac1eaabe38f3b36a45
- SHA1
  
  82ae601f2eb5202a5314feffb2a9bd07c5f33327
- SHA256
  
  a2deb60615b3bd20beeb9253547a41c0a970139bfb59d9f88854b8b61880ead1
- SHA512
  
  86229692b51a24e3f29aec482f6aca2109cf98031011a5bc71b756ee1417fe0200c179bde3adfd9dd72dcb5edd553abb98a5c6845b1c42d3e7672038fb7bc115
- SSDEEP
  
  24576:+XH+j3CgxpmJI+QhQ3r+HVqQUEHpGzOUPZ:Jj3CgxpNhN16EHpCx
Score

10^/10

ctblocker ransomware
- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
  ransomware ctblocker
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  883eff06ac96966270731e4e22817e11
- SHA1
  
  523c87c98236cbc04430e87ec19b977595092ac8
- SHA256
  
  44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
- SHA512
  
  60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
- SSDEEP
  
  96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u
Score

3^/10
behavioral3 behavioral4
- Target
  
  NsResize.dll
- Size
  
  60KB
- MD5
  
  9c655b0c142db0494026c1ebb1b3923f
- SHA1
  
  2dbebe42968e78200688e40ab5b8d25bf8e0b4df
- SHA256
  
  ef2d114896f07fc20aed5c3045754de0103813aa31bedb188262cec6fb3263dd
- SHA512
  
  51d7efab18f6909daf61534befa2e20eec437c24114f7c21b383004806d4b8869dc12395a972965c89dbeb66fe0282833207b5aa93ec7f085ca7054d0a0d9f1d
- SSDEEP
  
  768:qGFZmKGqWJ0hYkuyws9yon9dmkVL8L+vR/2nArYDRjrn9To+:q6mfmYkuX3onDmkVLm+o7DB9To
Score

3^/10
behavioral5 behavioral6
- Target
  
  default_hash.js
- Size
  
  136B
- MD5
  
  06a09bda9d5dd7dba611b2dd460d545e
- SHA1
  
  73946d0150e298464b8a55a107bb22be6368029c
- SHA256
  
  c062646586359c92950920a9e5a51bcec73afeb863dc01337a88adadc789f05e
- SHA512
  
  b104418ebc3eabf7a3d4aae3a23bdeea63d0118f56397e3763318397baa0b59ed5756a354a922c2c6206636ab761197e379e6fa5b4aa7cf2a60c24416a2ad459
Score

1^/10
behavioral10 behavioral7 behavioral8 behavioral9

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Defacement

Resource Development

Reconnaissance

Tasks

static1

behavioral1

ctblockerransomware

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10