Overview

overview

10

Static

static

3

1c7ed964dd...18.exe

windows7-x64

10

1c7ed964dd...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06-05-2024 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe

  • Size

    731KB

  • MD5

    1c7ed964dddd78ee5e8d3427e39fb613

  • SHA1

    e34a8c0d58ffe8228ccd18adcab3bd155012f7bb

  • SHA256

    9f108d3210afe4fd08c411caa2cd5540c7d1501b419018c193d30eccca8b02df

  • SHA512

    e2995588fd9b0a02e19f1eb9443d507b6160ae34a6e6d5b7d8749ae895eceda19cdf55c24d1b563bb8841c6dc05fdcf8a8b857f5ccfdede7ebbeeee8d8d3546b

  • SSDEEP

    12288:164z/NTF6hT2H72/3DTYFC24a10Yw54xs0FzNiqosdA6F5mSZ/:gWF6hTCq3YFD4eosa6/

Score
10/10
ctblockerdefense_evasionexecutionimpactransomware

Malware Config

Extracted

Path

C:\ProgramData\uowhmkm.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kurrmpfx6kgmsopm.onion.cab or http://kurrmpfx6kgmsopm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://kurrmpfx6kgmsopm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://kurrmpfx6kgmsopm.onion.cab

http://kurrmpfx6kgmsopm.tor2web.org

http://kurrmpfx6kgmsopm.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:600
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:796
      • C:\Windows\system32\wbem\wmiprvse.exe
        C:\Windows\system32\wbem\wmiprvse.exe -Embedding
        2⤵
          PID:2480
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          2⤵
            PID:1400
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
          • Sets desktop wallpaper using registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          PID:1068
          • C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2916
            • C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe"
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3024
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {EF34EEA5-5277-4495-A3DF-1F08CC9DF6F0} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2900
          • C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
            C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2588
            • C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
              "C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2744
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows all
                4⤵
                • Interacts with shadow copies
                PID:540
              • C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
                "C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe" -u
                4⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:688
                • C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
                  "C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe"
                  5⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  PID:576

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft Help\pefdnyl
          Filesize

          654B

          MD5

          8b4619aa565267bf16f28340978e9928

          SHA1

          8505b8c5308183bd1076999df86cf30ca702220f

          SHA256

          39c2e9f2360e1b0d10363fb8282fa93033ac5afeed0dd2780e87c9d8e572b79c

          SHA512

          653b7a7433d8bc0c685b6822d382c024a2b2377067de3ec9a3dcbd6f5407a4eaaca7b916f50249c795c78e53509a3a2ec37a9c81948e09b017d8af9111b8eab0

          Download Submit

        • C:\ProgramData\Microsoft Help\pefdnyl
          Filesize

          654B

          MD5

          736edc9dbd53ff854dbc2c35d542c2fa

          SHA1

          8c97d682a074624c9d80803e957eb17e3cd2ac5f

          SHA256

          9209483ef2fe34904d9c17591b83088c6b4be99f7d8d380b700ce0e91a0d1d06

          SHA512

          c2f2476f6852ef85ea1040724674094086369bda814a3419828d0bfebe0d228aacced0d325b80a1fcd3b50dc646988536403d1c0a0e91d454d78b9d543cba16b

          Download Submit

        • C:\ProgramData\Microsoft Help\pefdnyl
          Filesize

          654B

          MD5

          49e1e80a70d54b5c9ab5dda075789b6e

          SHA1

          9f48e5366e5c8c7c43e8f0536b78364f5b3f20d0

          SHA256

          0d16f981268cd6f9f7cfbcb11798968da9522466611e4adee85ff0811e02b545

          SHA512

          fdb82c43553de8c9d67a1602fdc23c10cfb70b75c16759e6cab037b64aaa2f48959c0b02f63e32525ce713ca85deef9e240593c2ea9b4400b3901097b2693cb6

          Download Submit

        • C:\ProgramData\uowhmkm.html
          Filesize

          63KB

          MD5

          7ed884c431ea451d4b40c30e12d24074

          SHA1

          06f117551da98ca09a57681b87e7244703751ff6

          SHA256

          a110b2aed572905b4037187b6e84a38984d7e8d162961cd1c8ca00c0cbf3bbd3

          SHA512

          c2785fc3d0e75b691120a3022fd298c83888bc7c5e3320d2c2fb2c33cd61d82bc12ba0d039ac109d29c384de3623608aab2dd8fad7b46fe5f207f62530b0472a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ppxpdxm.exe
          Filesize

          731KB

          MD5

          1c7ed964dddd78ee5e8d3427e39fb613

          SHA1

          e34a8c0d58ffe8228ccd18adcab3bd155012f7bb

          SHA256

          9f108d3210afe4fd08c411caa2cd5540c7d1501b419018c193d30eccca8b02df

          SHA512

          e2995588fd9b0a02e19f1eb9443d507b6160ae34a6e6d5b7d8749ae895eceda19cdf55c24d1b563bb8841c6dc05fdcf8a8b857f5ccfdede7ebbeeee8d8d3546b

          Download Submit

        • memory/576-1294-0x0000000000C10000-0x0000000000E5B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/576-1293-0x0000000000C10000-0x0000000000E5B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/600-30-0x0000000000520000-0x0000000000597000-memory.dmp

          Filesize

          476KB

          Download

        • memory/600-26-0x0000000000520000-0x0000000000597000-memory.dmp

          Filesize

          476KB

          Download

        • memory/600-27-0x0000000000520000-0x0000000000597000-memory.dmp

          Filesize

          476KB

          Download

        • memory/600-29-0x0000000000520000-0x0000000000597000-memory.dmp

          Filesize

          476KB

          Download

        • memory/600-35-0x0000000000520000-0x0000000000597000-memory.dmp

          Filesize

          476KB

          Download

        • memory/600-37-0x0000000000520000-0x0000000000597000-memory.dmp

          Filesize

          476KB

          Download

        • memory/600-33-0x0000000000520000-0x0000000000597000-memory.dmp

          Filesize

          476KB

          Download

        • memory/600-40-0x0000000000520000-0x0000000000597000-memory.dmp

          Filesize

          476KB

          Download

        • memory/600-1258-0x0000000000520000-0x0000000000597000-memory.dmp

          Filesize

          476KB

          Download

        • memory/2744-1271-0x00000000006D0000-0x000000000091B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2744-22-0x00000000006D0000-0x000000000091B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2744-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2744-1281-0x00000000006D0000-0x000000000091B000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/3024-1-0x0000000000400000-0x00000000004A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3024-8-0x00000000008B0000-0x0000000000AFB000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/3024-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3024-12-0x0000000000400000-0x00000000004A4600-memory.dmp

          Filesize

          657KB

          Download

        • memory/3024-4-0x0000000000400000-0x00000000004A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3024-7-0x0000000000690000-0x00000000008AA000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3024-6-0x0000000000400000-0x00000000004A5000-memory.dmp

          Filesize

          660KB

          Download