General

  • Target

    5ace8c5d5f2afdb9fd8d43b648a43b55_JaffaCakes118

  • Size

    774KB

  • Sample

    240519-w5xjysbf43

  • MD5

    5ace8c5d5f2afdb9fd8d43b648a43b55

  • SHA1

    46b827870da857bfaf099c5c9f44dd1657a9672b

  • SHA256

    1278fce7d3446e34bc6c46b7262ddb63c34c848696d428a24c896b9c700c1203

  • SHA512

    cddf5692b06d3578c7f35257db712aa7ad9c38ba304d09a8a86304fb77d06917ff9270ffdb5bb56ce5290b81cd8c8deae3b539db73c95b62f5f1b5283ad4dd51

  • SSDEEP

    12288:LhxkIZmxyBvy6IoxXB6oVZvX9QgvI9SJrydXCf6WWfr7BIr5keieo3uwlsHCd0+d:txk+KyBcoxx5Z/6gISBFf9IIuj+Qgc
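
Hash verification against this report's IOC table, added here as an example and not part of the sandbox's own tooling. It assumes only the Python standard library; the SHA-256 table is transcribed from the digests on this page (the submitted sample above and the files listed under Targets below), the `self_check` bytes are constructed, and the double-extension helper encodes the lure pattern of the payload name "Uw Factuur 0092-0287492-39238.pdf.exe" (Dutch for "Your invoice", with a .pdf.exe tail so Explorer's hidden-extension default shows it as a PDF):

```python
"""Compute the digests listed on this report for a file and match them to its IOC table."""
import hashlib
import io
from typing import Dict, Optional

# SHA-256 -> name as printed on the report. Transcribed from this page, not generated.
REPORT_SHA256: Dict[str, str] = {
    "1278fce7d3446e34bc6c46b7262ddb63c34c848696d428a24c896b9c700c1203":
        "5ace8c5d5f2afdb9fd8d43b648a43b55_JaffaCakes118 (submitted sample)",
    "5930f3589545070d4ab4e09c857db89b9b60e882d12ee6dc0b7213e37d32a50e":
        "Uw Factuur 0092-0287492-39238.pdf.exe (CTB-Locker payload)",
    "e560384c5298ee2123e8340e716b2c4680f51b4d0347995ba3290dbd1130c6c0":
        "$PLUGINSDIR/InstallOptions.dll",
    "44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82":
        "$PLUGINSDIR/System.dll",
}

# The four algorithms the report prints (ssdeep is omitted: it is not in the stdlib).
ALGOS = ("md5", "sha1", "sha256", "sha512")

# Extensions a lure pretends to be, and the executable extensions hidden behind them.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Hex digests for data already in memory (small dropped files, extracted configs)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def digest_stream(fh, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same result as digest_bytes, but streams a binary file object so a large
    sample is never read into memory at once. All four hashers see each chunk."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str) -> Dict[str, str]:
    """Digest a file on disk via the streaming path."""
    with open(path, "rb") as fh:
        return digest_stream(fh)


def match_report(digests: Dict[str, str]) -> Optional[str]:
    """Look the SHA-256 up in the report's table; None means the file is not one listed here.
    Compare on SHA-256 rather than MD5: MD5 collisions are practical, SHA-256 ones are not."""
    return REPORT_SHA256.get(digests["sha256"].lower())


def is_double_extension_lure(filename: str) -> bool:
    """True for names like 'invoice.pdf.exe': a document extension immediately
    followed by an executable one, which Windows hides by default."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS


def self_check() -> bool:
    """Streaming and in-memory paths must agree before either is trusted (constructed bytes)."""
    data = b"constructed test bytes, not sample content"
    return digest_stream(io.BytesIO(data)) == digest_bytes(data)


if __name__ == "__main__":
    import sys
    for sample in sys.argv[1:]:
        d = digest_file(sample)
        print(sample, d["sha256"], match_report(d) or "not on this report",
              "DOUBLE-EXTENSION LURE" if is_double_extension_lure(sample) else "")
```

Run it as `python triage_hashes.py <file>`; a hit prints the report's name for the file, and a `.pdf.exe`-style name is flagged regardless of whether the hash matches, since repacked variants change every digest but rarely change the lure.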

Malware Config

Extracted

Path

C:\ProgramData\nxvokvc.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Targets

    • Target

      Uw Factuur 0092-0287492-39238.pdf.exe

    • Size

      804KB

    • MD5

      88a509f4974b099b9a18c97e93d23f6b

    • SHA1

      215f031e777464de6a253be0c520c6ce815bdf88

    • SHA256

      5930f3589545070d4ab4e09c857db89b9b60e882d12ee6dc0b7213e37d32a50e

    • SHA512

      f9b378d7819f7087ef6abf276c59acf8b528d675e69f1da6d63b6690fb3d9f241c5702ae7e23f35bd21547bfe5e3202c2c5879326003caacc817d3ddc1b0cb4f

    • SSDEEP

      12288:7W02CHYwXcuevg6KILXB6iVZdXlQgBI7SJrydLCf6WsfrZBIr5kei+o3cw5s7CRH:7ACHnXcEILxtZtSg+SBzf9uIuvMqkk

    • CTB-Locker

      Ransomware family (Curve-Tor-Bitcoin Locker) that hides its C2 behind a Tor hidden service. The extracted note above points victims at one v2 .onion address and at the same address through two public Tor2Web gateways (onion.cab and tor2web.org), so the three URLs are a single service, not three indicators.

    • Deletes shadow copies

      Ransomware commonly removes Volume Shadow Copies (vssadmin, or the Win32_ShadowCopy class over WMI) so encrypted files cannot be restored from local snapshots; this is the Inhibit System Recovery (T1490) row in the matrix below, and the WMI row (T1047) is the usual companion.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence: many ransomware families exit without encrypting on locales the operators want to avoid.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the system drive (C:), the usual prelude to encrypting files on every attached volume rather than only the user profile.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext (rewriting another thread's registers, commonly seen when a payload is injected into a suspended process)

    • Target

      $PLUGINSDIR/InstallOptions.dll

    • Size

      14KB

    • MD5

      eee2912bd1ee421cf1f1dfb1cc327d97

    • SHA1

      c5d3741ddb195718c9b17923eb6abfb7a732bdc1

    • SHA256

      e560384c5298ee2123e8340e716b2c4680f51b4d0347995ba3290dbd1130c6c0

    • SHA512

      1808a068386c790d8ad5096d9fededcfa6e5688e3a68f2499418456c9cafd7b837c811298e6570212155b4a3d6038c1749cfcd9d1b86f090f66d1a5301adecb2

    • SSDEEP

      192:qcOqh13v5z+dHeMR2QwHu5S9i/yULWWBZYJCSJyejPK72dwF7dBKEw:qcD13v5SdHeMRRKkwsejP+BV

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      883eff06ac96966270731e4e22817e11

    • SHA1

      523c87c98236cbc04430e87ec19b977595092ac8

    • SHA256

      44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

    • SHA512

      60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    • SSDEEP

      96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u

    Score
    3/10
    • Target

      403-16.htm

    • Size

      1KB

    • MD5

      9d02dc79e5a6215c2931e56925a8bebc

    • SHA1

      17f413e8eddea932d0088a4a86c43fc8d06c8c7a

    • SHA256

      30c45a56c91ecfd5b654ad172fddc84e5d930e18f5031c778223651c5348d612

    • SHA512

      7f64b11eee14c4e13d084211bd4848cdb27471dde064fad7ac787b7307a85b5b8c953d40b26b8db410bad2b268d6bd94e4e4cb8be6c299cd32e5818988ac22db

    Score
    1/10
    • Target

      403-18.htm

    • Size

      1KB

    • MD5

      56dc72e6d4312b109ec4862c045d00d6

    • SHA1

      35cb8a074b875326de6d4206feb631479c47e782

    • SHA256

      0246ad30d0589512453a988e290c7c0a3d3a74dfaa7213f3716ef3ebf7c0b4d3

    • SHA512

      7c7a1b996fec2e28b30533b297517bd5d621f0b7beac69b87c08742146028c6dfc9e34f3e391226d72f7723e54a3833877dca09b820299497ea7167395f1869b

    Score
    1/10
    • Target

      404.htm

    • Size

      1KB

    • MD5

      c9bc5da6fd95dd59b3d1e69c3bc97d40

    • SHA1

      ff4b92b0c8d12a77d12853be583c85fad9b4ebd7

    • SHA256

      cd201762f1c25dc56952abcb7d09a2463aca29a67872ea1cf732ca244a66867e

    • SHA512

      2677a2cf9f066afb73f2cade9840655c9e592273d2870b74bd1d28f9a899e10a47d127871f9b7f0e817e7bfb93ace30bb62c90a66001eed6ca75bbe29682d156

    Score
    1/10
    • Target

      Linker.dll

    • Size

      20KB

    • MD5

      d4347e5ece1d7cc8a2fffb1afef7ea32

    • SHA1

      4a656426fdc156a914494cef7f8fc437d6ca28dc

    • SHA256

      6f7a21dd4e3539e81113a54f5f1ab70fb3e5457033e923fbb95fdb80b7c433cd

    • SHA512

      0923dd987ef862f4341643627c68fdf276a749aa647c29509d72ec9ee77accb79a5fde7e1387696534e096c8c1714ce694c9c826faff2a06178b7068e7d48d56

    • SSDEEP

      384:EgK68Njc9SBE4iKYQqxLCwvC11oMgLiEW0OU+l6y5:EgdPuE4AxLCwvC11oMg5Y

    Score
    3/10
    • Target

      Warn If RGB.jsx

    • Size

      3KB

    • MD5

      ae91301a596819d2abe479e3d5bcf3f7

    • SHA1

      c1effcc1b453ee3060d95334fae707d309732dee

    • SHA256

      866ac76bce63b709c4a74c8ddeeb943064b51834abcb84994c9e49f66a42195c

    • SHA512

      0cf8612875d2f5e4b75df043ee450ffa4f6091ab9a6b5d4dab851757c31a86c3edbb4385a59f4a7c2ac3c6926d6309529c92cb0c7d0e3c4f0f907e6fe48767d9

    Score
    3/10
    • Target

      asyncqueue.js

    • Size

      4KB

    • MD5

      97c2cce0b8038bd21abaf457b50f8112

    • SHA1

      ac6fc6496817e98c7701fc9afc5e0b6eb78d74bb

    • SHA256

      f59ee97d7d97c887e5da91778ce8d3583b1e448680581e1796312d017e699059

    • SHA512

      874ff6ce0ca3ed1a57e379e91a9ff94e3893b3ceb9e7c1b6bf715565347c14e3e8b8a3bdeb86ae55a9ce9d67eeb3dd6289e63b756dbb4b1db91ef08a88798fc3

    • SSDEEP

      96:cwsXcQH3oHD2ttYv4RyArN8bgThcwgxoAkKtNHY:ocQH3wKt988TpmVY

    Score
    3/10
    • Target

      compare-with-callbacks.js

    • Size

      1KB

    • MD5

      2c6f5684ce8e64e2ac4d106ec6c361dd

    • SHA1

      78f431b04243778cf02f29c63ec1f10e464bde6a

    • SHA256

      1d552bba9fdb2557c0a0b55c79eb322852df0e6a0bcb3b48cfbdd335f32b3552

    • SHA512

      0e53cd5e0c943e9c2014b8b778811b4aa83610347f7156ef4b5f616a13a7d29552f72087fe8a956c1c9464af224dcf113232d65e913049e8be8966aa7f2887a6

    Score
    3/10
    • Target

      head.js

    • Size

      25B

    • MD5

      19ebe25a2df3c27bfc3c692ba7ce9158

    • SHA1

      f7f5514d24f03611b055af2fc9a541ecf579142e

    • SHA256

      f5f9b7e1859d47775dfe65573624e84f1e2d6f9c2a3a08f684b8148cefb720e8

    • SHA512

      76c4e82aa9bf6d64c956788eacb9c8bc13db2e626c44a548ab7a49dda9569ea06b48dc46b92e725ce2ab4a7a7124cf01565923adbc7a4c529ac429184639659b

    Score
    3/10
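
Host-side detection for the behaviours the report attributes to the payload, added here as an example and not part of the sandbox. The event records are constructed and use Sysmon-style field names (EventID 1 process create, 11 file create, 13 registry value set) as an assumption about the log source; the wallpaper rule keys on the standard HKCU\Control Panel\Desktop\Wallpaper value, the ransom-note rule on the C:\ProgramData\<name>.html path the report extracted, and the ATT&CK IDs are the ones in the matrix below. The gateway extractor is run over an excerpt of the note above.

```python
"""Map CTB-Locker behaviours from this report onto Sysmon-style telemetry."""
import re
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, object]

# Shadow-copy deletion via the CLI tool or via WMI (the matrix lists both T1490 and T1047).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"   # vssadmin.exe Delete Shadows /All /Quiet
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"   # wmic shadowcopy delete
    r"|win32_shadowcopy",                    # same class reached from script/WQL
    re.I,
)
# Processes that legitimately set the Wallpaper value; anything else doing it is suspect.
WALLPAPER_WRITERS = {"explorer.exe", "systemsettings.exe"}
# v2 onion address (16 base32 chars) served directly or through a Tor2Web gateway.
TOR_GATEWAY = re.compile(r"https?://[a-z2-7]{16}\.(?:onion\.cab|tor2web\.org|onion)\b", re.I)


def _image_name(ev: Event) -> str:
    return str(ev.get("Image", "")).rsplit("\\", 1)[-1].lower()


def _field(ev: Event, key: str) -> str:
    return str(ev.get(key, "")).lower()


# (ATT&CK ID from this report's matrix, report signature it mirrors, predicate)
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("T1490", "Deletes shadow copies",
     lambda ev: ev["EventID"] == 1 and SHADOW_DELETE.search(_field(ev, "CommandLine")) is not None),
    ("n/a", "Drops ransom note HTML in C:\\ProgramData",
     lambda ev: ev["EventID"] == 11
     and re.fullmatch(r"c:\\programdata\\[a-z0-9]+\.html", _field(ev, "TargetFilename")) is not None),
    ("T1491", "Sets desktop wallpaper using registry",
     lambda ev: ev["EventID"] == 13
     and _field(ev, "TargetObject").endswith(r"\control panel\desktop\wallpaper")
     and _image_name(ev) not in WALLPAPER_WRITERS),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (event index, ATT&CK ID, signature) for every rule each event satisfies."""
    hits = []
    for idx, ev in enumerate(events):
        for attack_id, name, pred in RULES:
            if pred(ev):
                hits.append((idx, attack_id, name))
    return hits


def extract_tor_gateways(note_text: str) -> Set[str]:
    """Pull the .onion service and its Tor2Web mirrors out of a ransom note.
    The same 16-char label under .onion, .onion.cab and .tor2web.org is one C2, not three."""
    return set(TOR_GATEWAY.findall(note_text))


# Constructed telemetry for one run of the payload; only the note path comes from the report.
PAYLOAD = r"C:\Users\victim\Downloads\Uw Factuur 0092-0287492-39238.pdf.exe"
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": PAYLOAD, "CommandLine": f'"{PAYLOAD}"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": PAYLOAD,
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 11, "Image": PAYLOAD, "TargetFilename": r"C:\ProgramData\nxvokvc.html"},
    {"EventID": 13, "Image": PAYLOAD,
     "TargetObject": r"HKU\S-1-5-21-1000-1000-1000-1001\Control Panel\Desktop\Wallpaper"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",   # user changing wallpaper: not a hit
     "TargetObject": r"HKU\S-1-5-21-1000-1000-1000-1001\Control Panel\Desktop\Wallpaper"},
]

# Excerpt of the ransom note extracted above.
NOTE_EXCERPT = (
    "Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org "
    "in your browser. 1. Download Tor Browser from http://torproject.org. "
    "2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion"
)

if __name__ == "__main__":
    for idx, attack_id, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {attack_id} {name}")
    print(sorted(extract_tor_gateways(NOTE_EXCERPT)))
```

Two of the report's signatures deliberately have no rule here: "Checks computer location settings" and "Enumerates connected drives" are registry and filesystem reads, which Sysmon does not log, so a sandbox's API tracing sees them but endpoint telemetry generally does not. The shadow-copy rule is the high-confidence one; pair it with the ProgramData note drop and a wallpaper write from a non-shell process to avoid alerting on an administrator running vssadmin by hand.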

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic           Technique                              Count  ID
Execution        Windows Management Instrumentation     1      T1047
Execution        Command and Scripting Interpreter      4      T1059
Execution          JavaScript                           4      T1059.007
Defense Evasion  Indicator Removal                      2      T1070
Defense Evasion    File Deletion                        2      T1070.004
Defense Evasion  Modify Registry                        5      T1112
Discovery        Query Registry                         4      T1012
Discovery        System Information Discovery           5      T1082
Discovery        Peripheral Device Discovery            1      T1120
Impact           Inhibit System Recovery                2      T1490
Impact           Defacement                             1      T1491
