Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    136s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/07/2024, 07:46

General

  • Target

    520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    520d488564da102f5482fcfdcdbd266a

  • SHA1

    45deee8360e5af17ca04f4bc0fd2c52ae92eb9f0

  • SHA256

    e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7

  • SHA512

    e2c4f46dcf40b8f03bc9fbe0f0cecf933d2825788b0e9f270e7e7ae8a60174d1b7fc778870aa7ce7ba5cb464f28cc5842d043fc93535921749d186e414f51906

  • SSDEEP

    49152:IF/dnNIXDMIHun5tfySS2wMyw4jVrAGuM2:

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- gufrazxanJ7rgxARuOTCYpFqVJnyoZuShdALs3PjCnANuWY0pSpb7JFDTaK78q9g ---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

  • Renames multiple (7319) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1454A4D-2AF3-49D4-9045-335EED1EFD8C}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1454A4D-2AF3-49D4-9045-335EED1EFD8C}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2416
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\readme.txt

    Filesize

    867B

    MD5

    0e1b5789055ef20f16251ac1358b8b27

    SHA1

    70f73dbf8592e379d7b2c702d77d0d41cc516016

    SHA256

    651bb8f94deeabeddfa0685742425902ae1a2fce599d0f7d20979832eb2b5080

    SHA512

    e3d38553e076fda1da0474854493ac05342ed248187512f7e26335c608b05a25f514ae8e9006319c5da6d0c97a4bc93182a51e1f37a9b713378604db8ada067a

  • memory/2452-18407-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-18410-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-17-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-1-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-11009-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-18404-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-9-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-18406-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-18411-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-0-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-18412-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-18413-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-18414-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-18417-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-18419-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB

  • memory/2452-18422-0x0000000000DC0000-0x00000000011D0000-memory.dmp

    Filesize

    4.1MB