blackmatter | 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

General

Target

5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Size

80KB
MD5

5c66cd4f21254f83663819138e634dd9
SHA1

6626cae85970e6490b8b0bf9da9aa4b57a79bb62
SHA256

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c
SHA512

093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a
SSDEEP

768:JHVfahoICS4AI4kyPh2qFSpAM0zHTMoXsLipP4+1Kkxwz5m7HEzETWOUP9LXzTN:/nICS4A79p2qFTM2HT02F4mHI5msOq

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\Users\il0ExfkEX.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen sensitive data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2 >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Renames multiple (155) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\il0ExfkEX.bmp"	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\il0ExfkEX.bmp"	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\WallpaperStyle = "10"	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeBackupPrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeDebugPrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: 36	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeImpersonatePrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: 33	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeManageVolumePrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeRestorePrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeSecurityPrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeShutdownPrivilege	564	5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
Token: SeBackupPrivilege	2648	vssvc.exe
Token: SeRestorePrivilege	2648	vssvc.exe
Token: SeAuditPrivilege	2648	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\il0ExfkEX.README.txt

Filesize
1KB

MD5
896f61d321c4af276b7a80be14715992

SHA1
feca31af9616ac09d73900d32a8dc8d08fce51e6

SHA256
8553b63516ebbad0ce0653b3e21831b5dd114584ec49f6f413ad928ee68e6c21

SHA512
81fd91036800c12a66e9c352a70293734f5d4355c6c2fbf39446602655f596ac3afc150a4c0494c804a4226aba55aa65f031bd0957f79ffd131e5329fb0ec82e

Download Submit
memory/564-1-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/564-0-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing