Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-07-2024 04:15

General

  • Target

    6e169583dad1106fb369fd9b6ebc0beb_JaffaCakes118.dll

  • Size

    212KB

  • MD5

    6e169583dad1106fb369fd9b6ebc0beb

  • SHA1

    c4bc5650e26855bc7b54da693ffbbb90c088268e

  • SHA256

    4594624a828fe7704559f90a45cf1db38a22ddb5e856a2003f15a3789d75e1ce

  • SHA512

    11c62dec0223d7249fe8f5b2716582703fe9c052d80772358c8b0f3aa27607940f446fc7146731a9f7a8e14541ee3b99848db7679199ab96d948c0c0a079aa3d

  • SSDEEP

    3072:9qKXlgNpgKCfzCLfDLG9dRdHkWqmXKipBAI/xRfvDMTo2tc:zKgVfGLfPG9dE4pBAoxuc

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples.
You can contact us for further instructions through:
Our website
TOR VERSION : (you should download and install TOR browser first https://torproject.org)
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
HTTPS VERSION : https://contirecovery.best
YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP
---BEGIN ID---
g1lTzZjVPrqCZPVYj1UwpeupnaGidaVdVAVF8QyXhd5MeNX2bcl2zZYyzkMNUVUh
---END ID---
URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best
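The "Extracted" block above is the output of a config extractor run over the dropped readme.txt. The following is an added example of such an extractor, not tooling from the sandbox vendor: it pulls the family marker, the contact URLs (separating the v3 onion address from the clearnet one) and the victim ID out of the note text reproduced above. The BENIGN_HOSTS allowlist, which drops the torproject.org reference the note makes, is an assumption about what counts as attacker infrastructure.

```python
"""Extract the 'Malware Config' fields (family, contact URLs, victim ID) from a
Conti-style ransom note.  Added example, not the sandbox vendor's code.
RANSOM_NOTE is the readme.txt text reproduced in the report; the BENIGN_HOSTS
allowlist is an assumption."""
import re

RANSOM_NOTE = (
    "All of your files are currently encrypted by CONTI ransomware. If you try "
    "to use any additional recovery software - the files might be damaged or "
    "lost. To make sure that we REALLY CAN recover data - we offer you to "
    "decrypt samples. You can contact us for further instructions through: "
    "Our website TOR VERSION : (you should download and install TOR browser "
    "first https://torproject.org) "
    "http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ "
    "HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in "
    "case, if you try to ignore us. We've downloaded your data and are ready to "
    "publish it on out news website if you do not respond. So it will be better "
    "for both sides if you contact us ASAP ---BEGIN ID--- "
    "g1lTzZjVPrqCZPVYj1UwpeupnaGidaVdVAVF8QyXhd5MeNX2bcl2zZYyzkMNUVUh "
    "---END ID---"
)

# Hosts the note mentions that are not attacker infrastructure (assumed list).
BENIGN_HOSTS = {"torproject.org"}

# Family markers; only the one this report needs is listed.
FAMILY_MARKERS = {"conti": re.compile(r"\bCONTI\b")}

# URLs end at whitespace or a closing parenthesis (the note wraps one in parens).
URL_RE = re.compile(r"https?://[^\s)]+")
ID_RE = re.compile(r"---BEGIN ID---\s*(\S+)\s*---END ID---")
# v3 onion addresses are exactly 56 base32 characters before ".onion".
ONION_V3_RE = re.compile(r"^https?://[a-z2-7]{56}\.onion(?:/|$)")


def host_of(url: str) -> str:
    """Return the lower-cased host part of an http(s) URL."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def parse_ransom_note(text: str) -> dict:
    """Return the config fields a sandbox would list for this note."""
    family = next((name for name, rx in FAMILY_MARKERS.items() if rx.search(text)), None)
    urls = [u for u in URL_RE.findall(text) if host_of(u) not in BENIGN_HOSTS]
    m = ID_RE.search(text)
    return {
        "family": family,
        "urls": urls,
        "onion_urls": [u for u in urls if ONION_V3_RE.match(u)],
        "victim_id": m.group(1) if m else None,
    }


if __name__ == "__main__":
    for key, value in parse_ransom_note(RANSOM_NOTE).items():
        print(f"{key}: {value}")
```

The victim ID is the field worth keeping per sample: it is what the operators key the "negotiation" on, so it ties a note found on a host back to a specific infection even when the URLs are shared across victims.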

Signatures

  • Conti Ransomware

    Ransomware generally thought to be a successor to Ryuk.

  • Credentials from Password Stores: Credentials from Web Browsers (1 TTP)

    Access to, or copying of, a web browser credential store.

  • Renames multiple (7977) files with added filename extension

    Mass renaming with an appended extension is the file-system footprint of ransomware encrypting files across the system.

  • Credentials from Password Stores: Windows Credential Manager (1 TTP)

    Suspicious access to Credentials History.

  • Drops startup file (1 IoC)
  • Drops desktop.ini file(s) (46 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Browser Information Discovery (1 TTP)

    Enumerates browser information.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6e169583dad1106fb369fd9b6ebc0beb_JaffaCakes118.dll
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID: 2952
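Two detections fall straight out of the process tree and the rename signature above: a signed Windows binary (regsvr32) silently registering a DLL that lives in a user-writable temp directory, and a burst of renames that append the same new extension to many files. The following is an added example of that detection logic, not code from the sandbox vendor or the sample; the rename events are constructed, the ".locked" extension and the threshold of 100 are assumptions (the report does not name the extension this sample appends), and the list of user-writable directories is an assumed starting point.

```python
"""Behaviour checks derived from the report: regsvr32 registering a DLL from a
user-writable directory, and a mass-rename burst that appends one extension.
Added example with constructed events; directory list, ".locked" extension and
the threshold are assumptions."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Directory fragments an unprivileged user can write to (assumed list).
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)

# Command line taken from the Processes section of the report.
SAMPLE_CMDLINE = (
    r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp"
    r"\6e169583dad1106fb369fd9b6ebc0beb_JaffaCakes118.dll"
)


def suspicious_regsvr32(cmdline: str) -> bool:
    """True when regsvr32 is asked to register a DLL that lives in a
    user-writable directory.  The /s (silent) switch is not required for the
    match; it only suppresses the success dialog."""
    # Tokenise, honouring double-quoted paths that contain spaces.
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("regsvr32", "regsvr32.exe"):
        return False
    for tok in toks[1:]:
        low = tok.lower()
        if low.endswith(".dll") and any(frag in low for frag in USER_WRITABLE):
            return True
    return False


def mass_rename_extension(events, threshold: int = 100):
    """events: iterable of (old_path, new_path) rename pairs.  Returns
    (extension, count) when at least `threshold` renames keep the original
    name and append the same extension, which is the pattern behind the
    "Renames multiple (7977) files" signature; otherwise None."""
    added = Counter()
    for old, new in events:
        if len(new) > len(old) and new.lower().startswith(old.lower()):
            suffix = new[len(old):]
            if suffix.startswith(".") and len(suffix) > 1:
                added[suffix.lower()] += 1
    if not added:
        return None
    ext, n = added.most_common(1)[0]
    return (ext, n) if n >= threshold else None


def build_sample_events(n_encrypted: int = 150):
    """Constructed rename log: n_encrypted documents gain ".locked" (assumed
    extension, not taken from the sample) plus two ordinary renames that must
    not count."""
    events = [
        (f"C:\\Users\\Admin\\Documents\\report{i}.docx",
         f"C:\\Users\\Admin\\Documents\\report{i}.docx.locked")
        for i in range(n_encrypted)
    ]
    events += [
        ("C:\\Users\\Admin\\Downloads\\setup.part", "C:\\Users\\Admin\\Downloads\\setup.exe"),
        ("C:\\Users\\Admin\\Desktop\\notes.txt", "C:\\Users\\Admin\\Desktop\\notes-old.txt"),
    ]
    return events


if __name__ == "__main__":
    print("regsvr32 flagged:", suspicious_regsvr32(SAMPLE_CMDLINE))
    print("mass rename:", mass_rename_extension(build_sample_events()))
```

The regsvr32 check is a process-creation rule (Sysmon event ID 1 or equivalent); the rename check needs file-rename telemetry and a short time window, otherwise a legitimate bulk rename over a day would also cross the threshold.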

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\readme.txt

    Filesize

    866B

    MD5

    ae30e9269406967db4e36be1231511d4

    SHA1

    7fc889481c6aeb0af0205f6a94db453c84ca5f8c

    SHA256

    5740eed1371ce7484a6a19561bc01071caf1d0f718c410d21799d4a2b226ebf2

    SHA512

    a1a6cbad88de73ac495e357de43d51ef6936c8e6e3c6260970011149d3eccbf58fee39fabe82d6ce1fe11518ce5ef9e4fc113cb84dc9c59544d8fd11d708fdff