conti | 4594624a828fe7704559f90a45cf1db38a22ddb5e856a2003f15a3789d75e1ce

Analysis

max time kernel
137s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e169583dad1106fb369fd9b6ebc0beb_JaffaCakes118.dll
Size

212KB
MD5

6e169583dad1106fb369fd9b6ebc0beb
SHA1

c4bc5650e26855bc7b54da693ffbbb90c088268e
SHA256

4594624a828fe7704559f90a45cf1db38a22ddb5e856a2003f15a3789d75e1ce
SHA512

11c62dec0223d7249fe8f5b2716582703fe9c052d80772358c8b0f3aa27607940f446fc7146731a9f7a8e14541ee3b99848db7679199ab96d948c0c0a079aa3d
SSDEEP

3072:9qKXlgNpgKCfzCLfDLG9dRdHkWqmXKipBAI/xRfvDMTo2tc:zKgVfGLfPG9dE4pBAoxuc

Score

10^/10

conti credential_access discovery ransomware stealer

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.best YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- g1lTzZjVPrqCZPVYj1UwpeupnaGidaVdVAVF8QyXhd5MeNX2bcl2zZYyzkMNUVUh ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.best

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Renames multiple (7373) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	regsvr32.exe

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	regsvr32.exe
File opened for modification	C:\Program Files\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	regsvr32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\readme.txt	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\da-dk\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag.png	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\readme.txt	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sl_get.svg	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\ui-strings.js	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif	regsvr32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\README.html	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api	regsvr32.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\am.pak	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot_2x.png	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css	regsvr32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo	regsvr32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png	regsvr32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-awt-j2se-1.3.2.jar	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ko.pak.DATA	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nb-no\ui-strings.js	regsvr32.exe
File created	C:\Program Files\Java\jdk-1.8\include\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT	regsvr32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\readme.txt	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\bun.png	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_removeme-default_18.svg	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ug.pak	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms	regsvr32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\readme.txt	regsvr32.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png	regsvr32.exe
File created	C:\Program Files (x86)\Reference Assemblies\readme.txt	regsvr32.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML	regsvr32.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\readme.txt	regsvr32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar	regsvr32.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\readme.txt	regsvr32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe
4960	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6e169583dad1106fb369fd9b6ebc0beb_JaffaCakes118.dll
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\readme.txt

Filesize
866B

MD5
ae30e9269406967db4e36be1231511d4

SHA1
7fc889481c6aeb0af0205f6a94db453c84ca5f8c

SHA256
5740eed1371ce7484a6a19561bc01071caf1d0f718c410d21799d4a2b226ebf2

SHA512
a1a6cbad88de73ac495e357de43d51ef6936c8e6e3c6260970011149d3eccbf58fee39fabe82d6ce1fe11518ce5ef9e4fc113cb84dc9c59544d8fd11d708fdff

Download Submit