ctblocker | cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

General

Target

102c9d8d99c9f453053d1f49620df11f_JaffaCakes118
Size

802KB
Sample

241003-xqsg5a1glm
MD5

102c9d8d99c9f453053d1f49620df11f
SHA1

47ab2f2f660832e3a38f6dee882431a5a2404729
SHA256

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27
SHA512

adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e
SSDEEP

12288:FgORozerFqm6tU2L6kwt0Z9YlU+iyKAqYpBuT+ZlI4O3dRvUC8yr3e9JKjv6JfPf:FZRFxVYJL7jYlU3vAqYphHcLmwCdSRkj

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\pjhsmgj.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Targets

- Target
  
  102c9d8d99c9f453053d1f49620df11f_JaffaCakes118
- Size
  
  802KB
- MD5
  
  102c9d8d99c9f453053d1f49620df11f
- SHA1
  
  47ab2f2f660832e3a38f6dee882431a5a2404729
- SHA256
  
  cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27
- SHA512
  
  adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e
- SSDEEP
  
  12288:FgORozerFqm6tU2L6kwt0Z9YlU+iyKAqYpBuT+ZlI4O3dRvUC8yr3e9JKjv6JfPf:FZRFxVYJL7jYlU3vAqYphHcLmwCdSRkj
Score

10^/10

ctblocker defense_evasion discovery execution impact ransomware
- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
  ransomware ctblocker
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/UserInfo.dll
- Size
  
  4KB
- MD5
  
  d9a3fc12d56726dde60c1ead1df366f7
- SHA1
  
  f531768159c14f07ac896437445652b33750a237
- SHA256
  
  401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
- SHA512
  
  6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/coelenterates.dll
- Size
  
  382KB
- MD5
  
  f2ce2e755d4f18546550ae4a7f2a6626
- SHA1
  
  2d4c874c00dc8006a75bd8e700d77952a08d101f
- SHA256
  
  aa237a70b8b8c08f00bb26fa5c9529b2a41e20222c18d40244459baad2fed3c7
- SHA512
  
  5cb452aaf18ee58bb49fd03581c58f8edd5d9c9c087f95b29638069c6fa5ea08999fc29bee8c95d3f346e979a9fa42f59a01e41f1019c5ea58725ef2567e9855
- SSDEEP
  
  6144:Vv/FxTWxCtqpFpoHJKP9THXKyRo95uTLfkcvd4HIReF:5/FxTWE8pFpopKP1X3RUALHvd4oI
Score

3^/10

discovery
behavioral5 behavioral6