Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2024, 19:03

General

  • Target

    102c9d8d99c9f453053d1f49620df11f_JaffaCakes118.exe

  • Size

    802KB

  • MD5

    102c9d8d99c9f453053d1f49620df11f

  • SHA1

    47ab2f2f660832e3a38f6dee882431a5a2404729

  • SHA256

    cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

  • SHA512

    adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e

  • SSDEEP

    12288:FgORozerFqm6tU2L6kwt0Z9YlU+iyKAqYpBuT+ZlI4O3dRvUC8yr3e9JKjv6JfPf:FZRFxVYJL7jYlU3vAqYphHcLmwCdSRkj

Malware Config

Extracted

Path

C:\ProgramData\pjhsmgj.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion
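The three URLs above are one hidden service reached three ways: directly over Tor, and through two Tor2web-style clearnet gateways. The following is an added example, not part of the tria.ge report, that pulls those indicators out of the extracted note text, normalises them, and derives what a perimeter team can actually block (the gateway FQDNs; a `.onion` name never touches DNS). The note excerpt and the gateway suffix list are constructed from this report; the field names are this example's own.

```python
"""Extract Tor hidden-service indicators from a CTB-Locker ransom note.

Added example for this report, not tria.ge code. RANSOM_NOTE is an excerpt of the
note extracted above; GATEWAY_SUFFIXES lists the two gateways this sample uses.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed excerpt of the note dropped to C:\ProgramData\pjhsmgj.html (see above).
RANSOM_NOTE = (
    "Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org "
    "in your browser. They are public gates to the secret server. If you have problems "
    "with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. "
    "2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server "
    "is available via Tor Browser only."
)

# Clearnet gateway suffixes seen in this sample (assumption: extend for other gateways).
GATEWAY_SUFFIXES = {"onion.cab", "tor2web.org"}

# Onion names are base32: 16 chars for v2, 56 chars for v3. Anything else is not an onion.
ONION_URL_RE = re.compile(r"https?://([a-z2-7]{16}|[a-z2-7]{56})\.([a-z0-9][a-z0-9.-]*)")


@dataclass
class OnionIndicators:
    onion_names: set[str] = field(default_factory=set)
    direct_urls: set[str] = field(default_factory=set)
    gateway_urls: set[str] = field(default_factory=set)


def extract_onion_indicators(text: str) -> OnionIndicators:
    """Return every onion name plus the direct and gateway URLs that reference it."""
    ind = OnionIndicators()
    for m in ONION_URL_RE.finditer(text.lower()):
        name, suffix = m.group(1), m.group(2).rstrip(".")
        url = m.group(0).rstrip(".")
        if suffix == "onion":
            ind.onion_names.add(name)
            ind.direct_urls.add(url)
        elif suffix in GATEWAY_SUFFIXES:
            ind.onion_names.add(name)
            ind.gateway_urls.add(url)
        # Other 16/56-char hostnames are ordinary clearnet names and are ignored.
    return ind


def onion_version(name: str) -> int:
    """16-char names are v2 hidden services (unsupported by Tor since October 2021)."""
    if len(name) == 16:
        return 2
    if len(name) == 56:
        return 3
    raise ValueError(f"not an onion name: {name}")


def perimeter_blocklist(ind: OnionIndicators) -> set[str]:
    """FQDNs worth blocking at DNS/proxy: only the gateways resolve on the clearnet."""
    return {urlparse(u).hostname for u in ind.gateway_urls}


def summarize(text: str) -> dict:
    ind = extract_onion_indicators(text)
    return {
        "onion_names": sorted(ind.onion_names),
        "versions": {n: onion_version(n) for n in ind.onion_names},
        "blocklist": sorted(perimeter_blocklist(ind)),
        "direct": sorted(ind.direct_urls),
    }


if __name__ == "__main__":
    for k, v in summarize(RANSOM_NOTE).items():
        print(f"{k}: {v}")
```

The version check matters for triage today: `tmc2ybfqzgkaeilm` is a v2 name, so the hidden service itself is unreachable on the current Tor network regardless of whether the operators still exist; the gateway hostnames remain useful as historical network indicators.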

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 15 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographic location.

  • NSIS installer 2 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
      PID:1708
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      2⤵
      PID:2912
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\102c9d8d99c9f453053d1f49620df11f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\102c9d8d99c9f453053d1f49620df11f_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Users\Admin\AppData\Local\Temp\102c9d8d99c9f453053d1f49620df11f_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\102c9d8d99c9f453053d1f49620df11f_JaffaCakes118.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3004
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {767C615B-4767-4933-B60A-0C3BD25F12AF} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\shwavsm.exe
      C:\Users\Admin\AppData\Local\Temp\shwavsm.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Users\Admin\AppData\Local\Temp\shwavsm.exe
        "C:\Users\Admin\AppData\Local\Temp\shwavsm.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows all
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:1088
        • C:\Users\Admin\AppData\Local\Temp\shwavsm.exe
          "C:\Users\Admin\AppData\Local\Temp\shwavsm.exe" -u
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Users\Admin\AppData\Local\Temp\shwavsm.exe
            "C:\Users\Admin\AppData\Local\Temp\shwavsm.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:1884
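Three things in the tree above are worth turning into detections: the dropped copy `shwavsm.exe` being launched by the task engine (`taskeng.exe`, i.e. a scheduled task), every stage re-launching its own image (the pattern that accompanies the `SetThreadContext`/`WriteProcessMemory` signatures listed earlier), and a Temp-resident parent spawning `vssadmin delete shadows all`. The block below is an added example, not tria.ge's signature logic: it runs those three rules over process-creation events constructed by hand from the tree (plus one benign control). The event field names are this example's own and would be mapped from Sysmon event 1 or Security event 4688. The shadow-copy rule goes slightly beyond the page and also covers `wmic shadowcopy delete` and `vssadmin resize shadowstorage`, two well-known equivalents; it matches on the image basename, so the `SysWOW64` path used here is covered as well as `System32`.

```python
"""Detection rules for the CTB-Locker process chain shown in this report.

Added example, not tria.ge code. EVENTS is constructed from the report's process tree;
ppid 0 marks a root process whose parent the sandbox did not attribute.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\102c9d8d99c9f453053d1f49620df11f_JaffaCakes118.exe"
DROPPED = TEMP + r"\shwavsm.exe"

EVENTS = [
    {"pid": 592,  "ppid": 0,    "image": r"C:\Windows\system32\svchost.exe", "cmdline": "svchost.exe -k DcomLaunch"},
    {"pid": 1212, "ppid": 0,    "image": r"C:\Windows\Explorer.EXE", "cmdline": "Explorer.EXE"},
    {"pid": 2980, "ppid": 1212, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3004, "ppid": 2980, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2848, "ppid": 0,    "image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": "taskeng.exe {767C615B-4767-4933-B60A-0C3BD25F12AF} S-1-5-18:NT AUTHORITY\\System:Service:"},
    {"pid": 2912, "ppid": 2848, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 2400, "ppid": 2912, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"pid": 1088, "ppid": 2400, "image": r"C:\Windows\SysWOW64\vssadmin.exe", "cmdline": "vssadmin delete shadows all"},
    {"pid": 2420, "ppid": 2400, "image": DROPPED, "cmdline": f'"{DROPPED}" -u'},
    {"pid": 1884, "ppid": 2420, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    # Constructed benign control: enumerating shadow copies must not fire.
    {"pid": 4000, "ppid": 600,  "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]

USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
VSSADMIN_DESTROY_RE = re.compile(r"\b(delete\s+shadows|resize\s+shadowstorage)\b", re.I)
WMIC_DESTROY_RE = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    chain: tuple[int, ...]   # ancestry, child first, as far as the events allow
    severity: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: dict) -> tuple[int, ...]:
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return tuple(chain)


def detect(events: list[dict]) -> list[Finding]:
    by_pid = {e["pid"]: e for e in events}
    findings: list[Finding] = []
    for e in events:
        img, parent = basename(e["image"]), by_pid.get(e["ppid"])
        chain = ancestry(e["pid"], by_pid)

        # T1490 Inhibit System Recovery: shadow copies destroyed from the command line.
        destroys = (img == "vssadmin.exe" and VSSADMIN_DESTROY_RE.search(e["cmdline"])) or \
                   (img == "wmic.exe" and WMIC_DESTROY_RE.search(e["cmdline"]))
        if destroys:
            from_temp = parent is not None and USER_TEMP_RE.search(parent["image"])
            findings.append(Finding("shadow_copy_deletion", e["pid"], chain, "critical" if from_temp else "high"))

        # A process re-launching its own image: the self-spawn stages in this report that carry
        # SetThreadContext/WriteProcessMemory (classic hollowing/unpacking pattern).
        if parent is not None and parent["image"].lower() == e["image"].lower():
            findings.append(Finding("self_spawn", e["pid"], chain, "medium"))

        # Scheduled-task engine launching a binary out of a user Temp directory.
        if parent is not None and basename(parent["image"]) == "taskeng.exe" and USER_TEMP_RE.search(e["image"]):
            findings.append(Finding("task_launched_temp_binary", e["pid"], chain, "high"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.severity:8}] {f.rule:26} pid={f.pid} chain={f.chain}")
```

The ancestry walk is what makes the shadow-copy hit actionable: it ties PID 1088 back through 2400 and 2912 to `taskeng.exe` (2848), so the responder sees at once that the deletion came from a scheduled task running a Temp binary rather than from a backup product.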

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\ProgramData\Microsoft Help\ckozqpg

        Filesize

        654B

        MD5

        4bded89bc7ce48879a6efb32c94f58f7

        SHA1

        82945c9dcd50abceeb3df145d559de2a7f0a0852

        SHA256

        2dea8862bd9b6384b831e4695781b82b2fd5d9f9d5797f12f8c370a49b14f50d

        SHA512

        5e6215f02d92ffe1170c18a393a73b503cd1d190c8ae6b1526a87fe0ad323742b82e76d6a641c287b05889cdd64db65ebbad5ac1036fef4e6c66e09dff293e24

      • C:\ProgramData\Microsoft Help\ckozqpg

        Filesize

        654B

        MD5

        91738bc8d59f8e75d4b82192abc552d6

        SHA1

        8e114316549771f291b271a158da4c8a46f48cde

        SHA256

        36e2413e78349eb0acd51079a7a1375f51e385a74f884ff77560cdad50524ca8

        SHA512

        6c6546ed7eae075884dbe590d6be4c352e3932bda86afbed574012e2b5a5f915be097c0a3260129a999a40a1a69af34a2ba37b409242135464f3b45c66e68d23

      • C:\ProgramData\pjhsmgj.html

        Filesize

        63KB

        MD5

        8c30685f63195c05a333d6eddf54ba9c

        SHA1

        23ad6c8128a372a3bcc00e4101f30216f57bb6f3

        SHA256

        e32783b537cb4e6882b2bd88c75ff352b2f9c52f8f24354790e177cab425b851

        SHA512

        dac2987c5e7e05d11bf07fd0792f5ca5e23362f01ef135e58ba1262408bf04e51331b668f5d29e62ce1ee65e407c736f8f09f954e4c4e7ee6bbdcef6aa9c3223

      • C:\Users\Admin\AppData\Local\Temp\shwavsm.exe

        Filesize

        802KB

        MD5

        102c9d8d99c9f453053d1f49620df11f

        SHA1

        47ab2f2f660832e3a38f6dee882431a5a2404729

        SHA256

        cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

        SHA512

        adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e

      • C:\Users\Admin\AppData\Roaming\READ-ME-FIRST.TXT

        Filesize

        654KB

        MD5

        344689f5946142895cc657fb63041440

        SHA1

        b59c03f39c9dca8ce57dc505d155b54ab0571166

        SHA256

        73d6024f6026b7bc77010a5a957e70910ecce31fddc9f09bf2d5d3256f0c0a1c

        SHA512

        0796f9f3c91938d386bd2cb7d251535e71a8f3ef345cb9d4dba5dd3115a03321692b768e9f7010f76268ca9e5939f83ffbad106d5928a08af8f3f9bfd7862975

      • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

        Filesize

        129B

        MD5

        a526b9e7c716b3489d8cc062fbce4005

        SHA1

        2df502a944ff721241be20a9e449d2acd07e0312

        SHA256

        e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

        SHA512

        d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

      • \Users\Admin\AppData\Local\Temp\nsjE8DB.tmp\UserInfo.dll

        Filesize

        4KB

        MD5

        d9a3fc12d56726dde60c1ead1df366f7

        SHA1

        f531768159c14f07ac896437445652b33750a237

        SHA256

        401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

        SHA512

        6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

      • \Users\Admin\AppData\Local\Temp\nsjE8DB.tmp\coelenterates.dll

        Filesize

        382KB

        MD5

        f2ce2e755d4f18546550ae4a7f2a6626

        SHA1

        2d4c874c00dc8006a75bd8e700d77952a08d101f

        SHA256

        aa237a70b8b8c08f00bb26fa5c9529b2a41e20222c18d40244459baad2fed3c7

        SHA512

        5cb452aaf18ee58bb49fd03581c58f8edd5d9c9c087f95b29638069c6fa5ea08999fc29bee8c95d3f346e979a9fa42f59a01e41f1019c5ea58725ef2567e9855

      • memory/592-1300-0x0000000000390000-0x0000000000407000-memory.dmp

        Filesize

        476KB

      • memory/592-77-0x0000000000390000-0x0000000000407000-memory.dmp

        Filesize

        476KB

      • memory/592-91-0x0000000000390000-0x0000000000407000-memory.dmp

        Filesize

        476KB

      • memory/592-88-0x0000000000390000-0x0000000000407000-memory.dmp

        Filesize

        476KB

      • memory/592-76-0x0000000000390000-0x0000000000407000-memory.dmp

        Filesize

        476KB

      • memory/592-85-0x0000000000390000-0x0000000000407000-memory.dmp

        Filesize

        476KB

      • memory/592-87-0x0000000000390000-0x0000000000407000-memory.dmp

        Filesize

        476KB

      • memory/592-83-0x0000000000390000-0x0000000000407000-memory.dmp

        Filesize

        476KB

      • memory/592-79-0x0000000000390000-0x0000000000407000-memory.dmp

        Filesize

        476KB

      • memory/592-80-0x0000000000390000-0x0000000000407000-memory.dmp

        Filesize

        476KB

      • memory/1884-1362-0x00000000006D0000-0x000000000091B000-memory.dmp

        Filesize

        2.3MB

      • memory/1884-1363-0x00000000006D0000-0x000000000091B000-memory.dmp

        Filesize

        2.3MB

      • memory/2400-1323-0x0000000000870000-0x0000000000ABB000-memory.dmp

        Filesize

        2.3MB

      • memory/2400-72-0x0000000000400000-0x00000000004A4600-memory.dmp

        Filesize

        657KB

      • memory/2400-1312-0x0000000000870000-0x0000000000ABB000-memory.dmp

        Filesize

        2.3MB

      • memory/2400-73-0x0000000000870000-0x0000000000ABB000-memory.dmp

        Filesize

        2.3MB

      • memory/2400-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/3004-21-0x0000000000400000-0x00000000004A5000-memory.dmp

        Filesize

        660KB

      • memory/3004-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/3004-25-0x0000000000400000-0x00000000004A5000-memory.dmp

        Filesize

        660KB

      • memory/3004-32-0x0000000000730000-0x000000000094A000-memory.dmp

        Filesize

        2.1MB

      • memory/3004-33-0x0000000000950000-0x0000000000B9B000-memory.dmp

        Filesize

        2.3MB

      • memory/3004-31-0x0000000000400000-0x00000000004A5000-memory.dmp

        Filesize

        660KB

      • memory/3004-19-0x0000000000400000-0x00000000004A5000-memory.dmp

        Filesize

        660KB
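Two details in the file list above carry more meaning than the raw digests suggest: `shwavsm.exe` has exactly the MD5/SHA-1/SHA-256/SHA-512 of the submitted sample (the malware copied itself to Temp and let the task engine run the copy), and `C:\ProgramData\Microsoft Help\ckozqpg` appears twice with different content (the same path was rewritten during the run). The block below is an added example, not tria.ge code, that makes such observations mechanically from the listing and then decides which digests are safe to load into a blocklist. The artifact table is transcribed from the Downloads list (file entries only; the memory dumps carry no digests, and sizes are kept as the report prints them). Treating `$RECYCLE.BIN\...\desktop.ini` and the NSIS `UserInfo.dll` plug-in as non-specific is this example's own triage judgement.

```python
"""Hash-based triage of the dropped files listed in this report.

Added example, not tria.ge code. ARTIFACTS is transcribed from the Downloads list above.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict

SAMPLE_SHA256 = "cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27"

ARTIFACTS = [  # (path, size as printed in the report, sha256)
    (r"C:\ProgramData\Microsoft Help\ckozqpg", "654B",
     "2dea8862bd9b6384b831e4695781b82b2fd5d9f9d5797f12f8c370a49b14f50d"),
    (r"C:\ProgramData\Microsoft Help\ckozqpg", "654B",
     "36e2413e78349eb0acd51079a7a1375f51e385a74f884ff77560cdad50524ca8"),
    (r"C:\ProgramData\pjhsmgj.html", "63KB",
     "e32783b537cb4e6882b2bd88c75ff352b2f9c52f8f24354790e177cab425b851"),
    (r"C:\Users\Admin\AppData\Local\Temp\shwavsm.exe", "802KB", SAMPLE_SHA256),
    (r"C:\Users\Admin\AppData\Roaming\READ-ME-FIRST.TXT", "654KB",
     "73d6024f6026b7bc77010a5a957e70910ecce31fddc9f09bf2d5d3256f0c0a1c"),
    (r"F:\$RECYCLE.BIN\S-1-5-18\desktop.ini", "129B",
     "e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066"),
    (r"\Users\Admin\AppData\Local\Temp\nsjE8DB.tmp\UserInfo.dll", "4KB",
     "401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a"),
    (r"\Users\Admin\AppData\Local\Temp\nsjE8DB.tmp\coelenterates.dll", "382KB",
     "aa237a70b8b8c08f00bb26fa5c9529b2a41e20222c18d40244459baad2fed3c7"),
]

# Not sample-specific (assumption for this triage): the recycle-bin desktop.ini is written by
# Windows when a drive is first touched, and UserInfo.dll is the stock NSIS plug-in that every
# installer using it ships. Their digests would match plenty of clean systems.
NOISY_BASENAMES = {"desktop.ini", "userinfo.dll"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def self_copies(artifacts: list[tuple], sample_sha256: str) -> list[str]:
    """Dropped files that are byte-identical to the submitted sample."""
    return [p for p, _, h in artifacts if h == sample_sha256]


def rewritten_paths(artifacts: list[tuple]) -> dict[str, list[str]]:
    """Paths that appear more than once with different content, in order of appearance."""
    seen: dict[str, list[str]] = defaultdict(list)
    for p, _, h in artifacts:
        if h not in seen[p]:
            seen[p].append(h)
    return {p: hs for p, hs in seen.items() if len(hs) > 1}


def dropped_iocs(artifacts: list[tuple], sample_sha256: str) -> list[str]:
    """SHA-256 values worth blocklisting: dropped content that is neither the sample
    itself (already known) nor a generic Windows/NSIS artifact."""
    return sorted({h for p, _, h in artifacts
                   if h != sample_sha256 and basename(p) not in NOISY_BASENAMES})


def hash_bytes(data: bytes) -> dict[str, str]:
    """Same four digests the report prints, for verifying a local copy against it."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data: bytes, sha256: str) -> bool:
    return hash_bytes(data)["sha256"] == sha256


if __name__ == "__main__":
    print("self-copies of sample:", self_copies(ARTIFACTS, SAMPLE_SHA256))
    print("rewritten paths:", rewritten_paths(ARTIFACTS))
    print("blocklist digests:", dropped_iocs(ARTIFACTS, SAMPLE_SHA256))
```

`hash_bytes` exists so a sample pulled from a share or a mailbox can be checked against the digests printed above before anyone relies on this report's behaviour for it; a mismatch means a different build, and none of the dropped-file hashes can be assumed to carry over.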