Overview

overview

10

Static

static

3

Abrechnung53534.exe

windows7-x64

10

Abrechnung53534.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    27c76f06a50dbe2028788167363b5dd3_JaffaCakes118

  • Size

    707KB

  • Sample

    241009-avlttaxhmb

  • MD5

    27c76f06a50dbe2028788167363b5dd3

  • SHA1

    952a5318d35b0426199ec53be7e8b5e52439d94d

  • SHA256

    c8b7d76b904d86567e05ea52486147d3a00db05dd12fd172486aa31d0f8c124f

  • SHA512

    3de6b7035b58101fd65e67083dfeabd1e69027dc8da66eb0d50c17d0f8e9429cf55e8a06d022311f2da3f4356ac1fae5ec8ccc4283cc9d00a51b1d2693c2b4fb

  • SSDEEP

    12288:4ukw9vd9s52tz67Tn/dHbiaPzvPOy1nv8efWj/caUSB0+A+Pm1saHp:dX9vAn7/d+aPzOknvXO/50+A+SVp

Score
10/10
ctblockerdefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Extracted

Path

C:\ProgramData\esufwfj.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Targets

    • Target

      Abrechnung53534.exe

    • Size

      728KB

    • MD5

      c55825824295fb010050e0a8929088dd

    • SHA1

      e3047fa2e4128af1ca2cd5a854a9772421ab185e

    • SHA256

      0a77fc85a49ed22e8a829c57253cffff4af89a690cec2125ebdb53be09f64e86

    • SHA512

      7be00b8a624438b37d7d10b5327accb94e9ed0ab68ff809fd4a18699bf1f64cb6700827431225be366cf2ef4410c90ce314e2256b55bcc474a208de6e2f0b6d8

    • SSDEEP

      12288:cLgIvdjsT2N167Tn/VHbiaPzvLOyx1v2ef0j/uakSB0aA+PmLgaYM:eDvCD7/V+aPzSe1vto/T0aA+a5

    Score
    10/10
    ctblockerdefense_evasiondiscoveryexecutionimpactransomware

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks