ctblocker | 9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

General

Target

39c0e005cd2892a7b315081f9db6dc37_JaffaCakes118.exe
Size

742KB
MD5

39c0e005cd2892a7b315081f9db6dc37
SHA1

e9c2dda548ca0f53939d8bbf9228a92977964341
SHA256

9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62
SHA512

e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e
SSDEEP

12288:T2359uMww1bLO6ejFn8KL8XdChu/FiMZgi7hLEsOYt4ZmwjHCmac95RDOqruN2mE:S5p126wFn8KL8tz4MZHVLJtimSimHROY

Score

10^/10

ctblocker defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\ProgramData\xzhmwel.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://fizxfsi3cad3kn7v.onion.cab

http://fizxfsi3cad3kn7v.tor2web.org

http://fizxfsi3cad3kn7v.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation	qrzxbjl.exe

Executes dropped EXE 2 IoCs

pid	Process
2520	qrzxbjl.exe
2644	qrzxbjl.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	qrzxbjl.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-tbgsyea.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-tbgsyea.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-tbgsyea.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39c0e005cd2892a7b315081f9db6dc37_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qrzxbjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qrzxbjl.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2336	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	qrzxbjl.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	qrzxbjl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	qrzxbjl.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c34f52c4-69ed-11ef-8041-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0ffd567e-69b6-11ef-9713-ea7747d117e6}\MaxCapacity = "2047"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00630033003400660035003200630034002d0036003900650064002d0031003100650066002d0038003000340031002d003800300036006500360066003600650036003900360033007d00000030002c007b00300066006600640035003600370065002d0036003900620036002d0031003100650066002d0039003700310033002d006500610037003700340037006400310031003700650036007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c34f52c4-69ed-11ef-8041-806e6f6e6963}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c34f52c4-69ed-11ef-8041-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0ffd567e-69b6-11ef-9713-ea7747d117e6}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0ffd567e-69b6-11ef-9713-ea7747d117e6}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2980	39c0e005cd2892a7b315081f9db6dc37_JaffaCakes118.exe
2520	qrzxbjl.exe
2520	qrzxbjl.exe
2520	qrzxbjl.exe
2520	qrzxbjl.exe
2644	qrzxbjl.exe
2644	qrzxbjl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	qrzxbjl.exe
Token: SeDebugPrivilege	2520	qrzxbjl.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2644	qrzxbjl.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2644	qrzxbjl.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2644	qrzxbjl.exe
2644	qrzxbjl.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2520	2472	taskeng.exe	31
PID 2472 wrote to memory of 2520	2472	taskeng.exe	31
PID 2472 wrote to memory of 2520	2472	taskeng.exe	31
PID 2472 wrote to memory of 2520	2472	taskeng.exe	31
PID 2520 wrote to memory of 616	2520	qrzxbjl.exe	9
PID 616 wrote to memory of 2020	616	svchost.exe	33
PID 616 wrote to memory of 2020	616	svchost.exe	33
PID 616 wrote to memory of 2020	616	svchost.exe	33
PID 2520 wrote to memory of 1204	2520	qrzxbjl.exe	21
PID 2520 wrote to memory of 2336	2520	qrzxbjl.exe	34
PID 2520 wrote to memory of 2336	2520	qrzxbjl.exe	34
PID 2520 wrote to memory of 2336	2520	qrzxbjl.exe	34
PID 2520 wrote to memory of 2336	2520	qrzxbjl.exe	34
PID 2520 wrote to memory of 2644	2520	qrzxbjl.exe	36
PID 2520 wrote to memory of 2644	2520	qrzxbjl.exe	36
PID 2520 wrote to memory of 2644	2520	qrzxbjl.exe	36
PID 2520 wrote to memory of 2644	2520	qrzxbjl.exe	36

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:2020

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1204
- C:\Users\Admin\AppData\Local\Temp\39c0e005cd2892a7b315081f9db6dc37_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\39c0e005cd2892a7b315081f9db6dc37_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2980

C:\Windows\system32\taskeng.exe
taskeng.exe {AD2E7BB7-8969-48AE-BAD1-82D3A9E13FB4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\qrzxbjl.exe
  C:\Users\Admin\AppData\Local\Temp\qrzxbjl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2336
- - C:\Users\Admin\AppData\Local\Temp\qrzxbjl.exe
    "C:\Users\Admin\AppData\Local\Temp\qrzxbjl.exe" -u
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

1

T1006

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\cymblee

Filesize
654B

MD5
1205126e91eabfc41d301a25c5b2892c

SHA1
94173996ac7fa998088d48faa7a1d149963c95eb

SHA256
dd404097310d56b0c614e4643d6ad90531bc842062e7106f623de1f4129d0b2f

SHA512
74cd71573628256ac55920d7327e8f5931e1a72794add0ffe3b91f9d1d3f862e1da16fc865647d874238b0d13bda97790ea0a5cea6ce76f836b58aefad8755d1

Download Submit
C:\ProgramData\Adobe\cymblee

Filesize
654B

MD5
f0492c61b213c0506c0b58db47526f39

SHA1
c04e74a6e0a26c659152c8400a049ddd89a473b6

SHA256
4ca08aaa1661103f70b1e5ae274f778a9d6d3f34a37d9f145ed4104e8df84b36

SHA512
2213cb2afe15739247e63b2eea9e8600f55a7006c75320de92029f0de780fec77251b150f8743d4e795e6f66da3e737b47035114a36ca80e54e65dcec437d97c

Download Submit
C:\ProgramData\Adobe\cymblee

Filesize
654B

MD5
7f79d7d3cdef0b85b8f4853efc624bf8

SHA1
c61c89d7ee5f4673154010edc3888097ea8135dc

SHA256
2bdc19eaa9cfe4be5fddc684155f61111ef6dfc8cb4735a2eb6217fe6b078c24

SHA512
8a6172b09306e9e28aa0757cb6e22725e21476f4c93e7e16adf9e9baf63aaabc3472d3eb2dccf06a76112d1e05bc3e1d99320080977f3cd8fc083785ac99e6c3

Download Submit
C:\ProgramData\xzhmwel.html

Filesize
63KB

MD5
c82f54419c62e1897e086193d4437662

SHA1
af1177e52d0d96860ce11a50602f81a03ce43346

SHA256
0a2b37a21a925ba0db30b5f748968a1fa5574b650bff5f097d64ed39ceee742a

SHA512
99794c0391b6f46a926358972a653c91a79cd2805e16a7693506e8c78871828ee05b48692c8d14a86c7a8326432da3300c778940b745710158a23a293be74156

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrzxbjl.exe

Filesize
742KB

MD5
39c0e005cd2892a7b315081f9db6dc37

SHA1
e9c2dda548ca0f53939d8bbf9228a92977964341

SHA256
9005436ea8f7c0dede260d1b249540c94a02431afe4d26956b4199705577ea62

SHA512
e5b258b62685152ba0387a280a27957c6cd78848d31a7cd65089c0c8dbd0d59d65089f702fe0dd8e759a27c2974219f9c170ba67c6457a4725a8b09dc69ce77e

Download Submit
memory/616-13-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/616-1254-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/616-39-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/616-14-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/616-17-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/616-20-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/616-27-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/616-16-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/616-22-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/616-24-0x0000000000160000-0x00000000001D7000-memory.dmp

Filesize
476KB

Download
memory/2520-10-0x00000000014C0000-0x000000000170B000-memory.dmp

Filesize
2.3MB

Download
memory/2520-1277-0x00000000014C0000-0x000000000170B000-memory.dmp

Filesize
2.3MB

Download
memory/2520-1266-0x00000000014C0000-0x000000000170B000-memory.dmp

Filesize
2.3MB

Download
memory/2644-1282-0x00000000026F0000-0x000000000293B000-memory.dmp

Filesize
2.3MB

Download
memory/2644-1281-0x00000000026F0000-0x000000000293B000-memory.dmp

Filesize
2.3MB

Download
memory/2644-1306-0x00000000026F0000-0x000000000293B000-memory.dmp

Filesize
2.3MB

Download
memory/2644-1307-0x00000000026F0000-0x000000000293B000-memory.dmp

Filesize
2.3MB

Download
memory/2644-1309-0x00000000026F0000-0x000000000293B000-memory.dmp

Filesize
2.3MB

Download
memory/2644-1317-0x00000000026F0000-0x000000000293B000-memory.dmp

Filesize
2.3MB

Download
memory/2980-3-0x0000000002600000-0x000000000281A000-memory.dmp

Filesize
2.1MB

Download
memory/2980-1250-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2980-2-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2980-0-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2980-4-0x0000000002820000-0x0000000002A6B000-memory.dmp

Filesize
2.3MB

Download
memory/2980-1-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads