Overview

overview

10

Static

static

3

Factuur 00...df.exe

windows7-x64

10

Factuur 00...df.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3f94abbd4364ef5f17dac6211b4e67f2_JaffaCakes118

  • Size

    693KB

  • Sample

    241013-nkn33syfjl

  • MD5

    3f94abbd4364ef5f17dac6211b4e67f2

  • SHA1

    9e8a22912a23c6efa358f20d6e86cc6b77634c74

  • SHA256

    f681f08b89b710b8d32d08a6569629a6403459aa5256cc68e0e3d2b86934a221

  • SHA512

    a0d973bb1a4b4f816bc22851d6a8ac7f578cdbe67cddec39aec6e6639cd4484b80b58642f9b9821970cbf4bf221c43a38388260dd93c3566406d80cd01f39360

  • SSDEEP

    12288:2yi5zcMZ13XNEK5s37Hs7bOnCxrKzptvC0bNr/BWoo0PaAhyt/imgc0fYAChCJmr:2yi5zpZZWqs37HsGC8BRZWLWa6UisMrY

Score
10/10
ctblockerdefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Extracted

Path

C:\ProgramData\axwcwrc.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Targets

    • Target

      Factuur 00078454556-00398583.pdf.exe

    • Size

      760KB

    • MD5

      73b5b2675d4391fe6c59cc596bcd2a04

    • SHA1

      4a598519786f3646d459ede621337e08d67c1b3f

    • SHA256

      34400196b5de7adde8de4f2d8a5aadd350d1ce06910b9d44c1a17969c42b1b69

    • SHA512

      9b0f5bf43ae7b001a40f9d2742c2558e6961e3058bd67ec92108cbe75dc088ec3cbc8afeb3bd88bb0d9042db36b66cc1cff1054235fdb3ae4d1b659f0e86114f

    • SSDEEP

      12288:BDcMXv3/NEK7s37/shbOnMxrUzbtvC0nNr/Bqoo0Pamhyx/iugcGfAAChCJeTlV3:VpX/uqs37/s4MKrRZqLWaE6iUSDX2b

    Score
    10/10
    ctblockerdefense_evasiondiscoveryexecutionimpactransomware

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks