Overview

overview

10

Static

static

3

6d83d702fa...18.exe

windows7-x64

10

6d83d702fa...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-10-2024 06:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe

  • Size

    714KB

  • MD5

    6d83d702fad47bf24a04c4b3e2c9d930

  • SHA1

    e706a46e3bbb821e8f4aec1f3e488be1504b855b

  • SHA256

    8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

  • SHA512

    62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d

  • SSDEEP

    12288:mSuYrHkpL3KyptgMzPez1OkvHj3CfL0PzGJRZLB3LE:X1kpL3KyAWPez1fD3mLIzGvZt3LE

Score
10/10
ctblockerdefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Extracted

Path

C:\ProgramData\ilimarf.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://43qzvceo6ondd6wt.onion.cab or http://43qzvceo6ondd6wt.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://43qzvceo6ondd6wt.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://43qzvceo6ondd6wt.onion.cab

http://43qzvceo6ondd6wt.tor2web.org

http://43qzvceo6ondd6wt.onion

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

    ransomwarectblocker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:592
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:1708
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Sets desktop wallpaper using registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:620
        • C:\Users\Admin\AppData\Local\Temp\6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\6d83d702fad47bf24a04c4b3e2c9d930_JaffaCakes118.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2440
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {09CEABB9-1E23-4EFB-9DB5-CD9B00AAE206} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Users\Admin\AppData\Local\Temp\amfztod.exe
        C:\Users\Admin\AppData\Local\Temp\amfztod.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Users\Admin\AppData\Local\Temp\amfztod.exe
          C:\Users\Admin\AppData\Local\Temp\amfztod.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2100
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows all
            4⤵
            • System Location Discovery: System Language Discovery
            • Interacts with shadow copies
            PID:1636
          • C:\Users\Admin\AppData\Local\Temp\amfztod.exe
            "C:\Users\Admin\AppData\Local\Temp\amfztod.exe" -u
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2020
            • C:\Users\Admin\AppData\Local\Temp\amfztod.exe
              C:\Users\Admin\AppData\Local\Temp\amfztod.exe
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:756

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Adobe\jyufvtj
      Filesize

      654B

      MD5

      cf8fc87d343dfcb11a48951c8df7ac1d

      SHA1

      5eddbe11146fa0cb63c3c884e460ec3df1e7cc24

      SHA256

      904efffb61470bcbfb9e906982e97f225fb6c6fbc84969cfd9e2664b285d2266

      SHA512

      e55e0c3cc7493516a4b589afb2209254e9209da2edbd16199950667a939524b15716b9e8cfd3f5acd455c27f58d921a65aaeb02341246d256f870db18102628a

      Download Submit

    • C:\ProgramData\Adobe\jyufvtj
      Filesize

      654B

      MD5

      edc1c607689156c2b18f9e6ba56598d1

      SHA1

      3c483091c905886d7680fdfcdeeb5f06b0311a97

      SHA256

      b8f63654d1ccb134e0e5c01b453ed4a9e35545f29f5971dd1e74cd7437c29bf4

      SHA512

      133be7e6fbff0e8d92cfc986af135bb442b79590d897085b20eab58305d5b7f47328d8113f7b3fc9c18af5da1197dc524c0b3972c90a75b3a2ecf8e4501a7b76

      Download Submit

    • C:\ProgramData\ilimarf.html
      Filesize

      62KB

      MD5

      62b211e35c49a20833d33cfba2fec03d

      SHA1

      4441b778329da77b7e931317a353e1472cd2be00

      SHA256

      ce78539a54e83d04d005a019aa73d3c6fd54adce41ec176ea21e82cb6e8e6346

      SHA512

      7d40f577ae35d8e812cc077f03b4c6d5a60f3ffa5b04afe6f6b22c27506787b7ad8ad14cfa6d9ae7e3937b1d737c28309725cfc64b3b0f1b760e9d82664f7386

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\amfztod.exe
      Filesize

      714KB

      MD5

      6d83d702fad47bf24a04c4b3e2c9d930

      SHA1

      e706a46e3bbb821e8f4aec1f3e488be1504b855b

      SHA256

      8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

      SHA512

      62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
      Filesize

      129B

      MD5

      a526b9e7c716b3489d8cc062fbce4005

      SHA1

      2df502a944ff721241be20a9e449d2acd07e0312

      SHA256

      e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

      SHA512

      d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

      Download Submit

    • memory/592-41-0x0000000000300000-0x0000000000377000-memory.dmp

      Filesize

      476KB

      Download

    • memory/592-53-0x0000000000300000-0x0000000000377000-memory.dmp

      Filesize

      476KB

      Download

    • memory/592-38-0x0000000000300000-0x0000000000377000-memory.dmp

      Filesize

      476KB

      Download

    • memory/592-42-0x0000000000300000-0x0000000000377000-memory.dmp

      Filesize

      476KB

      Download

    • memory/592-1253-0x0000000000300000-0x0000000000377000-memory.dmp

      Filesize

      476KB

      Download

    • memory/592-45-0x0000000000300000-0x0000000000377000-memory.dmp

      Filesize

      476KB

      Download

    • memory/592-49-0x0000000000300000-0x0000000000377000-memory.dmp

      Filesize

      476KB

      Download

    • memory/592-47-0x0000000000300000-0x0000000000377000-memory.dmp

      Filesize

      476KB

      Download

    • memory/592-40-0x0000000000300000-0x0000000000377000-memory.dmp

      Filesize

      476KB

      Download

    • memory/620-0-0x00000000003A0000-0x00000000003A4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/756-1291-0x0000000028C00000-0x0000000028E4B000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2100-33-0x0000000000400000-0x00000000004A4600-memory.dmp

      Filesize

      657KB

      Download

    • memory/2100-34-0x0000000028BA0000-0x0000000028DEB000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2100-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2100-1259-0x0000000028BA0000-0x0000000028DEB000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2440-11-0x0000000000400000-0x0000000001400000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2440-3-0x0000000000400000-0x0000000001400000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2440-5-0x0000000000400000-0x0000000001400000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2440-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2440-12-0x00000000289E0000-0x0000000028BFA000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2440-15-0x0000000000401000-0x00000000004A5000-memory.dmp

      Filesize

      656KB

      Download

    • memory/2440-13-0x0000000028C00000-0x0000000028E4B000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/2440-9-0x0000000000400000-0x0000000001400000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2440-1-0x00000000001B0000-0x00000000002AA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/2860-18-0x0000000000400000-0x0000000000405000-memory.dmp

      Filesize

      20KB

      Download