Overview

overview

10

Static

static

3

8002e12ee3...18.exe

windows7-x64

10

8002e12ee3...18.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8002e12ee374b2cb136757a46116244b_JaffaCakes118

  • Size

    742KB

  • Sample

    241030-vdpvcsxhlp

  • MD5

    8002e12ee374b2cb136757a46116244b

  • SHA1

    08afb20b09ebbeb30939389edc7e53b6f4c1fc57

  • SHA256

    feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f

  • SHA512

    0a58b3deb7dc752c407024c2644d6f237b21d3a9a61317cfc64db69f0371e4d75a4a5527c4146374a006e9792c487ba051018beb76aa5e6e1257d3dc7cb3eab1

  • SSDEEP

    12288:494e4oMww1bLO6ejFn8KL8XdChu/FiMZgi7hLEsOYt4ZmwjHCmac95RDOqruN2mE:hes126wFn8KL8tz4MZHVLJtimSimHROY

Score
10/10
ctblockerdefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Extracted

Path

C:\ProgramData\pypafpb.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://fizxfsi3cad3kn7v.onion.cab

http://fizxfsi3cad3kn7v.tor2web.org

http://fizxfsi3cad3kn7v.onion

Targets

    • Target

      8002e12ee374b2cb136757a46116244b_JaffaCakes118

    • Size

      742KB

    • MD5

      8002e12ee374b2cb136757a46116244b

    • SHA1

      08afb20b09ebbeb30939389edc7e53b6f4c1fc57

    • SHA256

      feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f

    • SHA512

      0a58b3deb7dc752c407024c2644d6f237b21d3a9a61317cfc64db69f0371e4d75a4a5527c4146374a006e9792c487ba051018beb76aa5e6e1257d3dc7cb3eab1

    • SSDEEP

      12288:494e4oMww1bLO6ejFn8KL8XdChu/FiMZgi7hLEsOYt4ZmwjHCmac95RDOqruN2mE:hes126wFn8KL8tz4MZHVLJtimSimHROY

    Score
    10/10
    ctblockerdefense_evasiondiscoveryexecutionimpactransomware

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Ctblocker family

      ctblocker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks