Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-10-2024 16:52

General

  • Target

    8002e12ee374b2cb136757a46116244b_JaffaCakes118.exe

  • Size

    742KB

  • MD5

    8002e12ee374b2cb136757a46116244b

  • SHA1

    08afb20b09ebbeb30939389edc7e53b6f4c1fc57

  • SHA256

    feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f

  • SHA512

    0a58b3deb7dc752c407024c2644d6f237b21d3a9a61317cfc64db69f0371e4d75a4a5527c4146374a006e9792c487ba051018beb76aa5e6e1257d3dc7cb3eab1

  • SSDEEP

    12288:494e4oMww1bLO6ejFn8KL8XdChu/FiMZgi7hLEsOYt4ZmwjHCmac95RDOqruN2mE:hes126wFn8KL8tz4MZHVLJtimSimHROY

Malware Config

Extracted

Path

C:\ProgramData\pypafpb.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://fizxfsi3cad3kn7v.onion.cab

http://fizxfsi3cad3kn7v.tor2web.org

http://fizxfsi3cad3kn7v.onion
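The three URLs above are one hidden service reached three ways: directly as a .onion name, and through two clearnet Tor2web-style gateways (onion.cab and tor2web.org) that prepend the onion name to their own domain. For blocklisting and pivoting, the onion hostname is the stable indicator, not the gateway form. The following Python is an added example (not part of the report or of any Tria.ge tooling) that pulls URLs out of a ransom note, strips the gateway suffixes seen on this page, and validates the result as a v2 (16-char) or v3 (56-char) base32 onion name. The note text is hand-copied from the page for the example; the gateway list is an assumption that should be extended with any other proxies you meet.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample input: the URL-bearing sentences of the ransom note shown above,
# typed in by hand for this example (not a live extraction).
NOTE = (
    "Open http://fizxfsi3cad3kn7v.onion.cab or http://fizxfsi3cad3kn7v.tor2web.org "
    "in your browser. They are public gates to the secret server. If you have problems "
    "with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. "
    "2. In the Tor Browser open the http://fizxfsi3cad3kn7v.onion Note that this server "
    "is available via Tor Browser only."
)

# Clearnet gateway suffixes that front a hidden service (Tor2web-style proxies). Only the
# two seen on this page are listed (assumption: extend with others you encounter).
# Stripping the suffix and appending ".onion" yields the hostname the gateway proxies to.
GATEWAY_SUFFIXES = (".onion.cab", ".tor2web.org")

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
# v2 onion names are 16 base32 chars, v3 names are 56; both use the alphabet a-z2-7.
ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")


def canonical_onion(host: str) -> Optional[str]:
    """Map a hostname (bare .onion or a gateway-proxied form) to its .onion name, or None."""
    host = host.lower().rstrip(".")  # drop a sentence-final period glued to the URL
    for suffix in GATEWAY_SUFFIXES:
        if host.endswith(suffix):
            host = host[: -len(suffix)] + ".onion"
            break
    return host if ONION_RE.match(host) else None


def extract_onions(text: str) -> Dict[str, Set[str]]:
    """Return {onion_hostname: {raw hostnames seen in text that resolve to it}}."""
    found: Dict[str, Set[str]] = {}
    for m in URL_RE.finditer(text):
        raw = m.group(1).lower().rstrip(".")
        onion = canonical_onion(raw)
        if onion:
            found.setdefault(onion, set()).add(raw)
    return found


if __name__ == "__main__":
    for onion, seen in extract_onions(NOTE).items():
        print(onion, "<-", ", ".join(sorted(seen)))
```

Run against the note, it reports a single hidden service, fizxfsi3cad3kn7v.onion, with all three raw forms mapped to it, and ignores torproject.org, which is a legitimate clearnet site and not an indicator.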

Signatures

  • CTB-Locker

    Ransomware family which uses Tor to hide its C2 communications.

  • Ctblocker family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:600
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      2⤵
        PID:2208
      • C:\Windows\system32\wbem\wmiprvse.exe
        C:\Windows\system32\wbem\wmiprvse.exe -Embedding
        2⤵
          PID:2620
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\8002e12ee374b2cb136757a46116244b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8002e12ee374b2cb136757a46116244b_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:828
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C712F4C5-74E5-4C9F-953A-D35D9CE5506F} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe
      C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows all
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:1328
      • C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe
        "C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe" -u
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2028
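The tree above carries the three behaviours a responder would key on: the dropped copy fxfcfub.exe (same SHA256 as the submitted sample, see Downloads) is started by taskeng.exe, the Windows 7 scheduled-task host, rather than by the original sample; that copy runs `vssadmin delete shadows all` to destroy Volume Shadow Copies; and it relaunches itself with `-u`. The following Python is an added example (not part of the report or of any Tria.ge code) that applies those three checks to process-creation events. The events are hand-typed from the tree and hashes on this page in a Sysmon-like layout; the wmic and wbadmin shadow-deletion patterns and the task-host list are assumptions drawn from general ransomware tradecraft, not from this report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    sha256: Optional[str] = None


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


SAMPLE_SHA256 = "feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f"

# Constructed from the process tree and dropped-file hashes in this report; the field
# layout mimics a Sysmon process-creation event but these are hand-typed, not raw telemetry.
EVENTS: List[Proc] = [
    Proc(1248, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(828, 1248,
         r"C:\Users\Admin\AppData\Local\Temp\8002e12ee374b2cb136757a46116244b_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\8002e12ee374b2cb136757a46116244b_JaffaCakes118.exe"',
         SAMPLE_SHA256),
    Proc(2340, None, r"C:\Windows\system32\taskeng.exe",
         r"taskeng.exe {C712F4C5-74E5-4C9F-953A-D35D9CE5506F} S-1-5-18:NT AUTHORITY\System:Service:"),
    Proc(2068, 2340, r"C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe",
         r"C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe", SAMPLE_SHA256),
    Proc(1328, 2068, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows all"),
    Proc(2028, 2068, r"C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe" -u', SAMPLE_SHA256),
]

# (image basename, command-line pattern) pairs for shadow-copy destruction. vssadmin is what
# this sample used; the wmic and wbadmin forms are assumed additions from common tradecraft.
SHADOW_DELETE = [
    ("vssadmin.exe", re.compile(r"delete\s+shadows", re.I)),
    ("wmic.exe", re.compile(r"shadowcopy\s+delete", re.I)),
    ("wbadmin.exe", re.compile(r"delete\s+catalog", re.I)),
]
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Windows 7 runs scheduled-task actions under taskeng.exe, which is what the tree shows
# (assumption: on newer Windows the task host is an svchost.exe Schedule instance instead).
TASK_HOSTS = {"taskeng.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, Proc], pid: int) -> List[str]:
    """Image basenames from the process up to its root, child first."""
    chain, cur, seen = [], by_pid.get(pid), set()
    while cur is not None and cur.pid not in seen:   # seen-set guards against PID reuse loops
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain


def triage(procs: List[Proc], sample_sha256: str) -> List[Finding]:
    by_pid = {p.pid: p for p in procs}
    findings: List[Finding] = []
    for p in procs:
        name = basename(p.image)
        for img, cmd_re in SHADOW_DELETE:
            if name == img and cmd_re.search(p.cmdline):
                findings.append(Finding("shadow_copy_deletion", p.pid,
                                        " <- ".join(ancestry(by_pid, p.pid))))
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent and basename(parent.image) in TASK_HOSTS and USER_TEMP_RE.search(p.image):
            findings.append(Finding("temp_exe_launched_by_task_scheduler", p.pid, p.image))
    # The same bytes executing from more than one path means the sample copied itself.
    copies = [p for p in procs if p.sha256 == sample_sha256]
    paths = sorted({p.image.lower() for p in copies})
    if len(paths) > 1:
        findings.append(Finding("sample_copied_self", copies[0].pid, " | ".join(paths)))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS, SAMPLE_SHA256):
        print(f"{f.rule:38} pid={f.pid:<5} {f.detail}")
```

The shadow-copy finding carries the full ancestry (vssadmin.exe <- fxfcfub.exe <- taskeng.exe), which is the detail that separates this from an administrator running vssadmin interactively: a task-host parent chain into a user Temp directory is not something a legitimate backup job produces.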

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rplgrxh

        Filesize

        654B

        MD5

        ae136ee4dd75e0dca443ccf53fe62ddd

        SHA1

        33a61c631a90647f3993cb042029855216db619a

        SHA256

        8b199f33c82cf5862f9dce0aa6506f6e83c10bccaabe1e2c02eec949b66ae345

        SHA512

        946c4f78c53441392299de9c4131fb9f04fa67e8c2a0ec9d2d6ea4f7fcc7bb67a1bbe1e34cc5bcd28df649e35ddb08673dd5258929fdc0a8f54be7d090f40ff6

      • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rplgrxh

        Filesize

        654B

        MD5

        423fd08a6e73a46ef5f5360a50828aa3

        SHA1

        c41f4b015015d830d7fbe7ee3e2a13cd8141e7ab

        SHA256

        b12934a9d2f67658e93d21ff613e0dbfbf8b0b2e68663c9e2c72728c411f48ea

        SHA512

        a2b133767c308bfb90a729344332e90d2e377ce56ce484f647e98980808a464454833e13f7fe08018b6d29be1b4195ac98e3baec7631858794895ee04d696c75

      • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\rplgrxh

        Filesize

        654B

        MD5

        2b11fceed789c6c293d4b3573a63dc3c

        SHA1

        ade5a24e97ec5415ba41562d2abd8fbcb2410bf2

        SHA256

        4bf95c98eca7287240e62b451ace86bc3e09e01732e45438fe6b863d17460620

        SHA512

        9b2a7fbd09159f68d4f2e372e2a1aa72e998ff463b97eb22840773dbdc2175fb567822952be897a277290a89d3ed9bab30a2cbaf243cc6097c3a569b3e399c99

      • C:\ProgramData\pypafpb.html

        Filesize

        63KB

        MD5

        e0e73fc681536235baf013bb17c77f20

        SHA1

        8d3b12ff20cf10211cd297f1d4ed1be35193e3f1

        SHA256

        5de048fdee51ae94fd6232475d7e5e6883cd1e8953e8db6bc72fe6904604b5a2

        SHA512

        a0f9415b8123780a8b602004c54b264a263d0fb77c3d7c9c56d21905b5583b69d13fe6ce2def6911ba723db66d25b8d7e680bbeb065b3518da841d3bc2ba1915

      • C:\Users\Admin\AppData\Local\Temp\fxfcfub.exe

        Filesize

        742KB

        MD5

        8002e12ee374b2cb136757a46116244b

        SHA1

        08afb20b09ebbeb30939389edc7e53b6f4c1fc57

        SHA256

        feb609be0898e8da070811eb70ec98de0d64e9d28d5eebec7e75088c6159218f

        SHA512

        0a58b3deb7dc752c407024c2644d6f237b21d3a9a61317cfc64db69f0371e4d75a4a5527c4146374a006e9792c487ba051018beb76aa5e6e1257d3dc7cb3eab1

      • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

        Filesize

        129B

        MD5

        a526b9e7c716b3489d8cc062fbce4005

        SHA1

        2df502a944ff721241be20a9e449d2acd07e0312

        SHA256

        e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

        SHA512

        d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

      • memory/600-1238-0x0000000000530000-0x00000000005A7000-memory.dmp

        Filesize

        476KB

      • memory/600-14-0x0000000000530000-0x00000000005A7000-memory.dmp

        Filesize

        476KB

      • memory/600-13-0x0000000000530000-0x00000000005A7000-memory.dmp

        Filesize

        476KB

      • memory/600-16-0x0000000000530000-0x00000000005A7000-memory.dmp

        Filesize

        476KB

      • memory/600-20-0x0000000000530000-0x00000000005A7000-memory.dmp

        Filesize

        476KB

      • memory/600-28-0x0000000000530000-0x00000000005A7000-memory.dmp

        Filesize

        476KB

      • memory/600-17-0x0000000000530000-0x00000000005A7000-memory.dmp

        Filesize

        476KB

      • memory/600-22-0x0000000000530000-0x00000000005A7000-memory.dmp

        Filesize

        476KB

      • memory/600-24-0x0000000000530000-0x00000000005A7000-memory.dmp

        Filesize

        476KB

      • memory/828-1234-0x0000000000400000-0x00000000004BC000-memory.dmp

        Filesize

        752KB

      • memory/828-3-0x0000000002460000-0x000000000267A000-memory.dmp

        Filesize

        2.1MB

      • memory/828-0-0x0000000000270000-0x0000000000271000-memory.dmp

        Filesize

        4KB

      • memory/828-4-0x0000000002680000-0x00000000028CB000-memory.dmp

        Filesize

        2.3MB

      • memory/828-1-0x0000000002280000-0x0000000002281000-memory.dmp

        Filesize

        4KB

      • memory/828-2-0x0000000000400000-0x00000000004BC000-memory.dmp

        Filesize

        752KB

      • memory/2028-1292-0x0000000002810000-0x0000000002A5B000-memory.dmp

        Filesize

        2.3MB

      • memory/2028-1265-0x0000000002810000-0x0000000002A5B000-memory.dmp

        Filesize

        2.3MB

      • memory/2028-1266-0x0000000002810000-0x0000000002A5B000-memory.dmp

        Filesize

        2.3MB

      • memory/2028-1290-0x0000000002810000-0x0000000002A5B000-memory.dmp

        Filesize

        2.3MB

      • memory/2028-1291-0x0000000002810000-0x0000000002A5B000-memory.dmp

        Filesize

        2.3MB

      • memory/2028-1293-0x0000000002810000-0x0000000002A5B000-memory.dmp

        Filesize

        2.3MB

      • memory/2028-1294-0x0000000002810000-0x0000000002A5B000-memory.dmp

        Filesize

        2.3MB

      • memory/2028-1298-0x0000000002810000-0x0000000002A5B000-memory.dmp

        Filesize

        2.3MB

      • memory/2068-1260-0x0000000001490000-0x00000000016DB000-memory.dmp

        Filesize

        2.3MB

      • memory/2068-1250-0x0000000001490000-0x00000000016DB000-memory.dmp

        Filesize

        2.3MB

      • memory/2068-10-0x0000000001490000-0x00000000016DB000-memory.dmp

        Filesize

        2.3MB