ctblocker | 597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674

General

Target

a5d0e995d43232bd4b3d73f8899b7ef0_JaffaCakes118.exe
Size

662KB
MD5

a5d0e995d43232bd4b3d73f8899b7ef0
SHA1

46e06085c542f69ca2a78bba9f4eaa0ad77b1713
SHA256

597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674
SHA512

c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb
SSDEEP

12288:vKPvdIQ/slCcdrN8VfeP/hUmQ2jqh+aCKpQKEskUjeWhjZrwPqQRc:a6OslWVfeP/s2j8+aCGHFZnOc

Score

10^/10

ctblocker defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\ProgramData\pjhsmgj.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Ctblocker family
ctblocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	shwavsm.exe

Executes dropped EXE 2 IoCs

pid	Process
1680	shwavsm.exe
628	shwavsm.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	shwavsm.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-mfaduzd.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-mfaduzd.bmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-mfaduzd.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shwavsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shwavsm.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1980	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	shwavsm.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	shwavsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	shwavsm.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c8aa3be4-69ed-11ef-97c9-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c8aa3be4-69ed-11ef-97c9-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2d3224fe-69b6-11ef-a892-ea7747d117e6}\MaxCapacity = "2047"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00630038006100610033006200650034002d0036003900650064002d0031003100650066002d0039003700630039002d003800300036006500360066003600650036003900360033007d00000030002c007b00320064003300320032003400660065002d0036003900620036002d0031003100650066002d0061003800390032002d006500610037003700340037006400310031003700650036007d0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c8aa3be4-69ed-11ef-97c9-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2d3224fe-69b6-11ef-a892-ea7747d117e6}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2d3224fe-69b6-11ef-a892-ea7747d117e6}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1744	a5d0e995d43232bd4b3d73f8899b7ef0_JaffaCakes118.exe
1680	shwavsm.exe
1680	shwavsm.exe
1680	shwavsm.exe
1680	shwavsm.exe
628	shwavsm.exe
628	shwavsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	shwavsm.exe
Token: SeDebugPrivilege	1680	shwavsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
628	shwavsm.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
628	shwavsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
628	shwavsm.exe
628	shwavsm.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1680	1532	taskeng.exe	31
PID 1532 wrote to memory of 1680	1532	taskeng.exe	31
PID 1532 wrote to memory of 1680	1532	taskeng.exe	31
PID 1532 wrote to memory of 1680	1532	taskeng.exe	31
PID 1680 wrote to memory of 616	1680	shwavsm.exe	9
PID 616 wrote to memory of 3012	616	svchost.exe	32
PID 616 wrote to memory of 3012	616	svchost.exe	32
PID 616 wrote to memory of 3012	616	svchost.exe	32
PID 1680 wrote to memory of 1240	1680	shwavsm.exe	21
PID 1680 wrote to memory of 1980	1680	shwavsm.exe	33
PID 1680 wrote to memory of 1980	1680	shwavsm.exe	33
PID 1680 wrote to memory of 1980	1680	shwavsm.exe	33
PID 1680 wrote to memory of 1980	1680	shwavsm.exe	33
PID 1680 wrote to memory of 628	1680	shwavsm.exe	35
PID 1680 wrote to memory of 628	1680	shwavsm.exe	35
PID 1680 wrote to memory of 628	1680	shwavsm.exe	35
PID 1680 wrote to memory of 628	1680	shwavsm.exe	35

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:3012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of UnmapMainImage
PID:1240
- C:\Users\Admin\AppData\Local\Temp\a5d0e995d43232bd4b3d73f8899b7ef0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a5d0e995d43232bd4b3d73f8899b7ef0_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1744

C:\Windows\system32\taskeng.exe
taskeng.exe {E64B0477-568E-40D1-AF12-C023405C3EFF} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\shwavsm.exe
  C:\Users\Admin\AppData\Local\Temp\shwavsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1980
- - C:\Users\Admin\AppData\Local\Temp\shwavsm.exe
    "C:\Users\Admin\AppData\Local\Temp\shwavsm.exe" -u
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

1

T1006

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\ckozqpg

Filesize
654B

MD5
667631b142818005c73ca24e03211f82

SHA1
7b853422aff846777d9998365f66c8c0f8441442

SHA256
fd3a6bbacdec27d2272f5bfc26527bd21102d99fa92d24ebe2db6779b4093482

SHA512
7359c94adfe7f5d0fae2892a7dfabca28da9fb060a1a013e727a841fa5b9095bdfda6ffa7b6d8da26e959f23846e4c7867a7fb756c90a675cc67ecd056b2d8b4

Download Submit
C:\ProgramData\Microsoft\ckozqpg

Filesize
654B

MD5
86d0b68a1c486cd492f5339f933d3538

SHA1
da228c9b05bc4bdca94593935760667503dab0af

SHA256
6502eda9691eda75a407ba604a7c7de9490e597777af6b06737765e4bed763bb

SHA512
eab929b9809d7be708ad4bbd5a21595dd103b50c2db691b4e21741a0538a86b57ef0bc6a339f7fc28a06d5b3842e5792c10c3e57f24dc2b54206ffc77d8e5f93

Download Submit
C:\ProgramData\Microsoft\ckozqpg

Filesize
654B

MD5
efbbc8b8555cb7a2f5bfb38663c75cc5

SHA1
e245d9ccc70f30d8cbbbfa9f6860c63bd2ef7f98

SHA256
13bf2812c72c74c5792d2887b529fe1cc1ac798c89fdb968970dd95e9ca51409

SHA512
b11d08de3b847becb175885ad3066103d0bdb990e61d987f13c73c23a183d15f17b9ef871234f83cd8b1dc7a087f610d0b74893f8f53e862983148b9ea596938

Download Submit
C:\ProgramData\Microsoft\ckozqpg

Filesize
654B

MD5
40fda96bcc8cab4ef48ec8c713349067

SHA1
6340e7ec70a11cd4d948d70698b64b12f8f01620

SHA256
d81a965a71aef580cca12f633c567fa363616982b3f641ffc169af5972d34fdb

SHA512
e5996f2f0647da06bf231d9794a35edd75e85b51008ee32aaaa1f4962517f57ac14fc15d58b7a63d708615201b441e8938f0699020931c252fbd04c95f2857cd

Download Submit
C:\ProgramData\pjhsmgj.html

Filesize
62KB

MD5
9864bc03ce6cbce5db40fd19068b3ed9

SHA1
e7a95c8cff286b90ef4016047399b87d5443e334

SHA256
3a0eafb547d7c6d26929f7515c2f5352f5c752dd5369d0bc04f4a502a9f88d35

SHA512
47f59e4241f45635422e426e51af2110458ce8cbe02564b78d5c6819b191eb274398e93ce53d040ce71cc3226b3878b83ff09a61827f4d75ccbe494d636df416

Download Submit
C:\Users\Admin\AppData\Local\Temp\shwavsm.exe

Filesize
662KB

MD5
a5d0e995d43232bd4b3d73f8899b7ef0

SHA1
46e06085c542f69ca2a78bba9f4eaa0ad77b1713

SHA256
597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674

SHA512
c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb

Download Submit
F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/616-1219-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/616-9-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/616-14-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/616-19-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/616-21-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/616-24-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/616-127-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/616-17-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/616-13-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/616-11-0x00000000001F0000-0x0000000000267000-memory.dmp

Filesize
476KB

Download
memory/628-1249-0x0000000000780000-0x00000000009CB000-memory.dmp

Filesize
2.3MB

Download
memory/628-1244-0x0000000000780000-0x00000000009CB000-memory.dmp

Filesize
2.3MB

Download
memory/628-1245-0x0000000000780000-0x00000000009CB000-memory.dmp

Filesize
2.3MB

Download
memory/628-1248-0x0000000000780000-0x00000000009CB000-memory.dmp

Filesize
2.3MB

Download
memory/628-1247-0x0000000000780000-0x00000000009CB000-memory.dmp

Filesize
2.3MB

Download
memory/628-1250-0x0000000000780000-0x00000000009CB000-memory.dmp

Filesize
2.3MB

Download
memory/628-1251-0x0000000000780000-0x00000000009CB000-memory.dmp

Filesize
2.3MB

Download
memory/628-1252-0x0000000000780000-0x00000000009CB000-memory.dmp

Filesize
2.3MB

Download
memory/1680-1242-0x0000000000910000-0x0000000000B5B000-memory.dmp

Filesize
2.3MB

Download
memory/1680-6-0x0000000000910000-0x0000000000B5B000-memory.dmp

Filesize
2.3MB

Download
memory/1680-1231-0x0000000000910000-0x0000000000B5B000-memory.dmp

Filesize
2.3MB

Download
memory/1744-0-0x0000000000770000-0x000000000098A000-memory.dmp

Filesize
2.1MB

Download
memory/1744-1-0x0000000000990000-0x0000000000BDB000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads