{
	"id": "fe8793a3-da6a-45f3-9e51-278468994f34",
	"created_at": "2026-04-06T01:32:06.408262Z",
	"updated_at": "2026-04-10T03:21:25.04982Z",
	"deleted_at": null,
	"sha1_hash": "d35519ff6c50c5c5849cecdde81eb04f776b50db",
	"title": "Conti ransomware source code investigation - part 2.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3519322,
	"plain_text": "Conti ransomware source code investigation - part 2.\r\nBy cocomelonc\r\nPublished: 2022-04-11 · Archived: 2026-04-06 01:26:18 UTC\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is the second part of my own Conti ransomware source code investigation.\r\nfirst part\r\nIn the last part, I wrote about encryption/hashing methods and bypassing AV engines. Today I will consider network connections, the filesystem and some identified IoCs.\r\nnetwork connections\r\nFirst of all, let’s go back a little to the logic of the encryptor:\r\nhttps://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html\r\nPage 1 of 16\r\nAs you can see, when the encryption mode is ALL_ENCRYPT or NETWORK_ENCRYPT, the malware retrieves information about the network.\r\nLet’s go to the definition of StartScan:\r\nLet’s dive deeper into the logic of network_connections.\r\nGetCurrentIpAddress just gets information about the current IP address:\r\nThe GetSubnets function uses the GetIpNetTable API to retrieve the ARP table of the infected system. For each entry, the IPv4 address is checked against the following masks:\r\nIf the current ARP entry matches one of these masks (172.*, 192.168.*, 10.*, 169.*), the subnet is extracted and added to the subnet queue:\r\nThe ScanHosts function attempts a TCP connection to each IPv4 address on the SMB port (445):\r\nIf the connection is successful, it saves the valid IPs via AddHost in a queue:\r\nAnd what about HostHandler:\r\nand PortScanHandler:\r\nHostHandler waits for a valid IP in the IP queue and, for each IP, enumerates the shares using the NetShareEnum API:\r\nAnd PortScanHandler (1) repeats the scan via ScanHosts (2) every 30 seconds (3):\r\nSo, what happens when network_scanner::StartScan is called?\r\n1. Add 172.*, 192.168.*, 10.*, 169.* subnet addresses to the queue.\r\n2. Create two threads.\r\n3. The first thread enumerates the shares via HostHandler.\r\n4. The second thread, via PortScanHandler, tries to connect to SMB port 445; for each successful connection it saves the valid IP, and it rescans every 30 seconds:\r\nConcluding the execution, the WaitForSingleObject API is invoked on each thread to wait for the operations to complete before the main process exits, and CloseHandle is called for cleanup:\r\nprocess killer\r\nThe logic of prockiller.cpp is simple. It enumerates all processes and, if a process is not explorer.exe, adds its PID to the queue:\r\nfilesystem\r\nIn the filesystem module there is a function filesystem::EnumirateDrives which, as the name implies, scans drives:\r\nAs you can see, it uses the GetLogicalDriveStringsW API.\r\nThe logic of this function is used in the final enumeration during encryption. The malware uses a whitelist for both directories and files to avoid encrypting unnecessary data. The following directory names and file names are skipped during the enumeration process:\r\nyara rules\r\nLet’s upload locker.exe to VirusTotal:\r\nhttps://www.virustotal.com/gui/file/e1b147aa2efa6849743f570a3aca8390faf4b90aed490a5682816dd9ef10e473/detection\r\n57 of 69 AV engines detect this sample as malware.\r\nYara rule for Conti:\r\nrule Conti\r\n{\r\n meta:\r\n author = \"kevoreilly\"\r\n description = \"Conti Ransomware\"\r\n cape_type = \"Conti Payload\"\r\n strings:\r\n $crypto1 = {8A 07 8D 7F 01 0F B6 C0 B9 ?? 00 00 00 2B C8 6B C1 ?? 99 F7 FE 8D [2] 99 F7 FE 88 ?? FF 83 EB 0\r\n $website1 = \"https://contirecovery.info\" ascii wide\r\n $website2 = \"https://contirecovery.best\" ascii wide\r\n condition:\r\n uint16(0) == 0x5A4D and any of them\r\n}\r\nI hope this post spreads awareness among blue teamers of these interesting malware techniques, and adds a weapon to the red teamers’ arsenal.\r\nfirst part\r\nWSAStartup\r\nWSAAddressToStringA\r\nCreateToolhelp32Snapshot\r\nCloseHandle\r\nStrStrIW\r\nCreateThread\r\nWaitForSingleObject\r\nNetShareEnum\r\nGetLogicalDriveStringsW\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html"
	],
	"report_names": [
		"malw-inv-conti-2.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439126,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d35519ff6c50c5c5849cecdde81eb04f776b50db.pdf",
		"text": "https://archive.orkl.eu/d35519ff6c50c5c5849cecdde81eb04f776b50db.txt",
		"img": "https://archive.orkl.eu/d35519ff6c50c5c5849cecdde81eb04f776b50db.jpg"
	}
}