Analysis
-
max time kernel
20s -
max time network
17s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
04-04-2024 18:33
Behavioral task
behavioral1
Sample
bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe
-
Size
2.4MB
-
MD5
bfaeb628eb811839395ca7bf5ef866a5
-
SHA1
0146e8ec67756f5ec6d349dc6ac6a1633f360341
-
SHA256
17c184859f0ba6c44db4b486aeb091ad2dae5f6078816a9b03bc71ad78d97d41
-
SHA512
cc19310cedebb89891bda9e29b85b6196eee6f50897c73e32d1b4f4b3a0c057fee7363e713e3514eac9eeab1e02b441817ea9ce49169d123db46e7c47f83ca1e
-
SSDEEP
49152:33j638rQukLXGqRYv+RlbImz4vX9f+pRLftA4n5JxJutIp0C+TYfuosy7WVYpVJe:3KJ3RSmzIX9W/LftT5Jx4IpOTYfuosyM
Score
10/10
Malware Config
Signatures
-
Detecting the common Go functions and variables names used by Snatch ransomware 2 IoCs
resource yara_rule behavioral2/memory/3936-2-0x0000000000F00000-0x00000000013B6000-memory.dmp family_snatch behavioral2/memory/3936-9792-0x0000000000F00000-0x00000000013B6000-memory.dmp family_snatch -
Snatch Ransomware
Ransomware family generally distributed through RDP bruteforce attacks.
-
Renames multiple (7959) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/3936-2-0x0000000000F00000-0x00000000013B6000-memory.dmp upx behavioral2/memory/3936-9792-0x0000000000F00000-0x00000000013B6000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashWideTile.scale-100_contrast-black.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\ui-strings.js.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyVideoProjectCreations_LightTheme.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-32_altform-unplated.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-256_contrast-white.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\ui-strings.js bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileSmallSquare.scale-100.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\url-polyfill.min.js bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp5.scale-200.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\ui-strings.js bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\tr_get.svg bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-24.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalStoreLogo.scale-200_contrast-black.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\View3d\3DViewerProductDescription-universal.xml bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileMediumSquare.scale-200.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72_altform-lightunplated.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Spiral.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-400.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-125_contrast-black.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\remove.svg.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ug.pak.DATA.yhlgaopimd bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-400.png bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\virgo_mycomputer_folder_icon.svg bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\HOW TO RESTORE YOUR FILES.TXT bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2264 sc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3936 wrote to memory of 1888 3936 bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe 86 PID 3936 wrote to memory of 1888 3936 bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe 86 PID 1888 wrote to memory of 2264 1888 cmd.exe 88 PID 1888 wrote to memory of 2264 1888 cmd.exe 88 PID 1888 wrote to memory of 1556 1888 cmd.exe 89 PID 1888 wrote to memory of 1556 1888 cmd.exe 89 PID 3936 wrote to memory of 1868 3936 bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe 90 PID 3936 wrote to memory of 1868 3936 bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bfaeb628eb811839395ca7bf5ef866a5_JaffaCakes118.exe"1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pyffwwoqrufuelun.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\system32\sc.exeSC QUERY3⤵
- Launches sc.exe
PID:2264
-
-
C:\Windows\system32\findstr.exeFINDSTR SERVICE_NAME3⤵PID:1556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qmwojotcmwnetyei.bat2⤵PID:1868
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD510b249845fedf9528d16de30d071f9d1
SHA1d50aff3a228b2dc935f3362d5aae0dee1dbd017d
SHA256d6f681398080b92fa4dbe601f3b63637b972eb04e340d08668d3a1d6d79a1a57
SHA512c817ed36476c7e388c390a299e64d55b636c4f834cfb702bb58355d42f1c824966360da444b2b33a87d70c0b547adab18b2afb410c9d13af48436bf8e9a2d96d
-
Filesize
43B
MD555310bb774fff38cca265dbc70ad6705
SHA1cb8d76e9fd38a0b253056e5f204dab5441fe932b
SHA2561fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
SHA51240e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4