Overview (score 10)
Static (score 10)
Behavioral runs (sample shown truncated on the page as ed6e716945...18.dll):
- windows7-x64 (score 10)
- windows10-1703-x64 (score 10)
- windows10-2004-x64 (score 10)
- windows11-21h2-x64 (score 10)
- android-10-x64
- android-11-x64
- android-13-x64
- android-9-x86
- macos-10.15-amd64 (score 1)
- debian-12-armhf
- debian-12-mipsel
- debian-9-armhf
- debian-9-mips
- debian-9-mipsel
- ubuntu-18.04-amd64
- ubuntu-20.04-amd64
Resubmissions
- 30-04-2024 05:29, 240430-f6xncade75 (score 10)
- 11-04-2024 13:06, 240411-qb4taafb9w (score 10)
- 11-04-2024 12:33, 240411-pq9seaeg2z (score 10)
Analysis
- max time kernel: 439s
- max time network: 1161s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-04-2024 13:06
Behavioral tasks (every task runs the same sample, ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll; the resource is the sandbox image used)
- behavioral1: win7-20240221-en
- behavioral2: win10-20240404-en
- behavioral3: win10v2004-20240226-en
- behavioral4: win11-20240214-en
- behavioral5: android-x64-20240221-en
- behavioral6: android-x64-arm64-20240221-en
- behavioral7: android-33-x64-arm64-20240229-en
- behavioral8: android-x86-arm-20240221-en
- behavioral9: macos-20240410-en
- behavioral10: debian12-armhf-20240221-en
- behavioral11: debian12-mipsel-20240221-en
- behavioral12: debian9-armhf-20240226-en
- behavioral13: debian9-mipsbe-20240226-en
- behavioral14: debian9-mipsel-20240226-en
- behavioral15: ubuntu1804-amd64-20240226-en
- behavioral16: ubuntu2004-amd64-20240221-en
General
- Target: ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll
- Size: 56KB
- MD5: ed6e7169456ef1f41f6a45812dda7d98
- SHA1: c82733e2d394b272db6cbf49aa8a1207c8d9fb87
- SHA256: 85b53edb2e3476bdb29f98bd19c56baa0205e6620917e654cbe81c9745d6193d
- SHA512: 0e7d3dbe68de4301501df68b1eeb36bf68ca3ea61091710352f68f09f8f9b8b96888ccb2419330b2fbd7b592bd98b583aaea818345c87d591b9b0a96845b8d87
- SSDEEP: 768:65h+QW4yKs5INTjabOSQwrPG12nFb5GnVWs6k:63XWNKQ2jnSQyNnFbgN
Malware Config
Signatures
- MountLocker Ransomware
  Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
  File opened (read-only) | \??\f: | rundll32.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
  File created | \??\c:\Program Files\RecoveryManual.html | rundll32.exe
  File created | \??\c:\Program Files (x86)\RecoveryManual.html | rundll32.exe
- Modifies registry class (5 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.F30D4911\shell\Open\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.F30D4911 | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.F30D4911\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.F30D4911\shell\Open | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.F30D4911\shell\Open\command\ = "explorer.exe RecoveryManual.html" | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  4320 | rundll32.exe
  4320 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeRestorePrivilege | 4320 | rundll32.exe
  Token: SeDebugPrivilege | 4320 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 3004 wrote to memory of 4320 | 3004 | rundll32.exe | rundll32.exe
  PID 3004 wrote to memory of 4320 | 3004 | rundll32.exe | rundll32.exe
  PID 3004 wrote to memory of 4320 | 3004 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3004
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 3004)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll,#1
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4320
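The process tree and the Signatures section together give three host-observable behaviours worth turning into detection logic: the 64-bit rundll32.exe (PID 3004) loads a DLL from the user's Temp directory by export ordinal (",#1") and hands off to a SysWOW64 rundll32.exe (PID 4320), which is the normal WoW64 relaunch for a 32-bit DLL (the resource tags list arch:x86); that 32-bit process then registers a per-user file association for the extension .F30D4911 whose Open handler runs "explorer.exe RecoveryManual.html", and drops RecoveryManual.html directly into the root of Program Files and Program Files (x86). The block below is an added example, not code from the sandbox or from this report; it encodes those three behaviours as rules over a simplified Sysmon-like event dict whose field names (type, pid, image, cmdline, key, value, path) are my own assumption, and runs them over events constructed from the report's IoCs plus two benign controls. The hex-extension heuristic and the user-writable directory list are assumptions to tune for your environment.

```python
"""Detection rules for the rundll32 / registry / Program Files IoCs in this
report. Added example, not sandbox or report code. The event schema is a
simplified Sysmon-like dict (assumption); sample events are constructed."""
import re

# Rule 1: rundll32 given a DLL in a user-writable directory and an export
# ordinal (",#N"). Legitimate rundll32 use almost always names a DLL under
# System32 and an export by name. Directory list is an assumption.
RUNDLL32_TEMP_ORDINAL = re.compile(
    r'^rundll32(?:\.exe)?\s+"?.*?\\(?:appdata\\local\\temp|temp|downloads|public)'
    r'\\[^,"]+\.dll"?,\s*#\d+',
    re.IGNORECASE,
)

# Rule 2: per-user association for an extension that is only a hex string
# (".F30D4911" here) whose Open handler launches explorer.exe on a bare
# HTML/TXT/HTA file, i.e. a ransom note. Minimum hex length is a heuristic.
HANDLER_KEY = re.compile(
    r"_Classes\\\.(?P<ext>[0-9a-f]{6,})\\shell\\open\\command\\?$", re.IGNORECASE
)
NOTE_LAUNCH = re.compile(
    r'^(?:"?[^"\s]*\\)?explorer(?:\.exe)?"?\s+"?[^\\"]+\.(?:html?|txt|hta)"?\s*$',
    re.IGNORECASE,
)

# Rule 3: an HTML/TXT/HTA file written into the *root* of Program Files or
# Program Files (x86); installers write into subdirectories, not the root.
NOTE_IN_PROGRAM_FILES = re.compile(
    r"^[a-z]:\\program files(?: \(x86\))?\\[^\\]+\.(?:html?|txt|hta)$", re.IGNORECASE
)

# Constructed events (not real telemetry) mirroring the report's IoCs,
# followed by two benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4320, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll,#1"},
    {"type": "registry", "pid": 4320, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\.F30D4911\shell\Open\command",
     "value": "explorer.exe RecoveryManual.html"},
    {"type": "file", "pid": 4320, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "path": r"\??\c:\Program Files\RecoveryManual.html"},
    {"type": "registry", "pid": 900, "image": r"C:\Windows\explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1-2-3-1000_Classes\.txt\shell\Open\command",
     "value": r'"C:\Windows\system32\notepad.exe" "%1"'},
    {"type": "process", "pid": 901, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def normalize_path(path):
    """Strip the NT object-manager prefix the sandbox reports (\\??\\c:\\...)."""
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            return path[len(prefix):]
    return path


def evaluate(events):
    """Return one hit per matching event as {"rule", "pid", "detail"}."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            if RUNDLL32_TEMP_ORDINAL.search(ev["cmdline"]):
                hits.append({"rule": "rundll32_ordinal_from_temp",
                             "pid": ev["pid"], "detail": ev["cmdline"]})
        elif kind == "registry":
            m = HANDLER_KEY.search(ev["key"])
            if m and NOTE_LAUNCH.match(ev.get("value", "")):
                hits.append({"rule": "ransom_extension_handler",
                             "pid": ev["pid"], "detail": m.group("ext")})
        elif kind == "file":
            path = normalize_path(ev["path"])
            if NOTE_IN_PROGRAM_FILES.match(path):
                hits.append({"rule": "ransom_note_in_program_files",
                             "pid": ev["pid"], "detail": path})
    return hits


def suspicious_pids(events, min_rules=2):
    """PIDs that trip at least min_rules distinct rules. Correlating process,
    registry and file telemetry on one PID is what makes this sample's run
    stand out; any single rule above can fire on odd-but-benign activity."""
    rules_by_pid = {}
    for hit in evaluate(events):
        rules_by_pid.setdefault(hit["pid"], set()).add(hit["rule"])
    return sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["rule"], hit["pid"], hit["detail"])
    print("correlated PIDs:", suspicious_pids(SAMPLE_EVENTS))
```

Run stand-alone, the three ransomware rules fire only for PID 4320 and the correlation step returns that single PID; the benign .txt association and the shell32.dll Control_RunDLL call stay quiet. The registry rule deliberately requires both the odd extension and an explorer.exe-to-note handler, because either half alone appears in legitimate software.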
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 59abc02f56079701be867faa7d8b248a
  SHA1: df3c0773e44f091e9da442e2df6afb5c143b238e
  SHA256: aef108a215d5d14845c893b685a50bdff740be593660d10396894ec5a30e3a60
  SHA512: 756d9296b57661143ca5950ba96dec6099cdfb79dd7f52f9368d42affa13058c0830af2ff5ef3b8589a9d411502eb0a3590ff6450fe65fe1a3e5a04652785629