Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-04-2024 05:34
Static task: static1
Behavioral task: behavioral1
- Sample: f75e92b4cf12745c63966bb50c82e4be_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f75e92b4cf12745c63966bb50c82e4be_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f75e92b4cf12745c63966bb50c82e4be_JaffaCakes118.exe
- Size: 921KB
- MD5: f75e92b4cf12745c63966bb50c82e4be
- SHA1: e58678781548262b653b34bbf3f55339d53f28cb
- SHA256: a1b504b8e34200d8029f6d75491d517e460162cb9df438257ee4ed85f61c18bc
- SHA512: 2d66d1868e44956c00593d7d19d70b14475571dcd9b5eee9d15ac4fa3d473ce3a05c598c57ea31707b4deaa3469ed046b85f4e9c3f04430e652eda4d6a4f6038
- SSDEEP: 24576:SnkXEg1ZlhKG+WWZtCpDCE5Ie534SCeTpOl13lHlI:SkXEg1ZlIzZtCpGE5j5oSHOlxRlI
Malware Config
- Extracted from: C:\GET_YOUR_FILES_BACK.txt
- http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion
- http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
Signatures
- Avoslocker Ransomware
  Avoslocker is a relatively new ransomware that was observed in late June and early July 2021.
- Renames multiple (155) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1539987827.png"
    process: reg.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 4232, process powershell.exe (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 4232
    process: powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 3028 wrote to memory of 4232 | 3028 | f75e92b4cf12745c63966bb50c82e4be_JaffaCakes118.exe | powershell.exe (3 identical entries)
    PID 4232 wrote to memory of 5188 | 4232 | powershell.exe | reg.exe (3 identical entries)
    PID 4232 wrote to memory of 5272 | 4232 | powershell.exe | rundll32.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\f75e92b4cf12745c63966bb50c82e4be_JaffaCakes118.exe (PID 3028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f75e92b4cf12745c63966bb50c82e4be_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4232)
    Command line: powershell -Command "$a = [System.IO.File]::ReadAllText(\"C:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\reg.exe (PID 5188)
      Command line: "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\1539987827.png /f
      - Sets desktop wallpaper using registry
    - Child: C:\Windows\SysWOW64\rundll32.exe (PID 5272)
      Command line: "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 9cd17876488bd2c2b81b965620b9aa14
  SHA1: f5305680ebd56c1eebc1797c6a7ce93117c3423c
  SHA256: 08152eb79c4f4b16badb06fe231da164570b62999357c8da8659e6d024f11127
  SHA512: 7eea1d69e706ef86c0d2343630bc3553b2d5418523d2e4aabcc66d1c0ea3754351ed4c0ab6c185eabbd313f5333d56182c0a9e873aa05b1c5e514e9a3dfceb8d
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82