Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-04-2024 16:48

General

  • Target

    05a30994821845197be5d1ebb616dbbb_JaffaCakes118.exe

  • Size

    328KB

  • MD5

    05a30994821845197be5d1ebb616dbbb

  • SHA1

    0bf4c283b2ecac2d8d94074248403d89754c688f

  • SHA256

    73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c

  • SHA512

    6bcffb9ec948aee21851e299a8a96a6c795c5546fad7d2f737ceb5f6d782975551b0f77e8e6c91450d5ee881f8e8d35eceb1944101eb94656b42a1e72c1e6073

  • SSDEEP

    6144:a9zyYnK/Poydbl3rFLRN8kAZyubtSiTsflsyAC9RM4ATGtMHoLm:8sgKdrBRMdSOCPbxL

Malware Config

Extracted

  • Path

    C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ffxne.txt

  • Family

    teslacrypt

  • Ransom Note

    NOT YOUR LANGUAGE? USE https://translate.google.com
    What happened to your files ?
    All of your files were protected by a strong encryption with RSA4096
    More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
    How did this happen ?
    !!! Specially for your PC was generated personal RSA4096 Key , both public and private.
    !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
    !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
    What do I do ?
    So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
    If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
    1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/ACE6B632AF418E66
    2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/ACE6B632AF418E66
    3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/ACE6B632AF418E66
    If for some reasons the addresses are not available, follow these steps:
    1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
    2 - After a successful installation, run the browser
    3 - Type in the address bar: xlowfznrg4wf7dli.onion/ACE6B632AF418E66
    4 - Follow the instructions on the site
    IMPORTANT INFORMATION
    Your personal pages
    http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/ACE6B632AF418E66
    http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/ACE6B632AF418E66
    http://yyre45dbvn2nhbefbmh.begumvelic.at/ACE6B632AF418E66
    Your personal page Tor-Browser
    xlowfznrg4wf7dli.ONION/ACE6B632AF418E66

  • URLs

    http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/ACE6B632AF418E66

    http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/ACE6B632AF418E66

    http://yyre45dbvn2nhbefbmh.begumvelic.at/ACE6B632AF418E66

    http://xlowfznrg4wf7dli.ONION/ACE6B632AF418E66

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware family modelled on CryptoLocker (it reused the CryptoLocker name and ransom screen, not its code). Its operators shut the operation down and published the master decryption key in May 2016. The RSA-4096 wording in the ransom note above is not accurate for this family: TeslaCrypt encrypted files with AES and protected the per-file keys with elliptic-curve key agreement, which is why decryptors exist for several of its versions.

  • Deletes shadow copies 2 TTPs

    Ransomware removes Volume Shadow Copies so that Previous Versions and System Restore cannot be used to recover encrypted files (ATT&CK T1490). In this run the dropped copy launches `WMIC.exe shadowcopy delete /nointeractive` twice (PIDs 2652 and 2280 in the process tree below).

  • Renames multiple (421) files with added filename extension

    A single process appending a new extension to hundreds of files in one run is the characteristic footprint of file-encrypting ransomware: each file is rewritten with ciphertext and renamed so the victim can see which files are held.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. The appearance of vssvc.exe (PID 2608) in the process tree is consistent with the WMIC shadow-copy deletion noted above, since a WMI `shadowcopy delete` request is serviced by that process.
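The rename signature above is easy to reason about but worth seeing as detection logic. The following is an added example (not code from this report or from any sandbox vendor) that flags a process which appends an extension to many files across several directories within a short window, the pattern the "Renames multiple (421) files" signature describes. The event shape (ts, pid, old, new) and the extension `.crypt9` are constructed for this example; the report counts 421 renamed files but does not print the extension this sample appends.

```python
"""Flag a process that appends an extension to many files in a short window.

Added example; not code from the original report or from any sandbox vendor.
The event fields (ts, pid, old, new) and the extension ".crypt9" are
constructed for this example.
"""
import ntpath
from collections import Counter, defaultdict, deque


def appended_extension(old, new):
    """Return the extension appended to `old` to form `new`, or None.

    report.docx -> report.docx.crypt9  gives ".crypt9"
    draft.tmp   -> draft.docx           gives None (rewrite, not an append)
    """
    if not new.lower().startswith(old.lower()):
        return None
    tail = new[len(old):]
    if len(tail) < 2 or not tail.startswith(".") or "\\" in tail or "/" in tail:
        return None
    return tail


def mass_rename_alerts(events, threshold=20, window=30.0, min_dirs=3):
    """Sliding-window detector keyed by PID.

    Alerts once per PID when at least `threshold` append-renames occur within
    `window` seconds and touch at least `min_dirs` directories (a burst
    confined to one directory is more likely a legitimate batch job).
    """
    recent = defaultdict(deque)   # pid -> deque of (ts, dir, ext)
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ext = appended_extension(e["old"], e["new"])
        if ext is None:
            continue
        q = recent[e["pid"]]
        q.append((e["ts"], ntpath.dirname(e["old"]).lower(), ext.lower()))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        dirs = {d for _, d, _ in q}
        if len(q) >= threshold and len(dirs) >= min_dirs and e["pid"] not in alerted:
            dominant = Counter(x for _, _, x in q).most_common(1)[0][0]
            alerts.append({"pid": e["pid"], "renames": len(q), "dirs": len(dirs),
                           "extension": dominant, "span_s": e["ts"] - q[0][0]})
            alerted.add(e["pid"])
    return alerts


def sample_events():
    """Constructed rename stream: PID 1800 (the dropped copy in the process
    tree of this report) renames 25 files across four directories in five
    seconds, while PID 999 performs two benign renames."""
    dirs = [r"C:\Users\Admin\Documents", r"C:\Users\Admin\Pictures",
            r"C:\MSOCache\All Users", r"C:\Program Files\Java\jre7"]
    events = []
    for i in range(25):
        old = ntpath.join(dirs[i % 4], f"file{i:02d}.docx")
        events.append({"ts": i * 0.2, "pid": 1800, "old": old, "new": old + ".crypt9"})
    events.append({"ts": 1.0, "pid": 999, "old": r"C:\Users\Admin\Documents\draft.tmp",
                   "new": r"C:\Users\Admin\Documents\draft.docx"})
    events.append({"ts": 2.0, "pid": 999, "old": r"C:\Users\Admin\Documents\notes.txt",
                   "new": r"C:\Users\Admin\Documents\notes.txt.bak"})
    return events


if __name__ == "__main__":
    for a in mass_rename_alerts(sample_events()):
        print(f"PID {a['pid']}: {a['renames']} renames to *{a['extension']} "
              f"across {a['dirs']} dirs in {a['span_s']:.1f}s")
```

The alert fires on the 20th qualifying rename, so the reported count is the threshold rather than the final 421 seen by the sandbox; tune `threshold`, `window` and `min_dirs` against your own file-server baseline, and feed it real rename events (Sysmon Event ID 11/23 or EDR file telemetry) rather than the constructed stream.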

Processes

  • C:\Users\Admin\AppData\Local\Temp\05a30994821845197be5d1ebb616dbbb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05a30994821845197be5d1ebb616dbbb_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\faginhwrqwlh.exe
      C:\Windows\faginhwrqwlh.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1800
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2652
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1304
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1240 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:216
      • C:\Windows\System32\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FAGINH~1.EXE
        3⤵
        PID:2696
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\05A309~1.EXE
        2⤵
        • Deletes itself
        PID:2664
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2608
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2276
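The process tree above contains the three behaviours an analyst would key on in this run: the dropped copy deleting shadow copies through WMIC, each stage erasing its own executable with `cmd /c DEL` (using 8.3 short names), and the ransom note being opened in notepad and Internet Explorer. The following is an added example, not code from this report or from the sandbox vendor, that pulls those indicators out of a process-creation list. `EVENTS` is constructed by hand from the tree printed above (PIDs, images and command lines as listed there); the field names are this example's own convention, not a Triage or Sysmon schema, and the 8.3 short-name matcher is a heuristic.

```python
r"""Walk a sandbox process tree for shadow-copy deletion, self-deletion via
cmd.exe, and ransom-note display.

Added example; not code from the original report or from the sandbox vendor.
EVENTS is constructed from the "Processes" tree in the report; the field
names are this example's own convention.
"""
import ntpath
import re

EVENTS = [
    {"pid": 2052, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\05a30994821845197be5d1ebb616dbbb_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\05a30994821845197be5d1ebb616dbbb_JaffaCakes118.exe"'},
    {"pid": 1800, "ppid": 2052, "image": r"C:\Windows\faginhwrqwlh.exe",
     "cmdline": r"C:\Windows\faginhwrqwlh.exe"},
    {"pid": 2652, "ppid": 1800, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'},
    {"pid": 1304, "ppid": 1800, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT'},
    {"pid": 1240, "ppid": 1800, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM'},
    {"pid": 2280, "ppid": 1800, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'},
    {"pid": 2696, "ppid": 1800, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FAGINH~1.EXE'},
    {"pid": 2664, "ppid": 2052, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\05A309~1.EXE'},
]

# Command lines that destroy or disable recovery data (ATT&CK T1490): the
# WMIC form seen in this run plus the other common ones.
RECOVERY_KILL = [
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I),
]
DEL_CMD = re.compile(r"/c\s+del\s+(?P<target>\S+)", re.I)
RANSOM_NOTE = re.compile(r"_ReCoVeRy_(\+\w+)?\.(txt|html?|png)\b", re.I)


def same_file_83(short_path, long_path):
    r"""Heuristic match of an 8.3 short name (C:\Windows\FAGINH~1.EXE) against
    a long name (C:\Windows\faginhwrqwlh.exe). Real 8.3 generation also strips
    spaces and some punctuation, so this is an approximation."""
    sdir, sname = ntpath.split(short_path)
    ldir, lname = ntpath.split(long_path)
    if sdir.lower() != ldir.lower():
        return False
    if sname.lower() == lname.lower():
        return True
    m = re.fullmatch(r"([^~.]{1,6})~\d+(?:\.(\w{1,3}))?", sname)
    if not m:
        return False
    lstem, lext = ntpath.splitext(lname)
    return (lstem.lower().startswith(m.group(1).lower())
            and lext.lstrip(".").lower().startswith((m.group(2) or "").lower()))


def shadow_copy_deletions(events):
    """PIDs whose command line deletes or disables recovery data."""
    return [e["pid"] for e in events
            if any(p.search(e["cmdline"]) for p in RECOVERY_KILL)]


def self_deletions(events):
    """(cmd pid, parent pid, parent image) for each `cmd /c DEL <x>` where <x>
    is the parent's own executable: the parent is erasing itself."""
    procs = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_CMD.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if m and parent and same_file_83(m.group("target"), parent["image"]):
            hits.append((e["pid"], parent["pid"], parent["image"]))
    return hits


def ransom_note_opens(events):
    """PIDs of viewers launched on a ransom-note path."""
    viewers = {"notepad.exe", "iexplore.exe", "explorer.exe"}
    return [e["pid"] for e in events
            if ntpath.basename(e["image"]).lower() in viewers
            and RANSOM_NOTE.search(e["cmdline"])]


def triage(events):
    """Combine the three indicators into one verdict dict."""
    shadow, selfdel, notes = (shadow_copy_deletions(events),
                              self_deletions(events), ransom_note_opens(events))
    return {
        "shadow_copy_deletion_pids": shadow,
        "self_deletions": selfdel,
        "ransom_note_pids": notes,
        # Recovery destruction plus note display or self-deletion is a strong
        # ransomware pattern; any one indicator alone is weaker evidence.
        "likely_ransomware": bool(shadow) and bool(notes or selfdel),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

On this tree the two WMIC children (2652, 2280) trip the recovery check, both `cmd /c DEL` children resolve to their parent's image despite the 8.3 names, and notepad (1304) and iexplore (1240) are the note viewers. The 8.3 matcher is the fragile part: when real telemetry includes the parent's long path for the deleted file, compare paths directly instead.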

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    Tactic               | Technique                                  | Sub-technique                                   | Count
    ---------------------|--------------------------------------------|-------------------------------------------------|------
    Persistence          | Boot or Logon Autostart Execution (T1547)  | Registry Run Keys / Startup Folder (T1547.001)  | 1
    Privilege Escalation | Boot or Logon Autostart Execution (T1547)  | Registry Run Keys / Startup Folder (T1547.001)  | 1
    Defense Evasion      | Indicator Removal (T1070)                  | File Deletion (T1070.004)                       | 1
    Defense Evasion      | Modify Registry (T1112)                    |                                                 | 3
    Credential Access    | Unsecured Credentials (T1552)              | Credentials In Files (T1552.001)                | 1
    Discovery            | System Information Discovery (T1082)       |                                                 | 1
    Collection           | Data from Local System (T1005)             |                                                 | 1
    Impact               | Inhibit System Recovery (T1490)            |                                                 | 1


    Downloads

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ffxne.html
      Filesize

      12KB

      MD5

      77a465457a39337ab016e5a681fb67fd

      SHA1

      f0ed9afeccae8169632e534d17ffe46695f950be

      SHA256

      cdc5937c1ac0c277858fac1e4cf55106c0dae9fcc3ceb59d56005888ee3d10cc

      SHA512

      d6cf9c3ac2d47fa7415848e56d2d153b77d40353ab3b538543cd2c9e383d7edb072d2c016f6f5cccd2bb7a3dd325bd1c867dd7e3d7eb4d85227b42ed6296582e

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ffxne.png
      Filesize

      64KB

      MD5

      4dbea1200516c292070bf51150588b67

      SHA1

      e199e1e8f6d63f53c3757287dc6bc0333612cf4e

      SHA256

      9eae9b5c0d27109f757c1ac55e0b5cab19657ec1b8824d0a88b75c6f936dc0dd

      SHA512

      c47c309eb3da8ebb46144f7c629cd6d30e0230257e7dbfa8db524365de6ad279c2c1b7b222eb92a25a03bf566b3aad4a6e563ea5b928a75b30d4133ca878329f

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+ffxne.txt
      Filesize

      1KB

      MD5

      60920ef3a3e050c2aac4ab5d946ff394

      SHA1

      0879c511540c40a5a27b27e2903ea7010c45f172

      SHA256

      43fab12278d58c17b9b81afb7d9a6677a9af0bef7de07bbd112f4f6159c8ff38

      SHA512

      d27f883a2cd02104337873a2dea2a39748e9903f8ebbe6682d8e996458011035cd6f31e058d4c23c8ab87b259673d766992249efb7d3995fe77fe8a511cb414e

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
      Filesize

      11KB

      MD5

      6516e0fb6a39ed7d7aa0d7eff747638b

      SHA1

      56822f20e9d62a63b1746b226a0e6828d4fb35df

      SHA256

      0045868ba3c3cdd79f751d349cfd30d0696354739bac9e87105bf53f7a432a05

      SHA512

      e615ccdafba74e9f0476b202a38be0135d4ab35e1d8e9ec222fe28eae2183fe9d0020be86cb04811f6c984e88f52e2e9a42afc0ae594cae31d2f3325e87d1dc6

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
      Filesize

      109KB

      MD5

      5f435e5dc91b7b866acfcf48a7cc365d

      SHA1

      fa24e61df0fdeb923777d8998053e81c17e65e25

      SHA256

      47effc60f6badb6dd4917b643e4c4460a355c58098f637dcd3ee5784b3c4a96c

      SHA512

      1ebac398ddc58cbc97989a34acd65e485cf429736ba613efc051581851191ef5fb1f3eee4b201f994e60cf4cdce2f9338c3e8ee6b75c310033289c051cba3b7e

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
      Filesize

      173KB

      MD5

      3d85dda986581cb7ac087b3845ee2267

      SHA1

      3bed2614931052685178302c31421a283a7f1868

      SHA256

      f3f6b93b924bb84ef75dd44517d006ff6d3bebe6035c46c063a507f9cee6b3a4

      SHA512

      e974b22d6055caae66701d84ea26c9f9be88f6c5645d67093ead2285fd90b7257eef8721719668d9ae000f1ddb8ac286e5a8c771a02fe7d8c38536006dbc1614

    • C:\Windows\faginhwrqwlh.exe (byte-identical copy of the submitted sample: same size and hashes as listed under General above)
      Filesize

      328KB

      MD5

      05a30994821845197be5d1ebb616dbbb

      SHA1

      0bf4c283b2ecac2d8d94074248403d89754c688f

      SHA256

      73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c

      SHA512

      6bcffb9ec948aee21851e299a8a96a6c795c5546fad7d2f737ceb5f6d782975551b0f77e8e6c91450d5ee881f8e8d35eceb1944101eb94656b42a1e72c1e6073

    • memory/1800-2819-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

    • memory/1800-15-0x00000000004F0000-0x0000000000576000-memory.dmp
      Filesize

      536KB

    • memory/1800-6024-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

    • memory/1800-6030-0x0000000003050000-0x0000000003052000-memory.dmp
      Filesize

      8KB

    • memory/1800-6043-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

    • memory/1800-6052-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

    • memory/1800-6058-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

    • memory/2052-16-0x0000000001CB0000-0x0000000001D36000-memory.dmp
      Filesize

      536KB

    • memory/2052-14-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

    • memory/2052-1-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

    • memory/2052-0-0x0000000001CB0000-0x0000000001D36000-memory.dmp
      Filesize

      536KB

    • memory/2276-6031-0x0000000000160000-0x0000000000162000-memory.dmp
      Filesize

      8KB