Analysis

  • max time kernel
    119s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-05-2024 00:12

General

  • Target

    0cf1a52d9205a6a1a3db34255efae61d_JaffaCakes118.exe

  • Size

    309KB

  • MD5

    0cf1a52d9205a6a1a3db34255efae61d

  • SHA1

    5de09f3fc2f2d710da0f78dab3fb59113b2f54f6

  • SHA256

    729747338ce60f7438281ca11f62912b470bf79a37774dde8b9c556d954b56b8

  • SHA512

    984c721f6c038dbfe8287ae230b00b58a7f1ff67367b57cf84c0987e8be93020c9a132a1cb4f5755144b27494a52d732411e0ccf0efa2bd3cd7a9af230e384e0

  • SSDEEP

    6144:spxIWdiWj0ER8J64BgXtruOzyX7dEh1TXlXN39kzaPCe/:snIWdim0ER8J64Bg9ruOeJiNXjtkzj2

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THIS_FILE_SW893_.txt

Ransom Note
CERBER RANS0MWARE
---
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
---
The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
---
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/0EC9-1E6F-CA99-0099-3863
Note! This page is available via "Tor Browser" only.
---
Also you can use temporary addresses on your personal page without using "Tor Browser".
---
1. http://p27dokhpz2n7nvgr.1pglcs.top/0EC9-1E6F-CA99-0099-3863
2. http://p27dokhpz2n7nvgr.1cewld.top/0EC9-1E6F-CA99-0099-3863
3. http://p27dokhpz2n7nvgr.12t3rn.top/0EC9-1E6F-CA99-0099-3863
4. http://p27dokhpz2n7nvgr.1js3tl.top/0EC9-1E6F-CA99-0099-3863
5. http://p27dokhpz2n7nvgr.1ajohk.top/0EC9-1E6F-CA99-0099-3863
---
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://p27dokhpz2n7nvgr.onion/0EC9-1E6F-CA99-0099-3863

http://p27dokhpz2n7nvgr.1pglcs.top/0EC9-1E6F-CA99-0099-3863

http://p27dokhpz2n7nvgr.1cewld.top/0EC9-1E6F-CA99-0099-3863

http://p27dokhpz2n7nvgr.12t3rn.top/0EC9-1E6F-CA99-0099-3863

http://p27dokhpz2n7nvgr.1js3tl.top/0EC9-1E6F-CA99-0099-3863

http://p27dokhpz2n7nvgr.1ajohk.top/0EC9-1E6F-CA99-0099-3863
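Every URL in the note is the same hidden service (p27dokhpz2n7nvgr.onion) reached either directly or through five clearnet gateways that carry the onion label as a subdomain, and every one of them ends in the same per-victim ID. The following is an added example, not part of the sandbox report: it parses the note text shown above into the pieces a responder actually needs (the onion service, the gateway domains to sinkhole, the victim ID to search other hosts for) while keeping the benign torproject.org link out of the blocklist. NOTE is the report's text; the function and field names are ours.

```python
"""Pull network IOCs out of a Cerber-style ransom note.

Added example, not part of the sandbox report. NOTE is the note text the
report extracted; the function and field names are ours. The aim is to
separate the actor's hidden service from the clearnet gateways that front it
(both get blocked) and to recover the per-victim ID that every URL carries,
while leaving benign links such as torproject.org out of the blocklist.
"""
import re

# Ransom note copied from the sandbox report (the only input this example uses).
NOTE = """CERBER RANS0MWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT
FILES HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive
the private key and decryption program. To receive the private key and
decryption program go to any decrypted folder, inside there is the special file
(*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If
you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the
instructions below: --- 1. Download "Tor Browser" from
https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your
personal page here: http://p27dokhpz2n7nvgr.onion/0EC9-1E6F-CA99-0099-3863
Note! This page is available via "Tor Browser" only. --- Also you can use
temporary addresses on your personal page without using "Tor Browser". ---
1. http://p27dokhpz2n7nvgr.1pglcs.top/0EC9-1E6F-CA99-0099-3863
2. http://p27dokhpz2n7nvgr.1cewld.top/0EC9-1E6F-CA99-0099-3863
3. http://p27dokhpz2n7nvgr.12t3rn.top/0EC9-1E6F-CA99-0099-3863
4. http://p27dokhpz2n7nvgr.1js3tl.top/0EC9-1E6F-CA99-0099-3863
5. http://p27dokhpz2n7nvgr.1ajohk.top/0EC9-1E6F-CA99-0099-3863 ---
Note! These are temporary addresses! They will be available for a limited
amount of time!"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[^\s\"<>]*)?")
# v2 (16-char) or v3 (56-char) onion label, base32 alphabet
ONION_RE = re.compile(r"^([a-z2-7]{16}|[a-z2-7]{56})\.onion$")
# Cerber-style victim ID: dash-separated groups of four hex digits in the URL path
VICTIM_ID_RE = re.compile(r"^/([0-9A-F]{4}(?:-[0-9A-F]{4}){2,})/?$")


def extract_iocs(note: str) -> dict:
    """Classify every URL in the note and collect the actor-controlled hosts."""
    urls = URL_RE.findall(note)

    # First pass: learn the onion label(s) so gateway hosts can be recognised
    # by prefix (gateways use "<onionlabel>.<gateway-domain>").
    onion_labels = set()
    for host, _ in urls:
        m = ONION_RE.match(host)
        if m:
            onion_labels.add(m.group(1))

    iocs = {
        "onion_services": [],   # e.g. p27dokhpz2n7nvgr.onion
        "gateway_domains": [],  # clearnet proxies fronting the onion, e.g. 1pglcs.top
        "hosts_to_block": [],   # every FQDN tied to the actor, for a DNS blocklist
        "victim_ids": set(),    # should be exactly one per note
        "other_hosts": [],      # anything else linked (here: www.torproject.org)
    }

    def add(key, value):
        if value not in iocs[key]:  # keep first-seen order, drop duplicates
            iocs[key].append(value)

    for host, path in urls:
        label, _, parent = host.partition(".")
        if ONION_RE.match(host):
            add("onion_services", host)
        elif label in onion_labels and parent:
            add("gateway_domains", parent)
        else:
            add("other_hosts", host)
            continue  # not actor infrastructure; no victim ID expected
        add("hosts_to_block", host)
        m = VICTIM_ID_RE.match(path or "")
        if m:
            iocs["victim_ids"].add(m.group(1))
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE).items():
        print(f"{key}: {sorted(value)}")
```

Two things worth noticing in the output: the gateways are recognised purely by carrying the onion label as their first DNS label, so a new "temporary address" added to a later note would still be caught without changing the code, and the .onion name is a 16-character v2 address, which the Tor network stopped serving in 2021, so for this sample only the clearnet gateways could ever have resolved.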

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016. This sample drops its ransom note on the Desktop in three formats (.txt, .hta and .jpeg) and opens the .txt copy with notepad.exe and the .hta copy with mshta.exe.

  • Blocklisted process makes network request 5 IoCs
  • Contacts a large number (1095) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For Cerber specifically, it is more likely the family's UDP statistics beacon, which it sprays across whole IP ranges rather than sending to a single C2 host.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cf1a52d9205a6a1a3db34255efae61d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0cf1a52d9205a6a1a3db34255efae61d_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\0cf1a52d9205a6a1a3db34255efae61d_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\0cf1a52d9205a6a1a3db34255efae61d_JaffaCakes118.exe
      2⤵
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
        3⤵
        • Modifies Windows Firewall
        PID:2204
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall reset
        3⤵
        • Modifies Windows Firewall
        PID:2656
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_Q5RI9YO2_.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        PID:2348
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_SW893_.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2424
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "0cf1a52d9205a6a1a3db34255efae61d_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2080
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:292
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1984
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
      PID:1696
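The tree above is the whole post-encryption cleanup chain in one place: the sample spawns a copy of itself (PID 2412 to 1352, with SetThreadContext and WriteProcessMemory flagged on the parent), the copy resets and re-enables the Windows Firewall through netsh, renders the .hta ransom note with mshta.exe, and finally spawns cmd.exe, which runs taskkill against the sample's own image name and a single ping to 127.0.0.1 as a delay before deleting the file. Below is an added example, not part of the sandbox report, of detection logic that recognises this chain from process-creation events alone. EVENTS is constructed from the tree (same images, command lines and PIDs; the parent PID of the first process is a placeholder because the report does not show it), and the event schema and rule names are ours, standing in for a Sysmon Event ID 1 or EDR process-start feed. Note that the command lines say system32 while the images resolve to SysWOW64: the 32-bit sample is subject to WoW64 file-system redirection, so the rules match on the image basename rather than the full path.

```python
"""Detect the Cerber post-encryption process chain from process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree (same images, command lines and PIDs; ppid 1000 for the
first process is a placeholder the report does not show). The event schema
and rule names are ours.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0cf1a52d9205a6a1a3db34255efae61d_JaffaCakes118.exe"
SYS = r"C:\Windows\SysWOW64"

EVENTS = [
    {"pid": 2412, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1352, "ppid": 2412, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 2204, "ppid": 1352, "image": rf"{SYS}\netsh.exe",
     "cmdline": r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"},
    {"pid": 2656, "ppid": 1352, "image": rf"{SYS}\netsh.exe",
     "cmdline": r"C:\Windows\system32\netsh.exe advfirewall reset"},
    {"pid": 2348, "ppid": 1352, "image": rf"{SYS}\mshta.exe",
     "cmdline": rf'"{SYS}\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_Q5RI9YO2_.hta"'},
    {"pid": 2424, "ppid": 1352, "image": rf"{SYS}\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_SW893_.txt'},
    {"pid": 2416, "ppid": 1352, "image": rf"{SYS}\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2080, "ppid": 2416, "image": rf"{SYS}\taskkill.exe",
     "cmdline": 'taskkill /f /im "0cf1a52d9205a6a1a3db34255efae61d_JaffaCakes118.exe"'},
    {"pid": 292, "ppid": 2416, "image": rf"{SYS}\PING.EXE", "cmdline": "ping -n 1 127.0.0.1"},
]

FIREWALL_RE = re.compile(r"advfirewall\s+(reset|set\s+allprofiles\s+state)", re.I)
HTA_RE = re.compile(r"\\users\\[^\"]+\.hta\b", re.I)
TASKKILL_IM_RE = re.compile(r'/im\s+"?([^"\s]+)"?', re.I)


def basename(path: str) -> str:
    """Lower-cased file name; immune to WoW64's system32/SysWOW64 redirection."""
    return ntpath.basename(path.strip('"')).lower()


def detect(events):
    """Return (rule, pid, evidence) tuples for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    def ancestor_names(e):
        names, p = set(), by_pid.get(e["ppid"])
        while p is not None:
            names.add(basename(p["image"]))
            p = by_pid.get(p["ppid"])
        return names

    findings = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        # T1562.004: reset the host firewall / flip all profiles via netsh
        if img == "netsh.exe" and FIREWALL_RE.search(cmd):
            findings.append(("firewall_tamper", e["pid"], cmd))
        # T1218.005: mshta rendering an .hta that lives under a user profile
        if img == "mshta.exe" and HTA_RE.search(cmd):
            findings.append(("hta_from_user_profile", e["pid"], cmd))
        # A binary spawning an identical copy of itself is the process-level view
        # of the SetThreadContext/WriteProcessMemory self-injection; weak alone.
        parent = by_pid.get(e["ppid"])
        if parent is not None and parent["image"].lower() == e["image"].lower():
            findings.append(("self_spawn", e["pid"], e["image"]))
        # T1070.004: cmd.exe whose children taskkill an ancestor by image name and
        # ping loopback once (a delay until the file handle is released) is the
        # classic delete-self batch.
        if img == "cmd.exe":
            kids = children[e["pid"]]
            killed = set()
            for k in kids:
                if basename(k["image"]) == "taskkill.exe":
                    m = TASKKILL_IM_RE.search(k["cmdline"])
                    if m:
                        killed.add(m.group(1).lower())
            pinged = any(basename(k["image"]) == "ping.exe" and "127.0.0.1" in k["cmdline"]
                         for k in kids)
            overlap = killed & ancestor_names(e)
            if pinged and overlap:
                findings.append(("self_delete_chain", e["pid"], sorted(overlap)[0]))
    return findings


def triage(events):
    """Summarise: three or more distinct rules on one tree is treated as a ransomware-like chain."""
    findings = detect(events)
    rules = {rule for rule, _, _ in findings}
    verdict = "ransomware_like_chain" if len(rules) >= 3 else ("suspicious" if rules else "clean")
    return {"verdict": verdict, "rules": rules, "findings": findings}


if __name__ == "__main__":
    result = triage(EVENTS)
    print(result["verdict"], sorted(result["rules"]))
    for rule, pid, evidence in result["findings"]:
        print(f"  {rule:22} pid={pid:<5} {evidence}")
```

The self-delete rule is the one that carries the most weight: taskkill on its own and a loopback ping on its own are both common in legitimate scripts, but a cmd.exe whose children do both, with the killed image name equal to one of cmd.exe's own ancestors, is almost always malware removing its dropper. Matching the taskkill target against the ancestor chain rather than a hard-coded file name is what keeps the rule useful when the sample is renamed.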

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar4B3A.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\Desktop\_READ_THIS_FILE_Q5RI9YO2_.hta

      Filesize

      74KB

      MD5

      a66da95a2ba88e60b6a6aaa2405cdecc

      SHA1

      97782a1bd8235dd86cea9d2c29db24143557157e

      SHA256

      efb486f93f7b691af1a500e7f419f8a2f829bbf00a71ebf73a48a551a2490b2e

      SHA512

      f6e1f40dd427d05f1130915d103e938fd3bec4789be7e983930a9a7bc5171f1a8a671da895d842497a7bdcd9a5fe582e914d0f2e7d336c38ed6c49eb75fad5b4

    • C:\Users\Admin\Desktop\_READ_THIS_FILE_SW893_.txt

      Filesize

      1KB

      MD5

      e0d1f2447463aa10625d35dfa58546ff

      SHA1

      1ddf6db4ad385f5d95db0c6a52f3e223dac4139c

      SHA256

      1dd3ed84447ea5e60c4d0e5d0b215b2f913971670e6dfe513036912d2ca712f7

      SHA512

      baaf26a00bde3ecb3c1b02dfd07f82b4251c49151749a4727ac12b1cdec4c1db2d239e536c6adbf615f8df160dad6e4776d53da39d732353914361417d0f5966

    • C:\Users\Admin\Desktop\_READ_THIS_FILE_VSSMZS_.jpeg

      Filesize

      150KB

      MD5

      bf58d28f22d6e6ddc3760caad27b8a7e

      SHA1

      e80165a9cdee98e809b21f431896bcfeb905a93b

      SHA256

      3628a44be4c40f3fd0bb5f3c1f43270bc9251385302faace6f3e60933bbba788

      SHA512

      9e49b04e3ba74403aebf2843e7144c335cf2df3a9d1b1fd9dd2b0aedadb886ae6493163781a50aa939c2ceb7feabaa62132a43665c23a66bcedb51ade7d46d2e

    • memory/1352-9-0x00000000011D0000-0x0000000001208000-memory.dmp

      Filesize

      224KB

    • memory/1352-7-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

    • memory/1352-8-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

    • memory/1352-10-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

    • memory/1352-13-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

    • memory/1352-17-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

    • memory/1352-77-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

    • memory/1352-2-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

    • memory/1352-319-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

    • memory/1352-103-0x0000000000560000-0x0000000000562000-memory.dmp

      Filesize

      8KB

    • memory/1984-104-0x0000000000160000-0x0000000000162000-memory.dmp

      Filesize

      8KB

    • memory/2412-0-0x00000000011D0000-0x0000000001208000-memory.dmp

      Filesize

      224KB

    • memory/2412-5-0x00000000011D0000-0x0000000001208000-memory.dmp

      Filesize

      224KB

    • memory/2412-6-0x0000000000020000-0x0000000000023000-memory.dmp

      Filesize

      12KB

    • memory/2412-1-0x0000000000020000-0x0000000000023000-memory.dmp

      Filesize

      12KB