Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
04-05-2024 11:23
General
-
Target
128288b15bfc1adbb1fa5e30154d1a22_JaffaCakes118.exe
-
Size
312KB
-
MD5
128288b15bfc1adbb1fa5e30154d1a22
-
SHA1
1973d1e928f2bbc67644b772f4ca7c453a503753
-
SHA256
ea366505a9ffb1007fc9abb732c0a9c418df6abdf5c4b27b15ceb4595fd1a878
-
SHA512
15d17a1892d55f22c5a6d6fe11abc14d2c71f577e0cb513a7d6b6861d6fd10ec685dd115e0ace0002e1a34fec4b11891e8b2112e501cd17d46dae326b11e7f3d
-
SSDEEP
6144:LmKDzqaykFTZ8w5OAIfw6mkgVA/fSBVOBrKNudQm7dn8e6E:LmK3qaowwrfzHSBVmKAz7dn8
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+vlnsc.txt
teslacrypt
http://po4dbsjbneljhrlbvaueqrgveatv.bonmawp.at/62E246D0E2E0296
http://u54bbnhf354fbkh254tbkhjbgy8258gnkwerg.tahaplap.com/62E246D0E2E0296
http://w6bfg4hahn5bfnlsafgchkvg5fwsfvrt.hareuna.at/62E246D0E2E0296
http://xlowfznrg4wf7dli.ONION/62E246D0E2E0296
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (893) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\128288b15bfc1adbb1fa5e30154d1a22_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\128288b15bfc1adbb1fa5e30154d1a22_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\128288b15bfc1adbb1fa5e30154d1a22_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\128288b15bfc1adbb1fa5e30154d1a22_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\vmghdxirutnw.exeC:\Windows\vmghdxirutnw.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\vmghdxirutnw.exeC:\Windows\vmghdxirutnw.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffe638646f8,0x7ffe63864708,0x7ffe638647186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15825514376307942616,6769598447093374021,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15825514376307942616,6769598447093374021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15825514376307942616,6769598447093374021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15825514376307942616,6769598447093374021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15825514376307942616,6769598447093374021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15825514376307942616,6769598447093374021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15825514376307942616,6769598447093374021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15825514376307942616,6769598447093374021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15825514376307942616,6769598447093374021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15825514376307942616,6769598447093374021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15825514376307942616,6769598447093374021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VMGHDX~1.EXE5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\128288~1.EXE3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5c42938dda345451045d6062952ff3c65
SHA1812ab98242ab84d084efa4356bd3f7355fb5ca59
SHA256347d845a4992f19ab47b60223001957a0f747380aa690fbc2873f387542afbbb
SHA512489d8ffafc8ea202f614af4f931f3e19810874d2c8649db7af0b4a8a200a0bb16e64a5431bdba6c60ecdd40e2cdaca4b9115ac85bdec1d67cf4ea25276cac78d
-
Filesize
64KB
MD570a209557e8dc67206e6632c74b69c3c
SHA10c07e843251fe41a6eb09cc4fb08d7d97841b208
SHA2564d4013f29c54029dadf645376394fb39f41fddc0ea5f7c15b6c20a496e19a383
SHA512e8f8553a1dd22933f34c0e6f6f32f3d64c9382c161d9b9ad9409452ead84032a45bee773e3b45f156ab94706efc20fe0fdd5511c770ebf5a9633d45fd8cfa64d
-
Filesize
1KB
MD5355fc75e5ea4323b3836610c812528e5
SHA1a4f5888bb44dcd3eacfc16a2c4259c787acf0adf
SHA256847fab00a65984c7f5cac7bbddbb175087218a3ceb1ba92556b18e0d62afdd32
SHA5124fbdbecc055e8194b5a1bd028f375466d7198505ef76d2191c5a9b7c8aba3f2c7ab756484352c0ad9f47f7bcaa898f2449e15ec1d4b91602a60b84a4fa134c21
-
Filesize
560B
MD56720c1f1499c7ed9d690ee0388840ad1
SHA1621998db2953ece4ac8105a05feeefd949b34fe2
SHA2564f6a7bdb47fa77bba0ec88f20c610c24d1f888a55c52c4eafbcf5fcc04141e15
SHA5125a55acab3cbef850a6a9682dddbd5f98e7e55311fd6a69d94a0daa1080fe2e5d1ab3ca6bae6e48f54a0bac263331817a257ec0bd32471dce69303622770be843
-
Filesize
560B
MD57a0d79d931b4906fcb0e45faf10e8dd8
SHA1e153ad86da8b332ec330581d8281b85b2f41257a
SHA2569f0b12098000644550a9ec09faecd0333343e7d9915e2ba810ba949f6e055f68
SHA512c3cc34411c3565ece28f3e887a7afc18062982747018302e4fe05c8ccee9622fa32dac9e22feda792c3eea2a5ad486b0c4a144012a9bd986e5c98a8426aa80e0
-
Filesize
416B
MD544d2a763ed6a0295f598b6bebfbf3edd
SHA1b1648ccdf8731beda9a83b0bcd6c7dc7c273aebc
SHA256030ed7c70e12541039459cef613edf62c393b6fb112171e96cab174a9e558541
SHA51211cc0e95842cd65ffa69ca576130f863eb75cb908575048fce2737d0695b08443831ac967ad1fab1fc67ade9d4622aa4f88fa6ecaa15b01fd012937b79dcd0bd
-
Filesize
152B
MD5a9e55f5864d6e2afd2fd84e25a3bc228
SHA1a5efcff9e3df6252c7fe8535d505235f82aab276
SHA2560f4df3120e4620555916be8e51c29be8d600d68ae5244efad6a0268aabc8c452
SHA51212f45fa73a6de6dfe17acc8b52b60f2d79008da130730b74cc138c1dcd73ccc99487165e3c8c90dc247359fde272f1ec6b3cf2c5fcb04e5093936144d0558b75
-
Filesize
152B
MD5dbac49e66219979194c79f1cf1cb3dd1
SHA14ef87804a04d51ae1fac358f92382548b27f62f2
SHA256f24ed6c5bf4b734a9af4d64e14a80a160bea569f50849f70bf7b7277c4f48562
SHA512bb314d61f53cf7774f6dfb6b772c72f5daf386bc3d27d2bb7a14c65848ee86e6c48e9c5696693ded31846b69b9372a530175df48494e3d61a228e49d43401ad1
-
Filesize
6KB
MD590226d01507ce276ed3ae3aef90ebf86
SHA1afa3951ce91eebb922348d24597bdc62ae1e155e
SHA256608dbfae5dc078557f488564e989882ab1e48c857dda2a931b730add6eca6269
SHA51294c0243af7f9bf293af01ccbe657efbe1bf266d1dced265e102cc53769a5b0620b3b640d4694677e376e9bd0240e8a5324abbbb315d139ebb08de8827c55951a
-
Filesize
5KB
MD5b35daa0098f9f2935ebc5e514de6cfe4
SHA13d09265ca2788be00066229683dd9ae03bf1b356
SHA256b88ceb5836e7c32428367cc1ebdb8e7e1706d199e0fa971a7785d216c3150b7a
SHA51267add189f9730d648a50051bc94c5aa77cc152fc446b5753087ce5ec885e4442c0926a814f19c56b23b4fc63975de2414eca5ff4a5077e5ddab21f5649f289f6
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD557add061abddd55afb75d89985f105f5
SHA1f82007a2e19b953b58f73cc061e59ce1556a1487
SHA2563f21a71adcb76596d6bb490786bec2c1cff94f74161dc622c6533d54ee3d5ff0
SHA512c72a0c3b6802c82640d067a66e19a3b50e29418b68f598604faeb1b29ab76150a90c7767a32c47511f9e658af96c6fc3c340afe27f993086507b7909106242a3
-
Filesize
77KB
MD563ec4a337baa76f3af69501789310003
SHA11a2f477c5d070734b5a067e606461350d636c3c2
SHA25643cd635919ab6402b4fe7c34d12f7dd7c44facdaacc074b395b0d56b95676660
SHA5121f95ef7684380d23f1aac20a5107959a6085ecad7c68e5d0eb920e564537232c2992f05aee455fc5bed55dc9e854249cff43bd66989c2dfe84e9bc66b4e3f27e
-
Filesize
47KB
MD522338a982d1943935d6a64250949c17d
SHA1951001836b8da614b8d846e577021ab7eb3d4547
SHA25663167b9f9bc5bb6cbad49f823e3192f9f89fdfcd625d077ad7ca71ac35dad4ca
SHA5126cd00a89fa855e4ea5eca7302f1319efb5c1771b84b431fab2c6ec299441e108db5fe2496c183ca5fc7aaffda398b1c2b5c6c10129ba17ac41e88334fc3a531a
-
Filesize
75KB
MD57b5856cf37cc7359e75b49579555fc8a
SHA127e359515eefd095c4138db5749371484cf305e5
SHA2565e0d2534fb66a643bb4c01fe1ec435b44f075f376dca74504be8e3c569c06acb
SHA5126b8a5a2969cb3c5960fc05e9e9a34427bec3aedbd1ef46de29c10b9af6bf286ab4ef8c4a28c1bdb51fb47e9b49021d6fcb53182b776239ee36271bb751aec18d
-
Filesize
312KB
MD5128288b15bfc1adbb1fa5e30154d1a22
SHA11973d1e928f2bbc67644b772f4ca7c453a503753
SHA256ea366505a9ffb1007fc9abb732c0a9c418df6abdf5c4b27b15ceb4595fd1a878
SHA51215d17a1892d55f22c5a6d6fe11abc14d2c71f577e0cb513a7d6b6861d6fd10ec685dd115e0ace0002e1a34fec4b11891e8b2112e501cd17d46dae326b11e7f3d
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
848KB
