globeimposter | cac09c5751194795eb27b2daf641bee4afbcb1638095d7055e89c9c505af038f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe
Size

159KB
MD5

19771cc7d4a738eb3e879d7a537dc260
SHA1

eb8b05f48826a090c3f84d468d3986a121bc0cd5
SHA256

cac09c5751194795eb27b2daf641bee4afbcb1638095d7055e89c9c505af038f
SHA512

688c47b760c6ba14ede8c1e5bb708e5ade001b0e866c6a87139a452fe9cca0d0bd88967ad4ed80f0129d30e7c7fdb9d839c5e0f051a28bceaec9c776f26df549
SSDEEP

3072:fydfi5NYbjCOqGRhEkH8f4n3fIfkBo6Yn3EWejU:fyhi5N+OOLRikH8fEgsLYUO

Score

10^/10

globeimposter persistence ransomware

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe"	19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini	19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2752 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe

pid process

3024 19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2752 taskkill.exe

pid	process
2752	taskkill.exe

pid	process
3024	19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2752	taskkill.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe

description	pid	process	target process
PID 3024 wrote to memory of 2752	3024	19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe	taskkill.exe
PID 3024 wrote to memory of 2752	3024	19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe	taskkill.exe
PID 3024 wrote to memory of 2752	3024	19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe	taskkill.exe
PID 3024 wrote to memory of 2752	3024	19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19771cc7d4a738eb3e879d7a537dc260_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /T /PID 3024
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3024-3-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3024-2-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/3024-32-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3024-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download