Analysis
-
max time kernel
119s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
08-05-2024 23:04
General
-
Target
27218f3e3ad161ad86b3c599c9c7ea13_JaffaCakes118.exe
-
Size
336KB
-
MD5
27218f3e3ad161ad86b3c599c9c7ea13
-
SHA1
b4eb82e32f83b49e33995fbd9753480c9ef65165
-
SHA256
0ab4f1d946f9490a33caffeea59cb1804153e9cd0cfc0718150445f848d16043
-
SHA512
8b48dc4aa817faa1c32d33d5bf9860a2922cd1b7d7d94dd97c35d27264fad23f9ab64be735021c5523023bf1b548a352e8736ee4847407548921c5ab27361a85
-
SSDEEP
6144:hn2N3RE4bQWd1YUd2bLE6Bc2Oa+QdAdFAMcrew/:h83RECYUsZea+UVMcrF/
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+jdjwt.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/104763238AAE2F72
http://tes543berda73i48fsdfsd.keratadze.at/104763238AAE2F72
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/104763238AAE2F72
http://xlowfznrg4wf7dli.ONION/104763238AAE2F72
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (430) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\27218f3e3ad161ad86b3c599c9c7ea13_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\27218f3e3ad161ad86b3c599c9c7ea13_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\27218f3e3ad161ad86b3c599c9c7ea13_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\27218f3e3ad161ad86b3c599c9c7ea13_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uqmyhdvajtow.exeC:\Windows\uqmyhdvajtow.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\uqmyhdvajtow.exeC:\Windows\uqmyhdvajtow.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UQMYHD~1.EXE5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\27218F~1.EXE3⤵
- Deletes itself
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5286142ccccfd074ab1b0b3af3de56595
SHA16818b56f205510aa2f55e158a58b66751a2c6f1f
SHA256f664b947b671b0fe1887399c5b1a6177dc7e004855fc296d167a595538894a39
SHA512cad7d72829aeaa46af920fd41d1f7e0144bd4601f3cf928586321d1b8603cb0bfae09b3fd96dfcae222f82a879a57a494d22eaab5db41a0938f6ce2ef471c8ca
-
Filesize
62KB
MD5960415c09623027328330a6f74cbe660
SHA1d1a13bb18dcdf911b179ae350db158d23137c986
SHA25603a71a49c6efe226c7f12943e3cc68596037566924b3238086f8177f80b54a3b
SHA51296cbfa133e7028b45f8604ff3093e1ea41cc739c1374c96bb82c19ecbf7544acf48bc5318adc34d87b7363a4be13f5c8f4068dd37eab60089c6925d6398bc1ee
-
Filesize
1KB
MD5178eefe2659bf5ff77d9ac5474a9913d
SHA1dec14d674bb3129ee9bedde06769879a05fda7d9
SHA256d7e84a869b4fa54248d18885ba4501b37f7f81a285c4deb1aae5cb9ed0940d36
SHA512e762ad81952af8845b3f4aa952f1fa1c95624fed75fca7a5b0fc37e285148f9395d5f11d5959a9971deafcb2e2c4f13eb59e3a581946ff0f72c848805edb2480
-
Filesize
11KB
MD5ee052bf3597f278d933ef96299ae5a7a
SHA120c89e28cce9c34f153f9d3b96c418b4683ad536
SHA2568afa96e8afc73c4f64179814e88303ce0ce103b5712b8e7bdacd1ae9049a4eaa
SHA5120d87c7bd2099fbf3c6abcdb3c32583cdf8259993301477926f3a9bde1251407750e0ed7b8b00a723e85f11ca3c3cc950a0f1009c14667270e71fa6b5f38bc50f
-
Filesize
109KB
MD587ff1388c65d7c053103c28f55b9200c
SHA16851bb25431111fa8d2f548a13c414b2db43f8ec
SHA2565661c0da3c6438f3ef8720601922418c6c8ec97719d7b50f0aa56d075ba4e81b
SHA512a04c6be79ad3830b517f917edeed0fe62763119f64c10c8e83cc25d591bed02be963c4a2fb510b352a14a2672e033f5043bc236180e1bb0ff078620ee245ab9d
-
Filesize
173KB
MD5661e66b4ea6865fc46be4889990429d4
SHA192a4ebfe0dd31586c2a380b1a0253f5f76854ea3
SHA256088ac1e848a59f14234a7676a583dce1063bdd85d6149dc7d52e58f27e18ee89
SHA512bb64f18bfc8c5fd455177c9a778a3d024c37f422e12c179ea7b8ca5d4fd9b84d51c75b0b4d5ed5e917ccc4fdc38ec9ddfffbee02cf659ab13d01682a49ad1380
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
344B
MD53f4bc2659ab58440983894a02423c013
SHA11b0cf7ad740f7142ac1c26fa82856c84307ca3ac
SHA2569c4fd3f211a8752c04fd74fa3367cecd9feaa890425a11faa6c29472957addac
SHA51263fc16ddc29f3709ea0983b4dfa7e28b355d5a5b6d9f65d60ee4fb6d23603f6e4a6b31198fea70fa8874943be1a91e6d320c1f2046ffda66f2cd6b1587df2b2a
-
Filesize
344B
MD51d9a6cfd59a96d9e165d59d8cd56ed26
SHA14f174f7700403eb00ba79976a5e6ac748f38f0f1
SHA2567ad599f871b9d21c1f77e09ce098b72a5e78bbbb32e50bfa041dd127595f6b01
SHA512ec9d867231ee191a0b61d6cf83e27149bb717528ddaf6a1aa696c5c9b2a2417e6a09a4703cb289e8ef210fb2c51b006b4e248eccbe1816d69c245380e44f5651
-
Filesize
344B
MD50ef9e39250bfb75fb83a693fcbefb7d4
SHA12428e81a65132a816a6222d8b39297d29cb9dd98
SHA2561f03a291a3e16994326cd7c8da4899fe793943e7b9aeba8e98eedc5d181d1527
SHA51218086dfbeedb819946231f0a669640f9e6069d62f6a1039d729c51d968dafffd42f313011abe0b3e25366b9dbc4dbb585c30357c31566873ad8297611d8beeaf
-
Filesize
344B
MD548bb15e3041fef957a7e9f4b0d1863ad
SHA10d6163b4983a632aeb6041615db16b0163d2299b
SHA2569d6f2bb3d34e9bd32c73be92105736dde2a0665228e53255e6d5beef78789388
SHA512b9d29af28a1544a1de448cfb5746ed08454e4ee47d6807d05dfbaae9dc4ccfe08c10eb7a53b80e2e1fd103cc35fbd829068386e95b81a9e911adb9d113f044a7
-
Filesize
344B
MD595954d194b030fdd9c99d0bdcaaf88f8
SHA1f6af7af9aa39c55c78b3d260ae077fcf40b7f065
SHA2567b4143f72f6b07cd1fa99bb6376bbcf899679f667c1850087e484a7b2ad35c94
SHA51285de6e421847ab861cfcc338adae2fae8c9238f8e6fcfb327cb9288d9377bfde2b94bd9f85ff64d211ea7fb79773c028486df9f6b28ebf9bf1e43d4fa1882981
-
Filesize
344B
MD53273ead0dc2b3d95bcb01cd2ffdf0fa3
SHA15f3936c69c5bdbcad31f6e9e4ec58d88d904f68b
SHA256b0d480dafe59c9daff65d7a8521cb5d0612d88d3a116a7f1e1a5c2bab6750fa4
SHA512cc6d86f31c95e515916be43e0f5386445193ff32fd3852c3e9ea47465f34b5d988489ff4e3a17633deb1b4f551c9eb68df128df7cc078be3698491ceadf6a891
-
Filesize
344B
MD5e75c6d13e34aedcabd138893b9bb3ca7
SHA1e4d110afd071c347e15881d798d8ebe1e1477bf1
SHA25613af4c66cfc2b2861a6e74056f1e1f27600466ae8a74e871ff2607aa5f9ccd24
SHA512cf3235ae3e7fc7ba92617d7185465a8f09404afed595f2917411828847dfd273c6255961170b809b1350306ca6fbbcbd328bc6698de2002ceb30c821bac61a2e
-
Filesize
344B
MD53acdff7d8613fe08012b8b58ef7ca817
SHA10e7cc4fd26f4c8faf04c55678fb7d19036f6f51b
SHA256fd79cb3cdc32c18702ae3b2a7ea63685c5066c62e1ea4a1dd49053411d844896
SHA5128341ec31bf21a63b97ed03fcbea7f863a7cb16aa110d483cc972e1367dbf5adcc85c9b00fa8c4e1e753c952650abb136fcd3299818411f120a9e2035c5ddfd4f
-
Filesize
344B
MD50e66bb8cf0972ba5c5cd35abb0ba76e7
SHA114b1b67b365801405ea9451363b1ff715c1e73ef
SHA256ceea1aad91d7cbe95a4fe626f05a16f89f770f8b287b8a567135a0c368d77664
SHA5122150f22f4098c7963b8ffab08da08972edf69e7a5964fd2e22bfc05b731308d0e91c18f0291de369eb6f1006fdd362276c6676d91b5a3fa956f764e8dc53af65
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
336KB
MD527218f3e3ad161ad86b3c599c9c7ea13
SHA1b4eb82e32f83b49e33995fbd9753480c9ef65165
SHA2560ab4f1d946f9490a33caffeea59cb1804153e9cd0cfc0718150445f848d16043
SHA5128b48dc4aa817faa1c32d33d5bf9860a2922cd1b7d7d94dd97c35d27264fad23f9ab64be735021c5523023bf1b548a352e8736ee4847407548921c5ab27361a85
-
Filesize
8KB
-
Filesize
532KB
-
Filesize
4KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
8KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
2.0MB
