20a4fd18c1fe601d46575a2767a88e786209f652daf12d1766c3757f219ecd60

General

Target

231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe
Size

554KB
MD5

231c717aa085001e0c1ed45bdd748dac
SHA1

1fdf786fcfc1debc52e9eb3c045f85a7b3ae990e
SHA256

20a4fd18c1fe601d46575a2767a88e786209f652daf12d1766c3757f219ecd60
SHA512

1cc979c1b7687955faa338a04435dce25ca3856d8eed1e6252b0b10760d05373ebf2aaf0be28846b5cbcb470678d017da19f51a90af5158b088184b2b26d367d
SSDEEP

12288:YQjLuRE4xKR72qKoe/ZWsYUxUKQzZZQZsqtOqQ:nLueaKR72qKoe/EhdKYavQ

Score

9^/10

defense_evasion evasion execution impact persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ajijameh = "\"C:\\Windows\\ajywilok.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 1952 set thread context of 2596	1952	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	29

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ajywilok.exe	explorer.exe
File created	C:\Windows\ajywilok.exe	explorer.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2648	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	384	vssvc.exe
Token: SeRestorePrivilege	384	vssvc.exe
Token: SeAuditPrivilege	384	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1952	2488	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	28
PID 1952 wrote to memory of 2596	1952	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	29
PID 1952 wrote to memory of 2596	1952	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	29
PID 1952 wrote to memory of 2596	1952	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	29
PID 1952 wrote to memory of 2596	1952	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	29
PID 1952 wrote to memory of 2596	1952	231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe	29
PID 2596 wrote to memory of 2648	2596	explorer.exe	30
PID 2596 wrote to memory of 2648	2596	explorer.exe	30
PID 2596 wrote to memory of 2648	2596	explorer.exe	30
PID 2596 wrote to memory of 2648	2596	explorer.exe	30

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\231c717aa085001e0c1ed45bdd748dac_JaffaCakes118.exe"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\system32\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies Internet Explorer Phishing Filter
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:2648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ywynugoxasijikec\01000000

Filesize
554KB

MD5
ce799cdfb540717e13b5ddabe359cc42

SHA1
8d275189f324af52da4f4f1869b804ba31d0ffb7

SHA256
04d265d7a1148e77300ffe7994bb184efe8330ed1306648afb219af2dfa33dab

SHA512
cf1f5d155dc5e90e625f5c70765f4ea916f53c3db3625fb877b49a960b34cec3f500a9c660ce6bf50e0956619013fceb26b6e5e058278bacaa789f34bf142fdb

Download Submit
memory/1952-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1952-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-3-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-26-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1952-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2596-19-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2596-20-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2596-29-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2596-32-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads