Analysis

  • max time kernel
    121s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2024 01:23

General

  • Target

    27a1a9c435a7b0c6a6378df7650b40b6_JaffaCakes118.exe

  • Size

    463KB

  • MD5

    27a1a9c435a7b0c6a6378df7650b40b6

  • SHA1

    5f8d911d9de5657796249f58c0bbbbe53855965d

  • SHA256

    e1e9fbb956e75509617c8b686615bf41970a42ea12003761fbd9250025423a5c

  • SHA512

    03d0e0ced6cdab6b4d67c184084ade32a91b8f98a6c8e7d8be2a12b2b51a26c5bc8cbd4078b657cefc2e0a603b271ffc051c25b5c7e7af82b621ab800fa7c9b7

  • SSDEEP

    6144:5UdWaUY7z6hzuaPOqUjHE6QsMsDWMP/Ibw8MfWTAxbg:5UdWa5z6hzuaPOqMxQsD1P/s1OWkW

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_M89EN_.txt

Ransom Note

    ----- !!! CERBER RANSOMWARE !!! -----
    YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED
    -----
    The only way to decrypt your files is to receive the private key and decryption program.
    To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files.
    If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
    -----
    1. Download "Tor Browser" from https://www.torproject.org/ and install it.
    2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/91D0-20A7-32EF-0099-35E8
    Note! This page is available via "Tor Browser" only.
    -----
    Also you can use temporary addresses on your personal page without using "Tor Browser".
    -----
    1. http://p27dokhpz2n7nvgr.1j2ien.top/91D0-20A7-32EF-0099-35E8
    2. http://p27dokhpz2n7nvgr.1nhkou.top/91D0-20A7-32EF-0099-35E8
    3. http://p27dokhpz2n7nvgr.1a7wnt.top/91D0-20A7-32EF-0099-35E8
    4. http://p27dokhpz2n7nvgr.1czh7o.top/91D0-20A7-32EF-0099-35E8
    5. http://p27dokhpz2n7nvgr.1hpvzl.top/91D0-20A7-32EF-0099-35E8
    -----
    Note! These are temporary addresses! They will be available for a limited amount of time!
    -----
URLs

http://p27dokhpz2n7nvgr.onion/91D0-20A7-32EF-0099-35E8

http://p27dokhpz2n7nvgr.1j2ien.top/91D0-20A7-32EF-0099-35E8

http://p27dokhpz2n7nvgr.1nhkou.top/91D0-20A7-32EF-0099-35E8

http://p27dokhpz2n7nvgr.1a7wnt.top/91D0-20A7-32EF-0099-35E8

http://p27dokhpz2n7nvgr.1czh7o.top/91D0-20A7-32EF-0099-35E8

http://p27dokhpz2n7nvgr.1hpvzl.top/91D0-20A7-32EF-0099-35E8

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Blocklisted process makes network request 5 IoCs
  • Contacts a large (1095) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 38 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27a1a9c435a7b0c6a6378df7650b40b6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\27a1a9c435a7b0c6a6378df7650b40b6_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\27a1a9c435a7b0c6a6378df7650b40b6_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\27a1a9c435a7b0c6a6378df7650b40b6_JaffaCakes118.exe"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
        3⤵
        • Modifies Windows Firewall
        PID:3052
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall reset
        3⤵
        • Modifies Windows Firewall
        PID:2608
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_35C1GD6O_.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        PID:1520
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_M89EN_.txt
        3⤵
        PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1188
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "27a1a9c435a7b0c6a6378df7650b40b6_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1760
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Privilege Escalation
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Defense Evasion
    • Impair Defenses (T1562): 1
      • Disable or Modify System Firewall (T1562.004): 1
    • Modify Registry (T1112): 1
  • Discovery
    • Network Service Discovery (T1046): 1
    • System Information Discovery (T1082): 1
    • Remote System Discovery (T1018): 1

Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab6357.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar6369.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\Desktop\_READ_THI$_FILE_35C1GD6O_.hta
      Filesize

      75KB

      MD5

      83d089d9f3442f91eb4b4c2a34c64836

      SHA1

      70eec9977a32af8bf3c110aacb5f45f4c8d7eb9d

      SHA256

      7ea4c2039898e8880b63f35a71d5ee826c4c678505b9538ea92b7e04c35c6889

      SHA512

      299ad0033c5638b2f388b227d63eb305e26fe7481d317d427708ae742ef86685d9d44890e19862d24643c5134e5a9585671219f15f6751deff281b72a4e86926

    • C:\Users\Admin\Desktop\_READ_THI$_FILE_M89EN_.txt
      Filesize

      1KB

      MD5

      8611b52ef2e33654fc7fc81675eaa9c8

      SHA1

      53dd038673450ae241352478810eb2eeb5ef8ff1

      SHA256

      4bfe7f593def943581f11c1868366ce757bec818e3afe917911ca9c608bc20ce

      SHA512

      c1ad001db40f2ed774dea9bcacb3408ff4bcebdf28c956e054a15fd2a0c5107211a06fcd5a1aeccd3b60837e7bb2e1f976a5271995b1bfef27b9f696a0b56272

    • memory/2952-2-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/2952-5-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/2952-4-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/2952-6-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/2952-9-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/2952-13-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/2952-66-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/2952-104-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB