Analysis

  • max time kernel
    118s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-05-2024 04:43

General

  • Target

    2d6721f92f8dd73cdb3ee1d54f136b83_JaffaCakes118.exe

  • Size

    257KB

  • MD5

    2d6721f92f8dd73cdb3ee1d54f136b83

  • SHA1

    14d0e5969fe842aee2022d5fccfda767d32da7b9

  • SHA256

    7cd86f32c825e64820ef292b9d3ef6f47a9712f21930d7c920adfb125d47490f

  • SHA512

    f2286e8cb6630cdb2956849fcf30518171be31d0d2b212827ac637375f176fd14f491c91a37e4fe27dc93bcf2e31e427812c99c28ce08ba6ebb1ff872492dc84

  • SSDEEP

    6144:es1JoqbGwDAE5XOhkZJ8etJG4pNtqjgpchxCGzo:h1JFFXJ8yJGCfmgmhxd

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___UQ2HGB_.txt

Ransom Note
Hi, I'am CERBER RANSOMWARE ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/2467-46F7-89D4-0099-3FAA Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1cgbcv.top/2467-46F7-89D4-0099-3FAA 2. http://xpcx6erilkjced3j.16hwwh.top/2467-46F7-89D4-0099-3FAA 3. http://xpcx6erilkjced3j.1fnhyq.top/2467-46F7-89D4-0099-3FAA 4. http://xpcx6erilkjced3j.onion.cab/2467-46F7-89D4-0099-3FAA 5. http://xpcx6erilkjced3j.onion.to/2467-46F7-89D4-0099-3FAA ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/2467-46F7-89D4-0099-3FAA

http://xpcx6erilkjced3j.1cgbcv.top/2467-46F7-89D4-0099-3FAA

http://xpcx6erilkjced3j.16hwwh.top/2467-46F7-89D4-0099-3FAA

http://xpcx6erilkjced3j.1fnhyq.top/2467-46F7-89D4-0099-3FAA

http://xpcx6erilkjced3j.onion.cab/2467-46F7-89D4-0099-3FAA

http://xpcx6erilkjced3j.onion.to/2467-46F7-89D4-0099-3FAA

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Blocklisted process makes network request 5 IoCs
  • Contacts a large (1095) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d6721f92f8dd73cdb3ee1d54f136b83_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2d6721f92f8dd73cdb3ee1d54f136b83_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:548
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:2896
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___EDM3XE_.hta"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      PID:2412
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___UQ2HGB_.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1820
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "2d6721f92f8dd73cdb3ee1d54f136b83_JaffaCakes118.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1484
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Privilege Escalation
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Defense Evasion
    • Impair Defenses (T1562): 1
      • Disable or Modify System Firewall (T1562.004): 1
    • Modify Registry (T1112): 2
  • Discovery
    • Network Service Discovery (T1046): 1
    • System Information Discovery (T1082): 1
    • Remote System Discovery (T1018): 1
  • Impact
    • Defacement (T1491): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab61B2.tmp
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Tar61D4.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___EDM3XE_.hta
    Filesize

    75KB

    MD5

    76ce835dac4a9e07410ed9fc15d24d59

    SHA1

    078c00a07b98db635dc4f779b579affeec220de1

    SHA256

    2729c4e7b511f21e350d16a22ececc97469f2a6959be4aa29a4df4fd71eac4d6

    SHA512

    7627916c4918d4e9a3a99c5dff7fb2ad9dba9bf3a044d9d561fcedce962ebeeca753a96121e56642df370a8fa0f3ac7c1433ce9f9fd25d6e51d1e4fc63057ef4

  • C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___UQ2HGB_.txt
    Filesize

    1KB

    MD5

    4a30c3ea0c0f072c858d4f25bca25b6e

    SHA1

    131b18d57c05243279b87416d3d1c6988790f3fd

    SHA256

    4bd4d54d4b1fe757abeb85d7a0f043ed7d9f0036d303f5577b9d0f2f4736908e

    SHA512

    784decb4e773917ed0224f76346a67c3debaf5d575f333846b43c8e0a7b770ea251027038d56fe4866b9c0feb2e5955a7f71577a0a71522de8381e313616483e

  • memory/2068-0-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

  • memory/2068-1-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

  • memory/2068-2-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

  • memory/2068-3-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

  • memory/2068-90-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

  • memory/2068-92-0x0000000003660000-0x0000000003670000-memory.dmp
    Filesize

    64KB