locky | 83e8b72b3f30b2f74ddc49f2e7e510a1b6e2df2d25f2b12b359094858a4562e8

General

Target

2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
Size

371KB
MD5

2e1c9df86798281f7bd72a4ec576c89a
SHA1

63ed5d5ebc6cfeabc4159cd151494101708dd154
SHA256

83e8b72b3f30b2f74ddc49f2e7e510a1b6e2df2d25f2b12b359094858a4562e8
SHA512

46f30ab59a5e079975beb7199d68b9f283a052f28ebb9bd0b1c03961437c0bfdf6050f157faa252968875e234080535f7261b96f7c8b0d622d1b58ea1ab754ca
SSDEEP

6144:QgS/jqoVV6VCxkY4THjzgcwzI3eJv/2dg/c1NfR4aAfmKjjjjjjjjjjjj72+ai/:Qz/jhVV6VekY4DYz6svOWk1NfirfjjjP

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
File opened (read-only)	\??\F:	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
File opened (read-only)	\??\F:	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\WallpaperStyle = "0"	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\TileWallpaper = "0"	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\WallpaperStyle = "0"	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\TileWallpaper = "0"	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4440	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4440	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
988	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
988	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
2092	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
2092	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
4700	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
4700	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 2092	988	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe	91
PID 988 wrote to memory of 2092	988	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe	91
PID 988 wrote to memory of 2092	988	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe	91
PID 2092 wrote to memory of 4700	2092	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe	92
PID 2092 wrote to memory of 4700	2092	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe	92
PID 2092 wrote to memory of 4700	2092	2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:988
- C:\Users\Admin\AppData\Local\Temp\2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
  2⤵
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\2e1c9df86798281f7bd72a4ec576c89a_JaffaCakes118.exe
    3⤵
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:4700

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x4dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Music\OSIRIS-fb46.htm

Filesize
9KB

MD5
cb99a2cbfea99af3c59722b9c58a113e

SHA1
e3e36b9670c7ce9f76f16ecda8c53469a9790fd4

SHA256
1f8199cf1254e5d864ec92efac48bb2da7932c5259e44197668de855fd9934f6

SHA512
85583b5d9e37117b643eb20848d6dbcf7735a90d934e130039699175deed652b95c2d594a624f67f5886c4ce3ef958841289e0531beac3ac6659b49f2b461659

Download Submit
\??\c:\Users\Admin\DesktopOSIRIS.bmp

Filesize
3.8MB

MD5
3474a3c47e92793a5fa57b263a122519

SHA1
3830b0c0b1321cf1ce4f16fa3527812ae2b2ab07

SHA256
f05f409f94cc354aeceb2535d847fc4edd4938ed020f97117d61109bfa4d6278

SHA512
f218b1d413ff80e3909a43a75d430d02eb760eb8ad5c6414991cc0fd49f8b8ca1ab8c9cd5019a92d1a7fc4652402dbb836947dd37458f74de8123ba1f24adf05

Download Submit
memory/988-14-0x0000000003B40000-0x0000000003B67000-memory.dmp

Filesize
156KB

Download
memory/988-12-0x0000000003B40000-0x0000000003B67000-memory.dmp

Filesize
156KB

Download
memory/988-4-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/988-6-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/988-7-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/988-13-0x0000000003B40000-0x0000000003B67000-memory.dmp

Filesize
156KB

Download
memory/988-0-0x0000000003B80000-0x0000000003C04000-memory.dmp

Filesize
528KB

Download
memory/988-3-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/988-2-0x0000000003B80000-0x0000000003C04000-memory.dmp

Filesize
528KB

Download
memory/988-351-0x0000000003B40000-0x0000000003B67000-memory.dmp

Filesize
156KB

Download
memory/988-1-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2092-362-0x00000000057C0000-0x00000000057E7000-memory.dmp

Filesize
156KB

Download
memory/2092-363-0x00000000057C0000-0x00000000057E7000-memory.dmp

Filesize
156KB

Download
memory/2092-364-0x00000000057C0000-0x00000000057E7000-memory.dmp

Filesize
156KB

Download
memory/2092-355-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2092-449-0x00000000057C0000-0x00000000057E7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing