Analysis

  • max time kernel
    121s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-05-2024 08:45

General

  • Target

    2e4a5ee417ff54e3bbaaddd2bc5253ae_JaffaCakes118.exe

  • Size

    345KB

  • MD5

    2e4a5ee417ff54e3bbaaddd2bc5253ae

  • SHA1

    803626cc5e2550669ef109a467a41661fe006e03

  • SHA256

    5cdc64c997b2fd0086756d61eb82c329f8d35d6d2d23d74e97ce219297454812

  • SHA512

    9e6281d5d76786aa785522b07e484055f25bbc27d06b40f25c073c4b6cb9359432f64a89d3b644ab4999a78808709f2aa306fb17d10259a25d3d506eebb615a2

  • SSDEEP

    6144:j6cWd7WQ5IHkEGPcnoSFCAXewOVYsFpDSXknKk7ihw2FBTO6XuvJ91Z8cn:mcXRnoSFC0rOisrSXknKkmO27DyJ91t

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_3GCP2P_.txt

Ransom Note

--- [ CERBER RANSOMWARE ] ---
! YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED !
---
The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
---
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/AE43-AD27-E31C-0446-9856
Note! This page is available via "Tor Browser" only.
---
Also you can use temporary addresses on your personal page without using "Tor Browser".
---
1. http://p27dokhpz2n7nvgr.1a7wnt.top/AE43-AD27-E31C-0446-9856
2. http://p27dokhpz2n7nvgr.1czh7o.top/AE43-AD27-E31C-0446-9856
3. http://p27dokhpz2n7nvgr.1hpvzl.top/AE43-AD27-E31C-0446-9856
4. http://p27dokhpz2n7nvgr.1pglcs.top/AE43-AD27-E31C-0446-9856
5. http://p27dokhpz2n7nvgr.1cewld.top/AE43-AD27-E31C-0446-9856
---
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://p27dokhpz2n7nvgr.onion/AE43-AD27-E31C-0446-9856

http://p27dokhpz2n7nvgr.1a7wnt.top/AE43-AD27-E31C-0446-9856

http://p27dokhpz2n7nvgr.1czh7o.top/AE43-AD27-E31C-0446-9856

http://p27dokhpz2n7nvgr.1hpvzl.top/AE43-AD27-E31C-0446-9856

http://p27dokhpz2n7nvgr.1pglcs.top/AE43-AD27-E31C-0446-9856

http://p27dokhpz2n7nvgr.1cewld.top/AE43-AD27-E31C-0446-9856

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Blocklisted process makes network request 5 IoCs
  • Contacts a large (1095) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e4a5ee417ff54e3bbaaddd2bc5253ae_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e4a5ee417ff54e3bbaaddd2bc5253ae_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\2e4a5ee417ff54e3bbaaddd2bc5253ae_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2e4a5ee417ff54e3bbaaddd2bc5253ae_JaffaCakes118.exe"
      2⤵
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
        3⤵
        • Modifies Windows Firewall
        PID:3012
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall reset
        3⤵
        • Modifies Windows Firewall
        PID:2592
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_F26TA67X_.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        PID:2240
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_3GCP2P_.txt
        3⤵
        PID:2176
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "2e4a5ee417ff54e3bbaaddd2bc5253ae_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1256
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1380
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1808
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Privilege Escalation
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Defense Evasion
    • Impair Defenses (T1562): 1
      • Disable or Modify System Firewall (T1562.004): 1
    • Modify Registry (T1112): 2
  • Discovery
    • Network Service Discovery (T1046): 1
    • System Information Discovery (T1082): 1
    • Remote System Discovery (T1018): 1
  • Impact
    • Defacement (T1491): 1

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      • C:\Users\Admin\AppData\Local\Temp\Tar599C.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      • C:\Users\Admin\Desktop\_READ_THI$_FILE_3GCP2P_.txt
        Filesize

        1KB

        MD5

        fb35f03ce1d2ffd8fd6e8da441e045d4

        SHA1

        336918e018d68a0e4dc5efc9ba147bd2160082f0

        SHA256

        2196c6c9f5d281e6141eb6d058c9532ce249578974791b31308ef91332a11db3

        SHA512

        67d1806c127cde035d2a57871e35bd2d49c78d7e48bf019b46de8cdbc56836551894ad8874021692954dc6c52f9b18829b26c319d9b58d3f2d443c890cbbeb22

      • C:\Users\Admin\Desktop\_READ_THI$_FILE_ARSIGJ_.jpeg
        Filesize

        150KB

        MD5

        a010294b84beb114200ea2fc42d6ade3

        SHA1

        678cd0089967e17823702fbd79326c24684a2122

        SHA256

        243e7ce289d0bb0dc0b69a4a6e45622caf41eec0bea1a55374fd25e54ea40c78

        SHA512

        f9ffc1ffa258a1e0e6ce9a8e9ef7b68ef2ba3009943e4af27b403368808ea234652b4901e8a43966114035eacdbc232972df00888ea3f41d9e4b97811b4e201a

      • C:\Users\Admin\Desktop\_READ_THI$_FILE_F26TA67X_.hta
        Filesize

        75KB

        MD5

        f40a9fe62a201d5d0ea6c04888ca991c

        SHA1

        317b6e5859bd9df9bd7a6cb46831c8412cea769f

        SHA256

        d64aea9578a36191010be0a009b01118924671bf0222666a6562a877e9afa2a7

        SHA512

        b78c9eb16ee9815948bbb99acdb372cfd227edb1525629fad13fd68f25f4ac67b9557408cd3183e19513ac66c13b0b44b0232cd827460cb6369c7dfb0a62661b

      • memory/1312-76-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/1312-6-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/1312-9-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/1312-12-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/1312-16-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/1312-318-0x00000000005B0000-0x00000000005C0000-memory.dmp
        Filesize

        64KB

      • memory/1312-96-0x00000000005B0000-0x00000000005C0000-memory.dmp
        Filesize

        64KB

      • memory/1312-317-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/1312-1-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/1312-5-0x00000000010D0000-0x0000000001130000-memory.dmp
        Filesize

        384KB

      • memory/1312-101-0x00000000005E0000-0x00000000005E2000-memory.dmp
        Filesize

        8KB

      • memory/1312-4-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/1808-102-0x00000000001E0000-0x00000000001E2000-memory.dmp
        Filesize

        8KB

      • memory/2360-3-0x0000000000160000-0x00000000001C0000-memory.dmp
        Filesize

        384KB

      • memory/2360-8-0x00000000010D0000-0x0000000001130000-memory.dmp
        Filesize

        384KB

      • memory/2360-0-0x00000000010D0000-0x0000000001130000-memory.dmp
        Filesize

        384KB