Analysis

  • max time kernel
    118s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-05-2024 19:12

General

  • Target

    361d333fba9f9de0e51996d7b85bec12_JaffaCakes118.exe

  • Size

    463KB

  • MD5

    361d333fba9f9de0e51996d7b85bec12

  • SHA1

    f90420543dca7e67e4c89ab4e0ca37046680edcc

  • SHA256

    c1daf5d0e47641e24e6835a946933b569d23288f77d86abfc5c5c29ff7c5cd3c

  • SHA512

    8cacec85b87ade9f9451063c677c1cc34870cc626aad7bea6e60e026b602d1b59450967e787eb9143fbfb50080f0750ef7666b8ee30a9c38f78b63b0c6acbc19

  • SSDEEP

    6144:yjNU2JGxqoOMWFZ3K1n1V171wMMEiTxkbNZTZktVZZpBVx/:yjFQwoArKd1V7wMMFGbNZTZ6vXB3/

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_ZK4W802_.txt

Ransom Note
----- !!! CERBER RANSOMWARE !!! -----
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED
-----
The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/330B-385C-E797-0099-3E61
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.1nhkou.top/330B-385C-E797-0099-3E61
2. http://p27dokhpz2n7nvgr.1a7wnt.top/330B-385C-E797-0099-3E61
3. http://p27dokhpz2n7nvgr.1czh7o.top/330B-385C-E797-0099-3E61
4. http://p27dokhpz2n7nvgr.1hpvzl.top/330B-385C-E797-0099-3E61
5. http://p27dokhpz2n7nvgr.1pglcs.top/330B-385C-E797-0099-3E61
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs

http://p27dokhpz2n7nvgr.onion/330B-385C-E797-0099-3E61

http://p27dokhpz2n7nvgr.1nhkou.top/330B-385C-E797-0099-3E61

http://p27dokhpz2n7nvgr.1a7wnt.top/330B-385C-E797-0099-3E61

http://p27dokhpz2n7nvgr.1czh7o.top/330B-385C-E797-0099-3E61

http://p27dokhpz2n7nvgr.1hpvzl.top/330B-385C-E797-0099-3E61

http://p27dokhpz2n7nvgr.1pglcs.top/330B-385C-E797-0099-3E61
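The extracted note above carries the three things an analyst actually wants out of a Cerber note: the victim ID in the URL path, the onion service, and the rotating clearnet "temporary addresses" that front it. The script below is an added example, not part of this report or of any sandbox's extractor; it re-types the note as constructed sample input, pulls the URLs, separates onion host, gateway domains (the registrable domain that the 16-character onion label is prepended to) and unrelated links such as torproject.org, and checks that every payment URL names the same victim ID. The regular expressions for the ID format and the v2 onion label are assumptions based on this note, not a Cerber specification.

```python
import json
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed test input: the note extracted above, re-typed with its line
# breaks. Victim ID and hostnames are the ones shown in the report.
SAMPLE_NOTE = """----- !!! CERBER RANSOMWARE !!! -----
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://p27dokhpz2n7nvgr.onion/330B-385C-E797-0099-3E61
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.1nhkou.top/330B-385C-E797-0099-3E61
2. http://p27dokhpz2n7nvgr.1a7wnt.top/330B-385C-E797-0099-3E61
3. http://p27dokhpz2n7nvgr.1czh7o.top/330B-385C-E797-0099-3E61
4. http://p27dokhpz2n7nvgr.1hpvzl.top/330B-385C-E797-0099-3E61
5. http://p27dokhpz2n7nvgr.1pglcs.top/330B-385C-E797-0099-3E61
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
"""

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)
# v2 onion service name: 16 base32 characters (assumed from this note).
ONION_LABEL_RE = re.compile(r"^[a-z2-7]{16}$")
# Victim ID in the URL path: five dash-separated groups of four hex digits
# (assumed from this note's format).
VICTIM_ID_RE = re.compile(r"^[0-9A-F]{4}(?:-[0-9A-F]{4}){4}$")


def extract_urls(text: str) -> List[str]:
    """URLs in order of first appearance, de-duplicated, trailing punctuation stripped."""
    seen, urls = set(), []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!")
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def victim_id_from_url(url: str) -> Optional[str]:
    path = urlparse(url).path.strip("/")
    return path if VICTIM_ID_RE.match(path) else None


def parse_cerber_note(text: str) -> Dict[str, object]:
    """Classify the note's URLs and recover the victim ID they must all share."""
    urls = extract_urls(text)
    onion_hosts, gateway_domains, other, ids = [], [], [], set()
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        labels = host.split(".")
        if host.endswith(".onion") and ONION_LABEL_RE.match(labels[0]):
            onion_hosts.append(host)
        elif len(labels) >= 3 and ONION_LABEL_RE.match(labels[0]):
            # "Temporary address": the onion name is prepended as a label to a
            # clearnet domain that proxies it. The blockable IOC is the
            # registrable domain, since the operator rotates these.
            gateway_domains.append(".".join(labels[1:]))
        else:
            other.append(url)  # e.g. torproject.org: a real site, not an IOC
            continue
        vid = victim_id_from_url(url)
        if vid:
            ids.add(vid)
    return {
        "family": "cerber" if "CERBER RANSOMWARE" in text.upper() else None,
        # None means the ID is missing or the payment URLs disagree, which
        # is worth a closer look before anything is submitted to a portal.
        "victim_id": ids.pop() if len(ids) == 1 else None,
        "onion_hosts": sorted(set(onion_hosts)),
        "gateway_domains": sorted(set(gateway_domains)),
        "non_ioc_urls": other,
    }


if __name__ == "__main__":
    print(json.dumps(parse_cerber_note(SAMPLE_NOTE), indent=2))
```

Only the onion host and the five gateway domains are worth putting on a blocklist; the torproject.org link is legitimate and is reported separately so it is not blocked by accident.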

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.

  • Blocklisted process makes network request 5 IoCs
  • Contacts a large number (1095) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\361d333fba9f9de0e51996d7b85bec12_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\361d333fba9f9de0e51996d7b85bec12_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\361d333fba9f9de0e51996d7b85bec12_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\361d333fba9f9de0e51996d7b85bec12_JaffaCakes118.exe"
      2⤵
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
        3⤵
        • Modifies Windows Firewall
        PID:1256
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall reset
        3⤵
        • Modifies Windows Firewall
        PID:1708
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_IIPAXJ2T_.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        PID:2808
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_ZK4W802_.txt
        3⤵
        PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:488
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "361d333fba9f9de0e51996d7b85bec12_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:604
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1800
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2224
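The process tree above shows four behaviours that are cheap to detect from process-creation telemetry alone: the sample re-launching its own image (PID 1916 → 1584, with SetThreadContext and WriteProcessMemory flagged on the parent, the usual shape of process hollowing), netsh.exe changing firewall state and resetting policy from a parent that lives under the user profile, mshta.exe executing an .hta dropped on the Desktop, and the cmd.exe → taskkill /f /im <self> → ping -n 1 127.0.0.1 chain that the report labels "Deletes itself". The script below is an added example, not part of the report or of any detection product; the event records are constructed from the PIDs and command lines shown above (the parent PID 1000 of the first process is an assumption, the report does not show it), in the shape you would get from Sysmon event ID 1 or Windows 4688 events. The rule names are this example's own.

```python
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process-creation records mirroring the tree above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\361d333fba9f9de0e51996d7b85bec12_JaffaCakes118.exe"
EVENTS: List[Dict[str, object]] = [
    {"pid": 1916, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},  # ppid assumed
    {"pid": 1584, "ppid": 1916, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1256, "ppid": 1584, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"},
    {"pid": 1708, "ppid": 1584, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r"C:\Windows\system32\netsh.exe advfirewall reset"},
    {"pid": 2808, "ppid": 1584, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_IIPAXJ2T_.hta"'},
    {"pid": 2736, "ppid": 1584, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_ZK4W802_.txt'},
    {"pid": 488, "ppid": 1584, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 604, "ppid": 488, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r'taskkill /f /im "361d333fba9f9de0e51996d7b85bec12_JaffaCakes118.exe"'},
    {"pid": 1800, "ppid": 488, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 1 127.0.0.1"},
]

TASKKILL_IM_RE = re.compile(r'/im\s+"?([^"\s]+)', re.IGNORECASE)
USER_HTA_RE = re.compile(r'\\users\\[^"]*\.hta\b')


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable_path(path: str) -> bool:
    """Heuristic: user profiles and ProgramData are writable without admin rights."""
    p = path.lower()
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\")


def detect(events: List[Dict[str, object]]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings over a batch of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings: List[Tuple[str, int]] = []
    for e in events:
        pid, name, cmd = e["pid"], image_name(str(e["image"])), str(e["cmdline"]).lower()
        parent = by_pid.get(e["ppid"])

        # 1. A process launching a second copy of its own image.
        if parent and str(parent["image"]).lower() == str(e["image"]).lower():
            findings.append(("self_spawn", pid))

        # 2. netsh touching firewall state or resetting policy, spawned from a
        #    user-writable path. Direction is deliberately ignored: this
        #    sample turns the firewall on and resets it rather than off.
        if (name == "netsh.exe" and "advfirewall" in cmd
                and ("reset" in cmd or " state " in cmd)
                and parent and in_user_writable_path(str(parent["image"]))):
            findings.append(("firewall_tamper_from_user_path", pid))

        # 3. mshta.exe running an .hta that sits under a user profile.
        if name == "mshta.exe" and USER_HTA_RE.search(cmd):
            findings.append(("hta_from_user_profile", pid))

        # 4. cmd.exe whose children are taskkill against the image that
        #    started it plus a loopback ping used as a sleep: self-delete.
        if name == "cmd.exe" and parent:
            target, has_ping = None, False
            for child in children[pid]:
                cname, ccmd = image_name(str(child["image"])), str(child["cmdline"]).lower()
                if cname == "taskkill.exe":
                    m = TASKKILL_IM_RE.search(ccmd)
                    target = m.group(1) if m else None
                elif cname == "ping.exe" and "127.0.0.1" in ccmd:
                    has_ping = True
            if target and has_ping and target == image_name(str(parent["image"])):
                findings.append(("self_delete_chain", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} pid={pid}")
```

Rule 4 keys on the relationship between the taskkill target and cmd.exe's parent, not on taskkill alone, so ordinary administrative use of taskkill does not fire it; rule 2 is the noisy one on hosts where users legitimately run netsh, and there the parent-path check is what keeps it usable.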

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  • Privilege Escalation
    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  • Defense Evasion
    Impair Defenses (T1562): 1
    Disable or Modify System Firewall (T1562.004): 1
    Modify Registry (T1112): 2
  • Discovery
    Network Service Discovery (T1046): 1
    System Information Discovery (T1082): 1
    Remote System Discovery (T1018): 1
  • Impact
    Defacement (T1491): 1


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar6DB8.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\Desktop\_READ_THI$_FILE_D8PJ_.jpeg
      Filesize

      150KB

      MD5

      1a2840b4e799b47668cae0454c4f3af9

      SHA1

      4a8dcae34c10350564b782a1908b69229fff445c

      SHA256

      996a5964e6ff651715a8a42979e6aff18af1c5550220d774f0e00cc6ad04bd5e

      SHA512

      ed5c654d41a996e8dd35a39dd0a0a99be456292ad75de3eea0341e84a21bdad591e4d18960281fe1660b3c90edbae08ec978f2f8cb8e1430ec144d7bd3242146

    • C:\Users\Admin\Desktop\_READ_THI$_FILE_IIPAXJ2T_.hta
      Filesize

      75KB

      MD5

      a5beff3092b2a1aecf89be852dd26576

      SHA1

      9ed906d58968985cc77708fa9d36c0f9d5c00869

      SHA256

      c3702701e883b77cf613442cb4fa9dcbf8da41e2215f6c9711474eb7665732af

      SHA512

      f98b18e804e53d60c0f65ec75d75b2fc57e61a6588fab966fe094bdf06af8e5a81c94669e117823b9df2f3fbd97fb33a5700898c99f54b2bbf2c60b6a0b29399

    • C:\Users\Admin\Desktop\_READ_THI$_FILE_ZK4W802_.txt
      Filesize

      1KB

      MD5

      be0e4acc0ab8c9b782e70b6c84158dd0

      SHA1

      f03a5406869a45f1d9122c9607c5c4ea3e48dd15

      SHA256

      dcbcb83b8015e007152536a5a4e47726d7927ae7f9cee6840b52868764a031db

      SHA512

      df2977c94aebaea449d39df141b661ea7568f7646d0d5e4311c5952cb3ba32a913c3efab0b12dfdd9d02888b04b7ad1bafcbc265c4a331a607d9e661b5cf5321

    • memory/1584-86-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/1584-2-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/1584-13-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/1584-10-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/1584-109-0x0000000003A40000-0x0000000003A42000-memory.dmp
      Filesize

      8KB

    • memory/1584-6-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/1584-128-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/1584-5-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/1584-4-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

    • memory/2224-110-0x0000000000120000-0x0000000000122000-memory.dmp
      Filesize

      8KB