648eb39a5e77af2e2069e196a5709a93e81b29c74dbe2fa4ead4440e0f535e97

General

Target

48460c1f75469995a67349fe0766f776_JaffaCakes118.exe
Size

88KB
MD5

48460c1f75469995a67349fe0766f776
SHA1

7231c635ee7623977c79f8a44a77384a4ff4536f
SHA256

648eb39a5e77af2e2069e196a5709a93e81b29c74dbe2fa4ead4440e0f535e97
SHA512

ad2a372e96f6fbb83f0f8e213804b7c978afa7d28ac3a3a330d9dd1b103efc799824c3815593b9e4c41d05df8723445bad8040c42da121fd2330917d160c9afd
SSDEEP

1536:HN5kEXLJj+EFTctJovSdM0wPC7KZhxKOn+nJI3pD34YsXm:t5kENj+EpcUSiHK7Kf+JI3B34YsX

Score

10^/10

defense_evasion evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT

Ransom Note

All your important files were encrypted on this computer. You can verify this by click on see files an try open them. Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypted files, you need to obtain private key. The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet. The server will destroy the key within 78 hours after encryption completed. To retrieve the private key, you need to Contact us by email , send us an email your DECRYPT-ID-249e8940-2d38-4f5a-9b5f-7b6c97be1abe number and wait for further instructions. For you to be sure, that we can decrypt your files - you can send us a single encrypted file and we will send you back it in a decrypted form. Please do not waste your time! You have 72 hours only! After that The Main Server will double your price! E-MAILS ADRESS: [email protected] [email protected]

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

1C9B74EA.exe

pid process

2960 1C9B74EA.exe
Loads dropped DLL 1 IoCs

Processes:

48460c1f75469995a67349fe0766f776_JaffaCakes118.exe

pid process

612 48460c1f75469995a67349fe0766f776_JaffaCakes118.exe

pid	process
2960	1C9B74EA.exe

pid	process
612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

48460c1f75469995a67349fe0766f776_JaffaCakes118.exe1C9B74EA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\00AE1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\48460c1f75469995a67349fe0766f776_JaffaCakes118.exe\""	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\1C9B74EA.exe\""	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\1C9B74EA.exe\""	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\00AE1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\1C9B74EA.exe\""	1C9B74EA.exe

Drops file in Program Files directory 2 IoCs

Processes:

1C9B74EA.exe

description	ioc	process
File opened for modification	C:\Program Files\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT	1C9B74EA.exe
File opened for modification	C:\Program Files (x86)\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT	1C9B74EA.exe

Drops file in Windows directory 1 IoCs

Processes:

1C9B74EA.exe

description ioc process

File opened for modification C:\Windows\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT 1C9B74EA.exe
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1972 sc.exe
2652 sc.exe
2860 sc.exe
1384 sc.exe
1720 sc.exe
2208 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2212 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT	1C9B74EA.exe

pid	process
1972	sc.exe
2652	sc.exe
2860	sc.exe
1384	sc.exe
1720	sc.exe
2208	sc.exe

pid	process
2212	vssadmin.exe

NTFS ADS 1 IoCs

Processes:

48460c1f75469995a67349fe0766f776_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\1C9B74EA.exe:Zone.Identifier	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2340 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

48460c1f75469995a67349fe0766f776_JaffaCakes118.exe1C9B74EA.exe

pid process

612 48460c1f75469995a67349fe0766f776_JaffaCakes118.exe
2960 1C9B74EA.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2644 vssvc.exe
Token: SeRestorePrivilege 2644 vssvc.exe
Token: SeAuditPrivilege 2644 vssvc.exe

pid	process
2340	NOTEPAD.EXE

pid	process
612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe
2960	1C9B74EA.exe

description	pid	process
Token: SeBackupPrivilege	2644	vssvc.exe
Token: SeRestorePrivilege	2644	vssvc.exe
Token: SeAuditPrivilege	2644	vssvc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

48460c1f75469995a67349fe0766f776_JaffaCakes118.exe1C9B74EA.exe

description	pid	process	target process
PID 612 wrote to memory of 2212	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	vssadmin.exe
PID 612 wrote to memory of 2212	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	vssadmin.exe
PID 612 wrote to memory of 2212	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	vssadmin.exe
PID 612 wrote to memory of 2212	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	vssadmin.exe
PID 612 wrote to memory of 1384	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 1384	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 1384	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 1384	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 1972	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 1972	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 1972	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 1972	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 1720	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 1720	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 1720	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 1720	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2208	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2208	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2208	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2208	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2652	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2652	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2652	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2652	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2860	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2860	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2860	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2860	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	sc.exe
PID 612 wrote to memory of 2960	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	1C9B74EA.exe
PID 612 wrote to memory of 2960	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	1C9B74EA.exe
PID 612 wrote to memory of 2960	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	1C9B74EA.exe
PID 612 wrote to memory of 2960	612	48460c1f75469995a67349fe0766f776_JaffaCakes118.exe	1C9B74EA.exe
PID 2960 wrote to memory of 2340	2960	1C9B74EA.exe	NOTEPAD.EXE
PID 2960 wrote to memory of 2340	2960	1C9B74EA.exe	NOTEPAD.EXE
PID 2960 wrote to memory of 2340	2960	1C9B74EA.exe	NOTEPAD.EXE
PID 2960 wrote to memory of 2340	2960	1C9B74EA.exe	NOTEPAD.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\48460c1f75469995a67349fe0766f776_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48460c1f75469995a67349fe0766f776_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:2212

C:\Windows\SysWOW64\sc.exe
sc stop wscsvc
2⤵
- Launches sc.exe
PID:1384

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
2⤵
- Launches sc.exe
PID:1972

C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:1720

C:\Windows\SysWOW64\sc.exe
sc stop BITS
2⤵
- Launches sc.exe
PID:2208

C:\Windows\SysWOW64\sc.exe
sc stop ERSvc
2⤵
- Launches sc.exe
PID:2652

C:\Windows\SysWOW64\sc.exe
sc stop WerSvc
2⤵
- Launches sc.exe
PID:2860

C:\Users\Admin\AppData\Roaming\1C9B74EA.exe
C:\Users\Admin\AppData\Roaming\1C9B74EA.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT
3⤵
- Opens file in notepad (likely ransom note)
PID:2340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Service Stop

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\INSTRUCTION_FOR_HELPING_FILE_RECOVERY.TXT

Filesize
1KB

MD5
9d6230ef734ae6bad2b41917d913a647

SHA1
1247ed6d83b98069af3964b03dded2d80fec9db7

SHA256
d8ce869e45e66a3926b9d1ca420e8fe3c57847d2110e0db53a54dc35763e051f

SHA512
f39fd195153737bb964209a2d7245d62cac4672e8e65379bc749f9cca9493dee5cfdefceecaf488debeb02d6a47025ff0309bb5f712fabf1f305a37e793e89ba

Download Submit
C:\Users\Admin\AppData\Roaming\26E14BA00B70A5D0AE4EBAD33D3416B0.MOLE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\1C9B74EA.exe

Filesize
88KB

MD5
48460c1f75469995a67349fe0766f776

SHA1
7231c635ee7623977c79f8a44a77384a4ff4536f

SHA256
648eb39a5e77af2e2069e196a5709a93e81b29c74dbe2fa4ead4440e0f535e97

SHA512
ad2a372e96f6fbb83f0f8e213804b7c978afa7d28ac3a3a330d9dd1b103efc799824c3815593b9e4c41d05df8723445bad8040c42da121fd2330917d160c9afd

Download Submit
memory/612-0-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads