Analysis

  • max time kernel
    117s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 06:56

General

  • Target

    591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe

  • Size

    336KB

  • MD5

    591ad86e048de0e146e95de06cde9086

  • SHA1

    743932fdb8c94eed98a5b1b1f134de8d8f8f12c6

  • SHA256

    08bceaa70981fe11a2cd2f4d24475bcc692b577f1747c092fb10b6bc20a5e1c0

  • SHA512

    e3fb3f7a85a6c49318b012834c8e7daf2a8abf782d5687d956eeec9b45ac2e63b5e94631ae9ebdb2ae3545a5ae1ef8042abbdb461c0be35891541e4a3912efa9

  • SSDEEP

    6144:1t75WZK9JIwfCQoSZxEGBN9WguHB19cJAkcsAu86FzUqyfDgO9/UGEXx4:/lWaIeDoSLpBOhHB19cJAkcst86FzULX

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_WK62VB_.txt

Ransom Note
CERBER RAN$OMWARE
---
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
---
The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
---
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/2BB4-4D0D-1F50-0446-93CF
Note! This page is available via "Tor Browser" only.
---
Also you can use temporary addresses on your personal page without using "Tor Browser".
---
1. http://p27dokhpz2n7nvgr.1czh7o.top/2BB4-4D0D-1F50-0446-93CF
2. http://p27dokhpz2n7nvgr.1hpvzl.top/2BB4-4D0D-1F50-0446-93CF
3. http://p27dokhpz2n7nvgr.1pglcs.top/2BB4-4D0D-1F50-0446-93CF
4. http://p27dokhpz2n7nvgr.1cewld.top/2BB4-4D0D-1F50-0446-93CF
5. http://p27dokhpz2n7nvgr.1js3tl.top/2BB4-4D0D-1F50-0446-93CF
---
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://p27dokhpz2n7nvgr.onion/2BB4-4D0D-1F50-0446-93CF

http://p27dokhpz2n7nvgr.1czh7o.top/2BB4-4D0D-1F50-0446-93CF

http://p27dokhpz2n7nvgr.1hpvzl.top/2BB4-4D0D-1F50-0446-93CF

http://p27dokhpz2n7nvgr.1pglcs.top/2BB4-4D0D-1F50-0446-93CF

http://p27dokhpz2n7nvgr.1cewld.top/2BB4-4D0D-1F50-0446-93CF

http://p27dokhpz2n7nvgr.1js3tl.top/2BB4-4D0D-1F50-0446-93CF

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Blocklisted process makes network request (7 IoCs)
  • Contacts a large (1096) number of remote hosts (1 TTPs)

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall (2 TTPs, 2 IoCs)
  • Deletes itself (1 IoCs)
  • UPX packed file (2 IoCs)

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Drops file in System32 directory (38 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Drops file in Program Files directory (20 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (1 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 1 IoCs)
  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (39 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Users\Admin\AppData\Local\Temp\591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe"
      2⤵
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
        3⤵
        • Modifies Windows Firewall
        PID:2980
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall reset
        3⤵
        • Modifies Windows Firewall
        PID:3008
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_YTFK9ZAO_.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        PID:1276
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_WK62VB_.txt
        3⤵
        PID:2508
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1160
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1056
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2824
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:1652

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  • Privilege Escalation
    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  • Defense Evasion
    Impair Defenses (T1562): 1
    Disable or Modify System Firewall (T1562.004): 1
    Modify Registry (T1112): 3
    Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1
  • Discovery
    Network Service Discovery (T1046): 1
    System Information Discovery (T1082): 1
    Remote System Discovery (T1018): 1
  • Impact
    Defacement (T1491): 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize: 1KB
    MD5: a266bb7dcc38a562631361bbf61dd11b
    SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
    SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
    SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize: 242B
    MD5: 4a12de8e94e0d01fca39a20e0255b7e3
    SHA1: 5b8323173e44dc048e2fe41f8e85d91ec6695edb
    SHA256: b2b43fc6193245b67fcde5825c442b4254a44bc91081e680ac19e2b43152faf2
    SHA512: a4634c4ea1c1cb2dcd7dcff8541bdfca64879ddab83388672aad91364e075dbb8c48f730d74dd759fffcf258a472a603a1319433cd57fabbd0232db66216d7c7

  • C:\Users\Admin\AppData\Local\Temp\Tar4945.tmp
    Filesize: 177KB
    MD5: 435a9ac180383f9fa094131b173a2f7b
    SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_WK62VB_.txt
    Filesize: 1KB
    MD5: c918976ebe8278ab0d80b71febb90b80
    SHA1: b3a5cf8e10e6e8402212c7dfca327b3f91310d44
    SHA256: cb44a7500f8322698466291e1509324416107402fa7bca7430f048f903d733a9
    SHA512: fa387c68909b27c179ad5e69290ae03115817b6c4bd88a1c4b1cac828ddad7c4ad965cee71ed9fa7d0ae53fc3e6ae3ea9c3639d909547d6670f051302c5877d0

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_YTFK9ZAO_.hta
    Filesize: 75KB
    MD5: 5e3db41cb512dd5a6710bc1435b3f2cd
    SHA1: ace89790d9883198dd72990b8abfe857aac0b574
    SHA256: 62d01b774d28ea29c0c19b7e267fa594a73af4768c5bbdc0e2fa5fed3aecc4bf
    SHA512: 07e33e9aa87558ad07d50c4e4e4c02047774677bd9a45a3d1f1bf4e47d4df59301ed625ae2d08e61280b84262ca145e51572cc30370ee100556fd7d129de8015

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_ZF2Y_.jpeg
    Filesize: 150KB
    MD5: 0bc9727cff24c794f2fe1f0b67290ad1
    SHA1: 28c81dd39c37bbaf20a32374823089f18deca063
    SHA256: f192849042ee602d944cdc3ace78998bec25d813d964fa29355ab88431b9d441
    SHA512: 5022509114c2df316736c77dd51011a59c16109044f52397e3740d3b48e2f179f09205616b9931b1b45725013ee155db67f8ef61990d803da309b350c69f390e
  • memory/1960-6-0x0000000000100000-0x0000000000151000-memory.dmp
    Filesize: 324KB
  • memory/1960-0-0x0000000000100000-0x0000000000151000-memory.dmp
    Filesize: 324KB
  • memory/1960-4-0x00000000004B0000-0x0000000000501000-memory.dmp
    Filesize: 324KB
  • memory/2316-3-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2316-92-0x0000000002840000-0x0000000002842000-memory.dmp
    Filesize: 8KB
  • memory/2316-12-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2316-7-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2316-63-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2316-1-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2316-10-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2316-14-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2316-5-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2316-363-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize: 232KB
  • memory/2824-93-0x0000000000180000-0x0000000000182000-memory.dmp
    Filesize: 8KB