Analysis

  • max time kernel
    120s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-05-2024 08:56

General

  • Target

    5e39796740d470869174eaecd70706af_JaffaCakes118.exe

  • Size

    504KB

  • MD5

    5e39796740d470869174eaecd70706af

  • SHA1

    76afe1f1de09e25adcbf675f68b2b0370ad37aac

  • SHA256

    f93057ea3b4ac606408e145b212d5b257744920dde857e0f3ced57520c22a8fb

  • SHA512

    5b48dacb64f3373121a83aedef476854db2331533fe28f98f50b6128b7f22a0c25bf2a497daccb3662b7d6872f1a3e4156b1e3e4edf2da19d35aa63c99e3af25

  • SSDEEP

    6144:c867hSKXt8UaTxPMhvXoIdUbYgiE9ZrH16Ov1rN2s4JI/yUICVL8VfaDCFToWQH:y7G5xP+L6kZE9VV6O1MUgfaOzQH

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THIS_FILE_1CWOQW_.txt

Ransom Note

CERBER RANS0MWARE
---
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
---
The only way to decrypt your files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
---
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/9AC1-4B1F-CB72-0446-9A8E
Note! This page is available via "Tor Browser" only.
---
Also you can use temporary addresses on your personal page without using "Tor Browser".
---
1. http://p27dokhpz2n7nvgr.1a7wnt.top/9AC1-4B1F-CB72-0446-9A8E
2. http://p27dokhpz2n7nvgr.1czh7o.top/9AC1-4B1F-CB72-0446-9A8E
3. http://p27dokhpz2n7nvgr.1hpvzl.top/9AC1-4B1F-CB72-0446-9A8E
4. http://p27dokhpz2n7nvgr.1pglcs.top/9AC1-4B1F-CB72-0446-9A8E
5. http://p27dokhpz2n7nvgr.1cewld.top/9AC1-4B1F-CB72-0446-9A8E
---
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://p27dokhpz2n7nvgr.onion/9AC1-4B1F-CB72-0446-9A8E

http://p27dokhpz2n7nvgr.1a7wnt.top/9AC1-4B1F-CB72-0446-9A8E

http://p27dokhpz2n7nvgr.1czh7o.top/9AC1-4B1F-CB72-0446-9A8E

http://p27dokhpz2n7nvgr.1hpvzl.top/9AC1-4B1F-CB72-0446-9A8E

http://p27dokhpz2n7nvgr.1pglcs.top/9AC1-4B1F-CB72-0446-9A8E

http://p27dokhpz2n7nvgr.1cewld.top/9AC1-4B1F-CB72-0446-9A8E
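The URL list above is the indicator set a responder actually needs: one .onion payment page, a victim ID carried in the path, and throwaway clearnet mirrors that reuse the onion host label as a subdomain. The following Python is an added example, not part of the sandbox report or of any Cerber tooling; it pulls those three pieces out of the note text extracted on this page and checks that every mirror agrees with the onion page on both label and victim ID. All function, variable and key names are mine.

```python
import re
from urllib.parse import urlparse

# The note text extracted in this report, reflowed so that no URL is split across lines.
NOTE = """CERBER RANS0MWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES
HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive the private key
and decryption program. To receive the private key and decryption program go to any
decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete
instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file
at your PC, follow the instructions below: --- 1. Download "Tor Browser" from
https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal
page here: http://p27dokhpz2n7nvgr.onion/9AC1-4B1F-CB72-0446-9A8E Note! This page is
available via "Tor Browser" only. --- Also you can use temporary addresses on your
personal page without using "Tor Browser". ---
1. http://p27dokhpz2n7nvgr.1a7wnt.top/9AC1-4B1F-CB72-0446-9A8E
2. http://p27dokhpz2n7nvgr.1czh7o.top/9AC1-4B1F-CB72-0446-9A8E
3. http://p27dokhpz2n7nvgr.1hpvzl.top/9AC1-4B1F-CB72-0446-9A8E
4. http://p27dokhpz2n7nvgr.1pglcs.top/9AC1-4B1F-CB72-0446-9A8E
5. http://p27dokhpz2n7nvgr.1cewld.top/9AC1-4B1F-CB72-0446-9A8E
--- Note! These are temporary addresses! They will be available for a limited amount of time!"""

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# Victim IDs on this page are five dash-separated groups of four upper-case hex digits.
VICTIM_ID_RE = re.compile(r"^/([0-9A-F]{4}(?:-[0-9A-F]{4}){4})$")


def extract_urls(note):
    """All http(s) URLs in the note, with trailing sentence punctuation stripped."""
    return [u.rstrip(".,;!") for u in URL_RE.findall(note)]


def parse_cerber_note(note):
    """Return the onion host, victim ID and mirror hosts, or raise if the note is inconsistent."""
    onion, mirrors, ids = None, [], set()
    for url in extract_urls(note):
        parts = urlparse(url)
        m = VICTIM_ID_RE.match(parts.path)
        if not m:
            continue  # e.g. the torproject.org download link carries no victim ID
        ids.add(m.group(1))
        if parts.hostname.endswith(".onion"):
            onion = parts.hostname
        else:
            mirrors.append(parts.hostname)
    if onion is None or len(ids) != 1:
        raise ValueError("note lacks a single onion payment page with one consistent victim ID")
    label = onion[: -len(".onion")]
    return {
        "onion": onion,
        "victim_id": ids.pop(),
        "mirror_hosts": mirrors,
        # registrable domains to block or sinkhole; the onion label is a subdomain of each
        "mirror_domains": sorted({h.split(".", 1)[1] for h in mirrors}),
        "mirrors_consistent": all(h.split(".", 1)[0] == label for h in mirrors),
    }


if __name__ == "__main__":
    for key, value in parse_cerber_note(NOTE).items():
        print(f"{key}: {value}")
```

The victim ID is per-infection and the .top domains are rotated, so block the mirror domains but pivot on the onion host label, which is the stable part across notes from the same campaign.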

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.

  • Blocklisted process makes network request 5 IoCs
  • Contacts a large number (1095) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For Cerber the usual cause is its UDP statistics beacon, which sends one datagram to every address of a configured IP range on a single port rather than probing services; check the destination port spread before treating this as discovery.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
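The "large number of remote hosts" signature above cannot by itself distinguish a service scan from a one-port spray across a whole address block, which is what Cerber's UDP beacon looks like on the wire. The Python below is an added example, not part of the report or of any sandbox: it profiles per-process fan-out from flow records and classifies each fan-out by how densely the destinations fill their address span and how many ports are touched. The flow records are constructed (documentation and benchmarking ranges, an arbitrary port), and the thresholds and category names are mine.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    pid: int
    proto: str
    dst_ip: str
    dst_port: int


def constructed_flows():
    """Constructed flow records (not from the report): three processes with different fan-out shapes."""
    flows = []
    # PID 108: one UDP datagram to every host of a /22 on one fixed port (a range spray).
    for host in ipaddress.ip_network("198.18.0.0/22").hosts():
        flows.append(Flow(108, "udp", str(host), 5555))
    # PID 777: 150 contiguous hosts, four TCP ports each (service discovery).
    for host in list(ipaddress.ip_network("203.0.113.0/24").hosts())[:150]:
        for port in (22, 80, 443, 445):
            flows.append(Flow(777, "tcp", str(host), port))
    # PID 900: ordinary client traffic to three hosts; must stay below the threshold.
    for ip in ("203.0.113.200", "203.0.113.201", "198.51.100.7"):
        flows.append(Flow(900, "tcp", ip, 443))
    return flows


def profile_fanout(flows, min_hosts=100):
    """Per PID with >= min_hosts distinct destinations: ports touched, covering CIDRs, density, kind."""
    by_pid = defaultdict(list)
    for f in flows:
        by_pid[f.pid].append(f)
    report = {}
    for pid, fl in by_pid.items():
        hosts = {ipaddress.ip_address(f.dst_ip) for f in fl}
        if len(hosts) < min_hosts:
            continue
        ports = sorted({(f.proto, f.dst_port) for f in fl})
        lo, hi = min(hosts), max(hosts)
        span = int(hi) - int(lo) + 1          # addresses between lowest and highest destination
        density = len(hosts) / span           # 1.0 means every address in the span was contacted
        cidrs = [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
        if len(ports) == 1 and density >= 0.9:
            kind = "range_spray"              # whole block, one port: beacon or telemetry spray
        elif len(ports) > 1 and density >= 0.5:
            kind = "service_scan"             # the same hosts probed on several ports
        else:
            kind = "scattered_fanout"         # many unrelated destinations, e.g. P2P or CDN traffic
        report[pid] = {
            "hosts": len(hosts),
            "ports": ports,
            "cidrs": cidrs,
            "density": round(density, 2),
            "kind": kind,
        }
    return report


if __name__ == "__main__":
    for pid, summary in profile_fanout(constructed_flows()).items():
        print(pid, summary)
```

On a real capture, feed this the per-process connection events (Sysmon event ID 3 or the sandbox's own network log) and read the cidrs field as the candidate block to add to egress filtering.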

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e39796740d470869174eaecd70706af_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5e39796740d470869174eaecd70706af_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:3008
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:2660
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_RLGL4_.hta"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      PID:1608
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_1CWOQW_.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1572
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "5e39796740d470869174eaecd70706af_JaffaCakes118.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1108
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1152
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2376
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
      PID:2776
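The tree above shows two behaviours worth turning into process-creation detections: the dropped binary spawning netsh.exe to change firewall state, and the cmd.exe child that runs taskkill against the parent's own image name followed by a loopback ping (the ping is a sleep so the file handle is released before deletion). The Python below is an added example, not part of the report; it encodes both as rules over an event list. The first eight events reproduce this report's process tree (same PIDs and command lines); the explorer/admin-shell events after them are constructed negatives, and the rule names, path markers and thresholds are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename  # Windows path handling regardless of the host OS


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "5e39796740d470869174eaecd70706af_JaffaCakes118.exe"
DROPPED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

EVENTS = [
    # From this report's process tree.
    ProcEvent(108, 1000, DROPPED, f'"{DROPPED}"'),
    ProcEvent(3008, 108, r"C:\Windows\SysWOW64\netsh.exe", r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"),
    ProcEvent(2660, 108, r"C:\Windows\SysWOW64\netsh.exe", r"C:\Windows\system32\netsh.exe advfirewall reset"),
    ProcEvent(1608, 108, r"C:\Windows\SysWOW64\mshta.exe", r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THIS_FILE_RLGL4_.hta"'),
    ProcEvent(1572, 108, r"C:\Windows\SysWOW64\NOTEPAD.EXE", r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THIS_FILE_1CWOQW_.txt'),
    ProcEvent(2504, 108, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(1108, 2504, r"C:\Windows\SysWOW64\taskkill.exe", f'taskkill /f /im "{SAMPLE}"'),
    ProcEvent(1152, 2504, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 1 127.0.0.1"),
    # Constructed benign activity: an administrator's interactive shell under explorer.
    ProcEvent(2000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3500, 2000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(4000, 3500, r"C:\Windows\System32\netsh.exe", "netsh advfirewall show allprofiles"),
    ProcEvent(4050, 3500, r"C:\Windows\System32\netsh.exe", "netsh advfirewall set allprofiles state on"),
    ProcEvent(4100, 3500, r"C:\Windows\System32\PING.EXE", "ping -n 1 127.0.0.1"),
]

TASKKILL_IM = re.compile(r'/im\s+"?([^"\s]+)', re.IGNORECASE)
LOOPBACK = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.IGNORECASE)
FIREWALL_VERBS = {"set", "reset", "add", "delete", "import"}   # state-changing netsh advfirewall verbs
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\desktop\\", "\\downloads\\", "\\public\\", "\\programdata\\")


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def find_self_delete_chains(events):
    """cmd.exe whose children taskkill the cmd's own parent image and ping loopback as a delay."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    findings = []
    for shell in events:
        if basename(shell.image).lower() != "cmd.exe" or shell.ppid not in by_pid:
            continue
        parent = by_pid[shell.ppid]
        killed, slept = None, False
        for child in children[shell.pid]:
            name = basename(child.image).lower()
            if name == "taskkill.exe":
                m = TASKKILL_IM.search(child.cmdline)
                if m and m.group(1).lower() == basename(parent.image).lower():
                    killed = child.pid
            elif name == "ping.exe" and LOOPBACK.search(child.cmdline):
                slept = True
        if killed and slept:
            findings.append({"rule": "self_delete_chain", "shell_pid": shell.pid,
                             "target_pid": parent.pid, "target_image": parent.image})
    return findings


def find_firewall_tampering(events):
    """netsh advfirewall state changes whose parent runs from a user-writable location."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image).lower() != "netsh.exe":
            continue
        tokens = {t.lower().strip('"') for t in e.cmdline.split()}
        if "advfirewall" not in tokens or not (tokens & FIREWALL_VERBS):
            continue
        parent = by_pid.get(e.ppid)
        if parent and is_user_writable(parent.image):
            findings.append({"rule": "firewall_change_from_user_writable_parent", "pid": e.pid,
                             "parent_pid": parent.pid, "cmdline": e.cmdline})
    return findings


def run_rules(events):
    return find_self_delete_chains(events) + find_firewall_tampering(events)


if __name__ == "__main__":
    for finding in run_rules(EVENTS):
        print(finding)
```

The parent-location check is what keeps the firewall rule quiet for the admin shell (PID 4050 issues the identical command and is not flagged); the self-delete rule keys on the taskkill target matching the grandparent image rather than on ping alone, which is routine in scripts.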

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    Tactic                Technique                           Count  ID
    Persistence           Create or Modify System Process     1      T1543
    Persistence           Windows Service                     1      T1543.003
    Privilege Escalation  Create or Modify System Process     1      T1543
    Privilege Escalation  Windows Service                     1      T1543.003
    Defense Evasion       Impair Defenses                     1      T1562
    Defense Evasion       Disable or Modify System Firewall   1      T1562.004
    Defense Evasion       Modify Registry                     2      T1112
    Discovery             Network Service Discovery           1      T1046
    Discovery             System Information Discovery        1      T1082
    Discovery             Remote System Discovery             1      T1018
    Impact                Defacement                          1      T1491


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab62EA.tmp
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\Tar62FC.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\Desktop\_READ_THIS_FILE_1CWOQW_.txt
      Filesize

      1KB

      MD5

      4b8dd5c665b33e0e7c9e3af7af7739eb

      SHA1

      46f875ee81556d86b2b38621a9cc678fffcc0cce

      SHA256

      2fff97a380288524175d428329259fa1439ebd99bf3701fec5b42a79435c2ba5

      SHA512

      9014979e8fed3627efcf07e87322b646a68f7e6edce93ca2801f2e042b9d8fbd106a46549520ddab9763b4dfc0ce3ba6f5ff464e0b4a964eacccef00c9d864c6

    • C:\Users\Admin\Desktop\_READ_THIS_FILE_DYYC3Q3_.jpeg
      Filesize

      150KB

      MD5

      a1b425c6faf4f89b84d0f904e32f09b4

      SHA1

      bc8c8d2b1192eb791042d50475022f20534a7742

      SHA256

      b7db21726b8840a94bb197996df0523e512d73db7b0101c3a935dc163c19f17a

      SHA512

      58ba2d33d1b8b9f79246016447a8d2667b25638d4b2573b480a29167450bc864d1f1db1b1f40683dda28f1b2792107878e12b4d4c57c0da35bdb323ac2e71fc3

    • C:\Users\Admin\Desktop\_READ_THIS_FILE_RLGL4_.hta
      Filesize

      74KB

      MD5

      4de51fc221a1d71ced51dc5c0fa58c3a

      SHA1

      66167fd73869f4c8211460ffbc8337a17bed330d

      SHA256

      24cb8ff225a7bb68369b603cccfb60c87412c39395994412df017a8378e18597

      SHA512

      24e5a462c979d8c738cd7048ec36628cda2338507ff2afe44e80c5686c21686fbec3cdb549352a5ea1ae78f813ca4e43c65ea31d611b4eabab9d0b87d41841fd

    • memory/108-89-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

    • memory/108-0-0x0000000002580000-0x00000000025FB000-memory.dmp
      Filesize

      492KB

    • memory/108-6-0x00000000003E0000-0x00000000003E1000-memory.dmp
      Filesize

      4KB

    • memory/108-4-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

    • memory/108-96-0x0000000009C00000-0x0000000009C02000-memory.dmp
      Filesize

      8KB

    • memory/108-3-0x00000000003E0000-0x00000000003E1000-memory.dmp
      Filesize

      4KB

    • memory/108-2-0x0000000002580000-0x00000000025FB000-memory.dmp
      Filesize

      492KB

    • memory/108-1-0x00000000003E0000-0x00000000003E1000-memory.dmp
      Filesize

      4KB

    • memory/108-294-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

    • memory/2376-97-0x0000000000160000-0x0000000000162000-memory.dmp
      Filesize

      8KB