Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 13:23
- Static task: static1
- Behavioral task: behavioral1
  Sample: 676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: 676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
- Target: 676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
- Size: 241KB
- MD5: 676734b55087daccd1b51407c9954cec
- SHA1: a80e54f2e0c319babf82bf681d555757c2dfd5f5
- SHA256: a2277ccbce73460705a3365a8152c2308b663a2877b5710d2a4a150dea9f7f45
- SHA512: 7f66a2e69e652f16f50add5311865042afab6786e6070d3ca9022eea4a6c2c30fd795a9e75657c01a076eb685c7f90bc35097a20885f547deb11587443568081
- SSDEEP: 3072:BOqBEFWcUU1nvPpFuoBtjO/ULu/UIUUq8bRObuSq2rlJ77lDcK4+2NvvZv8Y:B3EFMa5xq/UC/Ugsr3lJ77FPmZ
Malware Config
- Extracted from: C:\PerfLogs\KRAB-DECRYPT.txt
  URL: http://gandcrabmfe6mnef.onion/8be2d3f87839adb3
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (275) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
    description         ioc                                                                                                   process
    Key value queried   \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation   676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
- Drops startup file (2 IoCs)
  Processes:
    description    ioc                                                                             process
    File created   C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt          676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
    File created   C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\7839aa5e7839adb041e.lock   676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Program Files directory (39 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                                                    process
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier            676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid    process
    4768   676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
    4768   676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
    4768   676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
    4768   676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid    process                                              target process
    PID 4768 wrote to memory of 4800   4768   676734b55087daccd1b51407c9954cec_JaffaCakes118.exe   wmic.exe
    PID 4768 wrote to memory of 4800   4768   676734b55087daccd1b51407c9954cec_JaffaCakes118.exe   wmic.exe
    PID 4768 wrote to memory of 4800   4768   676734b55087daccd1b51407c9954cec_JaffaCakes118.exe   wmic.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\676734b55087daccd1b51407c9954cec_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\676734b55087daccd1b51407c9954cec_JaffaCakes118.exe"
  PID: 4768
  - Checks computer location settings
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    PID: 4800
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 652
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads
- C:\PerfLogs\KRAB-DECRYPT.txt
  Filesize: 8KB
  MD5: a4e304f52d404858bf9315a2ecc10e24
  SHA1: d35db2625e655ba9dfb2a3b51996128cd40b5af7
  SHA256: 1cb3f5b2ce80d6a6c6c7d2ce1c69736be1ada46429df4cb2a73a0ea7a239ac06
  SHA512: 24be5430b87109265255774055a26126be91c740ad3ee7b40bab97613c7790b6a671b9947e20bd26a73ee7b85d8585aae04015a5ccf38c0d245f946cc49beaab
- memory/4768-1-0x0000000000600000-0x0000000000700000-memory.dmp
  Filesize: 1024KB
- memory/4768-2-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB
- memory/4768-722-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/4768-729-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB
- memory/4768-730-0x0000000000600000-0x0000000000700000-memory.dmp
  Filesize: 1024KB
- memory/4768-731-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB