Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
23-05-2024 11:12
General
-
Target
6ac062d21f08f139d9f3d1e335e72e22_JaffaCakes118.exe
-
Size
98KB
-
MD5
6ac062d21f08f139d9f3d1e335e72e22
-
SHA1
9e967a759e894a83c4b693e81c031d7214a8e699
-
SHA256
564154a2e3647318ca40a5ffa68d06b1bd40b606cae1d15985e3d15097b512cd
-
SHA512
0a02068f6e22a41f4037d01882e32fc7bacf515818cf4f721960b987393da6b1d32ff4aa1b5fa73d546908cb85ded211061b37f4731ed643b8182909008a6892
-
SSDEEP
1536:0bPX/gJxDFgu02gM+LXbtQ5IxWwbglROAnbFmYVKCKclF:0cxz1gxXSNwbYcYVKhYF
Score
10/10
Malware Config
Extracted
Path
C:\PerfLogs\# How to Decrypt Files-S9HRF.html
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Decryption Instructions</title>
<style>
a {
color: #04a;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #222;
font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
font-size: 12pt;
line-height: 16pt;
}
body,
h1 {
margin: 0;
padding: 0;
}
h1 {
color: #555;
text-align: center;
padding-bottom: 1.5em;
line-height: 1.2;
}
h2 {
color: #555;
text-align: center;
line-height: 1.2;
}
ol li {
padding-bottom: 13pt;
}
.container {
background-color: white;
border: 2pt solid #C7C7C7;
margin: 3%;
min-width: 600px;
padding: 5% 10%;
color: #444;
}
.header {
border-bottom: 2pt solid #c7c7c7;
padding-bottom: 5%;
}
.hr {
display: block;
height: 2pt;
margin-top: 1.5%;
margin-bottom: 1.5%;
overflow: hidden;
width: 100%;
}
.info {
border: 1px solid #888;
background-color: #E4E4E4;
padding: 0.5em 3em;
margin: 1em 0;
}
.text {
text-align: justify;
}
.lsb{
display: none;
margin: 3%;
text-align: center;
}
.ls {
cursor: pointer;
border: 1px solid #888;
border-radius: 3px;
padding: 0 0.5em;
margin: 0.2em 0.1em;
line-height: 2em;
display: inline-block;
}
.ls:hover {
background-color: #D0D0D0;
}
.l {
display: none;
}
.lu {
display: none;
}
#change_language {
float: right;
display: none;
}
</style>
</head>
<body onload='javascript:onPageLoaded()'>
<div class='lsb'>
</div>
<div class='container'>
<div class="text l l-en" style='display:block'>
<br>
<div>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAL8AAAEICAMAAAA5jNVNAAAAeFBMVEX///8AAAD8/PxQUFCJiYk0NDSenp5TU1M9PT329vb6+vrv7+/z8/Pl5eXKyspfX18oKCjCwsKPj4/o6Oivr699fX1xcXGioqLa2tq7u7uTk5PS0tI6OjogICCCgoJoaGh1dXUXFxeqqqpHR0cODg4cHBxaWlotLS1/4KDGAAAHlUlEQVR4nO2daVciPRCFaRpkRzYXXNCGUf7/P3zldUZn6O6bSmrDc3I/a/IASaVSqVQ6HQWt55v97rpcLIo/el4cXnr77eNYoztBjZZ3L78KpPJqO/WmbNZks8PoX6p226437ZnuV0ca+9fvsB95M39ptqri4D91vfUGP6m7GabAf+rBey5MVunw/+t17Ug/e2XSu36CyY0A/Uk7j6ncvRKiP2lvjj9fhKkiVN6b0k9vRelPujLEX1bi+EUxMJvHPQX6k+Ym9OtSCd9mDD2+qeEXxa26X7dVpP9QqexQ3OniF8Vhpon/oI1fFH3FD2CAr/kBTPD1PoCkwwM1nGjgb6zwP6yQghmd2+EXxYs4/qyy5C9Wwvjjgyl+UQjv7eX95ZBENwSGc/ePDoKxxvv47qvypne1Xc5n6/lye9W7KavYFnZi+N1Ij7nsbdfTMxPYna43u7hI0VKKP2rhetlMWq33eH03oLe0EFrGIkZPuQn6v7OHitraqwz/O7k/ms3obqixC5ENJXXH8hrhdm1om7gnARs0pX1Zgzh73aXFTR/4/LSO4pfLGckYsV3pGaWX9yRLsSO0fMvlp8RoU3/lJaHtRx4+xXamrzOE1q95/AS/jeNoEUYny4YS2ufNsEmw/QGn+fDo5xqI8DfE+AEmwQNd/gr5GOqCMQOCtl8i4BrcWyRPsGnoTPpdAL/TCR0CJq8BQc9HKMwR8lBS/eiQ48lcW74UmsOJwYhQszdC+MHA5DHtfDU0ewU32IERlLTCj59wo5IRmkBwL8mEBgzzQRC/07nGnaUcTQbWXqnJ+6nAXEtYZ0bY+DP9wpqwo3iIt9SB4SP79Qdd6Xg3Cw+fUhg/NAOit0gjbH3EYmNfwiYoegDh3/NZHD+0BsQOILwkahz04yhlbI/Y99E4YMNbsUh7J9oYUXgGx31leDZtVPjxRibOXcEpPjr5dlPYZ5y3C8P0OsMnMICiYrl4+GtlC+LklhgfDg9/rUQ17MTFTDq4dekr4Xe6cAmLmQAvqKGeFj/2uYb0CYDPLPTS3rEFpa8Aa6F2YoX7pcf6YOBnoZcjOH5GHdPDKHD6so9EgOAujJ5UA5vRTDKFPuiCuuyP+qgZzSxffKJEnXh49dW8bIBdIOo3B/deleYdOjyBqSMXmmGZmHmb4MJJXYGh86y3+ga7HhAtNzxQ0M1xhy5oRZt6OF1J99IcjprRktNHcBKp5ocHDBAt6OdnPj++O9g3beMEtxFvuleQuzArheYBwUUwIRIcJWhAaSmJ0AZoem8nQQNKCxxA71PX/Afiln3S4IV5RQIZXVB4C0YyHnAIat+0xJEPygKAly/5wP+/wgsAZfHBB1/S50Zx/JTecQvaV41HMDOUEsPy5R/DX/+O0IKn+9AJHJxQrB90HxbqFUyg805ZfaAF66tfEIWrD4Ufuj9aof9vsWNPe19+GAKqb76758L8vfo/yAp3/177835NcPf19lT/B1nB7ou3s7/uwL++fGV+X2V+X2V+X2V+X2V+X2V+X2V+X2V+XzXyHwflBWrQlNXQxP80Ut7jpqlxZ9/Erx9jSBOVn3XjU1GZ31eZ31eZ31eZ31eZ31eZ31eZ31eZ31eZ31fW/N35ditZBdOW//F3Gt2NWMKxJf/krys0K6GcFUP++T+Fm4YyFybt+GtJnCLTwIy/oSOJS0tW/I0ZMAK/gBF/y+VDvhmy4W+7AXJkv0xgwr9uLRl3zTWjFvyoTje3JrgFP7xBzcz9NuDHFeN+8W4+6/Pj+9PckxF9/kAVLmbhEXX+cD1Y1ghS5w8UjDuJc/1Hm5/0wgRjFdPmJz2GR7mB4MM/puBzyvYp81OqORec6hfK/MRXAtJNqDI/8S3IdC9ImZ/4wkr6BVBlflj04lvp9QuU+Qmr10npN4Au4/tPN6DK/EHn7VPpPqgyP/El3XQPSJmf+LRfev0LZX7SSxOcQJC2/1aR+NMvUGrzU97jKF6T8dX5Se8MMe5vq++/CB4E5/7qBex/WRt4/fhD8Adg1Y7T5w++ZcE6BjCIvwWei7n0+FVnhB8sufT4YSCGcvnxW7gL5pausTl/aa3+wi4cZ3T+1VK6mP8WnBF/c+X6J/7D3Fbnp9OGGlwC+Ibn77UaJkOJZ9EN8x/O1rGDSNUXQ/6zBAiZt2QN+c9jiSI5QHb8NRPEiPp/y46/dg4p8h63Y/4P8+TXmr9+Cv+T8n+aKrBJPAZtxt8QyYooHu/P39SRgAU142+KRAuU/TXz3xralLjUasXfnETzc/zn5hwmfuFKI/5x8+MT/NcWjfhbwrg/Zv/YVsGWbUFt+FvLt7ItqA1/a/lNtgW14W8vIMy1oDb87WkcXAtqwj+uWvm5PqgJPzgE41pQ7/gt14Ka8KMsCOYu3oIfvj/A3MVb8OMTMF4YzoIfJ/HxdvEW/DiJj3eDwYAfv/9TlKwrJAb8uPY404Uw4A9lELAevzHg3x+HSH3W6xP5/rKvMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vfjp/0wXRJv7jqneJWjVdLGji/0nK/L7K/L7K/L7K/L7K/L7K/L7K/L7K/L7K/L76DxuakMqfwNR4AAAAAElFTkSuQmCC" alt="LockLogo" />
</div>
<br>
<p><samp># All your files has been encrypted by "KRAKEN CRYPTOR".</samp></p>
<p><samp># Read the following instructions carefully to decrypt your files.</samp></p>
<br>
<div class="info">
-----BEGIN KRAKEN ENCRYPTED UNIQUE KEY-----
<br>
i+btTwvM3RJn0gPGBAyd/RK01cEMn9yP2Xi8Qnb1X9kqTlVd2RqW9X7buqpcWKOm<br>O+cdUhJ3Id4SNEBWHuyHedqhZrNfIYNIBtUPAmv2ej2bFM8o12a0M15aUyDd9qqi<br>t7ialpmlpf9HjjoinDc2wVgPQZ6JbatVEQtPQtdm1g/qD1yKsQcjFj2xH8rNNpjc<br>nK9H9RXEoGmdmMPppL49/k3kzCvHU+j/x3C8jDiElKImhB0aG7JZkC+sjGvacFDr<br>f2oBJULl4oZM4dbCySQ3ULWSdTGc9etjl9pl7W3WLX9ipHK826OpLMtoDmSVq0wi<br>Ldx35wgjPuE5ayzTVTn8bEyqDC+pfbd1VLRLi6kTDAtAQEnkykzKx3nWPATAxiDp<br>qUZZgMwmGk1ozMYxGEueKFmRirBSPZ/rI8EXYW5mWigUbXgo8i2iTLuU8F3qO9ag<br>w2NbmUjFbPCYEzgY8DBq1bcLTVQ3GmrQnli6LImCcRsfDHTgCN9hs1980xYqOTF0<br>4iOSxSNbgiMXDG3JeIpMQ218MCVnIszxO+9NiQdwF9pdf+HhvoHeY+r9fsgxB2DY<br>eOFzg3VG2h8CnuQfYT5SbaGgZtEtdHtzNPnn5YzOhbTO/Z7tYeP6FxDUhG3c5lk1<br>PcKsRXTo7GprJ5uvpqUA/6c7aGGaAv0pmO1/bhAC1hqiBp5WDGfX03Dhe2w9qKfZ<br>i6FREbMfscqpqmyNbizsPVvH4vJ2JQ==
<br>
-----END KRAKEN ENCRYPTED UNIQUE KEY-----
</div>
<br>
Extension
<div class="info">
.S9HRF
</div>
<br>
<p style="color: #D91E18;">What happened to my computer?</p>
<hr>
<p>All of your files such as documents, images, videos and other files with the different names and extensions are encrypted by "KRAKEN CRYPTOR"!</p>
<p>Don't delete .S9HRF files! there are not virus and are your files, but encrypted!</p>
<p>The speed, power and complexity of this encryption have been high and if you are now viewing this guide.</p>
<p>It means that "KRAKEN CRYPTOR" immediately removed form your system!</p>
<p>No way to recovery your files without "KRAKEN DECRYPTOR" software and your computer "UNIQUE KEY"!</p>
<p>You need to buy it from us because only we can help you!</p>
<br>
<p style="color: #D91E18;">How can recovery my files?</p>
<hr>
<p>We guarantee that you can recover all your files soon safely.</p>
<p>You can decrypt one of your encrypted smaller file for free in the first contact with us.</p>
<p>For the decryption service, we also need your "KRAKEN ENCRYPTED UNIQUE KEY" you can see this in the top!</p>
<p>Are you want to decrypt all of your encrypted files? If yes! You need to pay for decryption service to us!</p>
<p>After your payment made, all of your encrypted files has been decrypted.</p>
<br>
<p style="color: #D91E18;">How much is need to pay?</p>
<hr>
<p>You need to pay (0.256 BTC), payment only can made as Bitcoins.</p>
<p>This links help you to understand whats is a Bitcoins and how it work.</p>
<p><a href="https://wikipedia.org/wiki/Bitcoin">https://en.wikipedia.org/wiki/Bitcoin</a></p>
<p><font size="3" color="red"> This price is for the contact with us in first week otherwise it will increase.</font></p>
<br>
<p style="color: #D91E18;">Where can buy Bitcoins?</p>
<hr>
<p>The easiest way to buy Bitcoins is LocalBitcoins website.</p>
<p>You must register on this site and click "BUY Bitcoins" then choose your country to find sellers and their prices.</p>
<p><a href="https://localBitcoins.com">https://localBitcoins.com</a></p>
<br>
<p>Other places to buy Bitcoins in exchange for other currencies worldwide:</p>
<p><a href="https://www.bestbitcoinexchange.io/">https://www.bestbitcoinexchange.io</a></p>
<br>
<p style="color: #D91E18;">How to contact you?</p>
<hr>
<p>We use best and easy way to communications. It's email support, you can see our emails below.</p>
<p>Please send your message with same subject to both address.</p>
<br>
E-Mail
<div class="info">
[email protected]
</div>
<br>
Alternative
<div class="info">
[email protected]
</div>
<br>
<p style="color: #D91E18;">Attention</p>
<hr>
<ul type="disc">
<li>DON'T MODIFY OR RENAME ENCRYPTED FILES.</li>
<li>DON'T MODIFY "KRAKEN ENCRYPT UNIQUE KEY".</li>
<li>DON'T USE THIRD PARTY, PUBLIC TOOLS/SOFTWARE TO DECRYPT YOUR FILES, THIS CAUSE DAMAGE YOUR FILES PERMANENTLY.</li>
<li>DON'T ASK PEOPLE OR DATA RECOVERY CENTERS, THEY ARE MAY ADD EXTRA CHARGE.</li>
</ul>
<br>
<p><b>Additional</b></p>
<hr>
<ul type="square">
<li>Project "KRAKEN CRYPTOR" doesn't damage any of your files, this action is reversible if you follow the instructions above.</li>
<li>Also, our policy is obvious: "NO PAYMENT, NO DECRYPT".</li>
</ul>
</div>
</div>
</body>
</html>
Signatures
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies registry class 5 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ac062d21f08f139d9f3d1e335e72e22_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6ac062d21f08f139d9f3d1e335e72e22_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\eventvwr.exe"C:\Windows\System32\eventvwr.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\krakentemp0000.exe"C:\Users\Admin\AppData\Local\Temp\krakentemp0000.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exe"tasklist" /V /FO CSV4⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S "C:\Users\Admin\AppData\Local\Temp\krakentemp0000.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 35⤵
- Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PerfLogs\# How to Decrypt Files-S9HRF.htmlFilesize
9KB
MD583ef98ab324a835586867432b720b477
SHA1e18847b5508efff9d5d5def52f13633ec6cc37d6
SHA256bb238a1ba75a264d80ba8eb6162f3ac4654ae370e7604c9111edf10a95c70a03
SHA512b09878ebdd7474144a20d294e6e41f32884373bff3f2abc6758da0ce22f94d9123540bf906f4e7304b4d1ebfba9b1caa5ad6d64c3a8e720c02b1eacd1e201c19
-
C:\Users\Admin\AppData\Local\Temp\krakentemp0000.exeFilesize
91KB
MD5b8665cf00d32352ee83ceb189595a753
SHA1669605b2968e3eca80c9366f973dc589057227e5
SHA2567e0ee0e707db426eaf25bd0924631db969bb03dd9b13addffbcc33311a3b9aa7
SHA512de6ec58e018a8db2538c0e5ae3942ea3ec370a9724e2f734e5c3898d8867213f25116a7793309e87c04548d1180aeb7d57bda37c0d60c4f3d2fa390e509f1a28
-
memory/2648-6-0x0000000000190000-0x00000000001D0000-memory.dmpFilesize
256KB
-
memory/2648-426-0x0000000000190000-0x00000000001D0000-memory.dmpFilesize
256KB
-
memory/2836-0-0x000007FEF5DFE000-0x000007FEF5DFF000-memory.dmpFilesize
4KB
-
memory/2836-2-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmpFilesize
9.6MB
-
memory/2836-5-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmpFilesize
9.6MB