teslacrypt | 39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc

General

Target

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Size

340KB
MD5

6bcc066e2a81f34c7e052895001f44c6
SHA1

6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8
SHA256

39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc
SHA512

b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c
SSDEEP

6144:2//b5dx5w2hahQGvPmZ8n0SylbvO+MeTHLlj9HhRbr3ET4b7ODRJT0luqig:SddvwdhHvPmZiyIXgLl3ZoMq4wO

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\PerfLogs\Recovery+nqtin.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/CC3754BDC8FDF6C 2. http://tes543berda73i48fsdfsd.keratadze.at/CC3754BDC8FDF6C 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CC3754BDC8FDF6C If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/CC3754BDC8FDF6C 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/CC3754BDC8FDF6C http://tes543berda73i48fsdfsd.keratadze.at/CC3754BDC8FDF6C http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CC3754BDC8FDF6C *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/CC3754BDC8FDF6C

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/CC3754BDC8FDF6C

http://tes543berda73i48fsdfsd.keratadze.at/CC3754BDC8FDF6C

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CC3754BDC8FDF6C

http://xlowfznrg4wf7dli.ONION/CC3754BDC8FDF6C

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (610) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeybywdbavirud.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ybywdbavirud.exe

Executes dropped EXE 2 IoCs

Processes:

ybywdbavirud.exeybywdbavirud.exe

pid process

3080 ybywdbavirud.exe
3708 ybywdbavirud.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3080	ybywdbavirud.exe
3708	ybywdbavirud.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ybywdbavirud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wnlicofttggs = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ybywdbavirud.exe\""	ybywdbavirud.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeybywdbavirud.exe

description	pid	process	target process
PID 3968 set thread context of 3672	3968	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3080 set thread context of 3708	3080	ybywdbavirud.exe	ybywdbavirud.exe

Drops file in Program Files directory 64 IoCs

Processes:

ybywdbavirud.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-400.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-100_contrast-black.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\Recovery+nqtin.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-400.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\7-Zip\Lang\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-400.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+nqtin.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200_contrast-black.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-125.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-high.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8080_20x20x32.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-100.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\View3d\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_scale-200.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleSplashScreen.scale-125.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\Recovery+nqtin.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-150.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.AdomdClient\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\1px.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+nqtin.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-200.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-high.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-60.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\applet\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Recovery+nqtin.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\Recovery+nqtin.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\Recovery+nqtin.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-200.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookPromoTile.scale-200.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\19.jpg	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-150.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-256.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-100_contrast-black.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\Icons_Icon_Wind_sm.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\View3d\Recovery+nqtin.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\Recovery+nqtin.html	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.scale-100.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\Recovery+nqtin.txt	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_contrast-white.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-200_contrast-black.png	ybywdbavirud.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\Recovery+nqtin.png	ybywdbavirud.exe

Drops file in Windows directory 2 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\ybywdbavirud.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
File created	C:\Windows\ybywdbavirud.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ybywdbavirud.exe

pid	process
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe
3708	ybywdbavirud.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeybywdbavirud.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3672	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
Token: SeDebugPrivilege	3708	ybywdbavirud.exe
Token: SeIncreaseQuotaPrivilege	4992	WMIC.exe
Token: SeSecurityPrivilege	4992	WMIC.exe
Token: SeTakeOwnershipPrivilege	4992	WMIC.exe
Token: SeLoadDriverPrivilege	4992	WMIC.exe
Token: SeSystemProfilePrivilege	4992	WMIC.exe
Token: SeSystemtimePrivilege	4992	WMIC.exe
Token: SeProfSingleProcessPrivilege	4992	WMIC.exe
Token: SeIncBasePriorityPrivilege	4992	WMIC.exe
Token: SeCreatePagefilePrivilege	4992	WMIC.exe
Token: SeBackupPrivilege	4992	WMIC.exe
Token: SeRestorePrivilege	4992	WMIC.exe
Token: SeShutdownPrivilege	4992	WMIC.exe
Token: SeDebugPrivilege	4992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4992	WMIC.exe
Token: SeRemoteShutdownPrivilege	4992	WMIC.exe
Token: SeUndockPrivilege	4992	WMIC.exe
Token: SeManageVolumePrivilege	4992	WMIC.exe
Token: 33	4992	WMIC.exe
Token: 34	4992	WMIC.exe
Token: 35	4992	WMIC.exe
Token: 36	4992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4992	WMIC.exe
Token: SeSecurityPrivilege	4992	WMIC.exe
Token: SeTakeOwnershipPrivilege	4992	WMIC.exe
Token: SeLoadDriverPrivilege	4992	WMIC.exe
Token: SeSystemProfilePrivilege	4992	WMIC.exe
Token: SeSystemtimePrivilege	4992	WMIC.exe
Token: SeProfSingleProcessPrivilege	4992	WMIC.exe
Token: SeIncBasePriorityPrivilege	4992	WMIC.exe
Token: SeCreatePagefilePrivilege	4992	WMIC.exe
Token: SeBackupPrivilege	4992	WMIC.exe
Token: SeRestorePrivilege	4992	WMIC.exe
Token: SeShutdownPrivilege	4992	WMIC.exe
Token: SeDebugPrivilege	4992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4992	WMIC.exe
Token: SeRemoteShutdownPrivilege	4992	WMIC.exe
Token: SeUndockPrivilege	4992	WMIC.exe
Token: SeManageVolumePrivilege	4992	WMIC.exe
Token: 33	4992	WMIC.exe
Token: 34	4992	WMIC.exe
Token: 35	4992	WMIC.exe
Token: 36	4992	WMIC.exe
Token: SeBackupPrivilege	224	vssvc.exe
Token: SeRestorePrivilege	224	vssvc.exe
Token: SeAuditPrivilege	224	vssvc.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exeybywdbavirud.exeybywdbavirud.exe

description	pid	process	target process
PID 3968 wrote to memory of 3672	3968	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3968 wrote to memory of 3672	3968	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3968 wrote to memory of 3672	3968	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3968 wrote to memory of 3672	3968	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3968 wrote to memory of 3672	3968	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3968 wrote to memory of 3672	3968	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3968 wrote to memory of 3672	3968	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3968 wrote to memory of 3672	3968	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3968 wrote to memory of 3672	3968	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
PID 3672 wrote to memory of 3080	3672	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	ybywdbavirud.exe
PID 3672 wrote to memory of 3080	3672	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	ybywdbavirud.exe
PID 3672 wrote to memory of 3080	3672	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	ybywdbavirud.exe
PID 3672 wrote to memory of 3752	3672	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 3672 wrote to memory of 3752	3672	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 3672 wrote to memory of 3752	3672	6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe	cmd.exe
PID 3080 wrote to memory of 3708	3080	ybywdbavirud.exe	ybywdbavirud.exe
PID 3080 wrote to memory of 3708	3080	ybywdbavirud.exe	ybywdbavirud.exe
PID 3080 wrote to memory of 3708	3080	ybywdbavirud.exe	ybywdbavirud.exe
PID 3080 wrote to memory of 3708	3080	ybywdbavirud.exe	ybywdbavirud.exe
PID 3080 wrote to memory of 3708	3080	ybywdbavirud.exe	ybywdbavirud.exe
PID 3080 wrote to memory of 3708	3080	ybywdbavirud.exe	ybywdbavirud.exe
PID 3080 wrote to memory of 3708	3080	ybywdbavirud.exe	ybywdbavirud.exe
PID 3080 wrote to memory of 3708	3080	ybywdbavirud.exe	ybywdbavirud.exe
PID 3080 wrote to memory of 3708	3080	ybywdbavirud.exe	ybywdbavirud.exe
PID 3708 wrote to memory of 4992	3708	ybywdbavirud.exe	WMIC.exe
PID 3708 wrote to memory of 4992	3708	ybywdbavirud.exe	WMIC.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ybywdbavirud.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ybywdbavirud.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ybywdbavirud.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\ybywdbavirud.exe
C:\Windows\ybywdbavirud.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\ybywdbavirud.exe
C:\Windows\ybywdbavirud.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3708

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6BCC06~1.EXE
3⤵
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Recovery+nqtin.html
Filesize
11KB

MD5
de7c0a10174283b7ac3d82d9daf97e6e

SHA1
2f2306d91f9c8fb2030957bf33b1aa5f687a78b7

SHA256
5879791ff87d3a91a5e14216be34a73b0c449e9ff4cf0e6cdcb9687d9718f36f

SHA512
f06c2e1941cd2b4036edfac1cbea91272a25d766faedd7a7a1de455606408b2279be202ebebad2edd459e5fb7354924842f8d051f83e280458d964ee0a822f3f

Download Submit
C:\PerfLogs\Recovery+nqtin.png
Filesize
62KB

MD5
3f6947fd199ac733977a2451e2e9bea0

SHA1
b1a00e55a99ad2c7069d8ccbf2fb047f8d1cf765

SHA256
2702fb2f81114229af8aeb4c5c90a239c520db3d23b5a3a3d904946d07b728d5

SHA512
ecbeb7fcec7fffc47508c05d5a6e2a73f96ecb9636d82ea85bd4598ce0ef1cb399bb162517b923f7b6ee1491a9041570ff5ac89e0aac1777eccd3168df1baa1c

Download Submit
C:\PerfLogs\Recovery+nqtin.txt
Filesize
1KB

MD5
58dd3f32860f928a81d4b82324864797

SHA1
c16ac792b98afd30af4ff662944abd60b20ac49e

SHA256
199959e5cb929e146532cc754444917d92e7d8dd474fc59fd3c01973557a92ca

SHA512
cff87e015d64cf6732749f2b736ec2c09511f9a31db7fe6416c8d676f1f5fa59a55b1c1a13b8d018d8a769a152b7d10c55abfc6efaae22048615d8565bc978fd

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
Filesize
560B

MD5
f53ac79b59e942c04b675f52e9fca38a

SHA1
3519fdb0b94c3e1989529b7e386c87fac9abe50f

SHA256
f09299916546af5bba0038c6eb0df48a8220aeaa1bbcb2c48a4cd02da265ff60

SHA512
71be915cb440c4463390aa4c95cebd8e58edd2f121eaa80955325c90d63915fefb0621570a766eb863da31426613bbc8ff4f8c4c1452b6f8a8e059dd27fdf5f7

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
Filesize
560B

MD5
560fae1a04d7291b0a6408d07776acb1

SHA1
dd6f6fb38e562a1bf36958f6f5079e5cace81233

SHA256
90672c293f0a5fe834e67c7f2c883d0abeb132d176da5930cf507e6c39ba7371

SHA512
5de9fd43437458c6add37f7a6177744c7395c9e24659b3164d070259d9172c574f280dd219679db28772a4416f7f8571fb8494c8644276533bdac848d9ec25fc

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
Filesize
416B

MD5
80daba37bcfe124b8ef4815926dac82e

SHA1
70dc70ecc6ddfbb97314558861b4827d4bf7a072

SHA256
eb7b4877117262cc68ddc46fb3135d81b58a3d5ff6a6284ee660d92c8b8d8d2e

SHA512
d2db505b519f8db77474104a54b4fc02ecafb5968d6cf1bc0f6064f69c7f7fa23b810ab1b7c1b1c25b29bca6f98426808f1ca28a31047a0d60f565477af11333

Download Submit
C:\Windows\ybywdbavirud.exe
Filesize
340KB

MD5
6bcc066e2a81f34c7e052895001f44c6

SHA1
6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8

SHA256
39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc

SHA512
b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c

Download Submit
memory/3080-11-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/3672-12-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3672-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3672-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3672-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3672-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-612-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-22-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-501-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-525-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-3786-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-720-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-16-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-2928-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-1176-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3708-1676-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3968-3-0x00000000022E0000-0x00000000022E3000-memory.dmp

Filesize
12KB

Download
memory/3968-0-0x00000000022E0000-0x00000000022E3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads