Analysis

  • max time kernel
    121s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-05-2024 08:17

General

  • Target

    715d071a8f0a8552a002d6347a52e13a_JaffaCakes118.exe

  • Size

    268KB

  • MD5

    715d071a8f0a8552a002d6347a52e13a

  • SHA1

    b093a35a0b2faff292e497b6f4b0b4ef45d3376f

  • SHA256

    f7d8c91adc09d8fee7aef8ab5e0f5a0f0006e77da858317913196983376ab448

  • SHA512

    729666be58aa195c28d89e11e28f6c7c514324a496f4726e593efad51b46c6d5116890afeb2b0e127cf1cdcbbac0f16ed1a1f972365e6dcf4fdfd8e595556495

  • SSDEEP

    6144:KxxVTj+/q0bykF+hS/e2bm3y+7C30/VFB7koPM4GMMhhGtED0:AeiWykF+PlyVsXDUD0

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_RV7GEK_.txt

Ransom Note

--- [ CERBER RANSOMWARE ] ---
! YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED !
---
The only way to decrypt your files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
---
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/780D-A0F8-F958-0446-9D74
Note! This page is available via "Tor Browser" only.
---
Also you can use temporary addresses on your personal page without using "Tor Browser".
---
1. http://p27dokhpz2n7nvgr.1a7wnt.top/780D-A0F8-F958-0446-9D74
2. http://p27dokhpz2n7nvgr.1czh7o.top/780D-A0F8-F958-0446-9D74
3. http://p27dokhpz2n7nvgr.1hpvzl.top/780D-A0F8-F958-0446-9D74
4. http://p27dokhpz2n7nvgr.1pglcs.top/780D-A0F8-F958-0446-9D74
5. http://p27dokhpz2n7nvgr.1cewld.top/780D-A0F8-F958-0446-9D74
---
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://p27dokhpz2n7nvgr.onion/780D-A0F8-F958-0446-9D74

http://p27dokhpz2n7nvgr.1a7wnt.top/780D-A0F8-F958-0446-9D74

http://p27dokhpz2n7nvgr.1czh7o.top/780D-A0F8-F958-0446-9D74

http://p27dokhpz2n7nvgr.1hpvzl.top/780D-A0F8-F958-0446-9D74

http://p27dokhpz2n7nvgr.1pglcs.top/780D-A0F8-F958-0446-9D74

http://p27dokhpz2n7nvgr.1cewld.top/780D-A0F8-F958-0446-9D74

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016. The dropped `_READ_THI$_FILE_*` notes in .txt, .hta and .jpeg form and the per-victim .onion URL with .top mirror domains are characteristic of the family.

  • Blocklisted process makes network request 5 IoCs
  • Contacts a large number (1095) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For Cerber it is consistent with the family's known habit of spraying UDP packets at whole IP ranges (victim-tracking telemetry), so on its own it should not be read as a service scan.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\715d071a8f0a8552a002d6347a52e13a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\715d071a8f0a8552a002d6347a52e13a_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      PID:2876
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      PID:2768
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_AQ8PK_.hta"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      PID:2808
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_RV7GEK_.txt
      2⤵
      PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "715d071a8f0a8552a002d6347a52e13a_JaffaCakes118.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1760
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1668
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2944
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:1676
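The Signatures and process tree above contain three behaviours worth alerting on in endpoint telemetry: netsh.exe tampering with the Windows Firewall (T1562.004), the ransom note being rendered through mshta.exe and NOTEPAD.EXE, and the self-delete chain (cmd.exe spawning `taskkill /f /im <own image>` followed by `ping -n 1 127.0.0.1` as a delay before the file is removed). The following Python is an added example, not part of the sandbox report, that hunts for those patterns over constructed process-creation records. The records use Sysmon Event ID 1 field names and are built from the PIDs, images and command lines in the report plus one benign netsh call as a negative case; the rule names (`firewall_tamper`, `ransom_note_display`, `self_delete_chain`) are my own.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed records in Sysmon Event ID 1 (process creation) field naming,
# modelled on the process tree in the report above. PIDs, images and command
# lines come from the report; the last record is a benign netsh call added
# so the rules have a negative case. This is not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 1516, "ParentProcessId": 1200,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\715d071a8f0a8552a002d6347a52e13a_JaffaCakes118.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\715d071a8f0a8552a002d6347a52e13a_JaffaCakes118.exe"'},
    {"ProcessId": 2876, "ParentProcessId": 1516,
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"},
    {"ProcessId": 2768, "ParentProcessId": 1516,
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r"C:\Windows\system32\netsh.exe advfirewall reset"},
    {"ProcessId": 2808, "ParentProcessId": 1516,
     "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_AQ8PK_.hta"'},
    {"ProcessId": 2804, "ParentProcessId": 1516,
     "Image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "CommandLine": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_RV7GEK_.txt'},
    {"ProcessId": 1756, "ParentProcessId": 1516,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe"'},
    {"ProcessId": 1760, "ParentProcessId": 1756,
     "Image": r"C:\Windows\SysWOW64\taskkill.exe",
     "CommandLine": r'taskkill /f /im "715d071a8f0a8552a002d6347a52e13a_JaffaCakes118.exe"'},
    {"ProcessId": 1668, "ParentProcessId": 1756,
     "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping -n 1 127.0.0.1"},
    {"ProcessId": 3000, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface"},
]

# Cerber note file names as seen in the report: _READ_THI$_FILE_<random>_.{hta,txt,jpeg}
RANSOM_NOTE_RE = re.compile(r"_READ_THI\$_FILE_[A-Z0-9]+_\.(?:hta|txt|jpeg)\b", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of a Windows image path (System32 vs SysWOW64 is irrelevant)."""
    return PureWindowsPath(path).name.lower()


def detect_cerber_behaviour(events):
    """Return (rule, pid, detail) tuples for the behaviours flagged in the report."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)

    findings = []
    for e in events:
        name = image_name(e["Image"])
        cmd = e["CommandLine"].lower()

        # T1562.004: "netsh advfirewall reset" / "netsh advfirewall set allprofiles state ...".
        # Read-only calls such as "netsh interface show ..." do not match.
        if name == "netsh.exe" and "advfirewall" in cmd and (
                "reset" in cmd or "set allprofiles state" in cmd):
            findings.append(("firewall_tamper", e["ProcessId"], e["CommandLine"]))

        # Ransom note rendered to the user via mshta.exe (.hta) or notepad (.txt).
        note = RANSOM_NOTE_RE.search(e["CommandLine"])
        if name in ("mshta.exe", "notepad.exe") and note:
            findings.append(("ransom_note_display", e["ProcessId"], note.group(0)))

        # Self-delete chain: a cmd.exe whose children are "taskkill /f /im <parent image>"
        # and "ping -n 1 127.0.0.1" (a delay). The final "del" runs inside cmd.exe and
        # leaves no process-creation event, so the chain is keyed on these two children.
        if name == "cmd.exe" and e["ParentProcessId"] in by_pid:
            parent = by_pid[e["ParentProcessId"]]
            target = image_name(parent["Image"])
            kids = children[e["ProcessId"]]
            kills_parent = any(
                image_name(k["Image"]) == "taskkill.exe"
                and "/im" in k["CommandLine"].lower()
                and target in k["CommandLine"].lower()
                for k in kids)
            pings_loopback = any(
                image_name(k["Image"]) == "ping.exe" and "127.0.0.1" in k["CommandLine"]
                for k in kids)
            if kills_parent and pings_loopback:
                findings.append(("self_delete_chain", e["ProcessId"], parent["Image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect_cerber_behaviour(SAMPLE_EVENTS):
        print(f"{rule:<22} pid={pid:<5} {detail}")
```

The firewall rule will also fire on administrators who run `netsh advfirewall reset` by hand, so in production it should be scoped to non-interactive parents or correlated with the other two rules. The self-delete rule is the most specific of the three because it requires the taskkill target to be the image name of cmd.exe's own parent, which legitimate scripts almost never do.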

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  • Privilege Escalation
    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  • Defense Evasion
    Impair Defenses (T1562): 1
    Disable or Modify System Firewall (T1562.004): 1
    Modify Registry (T1112): 2
  • Discovery
    Network Service Discovery (T1046): 1
    System Information Discovery (T1082): 1
    Remote System Discovery (T1018): 1
  • Impact
    Defacement (T1491): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab5C93.tmp
    Filesize
    68KB
    MD5
    29f65ba8e88c063813cc50a4ea544e93
    SHA1
    05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256
    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512
    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Tar5CA6.tmp
    Filesize
    177KB
    MD5
    435a9ac180383f9fa094131b173a2f7b
    SHA1
    76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256
    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512
    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_18S9_.jpeg
    Filesize
    150KB
    MD5
    0baa1082b928ed95dbc8e3fb2b3d720b
    SHA1
    06bf2b1c2c786eeb6900e4441bcb96de9da7fe0d
    SHA256
    2ce8bfc93884de484e41ccc588ae78ab5fca01657d5f4d3b4ad3691b1116f22f
    SHA512
    49ec0177653991975876407fdf53dcd3893f924b2213641d592cc03d771e2f9403ed317b2b95eb951702902794fa05c3e21e97af23c2595f172874f1ff7bd9cf

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_AQ8PK_.hta
    Filesize
    75KB
    MD5
    c22eb7b712631abf33ff8965fec61361
    SHA1
    f55299e238df2382c93a5d64cba364aa1a47fd2d
    SHA256
    e0d74a8f7731ea8237d62df4dfa7f8a1dadbcb89011e41fff5caf6b9189a4bae
    SHA512
    821e233635240994526e2ec631059515e3fd3b9ae06ef11e93ef316e730fbeb6557a84c11ace684f2d034d5f566dc9a6e0ba14be60b51ad8ebe75739d8b4a270

  • C:\Users\Admin\Desktop\_READ_THI$_FILE_RV7GEK_.txt
    Filesize
    1KB
    MD5
    b9f2772c6320c316d57abed2c15c7380
    SHA1
    60701a73de9e922f0886abcd51fa94118b1bbedf
    SHA256
    941784e12276bba13c41f1ce2671f7b37159d8788de49a1c701a76a57877c889
    SHA512
    f83662437646d38ead23a87795c31d95947109c55c054f063e5675d6ad862b913e6c170dccbfbc1f9442027ba81b0b572cecfc5d91d37a01aea4b9662bf2e8b0

  • memory/1516-6-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize
    280KB

  • memory/1516-0-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize
    280KB

  • memory/1516-63-0x0000000004610000-0x0000000004612000-memory.dmp
    Filesize
    8KB

  • memory/1516-3-0x0000000000280000-0x0000000000281000-memory.dmp
    Filesize
    4KB

  • memory/1516-85-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize
    280KB

  • memory/1516-2-0x00000000001E0000-0x00000000001E1000-memory.dmp
    Filesize
    4KB

  • memory/1516-1-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize
    280KB

  • memory/2944-64-0x0000000000170000-0x0000000000172000-memory.dmp
    Filesize
    8KB