Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-05-2024 02:30

General

  • Target

    779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe

  • Size

    615KB

  • MD5

    779df3e9d22b688c2483a16130d3887c

  • SHA1

    dd83fb41fc7ac424dc27c96f602bbcb352f63d48

  • SHA256

    7901ebd5dd0b9ab60dab39754ae62dcca413b4d3a6a2120af442bab86b3395f8

  • SHA512

    50522b51e0ad216f16745e131fedb861ba01e930dcc06097e9ccabca9fc72765ba980734cadfd2d6fb8015e93d5f875a531bdf12b2c1b87337cf1d54de1be1cb

  • SSDEEP

    12288:ABRpTQKGR7CeMawvztNwKkwuNd23Pn9bzX2vuZiZ7LiA7OK:AVTQz6aWs723Ptb2mZY7e81

Malware Config

Signatures

  • Locky (Lukitus variant)

    Variant of the Locky ransomware seen in the wild since late 2017.

  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1480
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      PID:2788
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Downloads
