Analysis
max time kernel: 145s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 27-05-2024 02:30

Static task: static1
Behavioral task: behavioral1
  Sample: 779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

General
Target: 779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe
Size: 615KB
MD5: 779df3e9d22b688c2483a16130d3887c
SHA1: dd83fb41fc7ac424dc27c96f602bbcb352f63d48
SHA256: 7901ebd5dd0b9ab60dab39754ae62dcca413b4d3a6a2120af442bab86b3395f8
SHA512: 50522b51e0ad216f16745e131fedb861ba01e930dcc06097e9ccabca9fc72765ba980734cadfd2d6fb8015e93d5f875a531bdf12b2c1b87337cf1d54de1be1cb
SSDEEP: 12288:ABRpTQKGR7CeMawvztNwKkwuNd23Pn9bzX2vuZiZ7LiA7OK:AVTQz6aWs723Ptb2mZY7e81
Malware Config
Signatures
- Locky (Lukitus variant)
  Variant of the Locky ransomware seen in the wild since late 2017.
- Deletes itself (1 IoC)
  pid 2788, process cmd.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\lukitus.bmp" (process 779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Control Panel (2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "0" (process 779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\TileWallpaper = "0" (process 779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe)
- Modifies Internet Explorer settings (registry keys created and set by iexplore.exe / IEXPLORE.EXE under \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2620 iexplore.exe; pid 2760 DllHost.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 2620 iexplore.exe (2 hits); pid 1480 IEXPLORE.EXE (2 hits)
- Suspicious use of UnmapMainImage (1 IoC)
  pid 764 779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 764 (779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe) wrote to memory of PID 2620, procid_target 32 (4 hits)
  PID 2620 (iexplore.exe) wrote to memory of PID 1480, procid_target 34 (4 hits)
  PID 764 (779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe) wrote to memory of PID 2788, procid_target 35 (4 hits)
Processes
1. C:\Users\Admin\AppData\Local\Temp\779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe"
   PID: 764
   - Sets desktop wallpaper using registry
   - Modifies Control Panel
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm
      PID: 2620
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
         PID: 1480
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\779df3e9d22b688c2483a16130d3887c_JaffaCakes118.exe"
      PID: 2788
      - Deletes itself
1. C:\Windows\SysWOW64\DllHost.exe
   Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
   PID: 2760
   - Suspicious use of FindShellTrayWindow
MITRE ATT&CK Enterprise v15
Downloads