b6090311151750643b221bf5850ff84e7e070207d8363253073ff950949b7f64

General

Target

8b2ca8a838aa48b3bf2ead558613e2f2_JaffaCakes118.exe
Size

841KB
MD5

8b2ca8a838aa48b3bf2ead558613e2f2
SHA1

da60316b1438ab05cde81c5afe8b50750f044031
SHA256

b6090311151750643b221bf5850ff84e7e070207d8363253073ff950949b7f64
SHA512

6b84c55eca3a83cdd82e5194625046a1d9f0d0ccff2d96693a4d88726e78f58fbab3f99ecfe7f1db5e34bae650055b19003002d2b2743784fb9a5dd47a96a5ad
SSDEEP

6144:9bizlGGu5kl+aJPUiMMSkOF0zQkXKujhwKbmTG9GLRCMzVnvEeg+rIaTXQMzqnh:9biRGGeGJPUtEjz8FLRCiVnvEe/rU

Score

9^/10

collection defense_evasion evasion execution impact persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	explorer.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iwalpnov = "\"C:\\Windows\\itapupiw.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8b2ca8a838aa48b3bf2ead558613e2f2_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipecho.net

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 2468	2148	8b2ca8a838aa48b3bf2ead558613e2f2_JaffaCakes118.exe	28

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\itapupiw.exe	explorer.exe
File created	C:\Windows\itapupiw.exe	explorer.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2532	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2640	vssvc.exe
Token: SeRestorePrivilege	2640	vssvc.exe
Token: SeAuditPrivilege	2640	vssvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2468	2148	8b2ca8a838aa48b3bf2ead558613e2f2_JaffaCakes118.exe	28
PID 2148 wrote to memory of 2468	2148	8b2ca8a838aa48b3bf2ead558613e2f2_JaffaCakes118.exe	28
PID 2148 wrote to memory of 2468	2148	8b2ca8a838aa48b3bf2ead558613e2f2_JaffaCakes118.exe	28
PID 2148 wrote to memory of 2468	2148	8b2ca8a838aa48b3bf2ead558613e2f2_JaffaCakes118.exe	28
PID 2148 wrote to memory of 2468	2148	8b2ca8a838aa48b3bf2ead558613e2f2_JaffaCakes118.exe	28
PID 2468 wrote to memory of 2532	2468	explorer.exe	29
PID 2468 wrote to memory of 2532	2468	explorer.exe	29
PID 2468 wrote to memory of 2532	2468	explorer.exe	29
PID 2468 wrote to memory of 2532	2468	explorer.exe	29

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

C:\Users\Admin\AppData\Local\Temp\8b2ca8a838aa48b3bf2ead558613e2f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b2ca8a838aa48b3bf2ead558613e2f2_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\system32\explorer.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies Internet Explorer Phishing Filter
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:2468
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

2

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\erekakalacosumiz\ytirynuh

Filesize
841KB

MD5
d01aa85c55d605fae3415bc2222989a3

SHA1
3af9196d8e6270afe81162a7d9517612216a6bd0

SHA256
b8ee45f36f3ad8f446b1a4f830baa31a601eda3ac53a021567fcfa01f15c0359

SHA512
ba623911900136ec43626997938d8f14cff37e4b5842ae588889f86339527cb3e0c45ccaa2e7bf97b836db1664eb030def653dafe2b25ad4d4d2c02e4a89d626

Download Submit
memory/2148-0-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2148-2-0x0000000000230000-0x0000000000288000-memory.dmp

Filesize
352KB

Download
memory/2148-8-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2468-4-0x0000000000080000-0x00000000000F2000-memory.dmp

Filesize
456KB

Download
memory/2468-5-0x0000000000080000-0x00000000000F2000-memory.dmp

Filesize
456KB

Download
memory/2468-7-0x0000000000080000-0x00000000000F2000-memory.dmp

Filesize
456KB

Download
memory/2468-13-0x0000000000080000-0x00000000000F2000-memory.dmp

Filesize
456KB

Download
memory/2468-19-0x0000000000080000-0x00000000000F2000-memory.dmp

Filesize
456KB

Download
memory/2468-18-0x0000000000080000-0x00000000000F2000-memory.dmp

Filesize
456KB

Download
memory/2468-20-0x0000000000080000-0x00000000000F2000-memory.dmp

Filesize
456KB

Download
memory/2468-23-0x0000000000080000-0x00000000000F2000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads