Analysis
-
max time kernel
121s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
13-06-2024 05:49
General
-
Target
a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe
-
Size
517KB
-
MD5
a410188cf459e3beb5be623f1dc1ab75
-
SHA1
85615da588fe978d82c6bc06e2b0d7db58a4f913
-
SHA256
509b7eacb051087d49d9357c354532cf1561f065f11d0c2b6bc24f53fb255e2e
-
SHA512
a28a42ce5ecca6b6be0068083c7fba49c76050a0e6dd92b801a0fed281140679cf0b74353c3de2298dcb2e6bf906492d9ded6be080c7c3a81472d3ee0f0e9347
-
SSDEEP
12288:zVRm47ugq9QLXzNWVn4Fkl6BQ2yLhxPtIS4GudgBXllbXtdj:zVzzzjNO4FkUQ2yL7PtIdGudqlb9dj
Malware Config
Signatures
-
Locky (Lukitus variant)
Variant of the Locky ransomware seen in the wild since late 2017.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe"1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe"2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {FF46E258-DBEA-4B51-9AEC-C8633EF41FF1} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ffe58015d3de81728513ca9147b70651
SHA1a3e94beeb96618f21e550907f23fbb84953619e3
SHA256e886c2a2c7f3febcc82edb684fbf41cdd8885e55626185cd3ee2ba582acc0567
SHA512760ba03e68fa02db47291750bcf581dbc5a1ebef3e1d1a856e59f261b37338d3af2df1dca6b0ceec1366316ff92020fbf1c70e54e1af0db354cb406279b1309f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5b1da605ae846b09064d7c3bc36586c1a
SHA1ccbb8fa5f3fdc65d458ab657a0a3e0aa08bfa0aa
SHA256c058e23c555545d3ae14859b2833d279d364d47d7c460222014b1515fca839c6
SHA51259985d93cf03070918b6874b8c6ff0ef9622e0c1b9fcf99f8175432c82fc179a1444865b44a098e76a9b412e877e76648be8b24e47b22c554bc708fec34a83b5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD587fdc3e340a1d5c6a020dfe4155a89dd
SHA11680fe50d1b62a1be3081b98b9260bec4818841f
SHA2567615086b7be5d16f228b5222b2e3c6e27e9ef7b8a69df011a83fefd93701ec69
SHA5122b6ea5435e481db98d20ba810d21d7fd8f14bd7aca85e9ffee87c26ae2ddad09062f863eef82f4fe79ae52cc8bbc7eb961beca9fde4b5fbeddb52a34b45936d0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD501059aa33d63f10d8c7f2a27b2ffcfaa
SHA1d39dd811449ef791d6d1ceca355a292bce6d93ed
SHA25630694396a0cb9e5f1372c47d64d19b07a7643ba309c7e8dfcad6311360541814
SHA5123bd843ce10ef3ff6b43fb2e3df619d708804f1edc42a258bae9ae32c5e5a760113fcad427d4a486098243a749c90dd9fd95abc88c71453d40c6877df870cbc45
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ca74e9bfa052c8b88502df2ce277be08
SHA1e6b848911ff3fd063d030c6218485727a3ca14f7
SHA2567bfcb9805f934cca53c5dfeb41753e51a8030148434bfbd051e2ccc025f1da72
SHA512a4f09a7ef9ccd2bb25396a08d10ac9bbf6dbb1ab81f2d91e2deea64ddf1930e5177b9346b7e17fe0042298bb0ea4e5374b7ddc1e34e74f4b1e4c44d2d1e70590
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ef6c860403378be34daa77b7984b363c
SHA143b0f531a71692d7408b4e0edc8a79d8ba805757
SHA2567c6872c05c2a6a5c82bcf9ef7d24b131048b5b5b431c8b4aca294f1160f4af01
SHA5123524aef3ad33527150b1d233571b7baa3f3a01295452dff8277e4469821787ab3a44da92a7a00bc680b49fe9cfaad95d2ad5ecb550d788452d053099b8cf2e9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5b4ec8168f4feaed72286ae6837100901
SHA1dfdac28cd5a11f200385c717e55a055c6fb70fe6
SHA2560753e84b8f919ddbd7e159f8e6a2855e76ab3b271070fb815766fb63cf39f10f
SHA51204000f47a80110f61324057a2cba3f79c89d98f4e56fa1226b87f953c1203e63e5af540ef850db8e69a2577fa199a33cb6af9d952cfb27306cdca3aab397d8bc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5a2a3e3b3720f1e03fe626cd7dc739523
SHA1ae59b6216cec6c5a10d491e4eb32e280dc85f718
SHA256b296cd6c6a634754a2ba86020660fc54ff80d74af4574a91b80f5f68fc0e67c2
SHA51281cdb2d1be819f615f1c56a70b6322bc0941467d7b768cd25c7200abaf15b8f688d6dea144f08b658473b5cf47d083f2435df233b0dbb56272c2556e480a2053
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD572658ca40e3c52574db30f78dff5b1ab
SHA12cf6a8b1f47191fbe33df3be3a7db58adb3bf034
SHA2569d1284de9619588d5ef2b87e91b45fe42d189c92efc24890f04ecc6771d554c8
SHA512b226ae5bec74ab016de6299991de1a5b9a5e72ed24af942a31b7a2a23ec189e1975a93549eb3d30e08601b5125ae6cb0218bfb4f5fa0fec4bd61eb1b20a6029f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5eb3d1162ec2f241c9744d891fd4472f2
SHA1da9bd6a7771bfc5aef7f3f9c75d7c29ce17cfe05
SHA256f2c97cce3b328000c0ca8f526e850baae5e5134f0ebd1c944a685f0ded85eca2
SHA5128ca0c5150d42fba4ba4bed932cc5c66514216ff70d2bf4ad2eb6c78d3d9367306cd5503d7816190db9d5610a0e3d476843ddc51d427fa88b77fa202568ad1cbb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD596ce9d1bd3649f4b6759b1c8f77da2e9
SHA16e11a7a074a5310ba01016dd49fdef315024b053
SHA2566cfe52485d8de22341eeaeeaccfab11fa8603008753ddca3b1b67c11243079da
SHA512a80066b948fafdb2d88412d2c29af28a7e8241f4f52f37c3feff4f532455a8b334170af3e85f5419bcde1dfccef53bfba54343197a80c92bc5aba39d18fdc9fc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5e15edbeec29e62b16803f42ae4a913a4
SHA111e1b6bd5f85558fe1dd308b712529acab6e60cb
SHA2565bda8fc951ee6419afee188fe7a3e4a72c28c4e9caf6f3f823ce7387a0651d34
SHA512b0948f3d19946f31b3e9d272ad9fc09cfac7f0ca9b9fbd4f747c7ffeae4b1de963d5220abd21a53b12ef163045ba80055e259a7bf5d001e0f345286a36bddf6a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD55ca1fa78c8e29c6e7d5be6e4a9d5e82f
SHA1fd64f85e78c4f03f9558eaf45cf84086a34044a3
SHA25640797f4e79f03a3a63d8bddf44f8e3594530934d32e3e2717c68fab87e4eec5a
SHA512805c796fa4f9dd52245c63a6515d51862e2c3ad0a926de364429f8d03eef210704982a60895b1e0e741a1c6f9c150d4fbd4122e5ccd7a16d3e6a32f4647d6261
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD547fd87ce0cde303a22f586ee777d7c7b
SHA179a25a56ad2152e90e4ff981c638424cb776bc03
SHA256f0ca355462cb7415d1ddad9f09f0da1c5bbef3efbc7c708aaf65b6372f451b84
SHA512c7c0f641968d4e26befe75e30eeb05ea2e46d48d950fcb62e5b72323da87c0c047d0d5f58778167ed9b97fc9a9306bd4512273ee13d0e7cae5f306b6fa35553c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD56e4c8e9cb42a08f6e8badcb5d8ac47c9
SHA1003a195ab37d99226245df9ac290df1908ffb1ed
SHA2560bb9fbeb5adc6ad190bec5eff0c2f15eb4fde7faf586bf702ded0110fdf2fb8d
SHA512b5d9f582fdead73ce623eef9d792bffa2336231ed02df0a91a10b4394eeabdd7f403c2b3da8a21e8affc6c2e191e165fb8539c3d07ef875d2ea3263778f52681
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5cdf30d4d349fb02dfb221add176d2974
SHA1f28d18318d0af4ff68f215582f75002ead13acd6
SHA25665a5f7afcc55143a2a465ae59441b12e43ddf90d6cca51522674bf7f9c254998
SHA51253b697096bbc06093c45450883dc781957113a1dca80b169f118bb42d6a2fccaf39787b2d69d188c4729867f703a60deeb333a2ab7883a602e0ff6adb64692d8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5386a89991e029d66584f2f6edd20da58
SHA10c625da9f160dd3cbcfc993decdd38afc2c27abf
SHA256f946a396e0866948e120817bf1b71e890667dd9d988a2978d0a8d42f66a32b38
SHA512e23d2d45ba4a7b0944625e95271097d061de4321b3b5eb6289a66dafe4b52a2a71a87b78209ee00dbef2d52978b8f88eab3e863e6d8339d26a1152fc6279a456
-
C:\Users\Admin\AppData\Local\Temp\Cab5535.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar5626.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\Desktop\lukitus.bmpFilesize
3.5MB
MD5aeeeea47671fcf1414976a9852e8eb1b
SHA1364ef2e6ac0c7c25f542881631fd545010d1f817
SHA256b07ca7936c962160d8da6025f6a73a0b6eb967f0df61e5e9e4af12d737ad98e2
SHA512e0231b8f5aa6f4ae4066e0bed29906bd1064a75397e1cdc03d3b1d476f6d79e070abf0e7ad479e897b6c5dce1cf0946386a848e7c23f85f4f6b4c1c76a0f8989
-
C:\Users\Default\lukitus-aa29.htmFilesize
8KB
MD56b40691c7a974cf4576e1643f89cd149
SHA1f1f166aba6a7a2c084af9d65d095dbbf94002621
SHA2568177e17de030d7b1823eeed9616828a520248bcc82f21d5825200d13860727f8
SHA5123e20dec0ac059cd5eaa4f38a4e01420f9e831e341af2728d6f1f2073a6a86721e9a51fc461caedff73c5976d6c3ed5f2c19ae1e7e7847c437fd1689e720299a4
-
memory/548-264-0x0000000000170000-0x0000000000172000-memory.dmpFilesize
8KB
-
memory/1132-263-0x0000000001E70000-0x0000000001E72000-memory.dmpFilesize
8KB
