Analysis

  • max time kernel
    123s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    14-06-2024 04:35

General

  • Target

    a804d5b2613145c9aaad7b3b43eea868_JaffaCakes118.exe

  • Size

    590KB

  • MD5

    a804d5b2613145c9aaad7b3b43eea868

  • SHA1

    5bd91a4df91c139019dba734d9be2cab74a38d0b

  • SHA256

    0bb97b1adbcab84e7b9e98d2d5ba7d7f5b204dafdf2458a7e07f279f0a284c2e

  • SHA512

    570e687dc4eb4a66cea6543b80cc57092cdf3cacd86fc8493a6df10f7e2411fe895971bcee8ce87bf46f5b7a438c21d66f0e9a03ac936c780fc16dd7c7922bc6

  • SSDEEP

    12288:TJ6wdOcYExLY0ebcIZ3pxCU5/2jEa95pY0Er4L1wD88P5DmWmeyOp:TJRLe0Mco3pxCU5/2jEafpVe4L1C88xl

Malware Config

Signatures

  • Locky

    Ransomware family first observed in early 2016, with anti-analysis features. The ykcol.htm/ykcol.bmp ransom note on the Desktop and the ykcol-6d62.htm copy dropped in this run identify the Ykcol variant (autumn 2017), named after the .ykcol extension it appends to encrypted files.

  • Deletes shadow copies 3 TTPs

    Ransomware deletes shadow copies and other backups to inhibit system recovery (ATT&CK T1490). In this run the deletion is performed by vssadmin.exe Delete Shadows /Quiet /All (PID 2988), launched under taskeng.exe running as NT AUTHORITY\System.

  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs (raised by iexplore.exe, PIDs 2236 and 2548, while rendering the ransom note, not by the sample itself)
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a804d5b2613145c9aaad7b3b43eea868_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a804d5b2613145c9aaad7b3b43eea868_JaffaCakes118.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ykcol.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2548
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\a804d5b2613145c9aaad7b3b43eea868_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      PID:2936
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2596
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {91901FD0-242B-4DC5-9F8E-36BE77F4F342} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:2988
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2844
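Detection logic over the process tree above, as an added example that is not part of this report or of any Triage tooling: it replays the page's process-creation events (PIDs, image paths and command lines copied from the tree; the event layout, the rule names, and the wmic/resize-shadowstorage and non-IE viewer patterns are assumptions added for generality) through three rules covering the shadow-copy deletion, the self-deletion and the ransom-note display seen in this run.

```python
import re

# Constructed events mirroring this report's process tree. PIDs and command lines
# come from the page; the dict layout is a hypothetical Sysmon-like schema. Parents
# of the four top-level processes are not shown on the page, so ppid is None.
EVENTS = [
    {"pid": 2512, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a804d5b2613145c9aaad7b3b43eea868_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a804d5b2613145c9aaad7b3b43eea868_JaffaCakes118.exe"'},
    {"pid": 2236, "ppid": 2512,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ykcol.htm'},
    {"pid": 2548, "ppid": 2236,
     "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:2'},
    {"pid": 2936, "ppid": 2512,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\a804d5b2613145c9aaad7b3b43eea868_JaffaCakes118.exe"'},
    {"pid": 2596, "ppid": None,
     "image": r"C:\Windows\system32\vssvc.exe", "cmdline": r"C:\Windows\system32\vssvc.exe"},
    {"pid": 2480, "ppid": None,
     "image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": r"taskeng.exe {91901FD0-242B-4DC5-9F8E-36BE77F4F342} S-1-5-18:NT AUTHORITY\System:Service:"},
    {"pid": 2988, "ppid": 2480,
     "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r"C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All"},
    {"pid": 2844, "ppid": None,
     "image": r"C:\Windows\SysWOW64\DllHost.exe",
     "cmdline": r"C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}"},
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)
NOTE_VIEWERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe", "notepad.exe", "mshta.exe"}
NOTE_EXTS = (".htm", ".html", ".txt", ".hta")

def basename(path):
    """Lower-cased file name of a Windows path (DllHost.exe -> dllhost.exe)."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()

def args_after_image(cmdline):
    """Everything after the (possibly quoted) executable token."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1) if m else ""

def shadow_copy_deletion(ev, parent):
    """T1490: vssadmin/wmic commands that destroy or starve shadow copies. The report
    shows only 'vssadmin Delete Shadows'; the other patterns are assumed equivalents."""
    name, cl = basename(ev["image"]), ev["cmdline"]
    if name == "vssadmin.exe":
        return re.search(r"\bdelete\s+shadows\b|\bresize\s+shadowstorage\b", cl, re.I) is not None
    if name == "wmic.exe":
        return re.search(r"\bshadowcopy\b.*\bdelete\b", cl, re.I) is not None
    return False

def self_deletion(ev, parent):
    """cmd.exe whose 'del' target is its own parent's executable (PID 2936 here)."""
    if parent is None or basename(ev["image"]) != "cmd.exe":
        return False
    m = re.search(r'\bdel\b((?:\s+/\w+)*)\s+(?:"([^"]+)"|(\S+))', ev["cmdline"], re.I)
    if not m:
        return False
    target = m.group(2) or m.group(3)
    return target.lower() == parent["image"].lower()

def ransom_note_display(ev, parent):
    """A viewer spawned by an executable in a user-writable directory to open a local
    note-like file (PID 2512 in Temp opening the Desktop ykcol.htm in iexplore.exe)."""
    if parent is None or basename(ev["image"]) not in NOTE_VIEWERS:
        return False
    if not USER_WRITABLE.search(parent["image"]):
        return False
    args = args_after_image(ev["cmdline"]).strip().strip('"')
    return bool(re.match(r"^[a-z]:\\", args, re.I)) and args.lower().endswith(NOTE_EXTS)

RULES = {
    "shadow_copy_deletion": shadow_copy_deletion,
    "self_deletion": self_deletion,
    "ransom_note_display": ransom_note_display,
}

def detect(events):
    """Run every rule over every event; return sorted (rule, pid) hits."""
    by_pid = {e["pid"]: e for e in events}
    hits = [(rule, ev["pid"]) for ev in events
            for rule, fn in RULES.items() if fn(ev, by_pid.get(ev["ppid"]))]
    return sorted(hits)

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:22} PID {pid}")
```

Run stand-alone it reports the three hits (PIDs 2236, 2936 and 2988); feeding it real Sysmon Event ID 1 or EDR process-start data needs only a mapping of those fields onto pid/ppid/image/cmdline. The self-deletion rule keys on the parent's image path rather than on "del /Q /F" alone, which keeps ordinary cleanup batch files quiet, and the note-display rule requires the spawning executable to live under a user-writable path, so IE's own child process (PID 2548) does not fire it.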

Network

MITRE ATT&CK Enterprise v15


Downloads

The CryptnetUrlCache entries below are CryptoAPI's cache for certificate data fetched over the network (root-store updates, CRLs); the same MetaData path recurs with different hashes because the cache file was rewritten repeatedly during the run. Together with the Cab*.tmp and Tar*.tmp files in Temp, which are commonly the extracted certificate-update download, they are ordinary Windows background activity in the sandbox rather than files the sample drops. The sample's own artefacts are ykcol.bmp (the wallpaper), ykcol.htm on the Desktop (the note opened in iexplore.exe) and the ykcol-6d62.htm copy under C:\Users\Default.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9578e85a20e0cb391fab75199d354b2c

    SHA1

    5cb40f1d8694be9160efc53025fd9355fd3b45a2

    SHA256

    18bb8893771b1e2de0a64fcb223636e13fc623a99867adfb471abf915e75b997

    SHA512

    fd589154d55b7087085392e4630c402ef054acea28c69d1e6bf4958d88a41ad886bfcb32670eac378d414dc4e811d36420ce4c2326bc0838776a9be666269833

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    40e3a776f65428cdf7f8dbc804bee354

    SHA1

    e219188a5346878f8dc22dfa12a4fd0d390064fe

    SHA256

    def205a56146f64774447626b0bb9eb1283ca6777bbc2ae333278a84167b5bf6

    SHA512

    c83205d2a5f2fbfc049776ad835058312f14dcd39e41d194bd1c2febd7d5622ed43f075c6c2daaa82caafccb2d360fcc259036f97bb61ea433520f9c0ecad42d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    63880f20410a6bc34a3667a1f1f15caa

    SHA1

    f0ad517696aeeb56b6637e872a3942d4fafe2b32

    SHA256

    d02cd4823c8967821de1f7a305b8fb52e0b0c172e1ff4f9a91c6dd295e56512a

    SHA512

    63e9c295655fa46d8778b29dafb0c7915b5b89115cd6a1b5bb3ac1164ad4ade305aab384eb3f398ff9920b3e41280fc8f158273eb3c761b10a9d6d3c8963194d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    226e21b1f841ecf6e869608bfe076488

    SHA1

    fb9940ff5cec568748040dd8a4aa246086bfa741

    SHA256

    ebea028d4e4bfc2f2902bc563d5b9d18f5eb3a39a75f21a8a5f4abad5fe2025d

    SHA512

    e5ba677bbd29b1e8c242d834eb04bcc82533098ee1d8e8b1b91cc8bb55b2b0a5dfd362cbf5733bc10257910665589f7fea0c04116e19bd0b53990fbc3000120e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    392f833438757d7de11e6cbcab4e15c8

    SHA1

    375d922bacbdebe310cc155d9b606f068672c651

    SHA256

    3ccb53e909e7ceecb7eb315d2b29fbfc895c255379672b3a2c70769b73fcc645

    SHA512

    87bf1dae070803d9744ec902417912adb2ef6b096e788290f82dd790475a93a0ab381eef9e9fe77b1834fdbf96166ca53a6485fcf1fd3c7ca154c45ab9c376dd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    70c7ffeb292573ba5019ef5b27b440b7

    SHA1

    dbff781cdf6d52eb6f4142732373a4e3ca4713a2

    SHA256

    8c3696908abcad1c6d33437d771857086cd6c87a80940bcd6c7ea02eea4b924c

    SHA512

    43e71110dc7d7b94be68ce0f6754fbde4d98a73c9ff06f12202fbd0be8dcc7917d8349353314d7b90a3880795ba8c945e5edd7b4d5318bb77c992dab5b30d732

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    62aa99e6af4311efbfdd3c9c444361fb

    SHA1

    df1cad63b1eca9a85dee7c8355797852e41c8a27

    SHA256

    4157a10e7a054f1e75b4319742b8c01e16ae7f70a8cd7766edd3d6a1e37e5c1c

    SHA512

    4e3f3e9f5b36d413456aeacd8742a840fbc77c8f1e92b72a6aa19ce0e23bc4826f6449dc1ce8b227df2896c387e6f0082fcd2c3445ac8f9d8225ead7ef5fde09

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fba46e94f6dbdf0241657777dcb2a073

    SHA1

    d8e4b280a4bd49649b96bafdacbfc8040fd10647

    SHA256

    cbec8ae6c840ee229970fed0191e2840ad314a4558047e1704155557211b34b8

    SHA512

    87700ecefee73e8312088a43edae2b0928ce89b4195d250c3400c143985c84c1c84d309899f2a58cce6b46c64712c4d1c519c576229d0587a34ce79f48c99a0f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9d5a1d476b9dc9ac291cbaf8bd673305

    SHA1

    b603385c88985180f0b9da14449662276ba7624d

    SHA256

    dcd76007ed7b0f2600734ee1593888e3ed306c68e3f4686247f52f463892356d

    SHA512

    7bf15ddcbbcaf7fe9d81de89aa5a5dc95b8f50515e8e43d946b98190c96caf494d0753aa3ec8dc739dd8a3e17606cfb4d313380fe3af1ffbf4d18ac55815d84e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d1d8ebaff24d91970e46ec6d4936c129

    SHA1

    b19641a0c7717d7b04be945e929b8711edcb606a

    SHA256

    90abdc907710457259b2245fac7e815ea4ce9db60834d2bf4acc94fc82d51148

    SHA512

    1ce61f31d0a8e020a7d3f2bbff94c8f1c34ddb37839437f11177488ad9f9330356eae0067334a1d036ca66b4de0fbe45f8446f6de34a452b5349af21488b50b1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    40aae20136d309b4f80f7c937f81716c

    SHA1

    27583e74aad65996a650558d186159b591fcfcf0

    SHA256

    844a673c6eedc573831aad29267cba7adc88c46451636a1b931e6b77078d02a0

    SHA512

    664ed5172528eda14797c7fbd5cc2d015ad642eb640dcd83ec9b3966a7643f537355cd442d42807c2b5dba7d491e1ca5d4c147b0d9c8c3dcf8e34d68cf1ad9c5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d87ca2917d5f5df777653a8c189d3449

    SHA1

    e12eaea4526884b284092e82c58319962d2f491f

    SHA256

    df9ac6144107ce6d76207aecadf60d15e10009093a3a86e526e260030b211e9d

    SHA512

    a83621389a8c4de0beae9db3a093d4da40a1049b3fc0c0ad772f913fe589108360f37a89fdf33555ee5428f2b2b3731fed3bc1342587fda162464b59e5e62551

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    705439694b28b40f719fae77be5ec731

    SHA1

    84eddb234c2f7f6c312abaa2d85dd3d98d575e3a

    SHA256

    a3ad7d943f3612a6d0def4d81442f3833d5f16e843a5da204d2dfd2e1bbed96c

    SHA512

    c955c0976128cae2408b5a6d914a8e7b29061b034ee0ed80174aa2e20cae91af80e6018e4976124f1a02c359fb6f34b5ad75bff2ff7c08bdb9250b5635b2455b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a40d2b2efb5316ed53b147f5c989a902

    SHA1

    251c5e1ef252a149d58f4d8020904e833e8ea3ff

    SHA256

    6d778eb71bf7816bb0a999a953d21552c5544c05943e82a27e33f94e9987fd48

    SHA512

    cb81ad2d395958b1236dbc43029eccd21b576df1ce00b178ef032a1de89647cc3a74a00e2023078bafacb5a48b7ef88f22f761451eeb2e5e43ed08fa54bd9a0f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f86255663d397f003e8f1af1c2701aa8

    SHA1

    4a7df96c02d43906cffcce23c8ea59bc2efceee9

    SHA256

    7066e46862d885e521343055fd621f5636efb5c61d9c73ccb46c6bcb743b12e2

    SHA512

    513578dc780d7ff415b35c7b77c9ce4ca08fb44745435fd4f0a19c3da519d1c0fd7de8eecf74d29bf12e7979a81001bdfa673f49fb79e68ab2f1643fa097afa6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1a21165651f025627780e9db08ec102a

    SHA1

    fae6b9cac5d734705784b447a9f9cd3834507c4f

    SHA256

    c7ced9c5a0b4a4e4fabf7c432391000afb12536218bc76d985f7e7007d5bc919

    SHA512

    5f665ebc88e9611713a79f51608e9d13b7be8a49dbe4ed5f8cdf1ab5203ab26cda68e49ec9c0b801bb763401ef88c949350a7ce53e2938ee58353b42d484cf25

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5a68d4f7fb4c3d4144d36c7646a5f7a8

    SHA1

    55b5aeb814907525c61fce346febe844a035b0b6

    SHA256

    51b466896c57a51755e1c4144487a0d8b8f65934755a80c6219a28f9bbbb3486

    SHA512

    fe13dcc0239987a29f608d589e924fd6a278471ad78735fb264b63221edc63d74a65eb875616fd16b46e0dee34c13620a03547b7b069d4605babbc9839011bbc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c045ad9a56c70f8671995932df689cda

    SHA1

    45699e49c679dc670fdc39a1da4cc6bb8f656731

    SHA256

    4e60ce8c290b38be25b53303a6c36ae178b3c219ecbb85066bb3498938f25a75

    SHA512

    8ae180b94bbbd6dbb52551b3cb03875209b59145333a2b466a519c3b54a6db0e4c8f51599609742108bd48eb7c7ce77fd7122ebfad09dfa74e56e41da9d335cb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    30bc669981c418964aa21ba4d3ee0b1c

    SHA1

    274cc4561821dd94ba0d42979585de2de51d0999

    SHA256

    59351620c096d1a781f5364d1d4d3d3491dda06e625598ea3abadf27104445b0

    SHA512

    6088058a1bff454ab860eaa21c97d365284b0c25cd88840539b5dbba552998a2655121de55ca27ea2d35fe25ab0a18f032e135d99de8befa476ae0444fc2e0a5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    17e216b3ec77b2afb4122e746f5eafb3

    SHA1

    e9e4a07275e05949e90c9f9a4bf3b48961af8218

    SHA256

    e3cec4b7d4304bfd37e47ab9f95c10dadbb283338872471471074d338eb6fb40

    SHA512

    68744b11139224cc2356d246f9cbecf20bbd870adfb2c8b6c83a44c443f10f20e68553443cc3f67e558f05d943c7b1d779063fb80f6a3b9f30f77df60aed7b96

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ee8b44128af0c8281e5082ef20d36907

    SHA1

    d40bb408294a640c369bef39f9c37f743fd0f641

    SHA256

    1fa916db2a5ee067cbac6797d8699e09fe86a0c4095bb9506ff2437276c7bb6b

    SHA512

    44627cb011dae26d66a554ad90ec5454cfdb8d2cd8f7401a561add05eab09b475fe825706b5ea6fc7e122bd243961bb3a5f528e58ac6c68eb960a6c9e9002cd0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0d459b9f0de1d4432aa5a3a52d7b0994

    SHA1

    37fcc5b7f41fea83122c87a6a6d76793a97fe1d5

    SHA256

    6c1784389d33cbba2e4a646909fd76c8a47c843d7e36058d527d0ee4f7babdc0

    SHA512

    9faa035be6ea7d9a45d7a81bdf6dad6507d422dc7c79e9d4007beb83d770a1857c11b15391980f04eb82e8acea2d77fef2b4c8d2ad23d51a2e683407ffc95edc

  • C:\Users\Admin\AppData\Local\Temp\CabCC0.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\TarDA2.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\Desktop\ykcol.bmp

    Filesize

    3.8MB

    MD5

    dc67c81f714003f754de438937bc7d94

    SHA1

    ff5c39f181ba19567b0a8d2ec11feacaac75e08b

    SHA256

    b65432fd8e9950a1d0a7b88c7a1f91afa5e933de97914745b8ca74c6bcebd6d0

    SHA512

    f79dccc4bfc45ca25d4235630971fb6dab23ecab8a8779080df6d9226590696989e3cac27bf7b58576ba005998fbb6ba82d481e2c6337f8da00cc10b2a6c7e2b

  • C:\Users\Default\ykcol-6d62.htm

    Filesize

    9KB

    MD5

    bedfb5f5c458b6d90b48e73817aba683

    SHA1

    0888c6808904572df85ba57c68f5f3f8c8be7bf2

    SHA256

    ad02ef46d11d97b4e2c3001ad72303279c5d3bbda5b6be021f12a79bfc0015da

    SHA512

    dd760247933b576906c86b639a5b055e0f207c7e9e5ca9b9c71a9547c8ce5ac28a07e5f323be44ed94a8d2d030f81f5dd78923029f3d5d9368c10bffea8d38c4

  • memory/2512-4-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2512-1-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2512-151-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2512-274-0x0000000002990000-0x0000000002992000-memory.dmp

    Filesize

    8KB

  • memory/2512-276-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2512-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2512-3-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2512-2-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/2844-275-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB