locky | 613948eba26190b11250c6ce115f1c99712f79d5234269354a32d6052a873fbf

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe
Size

640KB
MD5

a876e3afe76dec729de810f4110f9877
SHA1

d465504e258440f3c13d9b691bd9f761ef73006c
SHA256

613948eba26190b11250c6ce115f1c99712f79d5234269354a32d6052a873fbf
SHA512

e20417af913c2f3d4fdb0b8a01ca4086ce8f8232f5ab0890a77cd40519b15dc56e102d3a64cd48195fd6b85a7346c5235864dd753291d0449206dc433e8b116f
SSDEEP

12288:53c3zZfZfZfZfZfZfZmZ2XsHUKwbNWuTncBxPMRS8SUC9H4jlNEz9vBiptAE43/A:2jZfZfZfZfZfZfZmZ2XsHUK8ni0U8SUD

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

776 cmd.exe

pid	process
776	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\ykcol.bmp"	a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallpaperStyle = "0"	a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\TileWallpaper = "0"	a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8926C3E1-2A1D-11EF-9680-DA96D1126947} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2300 iexplore.exe
1476 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2300 iexplore.exe
2300 iexplore.exe
2564 IEXPLORE.EXE
2564 IEXPLORE.EXE

pid	process
2300	iexplore.exe
1476	DllHost.exe

pid	process
2300	iexplore.exe
2300	iexplore.exe
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a876e3afe76dec729de810f4110f9877_JaffaCakes118.exeiexplore.exe

description	pid	process	target process
PID 2836 wrote to memory of 2300	2836	a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe	iexplore.exe
PID 2836 wrote to memory of 2300	2836	a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe	iexplore.exe
PID 2836 wrote to memory of 2300	2836	a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe	iexplore.exe
PID 2836 wrote to memory of 2300	2836	a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe	iexplore.exe
PID 2300 wrote to memory of 2564	2300	iexplore.exe	IEXPLORE.EXE
PID 2300 wrote to memory of 2564	2300	iexplore.exe	IEXPLORE.EXE
PID 2300 wrote to memory of 2564	2300	iexplore.exe	IEXPLORE.EXE
PID 2300 wrote to memory of 2564	2300	iexplore.exe	IEXPLORE.EXE
PID 2836 wrote to memory of 776	2836	a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe	cmd.exe
PID 2836 wrote to memory of 776	2836	a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe	cmd.exe
PID 2836 wrote to memory of 776	2836	a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe	cmd.exe
PID 2836 wrote to memory of 776	2836	a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ykcol.htm
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\a876e3afe76dec729de810f4110f9877_JaffaCakes118.exe"
2⤵
- Deletes itself
PID:776

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
436907622804a7d0a14f8877e327f923

SHA1
35fe23531ebc86b63cde0d9fe3db5714cf3a6175

SHA256
b1b2230a06637ed99e3155f3524d36b61da3fd2e0a2a58fbb326e711d59d8da7

SHA512
efa0f9e507083a69d8ac618cd4d9a66aace9128f387383b7165d24481b70582c1fa4906f15ab50a0286ebcb535276fe46123a55b507083021b75c5e6280ea1cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c59049d16949c1e656295d717a0077b9

SHA1
37e6caee21959061e56530e4325eaa10d83e41d3

SHA256
81b19ea5094446d34e2825400dbf4021c270a3739ffac3a88e175bd18c648c90

SHA512
aeb3efaa395aa15748624e9d16c790a6b298ba9170fb0d4f568d15b2438b0720119027beb74a458310aec1444f77a0e52c89d7d8bf75423ac75aeb6ea07bbcd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0555236b19cceab029d9fe465df8dd55

SHA1
ca900e690728b85e0b78ae29df58247269e472ab

SHA256
4debf4b88b7d770fcad0542c85e0e5b70c57243394506fa821c023cca9f8afe3

SHA512
4a10f0a20ab25f58b7dc22e2bad2289e7e76e54b5df0f77604f9e7f0843ed671696bcd642f117aa8cdf05dddef5a5b9fa1fad8353642f7be294457be190318c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
aa7831d17ff3e1c5d1a35665e22de885

SHA1
b1c2de6aa33507936f5acd59ae8fcf7542227124

SHA256
14a59c2481b563088be26d5521ca17e2fc4ebbc887f94b4b78d1246cdf114e0d

SHA512
82027965e174909491283ce79e8781c9f8797bb4718ec41baca11cb44e41c8ee1e4058a3adfa3e21d7de30b1888e87f50ca066c00dd65b694ffe2aa7500bf78d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a8c0dfd3188bea1b481b144312a061d5

SHA1
e6a5eaa19da69ed2fdc24c8d56f7305d43bc6aac

SHA256
d5d5f50831b096bb1506c73cc1eb84d709612d1ccbe10c6233b7d6338c21539f

SHA512
6acc98f7c9c993d34f9d6fbf14384bd8d0247f548bc5b6b7dd1ddcecfa0a142b7fdfa21d7f90d5755c6a57dd552dfc197350607ca74341b30e523e51082a8ce3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7c0830cad9d01fe68d571e7115155b9b

SHA1
3507a2c9f92106342d80782666a9621d55c6ba1e

SHA256
60038bc10a674e3eb1e45799caec1b05c5e90bb0dfc9604e4ecc5dc7a516d282

SHA512
b2626f5c609f2aaa63b51c8d4781b7022c406fd5afd25dc44c1aca06087dbab7ad02def9f06d7b4c1b6d8d32eeb59b9abcdef68244d8ee750040ec932c2ee3c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3f01fef41ab1d10b4dcec46e04713b7b

SHA1
70c3ce112b14352a1b18ca90c00703f86e7dd848

SHA256
6d71cee36817361f69b1727bffac90f0e26b9c1d3ceaa568edfa8ed1bfec4e7a

SHA512
e2e86d14c487629080de57ffc99aa4879e487cc929ff3573d356616c08877f140e804a12eed8c84ce5dbf6fdee6492be60ad4193987faee2d9f3dc8a57f83544

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1475bd260fe35f07cbae279619dfc5be

SHA1
e4f98de7b101f8c2f0781554d460081f82ffb2c0

SHA256
b341de958e85cd93aed6daffd238739db914b84d45597d1f9c59bd0f913d8b8d

SHA512
d2d74a885f235678436450d4d8aad7ff511037c06926bb1207ec8a34c9e99fd6a68ed83483d428c8726662eb30a4940259c50f160c0cfe32cc256498350a25dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f8fe5adff46ded43fd60b4f8aa529602

SHA1
95b888ee43a80d00239d2f9a927e0d156a381dea

SHA256
0c588d12e41f6cc7153d64738714537d36b761c3935cd5fe41d94c2586b319ea

SHA512
c491bdfa683dd9802c798cc13ebdab977be03faeade1fedc1164c4616dfe6a0b6636ee14bb0d1f980a23e945499fff0322cde7f94ec60e7f54beaa54971424ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab65D8.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6707.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\ykcol.bmp
Filesize
3.4MB

MD5
5a5b31dc0c36130ab32cba55e3ba065f

SHA1
6c97c4e291b14aa074459f135fa96b57e352f3ec

SHA256
8459eb83ac37235a696194697e24d515f3ecfd5a1c28331aeaf024bf287b4514

SHA512
0239218bf43dcfc70d9b77f3bb865ce470aa9cfcfc6708bb518ddab6b800385d3d3c515e74845ce7d25613e880393b4b63cb0999de5677b852bb5e90bb72b755

Download Submit
C:\Users\Default\ykcol-91e1.htm
Filesize
8KB

MD5
0ecaea8aa6432f8e31552c94e260b2f8

SHA1
f1f6f792f31254ac8ee807eba41176d42d8bb132

SHA256
89a0b48f9dd35e7eb2a9d039c5da28267130592e9431f3385566b6e4199096c6

SHA512
6ba8500d63b7e8ed5713dd9cbc713ec5dd8ed8c77b012ffc41b93762fb4db392bf47b92b7f9806ac22bf508f660b98a47740ea0b90f4c795544672e22cd16067

Download Submit
memory/1476-308-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1476-311-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2836-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2836-312-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2836-307-0x00000000027D0000-0x00000000027D2000-memory.dmp

Filesize
8KB

Download
memory/2836-253-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2836-12-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2836-1-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2836-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2836-6-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2836-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2836-2-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2836-0-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download