teslacrypt | d4c33fa5c8029230ac4dcb181ea1899855e6cb3e22d33ceb0b361d014ff98dd5

General

Target

a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
Size

340KB
MD5

a88a800bcbb2085db77ee1e6169330ef
SHA1

45737b9bbd250a604f2bc066e4f811cecbf29cfd
SHA256

d4c33fa5c8029230ac4dcb181ea1899855e6cb3e22d33ceb0b361d014ff98dd5
SHA512

cf5bea6231187f5de20e6834799f122a19467d5959b266066599e4e5a9b4641ed8602bc41bca6658cd2f478eaeffa33cff4acfdc6bbf744df387447efb70df75
SSDEEP

6144:V/f8fPWz3Tz5denLftACItq4JZzlZ4VnJVF+NVttoxeM4cbtn:V/fCK3TiftYNlkZ8rKeM

Score

10^/10

teslacrypt defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\PerfLogs\_RECOVERY_+whygj.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with AES More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES How did this happen ? !!! Specially for your PC was generated personal AES KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E6E3CFB1B620C85B 2. http://tes543berda73i48fsdfsd.keratadze.at/E6E3CFB1B620C85B 3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E6E3CFB1B620C85B If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/E6E3CFB1B620C85B 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E6E3CFB1B620C85B http://tes543berda73i48fsdfsd.keratadze.at/E6E3CFB1B620C85B http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E6E3CFB1B620C85B *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E6E3CFB1B620C85B

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E6E3CFB1B620C85B

http://tes543berda73i48fsdfsd.keratadze.at/E6E3CFB1B620C85B

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E6E3CFB1B620C85B

http://xlowfznrg4wf7dli.ONION/E6E3CFB1B620C85B

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (571) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exeydmnqirukjdg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ydmnqirukjdg.exe

Executes dropped EXE 2 IoCs

Processes:

ydmnqirukjdg.exeydmnqirukjdg.exe

pid process

4920 ydmnqirukjdg.exe
520 ydmnqirukjdg.exe

pid	process
4920	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ydmnqirukjdg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csisxynghsnk = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ydmnqirukjdg.exe\""	ydmnqirukjdg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exeydmnqirukjdg.exe

description	pid	process	target process
PID 2104 set thread context of 2964	2104	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
PID 4920 set thread context of 520	4920	ydmnqirukjdg.exe	ydmnqirukjdg.exe

Drops file in Program Files directory 64 IoCs

Processes:

ydmnqirukjdg.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_RECOVERY_+whygj.html	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-40_altform-unplated_contrast-white.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\View3d\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-400.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\_RECOVERY_+whygj.html	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_RECOVERY_+whygj.html	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_altform-lightunplated.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\_RECOVERY_+whygj.html	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Windows Media Player\Icons\_RECOVERY_+whygj.html	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_altform-lightunplated.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\_RECOVERY_+whygj.html	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\_RECOVERY_+whygj.html	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileLargeSquare.scale-100.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\call_failure_post_purchase.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\ERRORREP\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+whygj.html	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100_contrast-white.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Windows Security\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\View3d\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\vi-VN\View3d\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-standard\_RECOVERY_+whygj.html	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-200_contrast-white.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-200_contrast-black.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-150_contrast-white.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteLargeTile.scale-100.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24_altform-unplated.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\_RECOVERY_+whygj.html	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-16_altform-unplated_contrast-white.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-125.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-125.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32_altform-unplated.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-125_contrast-black.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-200.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\_RECOVERY_+whygj.txt	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\_RECOVERY_+whygj.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-125.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-unplated.png	ydmnqirukjdg.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreWideTile.scale-200.png	ydmnqirukjdg.exe

Drops file in Windows directory 2 IoCs

Processes:

a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\ydmnqirukjdg.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
File created	C:\Windows\ydmnqirukjdg.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ydmnqirukjdg.exe

pid	process
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe
520	ydmnqirukjdg.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exeydmnqirukjdg.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2964	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
Token: SeDebugPrivilege	520	ydmnqirukjdg.exe
Token: SeIncreaseQuotaPrivilege	4356	WMIC.exe
Token: SeSecurityPrivilege	4356	WMIC.exe
Token: SeTakeOwnershipPrivilege	4356	WMIC.exe
Token: SeLoadDriverPrivilege	4356	WMIC.exe
Token: SeSystemProfilePrivilege	4356	WMIC.exe
Token: SeSystemtimePrivilege	4356	WMIC.exe
Token: SeProfSingleProcessPrivilege	4356	WMIC.exe
Token: SeIncBasePriorityPrivilege	4356	WMIC.exe
Token: SeCreatePagefilePrivilege	4356	WMIC.exe
Token: SeBackupPrivilege	4356	WMIC.exe
Token: SeRestorePrivilege	4356	WMIC.exe
Token: SeShutdownPrivilege	4356	WMIC.exe
Token: SeDebugPrivilege	4356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4356	WMIC.exe
Token: SeRemoteShutdownPrivilege	4356	WMIC.exe
Token: SeUndockPrivilege	4356	WMIC.exe
Token: SeManageVolumePrivilege	4356	WMIC.exe
Token: 33	4356	WMIC.exe
Token: 34	4356	WMIC.exe
Token: 35	4356	WMIC.exe
Token: 36	4356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4356	WMIC.exe
Token: SeSecurityPrivilege	4356	WMIC.exe
Token: SeTakeOwnershipPrivilege	4356	WMIC.exe
Token: SeLoadDriverPrivilege	4356	WMIC.exe
Token: SeSystemProfilePrivilege	4356	WMIC.exe
Token: SeSystemtimePrivilege	4356	WMIC.exe
Token: SeProfSingleProcessPrivilege	4356	WMIC.exe
Token: SeIncBasePriorityPrivilege	4356	WMIC.exe
Token: SeCreatePagefilePrivilege	4356	WMIC.exe
Token: SeBackupPrivilege	4356	WMIC.exe
Token: SeRestorePrivilege	4356	WMIC.exe
Token: SeShutdownPrivilege	4356	WMIC.exe
Token: SeDebugPrivilege	4356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4356	WMIC.exe
Token: SeRemoteShutdownPrivilege	4356	WMIC.exe
Token: SeUndockPrivilege	4356	WMIC.exe
Token: SeManageVolumePrivilege	4356	WMIC.exe
Token: 33	4356	WMIC.exe
Token: 34	4356	WMIC.exe
Token: 35	4356	WMIC.exe
Token: 36	4356	WMIC.exe
Token: SeBackupPrivilege	1080	vssvc.exe
Token: SeRestorePrivilege	1080	vssvc.exe
Token: SeAuditPrivilege	1080	vssvc.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exea88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exeydmnqirukjdg.exeydmnqirukjdg.exe

description	pid	process	target process
PID 2104 wrote to memory of 2964	2104	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
PID 2104 wrote to memory of 2964	2104	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
PID 2104 wrote to memory of 2964	2104	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
PID 2104 wrote to memory of 2964	2104	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
PID 2104 wrote to memory of 2964	2104	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
PID 2104 wrote to memory of 2964	2104	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
PID 2104 wrote to memory of 2964	2104	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
PID 2104 wrote to memory of 2964	2104	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
PID 2104 wrote to memory of 2964	2104	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
PID 2964 wrote to memory of 4920	2964	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	ydmnqirukjdg.exe
PID 2964 wrote to memory of 4920	2964	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	ydmnqirukjdg.exe
PID 2964 wrote to memory of 4920	2964	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	ydmnqirukjdg.exe
PID 2964 wrote to memory of 1920	2964	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	cmd.exe
PID 2964 wrote to memory of 1920	2964	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	cmd.exe
PID 2964 wrote to memory of 1920	2964	a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe	cmd.exe
PID 4920 wrote to memory of 520	4920	ydmnqirukjdg.exe	ydmnqirukjdg.exe
PID 4920 wrote to memory of 520	4920	ydmnqirukjdg.exe	ydmnqirukjdg.exe
PID 4920 wrote to memory of 520	4920	ydmnqirukjdg.exe	ydmnqirukjdg.exe
PID 4920 wrote to memory of 520	4920	ydmnqirukjdg.exe	ydmnqirukjdg.exe
PID 4920 wrote to memory of 520	4920	ydmnqirukjdg.exe	ydmnqirukjdg.exe
PID 4920 wrote to memory of 520	4920	ydmnqirukjdg.exe	ydmnqirukjdg.exe
PID 4920 wrote to memory of 520	4920	ydmnqirukjdg.exe	ydmnqirukjdg.exe
PID 4920 wrote to memory of 520	4920	ydmnqirukjdg.exe	ydmnqirukjdg.exe
PID 4920 wrote to memory of 520	4920	ydmnqirukjdg.exe	ydmnqirukjdg.exe
PID 520 wrote to memory of 4356	520	ydmnqirukjdg.exe	WMIC.exe
PID 520 wrote to memory of 4356	520	ydmnqirukjdg.exe	WMIC.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ydmnqirukjdg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ydmnqirukjdg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ydmnqirukjdg.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a88a800bcbb2085db77ee1e6169330ef_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\ydmnqirukjdg.exe
    C:\Windows\ydmnqirukjdg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\ydmnqirukjdg.exe
      C:\Windows\ydmnqirukjdg.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:520
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A88A80~1.EXE
    3⤵
    PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:4960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\_RECOVERY_+whygj.html

Filesize
11KB

MD5
31e24d1ea5611ad36d75268e4878ced2

SHA1
9053ce35ee59d2c4fdba15dfb6c1a294d47db6f5

SHA256
da93c368a8d07333a2153aa0869df0a7e2413003e7fb92035ac60dbca63f857a

SHA512
f30f37f2236436d7abb15579416a489a73e33e37034f25b5ccc19c177ec279d488ead6ff674f6d1022c83adf11ebc9318a06538fe596abebe35e6e244aafd327

Download Submit
C:\PerfLogs\_RECOVERY_+whygj.png

Filesize
62KB

MD5
2dd1e245b5f2f3ed5dc3f8e909178c37

SHA1
4bf2a726318da5370c08c5403ca1c51075137f32

SHA256
20e910023aaa76c397aaa7b74af46d275a985966b811a07c8d5e6913aa9d04ee

SHA512
8c451bbd6cd780a890346f19e619a70358430c0e5c56796a3d6d177c6e7b015601f0706a2a5541473512fecef5a668a709ba4c02b442802c11a448193cd260a9

Download Submit
C:\PerfLogs\_RECOVERY_+whygj.txt

Filesize
1KB

MD5
a559a488525dd5be3d86de1b1f26e84a

SHA1
8c28cad0365918c511cb0e9c41f523fb4b919456

SHA256
990575f12f57a40266e450a7ef6a979355d0730fae5879440c24e4cf480daa46

SHA512
47425364d8184dd6a4a7d98788d27879502faf38abe9fb3dab4eb82911340e3d9cda8c1ee083f253e07d751be7c07f9e3b41c6737a157049a868880581371723

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
560197459352a11723e789d75684f22a

SHA1
77a8c927e5e1c4001b5c420eeae7a03040e23e40

SHA256
03dbb87df8a7b63ca850c4e3ec5a65ce2cff17fab01eb66aa6c9eb2021919bcd

SHA512
3b7e2f721bf27981be679c9f5a5441f9fa680555824ad5d8d21e72d190d6a0422ac71637b4c9e1a63b7c4837508406b4662f102dba96eb0c0ead47c03a9b197f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
73faf2decf0059051155118fdc12cd25

SHA1
1a7e3d0b9441f59add78da88a2f82376f9ac9ceb

SHA256
32a95940ae36a58b07155a7cc3ccff445aff0061848d7ea447dc24fe68952cd6

SHA512
4c2d6ce10a0a51c0c9eb00ef96ee7d7a0a6f3185d3eacd6aa4034069317669b13c162d7465750fafa94d82ebef0c8922ae80f8c19e2486aa9e3a8f0e5175ee02

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
7f2f523448207f3cff2cdfefa3d21845

SHA1
0f58bc728183c8e348a77f5f48dfa8b63ab98219

SHA256
1ad610f68e226758b2fd6db1fd40f108cf6e42f2f22511bb6f23a02659b4dfa3

SHA512
27330a69edad9f5a265d9e836d2c2861510ae411f23cd6ddb622612937d34bbb28b4c53d7d7ada2b0303144435f6c773c89b64f4496c6e2af7dfe30dbc1488c5

Download Submit
C:\Windows\ydmnqirukjdg.exe

Filesize
340KB

MD5
a88a800bcbb2085db77ee1e6169330ef

SHA1
45737b9bbd250a604f2bc066e4f811cecbf29cfd

SHA256
d4c33fa5c8029230ac4dcb181ea1899855e6cb3e22d33ceb0b361d014ff98dd5

SHA512
cf5bea6231187f5de20e6834799f122a19467d5959b266066599e4e5a9b4641ed8602bc41bca6658cd2f478eaeffa33cff4acfdc6bbf744df387447efb70df75

Download Submit
memory/520-24-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-592-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-17-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-19-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-20-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-3585-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-3068-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-2281-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-1444-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-1101-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-768-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/520-819-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2104-3-0x0000000000C10000-0x0000000000C13000-memory.dmp

Filesize
12KB

Download
memory/2104-0-0x0000000000C10000-0x0000000000C13000-memory.dmp

Filesize
12KB

Download
memory/2964-2-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-1-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-14-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-4-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2964-5-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4920-11-0x0000000000400000-0x00000000005B4000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads