d989d682abae81162d7fe9ee3e9360fc3e4d2c8cb02eff69c385e0d7c3a26b95

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 14:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa35e4b57c1cffa400252d7c0ed86489_JaffaCakes118.exe
Size

96KB
MD5

aa35e4b57c1cffa400252d7c0ed86489
SHA1

66ff11b0799df69bf02711518197d89f5b09f5c4
SHA256

d989d682abae81162d7fe9ee3e9360fc3e4d2c8cb02eff69c385e0d7c3a26b95
SHA512

1127fd5019cd94f7e15a6109fa274539b64ad676ee12897fa7252ff1f96ae92c9493fa855e94a90685d4be7d2afd5d675e9e882e7879f57a4b80052ac7215c17
SSDEEP

1536:iKY6w0gUYfy8INUt5RonVKwjZ4mJzrVnrmrPfIqBVz/fTT:k0gfy8OUZondp10Iqvz/fTT

Score

9^/10

defense_evasion execution impact ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Deletes itself 1 IoCs

pid	Process
552	explorer.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2732	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2936	aa35e4b57c1cffa400252d7c0ed86489_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2936	aa35e4b57c1cffa400252d7c0ed86489_JaffaCakes118.exe
552	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2092	vssvc.exe
Token: SeRestorePrivilege	2092	vssvc.exe
Token: SeAuditPrivilege	2092	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 552	2936	aa35e4b57c1cffa400252d7c0ed86489_JaffaCakes118.exe	28
PID 2936 wrote to memory of 552	2936	aa35e4b57c1cffa400252d7c0ed86489_JaffaCakes118.exe	28
PID 2936 wrote to memory of 552	2936	aa35e4b57c1cffa400252d7c0ed86489_JaffaCakes118.exe	28
PID 2936 wrote to memory of 552	2936	aa35e4b57c1cffa400252d7c0ed86489_JaffaCakes118.exe	28
PID 552 wrote to memory of 2336	552	explorer.exe	29
PID 552 wrote to memory of 2336	552	explorer.exe	29
PID 552 wrote to memory of 2336	552	explorer.exe	29
PID 552 wrote to memory of 2336	552	explorer.exe	29
PID 552 wrote to memory of 2356	552	explorer.exe	30
PID 552 wrote to memory of 2356	552	explorer.exe	30
PID 552 wrote to memory of 2356	552	explorer.exe	30
PID 552 wrote to memory of 2356	552	explorer.exe	30
PID 2356 wrote to memory of 2732	2356	svchost.exe	31
PID 2356 wrote to memory of 2732	2356	svchost.exe	31
PID 2356 wrote to memory of 2732	2356	svchost.exe	31
PID 2356 wrote to memory of 2732	2356	svchost.exe	31

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\aa35e4b57c1cffa400252d7c0ed86489_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa35e4b57c1cffa400252d7c0ed86489_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Deletes itself
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" %1
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-2-0x00000000006D0000-0x0000000000951000-memory.dmp

Filesize
2.5MB

Download
memory/552-3-0x00000000006D0000-0x0000000000951000-memory.dmp

Filesize
2.5MB

Download
memory/552-4-0x00000000006D0000-0x0000000000951000-memory.dmp

Filesize
2.5MB

Download
memory/2356-5-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/2356-6-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/2356-9-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/2936-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2936-1-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download