Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 10:12

General

  • Target
    adef96848ae6e61ed0d3782f6711239b_JaffaCakes118.exe
  • Size
    384KB
  • MD5
    adef96848ae6e61ed0d3782f6711239b
  • SHA1
    581aaca2d5fafadef12a0ad1556d7e149a71da50
  • SHA256
    36f910cf4a63afa86b711c14d4aecca3f4887232ba341d7581a0e5baa0fd916c
  • SHA512
    4860fe56a5dc55087a8e152d5b4d87f00941721d2ae2787e6e3bc6b79db5df228537d66d2750f95aab6d0ab685c28a51e223141bb3256bc91fc89abb2e4a7d94
  • SSDEEP
    6144:FtguKU1XD9oEmWMF6L2IzjAqXuxoaqHwdfOUavNJ3en9THb3IA/OYILI:kuRBoOc4js11GUfVsNJ3entMAWp

Malware Config

Extracted

  • Path
    C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ghnsc.txt
  • Family
    teslacrypt
  • Ransom Note

    NOT YOUR LANGUAGE? USE https://translate.google.com

    What happened to your files ?
    All of your files were protected by a strong encryption with RSA-4096.
    More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

    How did this happen ?
    !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
    !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
    !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

    What do I do ?
    So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
    If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
    1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8BF4DD7AEFDE425
    2. http://tes543berda73i48fsdfsd.keratadze.at/8BF4DD7AEFDE425
    3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8BF4DD7AEFDE425

    If for some reasons the addresses are not available, follow these steps:
    1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
    2. After a successful installation, run the browser
    3. Type in the address bar: xlowfznrg4wf7dli.onion/8BF4DD7AEFDE425
    4. Follow the instructions on the site.

    ---------------- IMPORTANT INFORMATION------------------------
    *-*-* Your personal pages:
    http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8BF4DD7AEFDE425
    http://tes543berda73i48fsdfsd.keratadze.at/8BF4DD7AEFDE425
    http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8BF4DD7AEFDE425
    *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/8BF4DD7AEFDE425

  • URLs
    http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8BF4DD7AEFDE425
    http://tes543berda73i48fsdfsd.keratadze.at/8BF4DD7AEFDE425
    http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8BF4DD7AEFDE425
    http://xlowfznrg4wf7dli.ONION/8BF4DD7AEFDE425

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (409) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\adef96848ae6e61ed0d3782f6711239b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\adef96848ae6e61ed0d3782f6711239b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Users\Admin\AppData\Local\Temp\adef96848ae6e61ed0d3782f6711239b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\adef96848ae6e61ed0d3782f6711239b_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\kfxvghyuernn.exe
        C:\Windows\kfxvghyuernn.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\kfxvghyuernn.exe
          C:\Windows\kfxvghyuernn.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2792
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2020
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:1120
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1304
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1304 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:200
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:820
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\ADEF96~1.EXE
        3⤵
        • Deletes itself
        PID:2752
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:632
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ghnsc.html
    Filesize
    11KB
    MD5
    83d4b00a7d9e840fec7e5922f4397742
    SHA1
    98abdbac9c88fd5fd2a39a8b30eb3042a6dfc2f7
    SHA256
    5c4f211c3e956f924604d680a5566275cbcae6c28dc98ce89473eb929e5a3d51
    SHA512
    47120d6ca131a8f6ba1f916f507c0368a1148f6c75b84d1c66dea88eae0d241e63ff09e576231298088da1583735aff13f937fe2bccae4dcae5f0ed1df6d50fd
  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ghnsc.png
    Filesize
    63KB
    MD5
    7840c5af103cd0e572e98fd4344fbb36
    SHA1
    95a2a98475d6db3418f1c6e1bbf4bb4adba15253
    SHA256
    6c8287dd0b2f97e05cb2d87d74d1bdcf895feb90a2c0c181b409009c5d911ca8
    SHA512
    d1c858dbcd510f37694d15df7bcf6dba3f2ffa109b7701146ca475d500c974b15ffc21d81ca941713d0ad160f31b952713bc805d004bcc5159fb6578dda9bcf7
  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ghnsc.txt
    Filesize
    1KB
    MD5
    2fb93473defa08b63832e2faab84ddca
    SHA1
    062cf165d2626b03bdeb6d2c370ed9bec5e10caf
    SHA256
    daba76ebfd414a391f5d54ef432c607656ab3af92673c01018036d53a6466b61
    SHA512
    d64ae44b052394f92e776c1e2b178be216cd8637473ebb55a1a487381e2ad9481c71eb63e776b04f0d5ee64f0a5e9fff0205fd87d8e97c518efbf7be2f077329
  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize
    11KB
    MD5
    d23b44e4edf6319edeb957e66882cec1
    SHA1
    37aa6172d232d19f658e7b7c0e268571bf9fa841
    SHA256
    1fc00300c8a5d32dd69fcfc98fd140c64b1d4622b5502ff2d16bb40f08bffbb5
    SHA512
    35a36f42b13401c9bb98d8ad8d0e0e2d1f25c14c0e2dea0391823903e4fd54bce47b326869ab187df3ed8adb682f64bb84bfc3766e67e44115f317fcf75f1ed3
  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize
    109KB
    MD5
    63f51ee4229b9476d73a24122f068668
    SHA1
    57162ea481d5323b3552fc1641e65f5b0a767f81
    SHA256
    0c08081553f23636739d9e27018fc00f21df356ba19d3b52c83022a826fb0b3e
    SHA512
    761ab7432c520ecb71c0a829382382e0305274cbc7afdd28f30dd932426851f2e4df81fd6320055c77867f8ed56d1116aa9779ac95ab1ac42f0011b61e9ecc9b
  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize
    173KB
    MD5
    89e2b63afd6a6f5cd3d8c7861f22a7c9
    SHA1
    22b10bc6570b821b2b1428f525293406eee1decf
    SHA256
    770e6fbc54251fd7015a1723e8869cfc07278a6b25498dc3f7ba2fdbaa08a390
    SHA512
    92a57718ca1a69210ef572e750b073673b32e5ba1a5af77f16f836885dbb1aa0762b3c957b02143606d8cbce90ae931b0297e458dae0adb184905ef19be0724a
  • C:\Windows\kfxvghyuernn.exe
    Filesize
    384KB
    MD5
    adef96848ae6e61ed0d3782f6711239b
    SHA1
    581aaca2d5fafadef12a0ad1556d7e149a71da50
    SHA256
    36f910cf4a63afa86b711c14d4aecca3f4887232ba341d7581a0e5baa0fd916c
    SHA512
    4860fe56a5dc55087a8e152d5b4d87f00941721d2ae2787e6e3bc6b79db5df228537d66d2750f95aab6d0ab685c28a51e223141bb3256bc91fc89abb2e4a7d94

  • memory/1512-28-0x0000000000400000-0x0000000000748000-memory.dmp
    Filesize
    3.3MB
  • memory/1548-1-0x0000000000260000-0x0000000000263000-memory.dmp
    Filesize
    12KB
  • memory/1548-18-0x0000000000260000-0x0000000000263000-memory.dmp
    Filesize
    12KB
  • memory/1548-0-0x0000000000260000-0x0000000000263000-memory.dmp
    Filesize
    12KB
  • memory/1732-6047-0x0000000000220000-0x0000000000222000-memory.dmp
    Filesize
    8KB
  • memory/2652-10-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2652-12-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2652-6-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2652-31-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2652-2-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2652-16-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2652-4-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2652-19-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2652-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB
  • memory/2652-20-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2652-8-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-52-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-57-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-56-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-54-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-51-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-2624-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-5849-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-6040-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-6046-0x0000000002B50000-0x0000000002B52000-memory.dmp
    Filesize
    8KB
  • memory/2792-50-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-6070-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-6071-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB
  • memory/2792-6072-0x0000000000400000-0x0000000000486000-memory.dmp
    Filesize
    536KB