Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
15-06-2024 10:12
General
-
Target
adef96848ae6e61ed0d3782f6711239b_JaffaCakes118.exe
-
Size
384KB
-
MD5
adef96848ae6e61ed0d3782f6711239b
-
SHA1
581aaca2d5fafadef12a0ad1556d7e149a71da50
-
SHA256
36f910cf4a63afa86b711c14d4aecca3f4887232ba341d7581a0e5baa0fd916c
-
SHA512
4860fe56a5dc55087a8e152d5b4d87f00941721d2ae2787e6e3bc6b79db5df228537d66d2750f95aab6d0ab685c28a51e223141bb3256bc91fc89abb2e4a7d94
-
SSDEEP
6144:FtguKU1XD9oEmWMF6L2IzjAqXuxoaqHwdfOUavNJ3en9THb3IA/OYILI:kuRBoOc4js11GUfVsNJ3entMAWp
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+mthqd.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6DC472B792A4CAA5
http://tes543berda73i48fsdfsd.keratadze.at/6DC472B792A4CAA5
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6DC472B792A4CAA5
http://xlowfznrg4wf7dli.ONION/6DC472B792A4CAA5
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (874) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\adef96848ae6e61ed0d3782f6711239b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\adef96848ae6e61ed0d3782f6711239b_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\adef96848ae6e61ed0d3782f6711239b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\adef96848ae6e61ed0d3782f6711239b_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\ssyxddomtoqv.exeC:\Windows\ssyxddomtoqv.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\ssyxddomtoqv.exeC:\Windows\ssyxddomtoqv.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa988346f8,0x7ffa98834708,0x7ffa988347186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,14433697443973922843,14920626582976363406,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,14433697443973922843,14920626582976363406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1456,14433697443973922843,14920626582976363406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,14433697443973922843,14920626582976363406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,14433697443973922843,14920626582976363406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,14433697443973922843,14920626582976363406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,14433697443973922843,14920626582976363406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,14433697443973922843,14920626582976363406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,14433697443973922843,14920626582976363406,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,14433697443973922843,14920626582976363406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,14433697443973922843,14920626582976363406,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SSYXDD~1.EXE5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\ADEF96~1.EXE3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5b07f38f7976d86cf0565e2470e2c7b31
SHA148ea227ba800c87bf8739ec53c0ea15dc5ee3170
SHA2561075739b8de0a6a1cfd67993cb07f65504192055ecf7d981bf28d6cd09b4fcc5
SHA512dd6add312ba54257e399b0f6d58288dc0c54292285e49aceaf8f76dc685f2a92d4a386611bd27575e4c0dfa28ba456e1fbd84e4ff0dfb9793f61c346b3a5084c
-
Filesize
64KB
MD55aa52bbc0ee019f2c4303178d8cf06ea
SHA15108e1a1cb52f86447872aa5ed3fd6ed3306d996
SHA2565a75f8e9b39af6974803323fa74cdac86084746bbef0b4d9458102ec590a9bbe
SHA5124cc8e48261c42e40e8c323c68409b3979873211f36672d365e9befd6a3ae74e6af80fdad4afc116058addee572056ba6399c9ca5de911921fdb8f7cfa72a165f
-
Filesize
1KB
MD5eb2645bf745192f2ac407a0f2b20d50f
SHA1ab113606249770f204f193601e84cce3c5c4cd1f
SHA25698d629766711d3bd5914ad75cf4586f11cf1af831fd97c0d765e29fb7b9a7286
SHA512f6b6bfc7cc6109b98c787cffe509cb5d6c5a379ef3c91488ef1ec27bd4d3b1a6d9bc42d1730197d45f4ae06b66aabdd583567acb7db475c540595f429cc199aa
-
Filesize
560B
MD5cec0a40b735ac6cbb02c4e6b82922335
SHA1a3e6e9893a6550205d0b59cbed5ea09e9a1d3584
SHA2563f544de3653cf300fcd53bf64449903ef18e249a484324890043d18d5fbf8e98
SHA5126a541c519868c93a265a6a7f6b76a3ad21f8d10666ecb23adc93cdad08470e4e79c4d28781a03d9f6c39ba089ba3996b1654af49160182c86fa75393fc34df0f
-
Filesize
560B
MD536e87e6236b7b8b9e68242203e1bde9b
SHA1e3b51036a0b1c30e6fbe41332b20a172d516ce6f
SHA2560e84ab399c8d1aee88433c33998e36146e7710efdbfd4b7c2362b7813e2f8b3c
SHA51248d540067e59a078f762d878e768417b961f5813bbecfc749d0ce14ad67034d8861bf49f66e47fb809c466d296f2a15fa82aa7847e643a750550f762f34d1a2c
-
Filesize
416B
MD551b03bc9d23a844df312d07bab588d77
SHA168680449edab7521f4dab87319520411f9e0e493
SHA25649f073ec914dc763b57273438b1993913c279f3615181cb5511b33d6dff37bfd
SHA512050f84fd321e5d943bb3674f490228c86ce82c22772060743b5342204449ae0ba1fec0b0d32a27e456cb532e62d9869aa5185251268023075f77582881b91eb2
-
Filesize
11KB
MD53c3f5b374a295ce52e4abf7607fa23f5
SHA19aa34282a46a753d326f83737df835205f597ab8
SHA25616973f5cfadb5e211f9adfb2ca27f270361b37792f1b08ceff680c63e70726f9
SHA512e9c037373731ff4ffdf814b02fa265a67f1d41a1478c6fdf5b771944d238619aade393a9214a74e3a6bb2f02e621bd2a75f74e306381eb1f65b7a437189488e0
-
Filesize
152B
MD556067634f68231081c4bd5bdbfcc202f
SHA15582776da6ffc75bb0973840fc3d15598bc09eb1
SHA2568c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
SHA512c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784
-
Filesize
152B
MD581e892ca5c5683efdf9135fe0f2adb15
SHA139159b30226d98a465ece1da28dc87088b20ecad
SHA256830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
SHA512c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0
-
Filesize
6KB
MD581b70d2f7360b0dd1e934283bde4ce96
SHA160b18b0fb8bf815bea64d64fd9fafd8c7a96a4cb
SHA256b282d945e53fb579bf74c1a1b0a2ad4371a008f18973516474f07125394c0b0a
SHA5126ebfb385c14378412776a22c3af475026035a585e95970bf3fa64c28f1984caf3630b2816cffb22ad2bf129bd3d9148f63dd0f502e7de84f37c7c13e9ac4065f
-
Filesize
6KB
MD51b4ecf70f4a6da3193725922514e5697
SHA13650efa0a39aa5840dbe0e62d17d742e90735cfc
SHA25604e2e27c75b1f5f6ffcedb3ddde08a27ef2c5c96d79046658a762bb9d39f3eed
SHA512d8b78b8eab0e3676cf00600a88c1be638035b3191a4c7f4fdf3fb3e14e0d55fb176bbfd2b1bca57251c59137f952ffded85637609e303c24f87824ae58122b88
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
77KB
MD5e4b94e1533c9d8af3d4d6890918ef1a6
SHA1357e8808dafca229819a119123a716f1340ec3c4
SHA256b8888663e2391a94c3d1dbd50d5636233be4e20d87b7417d060d67c00b5c2e9a
SHA51208150a32e0da16de02db3de884699c27fbd2d91a7b1a64f95d1f817055da6e467240d201b292165a2a5a53aea863d7e320940d365bd69d173769b9133915f17b
-
Filesize
75KB
MD56730324d542e2b7345bde4b3f274bb1e
SHA192725ab42d7bb897d810550a5072f38f8278520b
SHA2569ada438a10e7607214e5119785659666bceace5fb6310cc8c2513ba89bdfabc8
SHA5125a37211e062d456194bf86bbc0ab5edc107077a438035d9a016a27fdd111a504f616d61f831b0f12f22a98ebd5200676bf6ec1e98c3628ed33d7c2ece8110200
-
Filesize
384KB
MD5adef96848ae6e61ed0d3782f6711239b
SHA1581aaca2d5fafadef12a0ad1556d7e149a71da50
SHA25636f910cf4a63afa86b711c14d4aecca3f4887232ba341d7581a0e5baa0fd916c
SHA5124860fe56a5dc55087a8e152d5b4d87f00941721d2ae2787e6e3bc6b79db5df228537d66d2750f95aab6d0ab685c28a51e223141bb3256bc91fc89abb2e4a7d94
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
3.3MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
