Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
17-06-2024 12:46
General
-
Target
b8af782f98793a4b4ce9171b1b320291_JaffaCakes118.exe
-
Size
235KB
-
MD5
b8af782f98793a4b4ce9171b1b320291
-
SHA1
5fbd09b0a10eca16802880083f9df314b8a18f50
-
SHA256
6a6e355d48de45bbf5a31ee44455aa0ec5f704421a35c6fc3a63d72b10dd524e
-
SHA512
d158f22a1d381324e56169bba328247d046dbf26ab641f93acda007de595aeba4c3db5513181c411c0bd184b01af468c521da4553ae0a0aa6575079b897de927
-
SSDEEP
6144:2wHyslfEpazAAN91h1wOQ/dICSae2c4UJ8ltV2a:NlfcaF7BwOQ/dIqeh4S8l3
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# HELP DECRYPT #.html
Extracted
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# HELP DECRYPT #.txt
http://52uo5k3t73ypjije.gg4dgp.bid/7748-A23A-C3C3-029F-5571
http://52uo5k3t73ypjije.f0jlbj.bid/7748-A23A-C3C3-029F-5571
http://52uo5k3t73ypjije.91006j.bid/7748-A23A-C3C3-029F-5571
http://52uo5k3t73ypjije.o8hpwj.top/7748-A23A-C3C3-029F-5571
http://52uo5k3t73ypjije.onion.to/7748-A23A-C3C3-029F-5571
http://52uo5k3t73ypjije.onion/7748-A23A-C3C3-029F-5571
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Contacts a large (522) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 61 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8af782f98793a4b4ce9171b1b320291_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b8af782f98793a4b4ce9171b1b320291_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b8af782f98793a4b4ce9171b1b320291_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b8af782f98793a4b4ce9171b1b320291_JaffaCakes118.exe"2⤵
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# HELP DECRYPT #.html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1636 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1636 CREDAT:603137 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# HELP DECRYPT #.txt3⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im "b8af782f98793a4b4ce9171b1b320291_JaffaCakes118.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD577b4d26b627ca341be9d77adcced2f1d
SHA1577bbd03ec0589a9122af6e9b27c1795b61d718f
SHA256fb513e97ed277c9cfc35e2f0f1f5b1084f842a20e59e5013054f45fc31c20589
SHA512061f2a2c25e570d6618e6885fc399e5327b8fa973ebe60a694224c8dd0cf07070aadfcdea9b6acf73e101550f0664863cdf84441e92468c2c3902a88375fb556
-
Filesize
10KB
MD5730749b4be5e472772d74185e17ca53a
SHA12f23c605c78374f333dc17ea8405ac57680739e0
SHA2561800329c734c4a2042a0948a002c9293feb4e6d0fb38e5cb6059bac0090fe8d8
SHA51234d2f570e072eaddd738f6c4cae40941fba0f0cb8bb3d3a7a77a768301c5301ff1e69504f9b65c19356cd26627b56c14d079535511cbbce21d1f23ee4f32d3b7
-
Filesize
90B
MD520a6552a7a90aa289fb6072411815a2a
SHA1b1c40d877cf7891d384f4784e34a3285627dcd05
SHA2561f5cdd4e898c0dd8d0200b17a63b5e25bcfcae55a6cfb36cad5267bc5e0a4ee1
SHA5120bd85827d16f16c47108e947c687e6e549c427c33f5681bca5a73dd3f519606a2419b0c53ee2b46e70958ab5d99a277eafa3ecc543783bd29d13529f9a263ace
-
Filesize
342B
MD587f2d755c3524f6449f9c5a5f9b1c3b7
SHA11d2adf967a9de3ca46d4c763713b628a20f063cc
SHA25633c0835673fd7a27ead0e6f11ed3916e2cc73a0deb61f834a6df9986936c1771
SHA512f4e3ebee13ae816b8c25231fe6acd3dba5f6bdd62aa453b1df6a00ed7e446b04af0902f2b3f96eae5a8f5c907fbbe251fc907ef032160f70267802623c3ffa02
-
Filesize
342B
MD58cfe40d9bf239f0fe09e38619c973081
SHA11060476b5b23b0cc4d9ba741a965096ad8728223
SHA25672ebe01d752984f8b2de19f30962bd2783b3dcb48c0800356ddf6372cae85c2a
SHA512c3a1a379e0b679e7760ca5e8451933ed937f3535a2463f431b1ab761ff0c0492b1e5b9bc5c02c3c9677919470b10d8c580ea0617aacac11766b90a3b0899caa4
-
Filesize
342B
MD598d0caa0b2b3ecf8f7ed75dc19e078fd
SHA1cfbc29e995cdf675ec551cb85ed8d480f9ba6b4f
SHA256e655edea486eecd07491193c6c0c416dd19077556e69d89d133f8c9ea252afaf
SHA512b4d9340a76c2d9f23544b9f29418a4cb7e911a0a0925275eeb4ce7cc0785e6d0c02e6a7e0eae3543f8d86b52b11850951c9f6c1d897280550cde6a887ae229d1
-
Filesize
342B
MD5a6b0c6856dfd7cc4d85eb3bfdad67713
SHA10e2690461dcb24b248de6385d62c01b77718c9e0
SHA256630bec3025828f0cc26b0f069760626e73081dc5e644b214b73c4b567f7fc7e4
SHA512be6b567d087695abde9080b279f13c1f2bf37bf2a4f978d0e792b5cbf2b56accee68f99ebb987b659c9600d9c6bc46c03adfc367230453b72bbe2591943d727d
-
Filesize
342B
MD54e4fc5d6ff5a02b562a5d06eca595089
SHA1468036107dee40a665999c6d775b9e5cb858584a
SHA2562f7aa8ea4127affd173204ebf6f36fb7f7bc6ae576bf8829384a00871f270f07
SHA5127ddf93f0ff68ce652f364c6089ae09e93f04fcb32cb4ebc6c91dec166de1c9808c77e28475ee5fbd46215509eb14c4745c117071d505ea626c9c7f925f1dfd6f
-
Filesize
342B
MD5212bf583da023b9077be1fe120ead5d8
SHA1b4fa3036db2a2db1353fda24bcfdb392cc0ecec0
SHA256a16d1ecaf78f2a7107f21b282cfaf292983de8679c90a0e1e64f26988f8fa8db
SHA512c80d51cc9f1b461f71048900817ee83fbd16404ad48b1a91a457db5e0d1a58031302456b14fe45ca0313bf55c7ed6282326caf992367b82cd223ffd9082259c5
-
Filesize
342B
MD5df87379b007ec125719a4ad692031440
SHA145f03d87ff5cf2f49c660266dc62adc180e8fcf9
SHA256790e6ba661b55f7afa8cbfb0f256d5938c2f27dd2b42d7fece4ecb033481f7d2
SHA5126bfb918017a655c178f7ce3cf3dc5e1704fc4f9ae9af64a44d08a015125ccd0910456857affe27259e6afeba7b5b6b109bb247e10ff3c24a35a3a17788a360a8
-
Filesize
342B
MD5950b3eefd210251a0c123932cc2d45f4
SHA1d184ca7d879196850e7386b33228b020039f9329
SHA2566a01998165e410abbf1c901f55ddfa62138cd360d36467265d6972cc21753144
SHA51252f684616c3d1b3e734ec7494422a028374dc2e5837e7e8806a58f7561dbcb226bd2003f880930b19e2b309759be0f623c5a62d96814c994fef4f3876b981416
-
Filesize
342B
MD59d9b085590310df91d0b25946ed06860
SHA170ab9edf45d5b306454f0c8e7f32ee4a50263cde
SHA2567e57a818eee3af66125b2604183b353649906488f952af12b03838d8a8af7bc9
SHA5127348fe10c39fa5451ad0458a9d2c4d0d81e616f0f8bb1bf1b349b3cf0957033e5d24edb62c5201fa5a4c041b8446beffccfaa17d568e8e21899d8c6ba6dda6f6
-
Filesize
342B
MD5883105a156245097fea4f47df99b61c5
SHA102a384ab7887039990e6eb49d99b88ed81a31abf
SHA25687b1cee22ce4a7f6e8c04b5ce5d12d8686de8013531f9f159c8a6ecc7fbb0780
SHA512ca1e4475d1c8bdc455199bd7be064a526f206f00df837d7993ee6b842d629037099fc470b197932538e61f35faea0feee5f11e0f746e42e20dd212b3126d45c3
-
Filesize
342B
MD5ce78e840d9bedcaf945b380392480908
SHA17f800c55330e8ee7854a38347c5a84c6059db727
SHA256aa5487e9b64a562a94b4011b63acdc39c5cec2363ed91f1067aaf98602b5bfcf
SHA512555edfabcdb07f0100fb02fff68892c7be11f8baf2245ea436497a30dfe54217f48fa74577cb7c392d051658ceff3f99991b369f3490224d9d5cd6292387eb8f
-
Filesize
342B
MD52034be14233ab812eebd11f62a75803e
SHA1a8a0b6b5b8a61d2b04738f73d0774abc8de31f9f
SHA256a374131116f5874d8f6c7d477bb3524a0ffdef91d8b0c5519d1acf08ea986558
SHA5127995ef9b175f6aa6060d85480d9d86510fe32d59ac6356ced4da65136ccca4c506372e712f5ada8ed1c5db53f92aabb8c3f20dc42ec6da877b9341d1a154f6ff
-
Filesize
342B
MD510fe679be580c6d10e494ae0adfb91e4
SHA13afcc37d1f4c010bb13cd880d875844ae65da213
SHA2569caeccd1f307a31b56f9a4aef401aa3493bf9a3ba7c9bf625fc41978abf25daa
SHA512217aeb21f218e88dc9624e20b0a7c8b5845e868aa9db31bb13667a0e80a0ceb3b0d495dbede0f8cb1aea411fbcdfdcd52b13ed392c09c40573517fe67f827b81
-
Filesize
342B
MD598dc9b80ed9a436525b03b2235c19995
SHA1f2b5a27c0bbe25715eae5bf7181566d620112004
SHA25647d827e5f995c308b86715b1335080a13bb54748e922828a3c6e568dc4e8ffa2
SHA51298f8f2d432331f842561bee61047e6e1abb650f01aebe64258000f9c97bfacf1268b5444dd9622778f9ef745d9df369bc34cb9ff1ff4432b50f6c3a37540fe81
-
Filesize
342B
MD5ff1943a7c6ccb136842eb6296a85abec
SHA1091f824801b315c90328d50bcb4e343c2d82532a
SHA256c944a50d82d2fc7c05581fdbfd38edc2766c54ed1ff2008313b612ba9d49db1b
SHA5129c74fba08bde5eaf571aa90348b06c83bca3d7c13c1970ca463586a5f25d538230f93a4263e05ca158b6503141bb0be59e1e5fd2a781bbe9097611d4fc8ab80a
-
Filesize
342B
MD55cac688dd8b87e7b1f3fe899e72dacbb
SHA117ca976503d95c1594efcc398f2a5c5f4a96a601
SHA256c3cad2a0f0811757ebd961304a92d7e780fabdd6ca62fa7ac6721c0c7d4aa384
SHA512e355406f287cab0a89264be521421f9a957f81893bff95908b36da04c0db354181969f6a1dca6c921cb5cf59eb66baf0252e70113bd66de616bacf9d92466466
-
Filesize
342B
MD556ef18487e92d0905d1e5581aa01f5e9
SHA1b3c767be6ee386d09aefc5fcc3d0e42137cb90f6
SHA256ae24d20636636bb6a8256575c83a62e13fb44115b97f9bc82b917a8079e8cbc4
SHA512f71d3886cbe226fba69995a0dedf2181ff26eea1735020368d205c8acda1b8e9eb3314dc54e50e86ba98f1bf2f5c7cea8ba45b1936a9236d1f2eea4a04a13976
-
Filesize
342B
MD5a8f0ce7891dee02117289a955471a726
SHA130dd6d8ff7d6eef21ec92e3ab77dff6c5c955031
SHA2569b1299c28d64a127517530078a471edc1b43b133277facd5809c2cb23a7bf5a5
SHA512c956564cccbc6b97f8272cab42a46e00bb54af2925b9ff2912092f0abdc09b3e1930e072bc7f92526f4a79648c1775c0615f481ec7cc79e7684234d09bd1e4a2
-
Filesize
342B
MD594d5c08c415c0a1dd9985fad2161ee8d
SHA1485882dbb78516934256eedfb38c91f91aae0175
SHA256ce798a0d83f394ef1b5cba496fc88b06016c1c09748228b2f50332f391ea2e87
SHA5124c7e565d739d93922b2f892e2192ec344356c420e1ef6e62e9e7fd75cfe8732fb87f09e4f858bdae06b6fe1ae768c69b0ab2e6edd6f2ce05311b9ce4ab62e2f8
-
Filesize
342B
MD50c24afaba53a441504cb8d1bc7f200a6
SHA11b891840a480ea2f6893e89b293e76e566919cfd
SHA256449b89348dedc6c2e985fac5de814d3e96973235eca9ab8061ede5e334499ef6
SHA5123abfcb420e061808d970dc84eaa4ae8a45131062028b339fa3d85e30161c9fdd7ec4dfaa32a9701cd8f020fcbe3b6125fc3b4377ab5e66bba04371aef7a4beaa
-
Filesize
342B
MD5ae86babb1ae6ea756a662d7cd3f73ebf
SHA1088dc02f6ae182ec6e90305a3ef80186e2794b74
SHA256a333e2a94feaa8c68e31db49157b1ee7fdb25a293982c6836def3d135c636d86
SHA51281d50d868a052582e2cd90337b74bf62fb107f1957cb701c16428fc4a85dd160ca59dfa9ee25fb3c29cc45854a70067da47d18117418b135dbc12df4441ec1c6
-
Filesize
5KB
MD5f0d7226a5572fd21ff0e53bf749663aa
SHA1ec69eac5e3612e8f91afa50d42b25c58c09e98f9
SHA256462f2c17da14961bef88a64bd33f15d3bdcfe44c6c38a7bfdf740cbb4e4ca79c
SHA5125935790e64130495db9d2a293970e96bcca44a23fc30e98eae5d122b75ebb707836605dfac41a009df2c1359dc35d3b86dafbc9a58f1de4e4c2ebd1e15c50085
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
4KB
MD5ef4c7bcefc3c63dc32124160d26f2e4f
SHA10b08046ca6139031d60c14f46ad1dbc825519fe6
SHA25670ea0c2f9448e55df87cbe395d1e44deb64e34a4b420f04710d5472d0f30f63d
SHA51228261261cac6216543545436c78a62f506bda738b8b3c2b7c1b6e54ebd9dd0b216f19fcc8ed02ccca25362b589629b1b9e571d3a91e8328137d9570ede2fdd4a
-
Filesize
2KB
MD530d55bce2a53c5ca2e0b3a2e827f469e
SHA1b22e091deaf30d949781b625c1175c2c83b4f6be
SHA256096ed5d0ca98f280765e82d50c7c9159f226fbae5d315c4d0b010784d33d1bca
SHA512536966dc18c89d7f702aee1be6ee2c111fbd3a7372659c815824e43fb987abfc870f4b146b8cfa0b5cabb692ec0ef93ffb1f6ef5359ecfb252da70106e4fc039
-
Filesize
11KB
MD56f5257c0b8c0ef4d440f4f4fce85fb1b
SHA1b6ac111dfb0d1fc75ad09c56bde7830232395785
SHA256b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
SHA512a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8
-
Filesize
102KB
MD57c433e47ecfd8e776a8551eaa3566331
SHA103061c1f3844edeb6e0f3d86fa5b3cefdbf81357
SHA2563696f8856be929b28f8db7902369251019168ef9d05c74e617f48a8f9d04ad01
SHA51233162aa80cc4ce511e2fe61ca4059067b264619d825afa66b791e3e0cacd7197e35ebfd1b257ba8d05e30209ce36822e1935eff6664e1c8a96e45ce7f3fbff7d
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
8KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
192KB
