Malware Analysis Report

2024-10-16 03:21

Sample ID 240719-r7fxrszdra
Target 5c66cd4f21254f83663819138e634dd9_JaffaCakes118
SHA256 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c
Tags
blackmatter ransomware 207aab0afc614ac68359fc63f9665961
score
10/10

Analysis Overview

score
10/10

SHA256

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c

Threat Level: Known bad

The file 5c66cd4f21254f83663819138e634dd9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

blackmatter ransomware 207aab0afc614ac68359fc63f9665961

BlackMatter Ransomware

Blackmatter family

Renames multiple (155) files with added filename extension

Renames multiple (187) files with added filename extension

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-19 14:49

Signatures

Blackmatter family

blackmatter

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 14:49

Reported

2024-07-19 14:52

Platform

win10v2004-20240709-en

Max time kernel

95s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (155) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\il0ExfkEX.bmp" | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\il0ExfkEX.bmp" | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | fluentzip.org | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

memory/564-1-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/564-0-0x00000000026A0000-0x00000000026B0000-memory.dmp

C:\Users\il0ExfkEX.README.txt

MD5 896f61d321c4af276b7a80be14715992
SHA1 feca31af9616ac09d73900d32a8dc8d08fce51e6
SHA256 8553b63516ebbad0ce0653b3e21831b5dd114584ec49f6f413ad928ee68e6c21
SHA512 81fd91036800c12a66e9c352a70293734f5d4355c6c2fbf39446602655f596ac3afc150a4c0494c804a4226aba55aa65f031bd0957f79ffd131e5329fb0ec82e

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 14:49

Reported

2024-07-19 14:52

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (187) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\uLxWKChWv.bmp" | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\uLxWKChWv.bmp" | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5c66cd4f21254f83663819138e634dd9_JaffaCakes118.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | fluentzip.org | udp

Files

memory/1864-0-0x0000000000910000-0x0000000000950000-memory.dmp

F:\uLxWKChWv.README.txt

MD5 896f61d321c4af276b7a80be14715992
SHA1 feca31af9616ac09d73900d32a8dc8d08fce51e6
SHA256 8553b63516ebbad0ce0653b3e21831b5dd114584ec49f6f413ad928ee68e6c21
SHA512 81fd91036800c12a66e9c352a70293734f5d4355c6c2fbf39446602655f596ac3afc150a4c0494c804a4226aba55aa65f031bd0957f79ffd131e5329fb0ec82e