Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30/07/2024, 13:02

General

  • Target

    6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe

  • Size

    4.8MB

  • MD5

    6ff1ca648505fe8bea6b4a26616b9722

  • SHA1

    7020b4d9e700b697d507a61bffea12c9475a23d2

  • SHA256

    7b7c16367746efe7583ae46235b2f062ce44602dda990c9a11a730d619b8d365

  • SHA512

    e65d67e22807e1a539997bd763fc6063226fce207c57b3b0316ef7640471f460016fa5f58feb006ff96dd7a2cf5bcff7c17f0af763e8518431fe13ce6d8c9db2

  • SSDEEP

    98304:zDAjjvoF+Cp+/bbbbp7FO1gTL9M5gmoZHOoOVsHalI:zuvAObbbbp78+VwzV0alI

Malware Config

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon payload 6 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (195) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6ff1ca648505fe8bea6b4a26616b9722_JaffaCakes118.exe"
    1⤵
    • UAC bypass
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1756
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:320
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:1840
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3032
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2192
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:1624
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    792b2c836fc9383228793223f6d4a7f9

    SHA1

    d2816e2a9add63e4a55a005540f7b1899ff504b3

    SHA256

    1e730af979f8cc75e05bf3ca56fc6b58d548b28e5af7ec0c40bfc82fea4e99e2

    SHA512

    ac1ad729b0cdbbbe4bd0299c2714363987c70dfcdf130766fe1871bba197a32afac9a75e406dc9bb2e67d99144dfe87a1553d01df0a1933e70f4e1e666fa2a9e

  • C:\Users\Admin\AppData\Local\Temp\CabD413.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarD416.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\Documents\HideSearch.xlsx

    Filesize

    16KB

    MD5

    02ded5f95df3dce958d463354a439602

    SHA1

    691f30bff6d502c242a7b9a3e6a123ab6a99f1a0

    SHA256

    86f5befe0793d77981157fe00d9751c3bd2a183c4ffbfcd9d1602332391353de

    SHA512

    67a1e34aff97ac603cfc8d097d220e349802abf42a507cce06744ffb29084895deaadb518616ad8adb6fa40be0eb3618aeb58fe31dd7934782bee91a42f2def3

  • memory/1756-0-0x0000000000DE0000-0x00000000012B7000-memory.dmp

    Filesize

    4.8MB

  • memory/1756-1-0x0000000000DE0000-0x00000000012B7000-memory.dmp

    Filesize

    4.8MB

  • memory/1756-2-0x0000000000DE0000-0x00000000012B7000-memory.dmp

    Filesize

    4.8MB

  • memory/1756-3-0x0000000000DE0000-0x00000000012B7000-memory.dmp

    Filesize

    4.8MB

  • memory/1756-26-0x0000000000DE0000-0x00000000012B7000-memory.dmp

    Filesize

    4.8MB

  • memory/1756-501-0x0000000000DE0000-0x00000000012B7000-memory.dmp

    Filesize

    4.8MB