Resubmissions

16-08-2024 12:27

240816-pm43raycrm 10

Analysis

  • max time kernel
    129s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-08-2024 12:27

General

  • Target

    9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe

  • Size

    68KB

  • MD5

    9e5c89c84cdbf460fc6857c4e32dafdf

  • SHA1

    ee0a95846ce48c59261eda0fdd6b38dfc83d9f4d

  • SHA256

    dfecb46078038bcfa9d0b8db18bdc0646f33bad55ee7dd5ee46e61c6cf399620

  • SHA512

    6da517ae5159ebcb0ac138b34215924fb21adae619c3c15ede6863866648e445633f482b2beaddbe74de66b48e18d106dbde3253ee2d3ce86da667f7f8494cd8

  • SSDEEP

    1536:7ufJPTAoUei1obcxtZbW3BqlIS2IyUY4h2wEsOolJT+y9v:7upTAneif03BqarUY4l

Malware Config

Extracted

Path

C:\Users\Admin\AppData\DECRYPT-SEJClZ-decrypt.hta

Ransom Note
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>SEJClZ Decrypt</title><style type="text/css">body { text-align: center; background: rgb(192, 176, 176); color: black; font-family: Arial, Helvetica, sans-serif; font-size: 14pt;}a { cursor: pointer; color: rgb(68, 68, 68);}textarea { width: 90%; height: 200px; background: black; color: white; border: 1px solid black; font-size: 12pt; font-weight: bold;}</style></head><body><h1>SEJClZ Decrypt</h1><h3>All your data has been encrypted with Exorcist 2.0 Ransomware.</h3><h3>Do not worry: you have some hours to contact us and decrypt your data by paying a ransom.</h3><h3>If you don't pay in time, price will be increased. Then, if the payment is still not received, your keys will be destroyed.</h3><h3>To do this, install Tor Browser (here: <a href='https://www.torproject.org/download/'>https://www.torproject.org/download/</a>) and follow instructions on this web site: <a href='http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/'>http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/</a></h3><h3>IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data!</h3><hr><h2>Your authorization key:</h2><textarea readonly>Ob/5QaalAbbFYQYmEI5JzkNq0qmhX+E3KCLeF/Nz5ETf3evhBFxNQVdPvFCaV/bV ymjcd+65++IMGcgYK0Gv5jwAPCtts5Snggu2EvNJSj78eHu0m/CS3F7oB6vas+1q aKhnKeVM0evUPKI7HEo1cAGOauZ1LXnW0qSxat7EsRafPeueKpNpGRr/oHGmtK3I AhrXbu20KDAmPiPC3DEXXWQP2SdvxipZOVtXETcTGufGxZWKOfCrL2DiRsAkY8gg E0FZ88V9ltLa4OSp9vPpWN5Y7q/qg3540GafFclisu7zTZIx75+y3it8nOt4hd/x zVXH7PiTxbIUGSxosWk63US20BFtb5kmEc/FkAtMW0NtYEYdjTjB8aHO2bOajGgl qiSsUlSnxiAB7Rf+Nx4qEV9KFclJar9TgfHf85i84HKSXeeFLaxPSltxtsAMc3EV qbXzqWVhdK1yes3ykJwuu0cdC79z01FuWP93URIah3hn0OzR1hn6+a3+Dps8UKYg 1D8qUm0p11cWHkxNATS+C7aFq5201EMMsXnVM5oV6MvnulxZzRTprNSUpwfXVmq9 UCG83BrI1PUABBRFe0o1C8iGYWo3D8efFbX5ZD7enwFDobg01L4cxwVDevoJ32Uj 
uUq7JqioGDiBh0x/ue72pF69NUTSo7mkvN+7Mgkw4/C5w4St5Er5B1OHXuxj9puE PCV7chgCz7UsuapxXLP8irq937akkH53rl1smxik+BcxA0hA2iX1651CLZzgVDjy RKygIMqexn49cCXAkY1wTgYcu55D8ronIwv+ZAEqfSfIJkpwzYGPZlaVdvIJDTtw oeG5+sdVzul+xznn5FoCXqfK0zDMs26wAm50pM31BuV1wEiBThB45UjSZrj5d84d 9FeLqQDbrnB5+lJS55uUsdUmSh6qLs3KSDdFNuql9oTeLXwTX0rwI02WAJ8LppHo iZirJFGOjibEuJBaNEbYGN+YVxcc2DdQMCQbnx2XYQE+4CgB9Gbr75A60XMxknhK 4F9nsFAJUXF3JdrzJ9ICy/8DThMtnT3TTOV2IUrBCd7X1FnMjU3V6psHFSl5flQ7 JWKDWz7GVEKVztSBYRce1ketqTr4JV2NxYNahPd8ANX9BayHR2C52VKX9xns6B59 iYZiHOJS7Bvs0Jhar0Wb/hkQUFl9/kTO9DgJ5YIbQSyjg+9bT6Ev/p4wIPSy8SZL ZeQtyjbrYE8foabhAPbkDbFhzBzWoe6IrEJGPI0im5UlweFAXaBfiHh7Y+mNLfsD JaoKAgo3sEOd/bcKTH2BF2p4HwUef/EzEF68SXCV4pY6ZUhElzoyIq+bcbn8LczH DojA0w9DWDtbTdi1VPbD/fvQl1JIntQgLNVhrqgDXWUVIjOqEntbwAM3eqPvyMgL M6AAcm/MnawfguZb/ccrTwpsEF+Ta/IYjZdppy3DE/jGSIoVGROPcG80yASQQNO2 zlAFjWxMBjfx6U1PAZcmRxgzHaXS51f4H/OKApD9LYp/uKyhlR1QLvjtBkiNxr+r EuPW+g9Sy0JjTAQP4Jn6lYmawTbv4doA7FdGEnmYvx0wbszT2wA5w5KGwXqSsy2l 7ZhxqHr6sst11uB5/fC6rQH8ifIlSjJblhoP3ijaYx5vGyt9roNIdHEyaUcPeKrs HAowwdp0xq2nFAg1t3SUJV5KGQJTQshH//L843DEHkUNoPIp42ERWWZc1pEYV/9j JqEva/274uqj35JbhJxA+rCVPkyQofNBnaS3ex4orZBA+De2/FbswN21CotaGVxR QFElFFPbJU/6zTJbrCdBrH2mqFe2tCrJM4xlr8L2h99KJnM99+qteoOP+ki/CVmQ fCoo4LXct1op6mTzp1l4VGNn5lr4qK0D16bN8uFgbFeAH2sN0zhNFaTw7kYMvgI5 XM1wsEGn9JmrvJ0FoeB/QFRHbRhHqjeCw7TQRY+96qE0GpZu9LSmfZBwT2LYUd8U p2/jVtzqYFXjUx2XvCnFCitTukC8Zu2IXzq3WxZ9ql43xQFy0dy5KuDmiOI+0xnV npcJmuTZY9g5oNxdyZdOHYHPCaJqDxioOMlNPOcO0ADJNyPiTZ9k6B+pq7q4Bxd7 GwuUerpIfgowBL+RG0+p2+tiSM/a/Rp7LS+VhbW8nDpNW+xiO/+Up74DNwuF1+56 rIfWNO0WVz5pqATz2pglq17U7HyaqSNTCw034cc58xynygQKjExZOtJTb9ySiFq1 ETdE0uqrtHJVBpws5BBkEGcEHlIzWRPV10DJBGFPbp/+99qyoYcdlBMJycqT8WLP odrlvfjTDHOE6/X7Ek8VFAOj7pKWi3oLAz3QV3UdoIpgZxd4wvUp2BAYyIdR7M54 ZU7kmNEO+16bcHcBN0JMCOiwBWH1AXlVvc6qtWzd4SG5StYbZeG8BQwVErsGlsKf oNEZAqdVwa/ooXySxbz/NK3kikkW5f2+mbcPxGrF3J7s9DiY+Kn/XP0OqF5Ak/BD AI9gsy7nU2ZMA7i3sRW0a9ksK5BpRJAmaIlndmAenSUT9i+5vVO7fIuD84IEdsCk 
1LEBD5xdryGbyT81CIjxl8+fJ8tqMTmjh6Jd+PuGLIQIliABULo4itaHO/yyDUhV brufrSmuOxe1PzaY8HUlYI/yV09hmQpesO8Jo3Z1VyNUPjBrMo9DDwYo6ZnZRJvs llHfEvoDijDvEPRAm3E2AbhhyK6F8CT+xe8aSaqvgQY657hiwilTtZOqxd2nyBKl l5FSeISh6maIi0PRpCCQ5UbK08v/DrBsH8V8mcSh0uHxa+HR/hDTvKQGphu34Ogv B+XO9cYZogektNTxi7jM+UeJq08eDurGDdti/85Ef0lTYpTzV6mHUC56e/59c6NY cUCuHoC0+NaJzoP2Onm+OIcKWTbK27B/OFFW+gXX9+ww9P1MRAGmCQg1FoO3TPcZ FyGZQlYdzgNf+YTMnOAyhjHSxOpxv0b8fByiDUX4r1H1xHlklR+j6s5C0HQQ5Jcz oPomHmmzU+w1qZOMCPHCNJtA/TiMplsGiT4patUyRwxOGKrLRDMtxcQ3C54GixCX G5ow+VW3n/2iE997XSguIoFpg7e2mCYGIYViw0itG1Sd5cuzT/+sgRcW/uEeOyIC Fi9iOK6rKlyGNjme5XRQN7/Nx0K5oUSoFypPH8m4AjPJNj0NmYwz/w1IAlHB1FuJ vfH7fbuj8RcOw968GA1q29leJVjGMEPw+Nxy3NW3MR9UQXtUVbfiIC6RUMsZ+Jtg mDr4clCjT+xJP6lQE8CeiWILqq1hfy98qrjwg8HiSuzvWSJbb4AP5fAwrt2Pfg2X d/XjGhlZxFrOilKRHLYk9gL1Rik0wquyzLYwe1gYntx4InZ+Yv4a1bJaEiDmm7bY ZGJt12B/nAwVmi2NgoN8SF7VSrL1TXD24eOIREx+AGjGrjKts8XVFHAcvW329jVD yDqI+jUMwpSvQrArD/12CAHMVEyZPB0nKJ9muZx5UsRYF2zH1KriCqxQ3FlLAxTk YkBFskDtYkseeWsdY5b+HNHR6s7/4XAycFzV5+YFIFl2JuSxBZ5WlLlV9HNODRX6 MoE8OkhLH9nBYDpi3Dgokfx2RPu5rQuPQWELPpU1/ABdeazLYFbwGDXAnOf/HF/L QT29QdON4gli9E32h0wNIEoX65cOhgUtDnsTqik5VL/0L9PHalUWvKSXQLFzo3Lu Time9BUrtM1AKHOP2LvWuEkrHv3lghNQCBSd+aVbjhd4fkMfxkXi615qmObcVhH+ big4v6STNdG6yqcle31ca1LBHFk0XGd0lWx8ywgVcvqGhjR066caz48nbEin9++P PjKKfML4RAdoc+KUVBe90epfBMttNi8/vW2KhfiPuRLRQJmINfIoBETFnRzFSRDM x8nEqOzmD+AWFgVaBiYG4xa2YDQ3FDm/nqvXhxuxEoIU7Ksen2jPA22eeKTp7Dz4 FGfxtyl+V+8zZjjs95WKM1rJRczzjd4S+V35YA2cWWlXsQ71PNQ0tSkb9tkZMjke lpVeE7oDFtt9vk6kxa9KJrTR1EZKMpoE04VBdt0zi7IotUyEixNT3FhOeQLhBZVJ VV/U41Kllp/CZap6UjE9UEtPKYLEuIt4TBtsbtccr0HDem1zAAZ5YluprQW+JI95 ikakrDjcajbA+b6XO8ISHtdu+AloWnhKSjjxez4lXTBIZBRbwOBrMGJAj2UuP1zt OVg3Kn44dqILKJWF4b74htY50T5fEqkKQsVX3n6iJwKHwjAZNKs7UtbOs7Sx1Vqo jNcMIH7eyeRhtDHDLbGquXyLYhXaZsfiAHxtOAfldnc9WBvmFETyzU5ssUgw+prD 8LjjTLhGXYcly/Fuui/wNVUSg6X1ST1+pN83wr+gjCWZ5rQ3HVqLouFSxTzs2QBw yRT0HkO1yr7mE9a2gvmlCzB0fHwDJPdaP/ddfjOO+U2f/XdL3N+5d+XBXNWJ7l63 
KZmpdc/y+7JeiTYZUfPsAgrCw560eOcTbqRC1TIhIavI3Tgr8l6s3hB08okC9KaF ij8obJx/CC65BtAF2PAsAmxeiBg8+gQ4qtxo0gqufspoeco45tZ32nZCLcKr26EA jI948khqSPeH46THeluBIyggHeVJSrurTM0dfxgGhCH804Vum4XPdv5D0Wf5I5Rb q5ucQgMExNkFf0JwtW5qW7dQKudUIgFRQq+/GBFJT5T2uRh4KPeah3nrZMkgPJuV 2hmffaM2AGUCUS4AC5QzXp5tB1FUxd0cLEOzPWmyWpeHXXUSzSA1X8PKqQDfCnm/ 6uagr1pIR3x80ao1AIG1zzkfofOEOoqBW6KscdXMr28ucUI3tgR/WFr32dx3yAc8 AOsiN63cackgYonIzKSe+3OBooDV2/J4rNWwhhJIH02l8hZuUq8usGGmrUKY03V7 aJYgsfl65oK1Qj7MfSgkSU3zO+ZnBSG7XCPUyWcSZT/crdNw+l2tE6xIlXacOdDg ShNC/UkQ8abI2fPyD7+MgwwRAfrNlRU9ZOO9gPm0eQwAVC4qGx44qR96ROwouDCe </textarea></body></html>
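The note above is the whole "extracted config" for this family: the victim ID sits in the page title, the family string in a heading, the contact address is the only .onion link, and the "authorization key" is a line-wrapped blob in a textarea. As an added example (this is not part of the sandbox report and not the sample's code), the following Python extractor pulls those fields out of the .hta with the standard-library HTML parser. The sample input is constructed from the note above with the key cut to its first two 64-character lines; treating the key as base64 and reporting only its decoded length is an assumption, since the note does not say what the blob encodes.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Constructed sample: the DECRYPT-SEJClZ-decrypt.hta note from this report, with the
# authorization key truncated to its first two wrapped lines (assumption: a real note
# carries the full blob; the remaining markup is copied from the note as extracted).
SAMPLE_HTA = (
    '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">'
    "<title>SEJClZ Decrypt</title></head><body><h1>SEJClZ Decrypt</h1>"
    "<h3>All your data has been encrypted with Exorcist 2.0 Ransomware.</h3>"
    "<h3>To do this, install Tor Browser (here: "
    "<a href='https://www.torproject.org/download/'>https://www.torproject.org/download/</a>)"
    " and follow instructions on this web site: "
    "<a href='http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/'>"
    "http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/</a></h3>"
    "<hr><h2>Your authorization key:</h2><textarea readonly>"
    "Ob/5QaalAbbFYQYmEI5JzkNq0qmhX+E3KCLeF/Nz5ETf3evhBFxNQVdPvFCaV/bV "
    "ymjcd+65++IMGcgYK0Gv5jwAPCtts5Snggu2EvNJSj78eHu0m/CS3F7oB6vas+1q "
    "</textarea></body></html>"
)


class _NoteParser(HTMLParser):
    """Collects <title>, heading text, <a href> targets and <textarea> content."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.headings = []
        self.links = []
        self.textarea = []
        self._in = None   # tag whose text is currently being buffered
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)
        elif tag in ("title", "textarea", "h1", "h2", "h3"):
            self._in, self._buf = tag, []

    def handle_endtag(self, tag):
        if tag != self._in:
            return
        text = "".join(self._buf)
        if tag == "title":
            self.title = text.strip()
        elif tag == "textarea":
            self.textarea.append(text)
        else:
            self.headings.append(text.strip())
        self._in = None

    def handle_data(self, data):
        if self._in:
            self._buf.append(data)


def extract_note_config(hta_text):
    """Return victim id, family, .onion URLs and key material from an Exorcist-style note."""
    p = _NoteParser()
    p.feed(hta_text)
    p.close()
    # "<id> Decrypt" is the title/heading pattern seen in this sample.
    m = re.match(r"^(\S+)\s+Decrypt$", p.title)
    fam = re.search(r"encrypted with (.+?) Ransomware", " ".join(p.headings), re.I)
    # Only the Tor contact address is an IoC; the torproject.org link is noise.
    onion_urls = [u for u in p.links if re.search(r"\.onion(?:/|$)", u, re.I)]
    # Drop the line wrapping before decoding. Base64 is an assumption, so a decode
    # failure is reported (key_bytes=None) rather than raised.
    key_b64 = "".join("".join(p.textarea).split())
    try:
        key_bytes = len(base64.b64decode(key_b64, validate=True))
    except (binascii.Error, ValueError):
        key_bytes = None
    return {
        "victim_id": m.group(1) if m else None,
        "family": fam.group(1) if fam else None,
        "onion_urls": onion_urls,
        "key_b64": key_b64,
        "key_bytes": key_bytes,
    }


if __name__ == "__main__":
    for k, v in extract_note_config(SAMPLE_HTA).items():
        print(f"{k}: {v[:32] + '...' if k == 'key_b64' else v}")
```

Run against the full note, the victim ID and .onion URL are the two values worth pivoting on across submissions; the key blob is per-victim and should be stored, not matched.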

Signatures

  • Exorcist Ransomware

    Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (193) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed.

  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 64 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C vssadmin Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2040
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C bcdedit /set {default} recoveryenabled No
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2696
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2564
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2744
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2828
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C wmic SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic SHADOWCOPY /nointeractive
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1968
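The tree above is a compact catalogue of the recovery-inhibition commands (ATT&CK T1490) this family runs, and two details of it matter for detection. First, the `wmic` invocation as logged is `wmic SHADOWCOPY /nointeractive` with no `delete` verb, so a rule that insists on `shadowcopy delete` misses it. Second, every `cmd.exe` here is the SysWOW64 copy (the dropper is 32-bit), and only `vssadmin.exe` and `WMIC.exe` appear as child processes; `bcdedit.exe` and `wbadmin.exe` are not shipped in SysWOW64, so those four commands most likely never resolved. Detection therefore has to key on the `cmd /C ...` command line of the intermediate shell, not on the child image. As an added example (not part of the sandbox report), the Python below runs a small rule set over constructed process-creation events modelled on the tree, groups hits by the root process of the tree, and alerts when one root has driven several distinct inhibition techniques. The PIDs and command lines are copied from the tree; the dropper's parent PID 900, the benign `vssadmin list shadows` event, and the two extra rules for `wbadmin delete catalog` and `vssadmin resize shadowstorage` (common variants not seen in this run) are assumptions.

```python
import re
from collections import defaultdict

CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\9e5c89c84cdbf460fc6857c4e32dafdf_JaffaCakes118.exe"

# Constructed process-creation events (Sysmon Event ID 1 style fields) modelled on the
# process tree in this report. PIDs/command lines come from the tree; the parent PID 900
# and the benign "vssadmin list shadows" event at the end are assumptions.
EVENTS = [
    {"pid": 1732, "ppid": 900, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"pid": 2540, "ppid": 1732, "image": CMD, "cmd": "cmd /C vssadmin Delete Shadows /All /Quiet"},
    {"pid": 2040, "ppid": 2540, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmd": "vssadmin Delete Shadows /All /Quiet"},
    {"pid": 2696, "ppid": 1732, "image": CMD, "cmd": "cmd /C bcdedit /set {default} recoveryenabled No"},
    {"pid": 2564, "ppid": 1732, "image": CMD,
     "cmd": "cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 2744, "ppid": 1732, "image": CMD, "cmd": "cmd /C wbadmin DELETE SYSTEMSTATEBACKUP"},
    {"pid": 2828, "ppid": 1732, "image": CMD, "cmd": "cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"},
    {"pid": 2912, "ppid": 1732, "image": CMD, "cmd": "cmd /C wmic SHADOWCOPY /nointeractive"},
    {"pid": 2756, "ppid": 2912, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmd": "wmic SHADOWCOPY /nointeractive"},
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin list shadows"},
]

# Command-line rules. Each matches the tool name followed anywhere by its dangerous verb,
# so the same rule fires on "cmd /C vssadmin ..." and on the spawned vssadmin.exe itself.
RULES = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in [
    ("vssadmin_delete_shadows", r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("vssadmin_resize_shadowstorage", r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    # No "delete" required: this sample ran "wmic SHADOWCOPY /nointeractive".
    ("wmic_shadowcopy", r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b"),
    ("bcdedit_recovery_disabled", r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b"),
    ("bcdedit_ignore_boot_failures", r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b"),
    ("wbadmin_delete_backups", r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:systemstatebackup|catalog)\b"),
]]


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def root_pid(pid, by_pid):
    """Walk the parent chain to the oldest ancestor present in the event set."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def find_recovery_inhibition(events, min_distinct_rules=2):
    """Alert per root process that drove >= min_distinct_rules distinct inhibition techniques.

    Counting distinct rules (not raw hits) keeps a cmd.exe and the child it spawns
    for the same command from being counted twice.
    """
    by_pid = {e["pid"]: e for e in events}
    per_root = defaultdict(lambda: {"rules": set(), "pids": []})
    for e in events:
        hits = match_rules(e["cmd"])
        if not hits:
            continue
        info = per_root[root_pid(e["pid"], by_pid)]
        info["rules"].update(hits)
        info["pids"].append(e["pid"])
    return {
        root: {"image": by_pid[root]["image"], "rules": sorted(i["rules"]), "pids": i["pids"]}
        for root, i in per_root.items()
        if len(i["rules"]) >= min_distinct_rules
    }


if __name__ == "__main__":
    for root, a in find_recovery_inhibition(EVENTS).items():
        print(f"ALERT root pid {root} ({a['image']}): {len(a['rules'])} techniques via pids {a['pids']}")
        for r in a["rules"]:
            print("   ", r)
```

A single `vssadmin delete shadows` is routine on backup servers, which is why the alert is on the combination under one root rather than on any one command; a threshold of two distinct techniques from the same tree is already rare outside ransomware.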

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\DECRYPT-SEJClZ-decrypt.hta

    Filesize

    6KB

    MD5

    c808f71665399239e348cabc85c0e8d9

    SHA1

    9917eafda63c416f00f95bc681f39de00db25256

    SHA256

    bbcd37e8e059f37642182c415bda686e3c709298735fe9185643132809a28835

    SHA512

    3f8f3d448f1297020edea0507d3ac186c30f618a002299fabf53c486a9d3b68a06029933c19c120a50aa4b1cb7ff627c89a93f611bb2341f53a840354dc57485

  • F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

    Filesize

    129B

    MD5

    a526b9e7c716b3489d8cc062fbce4005

    SHA1

    2df502a944ff721241be20a9e449d2acd07e0312

    SHA256

    e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

    SHA512

    d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88