Analysis
-
max time kernel
130s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
26/08/2024, 08:09 UTC
General
-
Target
c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe
-
Size
615KB
-
MD5
c29986f0da4fb7c86b44bf91cd84497e
-
SHA1
bdc4ea27f151b20d708ca64b8fe2a112e0432e96
-
SHA256
8b0fde020709800cfb4a848a9e49cf3d594198d0e8ebbb6819a3f7a6b3f2bb8b
-
SHA512
98aff6943d31339c134d94fce027364a41ec95996e654ac2904ccd71531ab5f6a8968a0063f4bf15d7338911dfe08d82855a161c40d4ebc34b1dd94a236f2cab
-
SSDEEP
12288:zBRpTPN4RNTaeJPDOogtBOQiim9TXNau4nRP9EfIYhRG:zVTF9oPqrBCyRafIQR
Malware Config
Signatures
-
Locky (Lukitus variant)
Variant of the Locky ransomware seen in the wild since late 2017.
-
Deletes itself 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe"1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
Network
-
POSThttp://46.183.165.45/imageload.cgiRemote address:46.183.165.45:80RequestPOST /imageload.cgi HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://46.183.165.45/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 46.183.165.45
Content-Length: 668
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: nginx/1.19.9
Date: Mon, 26 Aug 2024 08:09:32 GMT
Content-Type: text/html
Content-Length: 48535
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
-
POSThttp://46.183.165.45/imageload.cgiRemote address:46.183.165.45:80RequestPOST /imageload.cgi HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://46.183.165.45/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 46.183.165.45
Content-Length: 668
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: nginx/1.19.9
Date: Mon, 26 Aug 2024 08:10:04 GMT
Content-Type: text/html
Content-Length: 48535
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
-
POSThttp://46.183.165.45/imageload.cgiRemote address:46.183.165.45:80RequestPOST /imageload.cgi HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://46.183.165.45/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: 46.183.165.45
Content-Length: 668
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Server: nginx/1.19.9
Date: Mon, 26 Aug 2024 08:10:26 GMT
Content-Type: text/html
Content-Length: 48535
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
-
46.183.165.45:80http://46.183.165.45/imageload.cgihttp
HTTP Request
POST http://46.183.165.45/imageload.cgiHTTP Response
404 -
193.0.178.140:80 -
146.120.110.46:80
-
46.183.165.45:80http://46.183.165.45/imageload.cgihttp
HTTP Request
POST http://46.183.165.45/imageload.cgiHTTP Response
404 -
193.0.178.140:80
-
146.120.110.46:80
-
46.183.165.45:80http://46.183.165.45/imageload.cgihttp
HTTP Request
POST http://46.183.165.45/imageload.cgiHTTP Response
404 -
204.79.197.200:443ieonline.microsoft.comtls -
204.79.197.200:443ieonline.microsoft.comtls
-
204.79.197.200:443ieonline.microsoft.comtls
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD506741eb1e189c0b3ecb78690601777af
SHA1b246acb0ccad79e0f0cd03ca3c0c0aa5f19328f5
SHA2569ae0aee94bf02c30f5e0cd619090d341b03ce035f68dcad6cd3eb4ef8027bcdf
SHA5120b423fb3d1c037a4e2c9811bbcdc75207b439813a144840e1a875b73abf56e9f5057727f76244c43f54895b1b36a5e631493b7219131e2c2061efb19fd414298
-
Filesize
342B
MD517a4ae13e910b823eaf8d13e4f96b3b7
SHA1411a47694fdfedd422a375b870864c70e293ef94
SHA25629e0a8ee6faaf702704208814a9da74918b79454bc0e9686eb28e1a973d02e17
SHA5121e3b8bd93c38ac4ba6b528ac45197c7807864c6e688b7abbbcc954190b6c1a86183e8f37b7e885686cbd62e46bf48deb8b38d308d1af9873f2b41f9dc4af30d8
-
Filesize
342B
MD5ecaaafe206912078ca64ad7ae2d312df
SHA13d95672c40b98ab804bebc6126bcf9ad7475055b
SHA256d7e45ebace2eb011c7cda34fa66a1d9727aebcb4d7499679ff4eee7d450a8ded
SHA512c39b91fe4aaee12f1e1eab4e7836860cf4ade36806c241cf33c42720bd86f595ed90175938d1ead63026e2aedeec0fb98b25962da7cd1cc8ae640dc22f5d91d5
-
Filesize
342B
MD5b65d6832f6cd41498b64916c4415a1ed
SHA104e61582468fc5757e41ca26ba77d9b7c929f04e
SHA256dcb3e9a06ea9cc7c063a895e5a2be6ce75c387228e95aac7a82ec3985e70fcec
SHA51204c0d81d600e7cfaf826315a65f2c99f2106fc9d1c32bd7b73a8d7e96758af20e6e49a3b2f61cd47af34666e2878fff9d4d9febc4a92ea95fe74557fc7e827fa
-
Filesize
342B
MD500acfa638e293670c6d3ffadd4e36b3f
SHA19cb96e9f4ae232e5fdcfbd960741377355d9b6fd
SHA256bf97ddf14b89b67b827ae7c24fd611537ddef537b2cf8690c6cf6ba389971bcf
SHA5124e6741a6fb14242e52875dbb216ea32d14782c2d0a8924d13d1ae7de32394b7ff3ff5cb09dbc94bc99ac14f47db2c6775c55c3105821ec11bf13a34f96b40e2b
-
Filesize
342B
MD53a62c95c10809096c3475a6c56c9bd28
SHA1e458de4d0ea0f2b59d6dd070585a67bd22d53ac3
SHA256a214f0872e33cd10b2b116204c66a8c4614e5bba2ba64f44cc60cfbfb08f5912
SHA512d5a8b2f567b69924e6a919f602e30cf8288a7a6e4ffaaa3f8a941dcae456fb3a70f446aee7c59620ddaeb45c6aafabaa3d3e698940460a9ceb621e6746745d12
-
Filesize
342B
MD58e954a8f3a865016064f38bd7c28a13d
SHA14b5efb739043dda8680431fe050dcaf0726b732a
SHA2563db06b10f2f5304fb3ffb8b28ff07fbc7211e43d954a3931f3c18cbce66bd12d
SHA512f95f33c911cd204f309a604a6368bb4e7829dfef8e744ae63ba6c2e0f0be80d1ab04b4257b2ebafb0bfb0b7daad78e41f5016597741f3b72fbfcc9f2d6142751
-
Filesize
342B
MD59b4799b12b263325a84cd9a768fba8b4
SHA1a178c470a478f5aa77061ed6051e4397c8b8a8b0
SHA256fb264c6e8504b4062eee19b5d8ebd4d28f07137fdf3f3711a60ccf5f7ed0ff6f
SHA5129633ff8850ed9a2e418270f9ccc8212e9544cbe4df8ada13c017004b6002d2f85102a6079fa3625eaf671204ab9bf41aa6edd6869969866cd265cfa1c3081b7d
-
Filesize
342B
MD5c7c6628c1eae41e18ec65ba6a97f16bb
SHA1672b4ccc32f3b70a7c806a13ecd817821ad2aad2
SHA2561f64dcde7d6063bbeccdba4fbbb44f600c1d35fd8ba34b7124f08609a5f749a4
SHA51293ead1474de40acf72ea135aa8bfe758d5524ed83ff42ff87d8fbb2b4cb744987fcb754307319afcff3f220d40f00ec00851b188f7b1c7e51eca564292abfc81
-
Filesize
342B
MD5cbb2bf6d5c409aeafc2e91bdf07d1ae9
SHA112291458cf1ef2d20b6c09a4200f19c7d42d2214
SHA256ffdda12aa8d364864931e8591f1df3d05fd732fc681b8c867517b5b608b864f5
SHA51273a279f70ac6826fce2c03ba191c9591a06a4c5de8e46c835862053e7d6bbc4072151200156e8be0fefb4768c817a2eb7b12e4ae420c4f2cb8572cccdf520568
-
Filesize
342B
MD5c75501971a52112f041fdfb2f6335691
SHA13b17c192f7e91cbb970e7905bb2a6cd4b08cd5c0
SHA256dc2fcdd3599b4c9ddfa149d8806cdc907ddab28e650fb05a068ecb4c08375b8c
SHA5123be6deafe6d8242a3d8604bb109be552c7fb1c3c60829f3db0efb3ec4699d26acf598152445d077197e712b2f0bd8496e22a06a7ba937178983f09edc750b726
-
Filesize
342B
MD586ceeb14697e6b71f895365e31cda3c0
SHA1d68daa387d771ff47967b37b3844696c6a79efcf
SHA256019d68b7bf47854f8826c2ee805a49023d0ddbd9b96b885200b5ee46f7d70e4a
SHA512f72547b335ea5b42c2eb7c82cf6cc268e0dcfb05ab6d7f2f2bb761682c3eb9b648580743d1a4b30f43bd0dd238ad056100ab8529069919e3a9d38cb9cd7fd233
-
Filesize
342B
MD5afb4201637460f1701d40558df738a13
SHA13ad795cce51028f4760114188401ac7907c6a01f
SHA256a1b26de8d4384abf229a7dfc167a1d60ffb17a141ef11740f50cd910480f6e2b
SHA5125e0cbae29a1bc7e91931b2733d3096419df53150b5d60a64781537f627b03c109d64aa84c2d54ca977055109235f73bcaa8ec58f4167d2e818f1141a24a74db2
-
Filesize
342B
MD563412579f8e23c40ba57c0302cf05b78
SHA1897f34bc5acff6f9499806a7dcb06db7839fe188
SHA256305c1204def643decc3613052ee6c60212f90a418a74cfc91585eab103731d3b
SHA512c32f5e3c863b42463e08864999106e68c2c37e7dd118ac0c19fc395689b0c2f89a615777dc634735d4676da1ce3269c775cd91ab30af02f6e17be64bc6abd722
-
Filesize
342B
MD5ced26fa61f6afe6b1879f03a9d24bc77
SHA18a368668b793026a23cd7d5ea5072e1c763d53d4
SHA2567a404459719df75b5d1509b38e0beef82000ab688efc836ec52b558f9fb35bd0
SHA512d394927190861261a0772abd5105a5761755033223d98928e739091d6219171ccb86b65c28f97e5e3156464b6cbce3c590346865fba6a944e493e0e7bf9c2a74
-
Filesize
342B
MD5c14944756be5524271a5d70a9b01f522
SHA1b53798e3b7597d60bf21338c5cf6219b3722b6f4
SHA256ba8483c23e452d414911ec3722c8022ddad49832aa5dc903d389791652082c6b
SHA5124640cdd802125b36ac56541cd4a9bf3e1c08afdfe75809c4456bcccb3c59d09bdd38e9e33fbf65c2f2f43ad0f62bdf6451e38d116391db6c9d1fa0a9a81f318e
-
Filesize
342B
MD5a8e1d7c5ae0dc8b1941423a66ddbfa6f
SHA1ea26a454689dc17c96138522f58271b8c0251c46
SHA256c05fefa816d3a45e4e82233b557bfb0c567374315d626b938446df380e1eeba1
SHA512414b6d49228d88f22bdb54bdeedb475c961539751400af3217b9390f098365a57eec0e1afb032a133f968be469b1565e38019feedf4a7611d5b6170423503b8e
-
Filesize
342B
MD53c64d54e33ff0a499bbe7ac1b1e6945e
SHA12cfa8b85c55ae95ce228ae0fbea52bfb30564745
SHA256913a0a4a0ddba4ac095be2bb7d661c43150cac6c21de420d58d7e2607c09f862
SHA512f6bcdfb2624343b27a5e34dc25c4cac981f2d64f8e596f8cf860593dd0f245a5d56ea25ff3434ea125e86757ca7214d2c08b50727e7720bd10a5d22db5469398
-
Filesize
342B
MD5767a2099457c0148b42a3c0c0d49bc4f
SHA16c0c11b6ce2c78997d94146dfca92ecdd7f1237e
SHA256cd4dbd3c2b375ed7ee5fdbd51db204fe7af8a09c889f33bb32f499622b5f5697
SHA51275e9799bbee0b11f0e4a33e1b42e8d8cb018a7ef933819a02a24201588dff262f0c02934c3ae306be87eb16d672ec5ea8e32cfb0121d21ad174a573593e462c1
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
3.4MB
MD5cba70867d979e0a69eba1e2a9aa5ee47
SHA1e142b5a1dfd2b942189693139cba3d5b03852818
SHA256508be77b991171c17feea53f473e788f0126b2aee7086f8acfb3504118841709
SHA5123f563a310c1346345361e93d2dd63742c44362d751c2eef49c816992268b8d66a3a6cd94bc9dfe50c6702774b10007fc9e13cf8dfaabefc5a56f220d947a4a12
-
Filesize
8KB
MD5c5a762fd6a71206c17eced1c9afe6c63
SHA1b2e84049d4ae5c5963b71b49c6ab3c163461ee80
SHA2568e2b0413eeabac46c4e80f4ad66db8bb609e26e3da63f47456b76c876eb8ed3f
SHA512db1a0a25e18b86f95a9915439e042a2711f10651111683d19d979e6f55e52e89ac36cb1e7ed3379ca1430aa3128f1f6627700723823fb43827b9b1b18a18412d
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
540KB
-
Filesize
4KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
4KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
8KB
-
Filesize
540KB
-
Filesize
4KB
