Overview

overview

10

Static

static

1

c537ad6b87...18.exe

windows7-x64

10

c537ad6b87...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    27-08-2024 15:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c537ad6b878730ba88834bdb361e3bd7_JaffaCakes118.exe

  • Size

    595KB

  • MD5

    c537ad6b878730ba88834bdb361e3bd7

  • SHA1

    f6568b081dd562bcee939c9f691184b37ac10046

  • SHA256

    4b6ffe7c8bb710c3b3e7eef0a79dae32ec9c3a4a3684d252caff3f8a33bd8856

  • SHA512

    1e3b631f5178084ed49c5d22513c67aa6f8291aeb7a513f5aaeca44c83bd0bd0efb02c0d67b21e8829fe277c1befed01ae5e4bb5dca4befd2a28069e20451f05

  • SSDEEP

    12288:/mDxN5Hef7wWHX+IuNEFVqhJuWYI17c8Z7zo1N92:YN5+f7t3cEFVq5Y0wu7zoI

Score
10/10
locky_lukitusdefense_evasiondiscoveryexecutionimpactpersistenceransomware

Malware Config

Signatures

  • Locky (Lukitus variant)

    Variant of the Locky ransomware seen in the wild since late 2017.

    ransomwarelocky_lukitus
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\c537ad6b878730ba88834bdb361e3bd7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c537ad6b878730ba88834bdb361e3bd7_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1736 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2852
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\c537ad6b878730ba88834bdb361e3bd7_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2904
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1992
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D99E55BC-CC19-4A43-B3CE-17689E55823F} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:2668
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b0860acf1fc643918f39598da8414d0b

    SHA1

    29329a8665f90653f9537c989397d68c421193c2

    SHA256

    d72e7e2bd88862de5e3004f5a571f251fc15a26dd0ba209874e90b17a3798eea

    SHA512

    bd6647bb3acef5724aceef406ef04da24fb4b8b014667f6d5ceccd298f0e0184a66e6479621945dcf86530f6f3395e339acc4855b152ac6b5180f3b459f795a8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2036f3079af28fa0f19ee74394c6adc8

    SHA1

    219d80f14453ee0d7d64a04b4a7d4231f7e06e17

    SHA256

    6eb1c73b3d5d858ed9d28629e28c248f7b34662bee9811e4019f67ca6c65937d

    SHA512

    08f38ec5a4ddef742cbc684d86aca19546eb68412969b7d887c3be8cc3a3be06e48133c3d0ac4811963888484b494847df4138cfe5ba3e9fd38ddeea82a1f34e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    980155b99016ca74a6e26cd1089c9c4a

    SHA1

    ae0570eec9db7df88041a3b84bd6b397ab9e22e5

    SHA256

    d45ca621d186dbf48ff47b1b0a923a9beedc5182f07027d43888e19e381a48fd

    SHA512

    806ca0fb8d8476c57b117c56b23663cd25e19efccac75596f19cafd85c5f630b03110110f27c8d7cfe9673033807af28b30ad10054cf701118f46f0566367bec

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    13cea9ef7aee4adffff95977e45e3340

    SHA1

    0469b68dd22318b88adf0bca43109519a21558cd

    SHA256

    4c827efb5c9785c03e85ad60ebd603d400167fe7c235ce7f55a75de3f02344fb

    SHA512

    f3bf473b29656b9e1475e24e392f3ce8143341089e296eac4e47b8f2be295094528eaadff668efdda6cb567873ca8606afde0af5196a470f7b36b00d2125a941

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c378bfa11068e004578ee183ad11e644

    SHA1

    af6915491fdccb298159210f7b44e1c618140056

    SHA256

    b5a7608aa04ca1414e58e6622ecf52f2ca3261089642f29d151b11f0afbbe4c7

    SHA512

    1347da37dbbe832459a795237ae091ea7e209d2011d4c33e01d3f16f80cdefa2c3126ab107ebf1f7788470953e989bdb3c0cd18ccca9eb6803412ff9c01ebe7b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9441e2e6d7f3302345a9174d963c95ec

    SHA1

    730f8d49dfae7ee33c96efa5087adca5bb5fc68f

    SHA256

    ca0350cf473bc47ae8677f3fe147e16e6c73258cf620af7fce56470a611f6f06

    SHA512

    63f2e4649996fee110624df82bf507746eec23e9d5d896cb55f00ea2c730800a83bc6bebd4e9d597923e6e28930f48ac6ac4d08adc99e439925b5abf78b98959

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    870de712c943afe09007275eef3c32e0

    SHA1

    cdac4952485628657a475d34fffcd68a0fdf4292

    SHA256

    f132a0a42b48b04f0607db79f67b2c1c87f88c0e8b61e80880cc33066e00f0c3

    SHA512

    812b7bc84d0666bda0a78c6aec95b9b1a3c9131e17d0901cbbd72e423d01833835bbafc3c40699d559bd08f7cf68a95c77f9877294308d59cf9adbff69758a88

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    407f8a9a6a62eac2d2d1d384e85e38d3

    SHA1

    b4137f08c03f2abe9e7568139b721e2bd1a0a62c

    SHA256

    acd6527194ddf9226bb5b2060fbac359c3e82659d55b82a28181fb950199be51

    SHA512

    fd050fd6f8bb01de93bbabd21049e024ab198d2199871fe5905cc8b9568903ae1dd6fec3523c3bc111ff640d78ecf5de8f3c40b2f93d2ae598688e2769bde46b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    dde6a2c0b65ced9a3b51f0ba6f0cccd0

    SHA1

    afecf61a0c92be1f34b0280539df9c8edc80d1db

    SHA256

    d058a34da28e777c69c30fba9d6954aa405149908b212e279db4465bea3d5c6a

    SHA512

    eeebb8012f1bb8242272e7bd3ad7e9dfe7a565dfa150954cf255bada73142804b5ea3bea2c6d335f8a4f69852684322781bdd229af9969105ff52cb39a8a4f6d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    619aa4800f70abd5692e0bc4be21e549

    SHA1

    6e89313f40dfe28a13282e5c1e83b6629f0ccae0

    SHA256

    63e816ee92c69ee6b365f52a97c653984f054c5d2f703b7c42ccaa61200c6ca4

    SHA512

    2f56aa9ecf0bb81a5b63c689078cce52791db56c2294af9b34598e434f84d224673efa5c55f3763b91e19916116d8ae34345031cdcefcf1f1f9d0f2b8fcbc371

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8892e7780d970c225a296bdc965bceaf

    SHA1

    52157859f81c7585c9610f0c215379d9c8c22b2e

    SHA256

    b147d241a28e51f2e476ae00fca095647fed14245dfb1bda693255db95572685

    SHA512

    80fa0975945cdcc4840e0466d79e40cbdfa352479748b83a8fd21eb4b03d45a17344c313105c24892c2cf31f9c656e4ff4e6e6bd4a599645b065acb25d7ef6f8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d1e0adffc76df178c15dbbb4e0458c0c

    SHA1

    fc8e65c03c8124615f2c70e55f60626ab8f9798b

    SHA256

    28605e8523245db6a7d327fe8d5571e5886426d71ae530c0086ee00f3b471796

    SHA512

    44a4a2ead3340f7933c340b9c0f698afef14e53dad8f4f474252a27eb1fd85ce83a06186d3458c0b0072d7ec53dc04811ffc9bdab03995f28d76a0d49e52f5a1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    dbc21dabff5cd9471f7a9277af873988

    SHA1

    4a9f1e97ca1fbe72d05051db879fc80e828d21e1

    SHA256

    85c0a94fe78a105b50ca612b2a26f26b3d90d47ab3304455dc4af4eb2ca335e3

    SHA512

    a7a84e5391ba5a21b9a4eff71a6bbeef1a5fa0aef89af19e977459964c4b347daf380209c94d985ea6f3a1f4368ef58a0d51f85fbd82fa4e44d3a64708e80bef

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2a81afdd047c6481c510aea05ec95fa3

    SHA1

    4d5922e8b86b216d7733af0a5251526498e34972

    SHA256

    05db1b83f7d4619bc327aac6c8ec25c68406328c9e99023da3aa4755d9c5043c

    SHA512

    d053ff0233b0226f8b041b766d0ffd75b8b9a026f34683659e4301fea0fa3314ae2fcf88a9ff8735692679b15c1a5d3125068562a6e582d89dbedaa27e94f390

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    a4e62c28d4b98c0c66b5012c28bc032a

    SHA1

    b9b35d63ca125bd7a709030e26310fad1c883dab

    SHA256

    b38f1b6895c1247be1d9ade2ae9bfaa880399906e81b03783e071c3c132af4c0

    SHA512

    33b1318f14effe086f985ae4987486617ca1b24ad02008506c4b05d419c31e0589cd9c99a8dfec4d08603275a156e8578f3aac4e9cae157190d7d0522e6eb2da

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b799b16e8f725ae0966ed81b0479d123

    SHA1

    78ebf30f778bc31fa296f34892ea231ff66683fd

    SHA256

    2677bcd3b99efdb5f7c89f85e0e1b0f6ba7c5cf470cff423de75bd997eb15f58

    SHA512

    037be2b66f10fdf7d01e8dc4d19d7dfe9919f32d0a3111b5c622bdf41623b1b93815cfddcbcc67ac49c90fc5bbf1c8ff740b176862a0f58da0a71f61ca14e7f9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    57feff31c653872f90eac6afb7f8abf7

    SHA1

    c789cd59c22e25c59abab996bec5058c02c5fa79

    SHA256

    2013188607ebfced9a863fe9ea2c68b9e0a899d15c76d7dc7f3600754810308a

    SHA512

    be5afdba35f63e28a6f2191f0ed617a35a84cb6787ef5a8ee725c5c1015410e69e54b063f82ab5bef9514aad8ee1139e6cb92ced153b50c4edaabf565e3761fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab8884.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar8933.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\Desktop\lukitus.bmp
    Filesize

    3.0MB

    MD5

    b248400369564ad9a1eaf2054ba7dd6c

    SHA1

    e92fc23a0fa7e0c957ae1ea0892174716ac8b3c2

    SHA256

    7463897d37d7d6e715e0616ca9df4a6fd37123b3f0856ebf2244f4230f60329d

    SHA512

    4a1f8c03c11f74462f7f218bf8f3c77afd1bd7a1765e05012435b4411c03ed8d7dfaf23f51087a7076731dc5ce7a6c937b4e3014ec686da30250d12a9e294086

    Download Submit

  • C:\Users\Default\lukitus-d3f9.htm
    Filesize

    7KB

    MD5

    20f6db2daa3d407c62486e84ce7c6b57

    SHA1

    75df2e47d7489666c96bfe1a4124179c01b1e289

    SHA256

    5cecdfcbe130b8b63d1c3126d494ffe9c362cc6b057143d675542b4512e3394a

    SHA512

    11f2beb888504b5e3add43f91e1d20c71c2f1248224f6b22a4d6d190d4e5db352c62f23cc8d415a76dcaf67855e1b1d2cb919d44cf1a7b514f46cae50e1eab2c

    Download Submit

  • memory/2388-266-0x0000000000160000-0x0000000000162000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2412-265-0x0000000002800000-0x0000000002802000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2412-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2412-1-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2412-2-0x0000000002740000-0x0000000002741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-3-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-4-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2412-5-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2412-268-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download