Overview

overview

10

Static

static

3

c8be3a7e91...18.exe

windows7-x64

10

c8be3a7e91...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29-08-2024 11:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8be3a7e91cfa426531935853823e4ba_JaffaCakes118.exe

  • Size

    590KB

  • MD5

    c8be3a7e91cfa426531935853823e4ba

  • SHA1

    137c5469f469d721a4fbba9ba87d6e2e9f0005e6

  • SHA256

    e454cd6f7220ae25083c5e183e04fde1c26b1b6d9119e2aca4fc8b0125cd0be7

  • SHA512

    18de5016689e72c6d99720d1cc1f4a831ed07f8447a7fdd4e0dc9d0aacce5882c02dd417588a715dca86a8becd2e9024ec0f9336eaa0b5b6eadf09d75f952db2

  • SSDEEP

    12288:VmXxN5Hef7wWHX+IuNEFVqhJuWYI17c8Z7zo1N9:uN5+f7t3cEFVq5Y0wu7zo

Score
10/10
locky_lukitusdefense_evasiondiscoveryransomware

Malware Config

Signatures

  • Locky (Lukitus variant)

    Variant of the Locky ransomware seen in the wild since late 2017.

    ransomwarelocky_lukitus
  • Deletes itself 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8be3a7e91cfa426531935853823e4ba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c8be3a7e91cfa426531935853823e4ba_JaffaCakes118.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\c8be3a7e91cfa426531935853823e4ba_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2552
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    a5c8369ef03cb78fb7710bc767898646

    SHA1

    a493f91f17b37a0385c3a476dc3312f261e9fa8e

    SHA256

    4542b715b7fe702d66b50ef0e109fedc54066a99350ad08b7afc46586a1b2655

    SHA512

    f686afbc95f1ea693a565d53ba2606aa39d352a8a351d9e549f7d9554da29c51eb3c04dab5d5d9ee66f56762aba8bb366279eb159a7ae404f698c79099671fa9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5cd67a278eede2a24daaaa0d3392cd3d

    SHA1

    57f4bfaec4d549a29808c69630ae304b796a4b70

    SHA256

    25813786b6ebe6a0611d523b5d577d7eb40f3ff6d74acbc695c964b7724c9e5d

    SHA512

    46a37ff43789bb40ce77b14def027ea802e8b27387c2d56996099861b343c179330704881a1c3b91b92cfc5424ce6fad6c44ac2c6cc82ab5455acd2587f1f647

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5087a126b4cdac23bd4eb57bcc5cbbeb

    SHA1

    5855d538d3a73eb3b14701c6f84c20d9ec0f1600

    SHA256

    2ffa7c1b2da1b27f1b94fc23e8626ccb004e7f712ce468153024a38547f478c1

    SHA512

    460330f1464bcd66988289ea2c54c291a8adc839e05ef18f1672aeed453b7dff19c7f36e1f813a1f3fb04aac0f30eb9a5982bf0ed0198bb126bb4f7788e201ad

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d335382cec6fe075540c5ddd6e1ad61b

    SHA1

    949c5df7efc6f79e47c68f2d07a64cb456c24730

    SHA256

    3820fe5412039d7a5d08c7180db7a9835ecf335138b80f15675913c74de794f3

    SHA512

    23cd1b9eb36b8e3ada4ab751d0923761bf20c01d7205b3587d7134138809c4eab3ca14494c069f7e30e571580060abcc7674941ff7298f89eaf0cb24231ba2a8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    782654fade590f794c5dd35a8d2b4175

    SHA1

    239f19d0d4c61149b6dddd9897a1c682840d2ae6

    SHA256

    392ffd5ce5da40c7c67dfb9e668a39e756f04404fda9c89e7232fd9b9c94d202

    SHA512

    1c4c5af28a31c0237b2a4eb9c79b43ba4506667070a00ec811863fec7025b49fe3122392041289c59760242407d2544d0d6d56795aec6eee9d90d29cbe54ca4b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    10728d21039b5f8cbcef3bf0350df03e

    SHA1

    f719a9144d19a0ec64e8f315af6162e35ef24753

    SHA256

    1e227d7057a2334a364543eef7c87aefff24b2025fb0a1564c8f0599abedde47

    SHA512

    8880908003a0a26322b6f28d5db193a5e11a3e0777f3beb4dc350bb4d80b4a382a50256dc75e86d2261ca327c267040be6c76601a209eabf8ca0c7382d0ad772

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    bcb6874d41d91dabc1d992171cd28381

    SHA1

    7334761c8cb23eec006debe695ca2140a1725b93

    SHA256

    eeb51e761660db6995d81230f474df68baafd150d48ab675ee27e6f564a007d0

    SHA512

    89cd62aa8baa66c1ec8a678ce758ad7fdf1e2d4b9c397f0e4713e1063b4b645090c1ce8e0e9cdd0d5628b7830fa935b2c47dd0cd3ec8451500911c66ff967e25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab3537.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar35A7.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\Desktop\lukitus.bmp
    Filesize

    3.1MB

    MD5

    a26b6d3827e36e4755916445d8c3e09f

    SHA1

    2f81a6e0f6621c0669697f315e9abc0e98344543

    SHA256

    c61d719e92368e96bb54145f30c84576223d3d2aaa35428b79fb9ac8e1646acd

    SHA512

    04969536fd7b69657315cac7550d58dba0613045f64215395bf456575ca0f2b55c95de159e16e818f6c39e91b461de197204d9337894eecfb62e33f525c686e9

    Download Submit

  • C:\Users\Admin\Desktop\lukitus.htm
    Filesize

    8KB

    MD5

    5e04d61545cb66645aeb6b94ea064bb2

    SHA1

    a9a972c2333b432371c57ced25d3c671f51c3b27

    SHA256

    3c30385c6daba02ea64bcd65bdc93d73a5c3e522f30991dd8c084965b4331c5d

    SHA512

    8b2bedda4c85fce60be129342b30b0b58ee6966bbe596bc276f78d6f3cfc4463da114e4ae0a4029e4d417cf146fa43c3ef11af6dc3fb1b426481beda954e9484

    Download Submit

  • memory/2212-6-0x00000000025B0000-0x00000000025B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2212-7-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2212-1-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2212-297-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2212-293-0x0000000003780000-0x0000000003782000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2212-159-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2212-8-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2212-2-0x00000000025B0000-0x00000000025B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2212-3-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2212-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2212-5-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2212-4-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2416-485-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-294-0x0000000000160000-0x0000000000162000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2416-295-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download