Analysis
-
max time kernel
137s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06-09-2024 19:28
General
-
Target
d04ce22792560340225e1efe380e148c_JaffaCakes118.exe
-
Size
396KB
-
MD5
d04ce22792560340225e1efe380e148c
-
SHA1
f2e32e42d39be73318734548b181f8c62a3e7c30
-
SHA256
6795ddd48ece83ed0ad29d73d0a17d581b6b0efb7768b59993da7a3e3c3c37d8
-
SHA512
09b280f4d279c98af195f56c1c62833bc116828096c23a173437d69b54eaf050d89c66b673c67a2c2ff9282fdf09913a9c83d79f87f248bdb115e4c521cc8304
-
SSDEEP
12288:zpMCsOfMaUJnei6Q8oCK/VODpGpNQwpdirufVVtCIoA:zpMCsOfMnJ36NmcGjbFvoA
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RECOVERxtdok.txt
http://h5nuwefkuh134ljngkasdbasfg.corolbugan.com/A831E1A67879F37B
http://p54dhkus4tlkfashdb6vjetgsdfg.greetingshere.at/A831E1A67879F37B
http://f4dsbjhb45wfiuqeib4fkqeg.meccaledgy.at/A831E1A67879F37B
http://k7tlx3ghr3m4n2tu.onion/A831E1A67879F37B
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d04ce22792560340225e1efe380e148c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d04ce22792560340225e1efe380e148c_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d04ce22792560340225e1efe380e148c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d04ce22792560340225e1efe380e148c_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\mbodoj.exeC:\Users\Admin\Documents\mbodoj.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\mbodoj.exeC:\Users\Admin\Documents\mbodoj.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERxtdok.txt5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERxtdok.html5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\DOCUME~1\mbodoj.exe >> NUL5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D04CE2~1.EXE >> NUL3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD55ab658a59802539e0720b99912589983
SHA1f0685b1e2a4a81fbbf37871c89b9a2812a4a9617
SHA25662af367ddf12d00df5f19de3eefd9fad59a40105433b6b32942dde41159a16ca
SHA5124788280d5c81bcd5140d25601a5bc44cf09fe27a1e1bb3b758dc938df5dc7458e718ce1b5eb464be9e1ad473caa8cbe936acd184875ec0439bd1a44e425ee661
-
Filesize
79KB
MD5e093beb04fd77542eeb60a195a6eb7c3
SHA14e88fbdbce4a9b46ab4c2c7950d469a48b8939fb
SHA256eba85363ac37feaeb6f9a643a581a2aea14bb1afa249f1bf4e1759fc4b6072ee
SHA51237ad0de5dbf9a2eca232e97678fc492dd8d615521d3bd8e70351ec6ff115b5f903a5cec02e0ca3d5f282eb1dcd36db068e741660140494377332cffc53c5961f
-
Filesize
2KB
MD588dfa6c61e7f0ec6dac0c6eb2706707a
SHA1136961d00f2fd27e611ac69b91948bcb7da996ca
SHA256d11f9b46df57e5164823710d3e26549cebb5f0491db4f7682734c1847d99215f
SHA5127837da22ab9b6c4c1c63d91a163cf961d24cb1828ad2e63e6b207a693f8487872eb4b782146eaea54b2869c55f8b309b55b6af29ffc0d1c3216ca3a344e18126
-
Filesize
342B
MD506c94232949eb2ea436dac65f1bb9040
SHA106661a57b423513dc7b86f692fa39eb26e850dbf
SHA2560834a3c2e4b4bbc6edcd98375bfd51869f8f7e83e029088a6308452763de2a39
SHA5123b993d15199d29bd1962ca1b57b4bbc60bbcf14427b135de4db34507d20b934cff39de4c87610d232dfb38d823b29525fdef77e0448c8a4f8c920e5da5a2866c
-
Filesize
342B
MD50aab980027e6ab268b14d19b925e4d26
SHA19ebc41ae0c027141f04cfacecd744d3f57692cc4
SHA256b7cfad9546029b008209bcb6f84002f3d47a6606be06efe64a7c94c60ef5f21f
SHA512f55407e2e68fcec76ba2157099ff7f6b06869cfce86628928ebb67235ba96bafe220d06fde3e6985aa5e0f7312f71d23b17fdbcc749db410f27390ed4e1af715
-
Filesize
342B
MD5c991f37adea2857db63f5dc47619ee74
SHA183c0de96558fa841ee35a7a1b522110d0a671dbc
SHA256700b65c264eff7a04a72637832d88095646f24fcb67793d6014a61c63c1ca497
SHA5124162aa9a541628ffd0c020939797ec61e3ab95321119d0d10497dcdd279182df0672a985d83cb33e3871e884b09fbf66b0647ef025e5372c4500913901fdbd79
-
Filesize
342B
MD5785353065ff5b43400954db278c290f1
SHA1b2324a816c4d1648e386063e31a7b102ec22bb9e
SHA256da7f6bdeae5c42ce9c375b3b118b53eaa83cb7fc62261f09cf86fb39e857098f
SHA512f10e7171c08deff70875afac121f974d29b43c3bf95121682f1844ce5ca87dd0fc280476f66bd1f40939ce880c3aec1ac9d58d4ff110f3f473ffe53aa54aa6a7
-
Filesize
342B
MD52c61e651d7aea332dbdc28003cfb8a9a
SHA1bc5cbe5d6541a1da7815590e7b1c8eb1c6406519
SHA256384a32711a753f8638900b7e35cee34f6221249c53fa4fd3cc3c34bfaf9600e0
SHA5127d883878e6cf4494c4fcd15ac1d3bff2b69a9a2666a4054004c12356a6f7be06ac64aa0331a597d96f19e66f3dd63ed44a590bb2854da8f9c5e8a654e15fb1d9
-
Filesize
342B
MD59cba81c3a5c138addca96616b06c3800
SHA1a67362af78a4234d0fb14d9a9c8e32288080c7ba
SHA256c14742d757bd84f6071a26ca73cce5185f91f215673040610564c6624746f398
SHA512569a051a6103e95e373bbccc1e5bb2b5c6b0cd0679620fe6fa519693e03d50cccabe1dad7f94f5b27931deda64105fc13c3d7d115f30cc8af4820f0e178ffa6e
-
Filesize
342B
MD5d954c7d6d3c521e6eb9f1914e07340c0
SHA180517fc1ed15197d09edff8cbf8562f6dd75376e
SHA2566b935c3e586d7446f44ffbf36ab328306430c4114147b2f5f4216d8a0ca64009
SHA512d3f3539c2c71ba368a1bd0071fc26468a1a40b8cef23ad7ef23d433a041d5d9f265363634d5aa04ffa29e8a6f8a04353283078859c3955803515d26d98e0ca15
-
Filesize
342B
MD51f83fbbe07fa8ed695d9d0b7e6ed52d6
SHA1500ee55d2a50d000d4898d3e99b9774210159b3f
SHA256f2137fdccf534e2042364b15dcc2565bc3d61dbe3398dfeb40ce24ec6ca92fcf
SHA512623b027b6c339c735874f29c68f56bc3988043bbe77f62384f4b25c2842e60edbe7f9087d8494aa30398724b856cb2089c56bf014af7cb2345cb05a4f979e28c
-
Filesize
342B
MD58f836c6f31e6c9f5c0a4715ab28d9609
SHA1c225b39b8fe1ca4ebc181597b77a448ad419d818
SHA256e15f1b00db30b409207d61fe97d1e56fdca0ed577b9462c30d00dd7212a2e718
SHA512475872f8ec6ab9300a6b90460a8e58a1efa8ffb110600a8cee79a564e738ee2ae36d56c944aab4e563c7ff6a0445465ab22e3b95e56035f0eca8c0633ebdd542
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
504KB
MD58707623d16125e80c8bd47e7f021063a
SHA1d780e73774687fc6bb3143a8d8ca48f650e3a82d
SHA256d1c38e614b24cfd34a6dde69c5044d3a8536ec5c405f4ed5b75b5a409ba7a4ff
SHA5122f5442cfc2d53958d59e3af3ade9a26c5e1acf8c701391798eeeba95df172177e12cb7c300d480faedc367af4cf38753fc47d008c673a16db86859cd7a17d850
-
Filesize
396KB
MD5d04ce22792560340225e1efe380e148c
SHA1f2e32e42d39be73318734548b181f8c62a3e7c30
SHA2566795ddd48ece83ed0ad29d73d0a17d581b6b0efb7768b59993da7a3e3c3c37d8
SHA51209b280f4d279c98af195f56c1c62833bc116828096c23a173437d69b54eaf050d89c66b673c67a2c2ff9282fdf09913a9c83d79f87f248bdb115e4c521cc8304
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
8KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
8KB
-
Filesize
672KB
-
Filesize
4KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
