998ff68cb64a06a233007f450b9156dfed770cc4cf6321e0e2ac2400db1be281

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
Size

184KB
MD5

d54e43c271a8d379e2c77b9902ede544
SHA1

9d46aa0d4621335fb1a8496564f64f5a7edf1b4e
SHA256

998ff68cb64a06a233007f450b9156dfed770cc4cf6321e0e2ac2400db1be281
SHA512

5e75c52914f83676a36d505834754447ac0c86dc2bfba454cb4e6de9dea1289f0ba32253bc7036dc90ef1181e9bb6fea03b81a88adced295192bc2ac04b9ddba
SSDEEP

3072:HnIBtQnE7OhssdWJ5jy392aCmCbBqOS2zxLLjD6+s3WTe0K+cnJJUwlJQ4AX40bJ:Cqvhssdu5jyYaCmCQOS2z4f3WI+cJKwo

Score

9^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Deletes itself 1 IoCs

pid	Process
852	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
692	uqalr.exe
1716	uqalr.exe

Loads dropped DLL 3 IoCs

pid	Process
1324	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1324	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
692	uqalr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{BBB56EB1-F20B-596B-5204-4A268E62F975} = "C:\\Users\\Admin\\AppData\\Roaming\\Otpyr\\uqalr.exe"	taskhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
1180	Dwm.exe
1180	Dwm.exe
1180	Dwm.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1112	taskhost.exe
1112	taskhost.exe
1112	taskhost.exe
1112	taskhost.exe
1716	uqalr.exe
1716	uqalr.exe
1716	uqalr.exe
1716	uqalr.exe
1912	DllHost.exe
1912	DllHost.exe
1912	DllHost.exe
1912	DllHost.exe
1716	uqalr.exe
768	DllHost.exe
768	DllHost.exe
768	DllHost.exe
768	DllHost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 1324	1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	29
PID 692 set thread context of 1716	692	uqalr.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2360	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
692	uqalr.exe
1716	uqalr.exe
1716	uqalr.exe
1112	taskhost.exe
1112	taskhost.exe
1112	taskhost.exe
1112	taskhost.exe
1112	taskhost.exe
1112	taskhost.exe
1112	taskhost.exe
1112	taskhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2412	vssvc.exe
Token: SeRestorePrivilege	2412	vssvc.exe
Token: SeAuditPrivilege	2412	vssvc.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1324	1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1324	1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1324	1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1324	1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1324	1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1324	1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1324	1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1324	1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1324	1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	29
PID 1092 wrote to memory of 1324	1092	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	29
PID 1324 wrote to memory of 692	1324	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	30
PID 1324 wrote to memory of 692	1324	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	30
PID 1324 wrote to memory of 692	1324	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	30
PID 1324 wrote to memory of 692	1324	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	30
PID 1324 wrote to memory of 852	1324	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	31
PID 1324 wrote to memory of 852	1324	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	31
PID 1324 wrote to memory of 852	1324	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	31
PID 1324 wrote to memory of 852	1324	d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe	31
PID 692 wrote to memory of 1716	692	uqalr.exe	33
PID 692 wrote to memory of 1716	692	uqalr.exe	33
PID 692 wrote to memory of 1716	692	uqalr.exe	33
PID 692 wrote to memory of 1716	692	uqalr.exe	33
PID 692 wrote to memory of 1716	692	uqalr.exe	33
PID 692 wrote to memory of 1716	692	uqalr.exe	33
PID 692 wrote to memory of 1716	692	uqalr.exe	33
PID 692 wrote to memory of 1716	692	uqalr.exe	33
PID 692 wrote to memory of 1716	692	uqalr.exe	33
PID 692 wrote to memory of 1716	692	uqalr.exe	33
PID 1716 wrote to memory of 1112	1716	uqalr.exe	18
PID 1716 wrote to memory of 1112	1716	uqalr.exe	18
PID 1716 wrote to memory of 1112	1716	uqalr.exe	18
PID 1716 wrote to memory of 1180	1716	uqalr.exe	19
PID 1716 wrote to memory of 1180	1716	uqalr.exe	19
PID 1716 wrote to memory of 1180	1716	uqalr.exe	19
PID 1716 wrote to memory of 1208	1716	uqalr.exe	20
PID 1716 wrote to memory of 1208	1716	uqalr.exe	20
PID 1716 wrote to memory of 1208	1716	uqalr.exe	20
PID 1716 wrote to memory of 1688	1716	uqalr.exe	24
PID 1716 wrote to memory of 1688	1716	uqalr.exe	24
PID 1716 wrote to memory of 1688	1716	uqalr.exe	24
PID 1716 wrote to memory of 1760	1716	uqalr.exe	32
PID 1716 wrote to memory of 1760	1716	uqalr.exe	32
PID 1716 wrote to memory of 1760	1716	uqalr.exe	32
PID 1208 wrote to memory of 2360	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2360	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2360	1208	Explorer.EXE	34
PID 1112 wrote to memory of 1716	1112	taskhost.exe	33
PID 1112 wrote to memory of 1716	1112	taskhost.exe	33
PID 1112 wrote to memory of 1716	1112	taskhost.exe	33
PID 1112 wrote to memory of 1912	1112	taskhost.exe	38
PID 1112 wrote to memory of 1912	1112	taskhost.exe	38
PID 1112 wrote to memory of 1912	1112	taskhost.exe	38
PID 1112 wrote to memory of 768	1112	taskhost.exe	39
PID 1112 wrote to memory of 768	1112	taskhost.exe	39
PID 1112 wrote to memory of 768	1112	taskhost.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d54e43c271a8d379e2c77b9902ede544_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Users\Admin\AppData\Roaming\Otpyr\uqalr.exe
      "C:\Users\Admin\AppData\Roaming\Otpyr\uqalr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Users\Admin\AppData\Roaming\Otpyr\uqalr.exe
        
        "C:\Users\Admin\AppData\Roaming\Otpyr\uqalr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_677ccb91.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:852
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1607042257-865452569-704505403-11345277754406820199817427-1451930822-1453136905"
1⤵
PID:1760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1912

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp_677ccb91.bat

Filesize
272B

MD5
c61c9c6a2ecff716b7d80452b3df8753

SHA1
300d291cd09a2f6259a42d0e794f60d7894eff0a

SHA256
00203825aa277fb905111457376b69e5340d3ba834e169064aeeea7257e947b8

SHA512
af9333725bab920c529ab17550c2b7726680c4c46303e76175380dfda477d803d3b5cefc7f5702fc45c62ad44417b2f5ac37eb715c756ecc6b5ffce4c506c798

Download Submit
C:\Users\Admin\AppData\Roaming\Otpyr\uqalr.exe

Filesize
67KB

MD5
11052a28d96106eebe81001de76a4812

SHA1
23fb35e9f9809ecedc1cb8d972cea4836953b5ce

SHA256
274afc32a2cb92449be848d54c0c5fbf153cc4992c9e9bdc7db1171218b429b7

SHA512
635f068ce7f14016a50fe2b7c86e727ae9a64219a0251f0560a41589a5153f56403b7af3bd798ad88b7fa3b8298560c83377dd626ad60261706b904b05fb415c

Download Submit
memory/692-15-0x00000000004E0000-0x000000000057F000-memory.dmp

Filesize
636KB

Download
memory/692-12-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/692-16-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/692-17-0x0000000000660000-0x000000000078D000-memory.dmp

Filesize
1.2MB

Download
memory/692-18-0x0000000000B10000-0x0000000000C19000-memory.dmp

Filesize
1.0MB

Download
memory/692-20-0x00000000008E0000-0x00000000008F7000-memory.dmp

Filesize
92KB

Download
memory/1112-34-0x0000000002010000-0x0000000002027000-memory.dmp

Filesize
92KB

Download
memory/1112-38-0x0000000002010000-0x0000000002027000-memory.dmp

Filesize
92KB

Download
memory/1112-40-0x0000000002010000-0x0000000002027000-memory.dmp

Filesize
92KB

Download
memory/1112-36-0x0000000002010000-0x0000000002027000-memory.dmp

Filesize
92KB

Download
memory/1180-70-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download
memory/1180-72-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download
memory/1180-68-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download
memory/1180-71-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download
memory/1180-47-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download
memory/1180-45-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download
memory/1180-43-0x0000000000340000-0x0000000000357000-memory.dmp

Filesize
92KB

Download
memory/1208-73-0x0000000002E70000-0x0000000002E87000-memory.dmp

Filesize
92KB

Download
memory/1208-52-0x0000000002E70000-0x0000000002E87000-memory.dmp

Filesize
92KB

Download
memory/1208-76-0x0000000002E70000-0x0000000002E87000-memory.dmp

Filesize
92KB

Download
memory/1208-75-0x0000000002E70000-0x0000000002E87000-memory.dmp

Filesize
92KB

Download
memory/1208-74-0x0000000002E70000-0x0000000002E87000-memory.dmp

Filesize
92KB

Download
memory/1208-50-0x0000000002E70000-0x0000000002E87000-memory.dmp

Filesize
92KB

Download
memory/1208-54-0x0000000002E70000-0x0000000002E87000-memory.dmp

Filesize
92KB

Download
memory/1324-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1324-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1324-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1324-3-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1688-57-0x0000000001DA0000-0x0000000001DB7000-memory.dmp

Filesize
92KB

Download
memory/1688-61-0x0000000001DA0000-0x0000000001DB7000-memory.dmp

Filesize
92KB

Download
memory/1688-59-0x0000000001DA0000-0x0000000001DB7000-memory.dmp

Filesize
92KB

Download
memory/1716-28-0x0000000000670000-0x000000000079D000-memory.dmp

Filesize
1.2MB

Download
memory/1716-26-0x00000000004F0000-0x000000000058F000-memory.dmp

Filesize
636KB

Download
memory/1716-33-0x0000000001FC0000-0x0000000001FD7000-memory.dmp

Filesize
92KB

Download
memory/1716-31-0x00000000021C0000-0x00000000022C9000-memory.dmp

Filesize
1.0MB

Download
memory/1716-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1716-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1716-117-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1716-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1716-27-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download
memory/1716-29-0x00000000007A0000-0x0000000000811000-memory.dmp

Filesize
452KB

Download
memory/1716-25-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/1760-66-0x0000000000170000-0x0000000000187000-memory.dmp

Filesize
92KB

Download
memory/1760-69-0x0000000000170000-0x0000000000187000-memory.dmp

Filesize
92KB

Download
memory/1760-64-0x0000000000170000-0x0000000000187000-memory.dmp

Filesize
92KB

Download