Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-09-2024 02:49

General

  • Target

    d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe

  • Size

    340KB

  • MD5

    d35c98321d2f87f089b7d5c26174a10b

  • SHA1

    2d7f432514ba316ecec7a8f372d0a75cb32f8fc0

  • SHA256

    2d8e7d0a895c13a1d012b25b069a528481cd0d3c91b74689c61299f3b5a55232

  • SHA512

    a467e624af472a2dc240dc325bef21b4dd435315dd765e9afd6f4134bd1c2482d23072e2057cc9ef60e9aad9107f6985bdacde3c92f0d68601b44ebf9990c40d

  • SSDEEP

    6144:DrHbGlBfoXKBA4pOoGf75hK7d/X/CMmm/2ikfOmvA2CxjSJgE0ToC8uUsYEF7u2K:f7GliXAOJf75YtPhxd3dRMkz8rG4

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+yldgg.txt

Family

teslacrypt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A9A41455F17F3379
2. http://tes543berda73i48fsdfsd.keratadze.at/A9A41455F17F3379
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A9A41455F17F3379
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/A9A41455F17F3379
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A9A41455F17F3379
http://tes543berda73i48fsdfsd.keratadze.at/A9A41455F17F3379
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A9A41455F17F3379
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/A9A41455F17F3379
URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/A9A41455F17F3379

http://tes543berda73i48fsdfsd.keratadze.at/A9A41455F17F3379

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/A9A41455F17F3379

http://xlowfznrg4wf7dli.ONION/A9A41455F17F3379

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (413) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\dsqyqcsbmtyg.exe
        C:\Windows\dsqyqcsbmtyg.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\dsqyqcsbmtyg.exe
          C:\Windows\dsqyqcsbmtyg.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2564
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2476
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2860
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:316
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:372
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D35C98~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1036
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+yldgg.html

    Filesize

    11KB

    MD5

    d9e939766b360d49b5e7944245330c99

    SHA1

    63a57a2c283f7ef42b4622dcae30b0ba3514202d

    SHA256

    9a815efdffc6e8cf592fbf472c864a3903edb7f7f2d02bc15781c00757548e0d

    SHA512

    cb68a392b74e2500a1be61dc204d8503b5ad7c2ba3271aff12759e812ff360c503c5352d5485fd08a33a3db0e2dd94e60ff4390654e60988b73d9460c851edae

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+yldgg.png

    Filesize

    62KB

    MD5

    1a0e50d724b2b691253087f9b264e994

    SHA1

    331b68d08c285c708e6d04ae49fa2f2ee98e17c7

    SHA256

    d2408757a61f3985f647a574c78506ed3466bfc843cd228d81b496380c13d1e1

    SHA512

    ab56786d5a5aa072bf9077002fd6bc338891548ec64fddafb14538e1f119d77a27ea16c768c4857a4b96ebc0e8770d572f2544c3136560f45eb6daf45fbfcf48

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+yldgg.txt

    Filesize

    1KB

    MD5

    7c6a7794f02d5e248c4c3b27424b95e5

    SHA1

    1f40c641aa603ea01522f5e768cf5615bb001d59

    SHA256

    760f080a6ac9fd1d7db224828baf7f51951634f4ad86b3efad0160bd50777360

    SHA512

    d43972ef57aae9980f60d5124c362b3fbb5f623084bab512908f245c556fdc79cd3a0329642339db1d25570c35b1d06237e8409bd1fc1514df2584d2d27dba54

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    85cd47ecd5a505bb033eef9446850922

    SHA1

    ccf6d98678883d28a2013ed608a3350e3d173379

    SHA256

    c6fcc86382cf82c46821cc5d09c2b22a9f3c83a08e5d7a38e17e0313421b89c7

    SHA512

    7a55ec3ac841d9e805a00ad177117e2593e8428ca788ff038af90a0a3cc85b80693db804478ec1fc7556e1659b93bd0b4915ad2ec71c26d57208b723236653b0

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    0a079d8c71fb1ecd905da7506fb709b5

    SHA1

    5b42d0e403793bd603107b496a28110a99400776

    SHA256

    19baf8f5d43ce8faf079d099f92991afc57d0228dd413a38a1f4ac46542c0bd0

    SHA512

    f09655fa64c2453f89bd789fe09a8def4c6249d62b9e8a75eec8f4cc244215ef89bb40f66413a65ee3a2e9ef946e32b4ae85d1dd7f8f4a98e8b01ac4f6de64d2

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    11012a7c1a2e221c4469c462d78880d5

    SHA1

    b1bc9cbe8b02197cf956b571f392081fd1d63b9e

    SHA256

    7eb3a17c4d33f1e80956c5e7efdfdd4e82ead2b50228ecc30b20d74e576591a4

    SHA512

    9896f46512a266f16b55c9e86130449cd86adee5f5c6b1875933c12da61f6966b8544c17ea6bd204cb9ce02b0007ba02a35936b651d7e32acd4948a2c6bce90c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    289bad442fa6014f756a7de0722cdeeb

    SHA1

    9288d620b0d7a30549c7426286bf5b214b62daaa

    SHA256

    f319d416aad6676936a2c3ccd9321eecc899a54ac21defcbffed6fcfa946601d

    SHA512

    9c16fa86665354987992003426cd871c50e43799ebfb12a55397acfcec2749541a665edf253a8511f47ebe5fba6b3295d7c4a45c18d527a57aacf0dc69584183

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d6ef12fd6e19ddae0bd40a49ec8dc4fb

    SHA1

    45b521832201ff7e2e73265f62a0928316302132

    SHA256

    eb6af962ba67ef40665d7c13b4f927ec59d33f2312c2e69e272cd7b0a603e734

    SHA512

    c803aa529bb678a1c6d5c957684e54a1b43a7a0052ac3fa425ae16a2b1aef833a81c7a5cf065c11b3f50c5182613a4510b134af94703354d28a7edc58fce4f5f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    91c94fff216f8024533d093ff5d2be22

    SHA1

    4e9c00e0326cdff2e8d6be9527e9ddadadc5d379

    SHA256

    0fecc55046c55719a290761d9bc91514163177dfdd786f15398f468b38262e4e

    SHA512

    4506b710728831dcd3e19ab37e1689a6e425df204fe8e542926dca555588d8c88a4c162bfdc31a5f176ce2ca04467aa4d2ab841ef6af983d4a507bc49457c02c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7bd1c9d156e8f1484360d38b0dbe5944

    SHA1

    4cdeb1b2453810527ef818cd9a288fe86ce30837

    SHA256

    716644cb92cd3a79f88456f4a796c0ebf1e87c7fc21cfb9eab736b2bfcfbe64e

    SHA512

    c0b5c4c3b94fd4678eee53b24701636f438e1e0fae9435849cc6db755626244814845bdf4d8ddfe827780a7b7e476a8d2a16cb2a5263d74287fb13a463e3490e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    078bdcb2dc872ea158e56798391eb0de

    SHA1

    e8c24cc784df2209373f85588d9dfe762a77632f

    SHA256

    9a717b808a1cb4c98c6b39e8361cced90713d2dcb217b60e2ab7e083b8b9475d

    SHA512

    8508317ccdd8ad406306ac35eed183f02bf78936b524b12aa6af7daa518b43a3e04bd0375d390ea43f0dcf7152c64a013288801a654f304c474f3b49299dd3a9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ed2214abb784854689a78c6af14d5cb5

    SHA1

    558d56343d05f62f9e6ebc972b9138f188d6a0a5

    SHA256

    3e30ef7aba9f0f6891f864bdb81e6bc975b115d80c5aed32a02e43796332252a

    SHA512

    9265abd9b7d7b266f0bce4ddf735a96058da52ebecb737585b64786035985e46fccc778d2705f4597a062cf6e28f3b306713cecf7d34be2854f78f4aecead246

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    aa66955a31f63374ebf799913da701f9

    SHA1

    17c786561999d638d02fcbf7470dcff0d55dbd01

    SHA256

    e3c3441949e34bc59bea6093b8ee8a9a926c8d9b56662d348ce6dcdb214f3845

    SHA512

    7d8664ff27cf930de6904a72fc85eea9314835a99500fb5b4a77c6107fa9b00503bc112cbbcf250672b93a994f9cfd7f79d8414339aa3254610046ce07e076d0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9c41fc8ea5b99c2ba10f70e065ca52e7

    SHA1

    7b0ddd12598945f134d97a7727294ffd33f5b3b1

    SHA256

    b255c535089055ca24bf41e88fe4de66d7e362f0f258ba7725f58d9113a142cc

    SHA512

    57cf74cc6fcf6532e0423b638affcdbc4b4d600d8dee157d07a928ce41c9ed79a3fc33af731b20e731284452f10866d50a43eded93273bce8953d32ad7f5a020

  • C:\Users\Admin\AppData\Local\Temp\Cab2934.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar29A6.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\dsqyqcsbmtyg.exe

    Filesize

    340KB

    MD5

    d35c98321d2f87f089b7d5c26174a10b

    SHA1

    2d7f432514ba316ecec7a8f372d0a75cb32f8fc0

    SHA256

    2d8e7d0a895c13a1d012b25b069a528481cd0d3c91b74689c61299f3b5a55232

    SHA512

    a467e624af472a2dc240dc325bef21b4dd435315dd765e9afd6f4134bd1c2482d23072e2057cc9ef60e9aad9107f6985bdacde3c92f0d68601b44ebf9990c40d

  • memory/560-6085-0x0000000000130000-0x0000000000132000-memory.dmp

    Filesize

    8KB

  • memory/2244-1-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2244-9-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2244-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2244-3-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2244-28-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2244-5-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2244-7-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2244-16-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2244-17-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2244-13-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2444-25-0x0000000000400000-0x000000000081D000-memory.dmp

    Filesize

    4.1MB

  • memory/2564-6078-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2564-4357-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2564-6084-0x0000000002C60000-0x0000000002C62000-memory.dmp

    Filesize

    8KB

  • memory/2564-6088-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2564-6090-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2564-5273-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2564-51-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2564-49-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2564-47-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2564-1488-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2564-1485-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2564-46-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2564-45-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/3020-0-0x0000000000270000-0x0000000000273000-memory.dmp

    Filesize

    12KB

  • memory/3020-15-0x0000000000270000-0x0000000000273000-memory.dmp

    Filesize

    12KB