Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-09-2024 02:49

General

  • Target

    d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe

  • Size

    340KB

  • MD5

    d35c98321d2f87f089b7d5c26174a10b

  • SHA1

    2d7f432514ba316ecec7a8f372d0a75cb32f8fc0

  • SHA256

    2d8e7d0a895c13a1d012b25b069a528481cd0d3c91b74689c61299f3b5a55232

  • SHA512

    a467e624af472a2dc240dc325bef21b4dd435315dd765e9afd6f4134bd1c2482d23072e2057cc9ef60e9aad9107f6985bdacde3c92f0d68601b44ebf9990c40d

  • SSDEEP

    6144:DrHbGlBfoXKBA4pOoGf75hK7d/X/CMmm/2ikfOmvA2CxjSJgE0ToC8uUsYEF7u2K:f7GliXAOJf75YtPhxd3dRMkz8rG4

Malware Config

Extracted

  • Path

    C:\Program Files\7-Zip\Lang\Recovery+ioupu.txt

  • Family

    teslacrypt

  • Ransom Note

    NOT YOUR LANGUAGE? USE https://translate.google.com

    What happened to your files ?
    All of your files were protected by a strong encryption with AES
    More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

    How did this happen ?
    !!! Specially for your PC was generated personal AES KEY, both public and private.
    !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
    !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

    What do I do ?
    So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
    If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
    1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9738704FFCF98B57
    2. http://tes543berda73i48fsdfsd.keratadze.at/9738704FFCF98B57
    3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9738704FFCF98B57

    If for some reasons the addresses are not available, follow these steps:
    1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
    2. After a successful installation, run the browser
    3. Type in the address bar: xlowfznrg4wf7dli.onion/9738704FFCF98B57
    4. Follow the instructions on the site.

    ---------------- IMPORTANT INFORMATION------------------------
    *-*-* Your personal pages:
    http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9738704FFCF98B57
    http://tes543berda73i48fsdfsd.keratadze.at/9738704FFCF98B57
    http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9738704FFCF98B57
    *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/9738704FFCF98B57

  • URLs

    http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/9738704FFCF98B57
    http://tes543berda73i48fsdfsd.keratadze.at/9738704FFCF98B57
    http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9738704FFCF98B57
    http://xlowfznrg4wf7dli.ONION/9738704FFCF98B57

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (874) files with added filename extension

    A large number of files renamed with an appended extension is the file-system footprint of ransomware encrypting files across the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
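The "Renames multiple files with added filename extension" signature above is a counting heuristic over file-rename events. The following is an added example of that heuristic, not code from the sandbox or from this report: it takes rename events as (pid, old path, new path) tuples, keeps only renames where the new name is the old name plus exactly one appended extension (so ordinary save-by-rename patterns do not count), and flags any process that crosses a threshold. The events, the pid numbers and the ".xyz" extension are constructed for illustration; the report does not state which extension this sample appends.

```python
from collections import defaultdict

# Constructed rename events (pid, old_path, new_path). These are not records
# from the sandbox run: the paths are modelled on the report's dropped-file
# list and ".xyz" is a placeholder for whatever extension the sample appends.
SAMPLE_EVENTS = [
    (4632, r"C:\Program Files\7-Zip\History.txt",
           r"C:\Program Files\7-Zip\History.txt.xyz"),
    (4632, r"C:\Program Files\7-Zip\readme.txt",
           r"C:\Program Files\7-Zip\readme.txt.xyz"),
    (4632, r"C:\Users\Admin\Documents\budget.xlsx",
           r"C:\Users\Admin\Documents\budget.xlsx.xyz"),
    (4632, r"C:\Users\Admin\Pictures\cat.jpg",
           r"C:\Users\Admin\Pictures\cat.jpg.xyz"),
    # Benign: an editor's save-by-rename swaps the name, it does not append.
    (1200, r"C:\Users\Admin\Documents\~tmp1.tmp",
           r"C:\Users\Admin\Documents\report.docx"),
    # Benign: a single ".bak" rename by a backup tool stays under threshold.
    (3300, r"C:\Users\Admin\notes.txt", r"C:\Users\Admin\notes.txt.bak"),
]


def appended_extension(old_path, new_path):
    """Return the suffix (without the dot) when new_path is old_path plus
    exactly one extra extension, else None. Comparison is case-insensitive
    because NTFS paths are."""
    prefix = old_path.lower() + "."
    if not new_path.lower().startswith(prefix):
        return None
    suffix = new_path[len(prefix):]
    # Exactly one extension: non-empty, no further dot, no path separator.
    if not suffix or "." in suffix or "\\" in suffix or "/" in suffix:
        return None
    return suffix


def find_mass_renamers(events, threshold=50):
    """Count appended-extension renames per pid and return the pids at or
    above threshold as {pid: {"count": n, "extensions": {ext: n}}}.
    The sandbox flagged this sample at 874 renames; the threshold is a tuning
    knob, and a production rule would also bound the time window."""
    per_pid = defaultdict(lambda: defaultdict(int))
    for pid, old, new in events:
        ext = appended_extension(old, new)
        if ext is not None:
            per_pid[pid][ext.lower()] += 1
    flagged = {}
    for pid, exts in per_pid.items():
        total = sum(exts.values())
        if total >= threshold:
            flagged[pid] = {"count": total, "extensions": dict(exts)}
    return flagged


if __name__ == "__main__":
    # A low threshold for the six constructed events; only pid 4632 is flagged.
    for pid, info in find_mass_renamers(SAMPLE_EVENTS, threshold=3).items():
        print(f"pid {pid}: {info['count']} renames, extensions {info['extensions']}")
```

Reporting the distinct appended extensions alongside the count is deliberate: a single unfamiliar extension applied to every file is the ransomware shape, whereas a backup or archiving job typically appends one known extension to a handful of files.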

Processes

  • C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\fgaouqsqvrta.exe
        C:\Windows\fgaouqsqvrta.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4780
        • C:\Windows\fgaouqsqvrta.exe
          C:\Windows\fgaouqsqvrta.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4632
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4036
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:1748
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            PID:968
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4220
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FGAOUQ~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4964
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D35C98~1.EXE
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4012
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3000,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
    1⤵
    PID:872
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2652
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3944,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:1
    1⤵
    PID:2376
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3936,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:1
    1⤵
    PID:2740
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5468,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:8
    1⤵
    PID:1032
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=4816,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8
    1⤵
    PID:1756
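The process tree shows four behaviours worth turning into detection logic: shadow-copy deletion through WMIC (PIDs 4036 and 4220), a process launching a second copy of its own image (4496 to 452, then 4780 to 4632, which together with the SetThreadContext and WriteProcessMemory signatures is the classic self-hollowing pattern), a dropped executable running straight from C:\Windows (fgaouqsqvrta.exe, whose hashes in the Downloads section match the submitted sample exactly), and self-deletion through "cmd /c DEL" using 8.3 short names (FGAOUQ~1.EXE, D35C98~1.EXE). The following is an added example that runs these checks over process-creation events; it is not the sandbox's detection code. The event tuples are constructed from the tree above (parent PIDs not shown in the report are None), the 8.3 matching is a simplification of the real algorithm, and the C:\Windows baseline set is an assumed partial list.

```python
import ntpath
import re

# Process-creation events (pid, ppid, image, command_line), constructed to
# mirror the process tree in this report. Parents not shown there are None.
EVENTS = [
    (4496, None, r"C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe"'),
    (452, 4496, r"C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\d35c98321d2f87f089b7d5c26174a10b_JaffaCakes118.exe"'),
    (4780, 452, r"C:\Windows\fgaouqsqvrta.exe", r"C:\Windows\fgaouqsqvrta.exe"),
    (4632, 4780, r"C:\Windows\fgaouqsqvrta.exe", r"C:\Windows\fgaouqsqvrta.exe"),
    (4036, 4632, r"C:\Windows\System32\wbem\WMIC.exe",
     r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    (1748, 4632, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    (4220, 4632, r"C:\Windows\System32\wbem\WMIC.exe",
     r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    (4964, 4632, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FGAOUQ~1.EXE'),
    (4012, 452, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D35C98~1.EXE'),
    (2652, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# Shadow-copy deletion via either of the two usual LOLBins.
SHADOW_DELETE = re.compile(
    r'(?:wmic(?:\.exe)?"?\s+.*?shadowcopy\s+delete|vssadmin(?:\.exe)?"?\s+delete\s+shadows)', re.I)
# "cmd /c DEL [switches] <target>"; captures the target path.
CMD_DEL = re.compile(r'/c\s+del\s+(?:/[a-z]\s+)*"?([^"]+?)"?\s*$', re.I)

# Binaries legitimately present directly in C:\Windows. Assumed partial list;
# build the real one from a clean baseline of the image you run.
WINDOWS_ROOT_BASELINE = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                         "write.exe", "splwow64.exe", "winhlp32.exe", "bfsvc.exe"}


def matches_image_allowing_8dot3(target, image):
    """True if target names the same file as image, also accepting an 8.3
    alias such as FGAOUQ~1.EXE for fgaouqsqvrta.exe. Simplified: the alias
    stem must be a prefix of the long stem (real 8.3 generation also strips
    spaces and extra dots, which is not modelled here)."""
    t_dir, t_name = ntpath.split(target)
    i_dir, i_name = ntpath.split(image)
    if t_dir.lower() != i_dir.lower():
        return False
    if t_name.lower() == i_name.lower():
        return True
    t_stem, t_ext = ntpath.splitext(t_name)
    i_stem, i_ext = ntpath.splitext(i_name)
    if t_ext.lower() != i_ext.lower():
        return False
    alias = re.fullmatch(r"([^~]{1,6})~\d+", t_stem)
    return bool(alias) and i_stem.lower().startswith(alias.group(1).lower())


def find_shadow_copy_deletion(events):
    """PIDs whose command line deletes volume shadow copies."""
    return [pid for pid, _, _, cmd in events if SHADOW_DELETE.search(cmd)]


def find_self_spawn(events):
    """(parent, child) pairs where the child runs the parent's own image."""
    image_of = {pid: image for pid, _, image, _ in events}
    return [(ppid, pid) for pid, ppid, image, _ in events
            if ppid in image_of and image_of[ppid].lower() == image.lower()]


def find_self_delete(events):
    """(parent pid, target) where a cmd.exe child deletes its parent's image."""
    image_of = {pid: image for pid, _, image, _ in events}
    hits = []
    for pid, ppid, image, cmd in events:
        if ntpath.basename(image).lower() != "cmd.exe" or ppid not in image_of:
            continue
        m = CMD_DEL.search(cmd)
        if m and matches_image_allowing_8dot3(m.group(1), image_of[ppid]):
            hits.append((ppid, m.group(1)))
    return hits


def find_windows_root_executables(events, baseline=WINDOWS_ROOT_BASELINE):
    """(pid, image) for processes running from C:\\Windows itself, not a
    subdirectory, whose name is outside the baseline."""
    out = []
    for pid, _, image, _ in events:
        directory, name = ntpath.split(image)
        if directory.lower() == r"c:\windows" and name.lower() not in baseline:
            out.append((pid, image))
    return out


def analyze(events):
    return {
        "shadow_copy_deletion": find_shadow_copy_deletion(events),
        "self_spawn": find_self_spawn(events),
        "self_delete": find_self_delete(events),
        "windows_root_executables": find_windows_root_executables(events),
    }


if __name__ == "__main__":
    for finding, hits in analyze(EVENTS).items():
        print(f"{finding}: {hits}")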

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\Lang\Recovery+ioupu.html
    Filesize: 11KB
    MD5: 701d179c2f43eabc55fc70af201debc8
    SHA1: daabb4b8abc48c86efb5dfed12bbfa0d5d711a82
    SHA256: 7c0d8d5a120c8ac7f947edbaf34eaa0877fc46b225a070d3df6622e42ad22490
    SHA512: edb1f41afc693cfa2aaa9f186ed0ed527b9dc15eeed9577af047b90f81b91ffd7d07949598ed6c0eb398d5b51b0c05eb4301ebc67d987da0ccf7cee647ed1e66

  • C:\Program Files\7-Zip\Lang\Recovery+ioupu.png
    Filesize: 62KB
    MD5: b9d37c8bd34f08e1f7c3a93d62490827
    SHA1: e10a1354ad52a73fe454e775f63d74d0f32bb0c8
    SHA256: 8ef7898d937911a7cd9eb64911e123ff2cf5fea223e3f5e08cd063c12b039a90
    SHA512: 590bc3de8c790c1e75670a1c0c47d4c8ba16e3de5407a6ea5a5b6e67d6804b82b7b91520255cad0d28ce7d8324b338d6f1d4bc48d8fd5d9534e66a1ec68baa29

  • C:\Program Files\7-Zip\Lang\Recovery+ioupu.txt
    Filesize: 1KB
    MD5: d454ed5f7302b58f01a949d46ce2990a
    SHA1: 9ddddb65fe4fc19ca050f42545b795f893edd293
    SHA256: 692ebce6f2d22febbc467555d335ca872e01ee5b22910f780ae0fa5311a0f375
    SHA512: 539005314e541378084f7d3655b0a51d9892b9a8e4546c96f8e08c3f7b62befdbaaa19312a96a7e9e658ac855682551649ff930955d21a485b353e5f1d5a9e68

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize: 560B
    MD5: 5abb69277d5139607e96615610b54b0c
    SHA1: 4c51ae77997bac54353b62a51a3a880e823ed1a9
    SHA256: a3fd6e6408ed048a1b11288b93d39a050af72ecaeb9f209c4a77526de6e7aeb3
    SHA512: 6de64036838392b1795aec3ccdd6b50af9e893c324cc9fd90f09e046ec8f9ababd4ce986303dd98d8d573696e4d0347d8bf5b3fc78f34ea4bc3b4a027a9e292f

  • C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
    Filesize: 560B
    MD5: 84048e81570010852d5865831d4dab84
    SHA1: 1558f793d8850db2399c0f5b3727c482e4b2ef33
    SHA256: 3892632bbf0121f5612327e0409b00f7b1492d823e997d5fb326092227b30d44
    SHA512: 69c9bd2fd140bd2563512c88d19e5ca934421f77dcd4873031f6e77e07594eb48098d2acfc32250219e86d7e019bfc95758f62c16be34b94b44b1f916acfdd29

  • C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
    Filesize: 416B
    MD5: 197c2205a9e2a48d35ebc3d6717405ab
    SHA1: 5ed64239dc20b2fca81511cc64665abcf57046a5
    SHA256: b52bf35068ad9505053dab4f49968742cfd149ee7d62e8ff1a5c2475773790fa
    SHA512: ed8aea1d823cf72e1bee508686fc8cf415ff97b8df672f9e3f757e55adecf2dc1f38086a558475976c7be6c71eb0c223ea69ea044692ac894b860d8466879b08

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754420482328.txt
    Filesize: 77KB
    MD5: c41fd15411aa38babbefd189b75da3f2
    SHA1: f7cb70ed0c5c9fc82137e01b034007d05043f3c4
    SHA256: 89b7964b18df2614ae90ee7a707ade956740e60ed64240b8e99c23ff55973c66
    SHA512: fcfc50940ef75af61921fd3245b820eb7380bae6173ffd27fddaa0a64e62d10c99546cc11e1d9e6e152795183b5b40056c0ad7c9993ac4989797381ba86bdbeb

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670756582511987.txt
    Filesize: 48KB
    MD5: a5dbbc760f7abad7bb0761f7eb1cd530
    SHA1: 6a4358e72dd3619acda596fe33da67e6d21299f3
    SHA256: c21df6601d15d3ae5e518a91172913d75b374d9e823620f73b0525272663b0f1
    SHA512: c90e3336e835bdec87873ca689ffa55b2917c035fbbfbee5737f4d4033f4aa595b6cec7bf4eee5e81e468b862d155f806790af16d7dc1025f37c1a528a5f9348

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670765474574461.txt
    Filesize: 75KB
    MD5: 836902b1c0724fbc4b30d539dfe220d1
    SHA1: becc61be5b2e27ca7d3a3aea5e8cf964b89c9eb0
    SHA256: 60fdbab6dcc71fd8cda97cbbe7d841e3e9b50cce087f01e6d406c446f06234ce
    SHA512: 2b9e2198f253590fb8d4ca4779f15c31d27b0ff12bad260ba8af29882ab5fda8a72ff71e733ec502a661a52cc61a52059967d3f2e681621d827e13890fd889d3

  • C:\Windows\fgaouqsqvrta.exe
    Filesize: 340KB
    MD5: d35c98321d2f87f089b7d5c26174a10b
    SHA1: 2d7f432514ba316ecec7a8f372d0a75cb32f8fc0
    SHA256: 2d8e7d0a895c13a1d012b25b069a528481cd0d3c91b74689c61299f3b5a55232
    SHA512: a467e624af472a2dc240dc325bef21b4dd435315dd765e9afd6f4134bd1c2482d23072e2057cc9ef60e9aad9107f6985bdacde3c92f0d68601b44ebf9990c40d

  • memory/452-6-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/452-15-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/452-2-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/452-3-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/452-5-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4496-1-0x0000000002610000-0x0000000002613000-memory.dmp (12KB)
  • memory/4496-4-0x0000000002610000-0x0000000002613000-memory.dmp (12KB)
  • memory/4496-0-0x0000000002610000-0x0000000002613000-memory.dmp (12KB)
  • memory/4632-7528-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-24-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-20-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-19-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-2278-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-2280-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-4360-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-6609-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-25-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-21-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-18-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-11235-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-10521-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-11219-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-11220-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-11228-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4632-11229-0x0000000000400000-0x0000000000485000-memory.dmp (532KB)
  • memory/4780-12-0x0000000000400000-0x000000000081D000-memory.dmp (4.1MB)