Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
10-09-2024 09:00
General
-
Target
d7f039531ce2db4f604ca2a40f8ca828_JaffaCakes118.dll
-
Size
145KB
-
MD5
d7f039531ce2db4f604ca2a40f8ca828
-
SHA1
6c1c739d5d6fd0c04eac220b46646d3a5d5736c8
-
SHA256
45fe958019227f7a5e96d36b522178cd3ab24a99decfe517e5a2e91806c83016
-
SHA512
d095e6185ca9aa60df80066c8476604f1815ee9a4be3dd6c4fb8c4809f33974bb277da97d74fed11dbf7c9843ab6f48bb1312e2afefa148ecbb06d55bf551af0
-
SSDEEP
3072:t9T7LiXhC06rUwo3ueS8uYGEx8r8npU5f4rAFy/Vruanzg:/O0XrUwo65YGEeepUItru
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d7f039531ce2db4f604ca2a40f8ca828_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d7f039531ce2db4f604ca2a40f8ca828_JaffaCakes118.dll,#12⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_WHAT_is.html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {24D00727-980E-4E3E-BE57-ED9CF2ADBDF3} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\_4_WHAT_is.htmlFilesize
8KB
MD53859ca0ad1861ec89ea948bd7b59043c
SHA168bb0a071ae2589489e86a2e6edeadecfe8cbec6
SHA2561846f4f6fcf5a770360bda16d08a547b8d38fb2425d0d79ebcb7b202085690a5
SHA51271c271b16ae79fdfa08f4cc199b865505e00c479eb9d52cabaf30a9f92f19721a821d543f05f3d40c9fcf38975f1cc59de89616dd5d61dc5c28c58c4c1109454
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD53a5ceea5d9f16036f40cee7e2ae4efd3
SHA1cfc893dcccdf580407daab0fb0343c871f0e3982
SHA2560b6fcf06fc43d0f8801507211a737051dff495327260f0276d8c2082283be526
SHA512161567d70c0af8f4944b7f0a06ca2a7e4323c774d575b260f21f1ce46c25bf4dae9a77203161f19526c73e37b6c02fb77457f09864ef28ea73908568c0ec85ea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD539b7e2167762fd5ce16598964b02a255
SHA1590aacc6b05f4d3ee8110dc6ca03872aec7da4ed
SHA2565615474e2680f28c689ea0d59ca9dd45d67132d02b222e5f2c2d02177838c7fb
SHA5127eb2a2d92bbc0d0c0a248eb9df0977937d17520cfc5851c97dd4fa69c7beeab02f9b022d4abbcbe324bbf7f63dd394f5e7756f70e999706a5334a292008fa294
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD50ace4512019eb46b4abaf901ef392aac
SHA179b8c1dfe78d5e9dc0648038c69c3adc359d6291
SHA2564f947f847ccd36b871d2ceef948149268b8ade965deaaed27baa9178fda40573
SHA512ebfafb6c76ff346c28725f30d395b2c5066ed16c4ec828ca7e53e309eb3fa20302561309eb07e9ba5e6638283fcc01b6a29c859d43e572a5e4fee330e43c9c18
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5816eb334714eb4b51c3904a8bb993c4d
SHA129b7f31f2b1f894c65784c93192192db9b9b5370
SHA2566144228eda30cbf6c700362d66d96a62b6d08784d2506fd2bb6fcc82bdfc47ef
SHA512c9638d940c0f6e320e0ea86e76f3f4b5714870088e6931f51795ce598b58f96ad0c0ea8d8534782c0c95ac90a9363f32142a897ca1b6c7af62510625dbbcf582
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD51102b3b266984b32b4886666dabd680a
SHA1e4a496687144c02599827393b3a3faecac70b774
SHA25623d9ff4848066babfbaa99a27bcd6745053c9693c6a476ea4ffd528f1bb125ee
SHA51214fdfdeaf4b46c24c549e68c44eb678f098f5104a6c5b6eeb7c3d6f34686a54d52706f8254b4b32730d0da8c4f02157b0673ecb0c63140e36793c849534408a4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD52e6abe3cf18c980a8da60ed426e8cd98
SHA1f9f6e95529e7ba24b7c7642178b18a6cf1bf2968
SHA2560370f9529077058461e6a958db272d884bdda8ec4a4dd7489a0337d7d70380f7
SHA512b848c02b55d3729509c51f9deb2c54f3d30ea0b2f349411d58650f1c0c737af12e5634161389e7ea1deb1ea44907a76d2d389041791bb3d01784f3bf78aa35ed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD525bced29a0b6213b04e37c480fa78310
SHA195be22006791ddc0d573f4c6f9528d53e1083037
SHA256945cfbda94adde90c750cceea1907b694fb5e792a7399fd34e894a1e57eb6259
SHA5120853ba8b1fe11a3255b506dfeb83b60d64f0eaa188bbee49bc4d44d60731b0778a430952c6c8b167d35bdce9d0d32148220c843850e73b892d2f0141d4756b7f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD54bae3ae94c64bc4007ef1f7de8783244
SHA11e75c94cb19f62e152e6d1e79d70332c99defe75
SHA2563c8b0a1681c0fcf3ebf7d422fb791f67ce3bd3a3a58785c27994554fa2f8941a
SHA512ecd43e340386b69a789715c6c2d77f731e624c89f8d0d75510953a796534a743daeada6387462e6e6cd211151d4e9a9329e06cebce25a61311dcf5243f428e37
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD531821a66f98a1864d90e0a130c61f461
SHA1629304e241ee0e5806b9b7f618e07ad263434c8f
SHA256ffb9b826fe0decbcce35b41a1355075bdd61b8f89424d96e94384fc18f7660aa
SHA512a454af49f401e41daba04fedc772e658462fc02e4eac889a69987a03faffbd71f7e3c400b1fe93869b39b8988ada63996ef2cb1bd07d914eaa715f87444c46c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD58ea795dc333bcff4872f31205428a61e
SHA10dadc7c2835fc08044fe1757e498c57d667c1259
SHA25605a4e9c26a012ff041cfaeb4a57be145cbb1df2196f8ce7ef901f863ae57bf74
SHA5122daf9c2ead0aede4c4c9973f963d1dd3f184756f8adc66ad2dd8b2ff6dd13498f22b3422c07105e49ece1b4e4cb46e6e713bd0f8e16b855ff92b9838542e394d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD580cf452b17b42510de04559198b63457
SHA1f13e719102ebb370fc23f771760ce31b09236f40
SHA2568ffd52e91882045690b544ea190ff6a5c37eb1f52b71bbc3856090221dcf9780
SHA512b0c86acb0adf77fca469e34991e437d90728da3da8ac15bab6ea7501ffba4523561df1057cb3357fac0016eb2fa2fbdc71514ac18286d0aac141bdff6c64f9a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD53f76aac6211956c486daae60ad22a3f1
SHA173f07e4893f25ee572984b987c5dfeb929099925
SHA256761d9a554447ed80a1f40033f9b20c0dfd5986ddce27ba4b44455db5b4eaf1f8
SHA512e130d168a9a4c21788b2c2715c1baa295fb5da745f0cd17bc60d5d66c9f29e27a20eb3b5ef8d6f5e8471c410094910db3aa4be56a13c1e0d18ea375556737751
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD571790a45fa170cd1a1e1b3c3afe63c4d
SHA1472ef928cd2219e2c319b7cdeb1b3cb3730e785a
SHA2567b5c8f5ebcba2e1e7e9511991dc2bf071274aef030a4ed65032bab38502c57ff
SHA5123186fe6cfbe7c276fed27ab6f63f6951c316e639fc22d6b4de11dcab2a6356f5c8832cdec6eb87767fe7d0eb218abbd0f255054001452c886036115ef181a501
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD56a58632c0c80cb2aa0ee670a43f2f2ed
SHA1a411b5e08594082132b6d3015c2413b0e072350d
SHA256583949ed54d8d1a82ef3257ee1d5d1353e7ae410f00faa1106807a7601ec9333
SHA512228daec4c9d9e97830bb43abd0c7ce25976ededb1893b47bc450dedcd17ab0e82d3293b3b5d643206980a127a9bb76fa77f08f4e4537cb3571202366874f84c1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD51b1f3f919ce9a9a45700dd392bdb1148
SHA1eb8065b8ae82052734b1022e95ab3aa1217e324c
SHA2561af7a389793e3ab466ef32cd1cba086abf60f92b133cd32358bc8e6856c1e5e5
SHA512a5a6d4b7e8c8491a5723e69f741385281e5f11569bd37fde76a71e030aca7d277bfff6067caffd2258d33d2cbeb9c04ade686228566136c1c6e230e07f400298
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD560c34436fb07b6e541153c22215944ee
SHA1fa64fcd9fcbb2378c0e6a35d0bf0208c5e9605e1
SHA25635d7b088a58e2168b902550fff4c69036d628562727fd6725f8fcce70f361c40
SHA512ee3a7149bfb805121a7c4563566c2e3a64fa8cdbf47d2e4d040b511e1b4912bdd05b72a4207a4217a9206f735bdc0e15048076e6ff93920c553287bd7469de75
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD57f5483f12a2aa47584c73404705d549e
SHA1c7783e13b34911d21bf15ff142d97a1231b2c4aa
SHA2560af520edf9dd11ae9ee7de57ddef4d2e91af050b7105097337d215a8b5283b97
SHA51218a27a6bc2c94038f3e37bd0cd4fbd8202b644e29f57394f6a8bcfd51b655418c63c1b22a27acca63ffbd9703dfae40684f2c36aa626127fe976a195448316fe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5aa40f635a2e6f7f026a267cf33f44cea
SHA11da6f12e2d0d5cbe8031e53e3e4f531f98fc6ab8
SHA256fbe770c0392575e855b0c66160fd84afe0bbfdc90cafeb56031472859f121df4
SHA512edf27f7db9eb6a90f61a4da24367f9cefd232461c3f10fbb5a1d94dbbde629727e3505b857faa1bab8da6c70e1bb578ab6622e9ba4303fd6876f48c884eca5a9
-
C:\Users\Admin\AppData\Local\Temp\Cab88FF.tmpFilesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Temp\Tar89AF.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\Desktop\_WHAT_is.bmpFilesize
3.4MB
MD5605f7445474b5c83373bd058b6dfd0f0
SHA130fde83863d1009ff64458dfaab97034734153a0
SHA256e61a0a06d046fadc21776c82f920a6ca8cd3507ffb8f32a4e2aa116dba6a2cd9
SHA512080f52af88cc1a754a30a35cac8e021d2a4471f240edb566ffd94d46d4842dd1a87ac10c5e93a6736335253cb811a09fd73d82d989ec7e6e2deb044fa0bdc360
-
memory/2100-356-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/3036-4-0x00000000744D0000-0x00000000744F8000-memory.dmpFilesize
160KB
-
memory/3036-1-0x00000000744D0000-0x00000000744F8000-memory.dmpFilesize
160KB
-
memory/3036-6-0x00000000744D0000-0x00000000744F8000-memory.dmpFilesize
160KB
-
memory/3036-7-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/3036-355-0x0000000000330000-0x0000000000332000-memory.dmpFilesize
8KB
-
memory/3036-357-0x0000000074500000-0x000000007450F000-memory.dmpFilesize
60KB
-
memory/3036-3-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/3036-2-0x00000000744D0000-0x00000000744F8000-memory.dmpFilesize
160KB
-
memory/3036-0-0x0000000074500000-0x0000000074528000-memory.dmpFilesize
160KB
