Analysis
-
max time kernel
149s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
12-09-2024 02:51
General
-
Target
dbae9888aa3dfd015e4e1b91961333b2_JaffaCakes118.exe
-
Size
414KB
-
MD5
dbae9888aa3dfd015e4e1b91961333b2
-
SHA1
4171e53023cc452393dd11f128fd971deae613a7
-
SHA256
6d7b3d5696d4c8199a46bdc6f9f6d8310cb8052c5cca92dd91da819c53622654
-
SHA512
91f11c53b9d8c5bd0085e993206344fa9a3b01426d32a8647703a1c4046ea6db89e38c1a6db6debf2e6cc9df4b2aa225e3b551eb51c1004581c01d4c72cd31cc
-
SSDEEP
6144:81gNhF7mMk80a3Lsls6r/qqkdb+FoetPeh6mJbYXGf5yh/oJyBFThmBcjUm:pNW8h3Los6ryG0FJcXlQJyvEcjUm
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_38139B9E
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (315) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbae9888aa3dfd015e4e1b91961333b2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dbae9888aa3dfd015e4e1b91961333b2_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dbae9888aa3dfd015e4e1b91961333b2_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\dbae9888aa3dfd015e4e1b91961333b2_JaffaCakes118.exe2⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5b88c9cf042c5ae1c8c37188e8c440212
SHA1ac9cdc6c434d13d547f417c0671959ab71cd33c1
SHA256e82e2852d06fff67713adbd8a2c47753db619d0b3b021148ac48cec0b97e7dce
SHA512b76b4ae1a538514ead4507bde937ece99f4a9686e5301e7b239183bd4213316ab0f51a3665bfa211df41cfdfa8b0f3e7b745774b7ad27f8f0b461b3b6b20e874
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
100KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
96KB
-
Filesize
808KB
-
Filesize
808KB