Analysis
-
max time kernel
150s -
max time network
74s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
12-09-2024 19:00
General
-
Target
dcdc778ea843b2a8adbaf661df9bcf2b_JaffaCakes118.exe
-
Size
373KB
-
MD5
dcdc778ea843b2a8adbaf661df9bcf2b
-
SHA1
f609790c27853d16cd0b4d145a56a6a8f5712f90
-
SHA256
f09e5f8878752c555825aaf133b735b67f42a83f2034013dd0fee7d679fcea00
-
SHA512
b3f6440cde12dfd2e414d5cd95dbdfc5c49a1cd84e2f47301bd234d7401ad7a9041bd3207d9e564fa81c610074919eb316723027962b952286e944ab27c5b0c6
-
SSDEEP
6144:lXxVVly0Av8Q2z6Zz8t5iHcTNNVMoaJHuVPsRJL+BzO0RCaqeI4d/IYqSYA:hyX2I7QSHu2UnCzeBFIYqfA
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+eilnj.txt
teslacrypt
http://yyre45dbvn2nhbefbmh.begumvelic.at/69988E9B5F78BC6
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/69988E9B5F78BC6
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/69988E9B5F78BC6
http://xlowfznrg4wf7dli.ONION/69988E9B5F78BC6
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (308) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcdc778ea843b2a8adbaf661df9bcf2b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dcdc778ea843b2a8adbaf661df9bcf2b_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dcdc778ea843b2a8adbaf661df9bcf2b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dcdc778ea843b2a8adbaf661df9bcf2b_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\blqpdawtbkwg.exeC:\Windows\blqpdawtbkwg.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\blqpdawtbkwg.exeC:\Windows\blqpdawtbkwg.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\DCDC77~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD577b2928e2b41260732dc46557e6d9d92
SHA10a38f62ffe8aa9a08c00ddb9132dafc152234083
SHA2560c675513aae3ccd0938a6d09606d3e07c29d4b76e0c5fb1f01af8a3ee36d4d35
SHA512c16299b04cf9b2658208192c9d4b75ba3b538e6f7a70e3301486c73e2d51e961a77ee85c326c5c42312f72556030671e0140fc5a5e1455617896a97a7222af54
-
Filesize
63KB
MD576bfdc5a670ea3bc38a81e7d13f6e97f
SHA1f25b55dba2c3d478a985b1bc44095bd200a2f593
SHA256b7b1b51ebadd1c34c1a180e6ca665014866eb5d8d4269bb1d62a59fcfa9a1107
SHA51204374283f8375eb66009a35dcba9cdf6300e165abb77f5d53eab8bb3a6c407da06cfea15d18b82b70bb68a2cd0c22f7d4b236b30d3f07e465f1baec2099f2292
-
Filesize
1KB
MD5261ff8ca96480408e5d817aeae9c9933
SHA1a372485791178b307c4b80bdcedc747dd9b84686
SHA256b067fbbd7e1909b9904793958f3c39b84d9f065ec93047682077ebc10bd6ffe1
SHA5127904aefbd1b0932aed04ae1161f86c403838f6fc9cd29dbab4b2dfd6e4112881723b938a51b34462306f77acc4ca3677ffe727361c74fa37819b9cca61e7ea1a
-
Filesize
11KB
MD5753ec2267f37ea102d29acf0168ffa92
SHA1c574b323fe6a68cd489fa13c1eb16a280a953537
SHA256ceb1d478c6cd8ca771df696a915a1de6ee93a2fae46073ed3d38e9f12cc344c6
SHA512bdf9249354cb9ab39ba6abb83dbb985b2ee7769ba1ef88f1f9c0a0b95b8828daa8a3fe15a157dd759bb54c917014b6d579481dea68fc6b03459f38f603b6eb49
-
Filesize
109KB
MD596552f694dcdb5ef1128cf7798f9b25d
SHA1755545422f341f7299b31663a32509b5e871e520
SHA256d01a39cb841fe4f082d9573eb7658a717cc0ebc68c75be14f5c850a883189fda
SHA5128e442cfefbf191acc9d2bcfd2b02ccf0c52dde850d4d4f8e5e1dc2750c29852abb1d02cd3ae7dca34839c50f747c951d8bf47627c06a042ad4b6c2578a040c10
-
Filesize
173KB
MD5f4dd73c04f48e114174b007a2bc52af5
SHA15b2057faffa82ae05c3cb037430879dbcde8384b
SHA2562ced17dcc0f0ab81ca631472600da9f21f039ffe419a8a4202616db727f66b9e
SHA512448310978552484b4612317b9e5dcb3e1aec407bfc003ec0fdfe327b4e1e215561f233af89933fd8cff85b321f88b9759a1f1dd7bad89bd8be80e4af8e67638c
-
Filesize
373KB
MD5dcdc778ea843b2a8adbaf661df9bcf2b
SHA1f609790c27853d16cd0b4d145a56a6a8f5712f90
SHA256f09e5f8878752c555825aaf133b735b67f42a83f2034013dd0fee7d679fcea00
SHA512b3f6440cde12dfd2e414d5cd95dbdfc5c49a1cd84e2f47301bd234d7401ad7a9041bd3207d9e564fa81c610074919eb316723027962b952286e944ab27c5b0c6
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
4KB
-
Filesize
536KB
-
Filesize
1016KB
