Analysis
-
max time kernel
149s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
12-09-2024 19:00
General
-
Target
dcdc778ea843b2a8adbaf661df9bcf2b_JaffaCakes118.exe
-
Size
373KB
-
MD5
dcdc778ea843b2a8adbaf661df9bcf2b
-
SHA1
f609790c27853d16cd0b4d145a56a6a8f5712f90
-
SHA256
f09e5f8878752c555825aaf133b735b67f42a83f2034013dd0fee7d679fcea00
-
SHA512
b3f6440cde12dfd2e414d5cd95dbdfc5c49a1cd84e2f47301bd234d7401ad7a9041bd3207d9e564fa81c610074919eb316723027962b952286e944ab27c5b0c6
-
SSDEEP
6144:lXxVVly0Av8Q2z6Zz8t5iHcTNNVMoaJHuVPsRJL+BzO0RCaqeI4d/IYqSYA:hyX2I7QSHu2UnCzeBFIYqfA
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_RECoVERY_+acsej.txt
teslacrypt
http://yyre45dbvn2nhbefbmh.begumvelic.at/292BC3C7DA93C1C6
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/292BC3C7DA93C1C6
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/292BC3C7DA93C1C6
http://xlowfznrg4wf7dli.ONION/292BC3C7DA93C1C6
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (891) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcdc778ea843b2a8adbaf661df9bcf2b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dcdc778ea843b2a8adbaf661df9bcf2b_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dcdc778ea843b2a8adbaf661df9bcf2b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dcdc778ea843b2a8adbaf661df9bcf2b_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\phyesysbaecn.exeC:\Windows\phyesysbaecn.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\phyesysbaecn.exeC:\Windows\phyesysbaecn.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff437346f8,0x7fff43734708,0x7fff437347186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,8270098585810457352,12242821873353519588,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,8270098585810457352,12242821873353519588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,8270098585810457352,12242821873353519588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8270098585810457352,12242821873353519588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8270098585810457352,12242821873353519588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,8270098585810457352,12242821873353519588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,8270098585810457352,12242821873353519588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8270098585810457352,12242821873353519588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8270098585810457352,12242821873353519588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8270098585810457352,12242821873353519588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8270098585810457352,12242821873353519588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\PHYESY~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\DCDC77~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD577269c3823fcf2ebe2b56df06a0f70d8
SHA16aca7dd118c3085dc280d2288bc4943019ec4416
SHA256acff0c426ebfc6696bf388d15fed9bd88891cde965c52f75d748fb712de2c12f
SHA51254bdda2ef599abf6b724089a9eecd1423acdc2e69c0c6b0e06b28695ea63b92de24d18f6d7f4a78e16110bd537919f0f0b778fb9a150fbdf31c340eecf3e8aa2
-
Filesize
63KB
MD5885d41311e9c363b6520b78282b82ea4
SHA143861679fc7043fb85fe249469a3da3421181448
SHA256fd0f89c692fedcfd14edeba3346a0aae52e2c882d26ab57f775ed4b8c494c69e
SHA5129abc37cfa7e0042e2f4d0348d04f84a182bbf6e28284eba2ac5e1ac040fcc32366740ab5b99f5e734d6a9646f80fc64ed8567a4ced7bc9f70721a352f4e07ac3
-
Filesize
1KB
MD5f4d103508f4d18505ce15c00215342d1
SHA1dadb118704c37011c2ddbd001bd70761e4362df2
SHA25605524ff15e3fc100219ecf6cd7afc5ec85150edd7cbe7440c8304510ba7b7b93
SHA5129280f9588f958cfd763b9a4e3eec65ecbb30a008a0ebd3475d9c4d483adab54613b97a3b55c0beb63e45842eced4e4b1057ee5b6ece08bb26fa986fe87936848
-
Filesize
560B
MD5e77b4f73868918efddee92739d7b01bb
SHA1d07c7b4b91a85416d347a86d01c61fafdb0f87e1
SHA25679c32d92c36cc4211e0c1923043ff50b3e9721552eb8de3b21efeb963a0e37a0
SHA512a06052e4da0cb37cbed4b463f71772900a67800ee93090ebfe1801ec45724fecb09ce659c8f442ac941c66d9f4a7659669c815ad9c1a08b82baf0701f6363bd3
-
Filesize
560B
MD5dfd6e354fd12ba88aba112885d616ec2
SHA189ab6d43e3ccadee758af7fdd9b933737d224b7c
SHA2567a20ed3fa0043c57a436761532299e50f5a55f164ae25b8369b7942a8025a6d7
SHA51261d91e54ce975c6f321f29ee95549a00f8a1de8281bee3b84e87ee8628eb2fb6bf814806bbbdc69d905eb58a2be6a2ece342c58b8bb02232e86b9ea9f7c13a73
-
Filesize
416B
MD5830a1101a13d4803f90fc9d854ac3ed7
SHA12f8db7d04e1aa63136b0f0aa34d7bddc948373a1
SHA25606dbec275a55113b132406ff8033bd22a7602b2b68d822fe27232efeb9977f96
SHA51228d1e6508c2fbb76ca34d1836014d824e6d3254bf3e58fbb2148e2240653328c9cedab8f75b30f516053d39fde38007fba7702f238dcd4ea455c20f769a18fb5
-
Filesize
152B
MD5719923124ee00fb57378e0ebcbe894f7
SHA1cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc
-
Filesize
152B
MD5d7114a6cd851f9bf56cf771c37d664a2
SHA1769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA51233bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8
-
Filesize
5KB
MD58de8bbda76ddee8ed97adf1c73a3543f
SHA1026a6a42bcb3d203826f4fa9c1c3f7cc76ca9440
SHA2560df5305e597a6fdc69824c23162e6df12a58f544f52947fe27d2f4881104b470
SHA5127c6cebfc46ffaa712bded1050fe76b2e2b1927751376dc918e7f6f6681ab1273e6bd00afa9e142a63e8bff695d5d08928c4f1cd12b7edeb7f8dbe4e80625f821
-
Filesize
6KB
MD56fa7588859ed07c27db994fe4b08c794
SHA1f79d806062a79627544f2b8f70eecc9e2354c826
SHA25614e317a96e2aaab481eda048e95ebc45b860cf9591fa7d54602043c53a4d713b
SHA5129bc55175d1c9e987af44db56f8e0411ceedcd3f5bbb36ef6ef1ac82dce640e576f6ab90b2833723a4ffbefbdf5a65cae045ec0392562f5afb60548bf1347b972
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD567eba6438edb12bf47e96af25126b566
SHA1df2a9d82b0c1d919dc8e372103a549d5fa19645d
SHA25670b573bbde9c4b7e1b15c496c98a85536fa2d57f5b2c625780537c1d55680e78
SHA51258010cb0e7c3bc00681f4cf3df5044c18f28a0814959a9a1d40491717ef89a26dafeaa4f96dd948a9d2861602df5e3836f5258f329cd904877cfcf9b8e85a608
-
Filesize
47KB
MD5d6939b0d369354e044e89c78f9fdd237
SHA1cb23aad303fab9871dab3a30badf7e7327b475d7
SHA2565af1f299e0512a6becd536ebb711badf78603a826a159a963197ef063c6e57b4
SHA512358a36ea91d92a4816d9a430a6b0cabab572ee3d487586c3b16ecf9f19e86de1ae4c360c235d89a86a47db65e87e719f265808e0b6ab0134f2146d0fc9b165d7
-
Filesize
74KB
MD55fb7dba061c7f362874864205eec57bd
SHA1625eabd6a654776ed0f958871a23272fdf7c657c
SHA256efbf5c7c158a5242a8e9a2edfcccc4dfc363163ee498954948c8ffbab50f4234
SHA512483a229de756dffac527b2c7d07be04d64d6084a834d7f079fd7718e55c0de271c6e0f2d23c30f9ad6308eca2c113e84937cf9ad0152b299988bb9c9650f0107
-
Filesize
373KB
MD5dcdc778ea843b2a8adbaf661df9bcf2b
SHA1f609790c27853d16cd0b4d145a56a6a8f5712f90
SHA256f09e5f8878752c555825aaf133b735b67f42a83f2034013dd0fee7d679fcea00
SHA512b3f6440cde12dfd2e414d5cd95dbdfc5c49a1cd84e2f47301bd234d7401ad7a9041bd3207d9e564fa81c610074919eb316723027962b952286e944ab27c5b0c6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1016KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
