Overview

overview

10

Static

static

1

dea68bfdc6...18.ps1

windows7-x64

10

dea68bfdc6...18.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-09-2024 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dea68bfdc6efd19c1dc933d61f115a33_JaffaCakes118.ps1

  • Size

    904KB

  • MD5

    dea68bfdc6efd19c1dc933d61f115a33

  • SHA1

    18b45cf13c0f34b572dc99c95af2261c5333cbd5

  • SHA256

    197390ed197b649aba275ca233a210c21ec03323df2aa5a445db47bee13b619c

  • SHA512

    7baf099cc2394499744db0aa9bc18ebb6a77ff5d9784c520a985df074f9ea79527f14ac793d46acb8e091270e342087e2eae25daf700a7e36d86ba7c20344b93

  • SSDEEP

    12288:V6AqPKqTq1cMlDjuEyTuCJwhEVg+82QvwyhXf3VZsH8p1dA3OIohPkKwbsWyBYsM:A

Score
10/10
netwalkerexecutionransomware

Malware Config

Extracted

Path

C:\Users\Admin\Favorites\Links for United States\11B918-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .11b918 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_11b918: kjzL6LjfXBoeTPkp+t4SjEciy2ttSpLuc/Ra05+YPOs8BfWvkH NxqLC6EqWFMoNcv5DicU3gffGelM918QH7ZRazFXDNe8JM+Uim ViZqcGrJpIOwHm230uZ2MJumwbEZuOhS87rw5vGc9Hd7zqIr4U A7bajzGnZUh00YFvsCZxzl2qwclE9irnCP+++AMuCcOtS3E5gp 26DHd0o7g2dtHpsXr15TuExd1U228uTwbA0vQYWPHDoCci+kUM Dd9LeEYDlGQNVaAdzuuYyQZSe7a+21TbTQKzVP7w==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Renames multiple (7437) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dea68bfdc6efd19c1dc933d61f115a33_JaffaCakes118.ps1
    1⤵
    • Drops file in Program Files directory
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\is71-ydo.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0E7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD0E6.tmp"
        3⤵
          PID:2864
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rvz3pc3u.cmdline"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:472
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD28C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD28B.tmp"
          3⤵
            PID:2800

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESD0E7.tmp
        Filesize

        1KB

        MD5

        3735966aa90c3c081e61539f3369cf5e

        SHA1

        86030df8450a82bae735f209ab6869971665619b

        SHA256

        cba424acaa253e0e247ee23d940c97c02d71283e33dc2207414be9843cb33a46

        SHA512

        334398e691bbba9d342750936dffcbe94a3a7bbc38f23c6c05d62fc555b5f17c89a9f96bedb170a82a3a15d35499784c38fb7c9fa09ad8d76b8df8ff6a9441b9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESD28C.tmp
        Filesize

        1KB

        MD5

        f0ddd16b7cf65597bf8f287d33acf4c9

        SHA1

        e9fc3d7285250315b85d7829ffb82be5ea7edea8

        SHA256

        da88835f6ed2c1b49f215047a1a32287c795964551d5a63877800f01a6c33fd5

        SHA512

        13d5b0c154764f11994af7da7ee2d98a9d6d7ee486e74504e1b3dd4c1566d3d22591482185bd2a957796c578482bd5826a65d4cd55b163373d464f9308d1674d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is71-ydo.dll
        Filesize

        6KB

        MD5

        8cbee83ce6e11ed4f37c52b07f1291c3

        SHA1

        466c3f3d54859b607f4f9b0445b9b8535ed94775

        SHA256

        c6c2c17055bfa9b63b67348c5920e34b47f80a0c608712f26516f3e6eec7ee48

        SHA512

        26c406ec484c6d53c826ba991e7db6fd7388143baf47a8f784a17a44c9b9b10a84ba0921a41b212042a6cca0056f23007f2100a51401ffc99e05113ecb6b9cbb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is71-ydo.pdb
        Filesize

        7KB

        MD5

        3066df66e1d2c149ceccfbca4917e193

        SHA1

        1cbeeb464b9a31b4e3a382f8cb8b7d65a15015e3

        SHA256

        905315a7ac77e9b424cad1ebc19940e7ad89bf5c9dab24ec3a7424398d55324b

        SHA512

        3bb86d8786c848e0468ae167018d118d526eecf7b16cc2e0b7e5a446cd343d765700bd4bcfd6fe8139c193bf30613e2a916fbf6d5fa63bdaa5e7a49c9eaedfca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\rvz3pc3u.dll
        Filesize

        4KB

        MD5

        916da7f11c250fe5b390aac4cc3a330a

        SHA1

        4171cac2a9d1421f8caa787700f7fb55d05c237c

        SHA256

        ff325b7cb905eed1d51f42300c3a66e820a68be8872025145f43b2956c8589b5

        SHA512

        73b8af2008e5aa0d5c9828724fa0904684e9e3035bdfd7dfb54fdd9d65f791b5a4a6bf92de89cbd72f9b63d34c4d108be271b38e90dc310022ddb2c274fc2c26

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\rvz3pc3u.pdb
        Filesize

        7KB

        MD5

        e5d78acd71bddd7d28da8bccbd107f4b

        SHA1

        e1071cf619d41923f8f8848225a42ea885baa85a

        SHA256

        5bcd851d8e0669bbe4976c45c19029801046b8bc3e7324c439c381390cfed349

        SHA512

        4af198dd7ca162b0952282d594a98ac701743827d6003d3f34e692358e56d4db8284003ada459152d89792571b085e060c21a8c819cc77db3159380baee9f48f

        Download Submit

      • C:\Users\Admin\Favorites\Links for United States\11B918-Readme.txt
        Filesize

        1KB

        MD5

        28e0261e9470a73a9b151bca73a25f91

        SHA1

        04c6230f3405ad4c72369ab7467a94699d2930c4

        SHA256

        422fa7bef11fc3ca92e5f8404fd7c9bbf6cf45594b26a43ed6c3f7e891aa85f3

        SHA512

        89a5ac10a9158fdf0327d8b1cc6f5f0a561758154046bc9a18e9d2e53f68b59882e5f9c63e9d6c605e5ee59af30f90396fbe26493e6e6307a1fce66759d8adef

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSCD0E6.tmp
        Filesize

        652B

        MD5

        9b10a67cb5872c2dc7b3d447d8bf4f19

        SHA1

        a5fbedb799583bb28bf630f2f580e4f9343cf6c5

        SHA256

        edb820c4ad64e5f1018e84454a122823aedbfc97f26087c5a50cb31f21158367

        SHA512

        82e621ea6d88b66fd50241eebdf708861bcc6912605331671d9db284579b1acc73fc37d7f2d84422a6696a7e4ac851240c129a9a2f72667494402eb099f1507a

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSCD28B.tmp
        Filesize

        652B

        MD5

        abee0f4341fcc34b84901625a0f9726c

        SHA1

        50845c15fa0e2c9ba139ab02ceb47b258c59a604

        SHA256

        6b66db0f430c629fa88cb42e36d716b486608b8484b8d7aa5adf6abb16a8ca64

        SHA512

        62e4ccc173f9471d2d70a7bb1a147e4c97de400d313392e3a025e8540ff4583f410214bc99c9b6dddc8e34ea113e2943c3d3f3b99218d4c4c873e96945169f5f

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\is71-ydo.0.cs
        Filesize

        8KB

        MD5

        d5c00611ebcab33ffe4fc0f571f14b46

        SHA1

        cea0b42714d5e88cc7441b1cca1c6c4dc3626e83

        SHA256

        b04adeb7a2519d2ede2849c84bb6516e4471154caa1eaace60cf57f58cbab47e

        SHA512

        77782080e1ee91ffed3088a52ab236dfd06d9a9269f9df9a1575594862bbea5e9dab3f797b4ed862bb52026f253574a6483da82281f5e1fd9c25b84773b54926

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\is71-ydo.cmdline
        Filesize

        309B

        MD5

        77041577697f0cac82f8f621d52b0059

        SHA1

        d0af4b625dd254629169b8b72e10e34b264879c1

        SHA256

        f2cdb22b6d2253fb015e213045ebbd354c524a2269c5c65563ca245a58f2e5f4

        SHA512

        89a97d07597c6a55454518fbe9acc7cb8e60cd1f82ff356d83f522dc04522a9e3403cc796d26a754d7f3369fa70dc9f6f688c19e7ba3a5d0eafd2c8b53a1463e

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\rvz3pc3u.0.cs
        Filesize

        1KB

        MD5

        c6165496f076b4dc9c829317274a7e09

        SHA1

        0b2e56f84dc5d57a189d8079eeb761b8b91c96c0

        SHA256

        661a347736b792bfe0810528af624db0968e0ba6f31d2daa2a6645fbe6749ce4

        SHA512

        57499e49c60aa17e9eb0bbd0828973881c1b405ef7459c2618785e1fc28495544f9e9e7dcbbf75982f30e2a8af1f8e66b14ec85d87a88ae8fec6f0024553f9f9

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\rvz3pc3u.cmdline
        Filesize

        309B

        MD5

        dae7a3e5ec960b8da0ba632818276fca

        SHA1

        9278a6396bf2df6d163492717c1ce1a891f164bf

        SHA256

        9e357127345cf89279e938537d6dd9e09916f92154b4a23fb0757683a4c97606

        SHA512

        388d7e22d2b726a4c121d470f51c73028ca1a3e044e6411ad90040d60aa2ca48c795f7063e45c80dadd4a136875161508878c8a83e9bf02aa4c3466ceae1123f

        Download Submit

      • memory/2068-69-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-106-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-5-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2068-27-0x0000000002680000-0x0000000002688000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2068-11-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2068-10-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2068-43-0x00000000028F0000-0x00000000028F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2068-9-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2068-8-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2068-7-0x0000000002290000-0x0000000002298000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2068-6-0x000000001B310000-0x000000001B5F2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2068-47-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-53-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-52-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-51-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-50-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-49-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-48-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-46-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-55-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-58-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2068-59-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2068-60-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2068-62-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-63-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-67-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-66-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-65-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-64-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-4-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2068-103-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-107-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-113-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-111-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-110-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-109-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-108-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-68-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-105-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-104-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-102-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-101-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-100-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-99-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-98-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-97-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-96-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-94-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-93-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-92-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-91-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-90-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-89-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-88-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-87-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-86-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-85-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-83-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-82-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-81-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-80-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-79-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-78-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-77-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-76-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-75-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-74-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-73-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-71-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-95-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-72-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2068-84-0x000000001B1D0000-0x000000001B1F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2392-25-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2392-17-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

        Filesize

        9.6MB

        Download