Analysis

  • max time kernel: 119s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 14-09-2024 21:45

General

  • Target: e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe
  • Size: 328KB
  • MD5: e119b6242f793a4d536159060d8009f1
  • SHA1: 49cc5f9cfea5c01f77aa7d33192a28aa5089d464
  • SHA256: 2d160f802f2835b98ce31906dd6803476f014661c472f6478bd56bf811c7031a
  • SHA512: 213e08c6cbc5b474be91b4682e00156c26a259e3e262591165b8dd4d0b2a4df0f580ea6d8820e22594b978824e5f377688fa3a7ea923a90ad0f6517b86f14342
  • SSDEEP: 6144:lAOlfFYViOkjJEZE4fC/Q9D03bcPSl5xhUDV9kl+JKODK1QztG/7:lnf+ViDEyBQ6r/gDo8JKO4v7

Malware Config

Extracted

  • Path: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+eyvva.txt
  • Family: teslacrypt
  • Ransom Note:

    NOT YOUR LANGUAGE? USE https://translate.google.com

    What happened to your files ?
    All of your files were protected by a strong encryption with AES
    More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

    How did this happen ?
    !!! Specially for your PC was generated personal AES KEY, both public and private.
    !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
    !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

    What do I do ?
    So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
    If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
    1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/924123EAE73ACB9
    2. http://tes543berda73i48fsdfsd.keratadze.at/924123EAE73ACB9
    3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/924123EAE73ACB9

    If for some reasons the addresses are not available, follow these steps:
    1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
    2. After a successful installation, run the browser
    3. Type in the address bar: xlowfznrg4wf7dli.onion/924123EAE73ACB9
    4. Follow the instructions on the site.

    ---------------- IMPORTANT INFORMATION------------------------
    *-*-* Your personal pages:
    http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/924123EAE73ACB9
    http://tes543berda73i48fsdfsd.keratadze.at/924123EAE73ACB9
    http://tt54rfdjhb34rfbnknaerg.milerteddy.com/924123EAE73ACB9
    *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/924123EAE73ACB9

  • URLs:
    http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/924123EAE73ACB9
    http://tes543berda73i48fsdfsd.keratadze.at/924123EAE73ACB9
    http://tt54rfdjhb34rfbnknaerg.milerteddy.com/924123EAE73ACB9
    http://xlowfznrg4wf7dli.ONION/924123EAE73ACB9

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (416) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Users\Admin\AppData\Local\Temp\e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e119b6242f793a4d536159060d8009f1_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\aujdltalnccs.exe
        C:\Windows\aujdltalnccs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\aujdltalnccs.exe
          C:\Windows\aujdltalnccs.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2304
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:336
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:204
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2876
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2616
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2724
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\AUJDLT~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2156
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E119B6~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2616
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:540
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:1252

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+eyvva.html
    Filesize: 11KB
    MD5: 3a2c0152e0cb9cf70e30e60f760c66eb
    SHA1: 7af3db7eb088b1eed564832face80b6d39401fb1
    SHA256: ab9b33973be8ce9a24d17053aa0f8792df08a3980d23ab5d0740f3fe6e82695b
    SHA512: dcda8948e9eb8dcac339b01ff2cef91cc80e15770141b8dba9da0acce128756d8ca56ef8f353328b6ba0e4060ffb33991886e5b83aec4c1c8114afbb1e62ec65

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+eyvva.png
    Filesize: 62KB
    MD5: 47ec497ebcf25cbf4242efbcfa73336c
    SHA1: 456341d419786708e1b58a5eeb3c85b2ba8ebe23
    SHA256: 3dd1e1137a2a4f932e3abf31e8db49e2e0e9254fea8b9fc9e8c8600e489d3eba
    SHA512: 674615409e3289c3269fd439818a8c1a943600d72a2404f74a4e9ea312b2372df101717084d3d018e6624ce911843499497f09bd056f4aa957cbf2ca89f09b3b

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+eyvva.txt
    Filesize: 1KB
    MD5: c10307704f6e0324382bbc1905e94dfd
    SHA1: 7bfecf6972f6ba05bdfb91d0da897ea71d6af6b5
    SHA256: 22b47304f9b5b75a4a57791ad3e1adccb08321b78024707c7928e56ea3ab8294
    SHA512: 8badeeef2fd46eb4824c7b95cdb101a99b2eb999ec55d52d2f83b2699d7b381a38cdebc5b7dcec4de922f9e7823e3c2c30bbba8418bb5210568c49bdce9ba881

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize: 11KB
    MD5: 4ad978250da921cfcae3c795e60f1f42
    SHA1: bb3bb078214a2bcd41d153ae1b1e73ffaef2901f
    SHA256: fdfe0873c1d4ad77df075225acb9e6ee24747382e1345a68a38c2b29a42654b7
    SHA512: c9595c81bb8f0cd730f264503a469df782fec536d33f5dde08b6d6365c8380565118dc5b59531941c393a54d3b2b14a9745f4cd2d73970eb101be68af83317d9

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
    Filesize: 109KB
    MD5: f9c624fc0ad07d744cb7c4ddd5399878
    SHA1: 59cd9f6662a4332b21e758a7bc4e54db1506805c
    SHA256: fa35906f51008c5ae880dc282ab3212cea5f9a76c82fa7cc835df8a3796fb46f
    SHA512: 8869850870143471c6450eb97faa6ba86b9ecf4dfa694835943b67386d8f8210d71e3dcf9ccc34c42c34035a4f2f83e5f114818a3b1a8df3d1757b031ea6077d

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
    Filesize: 173KB
    MD5: 624712513abbffc2d9c7ee25a1eefbbe
    SHA1: 47b9450fa92570cd77b11c1efaa327f6896bd353
    SHA256: 042c01d99e6a05957033d33ab94b707c21e18edae0ed79a60975d3cc5cc0bfde
    SHA512: a78b7ad9f91c103344802e85f1b9e5f2b8ebec305a20edf1abb7c3f004497b28ef81a4aa4ac862fd6834d21489af4e6ff7f150c52a8694c5dc1ad1c3d870b5d7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 7a66313f9728a90d93123a7105a571d8
    SHA1: 1a2cc3f7861ab1480942bf895f173ff21cc6187e
    SHA256: c4ff6b14bc12f9648ca7c05ab85f95ad811b232f2beceb0608baeb53cea99587
    SHA512: 277f6083fc7f738e16c76f5d450299623ae40dd0d5de75409e367ce12e2bb5f758e9b94d693c18fe1bdc7bba886da2c62d18a0c21d8ac7268cb1f29ad79a47b8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 229800d9fd625beb12861ac7be3d09b4
    SHA1: 9a2ba231c45e2a00259d74453b5bd64dced2ffb1
    SHA256: 7c6d0d1cba267f5ab971024f94fffefd1796ab8826d174aad06ae0f608826083
    SHA512: fc0730e6cf85a668823989fbddbdb47a30e52e189f7e9628c6c001fa1aa07fd6fecb6575322de82c7ed87f5b7e5e3241b31daced5d37f920221aff4e2550a8e6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: edc3a76346963938447b86223d0d5136
    SHA1: be2d2922d92ad08feb95b5dd1a3c84f7cf3cbab5
    SHA256: ab8192243e353b439e3305ca306fc07287078b51ae7745c5703ec65ca7142e9c
    SHA512: 10c8326001517ed5270dafe654e6464ce25a41fe646077a6a91e857fa8c2761f38db661aa1efa9640c19a7ce850f61b9768fbb4bb0a728b0c0f3a8df4adceb02

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: d342bea0f824f1afac4181a21819a910
    SHA1: e3a61f2033fa2f4f681deff9e103c1f97ca3e81b
    SHA256: c60450a4095a4013908ab4a822c8caa747afd0c70e4cd98eaa1080c8573b4b0d
    SHA512: fb74bae5a2a457e5ef3b659ba1280c28deefab704a70024bee1350ba835a9eb8d10e77f81eb0e816fb4402b286793042a05dfc391ab035dc3fc8018c2202ea18

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 5351f0b89ec9e354ad52944d5f9ba190
    SHA1: b15ca9a676e5150cd39f9d1b02da4f167624da90
    SHA256: 5df7781a997f6d476d60823b51238155ec60447c36860ada1c4482a69268731b
    SHA512: 5e9f29cfca8177bc303ef71429c3ced40230888b67378ad130149d6e5ab6e33a1d0aa2216fa91ce1cb38487e7ef0a5c98f13914bfe743c21237bb6b6f717e3d5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: c8a7f7511a3d53079db99f834c23c6f0
    SHA1: 075c79f7e075f51fb14fa06fc612d708153c6d31
    SHA256: 0782a23db2640f6b34b4d4d8160895e8cdb8e60e729ee93324bc0521767e5645
    SHA512: 4d1a0c5ef42a71f96e6193abf8b719501f37a606331ceba9bbec646fa8be5c0dde5da2755aa7b884d42a40b0cb15e2491d46f4a4bd07486943edea60f72b888c

  • C:\Users\Admin\AppData\Local\Temp\CabF9C.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar1194.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\aujdltalnccs.exe
    Filesize: 328KB
    MD5: e119b6242f793a4d536159060d8009f1
    SHA1: 49cc5f9cfea5c01f77aa7d33192a28aa5089d464
    SHA256: 2d160f802f2835b98ce31906dd6803476f014661c472f6478bd56bf811c7031a
    SHA512: 213e08c6cbc5b474be91b4682e00156c26a259e3e262591165b8dd4d0b2a4df0f580ea6d8820e22594b978824e5f377688fa3a7ea923a90ad0f6517b86f14342
