Analysis
max time kernel: 143s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14-09-2024 23:58
Static task: static1
Behavioral task: behavioral1
Sample: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
Size: 3.7MB
MD5: e14c0622af40260fec213c4100605bfb
SHA1: 2cc388e5e5ccb150604e3e5c0a715a8974a274c7
SHA256: 38cc87cc48cdb89a2ab1ffaa0897c10ba4a26ff645f16d9cd5a8bc8debf255c6
SHA512: e0ae9b2f70b6460672079b907cd30fc228b2245b60315561651a09de1516424aeb770383b5cd7468926c5cfb221f130787d536d87b0941fe09cdb47af40a2d05
SSDEEP: 98304:YjNRO2u6p4S2tdxCrSs4bd2DOuYeWCLgq+cIMXam1zECP9Qz6:sNRPLD2bo4G6e8qRXaop
Malware Config
Extracted from: F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\DECRYPT-FILES.txt
Family: maze
URLs:
http://aoacugmutagkwctu.onion/86d60966e1ec37a8
https://mazedecrypt.top/86d60966e1ec37a8
The 16-hex-digit identifier at the end of both URLs is the same value used as the name of the 86d60966e1ec37a8.tmp file written next to each ransom note below, so it can be used to tie the note, the dropped files and the payment page together in an investigation.
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 4 IoCs
Processes: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\86d60966e1ec37a8.tmp | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86d60966e1ec37a8.tmp | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
-
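The three registry probes flagged above (the VirtualBox ACPI table, the BIOS version strings, the Wine key) are what a sandbox labels for you; on a live host a detection rule has to pick them out of a stream of ordinary registry reads. The following is an added example, not the sandbox's own signature logic and not code from the report: it parses events in the same "<operation> <key> <process>" shape the IoC rows above use, maps native \REGISTRY\MACHINE and per-SID \REGISTRY\USER\S-1-5-21-... paths onto the HKLM/HKCU aliases rules are usually written against, and applies three rules. It generalizes the ACPI rule to the FADT and RSDT tables VirtualBox also exposes under a VBOX__ subkey, which the report does not show. The confidence weighting (BIOS version reads alone are common in inventory and installer code, so they only count in combination) and the two benign explorer.exe lines are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample in the "<operation> <key> <process>" shape of the report's IoC
# rows: the first four are the probes the sandbox logged for this sample, the last
# two are benign reads from explorer.exe added for contrast.
SAMPLE = "e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    rf"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ {SAMPLE}",
    rf"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion {SAMPLE}",
    rf"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion {SAMPLE}",
    rf"Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine {SAMPLE}",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion explorer.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper explorer.exe",
]


@dataclass(frozen=True)
class Finding:
    process: str
    rule: str
    confidence: str   # "high": the key only exists under the hypervisor/emulator
    key: str          # normalized key path


EVENT_RE = re.compile(r"^(?P<op>Key opened|Key value queried)\s+(?P<key>\\REGISTRY\\.+?)\s+(?P<proc>\S+)$")
USER_SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+", re.IGNORECASE)
MACHINE_PREFIX = r"\REGISTRY\MACHINE"

# Rules are written against the HKLM/HKCU aliases produced by normalize_key().
# The ACPI rule also covers the FADT and RSDT tables (assumption: the report only
# shows DSDT). BIOS version reads are "low" because legitimate software reads
# them too; they only count when both values are read by the same process.
RULES = (
    ("virtualbox_acpi", "high",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$", re.IGNORECASE)),
    ("bios_version", "low",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.IGNORECASE)),
    ("wine_registry", "high",
     re.compile(r"^HKCU\\Software\\Wine$", re.IGNORECASE)),
)


def normalize_key(key: str) -> str:
    """Map native-format registry paths onto the hive aliases the rules use."""
    if key.upper().startswith(MACHINE_PREFIX):
        return "HKLM" + key[len(MACHINE_PREFIX):]
    m = USER_SID_RE.match(key)
    if m:
        return "HKCU" + key[m.end():]
    return key


def parse_event(line: str):
    """Return (operation, normalized key, process), or None for other line shapes."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    return m["op"], normalize_key(m["key"]), m["proc"]


def classify(lines: Iterable[str]) -> list:
    """Run every rule over every parsable event and collect the matches."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        _op, key, proc = parsed
        for rule, confidence, pattern in RULES:
            if pattern.match(key):
                findings.append(Finding(proc, rule, confidence, key))
    return findings


def verdict(findings) -> dict:
    """Per process: 'evasive' on any high-confidence probe or on two distinct low ones."""
    by_proc = {}
    for f in findings:
        by_proc.setdefault(f.process, []).append(f)
    result = {}
    for proc, fs in by_proc.items():
        high = {f.rule for f in fs if f.confidence == "high"}
        low_keys = {f.key.lower() for f in fs if f.confidence == "low"}
        result[proc] = "evasive" if high or len(low_keys) >= 2 else "benign"
    return result


if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f"{f.process}: {f.rule} ({f.confidence}) {f.key}")
    print(verdict(classify(SAMPLE_EVENTS)))
```

The normalization step matters more than the rules: telemetry from ETW, Sysmon and sandboxes all print the key in a different form (native path with SID, HKU\SID, HKCU), and a rule written against one form silently misses the others.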
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
pid | process
3012 | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
-
Drops file in Program Files directory 47 IoCs
Processes: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Program Files\ReceiveRead.reg | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\SyncWrite.cfg | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File created | C:\Program Files (x86)\DECRYPT-FILES.txt | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\86d60966e1ec37a8.tmp | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ImportResolve.aif | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ReadStep.vstm | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ConvertInvoke.emz | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\UnblockRead.xps | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\EnablePush.AAC | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\NewGet.cmd | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ReceiveConvertFrom.odt | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ResetCheckpoint.TTS | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\TraceProtect.docx | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\UnlockStep.jfif | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\86d60966e1ec37a8.tmp | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ConvertFromUnblock.jfif | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\86d60966e1ec37a8.tmp | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\86d60966e1ec37a8.tmp | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\UnpublishDeny.xltx | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\WatchInitialize.wmf | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\RemoveGroup.jpg | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\UndoSuspend.m3u | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\AssertConfirm.xml | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\OpenSkip.dwg | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\OutWatch.hta | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ProtectRestart.vb | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ClearInstall.dot | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\EnterSearch.ppsm | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\EnableProtect.html | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\FormatDebug.potx | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\InitializeAssert.htm | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ResolveBlock.ppsm | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\RevokeRequest.emz | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\SendConvertTo.m4a | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ConvertToClear.lock | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\DebugDisable.rm | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\UninstallWrite.iso | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\UnpublishExpand.docx | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\86d60966e1ec37a8.tmp | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\FindSend.mht | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\HideSearch.xlsx | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ExportRestore.scf | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File created | C:\Program Files\DECRYPT-FILES.txt | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
File opened for modification | C:\Program Files\ConnectLimit.wdp | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
-
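Two patterns in the file IoCs above (the "Drops startup file" rows and the Program Files rows) are worth turning into generic logic rather than a filename match: the same DECRYPT-FILES.txt and 86d60966e1ec37a8.tmp names appear in one directory after another from a single process, and some of those writes land in autorun locations (the user's Start Menu Startup folder and Word's STARTUP folder). The following is an added example, not part of the report and not the sandbox's own logic: it parses file events in the report's "<operation> <path> <process>" shape and reports (a) any file name one process touched in at least N distinct directories, which catches ransom notes and per-directory marker files without knowing their names in advance, and (b) any write under an autorun directory. The sample lines are a constructed subset of the rows above plus one benign notepad.exe line; the autorun directory list and the threshold of three directories are my assumptions.

```python
import ntpath
import re
from collections import defaultdict

SAMPLE = "e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe"

# Constructed subset of the report's file IoCs (same "<operation> <path> <process>"
# shape), plus one benign line for contrast.
SAMPLE_FILE_EVENTS = [
    rf"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\86d60966e1ec37a8.tmp {SAMPLE}",
    rf"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt {SAMPLE}",
    rf"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86d60966e1ec37a8.tmp {SAMPLE}",
    rf"File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt {SAMPLE}",
    rf"File opened for modification C:\Program Files\ReceiveRead.reg {SAMPLE}",
    rf"File created C:\Program Files (x86)\DECRYPT-FILES.txt {SAMPLE}",
    rf"File opened for modification C:\Program Files (x86)\86d60966e1ec37a8.tmp {SAMPLE}",
    rf"File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt {SAMPLE}",
    rf"File opened for modification C:\Program Files\86d60966e1ec37a8.tmp {SAMPLE}",
    rf"File created C:\Program Files\DECRYPT-FILES.txt {SAMPLE}",
    rf"File opened for modification C:\Program Files\TraceProtect.docx {SAMPLE}",
    r"File created C:\Users\Admin\Documents\notes.txt notepad.exe",
]

EVENT_RE = re.compile(
    r"^(?P<op>File created|File opened for modification)\s+(?P<path>[A-Za-z]:\\.+?)\s+(?P<proc>\S+)$"
)

# Directories whose contents run or load automatically for the user. Assumption:
# this list is illustrative, not complete.
AUTORUN_DIRS = ("\\start menu\\programs\\startup\\", "\\microsoft\\word\\startup\\")


def parse_file_event(line: str):
    """Return (operation, path, process), or None for lines in another shape."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    return m["op"], m["path"], m["proc"]


def same_name_many_dirs(lines, min_dirs: int = 3) -> dict:
    """(process, lower-cased file name) -> sorted directories, for every name a
    single process touched in at least min_dirs distinct directories."""
    dirs = defaultdict(set)
    for line in lines:
        ev = parse_file_event(line)
        if ev is None:
            continue
        _op, path, proc = ev
        dirs[(proc, ntpath.basename(path).lower())].add(ntpath.dirname(path).lower())
    return {k: sorted(v) for k, v in dirs.items() if len(v) >= min_dirs}


def autorun_writes(lines) -> list:
    """(path, process) for every create/modify whose parent is an autorun directory."""
    hits = []
    for line in lines:
        ev = parse_file_event(line)
        if ev is None:
            continue
        _op, path, proc = ev
        parent = ntpath.dirname(path).lower() + "\\"
        if any(marker in parent for marker in AUTORUN_DIRS):
            hits.append((path, proc))
    return hits


if __name__ == "__main__":
    for (proc, name), where in same_name_many_dirs(SAMPLE_FILE_EVENTS).items():
        print(f"{proc} wrote {name} in {len(where)} directories")
    for path, proc in autorun_writes(SAMPLE_FILE_EVENTS):
        print(f"autorun location written by {proc}: {path}")
```

Keying on (process, name) rather than on name alone keeps files that many unrelated processes legitimately create in many places (desktop.ini, thumbs.db) from tripping the rule; the threshold should be tuned against a baseline of ordinary installer activity, which also writes one name into several directories.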
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe, DllHost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
pid | process
3012 | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
3012 | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes: vssvc.exe, wmic.exe
description | pid | process
Token: SeBackupPrivilege | 2944 | vssvc.exe
Token: SeRestorePrivilege | 2944 | vssvc.exe
Token: SeAuditPrivilege | 2944 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 2564 | wmic.exe
Token: SeSecurityPrivilege | 2564 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2564 | wmic.exe
Token: SeLoadDriverPrivilege | 2564 | wmic.exe
Token: SeSystemProfilePrivilege | 2564 | wmic.exe
Token: SeSystemtimePrivilege | 2564 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2564 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2564 | wmic.exe
Token: SeCreatePagefilePrivilege | 2564 | wmic.exe
Token: SeBackupPrivilege | 2564 | wmic.exe
Token: SeRestorePrivilege | 2564 | wmic.exe
Token: SeShutdownPrivilege | 2564 | wmic.exe
Token: SeDebugPrivilege | 2564 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2564 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2564 | wmic.exe
Token: SeUndockPrivilege | 2564 | wmic.exe
Token: SeManageVolumePrivilege | 2564 | wmic.exe
Token: 33 | 2564 | wmic.exe
Token: 34 | 2564 | wmic.exe
Token: 35 | 2564 | wmic.exe
The same sequence of 20 token adjustments is recorded a second time for PID 2564, giving 43 IoCs in total. Tokens 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names; they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
description | pid | process | target process
PID 3012 wrote to memory of 2564 | 3012 | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe | wmic.exe
PID 3012 wrote to memory of 2564 | 3012 | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe | wmic.exe
PID 3012 wrote to memory of 2564 | 3012 | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe | wmic.exe
PID 3012 wrote to memory of 2564 | 3012 | e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe | wmic.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe (PID 3012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Identifies Wine through registry keys
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\wmic.exe (PID 2564, child of 3012)
      Command line: "C:\jrass\..\Windows\hfltb\..\system32\mt\xd\ubuve\..\..\..\wbem\vvy\lrh\..\..\wmic.exe" shadowcopy delete
      The decoy directory names and the ".." segments collapse to the image path shown above. A detection that looks for the literal strings "system32\wbem" or "wbem\wmic.exe" in the command line does not fire on this line, so match on the image path or on the normalized command line, not on the raw string.
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 2944)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\DllHost.exe (PID 204)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
  - System Location Discovery: System Language Discovery
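The wmic.exe command line in the process tree is the one line in this report that a detection engineer has to get right, because the path is built to defeat substring matching while still resolving to the real binary. The following is an added example, not part of the report and not the sandbox's own logic: it splits a Windows command line into image and arguments, collapses "." and ".." segments with ntpath.normpath (which works on any host OS, so the same code runs in a Linux-side log pipeline), and then matches the canonical image name plus an argument pattern. It goes beyond the report by also covering the vssadmin and wbadmin forms of shadow-copy deletion and the "wmic path win32_shadowcopy delete" spelling; those extra sample command lines, the benign "wmic os get caption" line, and the obfuscated_path flag are my assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# The command line the sandbox recorded for PID 2564, followed by constructed
# lines: one benign wmic use and the other common deletion commands.
MAZE_CMDLINE = r'"C:\jrass\..\Windows\hfltb\..\system32\mt\xd\ubuve\..\..\..\wbem\vvy\lrh\..\..\wmic.exe" shadowcopy delete'
SAMPLE_CMDLINES = [
    MAZE_CMDLINE,
    r'"C:\Windows\system32\wbem\wmic.exe" os get caption',
    r"vssadmin.exe delete shadows /all /quiet",
    r'"C:\Windows\System32\wbadmin.exe" delete catalog -quiet',
    r"C:\Windows\System32\wbem\WMIC.exe path win32_shadowcopy delete",
]


@dataclass
class ShadowCopyFinding:
    raw: str
    image: str             # canonical, lower-cased image path
    technique: str
    obfuscated_path: bool  # True when the raw image path was not already canonical


# (basename the image must resolve to, label, argument pattern)
PATTERNS = (
    ("wmic.exe", "wmic shadowcopy delete",
     re.compile(r"\b(?:shadowcopy|win32_shadowcopy)\b.*\bdelete\b", re.IGNORECASE)),
    ("vssadmin.exe", "vssadmin delete shadows",
     re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)),
    ("wbadmin.exe", "wbadmin delete catalog",
     re.compile(r"\bdelete\s+catalog\b", re.IGNORECASE)),
)


def split_cmdline(cmdline: str):
    """Split a Windows command line into (image, arguments); the image may be quoted."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def canonical_image(image: str) -> str:
    """Collapse '.' and '..' segments, unify separators and fold case."""
    return ntpath.normpath(image).lower()


def detect_shadow_copy_deletion(cmdline: str):
    """Return a finding when the resolved image and its arguments match a pattern."""
    image, args = split_cmdline(cmdline)
    canon = canonical_image(image)
    for exe, technique, arg_re in PATTERNS:
        if ntpath.basename(canon) == exe and arg_re.search(args):
            return ShadowCopyFinding(cmdline, canon, technique, canon != image.lower())
    return None


def scan(cmdlines) -> list:
    return [f for f in map(detect_shadow_copy_deletion, cmdlines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        flag = " (path obfuscated)" if f.obfuscated_path else ""
        print(f"{f.technique}{flag}: {f.image}")
```

The obfuscated_path flag is a useful signal on its own: a command line whose image path needs ".." traversal through directories that do not exist has no legitimate reason to look that way, and it can be alerted on even when the arguments are unfamiliar. Where the telemetry source also records the process image path (Sysmon event 1 does), compare it to the canonical form derived here rather than to the raw command line.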
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Indicator Removal (1): File Deletion (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1): Windows Credential Manager (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_A82243F9A76B44D48C4451AEE384B7BD.dat
Filesize: 940B
MD5: cf8c67a7a8fe60b7747bb1af1ab524e1
SHA1: f865052ba962089baad775c52d758bc09e363622
SHA256: a5f5e07c1bc5c4016567695f97696b8eb12c1c1dee02be5527ebcce965b104be
SHA512: bad8b802a54c5af9824c6604848048ac1c30902a8b38c334dba2f4b9f706079135ae9b1aac3deab8231c889a3a6e46786c4dabf266b8dbd5ac57f45210a3abf2
-
Filesize: 9KB
MD5: d5c513666d43f7be7175589eeab9fa3b
SHA1: 4dd4030c398b147842e6a2b782b04df94222f569
SHA256: 59b2bf79b3f8de547da84a5cc259b8dd28b400d38c9ba2d273ce85096097392a
SHA512: 16d7b9e8af798ab095b092d567a101735357c6c1d4b766721ca4721e26284739be7fdce4d58f52db3a6a33ca0e547f7aaff8748b660aaf993bcb837cc3fbd90c