Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-09-2024 23:58

General

  • Target

    e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe

  • Size

    3.7MB

  • MD5

    e14c0622af40260fec213c4100605bfb

  • SHA1

    2cc388e5e5ccb150604e3e5c0a715a8974a274c7

  • SHA256

    38cc87cc48cdb89a2ab1ffaa0897c10ba4a26ff645f16d9cd5a8bc8debf255c6

  • SHA512

    e0ae9b2f70b6460672079b907cd30fc228b2245b60315561651a09de1516424aeb770383b5cd7468926c5cfb221f130787d536d87b0941fe09cdb47af40a2d05

  • SSDEEP

    98304:YjNRO2u6p4S2tdxCrSs4bd2DOuYeWCLgq+cIMXam1zECP9Qz6:sNRPLD2bo4G6e8qRXaop

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\DECRYPT-FILES.txt

Family

maze

Ransom Note
Attention! ---------------------------- | What happened? ---------------------------- All your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You have a chance! It is easy to recover in a few steps. ---------------------------- | How to get my files back? ---------------------------- The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/86d60966e1ec37a8 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/86d60966e1ec37a8 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer! If you have any problems our friendly support team is always here to assist you in a live chat! ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- iWTgxnkl5qxnLsywtz8fowPK8rPJZyLR6fYEyBRTfXcR9QIOgHzQd0wW0V9N6Dk+Xv35P9gLIA7XHncCDKn2xoABj+FaQt+40nc1Rqfx3rW9wm3Z7PwCh/0Yg7ukQpQbPyHSDAKIq75A0yrjJo0gMyqFRx5/8KGP+AOzA7xzRYfeT9bOOEQLrEgalkAfvxPHtU/Ya6clYQTGGytISKttWElGMu4MdF7MRqhQ2HVB+WPhjcRTtP6eEn6I2DbkYF6CqhyNsjJ2C0ekdIqz+ETMESyhgJYfbTmmCvWX88Fg9IUzyOMo5P/kwFjPJee6pAVQUckaL06Aq1MXn7VoueHedf0u/3tiWxsG5FYWaPVeCDY3GdDxXZidMg8VCtaEFv8I0TCnBTK7EcbmUmuIiHAGwSQqsrrYRumtIYhvkv6BctTI62CYw58W8oo2MZ0cYvKSk6Gaflhn7OQfZmlySLVHNrZR49NWs/ARFlG83PtJvGlnvNMHHhU2eQBOw8351W/Sbv7Bb6f2bVTUBHCOSJKJhdx/nBAgmhigpnfA5+dFf4o0Mued8eVsgbR6Dtur4AJyN3f8qIearDNuBVyEmG2OLfBVu4kszGtGxqaUTwL0KHEQxM3aJIgEYz8pA0yizw/mzdyZCbXElVblFW7csvdpI0aOTc3qflKithYz3kdSAWKFo8E3wVpfx2ossiGFk5DaMev3Y0p5YJuu3Z7nPpVLT0A+tu3OapEjooIpBAijIMimjGAq/QFhtiExECLGvzECsvrSxYg6u/kl2BR/+lZn6IR2MWUlIgVrbe1dTKZeNTq1fy60mA715KjWvTgajBDyR4ZHds2ArYvYKBkiCuFoaAJzJJh9UPCCdcy2MKDXNAuRFsuQOltvMgnFINSsCr8nvegq0VsP13TFj+Xg/IgUwsfUAXXDHbNW9IOnHCUcOHRbyp3bPAcFt9eka2akSSvjPaeyEyHjdPj3Q6WjTFsCt2hWeuri5Y47T4M70Zpzy7Ip6LxM77VB4eEluZPhH9/1zg5Km1gfgt7Urh9/u9pk5qtGxMqj6TjV6z/lnf1MpkWp98+RtLfwbL6+r9h0vpikYeO3pvotnq/w2vKQ5n7GwTn0bKxYMICq/IuNq/F5xEpk2muCTYHude993y3dUmTWbabxZXTaKBI746b2G5G0G2W64XycAWuhEQahOXhgROS+RX8nKoWWwGR1+imaGbruET6UeIXILu65bOzU6tKW4hEQuKyfLoft2UYX3hmX4hQlj3fGCKkAsqZKGmA+CYEgOMWdhWLNvF6ey2RIgl3q4/BtI+TuN3vrJmoIELxFoKxtr5YHvVIPe1wlldti02CDFWVqrNtwPrMed8GU8sAfC4oecsKZUd2YW/qA5gqswu0DyWS4MQyXbDb8zFAxVh92JF7+szYgr2ZNQgHIvUPDB+0Dv6yBUjtNp7vAf6RkOHLgankmJNedGgkoH1Ub7FZsMxWYs7KkMzKjraKIfwLcZuRjBtCgIHgwoWkjoTWm1wSsRaDdyLIjaEBqikgpEvDsLQM67DmSAahK1YfNHxlqGN+ZUM4mj0fq4KDqf0oBsq1JGw+x8NHbkc96YWoJrmsfl9bRV2+RfS5zWsO9uAJ1VzE7ODxUdXx6H1DNgIZMA2YWuU9Ro5+Hdwa4U54tbYoen1tSf3kFigaMpvd+vY5HIyDzYqxpnQ1da/aV3e/+MwjU597gQqs7HjVc7mfKWLoUtb44soLi0k30e+8g0/tdteO0NfTqh7e/J6hbZ9H/SnHtEl3NWST/P77wABij07hHzv7Sksphq1EFOZvCPsxvrpuohUAFexy6d55gicbcXWR9b1LLPIivqDlJ0TTmq9GSS5emapw3/mJMedgJOFO0j7L0gUklTFCxTAu2C6Rrq0kkmrsCk2RP1vDKAyxGuuNgaLvlE94GmCPcvUP7542B4cBkmkJvsX1kuXfloz4QKJ9BmnTQDmJrmdwVJFTvvxTfm++GVTE3LwRNv9bijdEawhvGfm6Bndav0ELjFqhBxkNBRAJb89wZUGAD4xyv3MJ6D6CQ3Y8v2EZ/8nzhu9eCl+rOrix/2G/OD4/8ZR8baLKEtrjoDRBN/I8TTaKpHA9R0meOunI8OBgSmFlyOErcOi2FdrQ8u8gxxMLrdeyDwtassJAbd+k05Tf5rOTqCZS0qIEUqF8kVbDZ7Q97CP6KBpdGRidGC15pFqZZl9Fm9fV28pXHAJ/2IbITC0bQAgB08dQLhQoiOAA2AGQANgAwADkANgA2AGUAMQBlAGMAMwA3AGEAOAAAABCAYBoMQQBkAG0AaQBuAAAAIhJLAEgAQgBUAEgASgBGAEEAAAAqDG4AbwBuAGUAfAAAADImVwBpAG4AZABvAHcAcwAgADcAIABVAGwAdABpAG0AYQB0AGUAAABCVnwAQwBfAEYAXwAyADAANAA4ADYALwAyADQAMQAzADYAMQB8AEQAXwBVAF8AMAAvADAAfABGAF8ARgBfADIAMAAzADgAOQAvADIAMAA0ADcAOQB8AAAASABQQFiJCGCJCGiJCHD3r9t7eBCAAQGKAQUyLjEuMQ== ---END MAZE KEY---
URLs

http://aoacugmutagkwctu.onion/86d60966e1ec37a8

https://mazedecrypt.top/86d60966e1ec37a8

Signatures

  • Maze

    Ransomware family also known as ChaCha.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 47 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e14c0622af40260fec213c4100605bfb_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops startup file
    • Identifies Wine through registry keys
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\system32\wbem\wmic.exe
      "C:\jrass\..\Windows\hfltb\..\system32\mt\xd\ubuve\..\..\..\wbem\vvy\lrh\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2944
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:204

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_A82243F9A76B44D48C4451AEE384B7BD.dat

    Filesize

    940B

    MD5

    cf8c67a7a8fe60b7747bb1af1ab524e1

    SHA1

    f865052ba962089baad775c52d758bc09e363622

    SHA256

    a5f5e07c1bc5c4016567695f97696b8eb12c1c1dee02be5527ebcce965b104be

    SHA512

    bad8b802a54c5af9824c6604848048ac1c30902a8b38c334dba2f4b9f706079135ae9b1aac3deab8231c889a3a6e46786c4dabf266b8dbd5ac57f45210a3abf2

  • F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\DECRYPT-FILES.txt

    Filesize

    9KB

    MD5

    d5c513666d43f7be7175589eeab9fa3b

    SHA1

    4dd4030c398b147842e6a2b782b04df94222f569

    SHA256

    59b2bf79b3f8de547da84a5cc259b8dd28b400d38c9ba2d273ce85096097392a

    SHA512

    16d7b9e8af798ab095b092d567a101735357c6c1d4b766721ca4721e26284739be7fdce4d58f52db3a6a33ca0e547f7aaff8748b660aaf993bcb837cc3fbd90c

  • memory/3012-889-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-4-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-892-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-5-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-2-0x0000000000401000-0x000000000045D000-memory.dmp

    Filesize

    368KB

  • memory/3012-880-0x0000000000401000-0x000000000045D000-memory.dmp

    Filesize

    368KB

  • memory/3012-881-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-882-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-893-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-1-0x0000000077A20000-0x0000000077A22000-memory.dmp

    Filesize

    8KB

  • memory/3012-911-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-3-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-886-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-896-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-904-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-905-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-906-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-907-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-908-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-909-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-910-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB

  • memory/3012-0-0x0000000000400000-0x0000000000BD7000-memory.dmp

    Filesize

    7.8MB