Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
17-09-2024 02:32
General
-
Target
e5dff6da6b5ad6933a59d7d62ff9c699_JaffaCakes118.exe
-
Size
374KB
-
MD5
e5dff6da6b5ad6933a59d7d62ff9c699
-
SHA1
9144d2847e93495c362bb01955a8da325288f453
-
SHA256
622bc8d9051a4d3cbbde029199aa1c4e0f376185d5c43645c187b344b458eefc
-
SHA512
cc47e1ea5361ea960c18893179aa6f7f2e776dcdd6923fa313cce1705f32831c5d1acb0c0be916516c03347b65a5ae6f50ec336c15ecc56fb8c14e1a9d96a857
-
SSDEEP
6144:Wcs0ZKB8pufhYHAk5Ey8FGilhdUYcV0RFJ+WV:Wcs0ZKipufhcumKhdbfES
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+blixq.txt
teslacrypt
http://yyre45dbvn2nhbefbmh.begumvelic.at/EF96E617E4228D5
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/EF96E617E4228D5
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/EF96E617E4228D5
http://xlowfznrg4wf7dli.ONION/EF96E617E4228D5
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (428) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5dff6da6b5ad6933a59d7d62ff9c699_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e5dff6da6b5ad6933a59d7d62ff9c699_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5dff6da6b5ad6933a59d7d62ff9c699_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e5dff6da6b5ad6933a59d7d62ff9c699_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uwxecumjvnnp.exeC:\Windows\uwxecumjvnnp.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\uwxecumjvnnp.exeC:\Windows\uwxecumjvnnp.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UWXECU~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E5DFF6~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5500423fdf11658dc9b8b8394e543f742
SHA1be6002e4aa7fc2037f78ead51f52a6b4484fffb9
SHA256c06367cf48bd97f8babfb40d636e2cb128a3fa3158a096107128582d8ba5906e
SHA5121b1f346561877d7a74cb4fc5b45410e365583122ea9e40b564f013e4a19fea64c3372b4963ac8bc79d8a5d4526335347ae4eb0e442c1afe86be217848863474c
-
Filesize
63KB
MD5c922164268bf76ee4445a2fc3a984d43
SHA12560c87d49970cc534b8798f0b619eae125a9ef4
SHA25664705b2c4d88f80afcafd565b2c4172133c1e4b133e870be4b87b1b25c0fb530
SHA51276aaf85e6e0aa540e532537c4c2d53010c37e476aba9182ec66dffc21f35883a6d1be0e1ab56896aed71fed57ca1f907a1ba162b0fb0bcaa48bbb4de9749d46d
-
Filesize
1KB
MD503a0c236d636c3738ee582fb3b321559
SHA1a4d7f5d2874c5b988887743941cae38ba7fcb279
SHA256ccc7b2b4d107c410ee18f0d2d052c35bc769249eff0fbad3eaee4bae87a9b929
SHA512dc330ccb9d4d9e47f421feb6cb330a6c44526b6661f4e6dc2df67ffada34f8de818b5b4a4fcf2ebe3f003620d59464e783cd7a91fccad550e30acee6a4232021
-
Filesize
11KB
MD51a7da782310e213b4f36576805c0227d
SHA137d06fb5832833c2c6257cebcb6e20f972950d6f
SHA256c9919b1c6872e100227e193cd9071cba6cd04a96e1d0996109359bd670be8ea4
SHA512e1671575cf4ed9fc6bb2836662c241cd941cd41118e8411a8cfc6de986a624d1662bd2ef4fc16f5f946ae2af42bacfb30ba3652f113b69aae2017ad29df7ec63
-
Filesize
109KB
MD51ce20a3c7a3575f11f568981e83ebff0
SHA17b577dc1fe8354d49bdb2ef349a09464386bd3ad
SHA256025160954c05e815e62295a314819001e594a829b8c04e69a5cc4f1e00ab62b8
SHA512a3bbf17e624966d6d532330387a3322d66139a38ceca5cd81ce586eab63718fa33bc50cbdf7f3361da5847e36f22c048038a5333c7db03da7dbeb1d714fe49a7
-
Filesize
173KB
MD5ed34a620de6a922bd126c6fe55b238e0
SHA1ac1ce0208adfefe08e006c405ba6f6760b738470
SHA256fe1e341861dd6183792474eda028983cab8345503d4f1557bd0c524805dc2a6d
SHA512d6972dbd46440fae65b98bd476a83a11da48f919f359c46a48f68873cdb020d284a9ab99c15e839e32a0ef80f051349f54fe8d2ddbab523867d61e0767703523
-
Filesize
342B
MD590f7d16c3287dcdf3020bb369e815181
SHA1af94f4751ebec68428f2d66a10ce9d220b3d1c0f
SHA25667926960df59f112c0e401aa24c92103aa372cd7b6b7316041dc144e0a0c4af6
SHA512d857479aa9fe4e3c36608b08f2e427ca9a0bd7474a696a49154effe3b0493ecf962c16ff868448e682c06d6a6a1388a9c228ecc2603036382e2cd9c9475f1f3f
-
Filesize
342B
MD5f55290970f6deb0004c2edf1fa3241b6
SHA12912640c6a48a63775f18aed008a89f58fd4561c
SHA256c327ca341fc887a578b2c1d5ab6d3b8dc829c12f7a4ebea79c17fbde91280469
SHA512525e5e79019f980f91abde7ed28715fc7fe9e6b8abfe8bc4fd552ce1a1f22395cc8ed14219eb0a3c328b7f6b8cbd4c2adfb17c48fb393899573f140849c34c85
-
Filesize
342B
MD57e1cee7ccb6d12371b554f1f62a9c28b
SHA17e82c6b92af6fb445075bc1853773165ddb1fd4a
SHA256e444c48f9d343e03e39017dfdf0ae3fce4502d379ea87aaad9f105693d65158b
SHA51217e06b4773bbfbe1f67934b91366c057ae39cbde484c0ddad610cb32f46aa638178922c0d2501d896f98cf5bfaa56526b62db604106ad45d49acaede7fe6bcc1
-
Filesize
342B
MD5a09eec903f0c0ae9a262b1c39b28f390
SHA1ce189b33abfe2bf8b89b379744d4e4d874e7066d
SHA2567a7873e9247ae5fea9bd55cbb82fa5db5868cb093ec39aed823bf1a9f5a3279c
SHA512c6e1eb912f37e98f6280ef642dd3406373ed3b24155ac8ff597569ffe27e7eda4ebe217c518582bde85d5bbae7076eecb5d13b0ea1dc0e145cd3c48905e2f47d
-
Filesize
342B
MD58a42235688d696712faf02c1c859abb9
SHA1d512b683c8cd448646d8b2c8aea4d835480a7f71
SHA256f24b1012d6373c789a7062e8efa6dce75ef06aa4b6066da1e0f674f85f08014d
SHA512002100e93fbe3aadb858918df6e9aa59c347bd25722d32adbd26744e04ef5690f69f39cf93947a52156a5df67466952fc65598a9fb944c02cff38cd2620fa5af
-
Filesize
342B
MD5e760fa5057dffa4c7582e0dfa80b3988
SHA19abff688708dee82cd5cd869ecf18687dc0bc8d2
SHA256820a727ea8cfc98a7141759580c4fdfc29f6871dc3feb9b6b435ab288e5a7b19
SHA512d87d212ed1158221507a74c4605d9870c0774c69247823c03b7b17a49672859652aa3ec1d62fadf898551c4d26a7723d4778afaf2592b3d4bbc4a079e04f224e
-
Filesize
342B
MD5208a0636bf8235ff3c85301a7cbf6a63
SHA1910bd616bc836b41994c1fd2036fc8aceea94b3a
SHA2566e9db8e51b2b07650ec4aed5d5ecb5e934691ba044ad3c8fc39059b1095a792d
SHA5125fd210514c9620d7675773215bb346856ad4b5249c55e001b1433c8a4413b58c4a8de03adaa072ff78471b9d4d906c42fc93ca497e1aa27275245cab5f80fd4b
-
Filesize
342B
MD5cb83399022953a1ecced161f1811e9f3
SHA14153ce7cd765304f5209b2b6c5e1dda2b984f611
SHA25677c0a0a3ac2dd42b47e3df8a5230b7add4655d7fd0f12065b6fd3f53bb32d24f
SHA512b3fe47cd530bb6b3ac199dc25dc6b279ba57625a836889b304defa5b622a0f91e178c836714cd3db91387d4c6c6b483c914ad61f281846ebd8df81591135cd10
-
Filesize
342B
MD5aa9427fd63262c638644e6c3f452edbb
SHA10e758561086410e62cc0e434db6aca1afc6692ad
SHA256806e55cdfb34854908cc95b3663c2377119a0c99885b5910cee7141067fc1173
SHA5120afccef2f848e71e77e2793aa723b67b95996a4b449bb6f6c54fba6cb55b93fa4b53b02b3f571e00d4613b62fdad0ed5e7f5c41b11484dda3b96589cbec38fc9
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
374KB
MD5e5dff6da6b5ad6933a59d7d62ff9c699
SHA19144d2847e93495c362bb01955a8da325288f453
SHA256622bc8d9051a4d3cbbde029199aa1c4e0f376185d5c43645c187b344b458eefc
SHA512cc47e1ea5361ea960c18893179aa6f7f2e776dcdd6923fa313cce1705f32831c5d1acb0c0be916516c03347b65a5ae6f50ec336c15ecc56fb8c14e1a9d96a857
-
Filesize
8KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
4KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
2.8MB
