Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
17-09-2024 02:32
General
-
Target
e5dff6da6b5ad6933a59d7d62ff9c699_JaffaCakes118.exe
-
Size
374KB
-
MD5
e5dff6da6b5ad6933a59d7d62ff9c699
-
SHA1
9144d2847e93495c362bb01955a8da325288f453
-
SHA256
622bc8d9051a4d3cbbde029199aa1c4e0f376185d5c43645c187b344b458eefc
-
SHA512
cc47e1ea5361ea960c18893179aa6f7f2e776dcdd6923fa313cce1705f32831c5d1acb0c0be916516c03347b65a5ae6f50ec336c15ecc56fb8c14e1a9d96a857
-
SSDEEP
6144:Wcs0ZKB8pufhYHAk5Ey8FGilhdUYcV0RFJ+WV:Wcs0ZKipufhcumKhdbfES
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_RECoVERY_+mqdnx.txt
teslacrypt
http://yyre45dbvn2nhbefbmh.begumvelic.at/21673FA16853FE37
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/21673FA16853FE37
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/21673FA16853FE37
http://xlowfznrg4wf7dli.ONION/21673FA16853FE37
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (872) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5dff6da6b5ad6933a59d7d62ff9c699_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e5dff6da6b5ad6933a59d7d62ff9c699_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5dff6da6b5ad6933a59d7d62ff9c699_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e5dff6da6b5ad6933a59d7d62ff9c699_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\vnqeawdblawa.exeC:\Windows\vnqeawdblawa.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\vnqeawdblawa.exeC:\Windows\vnqeawdblawa.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec45046f8,0x7ffec4504708,0x7ffec45047186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,62570161845761916,3620563573224085260,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,62570161845761916,3620563573224085260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,62570161845761916,3620563573224085260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,62570161845761916,3620563573224085260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,62570161845761916,3620563573224085260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,62570161845761916,3620563573224085260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,62570161845761916,3620563573224085260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,62570161845761916,3620563573224085260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,62570161845761916,3620563573224085260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,62570161845761916,3620563573224085260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,62570161845761916,3620563573224085260,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VNQEAW~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E5DFF6~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD546c49704c9acf94007bb633af8e48ff3
SHA10f97ac9475dba2c445ba64d8871a092bfdf74b44
SHA2569e40ec6c2d286f705e6c1ac0a01d64e808098784345a7362a4b16884e9da71c2
SHA512052be44edbc8fac340c8b707bb4a8feeb05f9c0f70bd9ad46cb7597cd3d5a1b9a4017a5d80e380807f3e77185cf01f90665ad207596950589d05750490847979
-
Filesize
63KB
MD55876952759c01e4cd087ffad70aa4b24
SHA1d14748a9853528a65e9047ef6d4decc5e953d02c
SHA25647d20c7fffb70ed608c567f71815b99bbd884296d9843ee4a22c36c44a8e7c91
SHA5124506442dda80011dab7c3550a31991230a494041969889fe04ff4b0a34910a2dd1a67dfd51b0e642becde661016fa86adcc711491a49a7b999bbdc3fada04f47
-
Filesize
1KB
MD5ff1c724c30cedf99915ab2479031c673
SHA1e2f6fac606074befc68da796ccf32a5ff1aadf43
SHA256b504bb3db42373c851061a6b86c462ffd8459bf48abd728b344b2945ba7433e6
SHA512247c37a074403c2611b7864cf1b6128a2bfe54715ffc08bf62ca6beb4a1992c80c61cbc4630cc52cc820fe57783858f64fd5d881e92fdbb152a4868ab888799c
-
Filesize
560B
MD54cb26edfeb81cb1794d7978e1586d211
SHA19a59a440df1246a75042fb8db7f3f75403aef9f7
SHA256f9c5f2b13485269da498a241e126209ae1601491fa04fbe2a432d85e3d4e0350
SHA5128fe39f01d94024a20f75f805abd956716a820ed1de139601548b4c3681623c96b31e8c4fb6cbdc3b27d82c3aede24be162a721008ed3fbe39e8c1b90c97ff384
-
Filesize
560B
MD5b47e80ce2627fdbe468f0d5edf29e9b5
SHA141ee72570368870bb37af39095302b1568e5907b
SHA25636c2c352487af3af6b556e631321366e8bfbed87c4b10144f99e14d7b7ecdc94
SHA512fb71651e591c906356170c6dbcd4923391a37018bf672b2604ed37f7b613d3bc8cbbd1e6c4e7be5d2f6edb50e15eef9723def4ba6433802481a573885bbc9950
-
Filesize
416B
MD5298bf0d19d601304eab750200d366e95
SHA1cbce56383325c19451b5d2d106a75fb05c9af9e4
SHA256ad802ad4d33a874f8b0868cfcb03b41f5c8810d4d67914ebd579d5e7ccf1c613
SHA5127f4ecf6afb1112c043b47b5c06da694edbeb03ab77bc9ec12bcee0a6711fd96a8fde55837e793dd7c540d9a098170fa19c41b6b16012309ef9996027f72e851a
-
Filesize
152B
MD5b9569e123772ae290f9bac07e0d31748
SHA15806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA25620ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
-
Filesize
152B
MD5eeaa8087eba2f63f31e599f6a7b46ef4
SHA1f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA25650fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
-
Filesize
6KB
MD5145f9432093f191bb05d29ec9ff5787e
SHA1f2d219dc722027d48e72bb2046b65354a3d1873e
SHA25656098527a4bdc34055ba97af11e39018d53e19454b41128cc55e30349a969af8
SHA5120cd87ce58aa69d9cf76a5933beb19d255fbc2cbd3b4a74a5bf66830709e8499763ba147fd5f1b2d011b7c2616d8263871eb7f8375bfe799741c67e0c5b0cfb92
-
Filesize
5KB
MD5da0a9672c1608b03c70141c9bc215492
SHA1613910180e91f762732677dc647527153e86a396
SHA256c7946b465c5ac84ce72357ec4bf0be2ea337d39664f8b97120d1a72b77a43043
SHA51249d2d08f2e262dcc294152925fd2b3057053ea90c01b32555b36ec24f0ab59cd3c5a141e66fc0dc0d5484a2e994a19a300e68f4daf7ba18eb9540c59c7d0bb88
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5edd5b5b5083f88f0b197a3f0bac05e9d
SHA12d4532548e43be31fad6423091c6f873b8d595bf
SHA2563bc9999d8eed9949a900a7619467048ce8d2a9a2fc8c4dab211165b8243531c9
SHA512d279f8003e751bab7a6de3662184ec941e9f820e849c6f9ae86fe7b0caed89add24dd0dfcb36f44c8cc57034cfc83e0d9da3a22dc24b115cf494a1d68360be2e
-
Filesize
74KB
MD53d94fb03d4d627551182b312df901f00
SHA1dc9f54260c47cf85abf670fc0d9bb2305118fdfe
SHA2567440766ca7b883dd3e738fa493099996230ae1b76c7a6b451ef9ad734d6f4b5e
SHA512363bd1a3b6b5e8ed68e8f71254b871fc6a23bffdaaaa32cea0a503d881c16c12a28d500e1da85534e40268710148919dc8201058fa07b5cc3d62523a9c03346a
-
Filesize
374KB
MD5e5dff6da6b5ad6933a59d7d62ff9c699
SHA19144d2847e93495c362bb01955a8da325288f453
SHA256622bc8d9051a4d3cbbde029199aa1c4e0f376185d5c43645c187b344b458eefc
SHA512cc47e1ea5361ea960c18893179aa6f7f2e776dcdd6923fa313cce1705f32831c5d1acb0c0be916516c03347b65a5ae6f50ec336c15ecc56fb8c14e1a9d96a857
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
2.8MB
