Analysis

  • max time kernel
    116s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 01:52

General

  • Target

    ea5f9e5a6230afdf746ca66d73a562fe_JaffaCakes118.exe

  • Size

    745KB

  • MD5

    ea5f9e5a6230afdf746ca66d73a562fe

  • SHA1

    e87f7c58123d206c0b2d6bbff53a776672337624

  • SHA256

    f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2

  • SHA512

    f24dc06251bf035973737fee95bedb976ce0eaa0e671a02e364de5d5ea6584b00685aef1466dd1baebc4a74823ae69dc58f01a42a3b5015a02eab8066d61ccdc

  • SSDEEP

    12288:DHJwPR6R5RDcj4eS39FuYOQ3JqLpH2xGHFijTIvZaw1xionTG2X5L:DHGPoRbCS394BEg9WoIqz1tTtJ

Malware Config

Extracted

Family

djvu

C2

http://cjto.top/nddddhsspen6/get.php

Attributes
  • extension

    .ogdo

  • offline_id

    XIyyRCNH8lJ6pGHLNnQPCMfabY9p3AQCEQc3Lnt1

  • payload_url

    http://cjto.top/files/penelop/updatewin1.exe

    http://cjto.top/files/penelop/updatewin2.exe

    http://cjto.top/files/penelop/updatewin.exe

    http://cjto.top/files/penelop/3.exe

    http://cjto.top/files/penelop/4.exe

    http://cjto.top/files/penelop/5.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-SY0GqQtRAT Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0250riuyfgh

rsa_pubkey.plain
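
Triage helpers for the extracted configuration above. This is an added example for this report, not code from the sandbox, the analyst or the malware: the constants are copied from the Malware Config section, the ransom note is a constructed excerpt of the captured text, and the only outside knowledge it relies on is the Djvu/STOP convention that personal IDs ending in "t1" were generated with the hard-coded offline key (the offline_id above carries that suffix); the report itself does not state that rule, and the "0250riuyfgh" ID is simply the string present in the captured note.

```python
"""Triage of the extracted Djvu/STOP configuration (added example)."""
from urllib.parse import urlparse

# Values copied from the "Malware Config" section of the report.
C2 = "http://cjto.top/nddddhsspen6/get.php"
PAYLOAD_URLS = [
    "http://cjto.top/files/penelop/updatewin1.exe",
    "http://cjto.top/files/penelop/updatewin2.exe",
    "http://cjto.top/files/penelop/updatewin.exe",
    "http://cjto.top/files/penelop/3.exe",
    "http://cjto.top/files/penelop/4.exe",
    "http://cjto.top/files/penelop/5.exe",
]
EXTENSION = ".ogdo"
OFFLINE_ID = "XIyyRCNH8lJ6pGHLNnQPCMfabY9p3AQCEQc3Lnt1"

# Constructed excerpt of the ransom note captured in the report.
SAMPLE_NOTE = (
    "ATTENTION! Don't worry, you can return all your files! "
    "Price of private key and decrypt software is $980. "
    "Your personal ID: 0250riuyfgh"
)


def network_iocs(c2=C2, payload_urls=PAYLOAD_URLS):
    """Unique hosts (for DNS/proxy blocking) and full URLs (for log hunting)."""
    urls = [c2, *payload_urls]
    hosts = sorted({urlparse(u).hostname for u in urls})
    return hosts, urls


def extract_personal_id(note_text):
    """Return the token following 'Your personal ID:' in a note, or None."""
    marker = "Your personal ID:"
    start = note_text.find(marker)
    if start == -1:
        return None
    rest = note_text[start + len(marker):].split()
    return rest[0] if rest else None


def is_offline_id(victim_id):
    """Djvu convention (not from the report): IDs ending in 't1' were produced
    with the offline key, the case where third-party decryptors may help."""
    return victim_id.endswith("t1")


def is_encrypted_name(filename, extension=EXTENSION):
    """Djvu appends its extension to the original name, e.g. photo.jpg.ogdo."""
    return filename.lower().endswith(extension)


def original_name(filename, extension=EXTENSION):
    """Strip the appended extension to recover the pre-encryption name."""
    if not is_encrypted_name(filename, extension):
        return filename
    return filename[: -len(extension)]


def find_encrypted(filenames, extension=EXTENSION):
    """Filter a file listing down to names carrying the Djvu extension."""
    return [f for f in filenames if is_encrypted_name(f, extension)]


if __name__ == "__main__":
    hosts, urls = network_iocs()
    print("block hosts:", hosts)
    print("hunt URLs:", len(urls))
    print("offline_id uses offline key:", is_offline_id(OFFLINE_ID))
    print("ID in captured note:", extract_personal_id(SAMPLE_NOTE))
```

The host list collapses to a single domain because every payload URL and the C2 share it, so one DNS sinkhole entry covers the whole configuration; the URL list is what to search for in proxy logs.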

Signatures

  • Detected Djvu ransomware 12 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Renames multiple (165) files with added filename extension

    Ransomware typically appends an extension to each file it encrypts; 165 renames with an added extension in one run indicates bulk encryption of files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Reads the country/location code configured in the registry, most likely as a geofence check that decides whether the sample runs.

  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea5f9e5a6230afdf746ca66d73a562fe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea5f9e5a6230afdf746ca66d73a562fe_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\7a8c691d-eeb1-4c03-9e05-89ecdaf39699" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:4196
    • C:\Users\Admin\AppData\Local\Temp\ea5f9e5a6230afdf746ca66d73a562fe_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ea5f9e5a6230afdf746ca66d73a562fe_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4048
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1792
        3⤵
        • Program crash
        PID:4624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 2056
      2⤵
      • Program crash
      PID:4940
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2004 -ip 2004
    1⤵
    PID:4132
  • C:\Users\Admin\AppData\Local\7a8c691d-eeb1-4c03-9e05-89ecdaf39699\ea5f9e5a6230afdf746ca66d73a562fe_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\7a8c691d-eeb1-4c03-9e05-89ecdaf39699\ea5f9e5a6230afdf746ca66d73a562fe_JaffaCakes118.exe --Task
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1092
      2⤵
      • Program crash
      PID:3496
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2220 -ip 2220
    1⤵
    PID:3676
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4048 -ip 4048
    1⤵
    PID:3964
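
Detection logic for the install sequence visible in the process tree: the sample locks its own drop folder with icacls (deny Everyone delete rights), relaunches itself with family-specific switches, and later runs from the GUID-named folder under %LOCALAPPDATA%. This is an added example, not part of the sandbox report; EVENTS is constructed from the command lines in the tree using Sysmon Event ID 1 style fields (pid, ppid, image, command_line), and the field names and the ppid of the two top-level processes (0 meaning "parent not shown in the tree") are assumptions.

```python
"""Process-chain detection for the STOP/Djvu sequence above (added example)."""
import re

# %LOCALAPPDATA%\<GUID> : the folder the sample copies itself into.
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b", re.I)
# icacls <dir> /deny *S-1-1-0:(OI)(CI)(DE,DC): deny Everyone (S-1-1-0) delete
# and delete-child, inherited to children, so the dropped copy resists removal.
ICACLS_DENY = re.compile(r"/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)", re.I)
# Self-relaunch switches seen in the tree.
DJVU_SWITCHES = ("--Admin IsNotAutoStart IsNotTask", "--Task")

R_ICACLS = "icacls_deny_everyone_on_localappdata_guid_dir"
R_RELAUNCH = "djvu_self_relaunch_switch"
R_DROPPED = "exec_from_localappdata_guid_dir"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ea5f9e5a6230afdf746ca66d73a562fe_JaffaCakes118.exe"
DROPPED = (r"C:\Users\Admin\AppData\Local\7a8c691d-eeb1-4c03-9e05-89ecdaf39699"
           r"\ea5f9e5a6230afdf746ca66d73a562fe_JaffaCakes118.exe")
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the process tree; ppid 0 = parent not shown in the report.
EVENTS = [
    {"pid": 2004, "ppid": 0, "image": SAMPLE, "command_line": f'"{SAMPLE}"'},
    {"pid": 4196, "ppid": 2004, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "command_line": r'icacls "C:\Users\Admin\AppData\Local\7a8c691d-eeb1-4c03-9e05-89ecdaf39699" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"pid": 4048, "ppid": 2004, "image": SAMPLE,
     "command_line": f'"{SAMPLE}" --Admin IsNotAutoStart IsNotTask'},
    {"pid": 4940, "ppid": 2004, "image": WERFAULT,
     "command_line": f"{WERFAULT} -u -p 2004 -s 2056"},
    {"pid": 2220, "ppid": 0, "image": DROPPED, "command_line": f"{DROPPED} --Task"},
]


def detect(events):
    """Return (pid, rule) pairs for every event matching one of the three rules."""
    hits = []
    for e in events:
        img, cmd = e["image"].lower(), e["command_line"]
        if img.endswith("\\icacls.exe") and ICACLS_DENY.search(cmd) and GUID_DIR.search(cmd):
            hits.append((e["pid"], R_ICACLS))
        if any(sw in cmd for sw in DJVU_SWITCHES):
            hits.append((e["pid"], R_RELAUNCH))
        if GUID_DIR.search(e["image"]):
            hits.append((e["pid"], R_DROPPED))
    return hits


def chain_parents(events, hits):
    """Parents whose children include both the icacls lock and a self-relaunch:
    that pairing is the install sequence, stronger than either event alone
    (icacls /deny on its own is common admin activity)."""
    ppid = {e["pid"]: e["ppid"] for e in events}
    rules_by_parent = {}
    for pid, rule in hits:
        rules_by_parent.setdefault(ppid[pid], set()).add(rule)
    return {p for p, rules in rules_by_parent.items()
            if R_ICACLS in rules and R_RELAUNCH in rules}


if __name__ == "__main__":
    found = detect(EVENTS)
    for pid, rule in found:
        print(f"pid {pid}: {rule}")
    print("install-chain parents:", chain_parents(EVENTS, found))
```

The WerFault.exe entries in the tree are the crash handler and deliberately produce no hits; the correlated parent (2004 here) is the process to isolate and the one whose Run key entry, reported in the signatures, should be removed together with the locked folder.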

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize
    1KB
    MD5
    7fb5fa1534dcf77f2125b2403b30a0ee
    SHA1
    365d96812a69ac0a4611ea4b70a3f306576cc3ea
    SHA256
    33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
    SHA512
    a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
    Filesize
    436B
    MD5
    971c514f84bba0785f80aa1c23edfd79
    SHA1
    732acea710a87530c6b08ecdf32a110d254a54c8
    SHA256
    f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
    SHA512
    43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize
    174B
    MD5
    0641d920ef0eae81832fb01ad5f4ea5d
    SHA1
    c196ce53fa01e32dff7cf7a87e1e549009d9dfcb
    SHA256
    7f648d4edb49ae542a31c813f3e5b993efdb4a82102a9acab527533359f4e1bf
    SHA512
    d0f7dfeae57873e538d6aabe691acd6aa397ced3745de800b6653231ec1b94a4dab36b76bbc15ab1e2e832b9c19cde30993d4d8d8cdeb67e3becb1f0963aeff4
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
    Filesize
    170B
    MD5
    8c36d1c81d88cd0efa8f14efc00e8834
    SHA1
    18537dd88d84e5cf92396a6e0257029c5dd5ca6c
    SHA256
    4f43562d47332f54598677c2d8a3db2657f6dda2ff6dc6ef6bbaa9884663180a
    SHA512
    e7c38f6f76ee353fd7cfcefe1a6623ebdcb1d6163bbf51c9c8d071a7e8db79d00a00ef0513c6b752f5e04749d59e64460ca8beb7b44ed3c2bd1b9b96607cd53e
  • C:\Users\Admin\AppData\Local\7a8c691d-eeb1-4c03-9e05-89ecdaf39699\ea5f9e5a6230afdf746ca66d73a562fe_JaffaCakes118.exe
    Filesize
    745KB
    MD5
    ea5f9e5a6230afdf746ca66d73a562fe
    SHA1
    e87f7c58123d206c0b2d6bbff53a776672337624
    SHA256
    f7416e3f009957168dba525532072bcdb53ef2e20e8f6891ac5ad5a16b5f16c2
    SHA512
    f24dc06251bf035973737fee95bedb976ce0eaa0e671a02e364de5d5ea6584b00685aef1466dd1baebc4a74823ae69dc58f01a42a3b5015a02eab8066d61ccdc
  • memory/2004-1-0x0000000000B20000-0x0000000000BBF000-memory.dmp
    Filesize
    636KB
  • memory/2004-19-0x0000000000400000-0x0000000000A0A000-memory.dmp
    Filesize
    6.0MB
  • memory/2004-21-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize
    1.2MB
  • memory/2004-3-0x0000000000400000-0x0000000000537000-memory.dmp
    Filesize
    1.2MB
  • memory/2004-2-0x0000000000D50000-0x0000000000E6A000-memory.dmp
    Filesize
    1.1MB
  • memory/2004-20-0x0000000000D50000-0x0000000000E6A000-memory.dmp
    Filesize
    1.1MB
  • memory/2220-46-0x0000000000400000-0x0000000000A0A000-memory.dmp
    Filesize
    6.0MB
  • memory/2220-42-0x0000000000400000-0x0000000000A0A000-memory.dmp
    Filesize
    6.0MB
  • memory/2220-43-0x0000000000400000-0x0000000000A0A000-memory.dmp
    Filesize
    6.0MB
  • memory/4048-18-0x0000000000400000-0x0000000000A0A000-memory.dmp
    Filesize
    6.0MB
  • memory/4048-33-0x0000000000400000-0x0000000000A0A000-memory.dmp
    Filesize
    6.0MB
  • memory/4048-32-0x0000000000400000-0x0000000000A0A000-memory.dmp
    Filesize
    6.0MB
  • memory/4048-28-0x0000000000400000-0x0000000000A0A000-memory.dmp
    Filesize
    6.0MB
  • memory/4048-17-0x0000000000400000-0x0000000000A0A000-memory.dmp
    Filesize
    6.0MB
  • memory/4048-380-0x0000000000400000-0x0000000000A0A000-memory.dmp
    Filesize
    6.0MB