ae25dc288f5ef1ecfe4f7d6728a1814020813d2958434a06011778c206f575c9

General

Target

eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe
Size

554KB
MD5

eae7974d820bd517495222b9a616a5c5
SHA1

ed1344541be0cce3e93177ac577f56fa0b06b9f4
SHA256

ae25dc288f5ef1ecfe4f7d6728a1814020813d2958434a06011778c206f575c9
SHA512

2cc45bdb0b359d65246b731f9b009de68c625fc667bcd5f19d8e5846a7b627af65cb78665f86d9913f398cf734fe00a65480612b4d3c083f6d661434f581c679
SSDEEP

12288:YQjLuRE4xKR72qKoe/ZWsYUxUKQzZZQZsqtOqN:nLueaKR72qKoe/EhdKYavN

Score

9^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agrbumaz = "\"C:\\Windows\\ypypexqz.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 788 set thread context of 1140	788	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	32

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ypypexqz.exe	explorer.exe
File created	C:\Windows\ypypexqz.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2828	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2600	vssvc.exe
Token: SeRestorePrivilege	2600	vssvc.exe
Token: SeAuditPrivilege	2600	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 2084 wrote to memory of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 2084 wrote to memory of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 2084 wrote to memory of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 2084 wrote to memory of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 2084 wrote to memory of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 2084 wrote to memory of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 2084 wrote to memory of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 2084 wrote to memory of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 2084 wrote to memory of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 2084 wrote to memory of 788	2084	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	31
PID 788 wrote to memory of 1140	788	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	32
PID 788 wrote to memory of 1140	788	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	32
PID 788 wrote to memory of 1140	788	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	32
PID 788 wrote to memory of 1140	788	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	32
PID 788 wrote to memory of 1140	788	eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe	32
PID 1140 wrote to memory of 2828	1140	explorer.exe	33
PID 1140 wrote to memory of 2828	1140	explorer.exe	33
PID 1140 wrote to memory of 2828	1140	explorer.exe	33
PID 1140 wrote to memory of 2828	1140	explorer.exe	33

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eae7974d820bd517495222b9a616a5c5_JaffaCakes118.exe"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\system32\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer Phishing Filter
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Direct Volume Access

1

T1006

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ywynugoxasijikec\01000000

Filesize
554KB

MD5
c5601e89f4bfe5cd379c8ab61f1f6097

SHA1
cd94af1f1e85fac5c8d49e237d9520c04f484187

SHA256
ad96e48c1f59a3e104ef8f313b6892b7a6d7791098ddc2f995c9169a29cd1052

SHA512
c1609e27ca5c415503d41942762c1ec4daf558150e1b1cfddbe4463bac922b4908e4a83ac4b389bf8902ce860d17a29031d61f90b9b221e02664e9d0d92b9e90

Download Submit
memory/788-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/788-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/788-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/788-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/788-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/788-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/788-26-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/788-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/788-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/788-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/788-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1140-20-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1140-19-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1140-32-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1140-31-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1140-29-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads