Overview

overview

10

Static

static

3

ef18fa4495...18.exe

windows7-x64

10

ef18fa4495...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-09-2024 04:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef18fa4495106a68af61c1d0d648ba82_JaffaCakes118.exe

  • Size

    659KB

  • MD5

    ef18fa4495106a68af61c1d0d648ba82

  • SHA1

    4b693c53b6894266e5e016253bda958ae7c612a8

  • SHA256

    aab0204705447fbf2ab759e57a9baebba3c36ea59799b5a774c9265032f502c5

  • SHA512

    bf368e77cf8fdb67fb6221e6020149747bfb85f70691954029cd2e42a5b42f98d344cce682ea4796cff14e0b03fd15ce1390b88d8425a279bc2411de15971447

  • SSDEEP

    12288:KVi5h23Ks1mQnWattmsbMVSH05SxQiEQ9jmE56r:KVia3p0RzYa+E

Score
10/10
locky_lukitusdefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Signatures

  • Locky (Lukitus variant)

    Variant of the Locky ransomware seen in the wild since late 2017.

    ransomwarelocky_lukitus
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Deletes itself 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef18fa4495106a68af61c1d0d648ba82_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ef18fa4495106a68af61c1d0d648ba82_JaffaCakes118.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2752
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\ef18fa4495106a68af61c1d0d648ba82_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:3000
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2296
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {5910DB5F-136C-4E8D-9CF2-F4EEE04BD96F} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:2604
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4a39dfdfb8be0c843b1574bbfed5253f

    SHA1

    508af1849839804ae333d56345eb91acf24b1dd1

    SHA256

    e26782d540faee79efcf044d9be7d3d4a267a736303d9b273201a38f1667307f

    SHA512

    584c3976a0af8fd6c32d82eaa80ebdc0a03e50dd9922a54b6fe13f290e0e6f0689c40ac8a6aad1da353130ad9445b716b5dbb1aed11a3b558106464377c749a3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e71a4394c28fa5c9266253b748a10d68

    SHA1

    af9575cf8a6bb0a71e7b9e9fc3160fc8d55e7658

    SHA256

    1ac9a5daf05ec974cc5df17f3178f5ad5074bd59f024308f97b4bd0a98107f61

    SHA512

    8f330af0d55e0f7e6afdb8255dce2b1717f19b3a4621bad9199cb0b0a71b43230a95b6b0789055247a57e73770286bd868027bb281f3b27734db111ec047f01b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    942e5555e367b562962bb02acba83877

    SHA1

    4ef28d2b58a312b4ae048db499612a2e8abe7616

    SHA256

    675257c303e119b8e1dc12cdd3392608a8bed52c6e9917b8ea6badb96c0f0196

    SHA512

    c786f5c2c1bcabfe4e93a97c6135b30775af306f8fffca8af7e2e003054e62055b10ce066a33dfccac3aea771e8240712843f831b4c224bf9f81078fa391f8cd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    853ee5f0af5ea75dd6983d1db52767ab

    SHA1

    51025b6d77474ef8e3e5d79bca71c0a871e56258

    SHA256

    035d247328583b8061a341d0c35c876ab7e5c14d521a79daa982fc60c6698aeb

    SHA512

    483aa0f13c1c7e34ac1c4b069364aa6a6191cb414e2e5d729ece4dfd5e49ffceaeb53d9d956498ff2af45d4624aea2e8697944679e8d07b6da5c682aaa6ddcf2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c5311cb3c3fe5eb07bc96ba11dd34a03

    SHA1

    a769534a2ec5d3d084f564cd85a9ffd874701251

    SHA256

    ce5954bde5e28b122be7a4fa5424a07b01595ac3aea7a464fc03bac42d4c2363

    SHA512

    320b07f032b81ce85c393450711a8aac89268d1d480488e4aab67178e210ca04e738392bbd3026f68a33635b345e565e27e900bda5c99e8c36a524aefdab5c51

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    84f7090175a2e5be37f879fbc93a3b0d

    SHA1

    55e8f48c2c8c319da340f39cfae259909961b54b

    SHA256

    54a06ad07cbdd96e2ebcd50335bf1145421ecf57632d0eb17010e039edb5d9d5

    SHA512

    b1aca7945a2b7b72539193f7af64ee278d71de6c8db3730abaa7848946b244128ee57b50532d7575a0ddd4d055d65142b97d286fe79dd95b623ad730b48a9852

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1ad9965e63e3688b21799726f120b9b8

    SHA1

    54e794ef73d2f97ad8e58a3bcb385da37db4ac8f

    SHA256

    708cec832a3bb4e68b4190bae49a05c453f88cde6aa35e8378d4ccbe0ec251a3

    SHA512

    794cddaf3fa7c05052c78511340c1feacda85b8001c998a783760c76cd207ac39849c70924cf4eefdbd1b08cecd02539a6da2f69dc36e7e8f7d3b782cca02eea

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cb7dd64d7730e5e73568c032e9906232

    SHA1

    df00941708c176f777e15eafee52ab86a6d419a2

    SHA256

    26d349b457a242c341fea364383f8955611853e5a3c790fdefda54db301ee7ce

    SHA512

    9f83969529a41e70d442e9d284e043939df633c50efcba853a3bc968dd5132a05bf962362256d5cf003299b246b6bc371dad53c47e75b1065aa82ba8de0a0186

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4aa0ad7155b476493c5ead2e0530aaf5

    SHA1

    f5f8280f48d73faa583eaa7ff2d38e19315fb70e

    SHA256

    7b23dd39abf3f76b894a16c7217f481006e7ea356882ddf84e98559736060f74

    SHA512

    27a6113b42792d4d4b9eed7499ae0de0b963a3d17beffdad4a7581937c7bedf69091b46d8b4e444696a5451da56f45ba1e027269f275e6f50d5f4c6a9e579c26

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cd171fbf976cc8827dcd50d7e9bb8620

    SHA1

    46e1c0d8d0661a8755c72cc9e765a4dd0442c6e7

    SHA256

    478ded88a6cf3e0fb70e521b8be71fd2e6eef61a7dcf423bfb5d0a8a11942831

    SHA512

    a24fd17f0ab581bdf7b857d3e367e630e4078275cff9ff46312d888dce131d16a1719a0bdd26d04edb74832378cb79eb4730aa728b0da9d08b5c9378a9674135

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    96fe8981e87c73d1fafb8ba9653e9dea

    SHA1

    080ba6b19dbaa79abd765de938303bb04e719f36

    SHA256

    3da71ee0c885e701ddcea165633dafbe028732d5be7617435c85f618d0c4945e

    SHA512

    c4250f3c9b18e59fec1b92f2ff16c552330be877027a597d01414c46d5d7abeb08592b4e7c3317544082db2ab541c0c369cac3d3f3441058533694e5b16f1d21

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    928a9aea88b24c1c99115d88eff5d9d5

    SHA1

    488b4cc8bc4e9d2b93eb98ff8b13660252be2bea

    SHA256

    3d3b3ba2b34db9bb2bd3588341bb1b80eb8e70b9f9e8ababac44aa6943568024

    SHA512

    5f7549315b09dac3cdcd4588efe6321ce595fd68aa3dd0ef10828c10384fbb608e4c8807bdab7945b499452cd18286bfb636ae614f0d7f6321047db78fe8a458

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ad680b165a8ddfcf05452317793bed97

    SHA1

    c6eee9d213d2a959e8beee58f0dbad21b1801fde

    SHA256

    1bb907fc179e47de3fc86c25861b0af4088eac43fa928a10b2c7e86ba4683fdf

    SHA512

    a29263cb0815a460cebe53ba859288f0653a3e0f8a991ae30aea2f5d16d4ee6622dbcccc8c178ef28dd54476d0480d462afd2d680e7d7c6c9268d72d2b8941b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab6DC4.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar6E53.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\Desktop\lukitus.bmp
    Filesize

    3.3MB

    MD5

    c0c663afd0ddf2184a10a6d6914c8880

    SHA1

    479b3b87da28d4fa128e71ee329fb91b1bfbe52b

    SHA256

    df6508e1a3b2895ceed8dd3e2bf439cf33615b23077da2999e6b3b13513cd171

    SHA512

    4f85ea413cb7fce14950bda0e8b61a6b5432bc7b82bb9babf6a89cc4df27042df9ebae59b298cb27c6cc0622d3506ecc970288ef296caff3f166974c1363ce26

    Download Submit

  • C:\Users\Admin\Desktop\lukitus.htm
    Filesize

    8KB

    MD5

    5d344bfea5918fa23ccd697477e8a08d

    SHA1

    40b78f9b30765365c4a7a8c4b5acbcf3f539eccc

    SHA256

    689be26c855d9e60610037768558d460a9e39a007db8a396b2d7f459fe2b1eaa

    SHA512

    1a8edf63617a2f1d3fc905a8840728938e162be28271c21e2664d9ab34690fedb38234ecb4510a19eddc393eab99cc53c6852a191c403025ff5912ef7f11e3da

    Download Submit

  • memory/2684-280-0x00000000001A0000-0x00000000001A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2956-3-0x0000000000400000-0x00000000004A7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2956-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2956-279-0x00000000026A0000-0x00000000026A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2956-281-0x0000000000400000-0x00000000004A7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2956-2-0x0000000000400000-0x00000000004A7000-memory.dmp

    Filesize

    668KB

    Download

  • memory/2956-1-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download