Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
23-09-2024 15:42
General
-
Target
f296876ebba9dbd1085b55b219b3e869_JaffaCakes118.exe
-
Size
384KB
-
MD5
f296876ebba9dbd1085b55b219b3e869
-
SHA1
d9ddcb36580ccee4687b5efcb8c7d6a3bdbc7703
-
SHA256
1506227b3ca0429e22ae401eed7eea7b7eedb4a50f80d496bfb0a93c50c13d5b
-
SHA512
9b0942e8f993faf6d18689bab8ae368b2da5eedee1bee0acdfd5f9444bc15027d447fc8ae72989ee52f58771865907ece85d32a6a312b5a9c7fe70b4db0d0e4d
-
SSDEEP
6144:HQMHIy84D4yxhkLAlsC+erjEU0R+f5DerHWQL1ZFGjg0AWO5rGMlukVt45yl07gc:HWF4D4YkE+ugTk6TQBABNKkVtEyl/
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+smtwb.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/5414880CDDAB060
http://kkd47eh4hdjshb5t.angortra.at/5414880CDDAB060
http://ytrest84y5i456hghadefdsd.pontogrot.com/5414880CDDAB060
http://xlowfznrg4wf7dli.ONION/5414880CDDAB060
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (864) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f296876ebba9dbd1085b55b219b3e869_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f296876ebba9dbd1085b55b219b3e869_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f296876ebba9dbd1085b55b219b3e869_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f296876ebba9dbd1085b55b219b3e869_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\nmehoqgasvgn.exeC:\Windows\nmehoqgasvgn.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\nmehoqgasvgn.exeC:\Windows\nmehoqgasvgn.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff116e46f8,0x7fff116e4708,0x7fff116e47186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6695707402642244713,17864069682804444062,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,6695707402642244713,17864069682804444062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,6695707402642244713,17864069682804444062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6695707402642244713,17864069682804444062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6695707402642244713,17864069682804444062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6695707402642244713,17864069682804444062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6695707402642244713,17864069682804444062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6695707402642244713,17864069682804444062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6695707402642244713,17864069682804444062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6695707402642244713,17864069682804444062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6695707402642244713,17864069682804444062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NMEHOQ~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\F29687~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD55be45b1a7908e15acfad7e6bbb3078f3
SHA12191c74ae3cb535d3db14ee09309ba94a593beec
SHA2565f40ca2b16c7102dd0c62acd29043ff887b043347d48cd57fc83727cff07f70b
SHA51265c0ccdf9857d2db4d6849f8498fbe62e59ec729a052f8eb33cacaa21d67b1cd5a6ca7468846c728cbefb1d8ad5ee9d9998b11f7c916c2e0fcf4f90ab7f5e937
-
Filesize
63KB
MD5316c699aa9afe167d6d56d978b63510b
SHA11ccf5dc5cd530feb060d14f3067918962ae572cc
SHA2566a18e71ba4e0b1286f2e738e6e34e486d006aa9051db864185a53f1ba4c3a9b5
SHA5125a343e1dfc360d278b7e0e691a9cd303c32b538e933f4e8acde1d40aa24be56f4d5dbb2bd5699f32c1c43afbd354a7c325dd46f72040c59329cf01a15e51dfd1
-
Filesize
1KB
MD5346df044d4662952dcf7587fafd7d394
SHA18c2edc2cf4c3c853b4ab49c32b030148324597da
SHA256093590baec265dcd87320bb11b8ffce9202231f8941e9e0457db17d78ece9b3c
SHA512e3636cfca62a198437e72b27387ce2d303f41e50e781621fe0be029947a070155349d0d2c01b1200c69fa0fcf96ed7c89b69df565658251eff0bd0afe7bcb0e7
-
Filesize
560B
MD5d4d8b4e31835fd18312fd16368ce2271
SHA1f78a6fcd13f74f1fc23d96255015c2ea6d638b00
SHA256b3850931812cf54620073ea9899b678b28859b18973773f24bbdb87d04114d62
SHA512a2864c89511626700f8a7c852047155f2f75b4007aeb7549a02890d3512cf94c30bec66ea78e3d653373c27574819cde1a44b6a5f296cd53b9dd6eaa92a62c1d
-
Filesize
560B
MD5c2c0e5e9e4e94082cd0ed8bac1206e26
SHA14fd3c296332b2307e3e93dedf9c8ca44dbc17285
SHA2562e95cf6dcb7020b1f38c0fb9339622f1a6fcabaa461723ac701df9b54640ff98
SHA512ea006bd2485dc580cc2f04ba85880ac8521429f71570aca61b1a77e5090b0f1994bd2dba300256bd02e44024f2caf18dda28badb1d6800a916bf586b358ac6b6
-
Filesize
416B
MD524ad1eb07136cb3b754928e22129c9ef
SHA1b47221df9cb567fc1b9b817779484b4d3170dd7b
SHA2566b9af5a871d2d6ff31b9c2b7038fd8b96b2ca6966ad6a5c02e14f08733856598
SHA51214b5f47725177e33697929513e2867c628a239be8194c42e1b3bb57ced7064f158b0c9e6ca0a1a02652cd5793a7f92774706f3be2d566f372c05a50e889ef861
-
Filesize
152B
MD52dc1a9f2f3f8c3cfe51bb29b078166c5
SHA1eaf3c3dad3c8dc6f18dc3e055b415da78b704402
SHA256dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa
SHA512682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25
-
Filesize
152B
MD5e4f80e7950cbd3bb11257d2000cb885e
SHA110ac643904d539042d8f7aa4a312b13ec2106035
SHA2561184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124
SHA5122b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0
-
Filesize
5KB
MD57d609a647dbf3aa3e4c5e8bcdf933a63
SHA1609865ece0a2f943d2fd4599c30d6858996400e3
SHA256215d0612ae59a53edf288e3eaeaa38f26d44d261596d264bd19aecd883c675ea
SHA51205ae9a4683c0a822096a030666805c733508921e68270312b9ac7865800738dbca3bc4578f40c2cec61d9f6512ff32ba5e9ecdb42758397748b07e55d80ff04c
-
Filesize
6KB
MD540049bfeb30d769323f68fc56173f5f3
SHA1aad5687d0a48f0edc3181886a7bdf5ce55c73cc3
SHA2566a1f85604a32dc0a553d408bde5db4d0dfb45b747a4651626e349652153f95cd
SHA512a799713eb91972bb581554d386eaa2675fe865cdcb4fd676a5f9368f3c448a14f9d108551e86174e9e4afad1a1c774aa398915dd0f9936724b1880968383a704
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD589d4f4ee281bb538487c52008b6b0f29
SHA18e9892b163cf79d45e96e56703671a9a1abb8b85
SHA2564459c5f4f099d6f01abd0c89afcfe0d28e73b55cf04a17aa2f09948b49edd523
SHA5123bbcb8e632781497d0bee2b27dc1388691a6a411e7c06c4d584cdc8b37d41a0a3213202fb48f048cddc02badd4867bbb877395726dba18a8f3fa8d80d04478fc
-
Filesize
77KB
MD5888804e9376d2dd6121c2e60a54f9619
SHA180ff4f329157248fd6bb08652c13272adbf7d85c
SHA256a2499d422dbf8cbdc5608e5b43a122aee549d38f8b488bd5c218d59e1a4bef37
SHA51264fa326ef52726542972e29b3f33aea875a5c9d0796005b2da0e2a0bc2a785e0c4de6c6beaaa7358533de9b461e7d531e43edc29fc71f0fbff0bddbf26ad5895
-
Filesize
47KB
MD562e35134921722372384ed051fc2d0aa
SHA1ef8c441c2d7136589d56c90b2ad6579b162c978b
SHA25670d363f9440212dfc7cc9bd9f19396da6e23d171c4c9f871832a5cc6781198fa
SHA512ebdb4fcd89e5c8509f87b379f65d1654e2f243527562862958a6d6f77045c239c93d1ee403faa0a8e3a7565f892e8fe4e723756260e61f53aa502a480e119b29
-
Filesize
74KB
MD540049306cfb96dd0cfcdcec89c944f82
SHA1407c2769805f7166a85686a2fab80a1e72c23fdb
SHA2568fe5073780654f843228f42528895dea999b43566d073fc3fe3197edbd267c20
SHA512c17b5c741991eb2edeb591b1a58f8b8f1bbe638571802dc358fe5cb30c8714a354fce58dcd5482f76e107e27f7710f083de4887cfb71971dac20c95df58296eb
-
Filesize
384KB
MD5f296876ebba9dbd1085b55b219b3e869
SHA1d9ddcb36580ccee4687b5efcb8c7d6a3bdbc7703
SHA2561506227b3ca0429e22ae401eed7eea7b7eedb4a50f80d496bfb0a93c50c13d5b
SHA5129b0942e8f993faf6d18689bab8ae368b2da5eedee1bee0acdfd5f9444bc15027d447fc8ae72989ee52f58771865907ece85d32a6a312b5a9c7fe70b4db0d0e4d
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
980KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
