Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2024 11:36
Static task: static1
Behavioral task: behavioral1
- Sample: f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe
- Size: 777KB
- MD5: f5ecda7dd8bb1c514f93c09cea8ae00d
- SHA1: f5e03c44b584367241cbd2152fbd99fcc9ccd43f
- SHA256: 4080402553e9a86e954c1d9b7d0bb059786f52aba4a179a5d00e219500c8f43d
- SHA512: 6ba2928825cced798d61cd1880525cbed4aeb79b04b4ec050e9657dfe06a95c7df3dc663dfc0f71c306af05a1dce1c764a27c4e0662719a7ba1f370af3aeb7d9
- SSDEEP: 12288:v4wMnyVrf59Kyh+exQk0wc5xQZkosR8uMS19dLz6f:v4dWmyh+jk1cHQZauxS19dLz6f
Malware Config
Extracted
- Path: C:\$Recycle.Bin\DECRYPT-FILES.txt
- Family: maze
- URLs:
  - http://aoacugmutagkwctu.onion/86d4096bfc4623b5
  - https://mazedecrypt.top/86d4096bfc4623b5
Signatures
- Maze
  Ransomware family also known as ChaCha.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
- Drops startup file (4 IoCs)
  Processes: f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe (all entries below)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\86d4096bfc4623b5.tmp
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86d4096bfc4623b5.tmp
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp"
- Drops file in Program Files directory (35 IoCs)
  Processes: f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe (all entries below)
  - File opened for modification: C:\Program Files\ReadStart.hta
  - File opened for modification: C:\Program Files\RenameFind.php
  - File opened for modification: C:\Program Files\UnregisterCopy.dot
  - File opened for modification: C:\Program Files\FormatCompress.m4a
  - File opened for modification: C:\Program Files\MountMeasure.cab
  - File opened for modification: C:\Program Files\EditOpen.edrwx
  - File opened for modification: C:\Program Files\RepairOpen.pot
  - File opened for modification: C:\Program Files\SuspendConvertTo.mp3
  - File opened for modification: C:\Program Files\CompareStep.wav
  - File opened for modification: C:\Program Files\DisconnectUnregister.snd
  - File opened for modification: C:\Program Files\WriteDebug.crw
  - File opened for modification: C:\Program Files\WriteWatch.html
  - File opened for modification: C:\Program Files\MergeSubmit.mpeg
  - File opened for modification: C:\Program Files\PingDisable.scf
  - File opened for modification: C:\Program Files\ResetConvertTo.MOD
  - File opened for modification: C:\Program Files\ClearEnable.odp
  - File opened for modification: C:\Program Files\CopyNew.pptm
  - File opened for modification: C:\Program Files\AssertUnlock.dib
  - File opened for modification: C:\Program Files\CompareStop.vsw
  - File opened for modification: C:\Program Files\EnableDebug.eps
  - File opened for modification: C:\Program Files\FormatWait.xsl
  - File opened for modification: C:\Program Files\ImportWrite.htm
  - File opened for modification: C:\Program Files\RemoveGroup.ttf
  - File created: C:\Program Files\DECRYPT-FILES.txt
  - File opened for modification: C:\Program Files\ApproveMount.jpeg
  - File opened for modification: C:\Program Files (x86)\86d4096bfc4623b5.tmp
  - File opened for modification: C:\Program Files\ResetDeny.ADT
  - File opened for modification: C:\Program Files\UpdateUnblock.ogg
  - File opened for modification: C:\Program Files\MeasureAdd.avi
  - File opened for modification: C:\Program Files\ReadHide.vstm
  - File created: C:\Program Files (x86)\DECRYPT-FILES.txt
  - File opened for modification: C:\Program Files\86d4096bfc4623b5.tmp
  - File opened for modification: C:\Program Files\CompleteCheckpoint.ttc
  - File opened for modification: C:\Program Files\DismountEnable.cfg
  - File opened for modification: C:\Program Files\RenameUnprotect.m3u
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe
  - PID 3812: f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe (recorded twice)
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Processes: vssvc.exe, wmic.exe, AUDIODG.EXE
  - vssvc.exe (PID 4304) tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - wmic.exe (PID 2360) tokens, the following sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - AUDIODG.EXE (PID 1680) tokens: 33, SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe
  - PID 3812 wrote to memory of 2360 (pid 3812, f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe, procid_target 93), recorded twice
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f5ecda7dd8bb1c514f93c09cea8ae00d_JaffaCakes118.exe"
  - Drops startup file
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3812
  - C:\Windows\system32\wbem\wmic.exe
    Command line: "C:\n\qec\..\..\Windows\ub\..\system32\yjj\aj\..\..\wbem\foec\pw\l\..\..\..\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
    PID: 2360
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 4304
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x410 0x504
  - Suspicious use of AdjustPrivilegeToken
  PID: 1680
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not recorded)
  Filesize: 9KB
  MD5: 72b096e157f214b746180b946acd67e5
  SHA1: d4fca9ed5435da7629a0bdfea187905d32009453
  SHA256: 28d19936f4f0defc509d3edd31f1e4559dc1d7e860d658dedb1f1bbfa5f81fa8
  SHA512: f2c15e70916f92ce24310afce435e456ae62a723f5d61cbb2f224c5575df5dad8dcac5e2776ab02203498f5efd9be0dc389b20dbf9fd05cbb97fb54a6c356d63
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_F50B5EA05CEC48C6B7612754C4069F23.dat
  Filesize: 940B
  MD5: 9e2d08370ab323900e3c693f8d5518f4
  SHA1: 8d1880e4d2207a80cdf2dc5b25e8f743da00be57
  SHA256: 3718f2cbdb33b2fa43b7db512fd49e66d57355d976d7677ffd3d2c55fad9137f
  SHA512: 2091a54656d118531dd11f1311b8ab375aa19ea9ae68e85d90a1032fb912591050b9cc32a8e2b2c00f9c444b3e8f8fd9c02f6d2d860ed8b48e88529bbcf1d80c