Overview

overview

10

Static

static

3

f974efbf6b...18.dll

windows7-x64

10

f974efbf6b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-09-2024 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f974efbf6b643894e4b49b45059f0356_JaffaCakes118.dll

  • Size

    89KB

  • MD5

    f974efbf6b643894e4b49b45059f0356

  • SHA1

    c7d16c92e93810d548850271090b9f2966afd45b

  • SHA256

    e475d8d45a50f22007579f49e0b79d88ea302d71f429ea1c0f2f8f76f60b9594

  • SHA512

    6ce76c69bf412f0e9f011cc5030fcadfe158c1ee14b73d14cd625b7aff99747817dbdd621a4773963b9fd9cdda47bd21dcca9fb508763981b7fd1300487ba692

  • SSDEEP

    1536:VzO3tEZa/zXqbK0y/1fXbHkBGJ/bhkPj3/gQgHcYhYEdwI+VSvbWFUg:NO3ZqbK061fXbEo/YE

Score
10/10
lockydefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!!Read_me_How_To_Recover_My_Files.html

Ransom Note
<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>Dear Sir<br><br>Your files are encrypted with RSA4096 and AES encryption algorithm. <br>But don't worry, you can return all your files!! follow the instructions to recover your files <br><br>Cooperate with us and get the decrypter program as soon as possible will be your best solution.<br>Only our software can decrypt all your encrypted files.<br><br>What guarantees you have?<br>We take our reputation seriously. We reject any form of deception</br>You can send one of your encrypted file from your PC and we decrypt it for free. <br>But we can decrypt only 1 file for free. File must not contain any valuable information.<br>Basic price for per computer is $980.Discount 50% available if you contact us in 72 hours, that's price for you is $490.<br>When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think.<br> Are they really interested in solving your problems or are they just thinking about their profit and ambitions?<br><br>By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst...<br>Here we upload sample files of your company and your private data on our blog :<br>http://6ss5vvdhmnhfux6xoerulzuu73ur52v6hcmvaiphohbtgvw2nnzflnid.onion<br>We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website.<br>We also promise we can decrypt all of your data and delete all your files on internet after your payment.<br>Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors!<br>For us this is just business and to prove to you our seriousness.<br><br>Our e-mail:<br> [email protected]<br><br> Reserve e-mail:<br>[email protected] <br>[email protected]<br><br>Device ID:<br> ==AAA8VM3EjLw4yNyEjLwEDLBZkSIRlQItEL1YUN1QzN0QEM2QEMCVjQBlTRDZEM4gjM4IjMCNDOxMTNxU0NDZjM0EjQFFDODdTOGdzN1UDMCFkQENEMFJTMxIjQ5IjR1MDNFVDM4YDOEJEREFTM2M0QCljMxIDOyEENDZkM5QEOzYUNBVEMGVDRxEDN4YDOyIERwEDR1AzMGhzQ2kjR3QjN5UUOEljMzITQyUTOGRkM2kDN4EEMDNzN0QzQwEkNFJkNzQTO5MTMwYTQ2EUO2YDRGNTO2ADNFFUM0kjMBdTODFkM0AjRBNjRGFER0AzQCJDOCFTODFTO2UERDVkMCRUN3I0QEdjNDNDMyI0NDBzMEdDRFVzQ3EDR1YkRyMEMzITNBlDN2kTQzIENGZjMwMUQ1YzN5UzQGNDMxIENxMEO0kDO4cjNxUTO0EEMClzNEdzNzUTOwQ0QxEkRwMzMyADOzQUQFBTNyQTRGVkR4EENDlDM3IER0MEO5MERwkTMCdDRGNDNyUTN5ETMFVkMFNjRwkzQEBTO2EzNGJDO4IjN3YTRFNUOGNUN0IENyMjNGhTMClTRFhTO0MjQCJ0MGhDM4M0M4cTOzEjR4M0MwkTOzI0N1UUR0ITQxgTR2YUO2Y0MxUTMGNEMxQERBNkNFN0M2ATNCREN3YDOBVzMGhTOBNkNzQDODV0QyUUN5EERxEER1gTRENjNEdzMEVkRzITRxYkMxU0M0IjQyYjNCV0Q1QEM1E0QxITOxUkN4czQxAzNyIERwUzN4gDR4ATNGhjQ0YzM3QkR3MzN3QENxkjNxMkNFVjRyYjM2M0NzEkN0QEOGRUQxMTOCRkRBdDM3AjQFhjR5MUQwYEMyYzMygDRwMDNxU0QBVEM0MjNxETR2IkN3QjM3IUMEVDR1EjQ3cjR3cjQFBTM0MUR3UjRyEEM5ITQBJjMGdTRFZ0N0YUQwkzQDVTM5IjM0gTMDBzNzcDMFZ0N0YDMGJUM2IkQwYkR3gTO3QDRCJ0M2kTR4gTN0E0Q5UDO2cDR5IUQ3MUNwADOzATRzQ0NwAjQGZTQCNzM4EEO3YTOENTOBNkMCZzN5EkMxkTRwcTOxETOCZER4MDM3QkR3QURyUkR2QUQGVkQBNDRwIDODJUMFVzQ0gDR3MDRGVERFFEOFVjM5YzMCRUN3cDRwQTRFdjREFzQBVUNBNkNFNDOwIDMBZTQzAjMFhTMyMkNwYDN4YjMygTOEVkQ0UEM2EkQ0UjM1AjREBjMFBTMBJjRyMTQCFEOxMjQyU0MxkjRwgjNBBjQ0ETOGBTMxEkN5QjNygTOEZURERERxIDRFBjR1U0Q0EDO0MUNyEkNxQTQ4QDM3ATRxYTM5QjM1gDNBdTOGBTN5MUR4cjRxIDR0M0N4MTM1wyQ0MkM5MDRwcTRxIUMBRjRyYkN0kTM1EDRwMTNzYjQwgzM2EDRzYTR1ETOBRTQzUDN1QDRENDRDhjQ0kTOygDN3MUQEBDRyIzM5EDRCR0NBBzMFRkNyIDRyU0MCRzMFBjN0ITODVTNFRTMFZURwYkR4M0NwY0N5gTRyQDMEVkNzADMDRzQyIUMEJjNwEDOzI0N5gjQGRDR1EjQ5MTMCRDN3gzQzYEREVER3UDNBVUOxUkQERjNFFjQykTMCZUM3cTR4gjRyITMCVER3E0Q4UEOyYjMzYUR2UDNEFkQ1cjRClDOBJkR4ETR2QjMDNkQDRER1AzMzMENxUjR0YTMyETRDdjNzQTQzMDNGlzMyQTQ4gjMGVTODRzQyUERxkjQ2gDNBZkRxkjQGV0QFZkMyQ0N2U0N1cDNzYURygjNGBzMBNjR1czQCRDO2cjRwMUQDR0N3YTNCJDNGJTN1EkMyUzQGlzNyIzQzcjMBF0N0AjRGFkR0EUN1QUMBZjN1QENCdzM1MjRENTQDNkRzUzN4IjN3YERzgDN3UUOEhTQCZURGRTO3AjN5QzN2czQ5cDM3YjRDVURxkjN0EjNBZjMGdTM0UTM5YkMwQjQ2QzNBJzMBZUR0IUM1UEN3M0MGdDRxEzQFJjRyYzQEFzM0IEO0QEM4QkMGJDNyYDMwYDM5EDMFNURFZUQwgDMxQ0MzMkN0cDRGRUMBRkNCBjM2UDN0YDO4MUQClzQFVURGNUQElDNxIkM0kDO1UkQCNENBRzN2U0N4kDRBNER4YkQEFEM1YzN3gzMxAzMCFUOCVkMBFjMGFkN5AzQCVUNBBzNGlzQ0ITQzUkREBjRwETO1cjR3MDOyAjM4UjQGRUR1MjNDRjNzcDOFNURDNENyIDR3cTOxgTQCRkREVTNwUkMxgjR5cDRBJkMzIzN0IzN0UDN1QTO2EkQDNUQ0gTNGNDOzUERxADOykzN3QTQDV0MChzMCJUN1EjR4YDMxIkQyE0N2kDR1cjRCZUQ4UkR2ITNCZkMyUURCNkQzMTNyEzQ5IUQCFUQxMDMCJUOGFzN2QTQ2IURzQjRwIjMENENzQUM5UDMyMUNwQUN5EjRGJDOEFENGhjQDZER4QDR3cTQwkDM3QEOCdzNFZUNzUTM1QENyADMxUDOBlDM4IjNFJjNwMUNBBDM0EUM4cDO0YTO4cjR4YUQyMUMFdDRGNEN0kjRCRjQ4MDRyQDNGNTQEVDNykTN2cDMxYUNwETN3QUNDJTNFF0QDlDM5MUMCVUOCNUQ3AzN1YTR1QkM3IDOwIkQyIEMElDM5MEMGZzQDNEMCdjM1ATRCRkR3YjR5IDNycTOENEOykTOBRjMBhTMwQkNGJ0N3YEM
Emails

[email protected]<br><br>

e-mail:<br>[email protected]

<br>[email protected]<br><br>Device

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (174) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Blocklisted process makes network request 2 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 13 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f974efbf6b643894e4b49b45059f0356_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f974efbf6b643894e4b49b45059f0356_JaffaCakes118.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c vssadmin delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2288
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c wmic shadowcopy delete /nointeractive
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete /nointeractive
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2688
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2052
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c bcdedit /set {current} recoveryenabled no
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2160
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c netsh advfirewall set allprofiles state off
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set allprofiles state off
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im note*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2164
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im note*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1928
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im powerpnt*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1456
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im powerpnt*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:552
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im winword*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2408
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im winword*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2956
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im excel*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1676
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im excel*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2376
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im Exchange*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1236
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im Exchange*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2436
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im sql*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1392
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im sql*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1288
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im tomcat*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1444
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im tomcat*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:628
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im apache*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1484
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im apache*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2324
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im java*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1800
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im java*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2540
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im python*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2584
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im python*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:692
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im vee*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2144
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im vee*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im post*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1492
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im post*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1584
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im mys*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:584
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im mys*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ping 127.0.0.1>nul & del /q C:\Windows\SysWOW64\rundll32.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2452
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1520
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Direct Volume Access

1
T1006

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Credential Access

Discovery

Remote System Discovery

1
T1018

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\!!Read_me_How_To_Recover_My_Files.html
    Filesize

    4KB

    MD5

    4f810db409e6a2edde87da47a1816b5c

    SHA1

    2e51974206e32175fac2a16516950f0579f0f022

    SHA256

    0e2a8fe0f58fb17a0378ca356852a2dfdf3881aa23194430b21b55ed800eaaa0

    SHA512

    04fdafaa030a1f4fb7e2ecd656001501a2e131fc5c7f4e1da98124fcadc16d9982ef3a7edb6b01fea21113bbedfc04ae03a94c78cbe3f807ffd252b2648cb55f

    Download Submit

  • C:\Users\Admin\Documents\PingCompress.xlsx
    Filesize

    11KB

    MD5

    4661db53129b8f7a4a47e9941775f347

    SHA1

    40b01ffff1bfd8012fc6b64054a55242df736711

    SHA256

    8c3d8aaa54f2972fc787a341426948cc621d0011dfde026dacfc36a1dbb8bcd8

    SHA512

    4c80534ca74da558274466e2c88b44cd14872733487673caa4c3a99ccc32cf395f615c30a6793eafb00a9a5c454a52814a95670ef22ee9b75e04fcbc8f7fac8f

    Download Submit