Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-09-2024 01:16

General

  • Target

    f974efbf6b643894e4b49b45059f0356_JaffaCakes118.dll

  • Size

    89KB

  • MD5

    f974efbf6b643894e4b49b45059f0356

  • SHA1

    c7d16c92e93810d548850271090b9f2966afd45b

  • SHA256

    e475d8d45a50f22007579f49e0b79d88ea302d71f429ea1c0f2f8f76f60b9594

  • SHA512

    6ce76c69bf412f0e9f011cc5030fcadfe158c1ee14b73d14cd625b7aff99747817dbdd621a4773963b9fd9cdda47bd21dcca9fb508763981b7fd1300487ba692

  • SSDEEP

    1536:VzO3tEZa/zXqbK0y/1fXbHkBGJ/bhkPj3/gQgHcYhYEdwI+VSvbWFUg:NO3ZqbK061fXbEo/YE

Malware Config

Extracted

Path

C:\Users\Admin\Favorites\!!Read_me_How_To_Recover_My_Files.html

Ransom Note
<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>Dear Sir<br><br>Your files are encrypted with RSA4096 and AES encryption algorithm. <br>But don't worry, you can return all your files!! follow the instructions to recover your files <br><br>Cooperate with us and get the decrypter program as soon as possible will be your best solution.<br>Only our software can decrypt all your encrypted files.<br><br>What guarantees you have?<br>We take our reputation seriously. We reject any form of deception</br>You can send one of your encrypted file from your PC and we decrypt it for free. <br>But we can decrypt only 1 file for free. File must not contain any valuable information.<br>Basic price for per computer is $980.Discount 50% available if you contact us in 72 hours, that's price for you is $490.<br>When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think.<br> Are they really interested in solving your problems or are they just thinking about their profit and ambitions?<br><br>By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst...<br>Here we upload sample files of your company and your private data on our blog :<br>http://6ss5vvdhmnhfux6xoerulzuu73ur52v6hcmvaiphohbtgvw2nnzflnid.onion<br>We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website.<br>We also promise we can decrypt all of your data and delete all your files on internet after your payment.<br>Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors!<br>For us this is just business and to prove to you our seriousness.<br><br>Our e-mail:<br> [email protected]<br><br> Reserve e-mail:<br>[email protected] <br>[email protected]<br><br>Device ID:<br> 
Emails

  • [email protected] (primary contact)
  • [email protected] (reserve)
  • [email protected] (reserve)

  All three addresses appear only as the "[email protected]" placeholder left by the scraped page's e-mail obfuscation; the real mailboxes are not recoverable from this page. The note lists one primary and two reserve addresses, followed by a per-victim Device ID that is also not present here.
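The Emails field above is what a config extractor pulls out of the dropped note. As an added example, not the sandbox's own extractor, the following Python parses a constructed excerpt of the note (the onion URL, prices and 72-hour window are the ones on this page; the contact addresses are left as the "[email protected]" placeholder the scraped page shows) and separates what is recoverable from what has been redacted:

```python
"""Extract actionable fields from a Ragnarok-style HTML ransom note.

Added example, not part of the sandbox report. NOTE_HTML is a constructed
excerpt of the note extracted above; the e-mail addresses in it are the
"[email protected]" placeholders that the scraped page shows, so the
extractor must report them as redacted rather than as indicators.
"""
import re
from html import unescape

NOTE_HTML = (
    "<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>"
    "Dear Sir<br><br>Your files are encrypted with RSA4096 and AES encryption algorithm. <br>"
    "Basic price for per computer is $980.Discount 50% available if you contact us in 72 hours, "
    "that's price for you is $490.<br>"
    "Here we upload sample files of your company and your private data on our blog :<br>"
    "http://6ss5vvdhmnhfux6xoerulzuu73ur52v6hcmvaiphohbtgvw2nnzflnid.onion<br>"
    "We promise that if you don't pay within a week, we will package and publish all of your data.<br>"
    "Our e-mail:<br> [email protected]<br><br> Reserve e-mail:<br>[email protected] <br>[email protected]<br><br>"
    "Device ID:<br> "
)

REDACTED = "[email protected]"                       # scraper placeholder, not an address
ONION_V3 = re.compile(r"https?://[a-z2-7]{56}\.onion\b")  # v3 onion: 56 base32 chars
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PRICE = re.compile(r"\$\s?(\d[\d,]*)")
HOURS = re.compile(r"(\d+)\s*hours?", re.I)
FAMILY = re.compile(r"\bBY\s+([A-Z][A-Z0-9_]+)")        # "... STOLEN BY RAGNAROK"
TAG = re.compile(r"<[^>]+>")


def html_to_text(html: str) -> str:
    """Turn <br>/</br> into line breaks, drop every other tag, unescape entities."""
    text = re.sub(r"<\s*/?\s*br\s*/?\s*>", "\n", html, flags=re.I)
    text = unescape(TAG.sub(" ", text))
    return "\n".join(" ".join(line.split()) for line in text.splitlines()).strip()


def extract(note_html: str) -> dict:
    text = html_to_text(note_html)
    family = FAMILY.search(text)
    hours = HOURS.search(text)
    return {
        "family": family.group(1) if family else None,
        "onion": ONION_V3.findall(text),
        "emails": sorted(set(EMAIL.findall(text))),
        "emails_redacted": text.count(REDACTED),
        "prices_usd": [int(p.replace(",", "")) for p in PRICE.findall(text)],
        "discount_window_hours": int(hours.group(1)) if hours else None,
        "claims_rsa4096_aes": bool(re.search(r"RSA\s*-?\s*4096", text)) and "AES" in text,
    }


if __name__ == "__main__":
    for k, v in extract(NOTE_HTML).items():
        print(f"{k}: {v}")
```

On a note recovered from a real host the emails list fills in and emails_redacted drops to zero; on this page it is the other way round, which is the check that keeps placeholder strings out of an indicator feed.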

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis. This is a sandbox family signature, and it conflicts with the sample's own evidence: the extracted ransom note identifies the operator as RAGNAROK. Treat the Locky tag as a heuristic hit, not a confirmed attribution.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery. Here it is done twice over, with vssadmin delete shadows /all /quiet and wmic shadowcopy delete /nointeractive, and paired with two bcdedit changes (recoveryenabled no, bootstatuspolicy ignoreallfailures) that stop Windows from offering the recovery environment after the damage.

  • Renames multiple (131) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 3 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The only netsh invocation in this run is netsh advfirewall set allprofiles state off (PID 3336), which disables the firewall on every profile; the "Netsh Helper DLL" tag fires because netsh.exe loads its helper DLLs whenever it runs, and no helper-DLL registration for persistence is recorded in this report.

  • System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The signature fires on nearly every cmd.exe, taskkill.exe, netsh.exe and WMIC.exe child in the tree below (38 hits), so on its own it is low-signal; the recovery-inhibition commands are the actionable part.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems. Here the only trigger is ping 127.0.0.1, run by cmd.exe (PID 3040) as a loopback delay in front of del /q C:\Windows\SysWOW64\rundll32.exe; that is a sleep-then-delete idiom aimed at the host rundll32.exe (which will not succeed against an in-use, Windows-protected system binary), not a connectivity check.

  • Kills process with taskkill 13 IoCs

    Thirteen taskkill /f /im sweeps against wildcarded image names (note*, powerpnt*, winword*, excel*, Exchange*, sql*, tomcat*, apache*, java*, python*, vee*, post*, mys*): office, mail, database, web-server and, judging by the prefixes, backup-agent processes whose open handles would otherwise lock the files the encryptor wants to rewrite.
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. The standalone vssvc.exe (PID 3032) at the bottom of the process tree is that service being started on demand by the vssadmin and wmic shadowcopy calls, not a process the sample spawned directly.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f974efbf6b643894e4b49b45059f0356_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f974efbf6b643894e4b49b45059f0356_JaffaCakes118.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c vssadmin delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2980
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c wmic shadowcopy delete /nointeractive
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4244
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete /nointeractive
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3920
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1404
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c bcdedit /set {current} recoveryenabled no
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4980
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c netsh advfirewall set allprofiles state off
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4268
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set allprofiles state off
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:3336
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im note*
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im note*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4732
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im powerpnt*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1032
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im powerpnt*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4116
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im winword*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2740
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im winword*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:708
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im excel*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2108
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im excel*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im Exchange*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4448
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im Exchange*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3244
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im sql*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1592
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im sql*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3812
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im tomcat*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3688
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im tomcat*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1280
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im apache*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3288
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im apache*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5028
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im java*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2416
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im java*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5020
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im python*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1200
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im python*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4472
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im vee*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3872
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im vee*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3228
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im post*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3280
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im post*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:588
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im mys*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2320
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im mys*
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4840
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ping 127.0.0.1>nul & del /q C:\Windows\SysWOW64\rundll32.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:3040
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1864
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3032
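The command cluster in the tree above (two shadow-copy deletions, two bcdedit recovery changes, firewall off, thirteen taskkill sweeps, a ping-then-del) is the detection opportunity: each command alone is routine administration, the set under one ancestor within seconds is not. As an added example, not part of this report or of the sandbox's signature set, the following Python scores process-creation events by root ancestor. The log lines are constructed from the report's command lines (with a lone benign vssadmin appended as a control) and the ts|pid|ppid|image|cmdline layout is an assumed flattening of a Sysmon Event ID 1 record:

```python
"""Detect the recovery-inhibition / service-kill cluster from the process
tree above in Windows process-creation telemetry.

Added example, not part of the sandbox report. SAMPLE_LOG is constructed
from the report's command lines (a benign lone vssadmin is appended as a
control); the ts|pid|ppid|image|cmdline layout is an assumed flattening
of a Sysmon Event ID 1 record.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# (category, ATT&CK technique, pattern over the full command line)
RULES = [
    ("shadow_copy_delete", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("boot_recovery_disable", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("firewall_disable", "T1562.004",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b", re.I)),
    ("service_kill", "T1489",
     re.compile(r"\btaskkill(\.exe)?\s+/f\s+/im\s+(note|winword|excel|powerpnt|exchange|sql|tomcat|apache|java|python|vee|post|mys)", re.I)),
    ("delayed_self_delete", "T1070.004",
     re.compile(r"\bping\b.*&\s*del\b", re.I)),
]

SAMPLE_LOG = r"""
2024-09-27T01:16:05|2388|1000|C:\Windows\system32\rundll32.exe|rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1
2024-09-27T01:16:06|3528|2388|C:\Windows\SysWOW64\rundll32.exe|rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1
2024-09-27T01:16:07|2980|3528|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2024-09-27T01:16:07|4244|3528|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c wmic shadowcopy delete /nointeractive
2024-09-27T01:16:08|1404|3528|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
2024-09-27T01:16:08|4980|3528|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c bcdedit /set {current} recoveryenabled no
2024-09-27T01:16:09|4268|3528|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c netsh advfirewall set allprofiles state off
2024-09-27T01:16:10|4592|3528|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c taskkill /f /im note*
2024-09-27T01:16:10|1592|3528|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c taskkill /f /im sql*
2024-09-27T01:16:20|3040|3528|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c ping 127.0.0.1>nul & del /q C:\Windows\SysWOW64\rundll32.exe
2024-09-27T01:20:00|5100|900|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin delete shadows /for=C: /oldest
"""


@dataclass
class Finding:
    root_pid: int
    categories: set = field(default_factory=set)
    techniques: set = field(default_factory=set)
    matches: list = field(default_factory=list)   # (pid, category, cmdline)
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def span_seconds(self) -> float:
        return (self.last - self.first).total_seconds()


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "ppid": int(ppid), "image": image, "cmdline": cmdline})
    return events


def root_ancestor(pid: int, parent_of: dict) -> int:
    """Walk ppid links up to the oldest process we hold a record for."""
    seen = set()
    while pid not in seen and parent_of.get(pid) in parent_of:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def analyze(log_text: str) -> dict:
    """Group rule hits by root ancestor, so the scattered cmd.exe children
    are scored as one campaign instead of as isolated admin commands."""
    events = parse_events(log_text)
    parent_of = {e["pid"]: e["ppid"] for e in events}
    findings = {}
    for e in events:
        for category, technique, pattern in RULES:
            if not pattern.search(e["cmdline"]):
                continue
            root = root_ancestor(e["pid"], parent_of)
            f = findings.setdefault(root, Finding(root_pid=root))
            f.categories.add(category)
            f.techniques.add(technique)
            f.matches.append((e["pid"], category, e["cmdline"]))
            f.first = e["ts"] if f.first is None else min(f.first, e["ts"])
            f.last = e["ts"] if f.last is None else max(f.last, e["ts"])
    return findings


def alerts(log_text: str, min_categories: int = 3) -> dict:
    """One shadow-copy deletion is routine; three distinct categories
    under a single ancestor is a ransomware pre-encryption sequence."""
    return {root: f for root, f in analyze(log_text).items()
            if len(f.categories) >= min_categories}


if __name__ == "__main__":
    for root, f in alerts(SAMPLE_LOG).items():
        print(f"root PID {root}: {sorted(f.categories)} "
              f"{sorted(f.techniques)} over {f.span_seconds:.0f}s")
```

Ancestor grouping is what keeps the control line quiet: the lone vssadmin under PID 5100 scores one category and never alerts, while the rundll32.exe tree (root PID 2388) reaches five categories in thirteen seconds. In production the ppid map should come from the same telemetry source, and the taskkill prefix list should be tuned to the images actually present on the estate.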

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\Favorites\!!Read_me_How_To_Recover_My_Files.html

    Filesize

    4KB

    MD5

    2cd8a8f2966ef46d0df54b75b92b98a9

    SHA1

    9693068ba1a1e306475b98ee33e4c713fb421031

    SHA256

    f549a5a10667dc22d61f5cf3d3b2553744d44b2b407ffb9c8b1184588efc50cb

    SHA512

    b8a00908ab25b528014c44d18a95fead0af52107ad515a759a4f7d7f2033d60d0221571c3192cfb264fdb2ee86888760fdcd6276462ab04118dc2668d85384ea