Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
30-09-2024 13:37
General
-
Target
019aae6df470cddcd82534e57037341b_JaffaCakes118.exe
-
Size
328KB
-
MD5
019aae6df470cddcd82534e57037341b
-
SHA1
3dff4a6faad3325c7600834d1a7c2c362887865b
-
SHA256
8dee4f6bc8513c5e9b387ea11183bb2964c2e73f7dc7a430060aaa0d4ae9b99e
-
SHA512
09d5c811227228a059c5ef989486b0c30ff8f51f786db1330f8e950cdcd1e608f276ea17d055ef3ceaf44d22f3f28d025e6a0312306b83dc8211232af8378d5a
-
SSDEEP
6144:aCHhOk2vb0Lv1Azgm4mxTg4OT/zNBv8wxvYfLQplE6R471K:aCBONvb075m4aM4OT77VlYDQplE6ip
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECOVERY_+auoei.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/54E925E43B7BEF5
http://tes543berda73i48fsdfsd.keratadze.at/54E925E43B7BEF5
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/54E925E43B7BEF5
http://xlowfznrg4wf7dli.ONION/54E925E43B7BEF5
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (421) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\019aae6df470cddcd82534e57037341b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\019aae6df470cddcd82534e57037341b_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\019aae6df470cddcd82534e57037341b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\019aae6df470cddcd82534e57037341b_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\wwixtlysiqxd.exeC:\Windows\wwixtlysiqxd.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\wwixtlysiqxd.exeC:\Windows\wwixtlysiqxd.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\019AAE~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5836245b97c0ae1763d134268c96089f1
SHA1b73ba278c4e558c50a8f8f7506daff619c93ed33
SHA256773cf4b62a43b3516fe56248c0c759fa07d3962e286d692ab1aa1ce84ce0446a
SHA512a6aa18c0037be129bdef2702edb7defe8cb1abd3dfb98a4f29eed78d2eb1d94ba9c59687fbef654b20194e3c7609f8b900db4c6e99cc8d4d5ca26ccb35f5fef4
-
Filesize
61KB
MD5e37f41b8e01f9fcd0942e7418184644d
SHA1df4093c080b52bfd17cdb8f75d7d0257355b532a
SHA256587483f2209f0cdd2053f7213b171601694bdc2d4a4d9c36f59c7876b40e9699
SHA512265c46ecadf467f798349f7f2799631bf1600310ee45d98aac77f491631ff01bdfef9af06ab3403d73e8bddd43dc9cd813c84dcb69a76a2f4533398b9bd673fa
-
Filesize
1KB
MD5d0ed060f8bf39c02081396263b0d2300
SHA19c645e7e917e68576be62ca3fa018eeb69ad2210
SHA2566efe82412fbae7863b5cc93d8c52194b89fc7bcc3e8e199881a0a39de7f401a1
SHA5129fd5c616474c97047cfd1d5ac7f43a445ca4b55dd0fbe0b47cca26699aa7ac8ea9513877f15464210dd9358427b5b8c5e54bd778085a2c005391acdd1135b9dd
-
Filesize
11KB
MD56ef4f2f2c12a3e2583fd6922aab8c7da
SHA13dade6d7bdd0dc95ec7eb3eea13b648bd1af9a20
SHA25659d12dff790713db8dfac3ea7a95b431160c5241d3c6035d35741c3128983834
SHA512a62934551fc38f5e09ce35292bbcce06fd053fa76170c7dc614ff70e34c8c2006f987d5bb86729c7021485d1f1d086b85edb334fa62f83bfef429b31a0f1039a
-
Filesize
109KB
MD5bdf580a6573106d39497aaa905545eaa
SHA1cbbd932bdddb8db60783220e50bd20c3624a46ee
SHA256166d587409d59e778e5323e0ff0493c278f1cef3543898a30f3af5f1d49f88d1
SHA51230b33fcd1a73cb9af75049ac9a160c250e7919c41fe38016b7f011a0f2def22c01b2f77109eb3f05634f3f4a759967a06def5589d9c630d42a54fff2eadca9c3
-
Filesize
173KB
MD57cdbe6353b0c3a66a6777b07e2120efb
SHA195f47b6d306cf0bdc9ad46a5af1aa15428f118df
SHA2569c7a6d2176abf305cbc5378dbca234a2ccea345deaa69d7705523e7064cf2353
SHA512fedaee0645c784a23e824a3f37a1a3fb493ba806fb54db6399096a7577ec5d6e86b6533ccef3c152983b6d64bcfbfa1a865f34bf039933d419a3cc73b863d5d9
-
Filesize
35KB
MD5d20f3f6d69978a7df415940e08373c02
SHA18809bd1caaf2e4d39c87d036fb9aeab0efe75cc9
SHA256ba3ef2d7c75eb9d593d5b53c01de602a95dc09d415532cd731cf7d42550baf03
SHA512670f10f36689eecbaca98f243eaaf444688f932254d67c7026cda32aa3530d5af2971793c7d27026bc425cfe5eefff46378ed2ef3c8c03bdd7de463d42fbb47b
-
Filesize
28KB
MD50bd3c1695add8fa6975925b8eb7ff151
SHA1ff79d6ebab6cbf451a28555cbb2ccfb47c062a54
SHA2565d3c75938d3cd1def92c56853e65b3e14ad93e3e013ab200505e2a0511a36982
SHA512d8bdb9c21858a9b483bfc8ff81870e4a6f0133c5f78eaeb469582036cb49891dbfdb5f35dd1db92e1f243c529e2f920322bdc140e3e1cd7a8a32c4cdba509ebe
-
Filesize
35KB
MD5f4d84eea9d76e619c570a77a4e4d43dc
SHA140dcc7f29fec5c7f750f678a4cc1e526cf53d26c
SHA2567a8f734a904946a4506821797a539d4c5a2c1cea4e20b11187c9db17f35383ef
SHA512fe094ba68374716d4cd631e7666f9cc10b9dce2be0282406092743b8870e6fad9067fe107f7d8df80fb604168724823d9410071b6929495bb8b52f02e7d3f7ee
-
Filesize
28KB
MD55783798dcf4968f1f62d8ea20829a787
SHA18e3dbae66861d51b72c6eacdd7e9474430b282f5
SHA256993acea9cf0642ebad49f7c48f6a952a24a4d3fd523150682c9d54d1516176b4
SHA512708a38ac0b54ea48e3eff91cef6eba67e5716d39b124fe94da9ab7550e99a3b7504a904a305a988210adf881431d3d47e27622339277accb8ce6be5c9b1ecc37
-
Filesize
28KB
MD5b0b8a50df915709bdad1904f61c2e4cf
SHA1b10745d7a8cd9fe01a5720f1eed2f01458d85675
SHA256b81bfe07d541187f431c275c9524807f633537546b91d21620d7e09c433f7dac
SHA512b657938ca3050b5baba37f0b594a8449d46bcb3211516a65967031bcd5d4e8c616a553406e143da65260ee7b22872b949f516527ffe80b6e33a88b77b31a37c8
-
Filesize
35KB
MD504af07603a1a47a65bbf537b6a55bf55
SHA102dd7060f53b80e74ecbd8cc4b994d7bbfdab7aa
SHA256a82468bce11023c324f25f036a46d2b43b6fd244c4ab2a07116fcf0af4da4c09
SHA5126666535b7d228ef6d3eca4abf9418a98c9a4a1038147b0565f1ebb4e03b07439201e9c1636556e374b9570a5d6ca8c1fcad50d9e2e5dee6b5fc76aae5fb99224
-
Filesize
41KB
MD54d0ee6db90c432bf1f7bdad481f0f7fa
SHA1c4f865efd1bfc7f23d045b43d218507699b588ff
SHA256bf3d782ed5575d54fce643197f765ec0489f07e896430ea0ad3654f425b49c04
SHA512cea7cd0c933b9c1e45d5727a93103a088f80c80bd74b3d92fa34cc58daf76306eb6d69a1e1f1c1f2f1c308f41aa78f2e4ac68506e85b5952c9703aaf9bc5b5ad
-
Filesize
328KB
MD5019aae6df470cddcd82534e57037341b
SHA13dff4a6faad3325c7600834d1a7c2c362887865b
SHA2568dee4f6bc8513c5e9b387ea11183bb2964c2e73f7dc7a430060aaa0d4ae9b99e
SHA51209d5c811227228a059c5ef989486b0c30ff8f51f786db1330f8e950cdcd1e608f276ea17d055ef3ceaf44d22f3f28d025e6a0312306b83dc8211232af8378d5a
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
2.7MB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
4KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
