Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03-10-2024 01:00
General
-
Target
0d3571a8ca8ef2fede9e3e11b8761582_JaffaCakes118.exe
-
Size
368KB
-
MD5
0d3571a8ca8ef2fede9e3e11b8761582
-
SHA1
f2b0416e2afe93050816f62646ecae6080a9e559
-
SHA256
543144026b1a0c1bbfea07c5af4b9e5654c6eb3416f7ac70d676c6c8682bacbb
-
SHA512
1474d517cf92cd4dcec62bb656ae918f383fd4e146dd951c9613e7cb300870e32606c3607872bb17d84e2de5c13d23bf51bc16e8f2f576acd4bae9fe3e2b661c
-
SSDEEP
6144:lysifNvmGSKiUuyWvY1ZEYVG3I825tkB9GqlzXwOwNM5s8Fy:8BQUuy6kP5tU1lzXwBqbs
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_RECoVERY_+rfaah.txt
teslacrypt
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8B209C3EB36837C
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8B209C3EB36837C
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/8B209C3EB36837C
http://xlowfznrg4wf7dli.ONION/8B209C3EB36837C
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (858) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d3571a8ca8ef2fede9e3e11b8761582_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0d3571a8ca8ef2fede9e3e11b8761582_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0d3571a8ca8ef2fede9e3e11b8761582_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0d3571a8ca8ef2fede9e3e11b8761582_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\sgnlsimuisty.exeC:\Windows\sgnlsimuisty.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\sgnlsimuisty.exeC:\Windows\sgnlsimuisty.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ff92e3046f8,0x7ff92e304708,0x7ff92e3047186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,4525905613846771580,15344451061278286442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,4525905613846771580,15344451061278286442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,4525905613846771580,15344451061278286442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4525905613846771580,15344451061278286442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4525905613846771580,15344451061278286442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4525905613846771580,15344451061278286442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,4525905613846771580,15344451061278286442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4525905613846771580,15344451061278286442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4525905613846771580,15344451061278286442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4525905613846771580,15344451061278286442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,4525905613846771580,15344451061278286442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SGNLSI~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\0D3571~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD55d0925513a7c909a4da8c5a0bc717451
SHA112715bf1db7687bb10ae15e15d3ad5893b8fc365
SHA256650ddef2748bd9cab08d9d4ee6c54f1cdcaa5578d9a8b76c4f1a397e18a4fb3a
SHA512957da26e5cc2b625d65214cf1426d416ece105fa241fe6932cd77c45ddae7778954c17a9e0c0aff4848f58fac8efa4cfda3c3b5c2942ee5f597285ef8b0f011e
-
Filesize
64KB
MD5be61d7bf3eb5348994814e46e17de61d
SHA12775d3f26d9cc8a2d9c28b59b37a20e776f34960
SHA2564b487ed32d9bad6e0827a4974ca269a82d03ce00215e9edec008752d19f432d1
SHA512044b50ce5f4c86046c522e6c1b10558757dc15d23a69a983f96a441baa720fb4116732e699b4da7253893a7a2514520fc170fbb224aaff56f3cca69d314d10b4
-
Filesize
1KB
MD5eca7d87b4b7d5eb604874c11d30ce585
SHA1376db7a17b8db0fd3e3833cbfdc1ebe9f2e790e4
SHA25603d46bd3b046ebd17c9e69ab5ea287fdea60aff02aeedd45b1b181e06ae6691c
SHA5124a0a72811534371241e1924ec361c78203525d245a46c5299b2e5622ad0f3467cff85f34bc3f1f47126eb56812a95f988badf32edf54e07e3c2470f186c8c298
-
Filesize
560B
MD57d55af7471a95242af01339044a38743
SHA1cbcb391a8f86aa9679a0aad108143efc5c4f9db7
SHA256e11386c9f57eb33d01007154a6d5353e9c1c22542b78eb862ff9ab5a08f8927f
SHA5123fb8b9f0894507ced10ca7baf5543d98d1dec661186ea7cd0ce71aafc89078521ec28fb09a93005fbd14e1bead504d23c4dac987637016474e69a4e94c6f2886
-
Filesize
560B
MD55cec491a726ea6ad8de66e6808124f43
SHA1c066b02a245553308ef4259da7a0ca044c263659
SHA256006b6801ed84a8126c9e11cd2592db152fb4baaa7f7bfc2df01b7a78c9a7ae8c
SHA512db5c600ba23be56f3b9014fec69d6fc869e4d1d2ac0ee75b252eaf737d59a665a7a2577011e5a9a56dd0991f55f463cdf25e4d078b1758effbdf27d77e0d74dd
-
Filesize
416B
MD56ec7a316c41cc491ce005a83f6e6a753
SHA1df7e8d6a945609ed3ce5a249586a91a827448ef6
SHA25616dad0a5d1bac5af220c4fc12d9aa531d5dca2febe94774b4ced77b51152e78c
SHA512d52a7bbdde7442df836b5765d952f96efe64a2a2da61e87359e43c01cad412fe1bf5e56daea9a40a74d2d02acb144e6a9e4bf6637db475b9df44cf98ced67912
-
Filesize
152B
MD5e765f3d75e6b0e4a7119c8b14d47d8da
SHA1cc9f7c7826c2e1a129e7d98884926076c3714fc0
SHA256986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89
SHA512a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079
-
Filesize
152B
MD553bc70ecb115bdbabe67620c416fe9b3
SHA1af66ec51a13a59639eaf54d62ff3b4f092bb2fc1
SHA256b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771
SHA512cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921
-
Filesize
5KB
MD5a63641084c4b9c1298bb66f7c748fe20
SHA113cd07abafa3977cecb850913f38f8b6f6362037
SHA256e058dfde16bf223d4506651624944aa6bee6722faefeca307f6a2a59d26ebab9
SHA5121663984789c05757b7f076c39797c799c4cc1346383cc5e2edb5d047cccc4d0b31c2f84bbbb0f9721fccc4f89ceacacfdcf991465bfee99cd5c5c7880121df4b
-
Filesize
6KB
MD5b8792e45d6eaa61527062ac5b06a8523
SHA1c8f6ea3dad8183fba15fc5c50a65c4b5ea299482
SHA256d80b30fd7104aabf601551f7850329bcc86e28b0994183e9161ea195f1cf4afb
SHA512cb20120a98eacfbf1a9f3fca24546a705668ae41b62184e7832fb5154251a5fee10834cf2cd63df5ab2b79122ecf99c5df8c94a970d8c0524f32451653f016b4
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD524491fcfece8384be112267e18986c9c
SHA1d4b7a57abfca489060fc30fc795251d745d1e24f
SHA2568be895d1647c653b605d654c8b165663a090f1d2a430805ef782b492fdf815a4
SHA5122e0f49eebc3c8262d4c2fc8590152561f694c7b21ff9f1b0dc8e4d4edd0265959cbb168846ebc4daaeb4b3a95161a6a3006bd5aef5da80cf51539c869871f5bc
-
Filesize
77KB
MD5a3556cc4ada3185050b6d43ba27126c3
SHA18e64d41cd068ee37b466398505225df8f31ddcf7
SHA2566398ae143531b3646f2c08da78a29e3c58b5f9fe90a0b24fe8a95619ce3e2a29
SHA51298ce32226c5d0294414b9c3fefede366eccd42fa7260757e3f621f6d63da0dca833eec7dd868e15513497c5e7473d8a8e1704d378582eb9948c6a276a6b70258
-
Filesize
47KB
MD5acde41305928bdfd9b2f2640a65a0afd
SHA1f3721ef4d153f1597adcc9681e464b3eb2eb2a97
SHA2569c5ac7d8efb3454c56a89192591922b8a8763c945cbec9f6b86dbc53e22a9c32
SHA5128886f127a9c3521ccfc4e45527865329b92e451b2f2a8ebfbbbdc7cd22d280e75777c7727d6950a8a81069b7d9e0cc90286823b646b0686df2c67a27458a2f3b
-
Filesize
74KB
MD51daaea0c090d8812b43dc6d81f37bed0
SHA101ddbb8e7a68dc0f4beb20392f8f8fd69e688ee0
SHA25664d6bae14d7f4b4f8764ca52af2b9d517ca6cb932075b54552054313a1ad0dcd
SHA512bb3f3f18633aa5adfa62c49ade14c9389e723c1bc9a8a7f01ff701fdff3b4a881e137918256fe29f9a99286c9ea7e70815dea95edf66ef842e8d834f07326e09
-
Filesize
368KB
MD50d3571a8ca8ef2fede9e3e11b8761582
SHA1f2b0416e2afe93050816f62646ecae6080a9e559
SHA256543144026b1a0c1bbfea07c5af4b9e5654c6eb3416f7ac70d676c6c8682bacbb
SHA5121474d517cf92cd4dcec62bb656ae918f383fd4e146dd951c9613e7cb300870e32606c3607872bb17d84e2de5c13d23bf51bc16e8f2f576acd4bae9fe3e2b661c
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4.3MB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
