Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
07-10-2024 21:33
General
-
Target
1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe
-
Size
356KB
-
MD5
1e096e7c6ffb32332933f693d00c6795
-
SHA1
28e7f909cbc28ca3af8af503111c5fc9f42502b7
-
SHA256
963aafe897132f8bd0fb1ce4beca2c4c2c04d8699a9e2612106c762cccca6256
-
SHA512
8c26ddc0f8a3da79646851fc39f57d44a654e3967dad708239f882ed273fd14522d771087b0ff0d688fbb15392145e176be519ada7fd94103a05b90aaab6141c
-
SSDEEP
6144:C94ZeMgE+D+G+33DpgPgRArNZltP8aLK9cdfdCWJATnKH92tIrWuZ/kE7eVmhgst:C94ZeMgE+D+G+33DpgPqArrltP839Yfj
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+xgmxi.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/656A37BED169FD8
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/656A37BED169FD8
http://yyre45dbvn2nhbefbmh.begumvelic.at/656A37BED169FD8
http://xlowfznrg4wf7dli.ONION/656A37BED169FD8
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (417) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\nscbvyxkihme.exeC:\Windows\nscbvyxkihme.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\nscbvyxkihme.exeC:\Windows\nscbvyxkihme.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NSCBVY~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1E096E~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5fb8cdcd890c5a0b2adad3722db5d54cd
SHA1574204478194dca4067518de2ac303949c14de86
SHA256b39f3b2da6b042867f382d05b3a17ac67d62840377a8ee8a7faa658adbd946b2
SHA512c367a4ec3ce8f7c81c5849e9c638547d9b419e73040b094d17b3298b83d22564bbab7a7bea07c122424800bb1d620f9cae75a155f10c4ff8877e42b4acb95d30
-
Filesize
64KB
MD5f5cea4e5ccda81e798b3a6c6bbd66a23
SHA1f57ce03d36e9191a35f191cc6a51343312865c3f
SHA2560448b93fcc88b2f9e8710a663fe64c691674f158f13052d8ec28ec0711cd16a2
SHA512f681ef6efab89efab6488ed9dd5b13829cac8bdc669e1aa9bcd9b380d9f4c23d72daf5db8c59bf5ffc92154f19dccf6eae72eef723f9a8fbbf0bafe5af763484
-
Filesize
1KB
MD50c1fa18f89ed39dae600111f3498e450
SHA11463aa6a80af72e9a5e4a07deea7cb965b6ac44b
SHA256ee97657f941ff036964c0bf05ea31b6d243dc583976ffe31da00920dfe474242
SHA512314fdd7a22d7d1f64b4b1f98e20bc0d4b2db8e4b9a512c0ae441cebb97a6ff40fde2533a2c7bd4ef8ed239e762a57dcb50b55540ef661091447314e54b054c1b
-
Filesize
11KB
MD5ad1f572faf7ac3afc86ac521c7577561
SHA109df647c4e29813627a34f1964100f7bc8e5af30
SHA2566c2bbd41cc63e4ce66568d01c984ca825b257f846488448bda0990b00a6920b3
SHA512e8893e690668ed9698be198ccb3bbc1a4b3b7ad8bbce7643e9f9e04649e8680a07199b9d6b17d1a2baa9a208eeeccd5463a8cbe565602fa0a1eda5f26313c953
-
Filesize
109KB
MD559b66769028c2fe1cc274e95521711fd
SHA1cde69adb745223af621c00671a984ba651955bfb
SHA25672e2cf51a5e0fb79642d6ddaa2542400c19f52bd80a1f742286756aebf20a1d2
SHA512fb097582e41a0b03c17ff7111eabf5d0635de25f740ef26cc6e5ef98657efc507e022a85be8cea0dab825de0f5ea7c8ec74960c66a7d94e991a1cabe251c7409
-
Filesize
173KB
MD5bdc48de57c1955d3bec8ee6a986e8344
SHA149128429ebeec68f03f2609a0ad19ca3a7957f68
SHA2564bb2f8049ccb4263775088a084fb68db0d83b6aa6f59b1291c0b9f0ac75ecca6
SHA5121e3ac06b238aeca6c2a534a2248c1e6fdc6b7f027ce9ae7b59efd633467a49675ff2c7795d766a84ce5f7d033c01c9d23620d832b8b309a1b1614a68abedcfc5
-
Filesize
342B
MD567e717f2ceecdcd9dfd25e2e0a1cb9ce
SHA16b5f38a6d899bddaa7eaa41395311ad481d49888
SHA256ffbeb4daf37d5c2829f6064498ad27da41a71f1dbb5be1006e0c1afb7ed0784e
SHA5126d78a84e35cf7dd4bc959a3203d57effdd73c63776a01ff0b529d39d31a4d12e0ed323eb4b5c1d1472b39ef18ab65d68bc053d9d04784d3f05a641b281b67797
-
Filesize
342B
MD53b175084bc0cdd35437240287f01543f
SHA17bd43e70bd5a0c52582c0d87d7798964a02c7e8f
SHA2564e60828063db6488ccb990bdaaef7ad0a29cb7750c396e0b5c671cc87341dd7c
SHA5126d801bc2dfa201955182647e26caae34d189df3fd8ee82b4151d93d85fa6b8e34ca923ef233227f0d2ed5bd7a6509683cd4902baa9532a0b79143c402f5e020f
-
Filesize
342B
MD5fcaac2de2d37055f5485f3bb45194091
SHA1b9e44493db1c28ce922c7650005c9a365c02e2d0
SHA256ed4cb27a4c077339075e9c4b876c789e5f12df7ef738a619c6157353b81c3b12
SHA512c01c913c849c0828e1ee1ae5d313376ec50e3d77d6f2d134ec747f55009c51f9c9b20be695be0ea5778bda0b49d83f982ef1bb7e11df44c1b4b5e3999581b822
-
Filesize
342B
MD574ba5b5422ed3791bcd68aa9f667254e
SHA1f125f6442f8035b47972efa542c504fb879bbbe9
SHA256d223346176b9d82bf054274b4705e93ffd27e853493215cdc918c2f39340e366
SHA51297eb07deb23dc506c95dbd32f73cdef39d28fc0ca5a8b41382259f100ba0ae0efbdbf12e116a7bb80073267ad62a06eccdf5f62ed1b3c7b43999ed472d99b302
-
Filesize
342B
MD5d14c95c3afae93ef5b75258d2824334c
SHA1a227dc5454daa6162fa32b8c72b635b228668924
SHA256390a94c8b5fd3b374a9836fd78f1465a29dcb212cffb88d3a56420760dfd1097
SHA5127a0d61cfa473cbcbbec957fd2100a256804fd2ffe65e4e0016518ce62ac509eb56773a2da69e8d4cc8a63ab42bc9f4baeac7a2ddadac96482992f88313e757ec
-
Filesize
342B
MD59851542c3bb4507f063f689063b2dd65
SHA15153daa42a4dd3acefb005e3ec50a64760dab0dd
SHA2562a38ffacc3645e3d391d397c10154374a0ae55595dcb5cddccb1a8561cadfa0e
SHA512df504d5f391a980e3f1eecefa23fc514daac3c384be1c65e4d4ba96dd74b97b87fdea5b33de445c832b71afda19a99f885cc68b443d36e8dae6be4d540468595
-
Filesize
342B
MD5aa16677ce04a3c33d5f4b40f3680ac61
SHA180fe513736dc51a2ff0783fb24bd3396bfc1434b
SHA256a798743929ab365a0b4b31fca9adacb7fd4a56f8b6b591837eda814b591e4f93
SHA512cd436777e214bb80528958a39041f77cfe14f645f6c355da66ec90fe536f15a7dc2c0296b23b92376b9dded2d5838318d2a755662ccc7da9fca314aeb6665828
-
Filesize
342B
MD58a199116dc333b209352a6380077095c
SHA1da6f192ebdf7e4a2bce037939d2a8e82cf129a2d
SHA2565288ec76d8ba866983ef820327eff746c368711b8a6dd117b4849cbe43c21c81
SHA512f5d92ee344185a73e9281c54ff8b0d45db9dab9cf63ffa40ecc3b605308ccda25d9983702666eab6521ebe13bd5850a1af615a74cd9232b0e956ec56d338b04c
-
Filesize
342B
MD58cbfe45f5bba93d294e791f80c08aec5
SHA10b00ea00cd4172fe827782cc52ae9cb8194842df
SHA25616ca93ec8a747f82307b93f1080202b909659f358bb6e79ed18d33a5a09438fa
SHA512f7babf32e9efaccf996113a53c0820cb3e3c21b165ab99b79ec454669096906ef02d262d488109596cc31cb0439a9d36c6211f3741c73becbd607aa5f076475f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
356KB
MD51e096e7c6ffb32332933f693d00c6795
SHA128e7f909cbc28ca3af8af503111c5fc9f42502b7
SHA256963aafe897132f8bd0fb1ce4beca2c4c2c04d8699a9e2612106c762cccca6256
SHA5128c26ddc0f8a3da79646851fc39f57d44a654e3967dad708239f882ed273fd14522d771087b0ff0d688fbb15392145e176be519ada7fd94103a05b90aaab6141c
-
Filesize
8KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
4KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
8KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
892KB
