Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-10-2024 21:33
General
-
Target
1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe
-
Size
356KB
-
MD5
1e096e7c6ffb32332933f693d00c6795
-
SHA1
28e7f909cbc28ca3af8af503111c5fc9f42502b7
-
SHA256
963aafe897132f8bd0fb1ce4beca2c4c2c04d8699a9e2612106c762cccca6256
-
SHA512
8c26ddc0f8a3da79646851fc39f57d44a654e3967dad708239f882ed273fd14522d771087b0ff0d688fbb15392145e176be519ada7fd94103a05b90aaab6141c
-
SSDEEP
6144:C94ZeMgE+D+G+33DpgPgRArNZltP8aLK9cdfdCWJATnKH92tIrWuZ/kE7eVmhgst:C94ZeMgE+D+G+33DpgPqArrltP839Yfj
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+twvcj.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/31AA1B2BB87F998D
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/31AA1B2BB87F998D
http://yyre45dbvn2nhbefbmh.begumvelic.at/31AA1B2BB87F998D
http://xlowfznrg4wf7dli.ONION/31AA1B2BB87F998D
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (872) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1e096e7c6ffb32332933f693d00c6795_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\cknnxfusdluq.exeC:\Windows\cknnxfusdluq.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\cknnxfusdluq.exeC:\Windows\cknnxfusdluq.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe261446f8,0x7ffe26144708,0x7ffe261447186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1427982648854466292,13215294627411117191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CKNNXF~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1E096E~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD508da21c3705f679e8a03b4ac34def258
SHA125aed94c7159a206b43b17749db7e0855ec3b57a
SHA256db2509f7ebd35fadc327568329225842331f8dfe722ad7793b1688e4394eb074
SHA5122640eef5cae4489f3a97cce56f0b617d02f708919eefe8af1b46603f88a8979d00fd981ee8b18c12d6403d41e6cf0dbe4a34850e59af2a72c10b125b9603941b
-
Filesize
65KB
MD5baa00fb75d9491574bd4470833121267
SHA1a375c91092188dbc4e31ce27da86996aba3c1e88
SHA2566a7faab97df6dd74e7ebcc74128878ab60b639c4c996ee44869b59077677b7c2
SHA51255b6784a494bfef465f83aad8ea38903c74b6e18857e44422619c692d157850db315eb46ff596b12290a333119cf6d44d81b1b1072cb914156248ebc4a3409fc
-
Filesize
1KB
MD5a50317f8f74f8897e92397fe781c6da5
SHA1913529a938c6e33dde968cf00d2234bf4ba881b6
SHA256a58e8a498a7832d47ae0fdc064fd695086829294688152f3f81b38f21461773e
SHA512e80989d6b6b0412f9dad68a0a1bc805b8d848c57cc6f6fd45cb8b6aac7c83a1c91321380c230c487006f7c39c6ed7c5d6f7d3e53f7ac2e9ade1d471c52608bac
-
Filesize
560B
MD5a5d18b6561133987b50103a1789cca6f
SHA1c8df61bc666a52c7900f34f486e00938709594db
SHA256a3e7bd5677eaab13a8877e182ee4e2bfbeac760fa856857ed82d31337d5e7dfe
SHA512b2c7189bceb7580c23edd4e98a0dc827edd3301fe7821ebe6eb65c1d66af5ed562fca0fc69baea41a4507f1732db4e7ebd94799c1f3b8bfab29aaa46cf7bfad3
-
Filesize
560B
MD50e308d6da91c8139494e0f4d7d98625f
SHA1949e7219df1a66b05551c75459a1af1623e6ff70
SHA25654dd433ca5e732d63f0b43a1abc9d11b4ef87dfc728769234729812bbfa09eee
SHA5129e82b3d8c01da653134e71d7d5b5b6695bf049b5f26261c5f812ecfc5de733bf90773825bfc031cc7dded893414b6bada26f7b6420c6c34f6b7215a5d805f965
-
Filesize
416B
MD5173e082c9ce3b9c9c2e81b3da1844f46
SHA13b73cdd3caec44af7aa862482d8918aefc5ad397
SHA256eeb4e2c9dbfdc805538baa8bcded6c7cad14c4a91e640363be83050947f969f8
SHA5121fd27f3847f548a974c7a8c099354e417418161201c970d343ba6c96dce786085b427e168d8ded57ed47ec8ae256285c6dfec79f8ecc205d01427a4f822c56c7
-
Filesize
152B
MD537f660dd4b6ddf23bc37f5c823d1c33a
SHA11c35538aa307a3e09d15519df6ace99674ae428b
SHA2564e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d
-
Filesize
152B
MD5d7cb450b1315c63b1d5d89d98ba22da5
SHA1694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA25638355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8
-
Filesize
6KB
MD5022085245f3c85686bf17bfc97a50464
SHA1646ac9e0d28250feccfcf609abd1b44df74d2fb5
SHA2568962d69d2205df80533c06833172e94fec5cb0a04fdf6b640487161944f94b9b
SHA51249a79cdf4b8858b2b22bf408d432db18ef1fcf1e474af0db3335359f8a03d308336bbd9c0d5dde383acbc11a84c143018e1802d47fcb13b45ebda876c661ea6a
-
Filesize
6KB
MD51477ea3b6152f6c9476b59d508cda116
SHA1c401e2aaa84d8ac2247a4ac5504b0fa69aab2254
SHA256f87d9067ee7c003114217a2cb7f91797c8de2a86c568b99a504bffc620eb4386
SHA512f014d50c64815f26d8e1da9defa35065a20e99e3c6d0517b9506d6c8e4f781eb63450035de6362e63afb60f084118c3ff10c920b4627bd4af56a802fee10d8b7
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD567ca0b4d4e80b1d556cbe31a202171c2
SHA121940dd7a087ab9ba5c33d372b69021651a56533
SHA256cb5f4c6e8ab9bbfaa593404b761c806ba111fa830921fa22dfc029686885cd43
SHA512a838267ff11d63453eccf64d8e1dcd7147d6b306e7aae7a4028e69d69c09aa0d02d691f7b749a578ced5ca14cf49e58d4043fff62c52adbbac51877e005760df
-
Filesize
77KB
MD5ce879ac914f9d6a416102e319db4dcc5
SHA15ee641bc21612151682a3f480cb38641bfcdab94
SHA25646d219a89e67b3d8a1d06fe788773d183d1511bdb48b0fd3894a0fcb7e3ada56
SHA5127220100d701265aec27caf71257766448e44327ccd1afc0cfaf8da2d6bac79a874ea0c7cd1fc23426e03160c35af9b2ae457f98c8b3a8b67072cf85d162718f7
-
Filesize
47KB
MD58bbd94c93d47f40ade7225f396ee5c1a
SHA1f39435ae26e91d591875eccd6cffb1298dc9f134
SHA256839c5f464d01636b4fc1c83731722acd1a36ec49ad1ed3263d2d91710a013304
SHA512784cec555e95f2a9e9aa8b0e31b2d349c909047654beaf315ea58845143d5b7594f4ff07a4a46943cd2f5f873ee397f4e366356ed3fb90d0b1f91a0641ce0df8
-
Filesize
74KB
MD531c713c5f882f3a6fdb25127a6ce4ffe
SHA1648941512af20e5b342507682ea161f3d50ad3ef
SHA2564791d511043ce681ffb6d33688b04e51d1f1a0047df40530b9692e055d17a381
SHA5129849bc926064149b4f8ad066c30103cf4ba3bbe17e1eee2ba6043defa08159f58f0854c8bd7b1293a214f2828fefcb01ec975cfd5aaaae3e9b0b3fab33ee0123
-
Filesize
356KB
MD51e096e7c6ffb32332933f693d00c6795
SHA128e7f909cbc28ca3af8af503111c5fc9f42502b7
SHA256963aafe897132f8bd0fb1ce4beca2c4c2c04d8699a9e2612106c762cccca6256
SHA5128c26ddc0f8a3da79646851fc39f57d44a654e3967dad708239f882ed273fd14522d771087b0ff0d688fbb15392145e176be519ada7fd94103a05b90aaab6141c
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
892KB
