teslacrypt | a45bd6e5fec24298c6453c29f5046fe9346366da194da4fc26935c5482c58734

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-10-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe
Size

352KB
MD5

1d46f87737ca1591b52ef272100ccab2
SHA1

e0a0f3c73c3829a71eaf2444d9e71977227a8799
SHA256

a45bd6e5fec24298c6453c29f5046fe9346366da194da4fc26935c5482c58734
SHA512

f5de0eaa8e55d07772f8faa0664ddc10378a630050ca8afbb0c855e066d585459b2fd59d6a3b06f466a0bbd99c2f5f5a5c2c8d52df6a0117f07ff6334a5aa332
SSDEEP

6144:QMeb/EDtpBx1aRXJub19pf3gOURaJmf+ubexB3wLaYZSzvF:QTb/wtN1aRXJg1f3gO9Jm+u2BgeYkzv

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+gqbgm.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA4096 More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA4096 Key , both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1 - http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/69117E90EA9E84BE 2 - http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/69117E90EA9E84BE 3 - http://yyre45dbvn2nhbefbmh.begumvelic.at/69117E90EA9E84BE If for some reasons the addresses are not available, follow these steps: 1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2 - After a successful installation, run the browser 3 - Type in the address bar: xlowfznrg4wf7dli.onion/69117E90EA9E84BE 4 - Follow the instructions on the site IMPORTANT INFORMATION Your personal pages http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/69117E90EA9E84BE http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/69117E90EA9E84BE http://yyre45dbvn2nhbefbmh.begumvelic.at/69117E90EA9E84BE Your personal page Tor-Browser xlowfznrg4wf7dli.ONION/69117E90EA9E84BE

URLs

http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/69117E90EA9E84BE

http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/69117E90EA9E84BE

http://yyre45dbvn2nhbefbmh.begumvelic.at/69117E90EA9E84BE

http://xlowfznrg4wf7dli.ONION/69117E90EA9E84BE

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (569) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3044 cmd.exe

pid	process
3044	cmd.exe

Drops startup file 6 IoCs

Processes:

wmplkufqkytq.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe

Executes dropped EXE 1 IoCs

Processes:

wmplkufqkytq.exe

pid process

2804 wmplkufqkytq.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wmplkufqkytq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\nwaxlxg = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\wmplkufqkytq.exe"	wmplkufqkytq.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

Processes:

wmplkufqkytq.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Microsoft Games\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\de-DE\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_ReCoVeRy_+gqbgm.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png	wmplkufqkytq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_ReCoVeRy_+gqbgm.txt	wmplkufqkytq.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\_ReCoVeRy_+gqbgm.html	wmplkufqkytq.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png	wmplkufqkytq.exe

Drops file in Windows directory 2 IoCs

Processes:

1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\wmplkufqkytq.exe	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe
File opened for modification	C:\Windows\wmplkufqkytq.exe	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exewmplkufqkytq.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplkufqkytq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wmplkufqkytq.exe

pid	process
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe
2804	wmplkufqkytq.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exewmplkufqkytq.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2952	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe
Token: SeDebugPrivilege	2804	wmplkufqkytq.exe
Token: SeIncreaseQuotaPrivilege	472	WMIC.exe
Token: SeSecurityPrivilege	472	WMIC.exe
Token: SeTakeOwnershipPrivilege	472	WMIC.exe
Token: SeLoadDriverPrivilege	472	WMIC.exe
Token: SeSystemProfilePrivilege	472	WMIC.exe
Token: SeSystemtimePrivilege	472	WMIC.exe
Token: SeProfSingleProcessPrivilege	472	WMIC.exe
Token: SeIncBasePriorityPrivilege	472	WMIC.exe
Token: SeCreatePagefilePrivilege	472	WMIC.exe
Token: SeBackupPrivilege	472	WMIC.exe
Token: SeRestorePrivilege	472	WMIC.exe
Token: SeShutdownPrivilege	472	WMIC.exe
Token: SeDebugPrivilege	472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	472	WMIC.exe
Token: SeRemoteShutdownPrivilege	472	WMIC.exe
Token: SeUndockPrivilege	472	WMIC.exe
Token: SeManageVolumePrivilege	472	WMIC.exe
Token: 33	472	WMIC.exe
Token: 34	472	WMIC.exe
Token: 35	472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	472	WMIC.exe
Token: SeSecurityPrivilege	472	WMIC.exe
Token: SeTakeOwnershipPrivilege	472	WMIC.exe
Token: SeLoadDriverPrivilege	472	WMIC.exe
Token: SeSystemProfilePrivilege	472	WMIC.exe
Token: SeSystemtimePrivilege	472	WMIC.exe
Token: SeProfSingleProcessPrivilege	472	WMIC.exe
Token: SeIncBasePriorityPrivilege	472	WMIC.exe
Token: SeCreatePagefilePrivilege	472	WMIC.exe
Token: SeBackupPrivilege	472	WMIC.exe
Token: SeRestorePrivilege	472	WMIC.exe
Token: SeShutdownPrivilege	472	WMIC.exe
Token: SeDebugPrivilege	472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	472	WMIC.exe
Token: SeRemoteShutdownPrivilege	472	WMIC.exe
Token: SeUndockPrivilege	472	WMIC.exe
Token: SeManageVolumePrivilege	472	WMIC.exe
Token: 33	472	WMIC.exe
Token: 34	472	WMIC.exe
Token: 35	472	WMIC.exe
Token: SeBackupPrivilege	1956	vssvc.exe
Token: SeRestorePrivilege	1956	vssvc.exe
Token: SeAuditPrivilege	1956	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exewmplkufqkytq.exe

description	pid	process	target process
PID 2952 wrote to memory of 2804	2952	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	wmplkufqkytq.exe
PID 2952 wrote to memory of 2804	2952	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	wmplkufqkytq.exe
PID 2952 wrote to memory of 2804	2952	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	wmplkufqkytq.exe
PID 2952 wrote to memory of 2804	2952	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	wmplkufqkytq.exe
PID 2952 wrote to memory of 3044	2952	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	cmd.exe
PID 2952 wrote to memory of 3044	2952	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	cmd.exe
PID 2952 wrote to memory of 3044	2952	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	cmd.exe
PID 2952 wrote to memory of 3044	2952	1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe	cmd.exe
PID 2804 wrote to memory of 472	2804	wmplkufqkytq.exe	WMIC.exe
PID 2804 wrote to memory of 472	2804	wmplkufqkytq.exe	WMIC.exe
PID 2804 wrote to memory of 472	2804	wmplkufqkytq.exe	WMIC.exe
PID 2804 wrote to memory of 472	2804	wmplkufqkytq.exe	WMIC.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wmplkufqkytq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	wmplkufqkytq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wmplkufqkytq.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d46f87737ca1591b52ef272100ccab2_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\wmplkufqkytq.exe
C:\Windows\wmplkufqkytq.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2804

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1D46F8~1.EXE
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:3044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+gqbgm.html

Filesize
12KB

MD5
969abb6790afd97c5d377091b4d03b43

SHA1
98c9260de33272f9b629dcec4c2a261bf66d8663

SHA256
09aa459d2134aaf31a664a36aac225a71ffc3e728ceb55089f49627060944ecd

SHA512
0016e7407ac3c2a367a03f9569e91674cccdc20407012e5f5407c2ffb94facb6f0ecd9f138251f7bcd5b93d9e37dd7fc106b51e734d86b5639c5852d2cb8d030

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+gqbgm.png

Filesize
64KB

MD5
655da07e2e78886dd5383e4efdb39d9f

SHA1
a22731563d6cd601953fae12f17e7ae6222519da

SHA256
f9e8516ddd75fc72a03fdcf96a6c56df2b4b021ff4c8c0b1b200816f84d88102

SHA512
0c5f0186a1be9c980142ba362b5729016dcff90dd8fe64dc4dd9ab407ad229f8caff860a8d6831f467f4c0638db5b1e38ced1a23f7b33a74a0e36b9055715023

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+gqbgm.txt

Filesize
1KB

MD5
7871ce64fdd09131569f4a99109935f8

SHA1
8581d09aca950f58573a7425dbedcadc2470e71d

SHA256
0b1d567d729433d792f7e18f48bc9263b57cfeb05eda89b3881ce6e1b6ed36e0

SHA512
e2c797173786a4b45326a99b48eba841b1be8e275cd90632e90dffb806de26780f59e25460e1eb1e0214da4a04098f2674dcb26de356026b858bd629e0823d4c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
ab88201d56eda7ef26f1ad0e651d88d3

SHA1
2993010e746d6eae6d70c98bec8723f8b4572b57

SHA256
4d9ebb0ee3d2615b3234fc9815226c04fb21fe9957a70639abd4fd0bac86e27a

SHA512
b5bbfdbaad73b49dd55bad2a89ca2fe39dded86f963989955713e68259112ebcf5f22b41098113595309072b26eb578613badd5c32ec08c8d68ed527463f467a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
c6504723a713f32dbcac85fbe0d44a97

SHA1
d73ace0fcf1d9217bc87e1c8e861d46c678e62eb

SHA256
ba42d1cb9ad260c3c085e1454544e2943e24798d6d81f13815344fd82a04f633

SHA512
8101a5a0535837dcbf0e3772c4ee88542b0fdfc185a638f5855bc4f3017776d900c7d118f147faf495ac5398e7d9ba50267f2210a457eddaf3cb44a82d0ff543

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
f09cd2c023c8f5cf752f30e1c105105d

SHA1
474ab99069dd04132e235abbfb291f4b5f45fe09

SHA256
862faca0aa737ccd7370df6564ead301480bf342b091ea64a94da3f199b18385

SHA512
ad513fb4a0362074852872a3af654353dc5ccd5807229e04b1b9566eb7ad94a5521fc1de0348dbc6c1938b96ea7b6c06088b9bd8fdf27409f21a2ea1309be0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\professional\license.rtf

Filesize
35KB

MD5
b3f2e2a2a14b0b8bfe83e6cc0fc5e5a5

SHA1
055474c9aeffdef7efc76dd7943c44ed6b598d75

SHA256
20926217ed743f095175be01781fa9887ba47e838f22c0d2c4cee5138d23fa02

SHA512
a4f9c1056d4484356f20cedf67d091b097c241bb86f99cd54fb57d7d8288824176ce1288363f0789cc5aad53c027376760b9eb43077168ece129bb199dcf055b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\ultimatee\license.rtf

Filesize
28KB

MD5
05a155f10088ef40c57853d4bd1ef3d3

SHA1
76e1bb1321c5624f59dd3d448f9635daf381a88e

SHA256
9febdf592a5f6abd1d87758fa1510452e049df71c0a778c2b04fd7a90a07a879

SHA512
3881db605d2cc955e4c0031c6f4cafbdfa652117a34fd1df536f08dc3d74b81000cc7f4436bf798ec2f0212ed0c3f25e4e8c7f6ff6fbdd7440c7ede4e0299f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\eval\ultimaten\license.rtf

Filesize
35KB

MD5
17bba4be13775a2dbb8033abbdc5a631

SHA1
5e9be1c28d514396eefd308a39b56b65c3db2c38

SHA256
6194464b5ddac491fbb26b7be2ab435fb304b44d00816de289fe81106e3d06a4

SHA512
c249f655e84d769b691ffc4fe4e74e1a400742e52d3c329c2506a2ffbeb154c22bc0ffb4673f80d8dec1b3785ae782355e78bbcbc053f886903a1a1f87bedfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sources\license\es-es\oem\homebasice\license.rtf

Filesize
28KB

MD5
f81fc22486353d5a1ea6acf5ac25e4e8

SHA1
67c1677caa916a81cab418abc976a31a5d63be28

SHA256
3c1e341c37ef16b30d4972368ad102b160fa70d19e733526b51e4b54f0641882

SHA512
460bac3a4aeb9db321be57d55a25757cd39dc3ef590be1fe4158f631d42a6b01da4767b2a01d93b16a1686c378b1d66c4bb08e631ebcfe694b3d3f22497858fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\_default\homepremiume\license.rtf

Filesize
28KB

MD5
6652a57bf3add5550c2b677a48dd28fe

SHA1
c273f8f12d3f6c15f3d297be25c85b341c3f7081

SHA256
ec40f3e0d64a3ffab8b8b2e21f6949b3199b9bd436496b02aafc8336e3bdb671

SHA512
489b763b683fe3bae7ea1c376e5c8804b27da1d1b2cbcd8ba22ab2b086024e727560673dcff471962843be0372dcdd4aa61ec039172fb8b6059cec10a3240618

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\eval\homebasic\license.rtf

Filesize
35KB

MD5
f58860370820386a6b3a5272edfe57bd

SHA1
962dcde251885ed0f4846742879195b07fc41ab9

SHA256
87a715c693f4328a9d7765ac88127fd7f9aa928df21fd89800d94256c871061f

SHA512
f3a20c501f2587ab149188f348c50b570a866effdd8379cd6fec09f9929d9e6edf92e47cf11b62bce786c50737d20615a150776b85de5e6c2b63cd0c29d6da4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\sp1\sources\license\es-es\oem\startere\license.rtf

Filesize
41KB

MD5
6b0b3a7f7c072c55ab1a6117fb1a3445

SHA1
0aaff0171a15fd80c060621be0b85574cfff6d74

SHA256
4f55435dfe12ef470df76f40f5cd5971586fd0d57a1b97192a77d1593883b05e

SHA512
a20b9756a1f3c1df8345525252ab240a1d50ea83674063ee43f3e2930c83a304e1166cf4fc1422579d9421173b09349d46368c76ec659f5dc43c55e5e094ee0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc29d5bca5556a09\lipeula.rtf

Filesize
9KB

MD5
28976c129a4b364738efea5ee4436248

SHA1
1302ab8219c409255d8d46909323628efeb647ac

SHA256
ba02c339c918e944e79a5b02bb62a392e47fce422b513febe5d459a30765a045

SHA512
08cb9c24ba54120a8c2f324576849e8b4523362710c6e0152b9d5c548cfef11464a56d3b9f804e403d77f352b4c42420c84705e3429f711833c28a623d32364f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9a71deeabfc0d8da\license.rtf

Filesize
40KB

MD5
f0aaf0209fe7dff15fb44a92c19033ba

SHA1
ab81675c2901ff26ac70b85ad4be749f5e98059e

SHA256
1da0ccae531234cdc0865207e4c5452413f8cae8dc731e28799e04527ab4862b

SHA512
95c1d213e88171fe3a94a7fdd334f43475f43895d26495b95d6195bde2f5d36a3ea697be1bb04da5efc874d3bfc37633969f0749ccbcddf6b965a70da29482ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_30cf7a89f238525a\license.rtf

Filesize
43KB

MD5
95b42bdc68820cba4ea9b6a156511b98

SHA1
bd31cfc1d78086e622f4ed56e9fd6cb189a72bd7

SHA256
f3fd39f844a814470530085ffd299204bf80b3654ca82993356b5886a90ef451

SHA512
57736869084b41364f6053bd8628665fdec77c44673a1cdeed10c19f8d81fcdab1ecf1507915b96e9f65a6719ad312fbe3de1f6ff493971bf8826d066dce52a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16d3f6301ae8cff8\license.rtf

Filesize
1KB

MD5
4512ac966a3e57169057f9d4ecf992a6

SHA1
529594e1f9f018603af59243ae1933fd019f7af4

SHA256
14e07a519807676eaab1ee8e5618e078e704c876d96d350eab7780ceb6f8a283

SHA512
9a5c9ff910f42e7ba4677d827af43d783bcf79e74e650fe86af59d6c5752f313f37f4ab02cfd7948e6e133879f013fa6e7ca41acd4b5dee4850f225892043160

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..rverhyper.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b990ce545164c82b\license.rtf

Filesize
62KB

MD5
ae09090a32717726ac581e0d17693567

SHA1
463ff38d9b4e2f8dfa14f2fcec6921d249b4adae

SHA256
5eaea731c21853b4a9b36af5cbe7262c5d0c51cf3a8c4ea72d5ef6c4316a6773

SHA512
6326a36c8ed4b888672564ab1406b87284ec00a3465a56dfcdf0c41ec8b5ad4e946954130865b5ed69883aea47d9ca0bd1f1eed5ed79a50d8ee9bde8a496ca3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b1cda3731d74e249\license.rtf

Filesize
1KB

MD5
ec3cadd648a7fceb10bc0d35c2720643

SHA1
ff834ae7d37800cedc890169f12e1f1ef861ab9b

SHA256
50105be616413f88515b4c778ed1be5219061c651e22e238320de647eb964c91

SHA512
05b70f0599225e3ea2d7afaaa36c876784000fd4845a917f7a9980e06a07fc673c78c4502e9f8eaea1652ecef9892ad1202d74c1352396ea4da409d068f34197

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18649662a3c65f12\license.rtf

Filesize
1KB

MD5
bc4dcf26b299415f4f29c68b46cc9ea4

SHA1
066b4814a4eecb2a092d15a2145b9e55920d7592

SHA256
dcfe89be5583d501c1fb2a645c59f1f28aaf2e265a42ff259d7686cc8487eb44

SHA512
249127a13d16c281c689e5c8abe03b5be5d4b248cde6ca44cda33e3c589434b77cd818322ea9a2265737feae7a426917794240a106ff8a41333ac1e0019759ca

Download Submit
C:\Windows\wmplkufqkytq.exe

Filesize
352KB

MD5
1d46f87737ca1591b52ef272100ccab2

SHA1
e0a0f3c73c3829a71eaf2444d9e71977227a8799

SHA256
a45bd6e5fec24298c6453c29f5046fe9346366da194da4fc26935c5482c58734

SHA512
f5de0eaa8e55d07772f8faa0664ddc10378a630050ca8afbb0c855e066d585459b2fd59d6a3b06f466a0bbd99c2f5f5a5c2c8d52df6a0117f07ff6334a5aa332

Download Submit
memory/2804-440-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-445-0x0000000000310000-0x0000000000396000-memory.dmp

Filesize
536KB

Download
memory/2804-4622-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-3548-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-2472-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-1476-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-726-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-8812-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-9929-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-7696-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-13040-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-13-0x0000000000310000-0x0000000000396000-memory.dmp

Filesize
536KB

Download
memory/2804-14-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-12289-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2804-11124-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2952-3-0x0000000000280000-0x0000000000306000-memory.dmp

Filesize
536KB

Download
memory/2952-12-0x0000000000280000-0x0000000000306000-memory.dmp

Filesize
536KB

Download
memory/2952-11-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2952-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download