Malware Analysis Report

2024-10-16 03:21

Sample ID 241007-rc4ekssfkg
Target 1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118
SHA256 b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f
Tags
blackmatter discovery ransomware 0c6ca0532355a106258791f50b66c153
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f

Threat Level: Known bad

The file 1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

blackmatter discovery ransomware 0c6ca0532355a106258791f50b66c153

Blackmatter family

BlackMatter Ransomware

Renames multiple (139) files with added filename extension

Renames multiple (149) files with added filename extension

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 14:03

Signatures

Blackmatter family

blackmatter

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 14:03

Reported

2024-10-08 11:50

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (139) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ogFRBgZRA.bmp" C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ogFRBgZRA.bmp" C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/2108-0-0x00000000010D0000-0x00000000010E0000-memory.dmp

memory/2108-1-0x00000000010D0000-0x00000000010E0000-memory.dmp

C:\Users\ogFRBgZRA.README.txt

MD5 c4947c60a66a5f286be734256b7e6e8d
SHA1 7cd483bbe59972ff22b2c122c08548933e812b66
SHA256 5119a7a0a3c668d897f1e33f1b39f3c78396a057b3efa58858c4b86878cce373
SHA512 ec43f7e65055d471c5f78d9777c0de661690a51da2f905467177c8a433468a74f546d2cac32f3881b75cdbfeabbff4e3ceaef10e181cdb2b5ae70f06875b2565

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 14:03

Reported

2024-10-08 11:49

Platform

win7-20240729-en

Max time kernel

144s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (149) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\uSeecXGeJ.bmp" C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\uSeecXGeJ.bmp" C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Windows\splwow64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\splwow64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 C:\Windows\splwow64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" C:\Windows\splwow64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\splwow64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\splwow64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" C:\Windows\splwow64.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\splwow64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\splwow64.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1dd464cbb3fbd6881eef3f05b8b1fbd5_JaffaCakes118.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" /p C:\uSeecXGeJ.README.txt

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2632-0-0x0000000000B90000-0x0000000000BD0000-memory.dmp

C:\Users\uSeecXGeJ.README.txt

MD5 c4947c60a66a5f286be734256b7e6e8d
SHA1 7cd483bbe59972ff22b2c122c08548933e812b66
SHA256 5119a7a0a3c668d897f1e33f1b39f3c78396a057b3efa58858c4b86878cce373
SHA512 ec43f7e65055d471c5f78d9777c0de661690a51da2f905467177c8a433468a74f546d2cac32f3881b75cdbfeabbff4e3ceaef10e181cdb2b5ae70f06875b2565

memory/564-192-0x0000000004C10000-0x0000000004C20000-memory.dmp