Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-10-2024 05:47
General
-
Target
1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
-
Size
388KB
-
MD5
1fe6fdfb7796bf1ec5bdf80f86fa9dc5
-
SHA1
c4f86755ca60567fedc3a05ce88c4a342219c8b4
-
SHA256
a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba
-
SHA512
22cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6
-
SSDEEP
6144:nYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:nnSdO0iNEPn+TGOoYzwscMSOXUIJ
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+mkfjc.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/5CA146325A55725
http://kkd47eh4hdjshb5t.angortra.at/5CA146325A55725
http://ytrest84y5i456hghadefdsd.pontogrot.com/5CA146325A55725
http://xlowfznrg4wf7dli.ONION/5CA146325A55725
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (875) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\dfyxpnhcruiv.exeC:\Windows\dfyxpnhcruiv.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\dfyxpnhcruiv.exeC:\Windows\dfyxpnhcruiv.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff29a946f8,0x7fff29a94708,0x7fff29a947186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13921705386224093788,15669640915244444088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DFYXPN~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1FE6FD~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD554a7d7bda802af382e8d3622a8063af2
SHA1ffb86a9e8fb8d83a44e5b585a6d060ef1eda759b
SHA25674cf9892e3108128ecf01147be93350c6136361ab6eb3eeba29aca181b87c93f
SHA512df0060c89133bf00f5092f8ae9f15507e0c82adc967b99b07975729cbbbe27dd666d0e2d606f4a08c1fe7ef44e6d923b5f476e0341dfbb1ad25409d638898a35
-
Filesize
62KB
MD55101ca8ffd45bca97d7a10f6111dce40
SHA1f6c7fcb062aa27241ec09ac1fced8eeae48b20c5
SHA2562c395f9bab956f1313cee2f18b16e9ba43c6f4dc1844f4d65f8988f22040fedd
SHA512ca5cf2b45c76428585eafdba7934fb91f19eff5aeb2327afb83369f483895be4d433d53202168445f7ae6404d884ea5b385fd49f1492a27babc0bc8b35eea47a
-
Filesize
1KB
MD52ea0f0d087b45989d3dd3b4256812ee4
SHA13d895b4a1df422878485f04c2703e6b7780dc3c5
SHA256ac732b5d3da4367db7d87a75d308ca784a260026b01a7834b486069d29b5e2ad
SHA5124b8f8c2eb1dda4307735a8cd8db7a0c76ce69c366d002f1af5d26541b10617296ac5442858805b3e0921c436930e60b398ff9275003aca331123a6fccec973ab
-
Filesize
560B
MD5843d2385318a28524d944caa3ba06c11
SHA143ab42208605b609b00fd13eab1bf15008639936
SHA256f18a603bec6b863ad557d2e3909ec7c502b8ba21f479b6efe1764753eee791ea
SHA512f13b420e1e28d3f5feea6ccbba57cc72a2c293b3a27da4e8df6ca2d59f807906390ea827f2bd7e318c0cd1dcfe746e54969035f9beb155f8a6f4e2d0adb9413b
-
Filesize
560B
MD5634f1914fff2fd35062bfb6c185a6f7e
SHA172a7651c291b2bb33e826704189a4bb4ce9398d9
SHA2567a0a86a940c8d0fc36b54eabe00c82cf585e73248167464b6994618d25a1523f
SHA51243847ef7986e7b6c689d7590b3729c47dfe0180feed215eb568b9cf3b70dcc044766671d03c46c73b7a995bc217ec573eb2ee934f987583f4c9a0c28f4a45297
-
Filesize
416B
MD5c2ae79360952a3efdd28f3b961f70868
SHA1252e5ed865a8095e1a854fb724ea2dc1023f61a0
SHA25675373777326b9e3cbc02efe33d4bda12084b16d6a6a17da2a8c789476d0ea500
SHA512512f75a0e7d692ab06ac25e50863d8572aee3aea3743e2b775f04f9311297fd689dce5e8a424c0f15542ec53797c09aaff64e36cd45e1bd4da42cc42666d29ec
-
Filesize
152B
MD57de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1010da169e15457c25bd80ef02d76a940c1210301
SHA2566e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
-
Filesize
152B
MD585ba073d7015b6ce7da19235a275f6da
SHA1a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA2565ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
-
Filesize
6KB
MD50d14f6b00ffe2e43845898ad052a00ac
SHA124234c2e84c0ebff8d11ba1fd54c52c9f37cea2f
SHA25695e23736e659220f9ce116cd116350a036acd3b3960f4bf0b8c4f8fc4def8c7d
SHA51252b02720c4572c666862aeacbb278778471907c3f3ad5263d9f3d0586f5c72d84a8ea181e844b70aa7acf78c033a62ef7d70331ccf947bcda15107158c5fd551
-
Filesize
6KB
MD5fadc31079ae7d6e93764f58ac923d282
SHA1c3b5f08b5f4d814a69750e0658394aff813329bd
SHA256d94b3f8f837eaded4e73b4cce3b02ccf63989cfb3e0591bbe2dbe50522b48751
SHA512c88fbed6b02a579c2ec26198cc0cc11ba18017ba75ea4f7c35c1eb159088a64c0c750ddd919eba908ae835d937ac532423e0354a190102c25e8cd3556c7bf4d0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5f12f7d1d61993b9c087d30bc437f4ebe
SHA1b0bdb225c1e7b41566375e1819c6700f36610258
SHA2560c4ac229b4f12b03f68659e83ac14ba106895c536c397c72cce8effec3a36f97
SHA5124211fea4e1824df0d5db538e777bd6331016aac724fcce3339aecc996a1fbead117f8b48121fcd388207b6c467a881f196c3c74807ce5c8536402f50b9d2f916
-
Filesize
77KB
MD5d2aa36d5c27a3b44f77ddb6b33e4443b
SHA18c7bbe83b1251709bad19ec388ac44933c847ebc
SHA256730eb20d2d37209920177c82d8abdbe19ce9b46cccb12fb15b9aa30da18708b4
SHA5124e4911fbd01668143ca797b8f4950710a5a53a890d8b67e8116d892b6a94554b1188ca8311b1f76710247377dc3108469be4adfd21288a7c9b5a79f155d221b9
-
Filesize
47KB
MD5935f5fc5a2045f7b7a2d5be6e5a168ae
SHA1f5e6d21361dacbdd7415812dc694c72798ebe697
SHA2565defee96efea1c80a92ab54624dd61414c9215f7af4cbfc8d1d98794fe8908f0
SHA512a802b74cb798cc299971feea206a91f6e4f91d59a3ce34397374f88a6f4a251ed64375b8aa03aeb2a406412dcc0716bdc7162d2a970bcffdf1c2b7c34d4b9a61
-
Filesize
74KB
MD5475481f774bc2550eae223ca8066adbd
SHA1ad3f6f1316701e5b9184064b2f7d91e51fcc9cf1
SHA256cb165353de165902c63505638e0c33fa75342c920e7a30fe33e1c88a5eb4d781
SHA512c77d8ccb89c4d267f56c356068c0eea209835c856418d017018df5d1a7fe01a5655a886ca8cf3508ce56e8e2d1a7a96f01506a1f148b36735e06f5674c2d3efa
-
Filesize
388KB
MD51fe6fdfb7796bf1ec5bdf80f86fa9dc5
SHA1c4f86755ca60567fedc3a05ce88c4a342219c8b4
SHA256a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba
SHA51222cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
4.4MB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
