Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-10-2024 00:43

General

  • Target

    27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe

  • Size

    388KB

  • MD5

    27e887aa14f3890a72f06ec5d0759f20

  • SHA1

    8bacf22533725fd98c254c8eb6852edbe225a0ef

  • SHA256

    91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267

  • SHA512

    56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089

  • SSDEEP

    12288:LhTjRwlkwFrnAEryLFcG3yBrZTRDgZ8zOhG6:F4DRw7325gPh

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kvroe.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E28EB396F85EF8A3
2. http://kkd47eh4hdjshb5t.angortra.at/E28EB396F85EF8A3
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/E28EB396F85EF8A3
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/E28EB396F85EF8A3
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E28EB396F85EF8A3
http://kkd47eh4hdjshb5t.angortra.at/E28EB396F85EF8A3
http://ytrest84y5i456hghadefdsd.pontogrot.com/E28EB396F85EF8A3
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/E28EB396F85EF8A3

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E28EB396F85EF8A3

http://kkd47eh4hdjshb5t.angortra.at/E28EB396F85EF8A3

http://ytrest84y5i456hghadefdsd.pontogrot.com/E28EB396F85EF8A3

http://xlowfznrg4wf7dli.ONION/E28EB396F85EF8A3

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (426) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\27e887aa14f3890a72f06ec5d0759f20_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\jyidguupnjpt.exe
        C:\Windows\jyidguupnjpt.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\jyidguupnjpt.exe
          C:\Windows\jyidguupnjpt.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1664
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2360
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2324
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1396
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2696
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2556
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JYIDGU~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1008
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\27E887~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2200
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kvroe.html

    Filesize

    9KB

    MD5

    71600f1d3f4a70fdf11c3085f73dfd66

    SHA1

    f3fee4dc472b39d850e43064b33411c0cfd537e0

    SHA256

    1a985bd853126e4d6a8ae84f6948965d2594c741cc84cd669358b140546771a9

    SHA512

    832a9b506ca6626c3045f173a2510728ddd0793d4912d1a354f5d166f26c00027e5afd9cfd712f4cfd2d9c1255b1111e43a8386cf0951abe49899b7540287d54

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kvroe.png

    Filesize

    63KB

    MD5

    fc4ed43e3c8c7fd4efc44f7a8d01b914

    SHA1

    b559e3bd4d75a9a6661b4243f79d6b7fa7499ee7

    SHA256

    05a4a9d21d0d745cc8c83001b6d8658c46056a0431c5a6a62a436ae273532c9e

    SHA512

    77f90fad37c6f8eb7d8a592f4217dc05e07041ee8bce3e8338cb769f4a471d0483f96825d818fe7eb05ced4eb176e861a2d61022bbdce37124af90cbb865d542

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kvroe.txt

    Filesize

    1KB

    MD5

    01184afac9e1528ed3bd7b9f8c85c2d1

    SHA1

    fe06e6a4f250f6e55fc052dc9541f5e3e115021e

    SHA256

    4a1fe91e41f16355ac83686f08f3b42abefc1603cca6ce014af659c5444b9152

    SHA512

    7d3e18b8035b2dd7b752101e6c5be0e521b53473713c9e7bd8da6edbd944c286a146868c6e6d1bf1b052c64c19b31941563c198983ccfe5aa111de84645f7e84

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    f71101670856d4fd6b943408f66af767

    SHA1

    e8ccf0cbb0a37984ba34c13f5cf3291152bfd6e8

    SHA256

    1d4e63cad844866a5e2583930b4c4512909be7aee97cf735e403f4ebc5164aab

    SHA512

    6917c6c00fbf441f39af042e8682d3f0973ddd9c45a10df607cdd4b906138fef3e7f22f9104de1137865d6d66466462450115230e4782749a584d9bc85fb0daa

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    2511b598b25ffe28b085551e0eee4f3f

    SHA1

    48953d1c0d597e3683cc0c3116b225a5a43df05a

    SHA256

    be7a45f36c17ae78a12790003216019eed7dfe2a04e4d688a613e8e49665439c

    SHA512

    8e912a53c1fd1f59eecdad444efa69c953fd03aef2c5c4d7cf1277d19148c4cf9a52fbb278fc32c7ccbffc31aa4e8c63385c65cbceb71f2e1b28a34b0d1db346

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    82e9cdd3fe64bfcd12a1e23fccdc8033

    SHA1

    642dfa4f7d798cd04cf72e3310f167e1b49fbcdf

    SHA256

    5824bf292bc7e06176256df06018101ac3432b216dd5970f98db318ac47b276a

    SHA512

    e179d55246d03d84250c5e1e1689a20275880e33b72c2d14b2b9e913d927d838bf6cddb6ffc5bf506ac1659e636bcf2d26f1dfa5b676e8286abda5eba22a34e1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c88c89804b9b02ef97dfa974e70bc971

    SHA1

    ae55e8dee38a4339b0bb3d626a7fb595486d6456

    SHA256

    e747fcdf8db1c8b0099ddb422a83964273f89eac88717ad941f2c376f9f59d01

    SHA512

    04f46c3a9e898009a57736ba3c62728a1607aea0f4964dba0b91294bf422f4c67f6ebacc8a9af919d1cc20e0e0bc4b9d4e7886c4ac448093d365e33d04f1274e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bdbfa183728138f31a7f17f9ab860b16

    SHA1

    a5828d36bbe6bc83b02c96a739aac36657f5ad2f

    SHA256

    9f990e243d67f58fb1679e8777cc9f00da2d76bd5c4403249887ca658785ee25

    SHA512

    cf5a91f4039d8ad52fc8bc4981d7ce30442ddb479d4f480f76467781ec7a95ac21f496aacdc112acddc1a57045e0258777e650541357e8dc09718ec8dfe587f8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f4270f7411af666e8fb5eb7dd0266df6

    SHA1

    87064b6a93005686deacf32bd2d1d5a99033776b

    SHA256

    bd45603c86dd1c4237633e129bb859daa69831703d9b2507dd56189a42b0f597

    SHA512

    cd2935ba99e807b0a52f12fba3a76969b38ffc1c3def4971dc8715760d41fc67aa683921513b7175e53beff41083e48564d6849a14018534de25a7b89d4ac392

  • C:\Users\Admin\AppData\Local\Temp\Cab4C6D.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar4C6E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\jyidguupnjpt.exe

    Filesize

    388KB

    MD5

    27e887aa14f3890a72f06ec5d0759f20

    SHA1

    8bacf22533725fd98c254c8eb6852edbe225a0ef

    SHA256

    91a23ebd232c1d96458e3b0870ec5507e547e6763bf99c5c7ca69a89e2a51267

    SHA512

    56f420069c68e971069ef6d25a5944d50901d8c9de84f57a1bdb49371cfca117855afd4a6aecf1c6df96369ca3d19fe655c5a939a8b66d6fff6341de97259089

  • memory/1664-5107-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-1875-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-6573-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-6570-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-49-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-50-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-51-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-54-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-55-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-6128-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-6127-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-6124-0x00000000030B0000-0x00000000030B2000-memory.dmp

    Filesize

    8KB

  • memory/1664-6118-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-2238-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1664-1874-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1752-2-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1752-20-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1752-12-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1752-29-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1752-4-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1752-8-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1752-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1752-16-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1752-10-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1752-19-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/1752-6-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/2272-18-0x0000000000360000-0x0000000000363000-memory.dmp

    Filesize

    12KB

  • memory/2272-1-0x0000000000360000-0x0000000000363000-memory.dmp

    Filesize

    12KB

  • memory/2272-0-0x0000000000360000-0x0000000000363000-memory.dmp

    Filesize

    12KB

  • memory/2684-28-0x0000000000400000-0x0000000000633000-memory.dmp

    Filesize

    2.2MB

  • memory/2756-6125-0x00000000001E0000-0x00000000001E2000-memory.dmp

    Filesize

    8KB