Analysis
-
max time kernel
143s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-10-2024 04:45
General
-
Target
2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe
-
Size
388KB
-
MD5
2b15e8b996a5e439f4bb7c9e98a2ae0e
-
SHA1
a8dd6a2388e0e75add58a86bc0b72448e969e7c5
-
SHA256
0349b7b5d9d720f8c454b69716f21346967bfff297ac2f6ceec40ce80747054d
-
SHA512
ed6e2b79df27034d2f72230db1b3c83ed1d5acdc6cdae3ce9ce456884f682a18cfe6995b7169cb6c7cca668d662d0e72b6bd971799de5e5e0e280df3d089e1d3
-
SSDEEP
12288:z+QA5i2ipjoMARxOJ7dLQsNeqKLGrDh/:CngLpjoMARxOJJsLLG5/
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+edpcn.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/C8C275FE92390A1
http://kkd47eh4hdjshb5t.angortra.at/C8C275FE92390A1
http://ytrest84y5i456hghadefdsd.pontogrot.com/C8C275FE92390A1
http://xlowfznrg4wf7dli.ONION/C8C275FE92390A1
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (874) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b15e8b996a5e439f4bb7c9e98a2ae0e_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\neonlufikumn.exeC:\Windows\neonlufikumn.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\neonlufikumn.exeC:\Windows\neonlufikumn.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcdbe46f8,0x7ffdcdbe4708,0x7ffdcdbe47186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,631836394479214899,17622773898490168399,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\NEONLU~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B15E8~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD59f2ce839a50d3ce49fca05a3a1b9a537
SHA11a9a0a8249974374bdbebe471dbe89e9730dd8d0
SHA2566c3aef33cf573034457346e90e2a0a1be069d061a37cab3074ddaac03cfff804
SHA51297824205868ab4d558ea667f3184c18811d589dd56363ab97306cd264a11d44b6786933318d296f03aa63587df68c611c5bd9ddde699b1fe8adb4b45ef9ef5cf
-
Filesize
63KB
MD5b90dbd7f0117f42ed44f24694ac4efa3
SHA1b2ac904b64e9a7c5ae7744074f5827976fec6905
SHA256b6f7b7bd0f7e7dd87147a3ea8274ac534ab1f3c800e457605f79e977869e8e9c
SHA512b0621aceb38fc68ded8434e1ce3b31e6b7bae38a0b5e0caebf870b98c08277bd87d2f7ee9ef7005d63bbd9c93c7d377e74dc1472e0d8ec771f9b05a0d83b9114
-
Filesize
1KB
MD54171dd001d475f64250a7f53b2001fbf
SHA1ced55b74676c77a700765d3c93a13051d02b5a2c
SHA256bee70f4edd1422179d6f27ee784170cd81ddc642f690cab359b2d5f42d4e6f32
SHA5121552cfc5b5f6e2b8a8f9de5097f3f2733f5ef29b1748aedb8e43f0a119b9e0332987db568c5374cbad3992323bdda2b1a216fb7faaf4fc7e0f09f3fd9072e84c
-
Filesize
560B
MD5b741d7d9b9ae336d8cd9513ac983f2b0
SHA104853a70c695c3c565d965444c1ae07e20cdb96a
SHA25617acf4a96e09be7f1c82fb50f294aca9829152f55fe3f2ecf66aef4e6a06879d
SHA512f79682db3490aafe72adb25fc0ea4bed7dca05883c63dab0c90c8d97f664635afda09ea04166731d7b2ec11a5603796f721723629128693a3965bea21cca62e8
-
Filesize
560B
MD541635229c6364820b3e02402808325d2
SHA15afa15c1d6ec150edc6e954a418ecd0bb0d63a97
SHA2568eb471e9853eeaad2ae2aa456906a8cbaeb703c30e4302f97776276096a4e2f0
SHA5123744775f83f1141f7fcfe76446faf13de0e863649b5dc09ec0d443953783cac0d8b56cac1a891325761939428bd8d532059455999854ca1129a1ea80bc299553
-
Filesize
416B
MD52fda0670b12cd2621f1cbee7aa138d93
SHA120025f231644172a8b9860569a5d812d925b207e
SHA25631c118ee96380eb582ad5ae91afe25b45b8b42d941eaef9bbac0588934e1528b
SHA512e2b87d8a95ebbbf4de2a0ab83c515bf6001c54d165ab8f8e477ee62cb898d953b87e28011911d9600d2421f40170012cc6ed346d555a9881eec851eca58de957
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
6KB
MD571ef29a133cc3711593386c6aa3ab241
SHA1504925a5492c55ca5dbe76e725aaf67821c27e4e
SHA256b5efed9add5c382f21d2db723d6cbed7cb0b058c576e44e01a4a477d7a5725a3
SHA512dd80961a45508dd46c094087ec7909c804b92b425923e788602b505d90cebb2c9343b8aacd71c897ac2b13d453061aa75066cace609653c85e776a710a8ca4bb
-
Filesize
6KB
MD5bfc2e35ef5a5b8d9a140de8c2011c6dd
SHA1774e9c25ad175477fb79fa94940b83b343e06a58
SHA2565f43ff12e75809b741e617dd50c347dd68024d8002a821941b610ea610c55217
SHA512572824c2db5ba38ed254c9e3a306ab99be29e7df200c549dab3e3052e2cbddfbfc81908f9fd4ebd3021bac37d1891f4a3f4e043776d314c2ba9b703c381f9158
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5fd14cd9d85d7be297650c7a05b933144
SHA125ce75b91bf7bb9903058060756989b0220e2f43
SHA256ec4c46552aa02bb97f7ca8c945c6a6e4d6af7269f280b14e0fa67cc720f57a32
SHA5125c1a99a3cd40e9b30013f8c403a8f83e9ad48406be45aab7111575a388648e1473170780d95b5832fed21ab49f30d4dfc162d4ac917464db30d93327040898b3
-
Filesize
77KB
MD58a28b0a59d9c649daebd3e98b70d4cf6
SHA17af4ea002ec63949bd77b0fed7dbe24911770a5b
SHA256bb21e35d6027cac0c8dc96b82d7ee3c4b372242122a5dce097800c39ab34fd5c
SHA5124969c596b778b115bb39721b4b4c2d335e4094d05080faad030bad1931048ac05ab158f317cdd2c5f60a8cf18fe01aff8bc924239bf4ef2a8f6eb3f88f943047
-
Filesize
47KB
MD5be38a7f48772929b3d9fc2628ce9bbf1
SHA18776b4e047be2efb9e22efa4478dfd44a779b45e
SHA256194fb3455bddd99579638847b9378eb33e7a341daddaf6175f46b407efc1fcd9
SHA512a2acb195e94cba5859a4a463e8ac798e9544900217e37d34904319877518eedd70463b9597f09ee19736ba26c84247b493d12ba3bbc7859c5c85591b071b12b4
-
Filesize
74KB
MD551f35e856ae302eb7977f22fb6a5bd40
SHA1be654ac6eaf62b9247bad8c11bd22a9fab5a3f62
SHA256d2ef30427844571b272d4e407c64d9b7761d08147907821057aaff89be4e44b3
SHA512e4668e4240d251da6ba04b4396602900b70c1f7c34dd26d72a83a11ee301ddc64135031b3d6e00c028b3d045d156ed2ca2b687aa5feb425026a710a8814ae23b
-
Filesize
388KB
MD52b15e8b996a5e439f4bb7c9e98a2ae0e
SHA1a8dd6a2388e0e75add58a86bc0b72448e969e7c5
SHA2560349b7b5d9d720f8c454b69716f21346967bfff297ac2f6ceec40ce80747054d
SHA512ed6e2b79df27034d2f72230db1b3c83ed1d5acdc6cdae3ce9ce456884f682a18cfe6995b7169cb6c7cca668d662d0e72b6bd971799de5e5e0e280df3d089e1d3
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
1008KB
