Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09-10-2024 05:00
General
-
Target
2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe
-
Size
376KB
-
MD5
2b4d5982e3909f16967246c9fc4d2451
-
SHA1
2bd2a2d29679fe8cf68ab8f00ae9ed58f1506c06
-
SHA256
535bc699baf41334ad3f15528af60df9a8421533068f3f09ed01df212b40b059
-
SHA512
01d8716520cab4c226135116cc716d5337b54bcfd672fed8ef727b02560ecd1a16c8602bafbdc75fb65eb49f8af9d3add0658c116b9a574fe2183e2f2f9c68cb
-
SSDEEP
6144:6e3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:6Y5hMfqwTsTKcmTV5kINEx+d
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+igjfx.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/9C478A68B158A78
http://kkd47eh4hdjshb5t.angortra.at/9C478A68B158A78
http://ytrest84y5i456hghadefdsd.pontogrot.com/9C478A68B158A78
http://xlowfznrg4wf7dli.ONION/9C478A68B158A78
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b4d5982e3909f16967246c9fc4d2451_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\kefgitgwsscb.exeC:\Windows\kefgitgwsscb.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\kefgitgwsscb.exeC:\Windows\kefgitgwsscb.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B4D59~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5e80813b80a1a05774209593fddab70fd
SHA1719a9da61776f5c7aded3a822940fdd5e31a0c17
SHA256882663361c48105a035b971e74978276764bdf167b66078ed620ed93f98644fa
SHA512db20a826e0c0e73450852ec09e79424802c337b276b924ff1add98b715e0d3188bb7d5b6777112552cf2c658e7223882bb9ebd5d3d72da80261dc51427120bf6
-
Filesize
63KB
MD59365c342563bc86f8f21316cf4fa3647
SHA16c27c864545d4169005c4d1261859401943d6ab0
SHA256ee41dab8a5e5b7c15f8d30e9787cabfb38b8c371c65d4039b7bd5a11cdda2f8f
SHA5128444852ce27b59cdf1dd1d30e01d0b429669edf320296831ddf947d992fa3b56fb278cee3b934ff5ac48aa77c61a05cfa6c2f2be2473eb4748098f89e37d0e8f
-
Filesize
1KB
MD57e6b1b5e8f113edb994e26cdede92150
SHA1735ab817b1bead877f4578bfeac581ca9d81addc
SHA256cdbdd3cbd87a919bf7852320f1efcc4043eb3c832215ed6dc18c269c09567138
SHA512149cb4141999acb4413cb033ed7f4d991bbe1e05bdace765026f8d3b9fbcbdc87e183ce1acd39c7bc6ff73c9269b13968a6665ca2e09939c3cef83890be27a8c
-
Filesize
11KB
MD525ef0d57e5708a2d211e6c9970c1e2d9
SHA1e45552f0a58cb57a565e866f4ef107b746188f32
SHA2561e44097d2d262dc5bb57e7febcb2d3b4f93ad4c318eeb227ec060350f6796bd1
SHA512f52307b7bad167e93dce61daf3692b0d06ccdc215e9b16b3b474044dd1d14d711b6d1d18632685a5f31c33185c6052804cb44ebfc1e7ee78eb0055ad32da01bb
-
Filesize
109KB
MD5ff157fdbbeb445ce8ee72c2e9057fdea
SHA1d9d06c9469d422d42d49c82615e55e482605806f
SHA256cb01566fec248bead8bf429c6df87cef01c8323753c2033b9c45c68ba5780bd2
SHA51213b5130c65ab3081be0eac8a9b1fc54728f359449311dc764090c32feee0284f845bcc41e2f72fa591bf3fc2114b018c692ad8ea2bd11a983d9bd6974a3626d5
-
Filesize
173KB
MD588df688ac77d349370c594237b26cd1f
SHA1b0c6a9c538fa60c98882636fe8806c9ed7cd2159
SHA256dfa9105172b3e511c0b1f7066f71fc56172d053ea54d7c5e964dd1261d2e704c
SHA512ac8cf2f3519b3c1baa11d6c5cd8370e3eb05ceed31516ee4117b66e1b4becbd1549038b4a0c6b1a7df17e940f2bf58bd135c8f595666559cae19e76f3802d99e
-
Filesize
342B
MD55477a5cf1b08e8a20db6b3d69cc0fd0b
SHA1131ffe8f5998d7f8c2aa8dfafe51bfa3e913e5a7
SHA25678c3da9f6fe2acd2244836238aeff3eeeb04d06e375df175581174f4f6d9ba14
SHA512e364a8f84f0a6a451cef92e90780127af7002ac23b628b7f402796fc87eadeee916345c9689a910f11dd68fed50f17145dfa240e4106fae417fe982527e761d2
-
Filesize
342B
MD587723bf7a88ad04c799971b34a0bfdf2
SHA1d0361da9454965c5220531877fde519f309a15fd
SHA256d85d36fc3e6b2e7765a310ad054941e24e437d359a308c30dc725de26152d1cf
SHA5129632aac1bc502ecc2153a3c70c56ac1d73a03c040c296e1221b63cc202c284077145144f91755b24465d86e86f5005d7b82d1d4fe88f966a4bcff5e58cd2b678
-
Filesize
342B
MD5f36a13f3dcbb21075dc846e1d26e0f5a
SHA129e94e80303bfac05f31ff2f490e7bd81f4d95a4
SHA2560f9e478e2d879744a9539fe6bf00674aeb79c84c2e9ab65d00194264c4f682fd
SHA512992198f440de11916849891540e48ae4dddc86f1b3055943071e9147d7ff4beaf039b9aba07e173f69f90b086440a7e52ed07c53feac3289b0444ac3fd425b8b
-
Filesize
342B
MD5160471c07646a26ff2a382b3adae8883
SHA167768718f30bedeb0071d491df4d0ff78925ba37
SHA256a59236be9e1de0c0c778ff1a8ae0f0c389319ddcc66fe9320e78bbe5898702c2
SHA51270f077f650453e5b9f605e488ca354f7b91ff9dd8d5abcc3014476ce6830a8a2bc8b647b5c81e34ff18c1f0755814227ac0ba2413a30541625fdf999f39dd6a0
-
Filesize
342B
MD51203fe7dea266d094d362ba287ade869
SHA17d992e5f005dbf9fd8bbada8f536b86a2859a021
SHA2568a059fd481f107dfc24b14fdcb178e5cb481cf5853f5a4cf9c9fdfda47cabdd8
SHA5122def8cacff7eae2e8fd43e93b43d31caade17ffdb056169b2f405ca12c6de2382a06141d1093ef2840740a053c28271670883b903a01cb3b5df9a032da6c8a4d
-
Filesize
342B
MD5cb25ced7a76d06d4228f3b827708668f
SHA1ea21c4a7dc23d17200c25fcec4b7bc44af47e5a9
SHA25630b9f0079a1a921f47a8832ffa437e488da32b36893547a8a6730d4052bf61b6
SHA512ef6e9eb0f82dc473032fe65d9b2920e51bfc65babfe4290fa854a79cf96dcce81b0d1bd0791b318a7530426d752e936267d3f9b769022d1079a1158442a4f28c
-
Filesize
342B
MD59a1fa3bfc60d686bfe4f2d8e5c867636
SHA194be60fd7271b592357695a96675b3569b8a182e
SHA2560d26309a5d972b9eb2f898933b01cb505bab8b0cf1345954ad866950dbd0db37
SHA5125ef16d144befc75c75d9870ec38be82d0184e6913cc03e5f26ed54e6b332c51126cd60936ceec347f5248d8b9038989cb67ad0e32e1b546f50f0ddc4fb5cc823
-
Filesize
342B
MD500190b202c5024aee895baff81a9e62c
SHA1a485f62186d6a00bc59308fb114dfb2892fc21a7
SHA256696eff33d394ba68765767dc55159405ea39122aba0dc38e6a227fae9bd24416
SHA512ce484ae3d9ea90166bc1fbaa907c2ee63e7d7b9600f63a35e13dd41844e76ca4f3f8b24518d6ec156cf3d3810219857f35e805fa9f7276c69ebace3dbf2a1888
-
Filesize
342B
MD52be89fd48511c6f8bc0dfd065b3ed4c9
SHA12d55a6b8350e16a8c6f2af6dd1744a76e3493472
SHA25682e72f3caed8763066df2dbdef7facb759c674b251e132cfd2970c75be5f20e3
SHA512437d109404e138cccf51352106fc0042e4dd20feaebe981a4c5c7e6caa62bc46716b193e00ce7eccbe00e04e3b3979deae75cd754b4f4afd8e4d90103299f764
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
376KB
MD52b4d5982e3909f16967246c9fc4d2451
SHA12bd2a2d29679fe8cf68ab8f00ae9ed58f1506c06
SHA256535bc699baf41334ad3f15528af60df9a8421533068f3f09ed01df212b40b059
SHA51201d8716520cab4c226135116cc716d5337b54bcfd672fed8ef727b02560ecd1a16c8602bafbdc75fb65eb49f8af9d3add0658c116b9a574fe2183e2f2f9c68cb
-
Filesize
532KB
-
Filesize
8KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
4KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
1.9MB
