Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-10-2024 05:05
General
-
Target
2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe
-
Size
364KB
-
MD5
2b5c64d0ae335be2b30de30ed5cf9b71
-
SHA1
57a809107f1810a3ed01d4baf09f89a1fb562757
-
SHA256
33e6272f8a84de06327c40ad72efd8537c82d5f9d86b082ef1f6cfe7031f7c3b
-
SHA512
96ebf2562a60ef245aea06decf83298979368e4c4dabaa107068e430d7fe86af5f996cfffba95e7f1c5ef411e7d1265d24a84716be63eaedfd48ad3aac4dc4e8
-
SSDEEP
6144:REAU1eeD624pGSoJDZ2sqIrU5AsZBbgyg4s43yirHwlzKPm:RvU1eeD6282JtOI2D3bzsEHrQBKP
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+oqsrs.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/C4BE40509F94F2DE
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/C4BE40509F94F2DE
http://yyre45dbvn2nhbefbmh.begumvelic.at/C4BE40509F94F2DE
http://xlowfznrg4wf7dli.ONION/C4BE40509F94F2DE
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (904) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2b5c64d0ae335be2b30de30ed5cf9b71_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\gwwgbswhampg.exeC:\Windows\gwwgbswhampg.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\gwwgbswhampg.exeC:\Windows\gwwgbswhampg.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd65cb46f8,0x7ffd65cb4708,0x7ffd65cb47186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,5521505004423148097,9264027375139632862,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,5521505004423148097,9264027375139632862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,5521505004423148097,9264027375139632862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5521505004423148097,9264027375139632862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5521505004423148097,9264027375139632862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,5521505004423148097,9264027375139632862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,5521505004423148097,9264027375139632862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5521505004423148097,9264027375139632862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5521505004423148097,9264027375139632862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5521505004423148097,9264027375139632862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5521505004423148097,9264027375139632862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GWWGBS~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2B5C64~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD542659dd832f9f3965ea23d92223bd733
SHA1eebbcb68bc17c83f164883747e72112e4dee07e9
SHA256ac0361d5d82b41def5259b3745b5ab9bf71ce70a4c41fbb78cef6dc345250e60
SHA5121d63a1c14ad77ee79e3e622456318e561f285cde69e17b31cc98889f0f05e545d0f67528b2262ebc2ce17a83e00fcaa14a145bad22c53da490ce3b6da23ff4e1
-
Filesize
64KB
MD555d1691a252eb0ac44d3cd6e66a23760
SHA16ac66f42121333b53a049a1bd22dc47d995a96e8
SHA2562e6ab2e2387c00709c098fa9b69ecdd925abcbcaa2df9031a5b02e005a43c12f
SHA51228fae46ab2604ef4816193bb9ad942129db6fa70b8a5e6866ed96873211e902ca408f5b7e469520c3f40785a90d4acea462c313ba0d217a9b255d1fabe648907
-
Filesize
1KB
MD541a9e83aad309e5f2aa1e668d49ef993
SHA1bb6f4b42979eaea2400be2b1c0cb568a01b372b4
SHA256402580fcd85d101d7996169a0606ddeb45d74302973e60282f2a218d51cc7a7b
SHA512946c6f786f8b14092dfeb86f0c52a9357274fd4f53eedd95563988fa07ce08d0f0923e6ac08be7536cc95282280463e5dc2b7911f7d2c24512aa0e4f8f557906
-
Filesize
560B
MD523c8c2f471f744e6e0599779e8e87ec7
SHA1ce98ba47811599178ffd1ae4218f0e053c2f5001
SHA256665de6530ed11a803c03e583fa66c042d48c1ad20bcb398e983f46618bd7b1e4
SHA5127620be1f73d278c827fc0522412dafd069e609aa143611735c2b1dd3210680c7dfb74bba2a4211243aee36c77d19c0a966aa6a3d0493c51f24d22c2d3b41ede0
-
Filesize
560B
MD5a8e27e9139ed06611e2bfe980cdcae32
SHA167b23117e3bbe03ab1d8463fe2795675422a1671
SHA2569f62e5af7fd5797b79be955874b57ec9106b69ab2a1615ed82d92e475f78dc42
SHA512746aac269a994d4c7508a4484afa7266fa7122dde7f6281c952eb943c9c90da19e26e48cfb68ff79c2efd40624ec2a0750f6fce89078e55ece8e0c386123c902
-
Filesize
416B
MD5541a6ea6a11d50683ed6e5a2568ea442
SHA14516eb96360a8ca11cd0e8f468e703a7888f2ce2
SHA256df3a0813423df52ac2733198332937e2f031af25bf2d8aa9a65452e513cd894f
SHA51288ef8aefd462a12782acf554bde2cd598edb2f4cd894864356c208aba21bd000f72a7383967067147c00d01b63d079d9a0bab9002fd7d0a10fa0bdac96fe5c36
-
Filesize
152B
MD534d2c4f40f47672ecdf6f66fea242f4a
SHA14bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA51250fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6
-
Filesize
152B
MD58749e21d9d0a17dac32d5aa2027f7a75
SHA1a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a
-
Filesize
6KB
MD52149e7354a127f33a90c0175d503dbf1
SHA108c7614e58cde758db8902f8805fc53564305706
SHA256025441e6322794a0a5ce08e790958631bc479415ab625656edde4c7de8687f46
SHA512186793e3ce4679348fb121adad60139692507b19458ecf447e71cbfbade74e54b5566306ed3c3337ae5d14a26250dd8deb1125232b8df8dd125e48487b744d0e
-
Filesize
6KB
MD5b13f4142a754274ea99b7853b24dff20
SHA187dc82a1856408cf61041529eb5f528e31a1b955
SHA256688b63ffda31fb2a64808943ff52315aa97caf8043c5e212538bf9481dceacb1
SHA512d36aa7ddcbe4a664c15d6ace9633220fef9b55f194b90a7fbe352d95df3f58118c782c6806002f9af746ac3546a2b16564b2d5d0cf227a9a5ddbbb5e639ff227
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD5bf6662c2f511c4c60d0f0e7f31d50b59
SHA12aabdbfd51156211369e963c305e69d30e0b4b88
SHA256cf9974b773ee2b1fd871ea56893295831e245f812814a5c5aec9eca0b76b2a6e
SHA512c1a2b9b076cf3febc16da3998af52ddc99dd3248c38bd503bfd37f6ed18d0ea4eb85585287b075f21902f2b1abea86681d6277b7a0724dd9576dbbf55cfbe9e6
-
Filesize
77KB
MD55e8ae34cfc16fd68591b44598ebf1bad
SHA1b8a2e72080dc8c1cc08d0b2985425fdb0abce358
SHA2560595fe25ed118bc2d375467d1456dc523d0200be355d87a1f4a4e34589eb4143
SHA51251dd0ac114f63f6090a428e5f11c81891e4adf343413337837119fe951397a25149ea6d28e98195cc0fa10ca080a4e85f3f6fbe583b34f40b590bd4f6136e073
-
Filesize
47KB
MD539153ff6792e71488c2e165908607561
SHA18891033e6b9f529f747a4c101a3bc60d9ebef8fd
SHA256523dc81f05be2877ba3f1cf3bb1a5043c256a9830be815ca6407e8cb9c390cc8
SHA512bf5380f1abc68c45855a4d79f716ed6a96808763340088512a2ebf87b1810c7b07d03d835d23f515a016dbc1d861fcfe43380dd7f8b602b628a9db15b5ccdc61
-
Filesize
74KB
MD514cc4bc231a107c6bd609fe0004cdc32
SHA118f14979395f51663533e2de0c94c96da3f0a2ee
SHA256cf16c216e5aa10984ebc4dae340f08844a4698266ef85aacc92f8b080d2f40c7
SHA512d0e6394a4fcffe01b1c3fd9516131c41974433fef30892800f61c843eee31e305931f0e83c0f3f2cb85733ebd2be3166bc9069394f362d7f4631e2fa544cb990
-
Filesize
364KB
MD52b5c64d0ae335be2b30de30ed5cf9b71
SHA157a809107f1810a3ed01d4baf09f89a1fb562757
SHA25633e6272f8a84de06327c40ad72efd8537c82d5f9d86b082ef1f6cfe7031f7c3b
SHA51296ebf2562a60ef245aea06decf83298979368e4c4dabaa107068e430d7fe86af5f996cfffba95e7f1c5ef411e7d1265d24a84716be63eaedfd48ad3aac4dc4e8
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
900KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
