Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
09-10-2024 10:06
General
-
Target
2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
-
Size
293KB
-
MD5
2f3373e966d98b09c7de17ebf02e3e5a
-
SHA1
90a307047c688dd34e9ee337bb229d6eb693cdb8
-
SHA256
fbdcb15aa69d2b10586e61ed558e55bfb2e5dc44dc5dc3f1cd0eecdf1d8920ca
-
SHA512
2ea399966362e572e0e6562ae4fc7631ee56a3dedbcd4537ceeb4ea4005b6d319f5815f4b253d506d39371fea6946aca48b23ce54851c7a085b0731aef412992
-
SSDEEP
6144:ln/L+Xx9IroJBTRohGirODzHW+/NPpXpcgojiONSI74jOMPtGR:tEx9IsihGiO/zKg2gGQO+i
Malware Config
Extracted
C:\Users\Admin\Documents\# HELP DECRYPT #.txt
http://52uo5k3t73ypjije.o8hpwj.bid/C542-0487-A54F-0042-F9EC
http://52uo5k3t73ypjije.n8niwa.bid/C542-0487-A54F-0042-F9EC
http://52uo5k3t73ypjije.ojesoa.bid/C542-0487-A54F-0042-F9EC
http://52uo5k3t73ypjije.7j6htz.bid/C542-0487-A54F-0042-F9EC
http://52uo5k3t73ypjije.onion.to/C542-0487-A54F-0042-F9EC
http://52uo5k3t73ypjije.onion/C542-0487-A54F-0042-F9EC
Extracted
C:\Users\Admin\Documents\# HELP DECRYPT #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Contacts a large (522) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 59 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe"2⤵
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# HELP DECRYPT #.html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:112 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:112 CREDAT:406530 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# HELP DECRYPT #.txt3⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5481⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD50254f3e6a9e6d998871cd1a99f7bab4a
SHA10b6cb3d8d8b14d2d9603efc8e75480f1f4c6a9c3
SHA2565fbb3d7b67528b65a118d2140003337e9647ca66260e819b968739c5b70c3b24
SHA512aa9e50b30024c39c474967c71cdd79eaba71708ad39fbdf7d9edcf134dd972d940ba022ca80da61092c2bdd46e3d73abfa63416cbef368cc2328889de27a85fb
-
Filesize
342B
MD563c9ccb39a44b0b4c512f3e0a986fa37
SHA1bd95cd0dec42a2c6704a1f60557cdcbe071ec6bf
SHA256434f45f0a72518a683091c12a69fb1c348bc5ebd72074d89c76a24025f057298
SHA51295d430f2d5d9aab63e82e35fe1bfbe73bca940f1cf2ed710ec72e49c9cfd43e986e87e25a917d62f4c08d176741091bdfba13606b3740487951b10d9b7da8771
-
Filesize
342B
MD5ea87e97f0975a02ae6a98d119c85b236
SHA180fa9981291a3f93b0e77b5727cae23fc0a51b53
SHA256b9ace45a16a47d04ed250ad80c1168f99197d105e552e5a3f328cde6f46e6203
SHA51270223e7d9e3f22dc5f34637aa95295579aa2468d6bebd956526489b45a5a5fdad68924c21d2429b980cfbc76539649d155c35181677fc2d3b94191517f15d6c6
-
Filesize
342B
MD5b9da555add718d868e6886d9da2c9f76
SHA173cab2e4765517f89bb49c0d7d5143c7b155e35a
SHA256268ac103a0b7de84076d2db5271bda9aebc3869f7087ae213c293a943eba9baa
SHA512a8e09d498bb17ae67d2dee32afb2a15862b46f63c6adb398912b4fa68a2150bc1749021fac78f2dc062064187ca39e3b45237e8a31031fa89e7d13d7f269174d
-
Filesize
342B
MD5dcb05fdfabafd2e13954b66d0524c66f
SHA14b670f03df4853b69644fe8bee99f6421920f9ca
SHA256113fe04f59978e68b01ceb78a7b7fd075182c1affced7309f39d89273cddf886
SHA512f5f0faa198f86258ea12c2f733e2538da770e5114af63c09e58fa6c419b621cde7af6f1a9fc082b787c6a7935b35193fd53c718bbef0fb7dc8baba6fcdf66728
-
Filesize
342B
MD5669cc80ef1bd6c97bfbb1d218c404707
SHA1ccade7112a8e90e987cded50506981dd46d2584b
SHA256b4abee7a5d67250c5d9ce4b15af96f4409c28a30256a3963e49a4fade15efc60
SHA5127162f3d1902c91c569de88f49edb1fb792b5bc5cdfa8edd2768e8ff262676cbfd163da11c0dc257498603e5971ded5c634e945d19ad4bbc4dcda5b1cff4d709b
-
Filesize
342B
MD53e1983c4fef1ae470e7abea8ff086900
SHA1b3df732528b7866a9e456d4e664ce38f46cf1500
SHA256f16d38a906c797bba1d052e2c7e2fc12db72d95f04bb9babc83b9e5ab64a1901
SHA512affac418efa2c2597d1059b7f241e994c31452c873fa855e1d38d49c53fc2475e34d822b25aba1ad7ebc1d8b2f981a8ae9bf149b76eb5114a613b79a62e51df4
-
Filesize
342B
MD5ef99354d2a93cfac964b374145dd95d6
SHA1ba069c99a3ebd65c409cdfca4370e70a9c778dfd
SHA2568cb0a810c2531c2286d488bf1135a00dcbfe9f63a766ce6e5daad09aad99f764
SHA51281563653542f8d2d308902ec318abf2cb603f2aff08f07a8b8efa2143a5045d950a010ca07419f96bbe336b3bd1a1eeeb614e2249c7941ba5156f7bfe3e7c569
-
Filesize
342B
MD595663d70130b46d8fa6e205e237453d2
SHA1cba4c8812e35a2151e6388509689183efaaf9a4f
SHA256e6a365488e387860c69182dd60fa9f4c3a343afbc431957043ba0609c4fbdff2
SHA512a64d9cb9cff417723a4ecced5e00750738f46b7156865c9c8e5e3c969cb39b01d556f9c53ac09946c087234e4cec158a3769159e447ffc840863c683ecf7af17
-
Filesize
342B
MD5f8c80b07eaf431071aaf00cbd8567845
SHA10ecb9212576469d2128347f8f88d395f73f5d61e
SHA256d584ee18f8c70e605134d8c0fedb8b5fa613f522283e41d89c275af16dddfc5a
SHA512b14d65daf61268938ac57f6d60d91fee5cdc44f000f428b39eb21aeb976cc2549e9c6df38e6661d714022c755f6e51add5ac5ed9a91590067c0c5158a330bf96
-
Filesize
342B
MD5b1c5ad2b0db2508317229271b2a26d73
SHA1fc5b15625aeb3a2e9ed9805211a2a43379a7baba
SHA256ee64af78cc6609d29af6999c8fcf54971b9286cb5d9ff9cf141352fc445ce3c5
SHA5121365c1d9de696d8f80b6694ca168cd04a6803c6384abadd4040d768a19139cd516b051a4b222bb8f03bffe5ebaa62614c08b5820469199b5d88dfbd9514c7308
-
Filesize
5KB
MD5d101233a69255b39924b94ed56d29901
SHA12772df7902e09ee7a0cccabde96a844ea5edbda2
SHA256e2e44aa7dfa7726c6882689de53dff4b159da7e15d4992687728ea57476191cb
SHA51244ee2368ae90aa76ea1a5b983c1a19ccbad005dc49a64e54ecda1f4f55db5a60cf0ff188a3c5746fc565730de659ba9f6ac07034e2319533d41faa2bef738632
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
5KB
MD51fd1316acfa2c03772082589ba52af8c
SHA166111e88d34d105a941cf4c178e3f22a4bf4bc5c
SHA2563b4bd1f38888053533d19f9993db1f39386a9b51d14cce08fdce42c0dd719d53
SHA5121940190e5ad0252ecc70e56924ca88e2dd19c41385f779f797c5023a62dfd8a6a90ac534cd52127c949e9ada282c2e37e9c5575a74f5218a7a6098201a2c34c4
-
Filesize
2KB
MD5a253e59427f7f76ae99bda53f827adbc
SHA115ff08908dd0fc28b165302b773d8ad81ab3e5c8
SHA25652a3be226a347763750dbd5813e994d38a0a0672176b7d44a1cc8d7cdadaa5ad
SHA51212e4d61e8fc19aefee2385708424046beed961a4b0ded0aadd0d1c5fe68a9ffa54547b7aa99b4dbb4abeea022742ab35f366a871340cc7056120c225bab2b930
-
Filesize
2KB
MD572a57432fb03b3ebb42a75670b165554
SHA118c6015c447d6043ea535c6709983087903d5673
SHA256bcbe2c2a9adc284bc60c2b4753d008e399a436199dc2567b4a3489c47e014b62
SHA512ba1a1b2c4b2c7535f379c26d5fa87785df957865075272f49c5abd9c5853c353576cac5483bcba4fa4b2ad6a39d29d252785e786bdc15411b98ca2a4f316381d
-
Filesize
5KB
MD503a3af8a91ccb635179a8d04468086ea
SHA11b1de33660db2d178b74a59ce4f094cb2bcbb0ab
SHA256e823a804f0ead0b63aa81841a80774fd1910d46c4ab806a6617e658e95e9c99d
SHA512ff33eecada32f366e79e0e3712aaaf0560a09f64df6bdd9fcbad1352beffcfa1a46f43c21a663f313d9e9e51ba040db0d07d47c0d5d1e0652695ec74eec53aac
-
Filesize
19KB
MD5363b990bc0a80e3720dfa6533d9226b5
SHA17b16f9a953efee3bc691b969eeb73e61c56b5ac5
SHA2562437548ca12a78f61943629a8ccc0042bc655133c6ac435afbb153bbb8aa944a
SHA5125504694263a1a6f9d3d35e085345087378750f563a49efb85dc19265e79b229d637c587a315dcd545cf4808ebe7631814ff5e98870ff7d999cf396a16939692f
-
Filesize
10KB
MD57f173932d17d8fa01e9c8519c1d0a02c
SHA1ae83c127481b5b6c50dd6adf2f5419f9d04b9f78
SHA256c01879445a69fb5e6d98623493114a6381a4788b9418b60ae895871feb8f6719
SHA5120037e533e073fd1e7a9600049be2efbc6cd58ca923e1f0c45f61e4c2c740d66977da540a532f35f06de2f818f93b797f288930e31cbe7f55a75a7b8761f98350
-
Filesize
90B
MD568d6615025cbbdea584a18b933a59822
SHA1d1356f862bbb1da50e0fe7b312208f0f14bf1104
SHA2565ab15d128a2c2bc898363c7ea5f904c96de56c57b7eed0e3cf3004e307835e0c
SHA512ade7a426c67e40829314645e584d3e06194f8f586933dc4734c09c52cb36c7908181a077c32934a46ec838907121f3cd0e122c68a7e7b0708e0fd00b72a8da44
-
Filesize
11KB
MD5a436db0c473a087eb61ff5c53c34ba27
SHA165ea67e424e75f5065132b539c8b2eda88aa0506
SHA25675ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
-
Filesize
14KB
MD568034fc27e1c9f1cb2b6a6f60eefd893
SHA12ed61813ff32d7faa818ef7d9b3b18c9d3829541
SHA256dd5f2a15d20726016da804082c1d767b0d0404e9292cf211336746bbb67109b0
SHA51293753329f3680dca4045b9abd251f7ecd978e7b831e8fced3d75deb3de7c65c6b841824f6a7c6810e604ae3dab3dc5f7eca026c46cbbba47998b507aa1f29f6b
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
8KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
