Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-10-2024 20:07
Static task: static1
Behavioral task: behavioral1
- Sample: 31a09770fea2d2ad58709b9a2f0e78c1_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 31a09770fea2d2ad58709b9a2f0e78c1_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 31a09770fea2d2ad58709b9a2f0e78c1_JaffaCakes118.exe
- Size: 733KB
- MD5: 31a09770fea2d2ad58709b9a2f0e78c1
- SHA1: 52236081902e7b6de16baf141ffb518a6cba4691
- SHA256: 931708bffa6eed76585c166a080ea6b544f32951cb5dbc2d2065088ee9ebad95
- SHA512: 3972210025332a87df980513a3223abfd354be22be149bdaef7294b2a6d0ac2cf144120074cbb5b78ab393f0201026ec90fb46ba3b2b7f141738920d66a387de
- SSDEEP: 12288:0wThSCGHciZYJgDCVcEBQFpC5udlV3kbxZyNccd6/:06hQHnKxBEpC56V0b3yev
Malware Config
Signatures
- CryptoLocker
  Ransomware family with multiple variants.
- Deletes itself (1 IoC)
  pid   Process
  4496  Wawbmdknpbal.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  4496  Wawbmdknpbal.exe
  2632  Wawbmdknpbal.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\Wawbmdknpbal.exe"       Wawbmdknpbal.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\Wawbmdknpbal.exe"  Wawbmdknpbal.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  31a09770fea2d2ad58709b9a2f0e78c1_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Wawbmdknpbal.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Wawbmdknpbal.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid   Process                                              procid_target
  PID 4860 wrote to memory of 4496     4860  31a09770fea2d2ad58709b9a2f0e78c1_JaffaCakes118.exe   86
  PID 4860 wrote to memory of 4496     4860  31a09770fea2d2ad58709b9a2f0e78c1_JaffaCakes118.exe   86
  PID 4860 wrote to memory of 4496     4860  31a09770fea2d2ad58709b9a2f0e78c1_JaffaCakes118.exe   86
  PID 4496 wrote to memory of 2632     4496  Wawbmdknpbal.exe                                     87
  PID 4496 wrote to memory of 2632     4496  Wawbmdknpbal.exe                                     87
  PID 4496 wrote to memory of 2632     4496  Wawbmdknpbal.exe                                     87
Processes
- C:\Users\Admin\AppData\Local\Temp\31a09770fea2d2ad58709b9a2f0e78c1_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\31a09770fea2d2ad58709b9a2f0e78c1_JaffaCakes118.exe"
  PID: 4860
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe (depth 2, child of PID 4860)
    Command line: "C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe" "/rC:\Users\Admin\AppData\Local\Temp\31a09770fea2d2ad58709b9a2f0e78c1_JaffaCakes118.exe"
    PID: 4496
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe (depth 3, child of PID 4496)
      Command line: "C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe" /w0000024C
      PID: 2632
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 733KB
- MD5: 31a09770fea2d2ad58709b9a2f0e78c1
- SHA1: 52236081902e7b6de16baf141ffb518a6cba4691
- SHA256: 931708bffa6eed76585c166a080ea6b544f32951cb5dbc2d2065088ee9ebad95
- SHA512: 3972210025332a87df980513a3223abfd354be22be149bdaef7294b2a6d0ac2cf144120074cbb5b78ab393f0201026ec90fb46ba3b2b7f141738920d66a387de