Analysis
-
max time kernel
136s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
12-10-2024 17:03
General
-
Target
3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe
-
Size
369KB
-
MD5
3b240ca653bd5467b19e195889c07c6e
-
SHA1
bfb732fd34099fb9f4467cfab185a4bf3bb28e95
-
SHA256
62aaa2a24236be5ae371e5851370f24e6261025cf4bf539b7c40bdefc6ad07e6
-
SHA512
32242830aaf7fee32d16e86da4d602640fd360f24ae309bc5391c130ca384b951ac97f9ecc1f596bd7c7b3933c589dbd87ee872b4dfd8cda62835143e04e0296
-
SSDEEP
6144:fo07Ev9jgh+J0J+l/moekR1MlvlMa0FIe03ncsCMYZx/FqDN6TETpspvQrMX1r9:ftQVG+JIe/mGzMNlMVFC3Xi/YwOi
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_RECOVERY_+gcves.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/3C66E890F3AA6B1
http://tes543berda73i48fsdfsd.keratadze.at/3C66E890F3AA6B1
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/3C66E890F3AA6B1
http://xlowfznrg4wf7dli.ONION/3C66E890F3AA6B1
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (869) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3b240ca653bd5467b19e195889c07c6e_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\legnomeroaqb.exeC:\Windows\legnomeroaqb.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\legnomeroaqb.exeC:\Windows\legnomeroaqb.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaac946f8,0x7ffeaac94708,0x7ffeaac947186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,5635452452813203426,6448027828358606066,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,5635452452813203426,6448027828358606066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,5635452452813203426,6448027828358606066,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5635452452813203426,6448027828358606066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5635452452813203426,6448027828358606066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,5635452452813203426,6448027828358606066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,5635452452813203426,6448027828358606066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5635452452813203426,6448027828358606066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5635452452813203426,6448027828358606066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5635452452813203426,6448027828358606066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,5635452452813203426,6448027828358606066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LEGNOM~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3B240C~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5ce5ddd5d3a6d990e92449787c63bf8f4
SHA1427dc4f5947a4cc8233faff0c6e223c79c28b01a
SHA2561821d82645e685826135214aae3cc842a56a31e5af707b1ff27f4fad7c179e1b
SHA512b3b0de97d413b29d25a0f98304492d7ebd0922e54a02b52afdd3215bb6d22e0e447b4b425b061d80880f6002e7f30c5bf7f7d109c24e4884b37f1d815d23f5ed
-
Filesize
62KB
MD5297eafccea73c97fc5d37e444333d24c
SHA1199b80bbdea97274ebc7b6eab0c9f4e09b5cb415
SHA256706ea29dc951512f3cef6af0f9edeab8df8a5dc45ca1c78ea46d72de4dc75c83
SHA5120c828db0ea1f9ca6ec44ba67f6300d7b73a4a81b23acf26ccc1cfe3bd186024afbc6ba5375d14fc5c9659e9772d659efd107d5b6669fcd7703286b6b65873f6d
-
Filesize
1KB
MD5c199287d9ca5a01ae5e246d7202b105a
SHA1b72518ae1fefe59ede9bbab3ac7d6a68bc67927f
SHA256bd10718b7b671657c3a4383a18a8cf3a85681fab306c821833069fe642a88fb5
SHA512c41d812624563690d394782665a9d89472a2f641774543b6f8d432bcf2638eed8154f724cad4bc2b39ee441fa9f2b5a1ef29655f9c95bbdb319e3dd7b3709c68
-
Filesize
560B
MD5116454184638edba836f3ab7ec384292
SHA197cb3a0a6c3f31be72e89eb2d05be25771eba588
SHA25627c7e018878244eb06223e6268d3147dbe3cda3df68e4d208ba96ed82fc77176
SHA512a8feb57e7c421a00e82238b79efbc8c200602291a5f8296028ce8bf5940ed78ae0958f5b1dae1c3a10231af0c18482cd0d8751f6dd6dffb3aad65fb5ccc9e3de
-
Filesize
560B
MD5e38f58df301f8cfdee1eaa7404a1c564
SHA113780b78cda8366844d88eaeeec71722bd439950
SHA256aec5a7105ea49db4c9b0c8bd5ed131d9a5b17af9ae592d132a59ef484db99b34
SHA5125413ce7a6d63363ead38b9651fa60e9ffd148efcf0cbfd057d6bef1d44645c50c04bbbbcdc31a044286bb67bb5e81e1ceb34d9d7f51ed2321a8f7304c2a365e1
-
Filesize
416B
MD57f4580d071c507ca6178af92a67766b7
SHA1045eff101f596e159d5c107b3cd819e1a6c77b74
SHA256e22f5dda264a214b4893e4d168f67f43502025ecdbd1987c7388bda070b4b1ac
SHA512f8d88cfa6c07ed89d3c576dacb1617d6ca883740c55ab3fb70537b9640b8fd5afa3af1fe5beabc460d1c5542c53f5dda64b43f4e7ac85cf17f4796ae47e9549a
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
6KB
MD555f2dbdc89df6841a1180045b21995b7
SHA18b99b97430f85fe7eed25d7d3bde6abb228d671c
SHA256e64e6b1134b20351881f236de78e86bf4201197af154bbabfa25d109b3d3304b
SHA512454961a32dfe247245b5c36718056aa677a9a47c7b6daaafc484f01295fad56b74aeff40e8204349382432dd1bccedcee367e7360b1009f5b453b277a3ebc276
-
Filesize
6KB
MD5cd81a203b9df68409606cf96bcf40fc4
SHA15cebfad515034a0c07903f9c9a5357acf9c2165d
SHA256de8f2e2b3201ab4881b8c5fabbf4f8d438bcee98665b9def0c0792c303d9f181
SHA512c7f07c3a3a4e37f9b7cc5e6db550135b1be3db3efc6ce46e37500a6e5fd2f8b043443c497044a0ef6eb8b55ee8ade5fde86a8e2dbd35f984f25ddbe698369bbe
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD56c95856219716300f5f09d442a51359c
SHA12ee2fedab26aaf81b100894d90adc7777f6bb510
SHA256faa9f49986ee3b30518afcb1c962d1d6d6f0f4116110264f86a497d091d9da3a
SHA5120e9fddc709a1f89e1565cdc09ab376cdf5897b3bd00d657ac2ae147d87e263cdd2bc0b60893e7a3041db88fd8d51ff8f6f3bb311851aba7ce887a70576bf935b
-
Filesize
77KB
MD5c9d35bcb7ac37741736ea4e49ec7328a
SHA1f03fea006a0b75f677115eb2798f796db39c3c4c
SHA2560fab7cc16269e6b53617ce358899c0f8ff078f3867ac7f211e575ae518ae5851
SHA5121779bdf2ce2e960611e44e6edbc453319922c06f99eebc8a366a7134d643d6515894e09486b7a65e3f1666323b31e4105a868815b6596fe8bc4a081c66d25c45
-
Filesize
47KB
MD5f6c5162d0166c2f256d0fa2c7d6a16e8
SHA1933271632c8ab9294065d5ec569475e6652a4f2c
SHA25630ce022784010289c68ae0b6e9263cecd08dd95fd1c7f89ed96bc8d0cf5ca44f
SHA512cc6c679a0e40c54483fac20de7cab1e53fc8809329dcd1eca913c68f5dc26c4b49ab3e250b283a9126aaedc14ff47cb549cdccd6e9c21912d45aa86bf7c1311c
-
Filesize
74KB
MD5e994a8890b3ac21f0b4980c1889a6e87
SHA18f7e5856adbe0c2cf4386edee8cf4dc517bebb95
SHA25684e885a6d76401fbea23cbc262e12af98d57b94afd058053f0e3563507d5030e
SHA5127643b8d8fe49516ed5b7c8275e35d839c174598bab5509614a9da716a63104cf2a6a915233be606927c0c5a1240cd8b68772e9719f0879136d8dd48418b6b858
-
Filesize
369KB
MD53b240ca653bd5467b19e195889c07c6e
SHA1bfb732fd34099fb9f4467cfab185a4bf3bb28e95
SHA25662aaa2a24236be5ae371e5851370f24e6261025cf4bf539b7c40bdefc6ad07e6
SHA51232242830aaf7fee32d16e86da4d602640fd360f24ae309bc5391c130ca384b951ac97f9ecc1f596bd7c7b3933c589dbd87ee872b4dfd8cda62835143e04e0296
-
Filesize
1.3MB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
