Analysis
-
max time kernel
119s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13/10/2024, 10:21
General
-
Target
3f4c5fe355ffe9030f6bfce23fe98e55_JaffaCakes118.exe
-
Size
308KB
-
MD5
3f4c5fe355ffe9030f6bfce23fe98e55
-
SHA1
e1391a7b978d0b44803118a0955221748b2bc9c0
-
SHA256
65f0013f4dc1c0c79266f6bb57de3d7d08457ff25c7eb31ffb728e1538620db5
-
SHA512
7ab1f051b47b189f094efb4838ee2a7b90d9da271b9a568789d1b28a764f693a45d5b8e1c1e2d74a02a41d8c7024447f30a1bdd81a3c391babb681a9d45911d1
-
SSDEEP
6144:cGkNyqgeuogtHpT5q0UAkrTswA4fMyxqnDYs6xbKy6gG:cGiyqhsJTqFrfA4fMysnMs2KT
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_jyjxp.txt
http://nasdki39dawk.oj998fh4txkjh.com/81F42A45F8E16A39
http://awoeinf832as.wo49i277rnw.com/81F42A45F8E16A39
https://zpr5huq4bgmutfnf.onion.to/81F42A45F8E16A39
http://zpr5huq4bgmutfnf.onion/81F42A45F8E16A39
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_jyjxp.html
https://zpr5huq4bgmutfnf.onion.to/81F42A45F8E16A39</a>
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (426) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f4c5fe355ffe9030f6bfce23fe98e55_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3f4c5fe355ffe9030f6bfce23fe98e55_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\vcwkyw.exeC:\Users\Admin\AppData\Roaming\vcwkyw.exe2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwkyw.exe >> NUL3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3F4C5F~1.EXE >> NUL2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5cb54aabc62635e1c0f7b67ad52076445
SHA1b4fa6f2ef23c183ba9ee5dbf1e878274a43f84fa
SHA256b1742a964a0b4de52e851e0aa25eb6371385a9d8ac1780d5a869754d82064e00
SHA51215ef94a2c38c598938ae843ce866464ba3040b1d32cd4f9d4bddf741cb6bb02ccf3492d41083d4ff2d019795207cc8a4d6c676a6b71dffaf6fbc827459c66679
-
Filesize
2KB
MD5aab8fc9dd57d283453e5f5f21813c28c
SHA14b7c9129654ffc5676bbac9aa8071297c4467626
SHA2565e4ac607985bbed5803192bf822c3655c4799834bd9ad94fa7712555199e1317
SHA5120cca5c476c5b33f0ba1a8e1d50e5963cb8e6af5563118815d7ff20331937998f157ccb9cc6974a9ffdcd78b4189a0c1c2bd9fa632bd68ed9ba9f8a80683b7465
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD5057e50e85c1de2445d62ccd62c6516b5
SHA169848bcf4036ed5e3560ef02c65dc5e09156b5c5
SHA25622892590cd18ef5fc2e514d341f7cfdb029f7b7fc269c3b877ed16aebaa097c5
SHA51294c3c2ef28a8b139248fa9bad98e6b4e12d40f1a5d9399d0807c7a01071d8ac760cbd22bc251ff77b7989f884a0d4f4d1f158cced2e2b2a305c8e54d9d399bb1
-
Filesize
342B
MD523e9028621a8bfe1e316653afc6ff768
SHA1bb9149846b1cec87a5ff5bfd558aa4e7b5f5b54f
SHA256aa85f5797f9cddd9e0903cdf7cc83a2a2ffef3c4c6b720b1db1736f94a8c3134
SHA512cedd9aa3cd62f5f3bbe8f1a92d3d51a748d5b79949e79140f7369712566554821296758071898a3c0756a407630419423371eee6765c6d036ebcde156e987c7d
-
Filesize
342B
MD567fa98de05736eda25d6974a11419128
SHA18aaa82fe76f41e6d68a728d034f8d67f4f9a1de6
SHA2565c6f2b9e1ea8ad476aeadeaa0a60688385a5590f0cd053334eb7430374a1031d
SHA512bcbf3c08ae33778fb356bc0a67632c3189a61931cc7aa53667a526f8539e77ea57f8a8c3329f2e2b4b3457811b3cd4e09ba69f4afffb3d78fa23d46a1fa973c4
-
Filesize
342B
MD5b636a7c4d071d94524b83ee201ba20e2
SHA1b504439a5714995d2de32cc3ca4d89740a688700
SHA256eadab979056578233e7cea331dc074f5d7d38c548c8dc185f1297f8c932f5cc4
SHA5124f65eae25615af18c1424fd1f840e5ed673a284e44245a1669d436cc40f2add4b03f25b1d621ddd7a2de19af020354efa6de03f432030d7bbe923dfc2965238f
-
Filesize
342B
MD519d9084399e8b9a59ac0fdbb6a9075aa
SHA116499fd75dcaa967ac933b627367b907609aa3bd
SHA25615874c77adcd8c0cc2d1edcd1eaa5b423bc2833ad0c30077a17a7c379fd0f327
SHA5120bcbe9836ab0b1a13a2eeed210c7897904154f0709611cdbb3df9a0b3bc7a4e05d47403b7bea68dc81509859954a0f98cfffe2cf69d45d7acc3927819a49f6ca
-
Filesize
342B
MD52261ddcb983dda6938e982313efddbeb
SHA1d842c2db7a34d0bcebffe8827e6a2aa75fef407a
SHA256b9e7385b5e9822df7fdd4684e44e0f1b568069530de8f2b38a21be6f77cbdb72
SHA51256aa9bb709dae84d99b0422886c75f9fc0ce887b38794f8d9ee32dd9d757b4e3900f489cb48c573ead470357331455f1c5eb0ba71a124e04ebcc3823a3145eff
-
Filesize
242B
MD5c7335dae6ef127d36793a273b0d93c20
SHA1706928d4f08bf5b0358fd400f61f90d675daf8c6
SHA256c9ae40d0ece0d341dffdd576c8c1217e356de30d605796d63aa6675f331a196f
SHA5128658f0b8d6eb879a0921fe9d4302f8e74725dacebf99915e9d29f28a0deb3ef1ff3ff7966aa652d15bd94eb1c0d8881c8b5284a59308e27e80257e19eb893094
-
Filesize
242B
MD5951a0eabbb69453f15e10a6dac186a05
SHA169517b33c24c920c0788006afe9af97e36189981
SHA2562b31b60f19e6278a4076f92319d59f6a2de9db8ed7108d842c0731fcce9778b1
SHA5125c2bf0aad25ab5f2267c0849c9e9013dcc6493ae94697c59ac1ac4e32d49bbe5224d6531306df65193c78a6e39ddb218a60788bd8adfce91528732b1b52eb8ff
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
2.3MB
MD5adcb21de7d7edadd3ef760f69aed8e43
SHA15af2c8a5caa4c539cce90d472c2e399b89de0438
SHA2561566739ec9254558b0c7af65212d62f4d1cc5a72d4740190f64ad5b5a61fc8d9
SHA512cca9ab7a351d5929058f8e70f95894eb3ecaac86c9fdd3adf9570af050e302b737cb355c55ef5125429c5985172037a05d6163bbf3fbce874130bc0162ebb9bd
-
Filesize
308KB
MD53f4c5fe355ffe9030f6bfce23fe98e55
SHA1e1391a7b978d0b44803118a0955221748b2bc9c0
SHA25665f0013f4dc1c0c79266f6bb57de3d7d08457ff25c7eb31ffb728e1538620db5
SHA5127ab1f051b47b189f094efb4838ee2a7b90d9da271b9a568789d1b28a764f693a45d5b8e1c1e2d74a02a41d8c7024447f30a1bdd81a3c391babb681a9d45911d1
-
Filesize
8KB
-
Filesize
1.4MB
-
Filesize
8KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
16KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
12KB
-
Filesize
16KB
-
Filesize
1.4MB
