Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 18:36

General

  • Target

    4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe

  • Size

    220KB

  • MD5

    4e62ce349bf0b83eb5290e166f8b1640

  • SHA1

    2cfed0ac41cef40837ae9efff2ac53a0fcb4a7c6

  • SHA256

    cc3a14fc4597290919d7f8b806634f722a50eead9319bd115a84cb0cd3691227

  • SHA512

    4204502044adb6c429d85eea7ad656f6677361e716f606a44b469006e9fc33fd527d12a58255a46abf192f80e77256ab434f211ffefd7eba098a8236d2b93ebc

  • SSDEEP

    3072:4Vnaqq7y2RpRlrtowJL1rnEbgQInHNY5aMdflZs68jv:ynaqq7J3iuhWgrntShyv

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4e62ce349bf0b83eb5290e166f8b1640_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\syswow64\explorer.exe
      "C:\Windows\syswow64\explorer.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\syswow64\svchost.exe
        -k netsvcs
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2160
      • C:\Windows\syswow64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:880
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1996-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

  • memory/1996-4-0x0000000000420000-0x0000000000422000-memory.dmp

    Filesize

    8KB

  • memory/1996-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2160-12-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/2160-14-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/2572-6-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/2572-7-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB