Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
16-10-2024 19:55
General
-
Target
4eb96c4de5d7f7f9c600c565eb169d4a_JaffaCakes118.exe
-
Size
241KB
-
MD5
4eb96c4de5d7f7f9c600c565eb169d4a
-
SHA1
3851e8d3a83e3ae0e25003b91fc91b9d908cc512
-
SHA256
b8bfe6d99aefb50a8918788e51a1bc19d06479ed674df5db07e8cf318a9c09ea
-
SHA512
75b9b6e2c46c4ec3c547d60fc9d85e0749827eafe112f1c0f44144e7f8a851f8fb33fb53fd7438427aa10edb9caf4c2ed5b6fffa57758637dc6597854a203ab1
-
SSDEEP
6144:kL9h7YTJUQR+xHFGO1/Fc/+1+RF5boHp9U5+OYCy4H:i/Y6QR+7GS/Mq+RF9oHHU5ACy4H
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+frhwm.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/386FABB516D380F7
http://tes543berda73i48fsdfsd.keratadze.at/386FABB516D380F7
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/386FABB516D380F7
http://xlowfznrg4wf7dli.ONION/386FABB516D380F7
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (420) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4eb96c4de5d7f7f9c600c565eb169d4a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4eb96c4de5d7f7f9c600c565eb169d4a_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\sfkqpeehapwp.exeC:\Windows\sfkqpeehapwp.exe2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2884 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\SFKQPE~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4EB96C~1.EXE2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD537674bc6d48bb8aab61bb04d63b3d2a7
SHA1b09ede1369a34dd721a0ed144538a3aa553d3fc5
SHA256f3325e25ed785221ee96352acddd382f74ef4410302f556eb7721f03ce6a1ef1
SHA512223874db4dce3a7691f9899175998533e73e287968cfbad6af872c47b4ad5a5b19670d4c1980736d82eb9679df1ec30668161e6b6722094dfb5c3994a7d0b33e
-
Filesize
62KB
MD5c8e4e387486b9d6d6eccde29df8860df
SHA1b15c1d035cbf7daefe13fe4c93b5084d6b32bdeb
SHA25647793962d404803632c76650b249da73044cfb43dc738317488570a8de56cd66
SHA512ec52e8228f7c000c30a2b958a416cbf70b06c38d642f1da3c815d962756669bf8d83cf9a4178fa60ebe3ff518737b749424581c8297a9b4a4da9f5947a881e39
-
Filesize
1KB
MD5af895109d915b2a150773976828a41af
SHA1a4ed6b9d9476f7d0a3c6b8a5115e116599fce491
SHA256598a3f4a98798e3728a48d7a4541204970983ffbc2a9f0fd69ec8dad9ffb7078
SHA51268fea2fec0ee8da9e901af2362ccc8a768372e48ce4e328b1095f1f23a82945837ee274dfc1af3306814d1af7ad5fca2fdf7c4237c936d4c2cea9673f8db089f
-
Filesize
11KB
MD5a187c9c4fffaa7ca60a5d373d547da00
SHA1c3bff2eb6024ee2e39ec3afd2a021b603b738da0
SHA25652482a35826a1af391c424d009b3e44f959c32e1299892168fbe65db72e14461
SHA512feef478998dd7d4a0e47a7e4f84458e4834f90a9f81143d0a56901c92097515e3118c7c3c3a1566995ee35dd7ef580be626729527410e97e3fc5f90719b81d16
-
Filesize
109KB
MD57a6d8d973bb0b6203166612cedc52705
SHA16f367dd1cd1347f037b203d5ad060cd4692d6c50
SHA25625616b89d3cd6db39319662f25c11ad51470586ec71cb5432d6c04a49ef8c849
SHA5125d84aa496704c4d48e5a5362716c603d763cf97f0cab9fb701a186e5daba1765a99a2948a18f89d6af30fd8d5e7698f320d53908b5cffb6c306760310719e33c
-
Filesize
173KB
MD501153d68e544882a7172fecdd5fbc508
SHA19a7c62950e939084e101b05808c0c79ebfaa89b1
SHA256e078a6d0092421febb11a71b715d488aeefa9b613bcb8b3356662e3c68dc5b7d
SHA51229e44b3f06369a5ae9c41718d9f1fd157f9e521868fb865b934780d92b4a3ef570c4b01a374d69ef7e5c047eec3c67b38e846ebd684245338b7309bab5f64eed
-
Filesize
342B
MD5f78356bd907ac424ad9158a095531e3e
SHA141c41b720793df3d4d7acae838da293691fbf8f2
SHA25649c65fa2e02b2e2287e72c2d4e44bd03a3f4f8efc8745633c7ba7e0b30296c4e
SHA512554d7e72b4ddc84bce665fcca0b410e84f51e9d6d0279808f39938adc29419111342f304388b7320637b0aa2b903f9e7b8af91e0a08d0409a850a7072285795d
-
Filesize
342B
MD5a4766b3eb6b1b51c47c904577ef11e84
SHA14d5a0886ded80dc812d3791299a71c1406456ec5
SHA256eb5c9cc64fd46ee1ac151b0f380cc18a25d167b785c48e26c282212da6556640
SHA5124c9c84658e0f94e23af943fa343f97bd24e1038bb4cb1a37788016e0bf5dde4054f50a2cc15714b6b29c045e25dbeb2c84e65a7b6435addbebe820fd2b2ea4db
-
Filesize
342B
MD56cf8938084fa5bdd1201b6025363f9d4
SHA1ddb8732916896dd601a8785fd27441fc25b1f3cc
SHA256da8f6662b0f5bffee145d6fe9e219f2b483ec6e8b8c6c29fa407f2433cb53b62
SHA51217ae6ca30067b7effb688b66f64c83f1be0a438bd3784d0332a8d4fa603ed67bdbdbf56a7f8be3183beb286ffb6cce8842c0a360bda8fd4d569e0de606e71ba8
-
Filesize
342B
MD55ccf823b5c276356be7054b29b558247
SHA15b60bba2d57b12b476df8d70fbe1ff42dff8e200
SHA2567faf24aee80f0775a87fbb494517f2238750bc80383a7e79d6bb3da91e04b417
SHA5125223ac038b7e58ff74ab7255d17a38da4c1fb96a4d47daa1c17e86e0dda44d1df6481332d8de6bebb0160183fdd1d8b9d8dd86ad563fdc8a9c93f1ad22944c41
-
Filesize
342B
MD5d5218c4dbe17a3e29952ce6587c11f36
SHA1b8031e7cc23ed0bcc0e569f779581e5cd6213581
SHA256908471e750b9a16a8dd084fa34b31481ac8c2b5d9398c11b7345645d1d575167
SHA512fbdb09d646c99af25b2b68feb5911a3fe363cc3939647ce0ee1dec17ec6372c4989af4c8dd77a5bee58c1a06dda5633326688b65d5bb7cfad005218f4c167ba4
-
Filesize
342B
MD585ea9af408aeaadae95152e3ca3a6c21
SHA1b9da68d067152bf101e175f61f2256382c88b31a
SHA25688d3d9b696c22a1c45f71241a509d4c9cdf4f310a89b5a1867434866e271b72f
SHA512ad3e876c6de09225b1c42a9a6cccf5500ff4d6c835d65db6a82ca2b74cf9094eada5eba6eef1eef619b6e2b261707e175c3fbbb3523a7afd2a6a283f3a6a8fa9
-
Filesize
342B
MD5b4c00377962a4e86de3775b468815211
SHA1051ce84c4028d081ef3e9ec036e30b5c134aa748
SHA25634a371000f4ff1f9ae9a5ee8b12d8ca213fa340538c0ab4e6cd9c1a5ab00ce4e
SHA5121244285b19cf3eee49aae7fb67391186ef21a76f2261b8e0a1836566b313d7902ffc08d40315f5b247ac76999f3d6c644d3b46c8a5a976d112f45abc432e6aaf
-
Filesize
342B
MD5f988d8d545de22ef0a93dd2da1aafb64
SHA1ef5c8e69049297525c09dad7ecf5c59d87b25630
SHA2561af44c7ca5cd306500f21908ddf3ee3f877cbf240bdeb4726a41acc0c5929a02
SHA512db7e7c7a1bcb5846ef7ae214655b729e0b38964d15c0f71f6894d45d53749eec254ed62296ce9809e0ded9076e9412f08ce14de4c01c938bd479e132074aab69
-
Filesize
342B
MD59a876cfdf60757711dc06d595eca10ff
SHA1fdf30a5683cbdf3926d6253563f4ddad74e9ddee
SHA256c350e335a7eb9c499e905a346e6d796c7a39dbe2db34fd5b5c9c7a87cefdce8d
SHA512012de81a961437357ab31eef119f57f4962c23a0c624c9e428f7f37d8866ebaca949967bf300a63ae23d5bbb0670a4a0f966ebebbb73efdde53ae3a16378d919
-
Filesize
342B
MD5c9048e95155df9114cdce8546d12f8ab
SHA14e71c5d2b784352f667361494f6be652c51cf773
SHA25656f5ebf7968538a9a494aefd1d0e284bae6d2a0e1b91bb249e9627ebe53cb5d4
SHA512cd94f7da4b110148be7adda7c0c9697398462628ef4fa3ce19f3013a1413b1b4978e6a4719b0196c412842b21493101d2cb5c239bc14622f5c594221fe2e484b
-
Filesize
342B
MD5606f1fbd3d097fc46cb946015f5ff876
SHA191a9a43ba0239e10adc1d9478462e2865eefa6f2
SHA256375dda1a8ce4cb1bb4b0edf87803f90c60abc5164bae25fb66f307507004cd5a
SHA512d7e2ad5a431b4c1685137a8e297d2a22625e8bd5f250fb18e06a2f52157fdc4515b1b817e301e27e2bb9606608c391b4e1af0817b0d61be3e07e519e6521f7ff
-
Filesize
342B
MD5a7a99e2987e1f78c63c5840fecac0653
SHA1e57be9f0806885cfc2cd2f9b8d14084df5596320
SHA2565e4cf2f54e58c013a573768a08b4c058ad8adf83218a7164c639e16b2c1ca5bb
SHA5127165b4dbd7db85cbd9058290010a6aefe69b53246cd944560cbebb4e96c60738a1d970419fcbfb6c80d74cc501c4fdb13a2ed14d24762e858c840cd927c05ced
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
241KB
MD54eb96c4de5d7f7f9c600c565eb169d4a
SHA13851e8d3a83e3ae0e25003b91fc91b9d908cc512
SHA256b8bfe6d99aefb50a8918788e51a1bc19d06479ed674df5db07e8cf318a9c09ea
SHA51275b9b6e2c46c4ec3c547d60fc9d85e0749827eafe112f1c0f44144e7f8a851f8fb33fb53fd7438427aa10edb9caf4c2ed5b6fffa57758637dc6597854a203ab1
-
Filesize
184KB
-
Filesize
532KB
-
Filesize
4KB
-
Filesize
532KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
8KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
576KB
-
Filesize
8KB
