Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-10-2024 22:18
General
-
Target
5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe
-
Size
356KB
-
MD5
5ef1fdd422951c153db8c39b87e84e5d
-
SHA1
a89966004343653b2d20c06b373b1390ed0450d3
-
SHA256
b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e
-
SHA512
94a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871
-
SSDEEP
6144:nOWcl+ocAAe1EAnT43osv0pnzKK+PDncAuLELquaWVzsHA93Wo8nswPm22fwh:nFeq0F+PzcOLyWRsHA93/oswe
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+hphte.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/9C1E355595DD6A
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/9C1E355595DD6A
http://yyre45dbvn2nhbefbmh.begumvelic.at/9C1E355595DD6A
http://xlowfznrg4wf7dli.ONION/9C1E355595DD6A
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (879) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5ef1fdd422951c153db8c39b87e84e5d_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\stetcqlymbji.exeC:\Windows\stetcqlymbji.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\stetcqlymbji.exeC:\Windows\stetcqlymbji.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffd361546f8,0x7ffd36154708,0x7ffd361547186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16551731062999898916,3278692855380246558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\STETCQ~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5EF1FD~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD516498f5835d4e84e73e985136535fb6c
SHA1080c38ee1abd20c6b5cd5af45b2b463676d81824
SHA256595b888e93bd59741a495d5130c370ae62468e2155718226ac2c16dfa522bb63
SHA5126aa595d87d91b00921bb4bbef4d0f977219445197cd1b8a5434d8aa94dfde56ac4f72c1f5d398d489ac7c5fdcbc2d322fce6dbd6c9debef49ad3e377abb91137
-
Filesize
64KB
MD55190c7e6b91aa8463cbfe26bd67ac155
SHA17ab8c93e96c35cefe126abe0d8e2dbef39667e01
SHA2563cc5e0dee02c4f0c231284f255a2e914ab9c7b65c3a54cad3f6d1a891a6fe1fb
SHA512186e1e28375985a966598354d09927f7bc1dab53da43c90b418482c9f870297109faec96a6fa9f52676b5420a87f6fe7b6d3bb54a6d1436a0c5ca9944fc0077e
-
Filesize
1KB
MD5a653901ac27d3a1f7cb35922df93b6c0
SHA1abf30407845e01907cc8c4d4035ed39d4b52787e
SHA256aaa82f49cc6788c02a55d26a38963dd8dd83722cb830e3aee16c20b7b37039a1
SHA51237965fc17d3876e4968a4e4fe14bebf525748aee4aaca863409a59389f930022a710bbfd9d6da9b81c545a5d83dd2d783060b647f5b46526648219b7c661f9b6
-
Filesize
560B
MD55afdff6596fb94be517f4e030c75f0e0
SHA14ef608ec3bad82d3635848ffb180b213345c23e4
SHA2565051e285f84f0a5c0db0430ef9af7352eb406fafd305c20ea6db9cf54aed5be9
SHA51236312e6cf66427e145c4a6dc14e83fd0b2096c0ff0ec99990395e7966898179af61bf1e3e17b88f9e4ffa6793c3c6c4a6bc0f182d709630b9679ce1da65e34f5
-
Filesize
560B
MD557c3b0e0a51702ae3bc039e21236ffbb
SHA186f9e2989654cc4df9504c7227b4ed5566e6b9db
SHA2560e3ab621e0fa7731094ef44349fd4a2c7a49d52abf3e1b6a8880b767d0335783
SHA512c9ac6e3a6c2d670ec94d288526c0fad012f98401758b487c148dce212bc52bf364a30866da55554f0d8ec279bb0c2a8b201a2c325390bde668f20cd9c6c82e35
-
Filesize
416B
MD57fcb1e83fc8a96b6f16c6e6da500c2a3
SHA12637ad6698309135abd54e4df285fd63634486bd
SHA2564d17cf9fd3ab1988bbb019ae0a49337c959e3d84bcfef0d71edfc561757632f0
SHA5121270ac5aabc2f3932033c0ffd77520018eb79a47a9068d431bef40f8f87a947bd643aa76c081f04dce1aeb8a369c22fd43e5454bc329b48b6f7d8ba42b664ef2
-
Filesize
152B
MD5d22073dea53e79d9b824f27ac5e9813e
SHA16d8a7281241248431a1571e6ddc55798b01fa961
SHA25686713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA51297152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
-
Filesize
152B
MD5bffcefacce25cd03f3d5c9446ddb903d
SHA18923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA25623e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
-
Filesize
5KB
MD5da0bb20a73ca1628692baf50b163cc90
SHA1e19477aaac2031d3a79ff7b35ef846fde2c69431
SHA2560ca74c45155e1b7d2d9285fc046496803c21858d912024e0fa15c2b9acebe9cf
SHA512b4acbea73711759e4dbb26372d32e85825429c6fdfa57f85c5216cc90c2a1a21e9a4a55fe416c216adaa26eaeeb664aa4cede2015e5f54e8da11704ae90e1ef9
-
Filesize
6KB
MD5f4aee8ccecc11944f58d239ac57450ed
SHA1f460159c092e58cfc12cc76838e7b619644da73a
SHA256ca32cbd8ebc3a401126e4daa7b29b59c92b0fba7c4f0774eb52dd59d20758b63
SHA512a14072b8feaa795bfa8b6f9689d8266e0bd47e9b50bf1d9b215bbc3aedd0e8b832e711eb16fb1343cdb537bd5c0993fc1b2e81fda5e72db36ec1117fb4dfa802
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD54990acdd93bb4198bb05f75983db046c
SHA1d3631623414fc950a595e2d90af675dcd1fe9a86
SHA25611a530661cd643bd8f8e41d982a30471c3467890879afde38bee012691febf72
SHA512610ed27e30cd51f03afe34eed050a35a63a063152325ba8aca2a9cfbe9740a4d87d09a52eef6e184e083ee15c3bb86f199504b8bd88c7c952ff5ce37f7b74b0c
-
Filesize
77KB
MD50cda444361d0e78ce7eaf17a79c6099a
SHA16058bc4231b4ca965f7a984504559239e732b433
SHA2565917424e97b0b93aaf404a976ff5222a7098e6fa83ef1f1598f80920b94d7d44
SHA512127644caf5b73d8ac350a0f6cc67e3c1feb6ab18cbecf8ec665a605edc15a39d1f6894a5122aa8e80f31e38a8501b28a21310fdd6e148b2df7c1de324880b65d
-
Filesize
47KB
MD5250646e00251ddd08dd4c948bf9ba553
SHA160b6da18f49a2d3109e80842adf6a70663fde7c9
SHA25636d534a22d660e6b1267c574a0378135419154393d79de8ff919c14cb0b5050a
SHA512816b324aaf25e444632a3fc633a926b3109512434abb7b1c15912573a9db5f3431adb20215d14275153ee3b7935c1bd759e8eb6dfc42d31b186875ee79b06c1e
-
Filesize
74KB
MD5fff803db53fe7c05c929ea2eb78a17cb
SHA176c813e72b1d70ebfa167bbd6cf48b81fc32dce6
SHA25638f609f10b9544c64a347688ad292264141fa724dff1e6e8752aaa2faee14a1f
SHA51246f457197ab708b1aa5c1d8a29070bb4e1f116c019c918f7db8d16ba055a674a3a02e178c3cdef0da5ef1aaf8f906bee6fb04aa3220eff6dc88dece0b9e73ab0
-
Filesize
356KB
MD55ef1fdd422951c153db8c39b87e84e5d
SHA1a89966004343653b2d20c06b373b1390ed0450d3
SHA256b5a35f6dc7bc0708cfa5b5fb39472509eb81c22ccd93bdb563305164381a1d3e
SHA51294a775ab67babe692fd6cc6c597453f3607e39627579ec82575025a1c1aa3015a108418852a64d84e4fb8c2a5ef4b5619284b25d52a5790b5e3ef11153c11871
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
892KB
