Analysis
-
max time kernel
146s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-10-2024 07:19
General
-
Target
65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe
-
Size
384KB
-
MD5
65f583e82e837183c8962dfdbf5bdc35
-
SHA1
5181731fa74f097de73d81ff347fe2fec634887a
-
SHA256
1a4a1e76c6d2dc585ce77c9be7163163c0d614d5668a0c83601bb3d6f91376a0
-
SHA512
827817ae552ebc95dd541d62cc04af0cb798bc33af3960153f403a945f1cb139129fa6e40cd09f359bbc673ac6c11118eeecf1a33790873a9c070bc487e24a43
-
SSDEEP
6144:SzVGON09XRWtlggcMOEqmgWqvANwxcLSgL8J4bAvtqjPtW6wU25vB8ynNd98UW:pON09XotWgOfmgLA8cNYQAojtwU2xnv9
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+dbnry.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/8DD956EDAB2720F3
http://tes543berda73i48fsdfsd.keratadze.at/8DD956EDAB2720F3
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8DD956EDAB2720F3
http://xlowfznrg4wf7dli.ONION/8DD956EDAB2720F3
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (866) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\65f583e82e837183c8962dfdbf5bdc35_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\omgoiwkgjwxb.exeC:\Windows\omgoiwkgjwxb.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\omgoiwkgjwxb.exeC:\Windows\omgoiwkgjwxb.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8db946f8,0x7ffc8db94708,0x7ffc8db947186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7820487000952695053,5724715832761452710,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,7820487000952695053,5724715832761452710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,7820487000952695053,5724715832761452710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2480 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7820487000952695053,5724715832761452710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7820487000952695053,5724715832761452710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7820487000952695053,5724715832761452710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7820487000952695053,5724715832761452710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7820487000952695053,5724715832761452710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7820487000952695053,5724715832761452710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7820487000952695053,5724715832761452710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7820487000952695053,5724715832761452710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OMGOIW~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\65F583~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5f92be7686b29e16570dd22b4e208ae4c
SHA16797f0fb11443b66f5caa17ab8963d806080ab58
SHA256603de12d916f5c69f3bb42367fb357bc38dfb621f6747d4300413c8e23c9be19
SHA512c9dcb16224ff3795cfe675a09dc9d24ceaf23119fcd413e0b40e76a5bdd9402461e9dc89917f614152fbd0ebd6e3a17cfd0f37bc6b67a127e24f6e4fe6c2099d
-
Filesize
64KB
MD531366df6482f065435912d969312b4da
SHA14e4b02499a254aeb448f4ab623b44fb1843baff6
SHA256548cb810eb8d8125bfe50851d8f60c4cd3895bd6ffe0428f61009ef052ac75a3
SHA5121c3767a769cf542f229f54708b5c65a91aa6e64ca7dc8bcc79e2a8a873b74de528aad2b9edefe046ad9ee14fb11b8e56fd7d41f6834804edb35e612284255544
-
Filesize
1KB
MD54e046e4c31e07dbba3420c5915af2ed8
SHA120bd3d0c3fa4171e33f950218ead5919c70d4ec3
SHA25689ccfccc43d86567b728f876e4da3ba6559372d121c9212a9254452cd54ac890
SHA51207e296cbcf0aaa7540879463aadf41231d2db5bbadcdac71f9d6c2b475d2c18ab3769f178bed05d3b2bf0593b52356b8602006d53359be1cb7203502aadc7c57
-
Filesize
560B
MD5586e1ef68558b4c2b896942717662e91
SHA180802d14b09b4da933d21185e47290befb09780a
SHA256000910e7a9b65f8229f916c65eb2aea10a8afcd6645b6439e96f89f8d41010f6
SHA512c73c2df6ae4867436a92f452bf5bba948fc507a868c11cb9dd1e8fb645897343fe4e87b66316e66a1f751a739d05341148594f66968325455d7c0b7da1d6221a
-
Filesize
560B
MD592c2c5209fa839e55b015ebe17f75886
SHA177eca820f17445f8aaf1431146dd4228b717dc6d
SHA2561c800d7296f62c47b3c7dd359e7e349f725e3465bb4a99502e4ff8f36bae85a4
SHA512ddb3a1c0a7f8820d1be8dd0e8e488ce5a0f4a9f97bba524e71bff1263f49f8edd0cc22298bafbd0f5e2d8c93a00a345cf0b58e4ca9ccbc0a3ae306e622e099fb
-
Filesize
416B
MD527dfdbbd9f2df5ebd93342b02286b6b8
SHA1c614fe53c65c7311686b1d17660ae76cae6f61b2
SHA256dd2b27508e132a4311fcee703a8becc64880dc363bb784c9ed863f0d3fbbb78c
SHA5122af7e4a0eecfc820ebf30946664b54eb80d904890498ffe532fbedc0945b854dc749f23cbdf9cc6b7a88ad9781143c17cb2f7d9442948bf0cba76c30dba02c88
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
5KB
MD53738bb28f2ca5395a27e5a551986ccd2
SHA19f9b8fd05ed3375dc9c3e1f06c31dbd9a8ef4432
SHA2562b4baa7afecee7614d45668b292482d4c87a22b3d5f60a8478b457300cb4f58a
SHA51278d53a456d03503e0a62a415588dc0356df178e0c459b6c98beba79ac812e6ed6e7306bcee99e39cade21a9846f5731e4fde268af43cdfb1f9c1e0230ed83160
-
Filesize
6KB
MD56542302b71425724893f8cf28fabb575
SHA10d985a2361d23e37b5af71547f558db7e4335e7c
SHA256bcb41101ffbf9fb3e75375379bfe39e444889bdc6bacffe67849a410d9babfb4
SHA512dd6d319e576e43fcf0abbffd89194fb3c1d518f8e8c6facb0f24936ae1922653398d7371eafd91094d75f4dcc7d80f0aa9410edd906fea5dc8c02b5816ed07bd
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD543de8345f1ae93dee0b5e0d8085592a7
SHA1c69700e2cced6b42d26326ce8973457a7bd1eb63
SHA256b853abed33a9c31479588240a5f857e763950da1425dac73931a68a7d7023675
SHA512719f0de308d1b52b4f195e64d9381e37a728a49ba36374bed468d88d5b1fa4cbf141a188fde38d5279356e56aeefded080e2a6cdb275aa663ab9fda48e079a4c
-
Filesize
77KB
MD5d31c49db95ea394c58275b0623e5c4b0
SHA1d3dc3d9882266de4d422161ebc4fc44886234eb5
SHA2567c8037952380843f0d7db49157b21a242414e50102441c28070c5587760069b9
SHA512978b959b74d877f278bdd986949c3fe771ffe9f3b56377ef610c5d35eeb8fc10e64bcea85c3febd9eb66077acc4ced757d9d13c8a9ac8241b54d80ba4aa04bed
-
Filesize
47KB
MD549a3e17342c636c4e8efbff759327d91
SHA15ce600ddbd6d60191e98ae6773da34ca2c073765
SHA2564ca7c4fb4472cde9aa4bd5e5fb930b832ff41995be0323d0c049eee7ed8de88f
SHA512cce92de27079c8e9d4c831076890306467b8e40018cd3cd3f25ea11711248017f0a642556fc5559fba4aa347cc06fea01fe07b4d83f965a819c2f6abbc8cb8d6
-
Filesize
74KB
MD5e84205c3a8799112cc51f2ea1e422dfd
SHA16d594ef7a2daa0541f16909605abb15ee11dc34a
SHA25692aa0b184d29f654d2d4698775e906b6e876e9118342fde22678e96993ddd4d0
SHA512f746d938b8b10698f5b846b29bad0be08f8f1685152454111ee83fad2293ed6579bd93d571546d6c6d12f760ac34cb245cc65041adcd262b2f3c5ee9eae8dc52
-
Filesize
384KB
MD565f583e82e837183c8962dfdbf5bdc35
SHA15181731fa74f097de73d81ff347fe2fec634887a
SHA2561a4a1e76c6d2dc585ce77c9be7163163c0d614d5668a0c83601bb3d6f91376a0
SHA512827817ae552ebc95dd541d62cc04af0cb798bc33af3960153f403a945f1cb139129fa6e40cd09f359bbc673ac6c11118eeecf1a33790873a9c070bc487e24a43
-
Filesize
1.3MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
