Analysis
-
max time kernel
144s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-10-2024 10:51
General
-
Target
6a1dd1d327f60aee8509df877c8dc38c_JaffaCakes118.exe
-
Size
608KB
-
MD5
6a1dd1d327f60aee8509df877c8dc38c
-
SHA1
a2246029749e47a2532b016f80f5132f431e712f
-
SHA256
3e7affe327ebbf84f56bccd753c86122e0a1f0e8bf941547bfbcec775ab3ab94
-
SHA512
c29b9159c1bcb40db1a29cb3d91fc46e5b633db5e09ef52e8996a1d0e9900c153e6b68a7da680747215dbf0b03d34a1259fd17b90da01ff7c45cf1c4abedeaf3
-
SSDEEP
12288:Ax5WAOBdN/sM6Bn6fKzh1N4mZSZjCQm+OHAp3T2FWdP8CQm+OHAp3T2F99V:OsAOBL/sM6Bn6fKzh1N4mZSbF3HdPmFe
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\RECOVER+khowk.TXT
http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/DB61BDA74E94356
http://p4fhmjnsdfbm4w4fdsc.avowvoice.com/DB61BDA74E94356
http://nn54djhfnrnm4dnjnerfsd.replylaten.at/DB61BDA74E94356
http://fwgrhsao3aoml7ej.onion/DB61BDA74E94356
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (875) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a1dd1d327f60aee8509df877c8dc38c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6a1dd1d327f60aee8509df877c8dc38c_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6a1dd1d327f60aee8509df877c8dc38c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6a1dd1d327f60aee8509df877c8dc38c_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\omndmehoq.exeC:\Windows\omndmehoq.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\omndmehoq.exeC:\Windows\omndmehoq.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\obyjh.exeC:\Users\Admin\Documents\obyjh.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet6⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_H_e_l_p_RECOVER_INSTRUCTIONS.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7c3c46f8,0x7ffa7c3c4708,0x7ffa7c3c47186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,8009492789435247675,1908388272387305646,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,8009492789435247675,1908388272387305646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,8009492789435247675,1908388272387305646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8009492789435247675,1908388272387305646,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8009492789435247675,1908388272387305646,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,8009492789435247675,1908388272387305646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,8009492789435247675,1908388272387305646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8009492789435247675,1908388272387305646,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8009492789435247675,1908388272387305646,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8009492789435247675,1908388272387305646,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8009492789435247675,1908388272387305646,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:16⤵
-
-
-
C:\Users\Admin\Documents\lxdjm.exeC:\Users\Admin\Documents\lxdjm.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet6⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\OMNDME~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6A1DD1~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD550a69a73dce23ee230c1653d00f4c2db
SHA111ddc62a2654da48752a070cf72d81eb172878e5
SHA256f97429fdd3709ac92a276046f1bdc7d32999c84e30f6dcb76dc50e10e4046c27
SHA512d066037aa5e679b7ef610a32aad74b425b39e46482dd48f6bfd5da5fb657fff49b1453291d0fbb25633238dd229f24cd1222535a678af4ebbf835f58864f1712
-
Filesize
66KB
MD587723d7b582f785ad74301fbcc66a5d9
SHA13fe2dc2856f6f6a3a63e0b68ca937ff78d8adb72
SHA256cea893c6dc30810d9a609f4c42916401519e57fa6d97df63c96a144c2c0f7285
SHA512e3fc87efed64fb36b151312d7a1db29dfaa923b1fa9650cbfd9ffe77b1b775d1b17856f5540d18278f9588e39f4363e31642f69ac719a65ab7996edccbfaa8ad
-
Filesize
2KB
MD508a33e93900631b0593f27ff336b0921
SHA1442e2a6bd6f7bc439add5d8f13e90085ad588e04
SHA2567f15dca98089cdd7c8b5e632421e371e25d73319bd73556f8b0f9b7d0fbc696f
SHA512ee40781b11a2a70d51cf6f86bbab8fad9568b863d750dc8ade55dd2350d7cce6e5e58b3227e2004cc2c82ee2c7286f38dfc2f0f37ee24a38f9f986a60c307af4
-
Filesize
560B
MD5eba4cf30e78f3672543ea74e933b84fb
SHA198751a29048bfc42f3418c4106b86661a3637e0c
SHA256850cc31474a4b35002215ce867af89e7de3b1dd2771f86014f59b904fdba627f
SHA5127879d5a0773e899bc8457945e24ed94d3d408dc8d1287b737dc05f1cc847b31d44e1947d82d04bda384884af4780257610713385f786af20fa4eb9839eed4852
-
Filesize
560B
MD52ba4bde25169e892cda1e398f11a0145
SHA14180db197af2369686353e68be875b8a6820d5e8
SHA25662924d17ef4b51a099b5b3a899ffe54c9558233a3fc90d9f34c5c126fc861559
SHA5126cbeca10fbbe4da46fa622391cb1fa33dde02445a7af6e1d706c9a0a1b4aed2b357b7058aeb00d6b34b7e68a6344fd38934a3ca376e755f21371cc41e705eeae
-
Filesize
416B
MD50d91228add7f99c6a8b1a3f051fb5d59
SHA1bc74a2e503cd6baebe73f71ad8e0970dd5505dd8
SHA256dc88860d7240aabee9517a08f08bc0256f66aa769caf2cbf2e07b6f8f8529a46
SHA512a086074291d3a87a21fb4ac8f0b9da48e3dbb3ab2c364427f2099c20a1200aa902d16f22b54aa0068e24563eb01d3f6a8975196ffe87449dcd8e04c90838d630
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
5KB
MD5d74e6ee7839f8c3fa934b771ac19685e
SHA1399579cda90483c2da44b4f86495d1f29b8ddcb8
SHA256ea0a44827e5998f9296870fb204fc78355332279a30ef3af8afc52c7e01398ec
SHA5121be39e672439ed63fc98b75f0a64a217860570913a30a828c56c8674d45c4d547ddbc7e86b4e214c2415a7752232049c368ff0abdf291c8b2f65fc89563b22bd
-
Filesize
6KB
MD59021e22a85fbe3a2352fb626c4ca3919
SHA1291395ad56b8edf32443565b4a86792161732f64
SHA2567896adfc0c42beed9ffa494f793b21e1569e40def02d85cc7fe9705eaf73174c
SHA512b01fc8f8ebb2953eb5dd113498ecdcfbe186a9a817fc39f9d9ee534d6f3cfef8560b76281f85aff6b8cf170bb51c0a2903a9362ab2ee82444709e82597033551
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD55b2ce38ee4a393d0bb364fa2522b0be2
SHA17a6e64961234533436c379f497fd87c01eb4c3d2
SHA2565b492bf38941ad0a87e297db0686ce75ddf0808d3390b5872712213edaf8940c
SHA512696835629e28be977986ab58b1fb86123687b0c5f12388db8414a28b789e4770006dd8cc59bad59996740c955a49f4f3c9bc5632e25942cabb7b6359803dcd36
-
Filesize
77KB
MD58a7e2add364e120ba042f778c25cbc88
SHA13f3f4888df65f59959a3841bb468081c785c9598
SHA2565f982cfb496f0872ebcc5d76607728126d74cc1e07c535759a81fa02a504149e
SHA512ec3b19a17eb64cb09d72393eada5e58eaf66ccbe0d4359008d2932beefbcff92afdfb8ce49686162ebdeb8c2bdc719f0be165d339ba0e6b223a1f0092b0a1cc0
-
Filesize
47KB
MD5126c20db9f2f23d0865ba4aca8679f64
SHA1229e53dabbba1d1cba56d07b471a3585e56cbaef
SHA2562a43d2d2e094033c6050eac2fa1c94424fc227281e3a9a4c9dd731dbcc916521
SHA512437b0e6e7daad2857e0b5b87edcd17e877163ad8632c1417e252d6edd01cba29698d2325bb61aca759feac3ebef70d50ef88886be6fb52fa1055ce3ce5c9c571
-
Filesize
74KB
MD564a65328430017cdb266b3fa0352bf25
SHA16e030e3cc6cd487be0d2d134be974ff9d705e2b9
SHA2561136536d8a333be6b737b5dda06e11217023f3dab795a5a5d89b2785c0fa2ba2
SHA51220ef505a70e4448bf63d97ce73ac9b7049d8882d3e09043bb5af11e6b372980b47fa2304e42f5d1ac9ea790c37da2eaa5f1fc0153574f69fa0c362f3682f5d09
-
Filesize
3KB
MD59dfc75037c8deccc2f1840b249b17750
SHA1ee37e409cfe2b124e63f98f1797aec0330204b82
SHA256b5680fd682b7f64e577492c097c825e4a5a00baa82a8668f478640c5f8918da1
SHA51225e9f3546af040f3cf782b4d6c511517ac0c95cfff8b3afec407c5917427f3129c92495f95873fb67ad928a9c7ef234508ecc9ffd8835da260d8fd1e64ead16e
-
Filesize
608KB
MD56a1dd1d327f60aee8509df877c8dc38c
SHA1a2246029749e47a2532b016f80f5132f431e712f
SHA2563e7affe327ebbf84f56bccd753c86122e0a1f0e8bf941547bfbcec775ab3ab94
SHA512c29b9159c1bcb40db1a29cb3d91fc46e5b633db5e09ef52e8996a1d0e9900c153e6b68a7da680747215dbf0b03d34a1259fd17b90da01ff7c45cf1c4abedeaf3
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
