Analysis
-
max time kernel
145s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-10-2024 20:26
General
-
Target
6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe
-
Size
340KB
-
MD5
6bcc066e2a81f34c7e052895001f44c6
-
SHA1
6f892ec0287ace1c4c7c86e3945b44de6c9d3ba8
-
SHA256
39a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc
-
SHA512
b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c
-
SSDEEP
6144:2//b5dx5w2hahQGvPmZ8n0SylbvO+MeTHLlj9HhRbr3ET4b7ODRJT0luqig:SddvwdhHvPmZiyIXgLl3ZoMq4wO
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+vtfwp.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/CF511D6BC291FBC
http://tes543berda73i48fsdfsd.keratadze.at/CF511D6BC291FBC
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/CF511D6BC291FBC
http://xlowfznrg4wf7dli.ONION/CF511D6BC291FBC
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (866) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6bcc066e2a81f34c7e052895001f44c6_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\vsebfsdrlbup.exeC:\Windows\vsebfsdrlbup.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\vsebfsdrlbup.exeC:\Windows\vsebfsdrlbup.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe56e746f8,0x7ffe56e74708,0x7ffe56e747186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11906337424592112924,8009102294996541082,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,11906337424592112924,8009102294996541082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,11906337424592112924,8009102294996541082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11906337424592112924,8009102294996541082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11906337424592112924,8009102294996541082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11906337424592112924,8009102294996541082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11906337424592112924,8009102294996541082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11906337424592112924,8009102294996541082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11906337424592112924,8009102294996541082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11906337424592112924,8009102294996541082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11906337424592112924,8009102294996541082,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\VSEBFS~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\6BCC06~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5abb8013efa8ac6a582a0760e9baa0276
SHA18accd3d823b1dc1cfcc072d0ab726b05a553b1a1
SHA256793b1c1ae36507ff9afb3572e86c0ec2bce37f9ac240e3c7ba92ca5b5e3a46cd
SHA51240ab4df3d8d6ee60d8a7bed6bcd737fb0ae7a43d304ec919d49df821b984af3b6691821594e694c54308d5f2f6154269ec68bd44a48ba3fe21d621a17268c89f
-
Filesize
62KB
MD5033da1cae97dd300caf3af2b713554ed
SHA1c0c413835da2f1c8bf1d8edc4afd58df7551ea16
SHA256a4d8129734d5b3ba6154ccdc53a4a907c40577797d3644e8a854104951fd8e8e
SHA5127b62358f1c74638b4893415f963359e7384bfd4bbdd4911acdb5d8f2d3c1d90390a325343d9274d3dee51c91eec5a9906e13a9dbf7dd0ebf045dd300d856eaf4
-
Filesize
1KB
MD549e7058dda3bfe195a0b584f336c4b55
SHA13e380ba34862388c7f0e9326065d7622f3b9df64
SHA2563159d6100465b3a1a2be2a621cefe7b05a603723b15727329ddf1a4e0afce1a2
SHA512bafdbe0d9c98495798eb84572c4e6b4a0baf2dc17f1a4da4f544c51a4eb33f9188af0bf016d4c727d745687daca67a3515169ed143293e4c9e9f9fc9297055d0
-
Filesize
560B
MD5b67011e84abab4dbfc6257bb56c24433
SHA1be16cb16e81b5a35a8b35fd5abfd04398df71405
SHA2563592f9771aa25dbeee615c8f9f9febafddab057ba292dadef36f02f4558cc5f8
SHA5122c2275a26dc14497efd3da65f5f25d82b13454cece9295694f76463c702936c3695da8198f2365a45dc8a158bc47a4124e3d0bcbc1310d3ef5d552b028bc1815
-
Filesize
560B
MD58d2a461213e5092c95ba02f7e8c2680a
SHA19515149d19990e047c9866604d072dc0e1b475e7
SHA256a7475a2907da9bb91bb8d5ca45da4b609af0792dda322c31bf3146ba32a2f9a8
SHA512a8d17a8d345fa69084f296df822a1ddc43e840335548e2df35c543ce5038f725fd055ba5df44ba6932140cfed4216f168ad4fee28e60f8438ea015bfb538ccc4
-
Filesize
416B
MD5512806dfec0a9c5e6c7b47058854433c
SHA168cf186c842707beef318a1d63ab51aae9d8cb64
SHA256ea09cfc6bd7690554223cb83adc13258733edb00209a1a31b8cee6e5f2f2592a
SHA512a0c6fc9a9252324002c3b68b496bed9097f6af70e9c997386c77139f91eba03c299d478587cf50f79f26152f027a515648f2c28c35caee56fe61dc285c80c4d6
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
5KB
MD5cec5b88e0fcee9e4ff063108173efe9a
SHA1c3d5ca4db0f51d4ef60d02240382c033ef8fabf1
SHA256ccbd088226c845dce7325b57881cc2365101f8821c517d1b22fbaf103869431d
SHA512c2c54ed31ff61b0851822d32cbb4424a7f0b31daee2be286b97b967d60cfb1df91a57facbc98ef2b71a3866e4040b2f1c69cd77a9c12eae25e5486002f780531
-
Filesize
6KB
MD52c853bd3b89c3cf0de483e4b865f7695
SHA1882d179d570b6945cabcb0b8db703d147f865aab
SHA2565dc6717c00945df0dc762ab62dc323c377ad003369849c14ce732def68c107e0
SHA5129b8c74a8453cc88a140414bcf20e018f213854725510e71e883b42bef92892d209ddbef53ccd2c5f2e644ec809d81653027bb8858d97ff4d0a779727c32d2a84
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5c94ca0035ed0bd4c32797eadf06b2a7e
SHA1c0fe30d5dc85c1fcaaba327d856c1d9c93d5cd6f
SHA2565328b0ed830a071aa05793b0683a159ed881579a855b7a802f2795bfada09324
SHA5124c1c27d31fdf07f728b048cfbce2d538aa05baf9311420199b3668566724f6f5807d9d306eba685472f6e4da3b74339e224ab01aa595dd87586c53ff23b938bf
-
Filesize
77KB
MD5099336c9ed429f6462669b922654c98b
SHA15a4fb401f49d0cdadc45333d5405b849a6034985
SHA256861cd91bea573f7ad14140f9ab4bf72269a04b798a52ca52cddb142dbae15e95
SHA512d9e76c74f427bacc33d3b8f0802d633e6a59caf3c367e9f4b9bd20c847971f00d7c1caab6765168f49e35b3b2353b54fcb10e968dbe07c5cef8745f99010089b
-
Filesize
47KB
MD53083bc7b00f175352b88a7279b65521f
SHA1e1fd69156003bb22b606e00f51b2c56f21a74084
SHA2564f04b3f1b8ec9f24fc3466e5dc9ef87b655e7e891f0544b2ee4604dc890e1221
SHA51275d24017578569c7c2e5db6d57728cfabf8c454b24d72106eda374257d57c89e74e9b54b14b79b51571f05870020f4294d879ac33dc86ea2faa25bc9404928ee
-
Filesize
74KB
MD5653e31b325d4768e5f40e335f8172066
SHA18f35366ab518fdc6f24463ec9cbe55d5cfad0281
SHA256ad0f2acc69a79a8785d09601329d94877eeba13f943f6cd30b475a728ee2c01f
SHA51247ce551bed878f778fdd55613ef1d7766b03c4c5da7d158db95004888543b4ee9ec76416b31fbc68484beda63c3c76089b1971316b3e2fff3b5ae77bc6cdb772
-
Filesize
340KB
MD56bcc066e2a81f34c7e052895001f44c6
SHA16f892ec0287ace1c4c7c86e3945b44de6c9d3ba8
SHA25639a70938288eacf5eab1002150cb06a8299475ad6064fb131aa6e9118c66b4bc
SHA512b11b924dfda23d28019879acbd790778049f4f711134b0003967408b28532544745d12081a9da538f9ecd84f3791b621d3d9c1b4a62699b22d7c56274a1f9f2c
-
Filesize
1.5MB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
