Analysis
-
max time kernel
139s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 05:43
General
-
Target
77f9f38aff6772904e5cb6ff14a7abe5_JaffaCakes118.exe
-
Size
428KB
-
MD5
77f9f38aff6772904e5cb6ff14a7abe5
-
SHA1
948101647975f44217414a8a8110b2a5d9e4cddf
-
SHA256
05884e3e77892db6e9ae3af788003e5265aa2336cd655ac4c81b98e3242ff04c
-
SHA512
6fdec7bcdeaa9fed3de2708265e0861622d003fd6d83ff1d5d8ad4ae1cbae7da6c9f2356ea74fd93df2736156703b6c883a10ffd39b79d27c87ef587dc53703b
-
SSDEEP
6144:YS61KBLwidWQW0StEYurSyTheRmfu3pUlzwgaa9rSoXbftChXW3AxfulDGgB:YSxvdk0DtrSmeRh3pUGlahbblCJxfS6
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_RECoVERY_+hjhcm.txt
teslacrypt
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/DCB5A5CE6EFBD776
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/DCB5A5CE6EFBD776
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/DCB5A5CE6EFBD776
http://xlowfznrg4wf7dli.ONION/DCB5A5CE6EFBD776
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (862) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\77f9f38aff6772904e5cb6ff14a7abe5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\77f9f38aff6772904e5cb6ff14a7abe5_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\cjnakbtbgtpa.exeC:\Windows\cjnakbtbgtpa.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcddd46f8,0x7ffdcddd4708,0x7ffdcddd47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6195990801754748509,14968637260527073512,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6195990801754748509,14968637260527073512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6195990801754748509,14968637260527073512,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6195990801754748509,14968637260527073512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6195990801754748509,14968637260527073512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6195990801754748509,14968637260527073512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6195990801754748509,14968637260527073512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6195990801754748509,14968637260527073512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6195990801754748509,14968637260527073512,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6195990801754748509,14968637260527073512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6195990801754748509,14968637260527073512,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:14⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CJNAKB~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\77F9F3~1.EXE2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5b18856152ce964e1c498f864b63e10e0
SHA116474b1fcabb469ad7ab8dce09b5ada2154b66f5
SHA256618636514e3dee5385a0831a70baecec659b5faaf20e3af7f6eead7c5dfb45f5
SHA512b00fc34ce4b8f38113b4e714fe2453bffb2bd9bbf8ffc6404706e6104ea46a81ec82f1af8a29b06f298c6a7c2bbed138aea28c2fd44c26f08167b03d11e030b9
-
Filesize
64KB
MD5e6e91360f96f0036ea993debbe937d72
SHA176d721b4596ca36b6c00f501b0679298c1a1b611
SHA25607a01d8586e4caf5d5e03bb0d2b7b09b3654040cb3efeaad486ae5b64b4ff32d
SHA512cf253a35644b05536fec73e7d5262ca7d4ba27d89891bf710660195299052fe8eef9ce4a07f6294977ab8eee0505761ceb215168d056c9833cca9f777e957211
-
Filesize
1KB
MD5367ea1077443ce870dceeb9c0041d301
SHA1b9d4c1638be9647cd6572f7c8dcb18ec5040dfc1
SHA2566f7de4dedbf456788e012b97b3ddfc40b95c8e409c7aa74b5ffde59b393eb356
SHA512bef7d5799f0aed6689e33cebacdceb5287c599227150d6c3221b40f6d040335e38410ea66de55798304e388d7ab993edc366deff0b84c31b8c7b30ce6ed78b39
-
Filesize
560B
MD5c1d34696992a2a42971ed67aec5251bc
SHA115b20c1cb8b91855fe3ec97dfb085684d280bcdb
SHA256b51dfbbc46595495306fb4f4bbfbd1d97b40294a2eff1039fe90efaa457b5298
SHA512d11a219716757feec33b936cb04bf49c004b82fecc5b46dc9f3a21ba78a0c66bbb0f89e7e93599afd4b3a5158d50fcc81f8326ac062506ada51b9dae291c88f6
-
Filesize
560B
MD587b3159755737584693a26412afe710d
SHA18510c1283c61b1d7966f57d23cb3c7cd9faa7c15
SHA256723b12bb990328c8107ee814d633236dd04c8bc24904025e1950ded4232b6ec5
SHA512b600b5f606a02e1ffdeff781c50448ef79765836068cf6d5aa80281a0023647bb5961ed2788d56b5dc8b37b55effdceb353b9626e6b1b62e3a0b338d9e9de876
-
Filesize
416B
MD50267a38469f3125cc39200726102b7e3
SHA16cbe64f765020bd0a213577f9d24af5fecbb0ae3
SHA256dfd7378ef172ca0b51f089ac2d4f8ed46be11bd8dbc2b02a82b2477f79eff5c0
SHA51224b64988d7caca105e2ca6b8ce36cb8b68d8f34ba4e7d2cfa07941b6bbcc24c349e9fd73589bdfdcfb1c0af57e1a70ba6ace276d994512206c149b3d1bee6d06
-
Filesize
152B
MD5d22073dea53e79d9b824f27ac5e9813e
SHA16d8a7281241248431a1571e6ddc55798b01fa961
SHA25686713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA51297152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
-
Filesize
152B
MD5bffcefacce25cd03f3d5c9446ddb903d
SHA18923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA25623e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
-
Filesize
5KB
MD5e66dd6eb9a001c0db573c5f67f6b122c
SHA1642589d8c2e9c2ac237b4b4555dc16e45888a177
SHA256b31f967aaadd44af377448f56476722a0abf4b60577eaf26e3629ba30621df28
SHA512cb499a673381529c46833e46bf21290e7a64ca650ce909187ba6b81e3625908630bf8498e703db57793bfca5e1ef0970ea015ebd8f247c7ca178a63c12050c79
-
Filesize
6KB
MD5c387fae5034b9cd9a1196732dff84682
SHA1f22d6e91b3857b0c7d415bdfc98d033856d5368a
SHA2560b76cce3b2ea609cb879d560705c8a4c8a2e33f34a5abde035190681484c558f
SHA512e17e31a602417224dbc36c6e936e9f82cedbca45bbc1b71b8d80b008942ec168078d8cd82cb11a622c69af6c50a8f4591d98c32571894e1164c8495fb8cc8c68
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5373cc8cc1a88f63f5eba50c604e8d9b5
SHA1942bd140d83d1a1082a9c0422f30119bc9703823
SHA2560407950eeb03288a5db6fabc832896aea65c7decef6e7af842a87198adfe9c06
SHA51229f973dfee89d18f9d4ab18e18f310d342827da47c2ac3bf5cece41acf965a7e05380f871447be95fd04d51e6aadb8784dcae6bdc837bb182e30967a3451b9b8
-
Filesize
77KB
MD57aa3d307c3dfb1d769d1adc050d8be39
SHA125a3f7d0d7d6aae1d0c6dcfdc7a9d38b4e9987b4
SHA2566df66c9054d39565968d4b6b0eb060205a02bf9fd3ed3efc2445bbc28e180687
SHA512df31272aa01287c5722ed9763b6ddf446b33bfa669c54209497ce104f7b78a2590995a33a1059fa248328790eefb40c4fae1f976f2110be3dc2c45e73204b2ac
-
Filesize
47KB
MD5ba41d964976942ef0e43baaeaba9fa7a
SHA1b3ea94aa079f7cbbb4034cbc660d667a29271c48
SHA256170a0581b9a166bec0442544e1e2f62f7b19916aea399fc0abe4c55297ade9c2
SHA5124eca989cc0fecc6f80138108dabc61c89eeb48b938e2d83a35aa830306732b7886f532a550723158f1f740e307ce885c4154ec9192087d235eb4c66587a496ed
-
Filesize
74KB
MD5a837cc917ddff3acce22b19cf758b54e
SHA12b7a93e9b71fad5eb75a1de52e712751c815ceac
SHA2566e39ceb8b39003bf41a7805c8666e5596420bd89b46551c5f73a300cbbaebc27
SHA5128713d30cf28340357d1804eb859eec64313fdcd089e30f38062a716ca0012e9dc99cc2888e0b4a6355d57e65e95268f1ccb3fc6020d70e75c80470b7ef6ebf92
-
Filesize
428KB
MD577f9f38aff6772904e5cb6ff14a7abe5
SHA1948101647975f44217414a8a8110b2a5d9e4cddf
SHA25605884e3e77892db6e9ae3af788003e5265aa2336cd655ac4c81b98e3242ff04c
SHA5126fdec7bcdeaa9fed3de2708265e0861622d003fd6d83ff1d5d8ad4ae1cbae7da6c9f2356ea74fd93df2736156703b6c883a10ffd39b79d27c87ef587dc53703b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
532KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
532KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
696KB
