Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24/11/2024, 20:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
Resource
win7-20241010-en
windows7-x64
23 signatures
150 seconds
Behavioral task
behavioral2
Sample
97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
26 signatures
150 seconds
General
-
Target
97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe
-
Size
376KB
-
MD5
97020660b63757de9c0e8ad51eed9acf
-
SHA1
bc75b2b04ec8591829a69a7634698c2d7ff406b5
-
SHA256
9c5feadf74c3a5ce0b40d5402f0f1ded6aea80b517c016a179b02f38a22aa489
-
SHA512
a6cc6b7c7c8d16419b826affc813ea5cff9501133c5bc386217fa686c35906404a937630bdbcdee193273e5c22872f891e1a40d332393480c8d684ea8bec0f67
-
SSDEEP
6144:ie3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:iY5hMfqwTsTKcmTV5kINEx+d
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+lkufq.txt
Family
teslacrypt
Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8AE376AEAF8819AF
2. http://kkd47eh4hdjshb5t.angortra.at/8AE376AEAF8819AF
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/8AE376AEAF8819AF
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/8AE376AEAF8819AF
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8AE376AEAF8819AF
http://kkd47eh4hdjshb5t.angortra.at/8AE376AEAF8819AF
http://ytrest84y5i456hghadefdsd.pontogrot.com/8AE376AEAF8819AF
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/8AE376AEAF8819AF
URLs
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/8AE376AEAF8819AF
http://kkd47eh4hdjshb5t.angortra.at/8AE376AEAF8819AF
http://ytrest84y5i456hghadefdsd.pontogrot.com/8AE376AEAF8819AF
http://xlowfznrg4wf7dli.ONION/8AE376AEAF8819AF
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (376) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 1716 cmd.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+lkufq.txt qmmhrexicrfa.exe -
Executes dropped EXE 2 IoCs
pid Process 2756 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aqortkbfkyug = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\qmmhrexicrfa.exe\"" qmmhrexicrfa.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2332 set thread context of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2756 set thread context of 2580 2756 qmmhrexicrfa.exe 35 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Media Player\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\en-US\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\Internet Explorer\en-US\eula.rtf qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jre7\lib\deploy\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jre7\lib\management\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows NT\Accessories\fr-FR\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\en-US\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css qmmhrexicrfa.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Internet Explorer\it-IT\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\RSSFeeds.js qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\keystore\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\RSSFeeds.css qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg qmmhrexicrfa.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\highDpiImageSwap.js qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png qmmhrexicrfa.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\Recovery+lkufq.txt qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Journal\es-ES\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\Recovery+lkufq.html qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Photo Viewer\fr-FR\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png qmmhrexicrfa.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\Recovery+lkufq.png qmmhrexicrfa.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png qmmhrexicrfa.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\qmmhrexicrfa.exe 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe File opened for modification C:\Windows\qmmhrexicrfa.exe 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qmmhrexicrfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qmmhrexicrfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A1AB321-AAA2-11EF-9358-7ACF20914AD0} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2792 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe 2580 qmmhrexicrfa.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeDebugPrivilege 2700 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe Token: SeDebugPrivilege 2580 qmmhrexicrfa.exe Token: SeIncreaseQuotaPrivilege 520 WMIC.exe Token: SeSecurityPrivilege 520 WMIC.exe Token: SeTakeOwnershipPrivilege 520 WMIC.exe Token: SeLoadDriverPrivilege 520 WMIC.exe Token: SeSystemProfilePrivilege 520 WMIC.exe Token: SeSystemtimePrivilege 520 WMIC.exe Token: SeProfSingleProcessPrivilege 520 WMIC.exe Token: SeIncBasePriorityPrivilege 520 WMIC.exe Token: SeCreatePagefilePrivilege 520 WMIC.exe Token: SeBackupPrivilege 520 WMIC.exe Token: SeRestorePrivilege 520 WMIC.exe Token: SeShutdownPrivilege 520 WMIC.exe Token: SeDebugPrivilege 520 WMIC.exe Token: SeSystemEnvironmentPrivilege 520 WMIC.exe Token: SeRemoteShutdownPrivilege 520 WMIC.exe Token: SeUndockPrivilege 520 WMIC.exe Token: SeManageVolumePrivilege 520 WMIC.exe Token: 33 520 WMIC.exe Token: 34 520 WMIC.exe Token: 35 520 WMIC.exe Token: SeIncreaseQuotaPrivilege 1160 WMIC.exe Token: SeSecurityPrivilege 1160 WMIC.exe Token: SeTakeOwnershipPrivilege 1160 WMIC.exe Token: SeLoadDriverPrivilege 1160 WMIC.exe Token: SeSystemProfilePrivilege 1160 WMIC.exe Token: SeSystemtimePrivilege 1160 WMIC.exe Token: SeProfSingleProcessPrivilege 1160 WMIC.exe Token: SeIncBasePriorityPrivilege 1160 WMIC.exe Token: SeCreatePagefilePrivilege 1160 WMIC.exe Token: SeBackupPrivilege 1160 WMIC.exe Token: SeRestorePrivilege 1160 WMIC.exe Token: SeShutdownPrivilege 1160 WMIC.exe Token: SeDebugPrivilege 1160 WMIC.exe Token: SeSystemEnvironmentPrivilege 1160 WMIC.exe Token: SeRemoteShutdownPrivilege 1160 WMIC.exe Token: SeUndockPrivilege 1160 WMIC.exe Token: SeManageVolumePrivilege 1160 WMIC.exe Token: 33 1160 WMIC.exe Token: 34 1160 WMIC.exe Token: 35 1160 WMIC.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2500 iexplore.exe 3048 DllHost.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2500 iexplore.exe 2500 iexplore.exe 3016 IEXPLORE.EXE 3016 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 50 IoCs
description pid Process procid_target PID 2332 wrote to memory of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2332 wrote to memory of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2332 wrote to memory of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2332 wrote to memory of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2332 wrote to memory of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2332 wrote to memory of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2332 wrote to memory of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2332 wrote to memory of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2332 wrote to memory of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2332 wrote to memory of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2332 wrote to memory of 2700 2332 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 31 PID 2700 wrote to memory of 2756 2700 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 32 PID 2700 wrote to memory of 2756 2700 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 32 PID 2700 wrote to memory of 2756 2700 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 32 PID 2700 wrote to memory of 2756 2700 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 32 PID 2700 wrote to memory of 1716 2700 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 33 PID 2700 wrote to memory of 1716 2700 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 33 PID 2700 wrote to memory of 1716 2700 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 33 PID 2700 wrote to memory of 1716 2700 97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe 33 PID 2756 wrote to memory of 2580 2756 qmmhrexicrfa.exe 35 PID 2756 wrote to memory of 2580 2756 qmmhrexicrfa.exe 35 PID 2756 wrote to memory of 2580 2756 qmmhrexicrfa.exe 35 PID 2756 wrote to memory of 2580 2756 qmmhrexicrfa.exe 35 PID 2756 wrote to memory of 2580 2756 qmmhrexicrfa.exe 35 PID 2756 wrote to memory of 2580 2756 qmmhrexicrfa.exe 35 PID 2756 wrote to memory of 2580 2756 qmmhrexicrfa.exe 35 PID 2756 wrote to memory of 2580 2756 qmmhrexicrfa.exe 35 PID 2756 wrote to memory of 2580 2756 qmmhrexicrfa.exe 35 PID 2756 wrote to memory of 2580 2756 qmmhrexicrfa.exe 35 PID 2756 wrote to memory of 2580 2756 qmmhrexicrfa.exe 35 PID 2580 wrote to memory of 520 2580 qmmhrexicrfa.exe 36 PID 2580 wrote to memory of 520 2580 qmmhrexicrfa.exe 36 PID 2580 wrote to memory of 520 2580 qmmhrexicrfa.exe 36 PID 2580 wrote to memory of 520 2580 qmmhrexicrfa.exe 36 PID 2580 wrote to memory of 2792 2580 qmmhrexicrfa.exe 41 PID 2580 wrote to memory of 2792 2580 qmmhrexicrfa.exe 41 PID 2580 wrote to memory of 2792 2580 qmmhrexicrfa.exe 41 PID 2580 wrote to memory of 2792 2580 qmmhrexicrfa.exe 41 PID 2580 wrote to memory of 2500 2580 qmmhrexicrfa.exe 42 PID 2580 wrote to memory of 2500 2580 qmmhrexicrfa.exe 42 PID 2580 wrote to memory of 2500 2580 qmmhrexicrfa.exe 42 PID 2580 wrote to memory of 2500 2580 qmmhrexicrfa.exe 42 PID 2500 wrote to memory of 3016 2500 iexplore.exe 44 PID 2500 wrote to memory of 3016 2500 iexplore.exe 44 PID 2500 wrote to memory of 3016 2500 iexplore.exe 44 PID 2500 wrote to memory of 3016 2500 iexplore.exe 44 PID 2580 wrote to memory of 1160 2580 qmmhrexicrfa.exe 45 PID 2580 wrote to memory of 1160 2580 qmmhrexicrfa.exe 45 PID 2580 wrote to memory of 1160 2580 qmmhrexicrfa.exe 45 PID 2580 wrote to memory of 1160 2580 qmmhrexicrfa.exe 45 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qmmhrexicrfa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" qmmhrexicrfa.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\97020660b63757de9c0e8ad51eed9acf_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\qmmhrexicrfa.exeC:\Windows\qmmhrexicrfa.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\qmmhrexicrfa.exeC:\Windows\qmmhrexicrfa.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2580 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:520
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2792
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3016
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\970206~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:1716
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:3048
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD56dc89e3c0232db39b91d65ef7e532975
SHA12396cb673fb8b6e1c4f9645dc2b711d755e7706f
SHA2568eb1573d8b82d58373055eefbf75cab91d981303391b308825f07b7b110e085d
SHA512be18893ba0154ece3a79f1381fe113216c936343515fd8d09472178b742cbfb6d060ff4c4055eb27d9181273ee786430787e151cc6cd90bd4e4a2b068dd7f42d
-
Filesize
62KB
MD5bb0e2d6a5f15fe1204e6f50aa36e7998
SHA109bdc94d1f69ca5a64ccd6de28e8c674f5bfbf04
SHA2563e36e7feea99505ef32836e950ae267307c07480909fabb8d56d97331825a7a6
SHA51240a6d0a5795111baa6c256c5eb7c981325eed4afd1f2e79e6e385c5e3c77906ed89b25a1fb21ad3120e205d3a79f996c6f269d6059ebaab8393c4869090d087f
-
Filesize
1KB
MD55d1f2ea046005b65d9234993a6774c3b
SHA178fb553e9dfbe546ea4aa8fcaf5f3af392f4a122
SHA256edb60010385fa8b21e1fec7a4abc1a24e519326050d2c41f0fe8c6b935528d7a
SHA51291e8b8aa88d20fefdeaa7754ccb5345d8a726c8149d2c273b4850966df819ab631a4cef208a84b923458d03015747d10b112a92486de4c30c31c5072ddaec2c9
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize11KB
MD5e981f95180129c56ec2febb7deb3a392
SHA1c0dd59f7ccbbece54c11f9e21965bc4ec7df3241
SHA256fe87b995c152e89efa9f38d2cc8f5c3097e40757738c5d6c87ee6226b836e6d1
SHA512012c56885575284fb57e94bfa22af2dd22eb12df95e62ddee939732acc200b8479a38aaee452502e159846eb61b630c94023f190090785186d95b491fda9c7cc
-
Filesize
109KB
MD57924574fe8e396b6fee492b51320ec29
SHA1f2d65d5792d6b58ea4d8e6f8748841e493493740
SHA25668846a92794fb0497c6fd74dac83c052b89c174f4a776e63a3870f1f99fef261
SHA512748d696922b324a1b0f0e4c8253589b76d6964f02249b503a6963479fae60948b0a3a03899257963da9178e7db1d898058f2fa3ecd96b509bc15b70faa134b50
-
Filesize
173KB
MD58a58869f52d4c415993fe65891f468aa
SHA15bee6acd572f342681d98a0b3dad0b2cfaf84fa3
SHA25635a8b6f866b8412fbeb32bfd32803710bb6a24dd854c9c5a3bff7dcf0fc164d4
SHA5124baed40ee009d887721036b7f6ddbb7f437f1cf11c959ad5db1eec02feb8a5ebbafa367fe4ca7aa47c467aa8c52300f29a82b77d7a9b566ccb8fada1fbf17845
-
Filesize
376KB
MD597020660b63757de9c0e8ad51eed9acf
SHA1bc75b2b04ec8591829a69a7634698c2d7ff406b5
SHA2569c5feadf74c3a5ce0b40d5402f0f1ded6aea80b517c016a179b02f38a22aa489
SHA512a6cc6b7c7c8d16419b826affc813ea5cff9501133c5bc386217fa686c35906404a937630bdbcdee193273e5c22872f891e1a40d332393480c8d684ea8bec0f67
