341435c117881a0bf2a791134c4708c1b21ad208b1bdd1fc86db0c6e0f7575c3

General

Target

9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe
Size

315KB
MD5

9e66aa1e09ea99b1b50a6b1e1e0d8460
SHA1

2a96fcdaffff4d100750ef82b4398ab0039cece8
SHA256

341435c117881a0bf2a791134c4708c1b21ad208b1bdd1fc86db0c6e0f7575c3
SHA512

76101c106048a5a7fa8b5768863160a7d849ae5233f47d0f5d061739a82b783b5a5fc1eebd382b88f983d5167f745bc8e4d5891648d93c3312fb8990e96f5bc8
SSDEEP

6144:WmK7MifvmpPYBdJEm3OaPHXLJRfyA+hrmHIIzAEK:V3iKQd3OW3LHKAumHbAEK

Score

9^/10

collection defense_evasion discovery evasion execution impact persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	explorer.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\owujanwk = "\"C:\\Windows\\elysacyf.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipecho.net
Suspicious use of SetThreadContext 1 IoCs

Processes:

9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe

description pid process target process

PID 3032 set thread context of 1452 3032 9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe explorer.exe
Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\elysacyf.exe explorer.exe
File created C:\Windows\elysacyf.exe explorer.exe

flow	ioc
5	ipecho.net

description	pid	process	target process
PID 3032 set thread context of 1452	3032	9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe	explorer.exe

description	ioc	process
File opened for modification	C:\Windows\elysacyf.exe	explorer.exe
File created	C:\Windows\elysacyf.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exevssadmin.exe9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2976 vssadmin.exe

pid	process
2976	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2788 vssvc.exe
Token: SeRestorePrivilege 2788 vssvc.exe
Token: SeAuditPrivilege 2788 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2788	vssvc.exe
Token: SeRestorePrivilege	2788	vssvc.exe
Token: SeAuditPrivilege	2788	vssvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 3032 wrote to memory of 1452	3032	9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe	explorer.exe
PID 3032 wrote to memory of 1452	3032	9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe	explorer.exe
PID 3032 wrote to memory of 1452	3032	9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe	explorer.exe
PID 3032 wrote to memory of 1452	3032	9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe	explorer.exe
PID 3032 wrote to memory of 1452	3032	9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe	explorer.exe
PID 1452 wrote to memory of 2976	1452	explorer.exe	vssadmin.exe
PID 1452 wrote to memory of 2976	1452	explorer.exe	vssadmin.exe
PID 1452 wrote to memory of 2976	1452	explorer.exe	vssadmin.exe
PID 1452 wrote to memory of 2976	1452	explorer.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

C:\Users\Admin\AppData\Local\Temp\9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9e66aa1e09ea99b1b50a6b1e1e0d8460_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\system32\explorer.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer Phishing Filter
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:1452
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Direct Volume Access

1

T1006

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

2

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\yrozusybanowydap\01000000

Filesize
315KB

MD5
c029362316cd0fd9244031eb703585d8

SHA1
17d804bee755483233a9b762af32ac6a293c9ff2

SHA256
321597925041af93bcd86fe35f95e6e50d22eb0ec6031c1f1a87328f3576f34e

SHA512
5db3c11c7db4d8282f959275eda6f27849dce75c6463af393ff88b281da44dd603ace864e172c763bee8afde801a23c1237f4bb120629190a9805dc8b02653f1

Download Submit
memory/1452-2-0x00000000001A0000-0x0000000000216000-memory.dmp

Filesize
472KB

Download
memory/1452-1-0x00000000001A0000-0x0000000000216000-memory.dmp

Filesize
472KB

Download
memory/1452-4-0x00000000001A0000-0x0000000000216000-memory.dmp

Filesize
472KB

Download
memory/1452-10-0x00000000001A0000-0x0000000000216000-memory.dmp

Filesize
472KB

Download
memory/1452-15-0x00000000001A0000-0x0000000000216000-memory.dmp

Filesize
472KB

Download
memory/1452-17-0x00000000001A0000-0x0000000000216000-memory.dmp

Filesize
472KB

Download
memory/1452-21-0x00000000001A0000-0x0000000000216000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads