Analysis
  max time kernel: 146s
  max time network: 154s
  platform: windows7_x64
  resource: win7-20241010-en
  resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted: 26-11-2024 04:05

Static task: static1

Behavioral task: behavioral1
  Sample: 9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
  Target: 9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe
  Size: 376KB
  MD5: 9fb86c5050cc496dcdc3f53ee2c59069
  SHA1: ee358c3adca4413b6c30b146a8b33b70a230b3c7
  SHA256: a5643944606ce1fc7025ba988e0186ab8d37a44af5efd077a8934e36a41d8624
  SHA512: ecc5f28fe85343e1574112323e2f35853b49290100d450e5a4ca708c16f07018b5ae82be70bb5408d0e92183344c12d3612a9198fa7c641f61f8a5f6c536f21d
  SSDEEP: 6144:Ee3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:EY5hMfqwTsTKcmTV5kINEx+d
Malware Config
  Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+tsbmu.txt
  Family: teslacrypt
  URLs:
    http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2F5261AE59F53530
    http://kkd47eh4hdjshb5t.angortra.at/2F5261AE59F53530
    http://ytrest84y5i456hghadefdsd.pontogrot.com/2F5261AE59F53530
    http://xlowfznrg4wf7dli.ONION/2F5261AE59F53530
Signatures

TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.

Teslacrypt family

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Renames multiple (387) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Deletes itself (1 IoCs)
  pid   Process
  1936  cmd.exe
Drops startup file (6 IoCs)
  Process: kewjbrwyumnu.exe
    File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+tsbmu.txt
    File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+tsbmu.html
    File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+tsbmu.png
    File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+tsbmu.txt
    File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+tsbmu.html
    File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+tsbmu.png

Executes dropped EXE (2 IoCs)
  pid   Process
  2624  kewjbrwyumnu.exe
  2148  kewjbrwyumnu.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: kewjbrwyumnu.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\yjifmouvcgkv = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\kewjbrwyumnu.exe\""

Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of SetThreadContext (2 IoCs)
  pid   target pid   Process                                              procid_target
  2484  2736         9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe   30
  2624  2148         kewjbrwyumnu.exe                                     34
Drops file in Program Files directory (64 IoCs)
  Process: kewjbrwyumnu.exe
Drops file in Windows directory (2 IoCs)
  Process: 9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe
    File created C:\Windows\kewjbrwyumnu.exe
    File opened for modification C:\Windows\kewjbrwyumnu.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (each opened key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
    9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe
    9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe
    kewjbrwyumnu.exe
    cmd.exe
    kewjbrwyumnu.exe
    NOTEPAD.EXE
    DllHost.exe
    IEXPLORE.EXE
Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
  All keys below are relative to \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer
    Key created IETld\LowMic                                            iexplore.exe
    Key created LowRegistry                                             iexplore.exe
    Key created LowRegistry\DontShowMeThisDialogAgain                   iexplore.exe
    Key created Main\WindowsSearch                                      iexplore.exe
    Set value (str) Main\FullScreen = "no"                              iexplore.exe
    Key created Recovery\PendingRecovery                                iexplore.exe
    Key created BrowserEmulation\LowMic                                 iexplore.exe
    Set value (int) Main\CompatibilityFlags = "0"                       iexplore.exe
    Key created GPU                                                     iexplore.exe
    Key created PageSetup                                               iexplore.exe
    Key created Zoom                                                    iexplore.exe
    Set value (int) Recovery\AdminActive\{0E352FD1-ABAC-11EF-BFDF-52AA2C275983} = "0"   iexplore.exe
    Set value (str) Main\WindowsSearch\Version = "WS not running"       iexplore.exe
    Set value (int) Recovery\PendingRecovery\AdminActive = "0"          iexplore.exe
    Key created IntelliForms                                            iexplore.exe
    Key created InternetRegistry                                        iexplore.exe
    Key created LowRegistry\DOMStorage                                  iexplore.exe
    Key created Toolbar                                                 iexplore.exe
    Key created Toolbar\WebBrowser                                      iexplore.exe
    Key created Recovery\AdminActive                                    iexplore.exe
    Key created Main                                                    IEXPLORE.EXE
    Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   iexplore.exe
    Key created Main                                                    iexplore.exe
    Set value (int) Recovery\PendingRecovery\AdminActive = "1"          iexplore.exe
Opens file in notepad (likely ransom note) (1 IoCs)
  pid   Process
  1544  NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2148  kewjbrwyumnu.exe   (64 identical entries)

Suspicious use of AdjustPrivilegeToken (42 IoCs)
  pid   Process                                              Token
  2736  9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe   SeDebugPrivilege
  2148  kewjbrwyumnu.exe                                     SeDebugPrivilege
  2708  WMIC.exe                                             20 tokens, listed below
  912   WMIC.exe                                             20 tokens, listed below
  Tokens enabled by each WMIC.exe instance: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2216  iexplore.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2216  iexplore.exe   (2 entries)
  3056  IEXPLORE.EXE   (2 entries)

Suspicious use of WriteProcessMemory (50 IoCs)
  pid   target pid   Process                                              procid_target   entries
  2484  2736         9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe   30              11
  2736  2624         9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe   31              4
  2736  1936         9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe   32              4
  2624  2148         kewjbrwyumnu.exe                                     34              11
  2148  2708         kewjbrwyumnu.exe                                     35              4
  2148  1544         kewjbrwyumnu.exe                                     40              4
  2148  2216         kewjbrwyumnu.exe                                     41              4
  2216  3056         iexplore.exe                                         43              4
  2148  912          kewjbrwyumnu.exe                                     44              4

System policy modification (1 TTPs, 2 IoCs)
  Process: kewjbrwyumnu.exe
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
Processes

[1] C:\Users\Admin\AppData\Local\Temp\9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe (PID 2484)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe (PID 2736)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\kewjbrwyumnu.exe (PID 2624)
        cmdline: C:\Windows\kewjbrwyumnu.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\kewjbrwyumnu.exe (PID 2148)
          cmdline: C:\Windows\kewjbrwyumnu.exe
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

        [5] C:\Windows\System32\wbem\WMIC.exe (PID 2708)
            cmdline: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\NOTEPAD.EXE (PID 1544)
            cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            - System Location Discovery: System Language Discovery
            - Opens file in notepad (likely ransom note)

        [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 2216)
            cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3056)
              cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2216 CREDAT:275457 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx

        [5] C:\Windows\System32\wbem\WMIC.exe (PID 912)
            cmdline: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 1936)
        cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\9FB86C~1.EXE
        - Deletes itself
        - System Location Discovery: System Language Discovery

[1] C:\Windows\SysWOW64\DllHost.exe (PID 2916)
    cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Credential Access
    Credentials from Password Stores (1)
      Credentials from Web Browsers (1)
    Unsecured Credentials (1)
      Credentials In Files (1)
Downloads