Analysis
-
max time kernel
148s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26/11/2024, 04:05
General
-
Target
9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe
-
Size
376KB
-
MD5
9fb86c5050cc496dcdc3f53ee2c59069
-
SHA1
ee358c3adca4413b6c30b146a8b33b70a230b3c7
-
SHA256
a5643944606ce1fc7025ba988e0186ab8d37a44af5efd077a8934e36a41d8624
-
SHA512
ecc5f28fe85343e1574112323e2f35853b49290100d450e5a4ca708c16f07018b5ae82be70bb5408d0e92183344c12d3612a9198fa7c641f61f8a5f6c536f21d
-
SSDEEP
6144:Ee3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:EY5hMfqwTsTKcmTV5kINEx+d
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+xrpqt.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/2964EA59E1532652
http://kkd47eh4hdjshb5t.angortra.at/2964EA59E1532652
http://ytrest84y5i456hghadefdsd.pontogrot.com/2964EA59E1532652
http://xlowfznrg4wf7dli.ONION/2964EA59E1532652
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (866) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9fb86c5050cc496dcdc3f53ee2c59069_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\cgoiwkgjwxbe.exeC:\Windows\cgoiwkgjwxbe.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\cgoiwkgjwxbe.exeC:\Windows\cgoiwkgjwxbe.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7f5e46f8,0x7ffc7f5e4708,0x7ffc7f5e47186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,11787612001323602316,14782453029693105477,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,11787612001323602316,14782453029693105477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,11787612001323602316,14782453029693105477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11787612001323602316,14782453029693105477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11787612001323602316,14782453029693105477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,11787612001323602316,14782453029693105477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,11787612001323602316,14782453029693105477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11787612001323602316,14782453029693105477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11787612001323602316,14782453029693105477,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11787612001323602316,14782453029693105477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11787612001323602316,14782453029693105477,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CGOIWK~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\9FB86C~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5c3f41987e225b282f36b8a51eb06919f
SHA1f69ad0b0ffb442ee35ff24cf3984d1f5e4a569bb
SHA256028a0be2453fac400f949c6452daebc0518b42035ff3f173b4ee6057952267cd
SHA512769bfdef7981c04cc7a3fb4927962f78bad106fbd0f84b05e1101a865b74a0ea2660d8a26ce3b4567562810e7690e1a57af088bbe26c83da7ff41f2bb023f220
-
Filesize
63KB
MD50078a3a1b5da948bed8f78c8f74c1b38
SHA1b63b1280227899be857b370e3930b571c811fd52
SHA256e2a488a725732d8e95c5d17d90b685c3df16f5ccaaceceb9292b394465075e5f
SHA51229fbb153a43101314d4f6bc01cbaa96c06ea64cb21a3b5f2bf36ded2597407e647d494f785b349833cedea6a384b474218c6412fea14a7bb9a4ea04596b085ee
-
Filesize
1KB
MD5a79f406b48b075985fe054a6b71109f0
SHA1a4271b2d7331b4986a4c737cbaa1424c2024b1b6
SHA2561b9c718bbb547e677623f0b8e0e1eb31350cbfd3c17322afb2e967dd7c1f4021
SHA512fe9e1abcc8c9edd88e9db8958c32dc23d68d1948f084ca59949fbf836f969430bb46939efff8f9ace9457107feb02311355b8f7440296ee819426ebec0bef194
-
Filesize
560B
MD5f32997d1a8849565f5050187ed24df9f
SHA18c63e55be1567e45d015e5a6b9ca5eb022d4bf6f
SHA25643b07512e61ec8509efb612b054d865aad446d728d1287266fdb633a7f3c471b
SHA5127d4bfeb787cff5fd66d93fdf5610d66336f0eba977dd4812b68e2e0e74afa3313a86de0c8080a9fe83915706b112fb3e97fb2b9428d4055cd2f1993e1fad8692
-
Filesize
560B
MD5a938999d5c9cf840ce01a55a98a977a8
SHA1353c970d979fb99a6c1790469a5409076a67ff47
SHA256f0252396ed6e4444c6835c179cf652fce4601bf22780392e430a488a75ebe044
SHA512ded8203bb64d20912d56ed371c52ea76ceb9f787d4eca2cf9e6b6b6791f81f9114bd423118d28394eccd867c61573cf13123357baeffe0c4b1b79ac7e6899891
-
Filesize
416B
MD53e064d3e8bf2b1a7008c6b04eeca5d73
SHA1e16a75a3b56801a3a1d2eac55435a3804b3cab9b
SHA2566d61af6f10ea396cf2ab653bf43027986c771332b9f3df75142cc907437f9fe7
SHA51268f94f84bf12d8b405f8ceaee798948b06b7ed521e8cced911e8a70d9827d0389ba14d71eec091898164831c6bec1bc4b42271701f1576ec5075c1f691ace6b9
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
5KB
MD538b3f23eb5e02f0f8d65e86358b6df25
SHA1e39e8ae6a749cd165c995633dcc81ad1a3380eec
SHA256da36b5a4d5bea00d0f31b5eddb0e0be79ff442578c352fb5e0d9595b2fff52a4
SHA512780549c38921c85c955682b185d372992cc9fe2bf04f4312a38c4e4b3f59bb4c26295a250c7602fd4557a9d72bb6576397a13e86e7c85a637f22a5f2296801b9
-
Filesize
6KB
MD5f426fa866fcf3863b67b9dd12b44fce1
SHA148651535e02d5610a7a3cc18a25d00c3a0bc5312
SHA2565c87f060304fb8beda9152988b7b712aece1d0cb6683d7777475a7f653594772
SHA5126c222b164199454b01c89caea2b24d20efd6edc95877bb2a266c10c725d12dcc78c435fdc2a11578fca6a8a074a42282de2ae3171b1c975bc820fd2268ff5ad3
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD533c8fc816b30201d1c23130773635d56
SHA1c310ccb1ed17d606f837d32f2ff1df8c9e8d1956
SHA2562e33695b7b95cc13600adfcf73ab26a2f255a275c9c7d00b6ef3ddb3621cd451
SHA512f09a7e5119a44ee4b2f31c76080a007852a6f85948af4ac4879ea49c493e37d037f2a269fa87ea5fae5e122dcec5e72d1c84058a79cc3b0eca88d9d04f5e1ae7
-
Filesize
77KB
MD57f059c10499d8a783e3caa9809346aab
SHA1e351ef2f7ed1a0cd3f9274129070a4c0c6cb4539
SHA2561bb4f818bdd7f442163dd1d9d5180532e361a4d4a6282b1e1843638ff5ba5d3e
SHA512b7263c9be9f606d7278323af40121c9d683bf6f3b9eb722ef9149dcb2a9b23ab4fb4218580da27d5569619bf58a79220ff8393fb441008929b01e33c4cd9cdb6
-
Filesize
47KB
MD5b16c39abd00924409b40e85e87c21634
SHA13879e31866c21e4a75b95aec8acdfa8af1eb9761
SHA256c420eb0ea299e8c736fc7adcca76b8fe096c3fc6baa9b2c0d6f4fc7d09d7a0d6
SHA512f3997fce55621256df7742cabeb359a68734b08e19f4a3a9238f2de6c92f99fb0ba3adcebd3fa50b45789cccad6d683076cd0d68e62fab38f0c9a1635e377e48
-
Filesize
74KB
MD5cba4a6cb406c94dd89300d9f41c3adc3
SHA1168069869add15ff0998814f0ef94eafd27e9078
SHA256b922f90998c15cfd4de6f6eb5cee274d502fa9322c7eb88938c4f4694c1a93ab
SHA512144686c8a269a85ef5b7d90d8e233f4f1a66164ab2d2bfae2ed45906eb851b9704dc04e197da2137e88aab5811d65efb63be0c3376e6f36e533e9dc424ff055a
-
Filesize
376KB
MD59fb86c5050cc496dcdc3f53ee2c59069
SHA1ee358c3adca4413b6c30b146a8b33b70a230b3c7
SHA256a5643944606ce1fc7025ba988e0186ab8d37a44af5efd077a8934e36a41d8624
SHA512ecc5f28fe85343e1574112323e2f35853b49290100d450e5a4ca708c16f07018b5ae82be70bb5408d0e92183344c12d3612a9198fa7c641f61f8a5f6c536f21d
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
1.9MB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
