Analysis
-
max time kernel
138s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
26-11-2024 14:43
General
-
Target
a27f11228b7c12fce6557da4f406d55b_JaffaCakes118.exe
-
Size
504KB
-
MD5
a27f11228b7c12fce6557da4f406d55b
-
SHA1
e62c6607244af642e62fbd220ff95ab8f5bf7d5a
-
SHA256
9e7c7af6833c51a346fba9007bd55f00aed8e8e60d0512ce84aae1d38d731e37
-
SHA512
14e8c40dfd2a8ea6a9764189e0f6b6a9cd3ab0f69a7f3167227f6e1425085718effbdb0bca7b57b7e15b5845edd3dd7fb3e62acc47320631653c80687e97e861
-
SSDEEP
6144:ofDdhH7Yshky2p5zrCFTYCiCA//aYyjLJtSIJOZudtJj5:ob7H7YsWJzrWTy//qZJcgHt
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# HELP DECRYPT #.txt
http://4kqd3hmqgptupi3p.249isv.bid/DC74-4B3F-9D44-005C-965A
http://4kqd3hmqgptupi3p.f0jlbj.bid/DC74-4B3F-9D44-005C-965A
http://4kqd3hmqgptupi3p.gg4dgp.bid/DC74-4B3F-9D44-005C-965A
http://4kqd3hmqgptupi3p.whmykv.bid/DC74-4B3F-9D44-005C-965A
http://4kqd3hmqgptupi3p.onion.to/DC74-4B3F-9D44-005C-965A
http://4kqd3hmqgptupi3p.onion/DC74-4B3F-9D44-005C-965A
Extracted
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# HELP DECRYPT #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Contacts a large (524) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 61 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a27f11228b7c12fce6557da4f406d55b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a27f11228b7c12fce6557da4f406d55b_JaffaCakes118.exe"1⤵
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# HELP DECRYPT #.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:537601 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# HELP DECRYPT #.txt2⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im "a27f11228b7c12fce6557da4f406d55b_JaffaCakes118.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5941⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD5580b320cf875fb5e648811788556bdec
SHA1271c2e0f8b447aa0c8554cffb568e649640347da
SHA256385083288a8c6ceecb7f88bffd3930bb89d1c247a1ecfa36cd9e645c65ada587
SHA5126501e6626d78f506bcd3884c133acaac7473345a2dcc3f19a78ad6606201a57f6339da86d70971e1c883a5f858bf2a22580eb910ee4be8ae2fed6ff229d227a9
-
Filesize
10KB
MD590202cabb02112812202897186c52da4
SHA1928fafb40bac536319dfc12fd2e2f8b0c86f6ebd
SHA256c7094de5411d52af4a010c67e475b73c9b4f972231f348a21c53d9b00db6bce4
SHA5126918b28245353dc5c67a11fcfd2d787728f2dc5de63c12ab92b436e628593c11f9aab92477e73f25327f658acc9080c2ed85a43fa462cd4c2984220bcb271678
-
Filesize
90B
MD5b2a7f1d027841d59a4f2aa53338c1b17
SHA1c60dd010c891ee9f3af99e09f40e7641f4822f8a
SHA256bf7a43403d8f19592914069eac50c7a9b6e9bac6e1784e5f856df5118ee0f78b
SHA512b92763756757cacedad855064e2be007589a8deae506bfec2fe03e3bd9af441dfc77bd7fc0d1312ff971023e678622a8ccc27c90c4f019da41c96bfa58d6f0a1
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD55431d2fce2828fa366767d62424fb305
SHA15cc2c23f51b5fd4f5c9fff1894215ed180593dc5
SHA2569facd7bb614000fc4771f9dcf42e8290485a6c4cb20e7b3dce2bf4267a92fa7d
SHA5126219a83a1bc4526ed1593e2a3f4c3fe654dbb2f64cf0cbc18158e2cdbdf3039bfdc7a2663704703fdaf176284eea8bf6f60c265d0f636e5bb06477bc590c71c5
-
Filesize
342B
MD59e12013cba42aa7159ee39945efb6489
SHA12b1f03a828a84483342b20e826c1ceba90725c2c
SHA25660b47e482d4b66e320d39b2757d74b436b7c22f258fb6e43fa91b8dcb03f45e3
SHA5122b76d9c336dcc1298266827cd412b5ea90345e1251bd3511ad3026bcfbd1fd52d5c6b6ae09d598123e4e1d6be82e4857d0ad009748df8ab15e70402dffd86140
-
Filesize
342B
MD5e77117ea9e40350dc76effd4bd2e553a
SHA12fa131d42dfabe71cac3af0c9de79ad6f420ca1e
SHA25666e5bd181c307dae58eb4fbfad9a0cea66cc3b706033bf8a4f5bf950e2a412e0
SHA5121a9206e04ed398bce6c4a7a9d6795c5f613d7482f333fa0d28fc99bb3ee2705ee2976a36f425a8d4808208147c875a6774232a55ee06fcf0a50336195776e69a
-
Filesize
342B
MD5e277ce9c083ff95c47341901c045f827
SHA1d92aa563945fc01229e065da34c3ec0c1439bc98
SHA2565ac2fdd3d01e036898b985054a2261c8e8d16e021ca881a7b04240278d804973
SHA51239b2eed45e720772726af3d5dce2cf3eacca576ea61fe83abaadfd6d81badf43fc9bfbfbe25fbd36a51f570016b7a2492671e996f9a265090f1d99d3faa80d59
-
Filesize
342B
MD5c59fb4ec9a941c1160d5bf36e6358243
SHA173dec031600949b9e691ff2a17ca79c6faa843c0
SHA2567d7b164ee1223d7ad2d8f0772cf6b52b0bc5a1b175b846b9bbfaf5a5800bbf4d
SHA51207eb7b976b2a23f7531848073c8d51431a358423b9c4444cadffd6554eb4ff3eb1456d36fbd1fd2a75e823145111770dc930559744f74a68779b17f232a49ee2
-
Filesize
342B
MD5895b283bf2dfaed2093d6d52f951ff56
SHA1922dd0adb3f97c6221ffb182f6839974c753d608
SHA2563949a1678ed39a88188aae770c330e9448235a371bb29db93561f0b4b4291b57
SHA51291d0d77ab1f79e1ed891052522205980d1d8d98ffb96adc260a3ccfb0e02de4ec125a2a4c65fd87bad465b6eb9fd4a317042459046e265cf9a47c407b1315413
-
Filesize
342B
MD5c25b429a571a466427514b03ad12295b
SHA1da5f7794b0d5620a2ff2a9679ffdf18f5b52172a
SHA256aeb0f7e30fe7336debb16ecca5fb16ad698d435149d1def9c4fd5103876ed522
SHA512e38dc87cb96a738ae59f5b328bff99e117965e547316d18fec9209465f13fe7baffd72d590cd6a0dd33d5dc88328b024c2b16623dce7d5f923604cecca9e7cf5
-
Filesize
342B
MD544b61318c5b11194b73aad383651139e
SHA10221512ae00c100706517a44be54f26e052fa41a
SHA256f90360087208560a19dfaeeb776edee6f018ccbe56116147d8fe6dd7dcb66f41
SHA512d752ec3afaa934f1500f895ac5e67b5ccb6350a06c1de0068e070b5284ba322e71af336a8b5262140b4884312849880a91815460424a27067b459e887aa3aef2
-
Filesize
342B
MD51e199c27b667cbef2ad5d688a043da6c
SHA1d6762424ca88e1f6367a4ff119a124e6d3f6d24e
SHA256f07a7a52264dc4ff0e2b919c735216a8e1a161a5fef9f4db40b0bac1b9180f7e
SHA51211c515258de72554a8375788e8567f3cba04017ad09d36ffb16b563d2e3ffd143f75bf5bed2d5fd33a82f4db8faf7dc10b6e280bba3be5badc728e9788b17859
-
Filesize
342B
MD5a92169c3b2a06168c55b16bb2196e614
SHA17d752614793b62e024df5a5985f4ee675d39da23
SHA256c4c18ac611d066a6c61087e80acae31f1f6bb4ae7d69686de2934262f50dd65f
SHA5124380c45d3df893c834191dbe0ccdae932b7aad81d57a93ec339a70d354173a61be954cf96140d752c7b4295f62c0895c8af37d2ecaa860d021d1bc6944f0d978
-
Filesize
342B
MD57547a4b8d62df4fe008f535fffc87c14
SHA1b7abde978a087d0935def893b21be1b82cd6ab04
SHA256342a32a3cff66c0946b2af4c6690112734ebc541b1103602ceb9ba28b01b9d81
SHA512ac8324533a2ac4b01924616126ad08ab63a39d7683ad399b9622236c8d096b3c3e95af70c9717ed8dd0026d538c5cf9f8880806d6970a2cee4f7408a767a495d
-
Filesize
342B
MD53b021e4e88c1a74c0904418505b7c510
SHA14d33c555e7d0d58b09dcb32627ac131f8689f719
SHA25638cc6537fe87054fe33b8440a1253dc084fa60f5e6cd3047010b17da685ee96f
SHA512f534aee1231a8a39decab5019ccdc46642fab6296b6500f280597dbbaca189caab01d77629f8782a0b579c074ef5997344255189a697c48ba318944f3f5dbee5
-
Filesize
342B
MD57b0a2ecf2f0c5b19795efd9e9ff631da
SHA14eed60553340fca4c462e40ab22dbf6c4cf0c373
SHA25633fac661bc824795b4dbe5707b27d50b068ef615b4137b755abfb519558607ca
SHA51234a88885f08c37f0ee68510766d0a4d76345e132f384690da289b7aa252f9eba5ee2322c11d72e011d0efa7af754c7de502017913c458b49f56e58c900981c99
-
Filesize
342B
MD5038babd0705232b964039f56fd7651e8
SHA1614c5a2cfbcbc9c76ba24beeed2bc7ed641a5bc5
SHA2562837030a6991257240c5f8fb47e085853b61f57a0fb91062c1dfad50ec3662d0
SHA51270184901289ccc7eac14bed779eb98683a3ee8e1489e54524cf744d3f1629b76050046461d37ae54d1716c44376edb2634cf1d2e7001371ee6903485d77bc494
-
Filesize
342B
MD53594023913ca8e610433d322c621c4af
SHA1ff996b2fdaaa9aa579b23bac338f70dfb313d7c6
SHA256a660c919d6b32e7bcee2dbc1a59504426216b4f11dca0694ecc197e9f26abaaf
SHA512834393c3a350754583fad95a403c1e2af45385b51bdf3c618083208adc3f570fdee2b910e105f86c784812504974eaab91669bcd5d63ceda5a7fa52438f9b655
-
Filesize
342B
MD57c4bf20041b2d142edc785222966dfad
SHA12ba05f90230d26a467eadbcdc6991947a3dd1898
SHA256a0dee491e1526b9e91eeb878353e97c0ba7ed4ef95ffefc77438dae7ab50cfce
SHA512af4ff05f714a33e74981a91dbb86dd379b537626b617675fb7a13cad3028fe16030e7bb5be62f35c41b1c2f51c605e1ad2fec4b57b9b19209b14ea9ce89a2a39
-
Filesize
342B
MD581964e656a77488f1f5ff177ef784b7e
SHA1e53cf1c2710b552a9e4468ab967bb04e15a27f4c
SHA25678a3be6ca3c9319ccfd56f3981a5c1d8d8d798ea796284008a6e06010ece7186
SHA512a1a62883ee4f92061ff0f05317c6220f71d009cefbc8109c2e93f6fd23133c78a02f636b717945a6581919bf734565af1fa96f71dc7d75ca22e7d5a1c8a312e7
-
Filesize
342B
MD518ce01ed6ebd8fc020287157e98a1ef5
SHA18cf7b5158b247de3143d542f08d5d8a9ff4e9bd7
SHA2566179107df3f18c4430c57030c3c7d317233cb8fafbfdca97215d01ea65328828
SHA5125fc259644e9896979a0c191019366308dd845efa7ae0db536ce774dfae2f47402d5a7394b787733886e3ec6ca7ae378866063aa1a4eedfc51d4b8c24957a0611
-
Filesize
342B
MD56480fce9ecc92b3174392a88bfaf2326
SHA1caf6a9265600d5cce2f350f4e2eb7bc5c976f91c
SHA256bee22d58979e2bf75bc77b1152900a4b1d415ce1c5662b886e28f01a51486f1f
SHA512f30378cd159fe1c261e2f87b15f81fd8128b0c1d22b0598fa76b0eff8c3a041d784ef9d20c016005152a204fafd47edcb95f2cd4034e668ad4955ad3de5e4efe
-
Filesize
342B
MD531a851c77aa8ed9506df7613b34678b2
SHA1e4f044735e7a3210c96d3687b0c7153e2a694640
SHA256235cd63fe66fcc0c21ecf73a64754595d24f87ec9895b82b93677738f5f3cec3
SHA512d5ae351d98b64d7e7623a4c12719f7110a429ee2dfaf2ff487a92aaa47ebf753f5acd22d35b4bc46f9e4f7a6711dccc294bd5025c9ebe299a5e68e3697c54d71
-
Filesize
342B
MD507761237f66f2e6f2e04a4f4a58d244a
SHA1a88ffaeb08a68a0b8947c86786db0976c999bd8a
SHA256451b800e4ef5113e5cbc3ccc7fb3807c031cb224a1702ba1e9d2dd0f524d859e
SHA5125000a6bb0c0cbcd84bdc4d35f95c9c7464b3e7db06992641c1925d92adba94ef35a3089ec116ad4e8c959d44002106b120b36e9971eb6821f7159dd8bb61ce69
-
Filesize
342B
MD5f0cc37c4cbaacfc829fa5285f20e2673
SHA18397d4682044385459c4f0aef9e6527b7f2eedbb
SHA2562ef3232333d91b0907256c31e596c44d5449daa3e4a14f00c42b9092893f8bf5
SHA51244680bdc3753d5a856a579def54d0f968d9e64256911ed8aac1ea9afb75004b6214434ea4e10ad5cf3d5e8566861487db8d5cb794bc5cd3a9a5445dd826b229e
-
Filesize
242B
MD57e0aaa387f9f86df7c318fa4f7ae6330
SHA1dd42b10caf0fe1fe00c2db25711b4a6be64d02cd
SHA2560e8c0425ac4ac6a6d2dd2930e42f8bc39ad938f0aa726fcce885069894ec8541
SHA5126614d5ee3b564063496871ca6d01959738ba87b7acd22ad1b6994b80a1ef0e2897d09f434fc603e37be1ce1a0513083b79df4907b654de7122d18fd14b3a594a
-
Filesize
5KB
MD573f2d274a180d84766683903acf64206
SHA1da564665abb48d154ae636aef28b6708d28c139c
SHA256e442dae592b8391d35159b4b14c58d387f4b4ec1c3bcba17177ddb9369c959cf
SHA5122e41771460049513631cf1b13bf7fcfac2abd180f101a2dbee8b7ee17d145ec8f3c21ecf4fd8d68c7895aeccbb6faabb55589bf2f7af6170c6a37462a5ec431c
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
8KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
212KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB