Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27-11-2024 04:32
General
-
Target
a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe
-
Size
336KB
-
MD5
a5eb9cf3b138e8466071ec20a6722b5c
-
SHA1
5b8db28fdc2e40fd67b3de164eb9d904122e5cef
-
SHA256
ea7be43ae12bab3a5c3e00a568f3b3564c9225a056960048eda72f9f8f9f690e
-
SHA512
499af2dfd9997cd737ebdd758d7c84e36084d5db5cf1f2eb032fd496b549e808303eb73275e9ddf378e966972c1ddbab03174ba5b9b97fd4c75c2ba1e5d14a24
-
SSDEEP
6144:81w0U6D6x4kyjf+g0uc2RTqWmx7Ikw9NShXvSmk2OpXaP/EBySkQ4:8i0Uu6ikyjcuk5y0hXaxpKkB
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+mxjho.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/6FCD24062A01422
http://tes543berda73i48fsdfsd.keratadze.at/6FCD24062A01422
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6FCD24062A01422
http://xlowfznrg4wf7dli.ONION/6FCD24062A01422
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (416) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a5eb9cf3b138e8466071ec20a6722b5c_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\afypgrntrrsh.exeC:\Windows\afypgrntrrsh.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\afypgrntrrsh.exeC:\Windows\afypgrntrrsh.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\AFYPGR~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\A5EB9C~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD56019c1af521e5fbd4bfce2fb247d8795
SHA116f1a331740077e77d7d13257b53c061f711113c
SHA256e9e8f74891cab73fe0d2aa03444c35720732a83a1fbc35b8ff499cbd8a24a505
SHA51291fce75e6ac973028dad83b6e7faa909c6bbdcb5cf4ef0bd6420f8fb287d061bed08aeeb38a704b99c11a281585c56e4df018e4c6cd94f6c7a177bf037ba08cd
-
Filesize
62KB
MD53c25d8cd5e8de32bef756f11f72b57cd
SHA19cc116fb050534d1a2dff206583d26001bc59f48
SHA256afcda42d3bd94856d4909f39dda9a4963af9ddda188f64215db525b602132f53
SHA512f845a1d775fd9cd906f2f0d5f80e528e78b03e810ac9d6176f7c98c827c1f78ed2de8b270f0311d766fd390f74a213d410977d1ce59864db5db4ac7e6df8f140
-
Filesize
1KB
MD571dbfece37fa1588ab68f9ac373754de
SHA18ab2d68afbb191a51019aad75ce4c59a15fb9a4f
SHA2563d4c81f6dfee34c0dc523ef2efabcddb3635d17b171cb0dc04fb4d2adaac8db4
SHA51268fca142aae4c0e39c8129b4d91b8644419cf162f724be7f546e7f43be8f1438e3256d5f2b38f4a2729c6568c0e522dcaf92b3a4b9e5b8155db8767c7d012a00
-
Filesize
11KB
MD542f31fa488520de3e85aefd2151bcd0d
SHA17fed662fefe8fdd7a73d4cb023c066cc07224864
SHA2567c122795f83e321245c695e721623eb03e54643bd214a1b5063fc90b0b28a2f2
SHA512743b679efbb0bcaa79b877088d6576926eb89bf7360e83ac8c2837b7c4ddbf2aec1533f3328f46c2694551a69e51a4beb943e83e557f9cf60ed9bafbcdd03f36
-
Filesize
109KB
MD521e5c1673ca1d0f97f7ca480f786bdcc
SHA1cd44c497f88caf725b623229d9604402cd170b1b
SHA2563a2385949a34a5083ebc61ce028468a2851ef9761b63aac2c4a0122adbdd62bd
SHA5129eba75ce853e60e56af0cb3aa4ce339e0956382316c62745bfdb8e8886254aaf7407f10d9937d11043797f19d7dbb76e52e28ad4b5c2001a562ed2e2c86bffff
-
Filesize
173KB
MD549164f43fdea8f663989552c30c1c6df
SHA195602227ebbe8e9e8e6f5c85173fd75c0d66a487
SHA256bc44e80051e4e71416c5dd4908ca5cb44aeb15f3fcbb2648d12213d2deba7853
SHA51283d1e65cd3d2ae343c8ba53de8875194d78a1f509e5a88f1d10f01a2474d1635d5c632a6739c58c690fc01befc7c6a3eaf1be15eca6fe1d466e1df838c506a2d
-
Filesize
342B
MD517dd0d7c81ee66dd1ba0d8906d03815c
SHA1ef1c26fa0dd6e5b79e52baf7eb2e5381a9682675
SHA256eb48d3d4663435a244d6d6007d634c98151a94ca5a0975a113651d007e0878e3
SHA51228395a9c3846efa3ec77163b7f07b23f98461c84bf08014ea1d5e273eb8d2c4913f703962765862083372c2aef118c8c10c6cb45ea571f4f1a19f433e7927c72
-
Filesize
342B
MD5e67604f206d00a970ba271d72274a0af
SHA13218a6cdb480929f60ceb0819af56ca26302c4e8
SHA256bdbe35abb652337fba338e0edb75399f3d286662fb8e905c287c53b911d8a4b1
SHA512e7f01c1761a065ba70898aa9baa682bd57b8720dc15d5d552e28001933432bda1c81f4458e8dc6a33ed860ee361507c490e7876e7f074e7544fc0cdd99383b44
-
Filesize
342B
MD5884f3db5aa7ccbf47256717a419c143f
SHA1effeddbd7dccb18f8c3de5f4dae4902b58cbed9a
SHA256c2d3a0960e6524aa258ec2ed11827fc700ef1e6b555ee3754ef3629e919fa300
SHA5120e5985b1b5ef1328ce655317ed0b9c2c412ebdeac5f934218fc9a9d7c79f2ccec1633de8112bf36f17ed84ed13ecd721d981c4c372fba065f7fa15fe91370280
-
Filesize
342B
MD5642144df745f9afe6020f9a4ed33ff3e
SHA10cd88b1e82929bc9aba516c6a3586a1470389262
SHA256deeddb102b470387a6c0e8912a792ab5cce3b4d6afacda1376ef4ccdcb3a2ff0
SHA512e28eb83929a0ee6da87f3b6f607cb9d8de0ae92c6852e59bf97f1012d0e8e4f802008e8c4ecd89f5750fd297c5e3c04a8fca391a4772df46fe3100d1fc531187
-
Filesize
342B
MD52a55f35e65f1a00796de8854a357acc1
SHA15090663f15ac2cdfd441e792a63a6e6a78f0b37f
SHA2569a1ba4c40d831aef10a061893844f8f93543cdda25ff882ef35dc1df48103275
SHA512834e3f23e1a55bdcee0135532a59f06fe6b479bb0afdcfb34f4c628a2c2a13a881feac4c99b089572e9c1173734c4393d4350a83fb8b1b60e06ad2517d67a14b
-
Filesize
342B
MD5bfd10b819165422f8ccbffae8ce13992
SHA197076f864fe457225e8135cdd4f10b669b5c8215
SHA25630796b9234d8c27f34420c258b5483e94a2d36ac8f3bab9fe5f9969207be96dd
SHA5121ad03f6a36617b6feac08bbb9242e06389ad018df03233c69fc7abc339f5407394675be3ea36e737f3ca8f552378e5cbd92acda285a4c338009236804bd12879
-
Filesize
342B
MD5b604d8668fa94532a9ba816500dcaaa6
SHA1751936d15a6b610e82410d999567d2ac69d6f451
SHA2568fc0dfc663128b537ad40fe63d2df14db9d0ab60d667d9f74b2bcba7aa3e19f3
SHA51266076de885daa48847e7c67b71f50e72349266f02854043f87720ba7a36b5f4f784fd1aaa0420999415ce09b2c20c2587619f414fa6478189d7f98811f5b0f41
-
Filesize
342B
MD51e2ab2a2e0fd93d5434e30895f95dc75
SHA1ff6949229defbc73b84022844120950dce861b93
SHA256824a7802abac9930bf5c28f49ed0532ed69d3195702735f2052d87a54093fc8f
SHA512a336223e711c45b82d10dca8e424d3556c160f2aa5eddf334451ee9e67d8d694c3f562783bfdd12cb37bad07a295b42e756139d4f43d9ed20cc00dbf3500ca41
-
Filesize
342B
MD5f9ce5666129d49b679700b08ccb855dd
SHA1012def08a487de088ae9dc71fb46773906c85e22
SHA256cab69f08a1fe81d3b7a5e9cbd9d63f26fa5d16f1bb463dbb8f14d0e9f4fe9268
SHA512776b539522c10bd36012ba8457df2dc112bbf4ec748bd442ee29ab886a640507c10f88d265815c189f8e17e7047d58058a8556780cc5f85cda4d8bbea75f6dae
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
336KB
MD5a5eb9cf3b138e8466071ec20a6722b5c
SHA15b8db28fdc2e40fd67b3de164eb9d904122e5cef
SHA256ea7be43ae12bab3a5c3e00a568f3b3564c9225a056960048eda72f9f8f9f690e
SHA512499af2dfd9997cd737ebdd758d7c84e36084d5db5cf1f2eb032fd496b549e808303eb73275e9ddf378e966972c1ddbab03174ba5b9b97fd4c75c2ba1e5d14a24
-
Filesize
8KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
8KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
4KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
3.3MB
