Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29/11/2024, 18:04
Static task
static1
Behavioral task
behavioral1
Sample
b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe
-
Size
831KB
-
MD5
b2f294347754b834dfa0798a7f80dc89
-
SHA1
a62a785570f2302af02fa981a279afcb371c7d49
-
SHA256
f911d9fe94c6aa35874faa758432168c6846c24b010e8f351f874ac6830c2a2d
-
SHA512
4e5195423198d4ea5f1742e9ded4598153a1a40ae1df65796cd457c75ffdeb433cebf85d6fcc5b527d2d2409487104386ad6073e071e6843d712f05c114a265d
-
SSDEEP
24576:htVEx77FqKymt0pA+zuk4Bce6nonkZI98UWcPUIX:vk7FcmwA+zF4WXoR98A
Malware Config
Extracted
djvu
http://astdg.top/fhsgtsspen6/get.php
-
extension
.reqg
-
offline_id
ioYmb0jtMMtue7xjmkS3WQWGWLR8FTQhb2giQtt1
-
payload_url
http://securebiz.org/dl/build2.exe
http://astdg.top/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-jTbSQT8ApY Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0324gDrgo
Signatures
-
Detected Djvu ransomware 16 IoCs
resource yara_rule behavioral2/memory/3672-2-0x0000000000B30000-0x0000000000C4B000-memory.dmp family_djvu behavioral2/memory/3980-3-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3980-4-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3980-5-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3980-6-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3980-21-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1652-29-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1652-27-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/1652-26-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3208-36-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3208-43-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3208-44-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3208-49-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3208-48-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3208-46-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3208-351-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Djvu family
-
Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 3208 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2592 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\41a18433-b16f-45d0-a8d4-7eab04f345be\\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe\" --AutoStart" b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.2ip.ua 4 api.2ip.ua 48 api.2ip.ua -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 3672 set thread context of 3980 3672 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 85 PID 1472 set thread context of 1652 1472 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 91 PID 1188 set thread context of 3208 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 113 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 872 1652 WerFault.exe 91 -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3980 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 3980 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 3208 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 3208 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 3208 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 3208 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 3672 wrote to memory of 3980 3672 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 85 PID 3672 wrote to memory of 3980 3672 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 85 PID 3672 wrote to memory of 3980 3672 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 85 PID 3672 wrote to memory of 3980 3672 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 85 PID 3672 wrote to memory of 3980 3672 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 85 PID 3672 wrote to memory of 3980 3672 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 85 PID 3672 wrote to memory of 3980 3672 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 85 PID 3672 wrote to memory of 3980 3672 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 85 PID 3672 wrote to memory of 3980 3672 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 85 PID 3672 wrote to memory of 3980 3672 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 85 PID 3980 wrote to memory of 2592 3980 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 87 PID 3980 wrote to memory of 2592 3980 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 87 PID 3980 wrote to memory of 2592 3980 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 87 PID 3980 wrote to memory of 1472 3980 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 88 PID 3980 wrote to memory of 1472 3980 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 88 PID 3980 wrote to memory of 1472 3980 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 88 PID 1472 wrote to memory of 1652 1472 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 91 PID 1472 wrote to memory of 1652 1472 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 91 PID 1472 wrote to memory of 1652 1472 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 91 PID 1472 wrote to memory of 1652 1472 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 91 PID 1472 wrote to memory of 1652 1472 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 91 PID 1472 wrote to memory of 1652 1472 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 91 PID 1472 wrote to memory of 1652 1472 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 91 PID 1472 wrote to memory of 1652 1472 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 91 PID 1472 wrote to memory of 1652 1472 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 91 PID 1472 wrote to memory of 1652 1472 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 91 PID 1188 wrote to memory of 3208 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 113 PID 1188 wrote to memory of 3208 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 113 PID 1188 wrote to memory of 3208 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 113 PID 1188 wrote to memory of 3208 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 113 PID 1188 wrote to memory of 3208 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 113 PID 1188 wrote to memory of 3208 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 113 PID 1188 wrote to memory of 3208 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 113 PID 1188 wrote to memory of 3208 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 113 PID 1188 wrote to memory of 3208 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 113 PID 1188 wrote to memory of 3208 1188 b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2592
-
-
C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask4⤵
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 5725⤵
- Program crash
PID:872
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1652 -ip 16521⤵PID:3536
-
C:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exeC:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe --Task1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exeC:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe --Task2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3208
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD567e486b2f148a3fca863728242b6273e
SHA1452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD5af07af546da358f5c2944c628c7161ab
SHA19c89cbe9d3b6ad827e1e74805ef4c7881fc026e9
SHA256a00f5931cd2666a25850b9dea18242f7a64ce2866b443c858aac38c18315cd26
SHA512e5f3cfade8373b00a2f5c30f66728967242f2825cdc09a512ceb0ec9752ae65dedab035264f30945acf38ae9aea75d93f59bcdaf26704294aa8fb5aff78c56ed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD5c1291351ccc7724b4e3b7ec9b066dc96
SHA157086b3ad21bb07586b58f4002ff9491442e4682
SHA2563650a74da89e0622d8103958f3a607a24496c1d599d84631d4f991564c4aabcc
SHA512e13b9d0b19553e7d58f89b8516c2d707cb0ce446b126d1dde969acd305e49a467a3e56cb6c6c31f587a0888a7c5051ae92875fd202ef517bedcf56f3d57b1a42
-
C:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe
Filesize831KB
MD5b2f294347754b834dfa0798a7f80dc89
SHA1a62a785570f2302af02fa981a279afcb371c7d49
SHA256f911d9fe94c6aa35874faa758432168c6846c24b010e8f351f874ac6830c2a2d
SHA5124e5195423198d4ea5f1742e9ded4598153a1a40ae1df65796cd457c75ffdeb433cebf85d6fcc5b527d2d2409487104386ad6073e071e6843d712f05c114a265d