
Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2024, 18:04

General

  • Target

    b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe

  • Size

    831KB

  • MD5

    b2f294347754b834dfa0798a7f80dc89

  • SHA1

    a62a785570f2302af02fa981a279afcb371c7d49

  • SHA256

    f911d9fe94c6aa35874faa758432168c6846c24b010e8f351f874ac6830c2a2d

  • SHA512

    4e5195423198d4ea5f1742e9ded4598153a1a40ae1df65796cd457c75ffdeb433cebf85d6fcc5b527d2d2409487104386ad6073e071e6843d712f05c114a265d

  • SSDEEP

    24576:htVEx77FqKymt0pA+zuk4Bce6nonkZI98UWcPUIX:vk7FcmwA+zF4WXoR98A

Malware Config

Extracted

Family

djvu

C2

http://astdg.top/fhsgtsspen6/get.php

Attributes
  • extension

    .reqg

  • offline_id

    ioYmb0jtMMtue7xjmkS3WQWGWLR8FTQhb2giQtt1

  • payload_url

    http://securebiz.org/dl/build2.exe

    http://astdg.top/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-jTbSQT8ApY Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0324gDrgo

rsa_pubkey.plain

Signatures

  • Detected Djvu ransomware 16 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

  • Djvu family
  • Renames multiple (51) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2592
      • C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1652
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 572
            5⤵
            • Program crash
            PID:872
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1652 -ip 1652
    1⤵
    PID:3536
  • C:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe --Task
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe --Task
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3208

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

      Filesize

      1KB

      MD5

      67e486b2f148a3fca863728242b6273e

      SHA1

      452a84c183d7ea5b7c015b597e94af8eef66d44a

      SHA256

      facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

      SHA512

      d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

      Filesize

      436B

      MD5

      971c514f84bba0785f80aa1c23edfd79

      SHA1

      732acea710a87530c6b08ecdf32a110d254a54c8

      SHA256

      f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

      SHA512

      43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

      Filesize

      174B

      MD5

      af07af546da358f5c2944c628c7161ab

      SHA1

      9c89cbe9d3b6ad827e1e74805ef4c7881fc026e9

      SHA256

      a00f5931cd2666a25850b9dea18242f7a64ce2866b443c858aac38c18315cd26

      SHA512

      e5f3cfade8373b00a2f5c30f66728967242f2825cdc09a512ceb0ec9752ae65dedab035264f30945acf38ae9aea75d93f59bcdaf26704294aa8fb5aff78c56ed

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

      Filesize

      170B

      MD5

      c1291351ccc7724b4e3b7ec9b066dc96

      SHA1

      57086b3ad21bb07586b58f4002ff9491442e4682

      SHA256

      3650a74da89e0622d8103958f3a607a24496c1d599d84631d4f991564c4aabcc

      SHA512

      e13b9d0b19553e7d58f89b8516c2d707cb0ce446b126d1dde969acd305e49a467a3e56cb6c6c31f587a0888a7c5051ae92875fd202ef517bedcf56f3d57b1a42

    • C:\Users\Admin\AppData\Local\41a18433-b16f-45d0-a8d4-7eab04f345be\b2f294347754b834dfa0798a7f80dc89_JaffaCakes118.exe

      Filesize

      831KB

      MD5

      b2f294347754b834dfa0798a7f80dc89

      SHA1

      a62a785570f2302af02fa981a279afcb371c7d49

      SHA256

      f911d9fe94c6aa35874faa758432168c6846c24b010e8f351f874ac6830c2a2d

      SHA512

      4e5195423198d4ea5f1742e9ded4598153a1a40ae1df65796cd457c75ffdeb433cebf85d6fcc5b527d2d2409487104386ad6073e071e6843d712f05c114a265d

    • memory/1472-23-0x0000000000400000-0x0000000000986000-memory.dmp

      Filesize

      5.5MB

    • memory/1472-25-0x0000000000400000-0x0000000000986000-memory.dmp

      Filesize

      5.5MB

    • memory/1652-26-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1652-29-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/1652-27-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3208-43-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3208-351-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3208-46-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3208-36-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3208-48-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3208-49-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3208-44-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3672-1-0x0000000000A60000-0x0000000000AF6000-memory.dmp

      Filesize

      600KB

    • memory/3672-2-0x0000000000B30000-0x0000000000C4B000-memory.dmp

      Filesize

      1.1MB

    • memory/3980-3-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3980-4-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3980-5-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3980-21-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB

    • memory/3980-6-0x0000000000400000-0x0000000000537000-memory.dmp

      Filesize

      1.2MB