Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30-11-2024 04:24
General
-
Target
b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe
-
Size
376KB
-
MD5
b4c370efce46e7abfec0b147f3118b6e
-
SHA1
d08babb7e379e05f24270b005efd42c57834d6f1
-
SHA256
ce70e4c500aa39d8d43b1fc93909894c87b68843420b359f4017bec77292fa7d
-
SHA512
61573d888601dec15e2eae0777df7a15a5205f3af28c44349aa76f29d712f32d287dedb1187ca1121262b1f7715244bb4c31cc3e878728d77a28619a9207b30f
-
SSDEEP
6144:ie3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:iY5hMfqwTsTKcmTV5kINEx+d
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+jstdm.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/ABC16D5FBF71CF8B
http://kkd47eh4hdjshb5t.angortra.at/ABC16D5FBF71CF8B
http://ytrest84y5i456hghadefdsd.pontogrot.com/ABC16D5FBF71CF8B
http://xlowfznrg4wf7dli.ONION/ABC16D5FBF71CF8B
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (872) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4c370efce46e7abfec0b147f3118b6e_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\bsxcuwfhfdfh.exeC:\Windows\bsxcuwfhfdfh.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\bsxcuwfhfdfh.exeC:\Windows\bsxcuwfhfdfh.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff93046f8,0x7ffff9304708,0x7ffff93047186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,9667352701347814091,2813520320317049705,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,9667352701347814091,2813520320317049705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,9667352701347814091,2813520320317049705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,9667352701347814091,2813520320317049705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,9667352701347814091,2813520320317049705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,9667352701347814091,2813520320317049705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,9667352701347814091,2813520320317049705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,9667352701347814091,2813520320317049705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,9667352701347814091,2813520320317049705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,9667352701347814091,2813520320317049705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,9667352701347814091,2813520320317049705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BSXCUW~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B4C370~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD50c15035f77d0b3b9b8737188152f548f
SHA13f26643706e27a22b49d73e1a5d61ef543aced66
SHA2560591499fd4eb507a184b86cdc7b49798db43007bf934330ab385ac466ba8b260
SHA5127e768e4e40108dfd0bc7c620a86d072951ae61bad839dfc3f78e4604133879c61a25ce69a83edc2f0edaabb3925f66b2601e80211bfa89d5b11eeb056180ce56
-
Filesize
63KB
MD58b1c74f637dba817a97c168f6a851b77
SHA15a1911a2db1b53447f99012f263c577abe5d4848
SHA256b4647e87dbc56cf119de0ac53064e0a69d9fad5fe9a2e18dfa7c62ccae5ab14b
SHA5124af2f5310f2fb14f82660196a8c58875aeb11b57dbd79224663ef05da204b945a2a14f84ff4140e92022b9831b61f9a2c86c827d33c90b6791794e0c4d6eaf6d
-
Filesize
1KB
MD5e38675639fac11412fb93dc96b3b9ec0
SHA173977381479cbfd565a820450c889372dc1adc83
SHA256a14864ad81240487901cf756fd28f6ed412ed7b12ca91933a8b5d9d1b958c1b8
SHA512a49ec1c09b72e5f83efa9df66dfbc518c828d262e65a95ed4723aa1610ba3de7995d26cad27c963da8e5092e51a14f24704d745ddca5b0a10118722237ae08f0
-
Filesize
560B
MD5e2fa48fd25db182d91036e74a3092280
SHA1ad8e185811e02c6416ac03d8c80cc1a6362d0436
SHA256cf4e5f1a0e9e9d8923d5ed1eea9c2db343fcd194f27b6cdbbea9a346431a907b
SHA5125a1622deaf8a5f5ee1cb1eca5263a41b0d7d7ced4ee836d69603dd9fa29a8bd7fe02d8a207e0365160e5fb7e9cd0aca8437f8ad71fe63a94b829bed2cc0e73e6
-
Filesize
560B
MD5aac9ee622c1819ba80f05cec151f0cc7
SHA1bf49cd44e004491d54eb172e9f74de8b490cdfbd
SHA2563ad887839a04d81a569c05c0b325a1d1a334d4c25d77d002a631ef6a46f5c7dd
SHA5122471b45ead9659cfb3f2833ec9b37ec87e5f7d2caacc6fca18da364a20e8cebaf5f15a5a7dc96326562d04491c4c1306f16072bd0cdf5ea069c899ea858a17e2
-
Filesize
416B
MD5bc77b25750ddc73a0e1c0f99d72f64cc
SHA11b6ced856dea87950a139ca8597c96936b7d68d7
SHA256cd64443658ee79f33eed6d6b333ec5274a813fe2d961de27c76b1ad5492951a0
SHA512d58490044eefe0b774137b4b88606c48026bbce4061514e1ec1a3d93c6057ddcf711a29a31c905fa47e22e2118dc8cf31d33cf38a2f9a8651b2abef8eaeae883
-
Filesize
152B
MD5a0486d6f8406d852dd805b66ff467692
SHA177ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
-
Filesize
152B
MD5dc058ebc0f8181946a312f0be99ed79c
SHA10c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA51236e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa
-
Filesize
6KB
MD5b1d7d2902057874b8b8afd476dade05c
SHA1491b83f22969742008bc83e4739661400ea56806
SHA2567ffbf94683547175236aa16e376e393f44bd58772920caec95fb1e762a83bba4
SHA51275da2e3ecfed04110b58544c4726693bf8dea4859e214d89fefddd45ae817e4c43de7d16d157c1340a0843c67e14623a46f71f885b23ddb55a4b25e46ea45e64
-
Filesize
5KB
MD5d53d444b1a3593a0f10e4a56f8f2352d
SHA1ebd70e1b6b09207dfbefc71c163bde46c9a15805
SHA256c55a8f1bb64cdac93d9560c694bbd530921a6f70089bafe8bf129d6dce0ac07d
SHA512394d63d19fb3309132538e8123283a1acd30dc0f8e75e902717d1078d63e7f63d4d2a2ea9a0ab1e6886cfcdb12e9e1d811aedbf277fd72f96dd3999e660e6160
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5ed363b465de1ceda273d02184c2a8190
SHA12e5db555cabd2f4424b8a928becec14d7f62eace
SHA256b954dcab054e7fff1d4c79011962e0a37fec7e050d61b516e3df15b5cb409264
SHA5129062cabfcf74ed5c7a1ea0372e9a808afcf0bc69f227bb0915e60d6dc9b0609f101a1a7fa2255eb3fd0149a57e1d9a48dc4a6005e5a177a65294a99fac446dac
-
Filesize
77KB
MD5e2929f5cd5bc791d69d9db31c27e9243
SHA1d6716e96fa514c6f64688f5ff2bf56239484c847
SHA256a0e9d67509ff15216c002fc817fa4fccc32a82452561ca94e01919256a9da372
SHA5129b5efd436f0716e9ad543307aa0487aebbc0d94966172ddeeb3416f9ba90ac268efdfed2d7ffd32bbe5e357010abd653adde28ab76eaff2136c53eadb2eee9a9
-
Filesize
74KB
MD561f15563b2202edb1ed17bb44b483316
SHA1d8ba13f01d80535c13bc8c53479870d0f1698e50
SHA2561645d8e634cf53656719d9efc64e24301ab81b00bb98e4b553e768c1e19ac1ad
SHA512c00b75c0434f59d029689d4fccd160e5a5060d6e1f76f7fa83e19fee5ea0183029357617a89433916754eca1460e3989567e8f79d4bcda5dc368cbf3e168fd1b
-
Filesize
376KB
MD5b4c370efce46e7abfec0b147f3118b6e
SHA1d08babb7e379e05f24270b005efd42c57834d6f1
SHA256ce70e4c500aa39d8d43b1fc93909894c87b68843420b359f4017bec77292fa7d
SHA51261573d888601dec15e2eae0777df7a15a5205f3af28c44349aa76f29d712f32d287dedb1187ca1121262b1f7715244bb4c31cc3e878728d77a28619a9207b30f
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
1.9MB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
