Analysis
-
max time kernel
146s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-12-2024 07:18
General
-
Target
b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe
-
Size
396KB
-
MD5
b774e9f49d4aa8a2a009d06a6cdb6f8a
-
SHA1
5eaf1e24c495634ecbf7c81b640d10de8a3399d2
-
SHA256
d3aef7ccd94c55c75a19d3ac6e31ac4af1cfcdd64e77be9afc4e5c8de9301686
-
SHA512
b1cdb65dd44aefae7933944a824faac70b1fe68267e245a3a1181deda7b8cb9016e502550cd73974b3fd85756602193d4db8a23e9f3622d0ed5c59a780b1aecf
-
SSDEEP
6144:CT3WR0F1lDPR+bJnm/jtowhxZWVrfQwBcTMMG26uw6fyQ7Q:CT3MA+bJmy4ZKfQRMh6
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+qrkjg.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/219CC282FBE275E0
http://kkd47eh4hdjshb5t.angortra.at/219CC282FBE275E0
http://ytrest84y5i456hghadefdsd.pontogrot.com/219CC282FBE275E0
http://xlowfznrg4wf7dli.ONION/219CC282FBE275E0
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (884) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b774e9f49d4aa8a2a009d06a6cdb6f8a_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\lwdsingnnjus.exeC:\Windows\lwdsingnnjus.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\lwdsingnnjus.exeC:\Windows\lwdsingnnjus.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf36246f8,0x7ffbf3624708,0x7ffbf36247186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,3234327328181271201,5551892473867487221,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,3234327328181271201,5551892473867487221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,3234327328181271201,5551892473867487221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3234327328181271201,5551892473867487221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3234327328181271201,5551892473867487221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,3234327328181271201,5551892473867487221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,3234327328181271201,5551892473867487221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3234327328181271201,5551892473867487221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3234327328181271201,5551892473867487221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3234327328181271201,5551892473867487221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,3234327328181271201,5551892473867487221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LWDSIN~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\B774E9~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD576154f30b870155766c40984f0be8a67
SHA17edb4b63bd0482465d8b466e6edfed7a42850ce3
SHA2567945fcbdfef31b6d9b2cafae34fc5eef6f03cee53a882eef396c1e4778d25871
SHA512ed3df1c18468edb72b73026971dbd581e030469f9399d46b84fb6bff2c089257d1614975d4c74130369ad518a0cb5e3533ef381a5a6887596647d420de5de886
-
Filesize
63KB
MD581abb361f0a8da6805cc2bb2c3d15ac7
SHA1e9952b9d02f035d2ecf4602b962cb9e9073f22bb
SHA25699f779deb9493f04adca641740ab1e25571ce936bc2187f924a411343a8627a3
SHA512f0bafaf698decaf03ff48bf3bfe5fb37d1e961ef1970054930d70e415b2bbe805c466e56af6b7b36eedcacdbdd958b02aff8b04cf414ad66d4adbd0bfa87d2ff
-
Filesize
1KB
MD5df3c40e6e7f8caf69047615351a66771
SHA1eb4641df826c8f061e2bb834f9ae64f15c4e1c5b
SHA2560aeb8a61b43a14199d40a514360812ca137cfd5a4d82a09966a605ae3b47ee8b
SHA5127fac1b6d4608ad91ce6c3efef72f47e2b44f54aa5fe9071c23be34e6c36eb4e951c13b0ff34494cf2eff97dd4f2055400011b841ef87938518bba9c3fa8ffa20
-
Filesize
560B
MD536f9b587e4bced3ae6eef46529d96326
SHA1c3851c317695584a521407f37968d493dfb230e9
SHA256269cae87663b58a5f95063b14b7e21576255397c2c3868f356d0ce0562696236
SHA5120bdca9dea8d8a6421ab22bc3412c193840826d922d1ff861eae298b055f166f89b426c6f646ec7b47e8b7c8f1ed8234407c892b4d104e44bf8b74e81ba605eb5
-
Filesize
560B
MD5cec0996f5329c303aae7c5cf4c4b0dab
SHA1ea8445210793fdf0aee78ed3cc47e4f19a1a91e8
SHA2566e4ea9e7ed46127229a7ba051b3fe0314e0157729c725494d4ed7516c11967a9
SHA5120867230cfe693fd1dfd853e02bd4285dddb945f35c9d386ae110c98a12ca10bff9a937ea4f97483e489b252e29b0dac819a7ce29c657dd540716c0ea6bd24b59
-
Filesize
416B
MD5caa84f46cf47136a6325f0ae41d1974d
SHA1b02da630c4051fbae3323e727fb180b277026703
SHA256dc2888b42be045527d3abd99657a55bba0f040b402241dac49ba2f6eef88244a
SHA5128eee7513dc1a6343ad8db030a459c82c690efa0a8894fa0100415a5a3641623515adf93de9f57e8c210f360e44fb3ea83796b5f6ca4c4ba921176d661d4402ce
-
Filesize
152B
MD5a0486d6f8406d852dd805b66ff467692
SHA177ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
-
Filesize
152B
MD5dc058ebc0f8181946a312f0be99ed79c
SHA10c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA51236e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa
-
Filesize
5KB
MD50c479d2c0755957c21ab5d80a23e62bd
SHA1c3e3f6c555965594d6d05440c988608e7d8f3158
SHA256bd01845846b24ea003b74161cf6d30ec71ca684a799728add26ca455e795a538
SHA5120c259828e2267d0e834e31d8800ea1dd546d9def0de7de72b01e63c7b989801db1d9715dc70dd3c45f66e5e01443755773b501deaa9fafde5da72af9bd0faa5a
-
Filesize
6KB
MD540784c1fec709534df269685a9a0c40d
SHA1242cf8f2cecf8546538eda3a5c69687450289a97
SHA25604748cb63bd74bbb68724b0ca45ec6f231d08ab6ba976fc14fb30de9acc0fd82
SHA512f9ace73e58b2830f52ad1a1440754a3cd9f8dd8b6154bb0097ddf0cf2ad51885a8e34d8d196fa06deebc625b7d833b5916bb38c4dca1ad7aa54eff0dcda59fec
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD597e290f1e69d5a337554179db840db33
SHA1a81e0b252ded8cc14c9d274472ca7f34e947bfd6
SHA2561e0616e0a889bf2fbacc96c23bd54c82da1228b2cb35041d2086e0e872e30c2d
SHA5126a02ebb86c711316dfe9b75e50305f9c6a733a624e8626c123b707b665c82e492ddfaf9fafb3dbfe86b2ffccc68b75256204cd12a210ae292a09b8e65abc7dfb
-
Filesize
77KB
MD572f4771d212aa4a7ad975e126f894bbe
SHA12a1f08b89919f3ae7ce65fa9f7eeb876f4c9a405
SHA256fa665f8e01a2a12c9b610fb9d5dea83ea6d4bba1e44a2b0db8ffc1b8429eeca2
SHA51296c802ea71adc067d343cc42a0b7e76f248bc79ddeba6bf2138a9f6d15efb778ca087f6a207a05f35871aee1863da375ab1c3bc5b73fe25aa7c48faad1a37c2d
-
Filesize
74KB
MD5a93c31e96ac886df69a1536ae38285e6
SHA1da2e66f4339575eacfff44f3d7f754279abf4130
SHA25694a025f0ddbbd1be3ad29381109f011231df9a50ef8e75b2f289652906b0f5f8
SHA5124a8e2f28f187ae74645a8a1eb443bded0ee8b66c430559f5b94f2022b7b96ec4646051266b7ecc3398d0ac4ec63fa0b996d5512919ed5084f6beb5936d7a18ff
-
Filesize
396KB
MD5b774e9f49d4aa8a2a009d06a6cdb6f8a
SHA15eaf1e24c495634ecbf7c81b640d10de8a3399d2
SHA256d3aef7ccd94c55c75a19d3ac6e31ac4af1cfcdd64e77be9afc4e5c8de9301686
SHA512b1cdb65dd44aefae7933944a824faac70b1fe68267e245a3a1181deda7b8cb9016e502550cd73974b3fd85756602193d4db8a23e9f3622d0ed5c59a780b1aecf
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
2.1MB
