Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03-12-2024 15:20
General
-
Target
be009cd5747143e0165519ec8337353d_JaffaCakes118.exe
-
Size
376KB
-
MD5
be009cd5747143e0165519ec8337353d
-
SHA1
95eeacd23cbc4ca9c2eb5c4481211c77ba5867d3
-
SHA256
7433a5e9c197d553dec3846ca48f83151ab4b17d2e4228d5433786622d575917
-
SHA512
c743f59887af3052546e9997104a72368db62ecc99940776fd50a9839e7f76307e17609cbe01271d64699623e18a9bb1b2058536d513674420fda0c3aaf5ce14
-
SSDEEP
6144:Se3rNhMeYq4CGRTs4kadSoKVStcmTVn57CpSCwsUbg62oXd:SY5hMfqwTsTKcmTV5kINEx+d
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+sqprc.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/448BE6971674DE59
http://kkd47eh4hdjshb5t.angortra.at/448BE6971674DE59
http://ytrest84y5i456hghadefdsd.pontogrot.com/448BE6971674DE59
http://xlowfznrg4wf7dli.ONION/448BE6971674DE59
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (409) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\be009cd5747143e0165519ec8337353d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\be009cd5747143e0165519ec8337353d_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\be009cd5747143e0165519ec8337353d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\be009cd5747143e0165519ec8337353d_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\rgrbldqfkhri.exeC:\Windows\rgrbldqfkhri.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\rgrbldqfkhri.exeC:\Windows\rgrbldqfkhri.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\RGRBLD~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\BE009C~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5e8936659efe1b9a5f6eabfa6d891aa13
SHA1e96577adffd4a079653338da2e106ddd2bb34632
SHA256c44e9ba3f93290e1af23ef05d7093e8081655008a534dc8389c6a95e847f6081
SHA512b6f1b195d87cfd3d835a41db5a52e84fabba054cfd1db16adc2438db24da8c21e2ef8adbbe9f4159b82b2ea09228b775f955a72f6c3beaa70e25117b342e89db
-
Filesize
63KB
MD5956a77bb3ed611bbd439a3b5a0357be5
SHA188d36542b7c00e52dc6f960e6b6a97cb44e6dc83
SHA25671b0345a769e4df3712f561460e515f1aacd0114325bb56ceb479c8100306a2d
SHA5124a41faaaa376b94d0acab9ad31e24bd2af78bfdb89c225516f3e4c259d181224a15836a85b930bbb65afd871aa20462d6a09e2ca4fd5e0d01b17ce1538645fd6
-
Filesize
1KB
MD5e4a5075dd94dc956426ab3e9a20070cf
SHA1884829ee349420280cd96ac9b8707f3f0e41c216
SHA2562d9ed314495647a98ee878496da878d6ff2b664257a7a42a0d5bb0b717d1a717
SHA512e0edbc0685e8ceaff598706df28ce6f2271f2263242c96d7ba256b2f25d4b1530450d148fc2083a637eb1c009487a153c14c1a70fba739575c8bcc3d900a5fea
-
Filesize
11KB
MD51a0845b75093efea309f14975fb5843f
SHA1bc32aa9368a9766343980cac21d0ee67fb1e263d
SHA256b76af4690bb202db743da9bb8f199eef7ce74b1c660a5060a0956e25440f8ec9
SHA5129d1eb2960325a2c010a625034913866fea4d34e30272f10f926a8c3f10bf109b0b52fcde56553f0002024fdd56865e8ce3573c9e5881db0a76baba6adeef0c7d
-
Filesize
109KB
MD556487dd236cd773393020e6b82d805d9
SHA16bbeb6252c00fa9e40271b193b4f304d5d39e95b
SHA2568c1a44b7e99001fbf6c146699489c8f02a8f53960efe23cb85179e334635a9bf
SHA5128d75bb2b76be7793a6703ec0ffcd5ebab9ea7bcb2b2fd54bff47b0df3b20ede3141c135596ce7989301b3a865e29d6f0707d3d2fc6d0617cad8be4e31ba3b2e3
-
Filesize
173KB
MD51e95083f28c63342406f51cba4e623da
SHA1ef323962fd83d9515765a7427b5f72f11fb315e8
SHA25651633c391d2ef66b741a46f6af31b595a424e4d1970654bbb1e8c76b2de9077f
SHA5127108dc5f5745901b09bc39eb7079606e2c887d3c642f6115435f0ee93e9828e066d0c6e8ac5e1cb3653e9a5e0a87b30c77923847005f7be7146982b0e219260a
-
Filesize
342B
MD53a09b833e1d07807a288e3cce2175117
SHA1c1b59dbd35a1075e94cc1cabea5ea2c79ead0850
SHA2562aeeb1e6c46909bb4aa5f62c81c7bccfd3c4261e2c3d6ac1ce31e1caaebab388
SHA51272eeeb7d2750eff030a949f63aff93b41a510657ce713127b2dbdd248f56296ff09f1043e8ac416e4bdbe5c5458dded1a8dc1ec420828ac76824331be4a967a7
-
Filesize
342B
MD547a85bd3cbfdf00939ade8654991a184
SHA1b5a1e065569666eb026b3058be5444b7300f8a32
SHA2566113cf0bc4960488195f4e6cc88dd5d263d3c52b6ded7b7d42b3ef8e0eb15e96
SHA512df8d1840f14d219a15e7a84b2a04129901818e3192f74d25a0c42770882e9c7a9e41ce969dcd4dd160b9b13068d2c639e58abb5d16c2c82eba376e56dfe52597
-
Filesize
342B
MD563cf2be4a0cb53930c573cea1c809d1b
SHA14f33d6cf114296174fbb1cb846aaa89b1bae67e4
SHA25624d0e8551458294a51372ab27b76b0f824fc3dcf2d27260ef0c5c76b673068f1
SHA512426c70977be819cffcf7c1353c32ef01499bb47142ff63b6297919eb46c9622d82d975b8f1479d9f5237a1284f60559d51776ca9dcb2329635f68d3d2b6fe4d4
-
Filesize
342B
MD5a95281b20db37939d0f318a64e673db4
SHA1b04afa796aa832d5ca9cce26e8bcbe84bd9f449e
SHA2561f8175733924095767db443b779cb23472dbe9adafbe554a24b54a63aef754de
SHA512a93b60b142c440772561f9bb261cf4a4db9d45a7464ad502f01a31cd8ec4bbc88b2e50fc09760bc7150f038eb832aabd088bcdfc605cfc6702dbe267431cece4
-
Filesize
342B
MD56af699cfbbd0609fcaf208004ad9e76d
SHA10b9d3644d649d7490c67e9ce39e3ca07c23d6cbc
SHA256e124123a309b8a54dc9cc543627de87651f2b4ba53a03e3ce66bf475cb55306c
SHA5120629e5bb22d509bb7852bdb897816d64af14d8d57c18bad1a9469bc50772a09b9ebd3b68c6863eb7155695b5343f571627dca5ddf707618e199eb0035681b695
-
Filesize
342B
MD5b56456483dde2cf25ff5ff1ee70da4b1
SHA13ff00e2c82ba089b1e1ded350a7b5cebc2a10992
SHA256be7e686ca412f26c38f13d26c74741f6a81385a825226723b6231a3c0bf4e6f1
SHA512f7ae86e98545eb4562b28d409c474cd605353bfcd4d744d048d893f2f130aafb4fbb67e7d97a991def1988fa6b74d93197329214b1e593e4d36e5f7f783006f4
-
Filesize
342B
MD5b5ed447321896e32ea39c8a49e6099cb
SHA1984812f8a427639d500a2bfdfa481d87494e3c31
SHA2566f564ca178dfdd0b2a0c4f54913c06a266c69179b4c9c14b7e81ffad9f0e60de
SHA512e288863265e8d114b18aa962c826b7f99aeed5cf2f0eba4db473e25521ced77650717644ac96860a0b79e29647c4be507479ca5c37918ebd4651e165348432a3
-
Filesize
342B
MD56ad71d38fe2d96a0dbb0b88f9a3d193c
SHA1f68212c25110278c1e12fefc31fb90021a41dcfe
SHA25658cb492e7d5eb9d47271cd63595ce8966f820c91d9ef2de2527c24e6a9170dc9
SHA5124ba7aa5cfc677922b463c51e98de29b0b606ae9982febb683873a79a12ab07a8e6bf6003a336ec24de1d98d785e1fe57d230d8be10f989214235fa88734d987f
-
Filesize
342B
MD579ae97d6bd4c2c8a83bbe5c9fa92558e
SHA1c711c9370bd3187eff020575e21d98b4c8f0401d
SHA256216e77c4d1822af616d016c72cb9c1036f6378e29fb700ef6f7d0f105326abc7
SHA512652739d8d8fe0cfb7572688bba16cb8ba7e41f54f3206812f25644e451eca002a66abe6d673eec24fdb0ca706956cefdca6e5193f07bde89ecdfaa7443a990dd
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
376KB
MD5be009cd5747143e0165519ec8337353d
SHA195eeacd23cbc4ca9c2eb5c4481211c77ba5867d3
SHA2567433a5e9c197d553dec3846ca48f83151ab4b17d2e4228d5433786622d575917
SHA512c743f59887af3052546e9997104a72368db62ecc99940776fd50a9839e7f76307e17609cbe01271d64699623e18a9bb1b2058536d513674420fda0c3aaf5ce14
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
8KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
4KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
1.9MB
-
Filesize
8KB
