Analysis

  • max time kernel
    129s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/12/2024, 05:29

General

  • Target

    c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe

  • Size

    336KB

  • MD5

    c61f29c47fcfa462ea273b231d8d5ec1

  • SHA1

    72c9f9428992c9f19a4a18afa2244b8637b11d47

  • SHA256

    8a1a7fe83079ac76476b2c67ccd80cfe8dec0807fcd4336a9f5ad9a380a07fcd

  • SHA512

    12e97acfc3791ebad0e6befd594de27c1cf30824d4cabe80dd605618f5c32df0c826a0fbb177b7226474ed9c4fd41065c3b6d443fb250a9b371986684d402357

  • SSDEEP

    6144:g1w0U6D6x4kyjf+g0uc2RTqWmx7Ikw9NShXvSmk2OpXaP/EBySkQ4:gi0Uu6ikyjcuk5y0hXaxpKkB

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ftafs.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with AES
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES

How did this happen ?
!!! Specially for your PC was generated personal AES KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/EE7C04285F9DB
2. http://tes543berda73i48fsdfsd.keratadze.at/EE7C04285F9DB
3. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EE7C04285F9DB

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/EE7C04285F9DB
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/EE7C04285F9DB
http://tes543berda73i48fsdfsd.keratadze.at/EE7C04285F9DB
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EE7C04285F9DB
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/EE7C04285F9DB

URLs

http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/EE7C04285F9DB

http://tes543berda73i48fsdfsd.keratadze.at/EE7C04285F9DB

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EE7C04285F9DB

http://xlowfznrg4wf7dli.ONION/EE7C04285F9DB
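The URL list above is tria.ge's own extraction from the note. As an added example, not part of the report or of the malware, the Python below performs the same extraction from the note text and separates the per-victim payment pages from the reference links (Wikipedia, Tor Project) by the path segment the payment pages share, the victim ID EE7C04285F9DB. NOTE_EXCERPT is copied from the note on this page, shortened to the lines that carry addresses; the dictionary field names are this example's own. The onion address is written bare and in mixed case in the note, which is why a scheme-only URL regex misses it and a separate onion pattern is needed.

```python
"""Indicator extraction from the TeslaCrypt ransom note shown above.

Added example (Python), not tria.ge output. NOTE_EXCERPT is copied from the
note on this page, shortened to the lines that carry addresses; the returned
field names are this example's own.
"""
import re
from collections import Counter
from urllib.parse import urlparse

NOTE_EXCERPT = """\
More information about the encryption keys using AES can be found here: http://en.wikipedia.org/wiki/AES
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/EE7C04285F9DB
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/EE7C04285F9DB
http://tes543berda73i48fsdfsd.keratadze.at/EE7C04285F9DB
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/EE7C04285F9DB
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/EE7C04285F9DB
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# v2 (16-char) and v3 (56-char) onion hosts, with or without a scheme. The note
# writes the onion address bare and in mixed case, so URL_RE alone misses it.
ONION_RE = re.compile(r"(?<![\w.-])([a-z2-7]{16}|[a-z2-7]{56})\.onion(/\S*)?", re.I)


def extract_iocs(note: str) -> dict:
    """Split the note's links into payment pages (sharing the victim ID) and reference links."""
    found = {}  # (host, path) -> canonical http URL; de-duplicated, insertion-ordered
    for m in URL_RE.finditer(note):
        u = urlparse(m.group(0))
        if u.hostname and not u.hostname.lower().endswith(".onion"):
            found.setdefault((u.hostname.lower(), u.path), f"http://{u.hostname.lower()}{u.path}")
    for m in ONION_RE.finditer(note):  # handles both bare and http:// onion forms
        host, path = m.group(1).lower() + ".onion", m.group(2) or ""
        found.setdefault((host, path), f"http://{host}{path}")

    # The victim ID is the trailing path segment the payment URLs share; the
    # reference links (Wikipedia, Tor Project download) each have a unique path.
    tails = Counter(path.rstrip("/").rsplit("/", 1)[-1] for _, path in found if path.strip("/"))
    victim_id = next((t for t, n in tails.most_common(1) if n >= 2), None)

    def is_payment(path):
        return bool(victim_id) and path.rstrip("/").endswith("/" + victim_id)

    payment = [url for (_, path), url in found.items() if is_payment(path)]
    return {
        "victim_id": victim_id,
        "payment_urls": payment,
        "onion_hosts": sorted({h for h, _ in found if h.endswith(".onion")}),
        "clearnet_hosts": sorted({h for h, p in found if not h.endswith(".onion") and is_payment(p)}),
        "reference_urls": [url for url in found.values() if url not in payment],
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE_EXCERPT).items():
        print(f"{key}: {value}")
```

The canonical form drops scheme case and query strings, so the bare `xlowfznrg4wf7dli.onion/…` in the Tor instructions and the `…ONION/…` in the footer collapse to one indicator; the victim ID is the pivot to search other hosts' notes for, since every payment URL on this victim ends in it.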

Signatures

  • TeslaCrypt, AlphaCrypt

    Ransomware based on CryptoLocker. Shut down by the developers in 2016.

  • Teslacrypt family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (430) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\mbgqpcmmuonw.exe
        C:\Windows\mbgqpcmmuonw.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\mbgqpcmmuonw.exe
          C:\Windows\mbgqpcmmuonw.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2356
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2608
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:216
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:324
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:324 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2224
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2452
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MBGQPC~1.EXE
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2800
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C61F29~1.EXE
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2580
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:536
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1676
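The process tree above is the evidence a detection engineer turns into rules. The following is an added example (Python; not tria.ge output and not TeslaCrypt code): it replays the tree as hand-transcribed process-creation events and flags the four behaviours the report lists, shadow copy deletion through WMIC, self-deletion through cmd.exe /c DEL, the dropped binary in C:\Windows executed from a Temp path, and the ransom note opened in Notepad and Internet Explorer. The event fields are a simplified Sysmon Event ID 1 shape, the ppid links follow the tree's nesting, and the vssadmin alternative and the RECOVERY.* filename pattern are assumptions beyond what this one sample shows. The detail that matters for the self-deletion rule: both DEL targets are 8.3 short names (MBGQPC~1.EXE, C61F29~1.EXE), so comparing the target verbatim with the parent's image path would miss them.

```python
"""Detection rules for the process chain in this report (added example, Python; not
tria.ge output). Events are transcribed by hand from the process tree above: image,
command line and PID as reported, ppid per the tree's nesting (0 = outside the tree).
The event shape is a simplified Sysmon Event ID 1 record, not an exact schema, and
the RECOVERY.* note-name pattern is an assumption taken from this one sample."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe"
DROPPED = r"C:\Windows\mbgqpcmmuonw.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed from the process tree on this page (same PIDs and command lines).
EVENTS = [
    ProcEvent(2212, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2684, 2212, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2604, 2684, DROPPED, DROPPED),
    ProcEvent(2356, 2604, DROPPED, DROPPED),
    ProcEvent(2608, 2356, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    ProcEvent(216, 2356, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT'),
    ProcEvent(324, 2356, IE, rf'"{IE}" C:\Users\Admin\Desktop\RECOVERY.HTM'),
    ProcEvent(2224, 324, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:324 CREDAT:275457 /prefetch:2'),
    ProcEvent(2452, 2356, WMIC, f'"{WMIC}" shadowcopy delete /nointeractive'),
    ProcEvent(2800, 2356, CMD, r'"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\MBGQPC~1.EXE'),
    ProcEvent(2580, 2684, CMD,
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C61F29~1.EXE'),
]

SHADOW_DELETE = re.compile(r"\b(shadowcopy\s+delete|delete\s+shadows)\b", re.I)  # wmic / vssadmin forms
CMD_DEL = re.compile(r"/c\s+DEL\s+(?P<target>\S+)", re.I)
SHORT_NAME = re.compile(r"([^~.]{1,6})~\d+(\.[^.]{0,3})?")  # 8.3 name: STEM~N.EXT
RANSOM_NOTE = re.compile(r"\\RECOVERY(\+\w+)?\.(txt|html?|png)\b", re.I)  # assumption from this sample
TEMP_DIR = "\\appdata\\local\\temp\\"


def short_name_matches(target: str, full: str) -> bool:
    """True if `target` names the same file as `full`, allowing an 8.3 short name.
    8.3 names keep the first six stem characters (spaces and dots removed), then
    '~N', then a three-character extension; the counter N is tolerated, not derived."""
    tdir, tname = ntpath.split(target)
    fdir, fname = ntpath.split(full)
    if tdir.lower() != fdir.lower():
        return False
    if tname.lower() == fname.lower():
        return True
    m = SHORT_NAME.fullmatch(tname)
    if not m:
        return False
    stem, ext = ntpath.splitext(fname)
    stem = re.sub(r"[ .]", "", stem)
    return (stem[:6].upper() == m.group(1).upper()
            and ext[:4].upper() == (m.group(2) or "").upper())


def detect(events):
    """Return (rule, pid) alerts for the behaviours this report flags."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        base = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        pbase = ntpath.basename(parent.image).lower() if parent else ""
        # Inhibit System Recovery (T1490): shadow copies deleted via wmic or vssadmin.
        if base in ("wmic.exe", "vssadmin.exe") and SHADOW_DELETE.search(e.cmdline):
            alerts.append(("shadow_copy_deletion", e.pid))
        # Indicator Removal: File Deletion (T1070.004): cmd.exe deleting its parent's own image.
        if base == "cmd.exe" and parent:
            m = CMD_DEL.search(e.cmdline)
            if m and short_name_matches(m.group("target"), parent.image):
                alerts.append(("self_deletion", e.pid))
        # Executes dropped EXE: a binary in the %SystemRoot% root launched from a Temp directory.
        if parent and TEMP_DIR in parent.image.lower() and ntpath.dirname(e.image).lower() == r"c:\windows":
            alerts.append(("dropped_exe_from_temp", e.pid))
        # Ransom note display: notepad/iexplore opening RECOVERY.* from a non-shell parent.
        if base in ("notepad.exe", "iexplore.exe") and pbase != "explorer.exe" and RANSOM_NOTE.search(e.cmdline):
            alerts.append(("ransom_note_opened", e.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:24} pid={pid}")
```

Run directly, it reports seven alerts: both WMIC invocations (PIDs 2608 and 2452), both cmd.exe deletions (PIDs 2800 and 2580, each resolved through the short name to the parent's image), the first C:\Windows\mbgqpcmmuonw.exe launch from the Temp-resident parent (PID 2604), and the Notepad and Internet Explorer note viewers (PIDs 216 and 324). The prefetch IEXPLORE.EXE child (PID 2224) and the second mbgqpcmmuonw.exe instance (PID 2356, whose parent is already in C:\Windows) do not fire.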

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ftafs.html

    Filesize

    11KB

    MD5

    5b544359821ae4fc35381466dd99a071

    SHA1

    88ef96e60e42cd5b73a29db53d82fee67bace26f

    SHA256

    5ff6870e497b37198f41da642fc6c36794c016f407e2c7d2fd13b9ac38408f1e

    SHA512

    524fc2b723f5648f165a534bdffd7422e2967a86166bd3d4c928991753c107fc3088edf8bb1f27160d2b7fbf36f50caf7693ba2741bf1d2fa6d8d491b7ff3391

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ftafs.png

    Filesize

    62KB

    MD5

    2538bf194b1f8e6631ba9adea076aaca

    SHA1

    1ecaaafaf7df28240e6875d18bedf7125a25e036

    SHA256

    783cc7b9662225f4a54260c0f08e9db76b172682eb1b9ff6b072061f2fda3c12

    SHA512

    67d4b04c0c56164f12b7a8aa32b118fecb87b710d27e224f4f540fc8a610c3e4b0b9970b3e3c2bf9d130a97c0b16a20a9ba7c464a592274eccdd0f6e6c777076

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ftafs.txt

    Filesize

    1KB

    MD5

    3d8f0c9c952597617a0719753031e9a9

    SHA1

    83614dcc2a1b1474154f50f7d4f5f9233e53a3af

    SHA256

    39ad44a94df6031b414ca0cbb9f29dbac072a9e926b2ac0acaf9ba31361b6a4a

    SHA512

    c1ce775726c22e45dfadab561756e732082d0371627953dd9e86d185a75d4bdab62816dfb1bb312118928f4f6c7b49450e54be63492082ac221ec338993c9dc2

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

    Filesize

    11KB

    MD5

    e3b8c4b0e210b66f28964853f037de3c

    SHA1

    f1cf2e3b6f38cdd138ee565207253e33a1c31bce

    SHA256

    9f750908939a31b1ec0a0f952ac340b36cd450577bb53842b637fd5059573fd6

    SHA512

    0c8ded35cc6d315f3ff12f4f0108034b86164b0f3653dc7a678372645b48461a829a5ca1976c1c7f9bde0bbdd248624d39aebd2d0bad714e82a380b4ae95a589

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

    Filesize

    109KB

    MD5

    7de24e05bb89a4a465f9f114f73baebd

    SHA1

    fcf7f155200117f5826aae31019a65ebfa725d44

    SHA256

    3cc44a110eea9fa6b3caa3d969504d0a1b0eab26eb10ffcb5121bff6b6d7a1eb

    SHA512

    05ff99f14b78d146d60c9ee565afc656dfd7af64ca005617c43d7b746217cdd511e451b07d4494eb1d4103b9734493f96fb910e8eec08af2edfded9c9e9cd215

  • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

    Filesize

    173KB

    MD5

    da2087dd0ff01b7caa2b06eadc6dea5c

    SHA1

    a82ae3a3060be1431414d8a4eace6fcc9f36b188

    SHA256

    671c7e5bc9bf4e73cee342db5cc6902c984ca880f59a8be2f1e9e67294405f2c

    SHA512

    2d6dac7ee17cf40c9621bb2f69705e72ba8d2f54ebf4dcff2cf7a5cfd46aa2e53878ce5067d98689066ff1c397ea340ab7620136043a9bc66b96a136fed93393

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2640c75477a0a4a129909e9c6678eaf0

    SHA1

    acd3172cd32d368c4eec7612e016c09be30b4d32

    SHA256

    19f347c7f10df445fa01be332c81ef142074ecd24ab8283eece950f155dc0410

    SHA512

    4a718cd8da3d9cc8e850efa248e430edc4f50e792fb9d6c1bb41a87f06aeb73884eef2e5fd4a450b4011360413f2632690e453fdb88afa3ae3da8a5771378e1c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    88c1bf2b9a7d1124d0427ab515286386

    SHA1

    96f82866cec30c7761eee5f83f2fbed8c53f4b8f

    SHA256

    8b8f8abb272cab20675ee448a4ccc83bfd1523821a6bc7b061a8b5e4f05feaa0

    SHA512

    35e3649d265bbec4887061fdccd07dfcf749de3f36cc6ae381d1b853c81f95cba95261bdfd5ffee831235d377ee367c5a400b8e3a8eaf03728790c545307bae8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1fd6fc3b5d9f2419179f40bc2eea14e8

    SHA1

    a2f8ffd732e3a2a3ecc446e478d7bdf84d378736

    SHA256

    c5fa6ada8cf067e65fac57ee4add2d44772eb22ff5271a2097a0ce6f8c6117e7

    SHA512

    b61bea7aa84f6b4e1f9d22baaecb8d0da61f72a11230fbaa23a0b5500fcd8db54cbf5d12bbf12e6822925cf53101fc0c308c3e223317ed3e8d6b12d8fa5cc7d1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ffa816ae19744aaf8846d0aa5d10f020

    SHA1

    0b7fa3f7110a85dfa86ce3cec31a3ccef895623e

    SHA256

    0695318cd0a9b595d1b01cbcb4819d05105279bf7928ec175d305432aa91524b

    SHA512

    af1a30c90b21e05127ad2d19d7c87f7c26a4382d96bd34a16f9586dc5268ead21c8bbd99724c1f6526832ff079e0b2deef3951829ab5e5c3703205060be5533c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    87ef8f1ae1c1d02e1e70b9073d65edac

    SHA1

    7d8ef26aca471094de7792e7432d1411401ddf7a

    SHA256

    c645c4fd59e5a07c673776744fe4f5fa0ceeb7ba31ca231e1321f099b49ba70a

    SHA512

    fc41a350fea74d239c2c0ecba01390b6c2ecd6b9732927e755ab2807833054eb276f8c1100a1e0a34ae1cd8c848f606592c6f77d54ee3ed5f6ce5be8b333f981

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ce524096bc92fe72a12d8f42793fa247

    SHA1

    60e6fc3511de168dfdc3521999f3273475198e47

    SHA256

    b0674ce7562d0a3bc9cd9a41ca314b1762e21e19fb2d79c66424e5e84ee5dcb5

    SHA512

    355556ce32247a3d76b9a5732f40127dc15120c888b9b275fc46bbc22959dced3c0d44eb23830d6908cd3d27db44236165a9256bbd374fb1232819aea1165dee

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6fd26184d56440cd425b633bed3094fc

    SHA1

    f5612ae751fac03c74510758a04073c9baca442d

    SHA256

    67faa6756c31c58cc0edf1247c4e183593cd14a08585d0eebc4e44ae4c04fad9

    SHA512

    5263d4012492478cfcfaba8c23f0fff1513d76b76c1483b4f406f5e71d9874efd19ddd9de2da542b4db5bb2a6b8d487604b279da4bb64ac41d7b83163242b87a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0936805f1c970e63a25250eaae9ff0e6

    SHA1

    a1514bbb09a3ca6e61b94a885d5a23773ed90247

    SHA256

    6128154d53c774975c0ef641bc22e3276e75477f0ccfe8e7c67563eb272b5d4e

    SHA512

    1303983690995046d92172a2115bcff6083fb02ecab7572733c4b0cc5e11e137fbb271ee95523feab4860ff4222a5f652ab126f75d3dfb6d8f690d76ce83646e

  • C:\Users\Admin\AppData\Local\Temp\Cab9206.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar9285.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\mbgqpcmmuonw.exe

    Filesize

    336KB

    MD5

    c61f29c47fcfa462ea273b231d8d5ec1

    SHA1

    72c9f9428992c9f19a4a18afa2244b8637b11d47

    SHA256

    8a1a7fe83079ac76476b2c67ccd80cfe8dec0807fcd4336a9f5ad9a380a07fcd

    SHA512

    12e97acfc3791ebad0e6befd594de27c1cf30824d4cabe80dd605618f5c32df0c826a0fbb177b7226474ed9c4fd41065c3b6d443fb250a9b371986684d402357

  • memory/1676-6120-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB

  • memory/2212-0-0x00000000003A0000-0x00000000003A3000-memory.dmp

    Filesize

    12KB

  • memory/2212-15-0x00000000003A0000-0x00000000003A3000-memory.dmp

    Filesize

    12KB

  • memory/2356-6113-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-46-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-45-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-674-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-947-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-949-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-52-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-6127-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-47-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-3239-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-5467-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-49-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-51-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2356-6119-0x0000000002AD0000-0x0000000002AD2000-memory.dmp

    Filesize

    8KB

  • memory/2356-6124-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2604-25-0x0000000000400000-0x0000000000748000-memory.dmp

    Filesize

    3.3MB

  • memory/2684-3-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2684-5-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2684-7-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2684-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2684-13-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2684-28-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2684-17-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2684-16-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2684-9-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB

  • memory/2684-1-0x0000000000400000-0x0000000000485000-memory.dmp

    Filesize

    532KB