Analysis
-
max time kernel
138s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-12-2024 05:29
General
-
Target
c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe
-
Size
336KB
-
MD5
c61f29c47fcfa462ea273b231d8d5ec1
-
SHA1
72c9f9428992c9f19a4a18afa2244b8637b11d47
-
SHA256
8a1a7fe83079ac76476b2c67ccd80cfe8dec0807fcd4336a9f5ad9a380a07fcd
-
SHA512
12e97acfc3791ebad0e6befd594de27c1cf30824d4cabe80dd605618f5c32df0c826a0fbb177b7226474ed9c4fd41065c3b6d443fb250a9b371986684d402357
-
SSDEEP
6144:g1w0U6D6x4kyjf+g0uc2RTqWmx7Ikw9NShXvSmk2OpXaP/EBySkQ4:gi0Uu6ikyjcuk5y0hXaxpKkB
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+mhjfi.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/90E84BE4449BB097
http://tes543berda73i48fsdfsd.keratadze.at/90E84BE4449BB097
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/90E84BE4449BB097
http://xlowfznrg4wf7dli.ONION/90E84BE4449BB097
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (887) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c61f29c47fcfa462ea273b231d8d5ec1_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\bjwjfwttgqum.exeC:\Windows\bjwjfwttgqum.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\bjwjfwttgqum.exeC:\Windows\bjwjfwttgqum.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb311f46f8,0x7ffb311f4708,0x7ffb311f47186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13957885471639122369,465997684743550758,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,13957885471639122369,465997684743550758,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,13957885471639122369,465997684743550758,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13957885471639122369,465997684743550758,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13957885471639122369,465997684743550758,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13957885471639122369,465997684743550758,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13957885471639122369,465997684743550758,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13957885471639122369,465997684743550758,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13957885471639122369,465997684743550758,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13957885471639122369,465997684743550758,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13957885471639122369,465997684743550758,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\BJWJFW~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C61F29~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD51b756e67b414e82143fb8b700d1c98d8
SHA106789865cb5b63391d97f25640da416153f66808
SHA256dd2514e36305a3d69d5243fe2e05d5b21d3e4163a4cc35d319be97ad9c8c2cb5
SHA5129cb12a74eeb212eaa2d53d207b28c595595f12152ffe5d39f77be627990a433349de5caca370fb6341e3c54458d726ed816bd7da957e739f4ec1eb60d7b053c2
-
Filesize
61KB
MD5cbd26dbb44f1b24d1db93f939ead35b7
SHA1b57040baed00d10a864e51d84edf1c273fafbf65
SHA256df46a3d28f1f742a99ac5547271649aee7846bd4dac09fe63471febffd698461
SHA512a5f52d8fe13ce1c49ad71d9b431b156da2bcd6a3bffc1f0091cfdf13216eb19a044ec8c84d90b306868acd49116dca66f4d63f142a680f9533f8aaee1f86a133
-
Filesize
1KB
MD5e08afb52698031cce3f10992d61efbfd
SHA1415d9f2dcd96fcf5efdcd633a707724d059817f2
SHA256d594b57305d7a5091030512126879a2ca2a23b4bd294b9345a754472cfb686c6
SHA512afd80a3ceafb80062216b3bb9597b9496bb5031a171925c3afb998834c3f773094db49f15e210da198f89af72eddf47d52d199f482771d53ffb71addaef56efe
-
Filesize
560B
MD50133731a073cd1102b68bd5865b8067c
SHA1dce973efac3ff49793d05449481597f0d6ed748a
SHA256557145daa8b69db18f16b3ec2a04a843c11d8f932adb3dfa7c50e3f02ae6b740
SHA512e834c8df4b690448bc4fb41457888fb047b6c3dc6ad1f81a4ebd238285676afb6d55f9b5e29e378a86b6922125ac7c0c3e37ced1223a94d1f6dba8d4477526f2
-
Filesize
560B
MD55b4e6cc0b0eb639e494cb2454851aa02
SHA150614e6f706c5f76dc6b455937a49a2a23ae0b43
SHA256822fa38e2ad6152fabf84d6be1abfa71f5165e0257dafff5334d7e1c541d4059
SHA51201fa0e8b1772f3d786594ac4ef9a167987ca664a6a3d41abc92ddc2e3b537843fc13906666990b286c450f48f4b56da1ef484fc3cfb305479e9a85371b4dd02a
-
Filesize
416B
MD5784aca9929564f0f8b0eab99e9dbc469
SHA1d5c1504fbd7e25b30729c4c42076e8a22410e07e
SHA25616fcec0b4d5890fe70a3039e25caa115c7f630cbc9ba46e0d2eedce90e8dc45c
SHA51258aa911dd88d2a6ab7cf781adb40ac1a6b8af5c62fb29f93777fc432b521246e2da7c312e6abddb0230345d65e4e9f2ef51738d85c45747bd26e17cbae826811
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
6KB
MD59aa8c41ecb7b1373ffcaf9e1127a78fb
SHA1c47c936c7d866451c3272dc0e0ea38af5d03f367
SHA2569270cc8f024e5f004582a5450fad4e23b7c8a8bcf0603bb88e40824873a94d18
SHA5125bfacf1171976f5f5edd2fc99a85f1a9060b91f52a845eff65dabf677b60e1e614a0d1d1da354f7655191fdb8b320560f6b77cca56f858a137324f938f94c72d
-
Filesize
5KB
MD53f3171377ea4b1ea5a2e1fc581ee1e45
SHA162a13a52e9a45abd9390e867df63a2495021ec35
SHA256ace99c95fb9f31603d932d3453ed92297cb47b2413ff34a83b26822976f30e6b
SHA51240355c2f825f906e9513b4ee98949a004d17b9e601f3bc7366e636b723fc8aefc66844445d532d2c494a8346fd5c0dd7f3c49d989b0ca2434b3c46c77e34e4eb
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5ca828bfb3c3584d088f7ac1756e265b1
SHA1acad7229b7c78d93a7715b3d8aff43ba62c397cb
SHA2564e0f757a7549f86c09a871fd30ceae548daa4405f72963f413a02d766c7e7695
SHA5124e0e39354dd0c07472da9e438f01cc4db8bfd728a74d790c99d9522149fd8b0c44c004c52b927ff7862f3d0f0027d05c08406c6a285e5156ab0d58e459e5b22f
-
Filesize
77KB
MD5381603d3a9501177dfc1ae71de024ff5
SHA1c39e83280656ad389dd423aab23ba44eb0fd4a53
SHA2566c1b606b7d20718d9897e1c9bc52e06c0f3065ec5643bda104933b86568dfd7b
SHA512cd9017434b88d42686ee5331dd38c69e1770393a39136d3bf1dcf326017db4c380ec16f3b6765bf92d4ee14a800b9e4e31d5eee28826c330fcb1ebf141623ea7
-
Filesize
47KB
MD51503459e4e6f90b0ee1deaf910eab375
SHA13b4fab450eabdcfc5089d6a714a4313ddb05d03a
SHA256fcb7a66dda184d6a4dabe19a982a6026ccc00d4d00f2da91ca0de489a8b3cba2
SHA51289397f700926c3b4eeeb555327a3cd114a54c551b33579b8067c98e7b1d4e3415b80bfd228024be65799a6f84088361adf1ba22c49e1ab3f499fc8ba61c1e86a
-
Filesize
74KB
MD58e48b9069e1f46e498b70cc1a7406c60
SHA190ea9521be2786b2afaef082436f2601fcf270c6
SHA25696f2df39e00851f64b945cb8c15cda8634bc698d1881032701c37aa5e6c67170
SHA5127b20c799519c155c1f20888488476cd27582d4963731c21ee53b5ad8501a79f3bfc010a4e7b2711b87c0e14841d50ac5fb66e4b2318d829bf7a4974993c9e9f7
-
Filesize
336KB
MD5c61f29c47fcfa462ea273b231d8d5ec1
SHA172c9f9428992c9f19a4a18afa2244b8637b11d47
SHA2568a1a7fe83079ac76476b2c67ccd80cfe8dec0807fcd4336a9f5ad9a380a07fcd
SHA51212e97acfc3791ebad0e6befd594de27c1cf30824d4cabe80dd605618f5c32df0c826a0fbb177b7226474ed9c4fd41065c3b6d443fb250a9b371986684d402357
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
3.3MB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
