Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-12-2024 08:58
General
-
Target
d19e3bd15c6594a56d81d92831dadbd2_JaffaCakes118.exe
-
Size
424KB
-
MD5
d19e3bd15c6594a56d81d92831dadbd2
-
SHA1
99ba265f63c21cc992adb8a6d86c4cf3a4cb284d
-
SHA256
ba1409d897af7db9224c5fa45cffdf6e38cb724ce08052f4aad34596e1d24458
-
SHA512
8faaaa2142cdf0730965fd2c883980f88a0a4b0a05ac662950874ce48bf0de034a3e6d69a4a2fd8bf20a75a6c8b2e829b6ad033900f6c5c17f60dec643f4f16b
-
SSDEEP
12288:3mJqaEwQLysD/XDz3qzRdW1DzHpblCJxfS6:3gMLyWDbkElOR1
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_RECoVERY_+ksgot.txt
teslacrypt
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/FB689ABDB81715EE
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/FB689ABDB81715EE
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/FB689ABDB81715EE
http://xlowfznrg4wf7dli.ONION/FB689ABDB81715EE
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (874) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d19e3bd15c6594a56d81d92831dadbd2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d19e3bd15c6594a56d81d92831dadbd2_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\itkesdwwgfmi.exeC:\Windows\itkesdwwgfmi.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa12f546f8,0x7ffa12f54708,0x7ffa12f547184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,3588542363579891254,9860249854380651771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,3588542363579891254,9860249854380651771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,3588542363579891254,9860249854380651771,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3588542363579891254,9860249854380651771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3588542363579891254,9860249854380651771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,3588542363579891254,9860249854380651771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,3588542363579891254,9860249854380651771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3588542363579891254,9860249854380651771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3588542363579891254,9860249854380651771,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3588542363579891254,9860249854380651771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3588542363579891254,9860249854380651771,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:14⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ITKESD~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D19E3B~1.EXE2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD51137a73dc08b86c2e517fbe8507082fe
SHA1ed16917a4646b8c83fedab3c156a47342ff96f69
SHA25600f2f47d9171bb87b9df385c616ea1c3836880989a7e916ae703265c650455b9
SHA51283c95db769a334cf090e9075c8c08e26e40e57723a4a57e661f3af614b68f33fec7ec813762cd9b4ced0e8ae8408dbe6ddb55ec1ba59af32c0dbbe8ab016ca67
-
Filesize
64KB
MD588e627d2e62034205e695d05e1b0def4
SHA129fd3138d985deca0571fd45a955cdf68c0916e9
SHA25600e8b3ba7f45107f538d6eeacf766a7236373d3b0d5e526c9d7e9867996a9bee
SHA51205b9ef1128f53b31bac1fc7f879c5d44914cc6d2848a27d1ad962771bbf6a68730df581979a754463fc369c7ed789a89c369baeaefeec284f488284e7421c9fb
-
Filesize
1KB
MD5374b72c04e9374f8314c2652cc4b06af
SHA11e3f5c086a01d1b4717345282a6b399a3772ac1d
SHA2567e75c9e8a2f429f7b37bb6a00c28046b538d15b93dd7b48d088e9fe95c56eef6
SHA51277c4a6a8f9d6da604c6747102ca244817d213ae6f29a6e3e8e96eff0c9d48ed524af8bd4ee1df7886870cf8afe29c590d2e1c306b6193d50725b706ae50bf0fa
-
Filesize
560B
MD575e212c7bf1be118647305916a92cebc
SHA185b10849349f6b7a5f61e2cf93e1cafea0ea1b4b
SHA256e64cd5539a9d017e6f4794270cd04c0cee27f37e71af95357090fcded63c432e
SHA512c60b7299b3f9a4e339243e1b9c51bf5c3a1e8a9d367ec20865b0df633d494791817ea5a7e6096ca07cff4e3c64662b733df4ab6b3d50f6a8b60335c9e36da752
-
Filesize
560B
MD573cce1e510871c4d9423a5e5dd51411c
SHA1e020340ccc7ee80f50a64959bf4d3b2686292c93
SHA256122b0c6eb9e5e1d7cf8f3be6b67c7080a32db1537b484240bbc8476c2613da53
SHA512023a85891e73716b24936394f750ca16887cb8a5eee7ff55cf30c04ec8dd66f0776b7473c705e64be58e609b62aca4df4ba55e04740cefc6985592fb5a5e14f6
-
Filesize
416B
MD511dd7e1ec528ac3904ec361a884e8c25
SHA1f63d33bef64d3580fe43faa14c75519c91eb6d96
SHA25676706b480d66bf74b995e9eaaeff89225de13fe6f67492f11783fe32068a6f39
SHA512b6a284b9563fad28b5cccfe6fa6a16ee00f37642e8855311e496fbecbc0868cab226f95cfeebeabe6bd4de651dd4d89f3dbb7a0c4d5b597f9010cd131cf1749f
-
Filesize
152B
MD57de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1010da169e15457c25bd80ef02d76a940c1210301
SHA2566e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
-
Filesize
152B
MD585ba073d7015b6ce7da19235a275f6da
SHA1a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA2565ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
-
Filesize
5KB
MD5af0491275638a5115ea609b73c9e6dff
SHA10354598963bc1ae68d66699cc2d97b7c3e71083f
SHA256f26f69b3c3a530ce10979545a456d85bda000b9e74c418297329bc175c8f6c7e
SHA5129a2129426aabc9c7d63887e6725529d9b98db261928b75608291b71a9734a7e109eb52815135fff7b3dfe0f27d7e1b156bc2890bce0e0dd194f719ecb8e50d79
-
Filesize
6KB
MD5cba4d11a7cf53e8ad8df3372355a1711
SHA141dfe4d0fb74dabd2ff178840b000fb54126e193
SHA2563bea02309290e3a288d0ecf90e09935904b95e3c9348a3c757f80bfce049e61e
SHA512f5fba5ba6ef2ec1cac6e04f4a3e034316c8baede91bf74a9b1d97be519c836a846ab07ec95484987fd147a653e461b3de08aeb5147cf3fc9c12a76e419e9cfa1
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD52be0176a41c85e211af6aaa2a3e2104c
SHA182d2dcfd245e98ebf002dc7a8c9508ff8f212137
SHA256a71d7bff4886f69164ff737354118664cb987ee19bd79c14a441b308f2821e72
SHA5127a1cdeb191c08ab604b5bcc26d1b780a0262ea39e6c0f06bc731c3cf63bd0495dc36b63966ded6df6b18b89c551882b37a7141fefb196bc68e0abb4a4df09835
-
Filesize
77KB
MD55ef9f0a5920290642500d875ca18b706
SHA128bce8f4344c308e442dec95a2ce6bc3c85c641b
SHA256ec78a75570f4d7ff519742367a8a6adb7629adbf4fe85e85475e6f7fc9d7e4fa
SHA512b91d62c4ecf8cdb08fcffb1ddf36501d6d9f8c7b88c3282b974b0a51f0a8370dfd8b456dbf3490f71378c5a55062949403119e80553c98b34ce3d44d13968187
-
Filesize
47KB
MD52dbcdb6a00529175d449d8f705661a6b
SHA103a9db912f34556a5e6806aa93430d0de2048fdf
SHA256181b96b6f38959d4bf0dde663838e8beb94da43e52da0c984d8304b6dc4d1770
SHA5125a1a0d206bf8478e628494124ff08ca65856822b22e694ea719a0cb6c933346cb838c185757d79f7c47e4f4b7b85c0a290138fff6f56525c589827ed5b74b5b1
-
Filesize
74KB
MD53defaad57f66391f284db48e0ff4300d
SHA1eeea2994304ed1932186a99228fffd202fb037c0
SHA2565b23a4d8d8b568b626de9464e6a981bf2427ee0a7e3f7abe38195e38a404b210
SHA512d1e5f252dfd3a164c7f18db8dc70d8cc04a42f673cfeb7f9730aa5b1877c269d5176e7340196611d6c1936ff4b49c2e5dcfb29f1356a5be05d143bd7ae32e300
-
Filesize
424KB
MD5d19e3bd15c6594a56d81d92831dadbd2
SHA199ba265f63c21cc992adb8a6d86c4cf3a4cb284d
SHA256ba1409d897af7db9224c5fa45cffdf6e38cb724ce08052f4aad34596e1d24458
SHA5128faaaa2142cdf0730965fd2c883980f88a0a4b0a05ac662950874ce48bf0de034a3e6d69a4a2fd8bf20a75a6c8b2e829b6ad033900f6c5c17f60dec643f4f16b
-
Filesize
532KB
-
Filesize
692KB
-
Filesize
532KB
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
532KB
-
Filesize
692KB
-
Filesize
532KB
-
Filesize
692KB
