Analysis
-
max time kernel
140s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 17:02
General
-
Target
d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe
-
Size
424KB
-
MD5
d818966749acd83dc9fa5d73d5a47f2e
-
SHA1
4c3a30cd2c8c396ff90aa4ebcba63d89a9cfce50
-
SHA256
4a015db95a1e6db8123e4b21dfe56e34fabf570261b6d2a0a11c0abb282a3363
-
SHA512
1fde3f7a05b877184a4676db15e6c4ae6efb8847dacb4226887b9f67097996e0533e2eb7b7aab11d3cbe902f8abc7b75ab4981e2b4cd115051c4a89d2d9fc446
-
SSDEEP
6144:BsPAYJDo2magV+8GUEmGM41DwAHQmjdN1AUL0yogLpWPoXbftChXW3AxfulDGgB:ep808fEmLqDwAJjpA+E+blCJxfS6
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_RECoVERY_+bkkla.txt
teslacrypt
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/B6259594299A48D2
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/B6259594299A48D2
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/B6259594299A48D2
http://xlowfznrg4wf7dli.ONION/B6259594299A48D2
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (873) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d818966749acd83dc9fa5d73d5a47f2e_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\onyqeknrtavl.exeC:\Windows\onyqeknrtavl.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbab9e46f8,0x7ffbab9e4708,0x7ffbab9e47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,9639941618621450764,17778136690278525281,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,9639941618621450764,17778136690278525281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,9639941618621450764,17778136690278525281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9639941618621450764,17778136690278525281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9639941618621450764,17778136690278525281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9639941618621450764,17778136690278525281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,9639941618621450764,17778136690278525281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9639941618621450764,17778136690278525281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9639941618621450764,17778136690278525281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9639941618621450764,17778136690278525281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,9639941618621450764,17778136690278525281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:14⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\ONYQEK~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D81896~1.EXE2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5300b772e7d094c8d08b4c3d335590571
SHA1513317b5ffb2b4c165115ae0948cb184626766c5
SHA256880689afa68b8c54507b3abe6af487b595a4f167916b83ec47863c0e02dffdeb
SHA5127d3f7d07dd02fa9ab7c556a6b70f9544ce142c14873fae65b6f57b405397a3f5bfb8967bc2f5e06b3eec8f324ccbbb2c54400f3aeacff041dae9035c4afce726
-
Filesize
64KB
MD5792964f9f717454e16906ace63db972d
SHA1e50cfe6e6c72f0a4cc8bae3740dc67184ca82624
SHA256498d90ddd7e84fae4976d64597b565d25c74890571a99e2f10869708575f9b9d
SHA512035947a473a955a57abada84c0fcdf85d452260d1fdc6e7512710f8454a3b49a8858b316b718e8b76337b7c9f10cdb371516efd73e75329f7ad8d110cd7a6ffb
-
Filesize
1KB
MD56c6fb781bfab86f19ec662f1afcb7da3
SHA19db1aadb2e2ee62557b3cb2a2d5ba3b89ee36176
SHA2566be6c375bc65361934b91202fe8bcdb27023f5607fb5044a4a2e4c35227473f7
SHA51285258e23459048669d74585c9a0314a6be9e9fd3305b87e54ea7724e7992c904192293d8f6f3a736fa1d819faf79ffc036c38a60f5a7036a4fb0d861a77ea98b
-
Filesize
560B
MD5f7d2d7c21a8404732f5695d4fda77795
SHA1cdef187d3b6f121d8bbe8b772e9f19fee1dd39a1
SHA2564f7da352dcc2fa0936347a5d8585f505ce7bf7080923496a9c009e371483a7e1
SHA51295ca1505ae270c9c1fc493d49585424252504234a53e077e66afeab1ddba18d5ceff76a8fb74c52684ca3b9f2843b0f68c34024df09fd72665ac05cbf11eab32
-
Filesize
560B
MD5bb03c8647c27ec5d87ff57e0c6f6dc71
SHA1888c0b0c1931de870329bcaa0d45f75e3c3b9fb2
SHA256c03ad78193e7f180e894d4df0a5f71150ff13121e39d11584a858dff35862c3c
SHA512a67480b45e014df7770898b86940e7c2c2405d0607d2678b5cd3b855d65a1183c2476698809f7ef1781ac1a82c8660c3ee1f49f3da2b7616f143a1cbdd60ff8f
-
Filesize
416B
MD5e13b61ea26b6ecf161a1794b5c8b4a6e
SHA1d516fa727eef8d3f6481cf10d5cacc13df9189d3
SHA256ece15afdff0a053ff722292d1613511b1e6e8995a0abbef341fc724834ffa66b
SHA512051bdab0a4eeee5d797715a43569993f750c854db0af48f894ecc865ff8821168608e213315660f21f68b6e4cf8c0254681470f81c0502dc85735d54b3cb24e3
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
5KB
MD5ef146d62d0e29f2158a75e6fc84c61e9
SHA1b5bab3d7861d6c02ecc815b2424a3cec5bca9287
SHA25609f8caf10aa3f767ba02cad27ae2123296a6b64ee1450c29a4261438d2d33f99
SHA5127d1145a61009620144f36840132522d4cd9d0781b367cc6b7aa860bd19c76287852f5e9f915b38a6cf7ae6a1800ede51f3a277ce8b274a761ba198afd0298456
-
Filesize
6KB
MD5ddf402850a36ec9e5a60ab43c1a20e6c
SHA151efe7e93a889bd0c3f118c21a745305d534602b
SHA2563bd2c7344f95e1d9435520e8213693a9a5e56ae5b1772aa2ecf21bd675142cbf
SHA5127580bfebd884aabfe3e701527b7456de8ef1321bd32f366e9dfcecd9fc23f78110740bfcf8147e3f1832f1de9b170ccf3ab8e2cb8f0d3674ffcb06bbe59d8878
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD591d8095075f31a47a58cd02c7068756e
SHA196999eba042d956616f4438089d0c5d066259890
SHA256b628f6ad871d51d8d05228afd733b5411c1ecd1e5092ca34866dc5efd31b0459
SHA512dd8151d0b56c0ae4b61679108cb7bcc8eeba674987d37d2cb7bb4783d52425341c4d8d843f7afbe5f568dc740ebe11711d6f24a2317dc910f108367d37c9049b
-
Filesize
77KB
MD554a1443406e464bc671518b0f3abe427
SHA1c90ae8871a493d8f12bba9fa6a86f9229e568e15
SHA256ef4d48f101c29fca8d9efb18bffedd423dccd58321e337c3c12c9fcb66ad2775
SHA512dc0723ab9abef5767448ae36b1e7a17b5537c957c0bb416d19c4623d83282d1f64530cbc406bd20217d6ae62dba4aa8a1834269e2f1a1ac7cf577a0f4a2ee414
-
Filesize
47KB
MD595befab7951770b983b76e81cedb31d3
SHA1ece6fe77b1000e68be901574955ac8d956be5f8a
SHA2565567c2ce5686dfd593da84dae69de025c2c36b57e55ebb90086c19b4151e80cf
SHA51219e115c7b729e012588bf6d76372dd1c213ac6a1dcb154fd7a21561f71a16288ebace9a00df11a6f5f73d44a4fc860b90c19853f396bb322292d40a603897d05
-
Filesize
74KB
MD5d8dd12b8311f0d5e273ba73ac026f962
SHA19a5fd2e9532cbe4c98f5d2fbe08a4ef481b9c13e
SHA256e33cca281c4d67889b673813ed3c0123e55f9c16fdec2e4054dc7577f0207c4f
SHA512ea95ae1de9a631560cea0b4f8c6cc79bee12f93646518411c98f9ab13f7946e96065dc460629ace1e15043b3dba720f1f1156bcf2e137cf47520e63085792d48
-
Filesize
424KB
MD5d818966749acd83dc9fa5d73d5a47f2e
SHA14c3a30cd2c8c396ff90aa4ebcba63d89a9cfce50
SHA2564a015db95a1e6db8123e4b21dfe56e34fabf570261b6d2a0a11c0abb282a3363
SHA5121fde3f7a05b877184a4676db15e6c4ae6efb8847dacb4226887b9f67097996e0533e2eb7b7aab11d3cbe902f8abc7b75ab4981e2b4cd115051c4a89d2d9fc446
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
692KB
-
Filesize
692KB
