Analysis
-
max time kernel
148s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-12-2024 11:15
General
-
Target
d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe
-
Size
388KB
-
MD5
d957a4ca07273763ed76ba4eedce60b2
-
SHA1
357b159b7404225fb9271bc5c6645a79d8706153
-
SHA256
ba45f2c559c3c2e0f76441928d967c31ad6b10ee3c65ada1bbd74ee8a0052dcb
-
SHA512
0b1cef4d07a43d504b2ca95c6fbfe18f7e89235db6d6a6551f9be73ab800e2126e47fe23233b77575d34a1b91b0af576f8cb14205fdb2fd2516986b4d5057ce7
-
SSDEEP
6144:XYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:XnSdO0iNEPn+TGOoYzwscMSOXUIJ
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+mvcmq.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/6773CF8A4C1F9AEB
http://kkd47eh4hdjshb5t.angortra.at/6773CF8A4C1F9AEB
http://ytrest84y5i456hghadefdsd.pontogrot.com/6773CF8A4C1F9AEB
http://xlowfznrg4wf7dli.ONION/6773CF8A4C1F9AEB
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (884) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d957a4ca07273763ed76ba4eedce60b2_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\unjsubluwdsi.exeC:\Windows\unjsubluwdsi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\unjsubluwdsi.exeC:\Windows\unjsubluwdsi.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf36246f8,0x7ffbf3624708,0x7ffbf36247186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12374014654135953149,7099912818622389210,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,12374014654135953149,7099912818622389210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,12374014654135953149,7099912818622389210,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12374014654135953149,7099912818622389210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12374014654135953149,7099912818622389210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12374014654135953149,7099912818622389210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12374014654135953149,7099912818622389210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12374014654135953149,7099912818622389210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12374014654135953149,7099912818622389210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12374014654135953149,7099912818622389210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12374014654135953149,7099912818622389210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\UNJSUB~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D957A4~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD5d869f66484edd882d4e5f713ce3b52a8
SHA1371b80071b7a50d313137ae5ad5a43074a2e26e6
SHA256fa8ad29503488aaeb6b4a3336ef1b22e857ed8b833b1b192a745b50fb781547b
SHA512ecac9b7a34198640b3cb8d8ae2eb7053b7d20de9a886a2bd56221881efbd4882de09810738533baaf74337b1d74dfb0fbfa1f6af6692bd8db49d9c2b525bd00d
-
Filesize
63KB
MD58802a783130e4f423ed57aeaf3162a16
SHA1059285ae13d689cfaab06f56c8e3e13f5f2f53af
SHA256ef98d58b58599e1f7ac286293a5098cb83c86d191878dbf8815b971f63ec05c5
SHA5127ba1ba54f58e80716fc262da41137a523f7b4a906630d48db95007e57a9e434446b82ddbcd8ae72df8566a680ddd23ddc5bb7f965c14d35ff7bd29d33a71220f
-
Filesize
1KB
MD5cda2dc2ba3cbebaa9da7ce5e896b0156
SHA149a15bc4b99d149b1219bf19966e9f933625a7c0
SHA25687f4acea9d6274bb78f8599fe4a4462449cce0782dc1ec05f693e17df4e79536
SHA5127245a153672712d4afe30696d449107cc26e942b8d5437e1362851b9b48ed9bc412ecfe45c78a5750bc2440a1c51102aa51d006b987959b947cc377c10fe679b
-
Filesize
560B
MD5718aa25f8fe496ea58fcf2517e00f3c3
SHA15a678037ee756a34fc28962dedf9d12b85688b3b
SHA2564021f44112d2ce0cd68de39df7888deeaa10ae59a59e74d9e659f7ed8d45d840
SHA5122d2c6b6eac1e50815ccb0b93af3aca378fc4797d43b72b9ecb21e588ed8cdc708a492d9d379288e2603ddfc4f336c3082400f68ec8b9443017877b15192e088b
-
Filesize
560B
MD5291cc9d2aa962afb793cc8b0391283a8
SHA1067634057f57645e17a16877c7a5dc44e0ab0816
SHA256c95e0b6d1a4f0ab9a8152397b0ba30a11526f22f43924bf2b4a575b873214ec8
SHA5122b9664206d82544feca9a0bd5c206874269d478c38ff4c850af9aeda54bf5e65611cbc5338bb6b3ae64e6491b46e63e633661c60c4ac82ea85b7440930112c73
-
Filesize
416B
MD549d78a5de0dc8d0e0c541e71a7365631
SHA1eb87b610800e2e448123964b71259ab99054c169
SHA2560d379ceaba5bee1fc91ea07d8d66776a4d2ade86fb75b337b0ba46f62382264e
SHA512264f21303908450d7f7119690b083ed4fa384c1bff0a349e3cd67d2072d8b7767083b3026ece635f69a55a5db41526bee65ee6ad09e3e021fef2450925486f4f
-
Filesize
152B
MD5a0486d6f8406d852dd805b66ff467692
SHA177ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
-
Filesize
152B
MD5dc058ebc0f8181946a312f0be99ed79c
SHA10c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA51236e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa
-
Filesize
5KB
MD579c859177c458f70aac2879e05392c5a
SHA15114710c866b9d55f35d3f42b4ea79cf4d926ff9
SHA256e2a64d177cd4fa60e64f6c3895893ee10c228bbf9666330920b852a13cf48174
SHA512eca79767a7f3a79fe46b208ff9c1813709a48c901edec4ff9346fdf22fad0f490f6d8e0cdcdc663f7d876b4eeb533450cebc1c0e40fd452cb5a1673d62e726ac
-
Filesize
6KB
MD5b5e115a874394e74bd4e7e44573e30fc
SHA14281521671a234c243c424c4e91ca090ca99e6a8
SHA2569bb42d2f6395fb461de6891931178597beca823db54cdd0dd335034c197c8fc1
SHA512ec7ef2ee2f3229b07f62e0c59dfa7b67147da58fa989ee07709fce647138fe7c7b13dfe35d8cedfea9f24a1fb5763ea1d5eee93755b9bda7479014f103b54f11
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD588b8e3bb5f63ad496a8ebeeef5da3ea2
SHA11d1efc29c31e5a8d55c1d619db6ea01bec9237f0
SHA256b65c7544360ded2c3a70b6943975eb71b32571f8c7babdd7f972b5aee82bc02c
SHA512775ed10e2f56996ff664b552aa7230c49a3630d2c7af1b991424133f03532eaa4f2372c6e6b9daed721a83df5e238e3f17099d9f675814d5a1620314095be65a
-
Filesize
77KB
MD54a5ec578ccab68488eaeb226b352674c
SHA1b7c4a1613691fee9eb53dc14d65f9b53c88e5686
SHA256181fb49bb38790c5217c17058435709af35756a46f09d491fb7f307913ce4b1f
SHA5126722d7a0532c2f3f06d02b29cf46e348d0e75965591cbb5cef2b6e7fde2f394b99624d38b408cde0211fe195bdbcd5521cdbdcf00a5344e334e2064ce1d3f2a4
-
Filesize
74KB
MD5c986e22ff42b8d98daa79b1a62eb5bb1
SHA1f30991518757935c53e8f4f59c559eedda43f041
SHA2569c2ad285cbe8e1d49942cd3fc850157f57b05ef1d0e7de22cda5b1f601398144
SHA512e2f5581541dfa483e01809ab063091b490e4199b575a32ea03f6b8d289404f4d2786e24d1eeeff59b06228728d9b5dd6af840de0e862fc7b19ec51e8f492e403
-
Filesize
388KB
MD5d957a4ca07273763ed76ba4eedce60b2
SHA1357b159b7404225fb9271bc5c6645a79d8706153
SHA256ba45f2c559c3c2e0f76441928d967c31ad6b10ee3c65ada1bbd74ee8a0052dcb
SHA5120b1cef4d07a43d504b2ca95c6fbfe18f7e89235db6d6a6551f9be73ab800e2126e47fe23233b77575d34a1b91b0af576f8cb14205fdb2fd2516986b4d5057ce7
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
4.4MB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
