Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-12-2024 11:25
General
-
Target
d96103542ad88b7dd63633e1402d004d_JaffaCakes118.exe
-
Size
368KB
-
MD5
d96103542ad88b7dd63633e1402d004d
-
SHA1
f139d0cdf959da734adb8218bb9ab1070589f0ba
-
SHA256
73da1b9b157a7d2ae3a21c90a114ca7251c32545511a38a3e92b777e59009c45
-
SHA512
c39095411c803ffe51d7adc67b5ac31897fad8914c3c09ea53fee4c3123ac3655dec98af425db093405b079a81aa97e2e5f6a2dc8061a5c812347d2a476753bb
-
SSDEEP
6144:oL9rKjvNvkH1sGf7L4JZ9oL+5b/OcGBJL8dxjHtgWECmCTPqsUPpII:5jo1sWUCL+5b/DGHL8bjHtgWL1TPqsiC
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+pskth.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/E7EF1E76865BF565
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/E7EF1E76865BF565
http://yyre45dbvn2nhbefbmh.begumvelic.at/E7EF1E76865BF565
http://xlowfznrg4wf7dli.ONION/E7EF1E76865BF565
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (859) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d96103542ad88b7dd63633e1402d004d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d96103542ad88b7dd63633e1402d004d_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d96103542ad88b7dd63633e1402d004d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d96103542ad88b7dd63633e1402d004d_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\tceklrmftfdx.exeC:\Windows\tceklrmftfdx.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\tceklrmftfdx.exeC:\Windows\tceklrmftfdx.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe57da46f8,0x7ffe57da4708,0x7ffe57da47186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,10628069311439877388,5681712931163606414,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,10628069311439877388,5681712931163606414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,10628069311439877388,5681712931163606414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10628069311439877388,5681712931163606414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10628069311439877388,5681712931163606414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,10628069311439877388,5681712931163606414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,10628069311439877388,5681712931163606414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10628069311439877388,5681712931163606414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10628069311439877388,5681712931163606414,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10628069311439877388,5681712931163606414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10628069311439877388,5681712931163606414,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:16⤵
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TCEKLR~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\D96103~1.EXE3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD52f2d678dbd11af87a3d6845dc0f41a58
SHA16b5c3bc61acdc192ab366835c5c222e0964b29b2
SHA25653b0f6173b40e7185468499c22b727d961845a6622a82f9ed86d257a1ec15325
SHA512692cd471b08eb8f94e106c380c6220653fffe5c66237df7143922d38379493b2d83fb98858477e5a6e6a4405205e6c187e7220e9913eb48a301afae4f4957d1f
-
Filesize
63KB
MD5a42771d7b9f737ffe2944b08b2635fe2
SHA1a426e224103455533a6cb9d525b88be2af68e1f9
SHA25616641be90e7f59e78d9450426e7143b7d249ad1e65e7d5daed441c3d0a7999b8
SHA512e714aa64eea58d17e883022bd0d53b956b68b4fc9703c770d59e1851f6bd23c0a681ad00c35facb9142d1215702044e31c2c9774ddc37bef8dfc2b2ca36ccc73
-
Filesize
1KB
MD5c8ab2b0ec8b212d5836bb020ae26a70b
SHA1bf332fff2ac4d13ea12fdf4d40a86794e5e2dd8a
SHA256c7a7cc43b9dfa50fed8e11fedea1e71bd8b55c75cebe2840ef918dddb2cfdc9c
SHA51247fc3fe6fc1281281e474709053dc3bb1abcdb4f2f030617527558922957cd0ad87052c91dc6463fad7944e82ef3d2fa72022107a3dce930d692cfd0ebb874a0
-
Filesize
560B
MD5d16c001810e34882eee1edacad2425cb
SHA13697aea012962f42b72e4ee114f1d34733fbf746
SHA256480d8b369b7296a4f249471235cc64759f9a89a82a5891b1a02268cc059c7463
SHA5126a6acdaad24fbf21afbfdf4ce1c906b731f4bf63554530a28de3bfe004cbc8710dadb283109cdbe26cb7cdb08d2c469833d71e7508cab0a8e9e80c0d7bd1ba31
-
Filesize
560B
MD544614ac743be320051756e7885831434
SHA1812aeff6166e2a50bf20e0d4ffba30ef644ada64
SHA256ab858222f909d1bde3a10b2c12384fde259ef2eb109c502cff4b6a2aa204b5f8
SHA5126acb001212b515246047275dda2b5f6e5d18ae5090d27ed4c70b442b64ca4aecf26385a0b37252ab1ba5d62d1b6af452d5103baa25f1fd6476e02915b6c0e004
-
Filesize
416B
MD56c4b527f4c9d7b040e2c17e0ab25206a
SHA15f7cdde4d167768ac466770d353929458629d918
SHA25669bd810502756a095fd3de5ba1f281cc6aa4ac70f4ff09ff85d223680f953c6c
SHA51258ac806dddc9f5c2cd690cafa1cd0603ff0f46c54449a578d2a4d9b256286923567581c2641685867a6695be8ea135b6e841e0a1047efa5db277b60c5ec18919
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
5KB
MD5b09b7b2db90d7b9b959528f6df960ee4
SHA14de66ff54acb728bb463313bd20c85fc80928de4
SHA256d1240dee9e5e7dc2e53430ee49746c04090a4164c22a4df004accd1fc434d649
SHA512c03c06ae9de672a890dda30d9331b67138cd0170bc777995295babb1615244d023a154a21886a415e95dc7beb81de38848fe426a7a148f8df2aa3d497b2b2118
-
Filesize
6KB
MD5b160f9891415e167378b035a27d5e488
SHA1c25bd203a678e70edc695f11b9e1ed13626b0977
SHA256e1617074756085f8b8a558d2d063597feafe07a65f23dd1631443df41ee24465
SHA51275bf8fec059645bec5702be989baba8ae1ba3de51e5bcccae268836ba27d85c753f7dc0c713c42a5f1a400dc6e62592573e6e6d796e281258239ea7658a2cc8a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5fcbd077f20ef91780c6193d83a095c71
SHA128461cafa2742c2c9060617f8c40a67def56c308
SHA2561960b96041755744789ccfddd6293a28989a5f8c07e5d9d3caa6d5f217f4aaed
SHA512cbc80b87a1119a5b0b94b0ca7159e3d92726ece75d75fd906b16cb6f943c7ee14ee2c9afe173f926bbb05c02af55ce5950a781aca0d4a9b0c0cf8a2a8f1ba001
-
Filesize
77KB
MD5f200cf849a6084f8ac0fa76c938a5c00
SHA16579ec1d5a52d286f746e56e71551e7084605c98
SHA2561cedddecbf3d74b6455f98c04cb8475cbcb5db72047aeaeb2e25e114ce2b29a1
SHA5125587ec142328cbac419c4adfbc1693f0c0af86bfb479b5d2b37e3d4efa1416082f6ee45a725e13ef699636a2fc8703c6296a653fc7934451130be6cee8251158
-
Filesize
47KB
MD53565904329437b51e625bec8f06f7ccf
SHA19c00545f8f20d8c67572722e6248bc38a296d6dd
SHA256bedd27ac2c65ecb2dd0624af40fec4ab11dd41b879af333a32ee2a8d6652f8e0
SHA512bf33061a3952e73339dbe52bfe37f050995e5996ab4d34fc6fffe8d3184ce7c2a0f3ac7b1bdaf0ecd5dc8f2c736f99e0d8579305b64b377d36cd72fcb028013e
-
Filesize
74KB
MD51195fce2fb08144994908d6947f7761b
SHA139ff2c06865bd9fa7bfc75b6731d869d62573c20
SHA25693e075b691e944a6cd9a6fc26e76a76bcabdc6a4f2dd44bb8214b16f4051a773
SHA512aaad30b6d26d269affe05ee36311cbd7c5c6a2ebd7f93c211a7e303edf1e2fde97068a3ee6b0521496720c7cd5fe5fe5161c840e143c5fc98e63b60ece93bd4f
-
Filesize
368KB
MD5d96103542ad88b7dd63633e1402d004d
SHA1f139d0cdf959da734adb8218bb9ab1070589f0ba
SHA25673da1b9b157a7d2ae3a21c90a114ca7251c32545511a38a3e92b777e59009c45
SHA512c39095411c803ffe51d7adc67b5ac31897fad8914c3c09ea53fee4c3123ac3655dec98af425db093405b079a81aa97e2e5f6a2dc8061a5c812347d2a476753bb
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
904KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
