Analysis
-
max time kernel
119s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
10-12-2024 20:49
General
-
Target
de6da54416ced336416b258d5e857d66_JaffaCakes118.exe
-
Size
336KB
-
MD5
de6da54416ced336416b258d5e857d66
-
SHA1
8a409c57dd33e03f70e2e583a9d4a31892316a14
-
SHA256
0dc6abd75029b2feb75b9aad880a69b165b1a07fc8b95e99b0d05ca2a415a418
-
SHA512
4e38b95ade98d984910e8c5902a896934c1e7d46814b5f02fc66581c2bda19068257f5b169cc56acabfa6c809ce21143e19de82caa1acf69610025960495c7b7
-
SSDEEP
6144:p1w0U6D6x4kyjf+g0uc2RTqWmx7Ikw9NShXvSmk2OpXaP/EBySkQ4:pi0Uu6ikyjcuk5y0hXaxpKkB
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+mipwo.txt
teslacrypt
http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E3F953277762E91F
http://tes543berda73i48fsdfsd.keratadze.at/E3F953277762E91F
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E3F953277762E91F
http://xlowfznrg4wf7dli.ONION/E3F953277762E91F
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Teslacrypt family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (407) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\de6da54416ced336416b258d5e857d66_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\de6da54416ced336416b258d5e857d66_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\de6da54416ced336416b258d5e857d66_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\de6da54416ced336416b258d5e857d66_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\hvlfermxddks.exeC:\Windows\hvlfermxddks.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\hvlfermxddks.exeC:\Windows\hvlfermxddks.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2228 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\HVLFER~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\DE6DA5~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5af98bf54c3b031349220870dcd6d5413
SHA15cf946f5c4bd6de21f423f998796aad73c9a494f
SHA256d534f068f1caa854ad345ee53e127f94162b8cf4238582b9ebe7f333eb49ccf3
SHA51257c882baba147dd0fb5811ad1938f64e865d8f3275da662fdb2e4639b0e5014609f9b7026cdb7566c615816ef803c12b52d44db2603bdd4e58ab40e5ee73fd20
-
Filesize
62KB
MD5e3c22e17970a2cf49d273be12f27432a
SHA1a51bc37f3c3886a28edd5565cd7459327583ed38
SHA256554638116d687439c15b6ad6b6a5da86e9ac16a50ac001ed6b5cfac60ab40cdd
SHA512b16de49bb4f0b6fa0e34e2f40a2aa9a770e13dc1ea59e3f04ffac87252403937024e862f264c6631006443ab6605f014158aa0079a611e8433da5ca78cb5fae1
-
Filesize
1KB
MD5f177315421dfcd13406365f8fa427e30
SHA156822ba83edf2a3255939a4e8243eb1a4c9ddede
SHA2563b566c0649cf8094baa97cae0b07909bb224fbe22e646a0d0e3e23cf776052f3
SHA512ef8fea482fd0d95dcd28545d6a3cd8ef1e5f00d1762a28114c3a35b65e53b29250e1441ff3572c799b576c7114b85a9cf86c2d403f9007016dbd6250902f3cf4
-
Filesize
11KB
MD5e876fc940f38d66f8070dc6610dbc50f
SHA1cdf6bb300d467d9fa62449ab34d32cda9f4e4c87
SHA25658cb9a18792bddba4214eca79c2bfa763fd022355ac3600b7ef8bb268df465bf
SHA512cd44cc666acce8d4eb264674f723450db45c023efa6d5dc2a24f5d15e4c7cb63c124208a7ab5009ad3e3c6f14f66444f4c3cd44e450f967282aff6eed5e00f26
-
Filesize
109KB
MD5235109d453584c4226ebb9335aa12adc
SHA1c5a7c9f95fd62a01850937ccd16e6decf0dbcec5
SHA2568d44266f38774e3c609e35fed24bf67e3493edad4d5d8acebe061581d690561e
SHA5125a9f27e49f66dc03697f73b95f26617e1a42fcd55fe884bcfc5a0f9b5057eba5d7188d7e4aaad231fe28fc8a0cbed99f4305508c079217a85a1d70f10285b4bb
-
Filesize
173KB
MD505b5770d05206bce18893b878a5fe4ef
SHA1ec5fcbbd069391386310a9d157fb2526cfc071f1
SHA256ccc4135f4f941ba2b8632fccaae23fc67abf6821db7655e888f7a39a738376e8
SHA5121ed11c1fcbdf41f41eb16a455fa2e11f9330481da6334eba5adb40244329c1d7c37ee0ceb7a3ce7cb26546f76c6b6f67ef14b53efb755831bf9e20ea8fe884f9
-
Filesize
342B
MD5d62fef09b7335cb7750ec429e78ed6bd
SHA102f88625e32be91673899b3b90b813c312c42be3
SHA2568a7978b677d8c24ee152d5dd989e198b07adb29d3531c433f6ea43f5c43dcf9d
SHA512d7fac4855dd69f91419a35833b26d5b1cce9d01e760ce407d2d3304004acdcd1a441fa34a9221e7ede855c6beca3097f9d12f3aed8e7777ac62a2bc55d8e8ee5
-
Filesize
342B
MD51878b822faa330b27bb4089ef3633ee8
SHA1071583f2bc0261d6245f8b2e5abad17255202c07
SHA2564fb4e86f119791a198b9456ad9de73991b75379f6daefcba732a0b80e1096734
SHA512a094653f643faa89dbfa4f3ab3490848b97f1e18d902b7fafa375a14ff79911d326a6fb0230ec44d28c17efa647a2e687961719509750a45dd2942afcc1aa78b
-
Filesize
342B
MD5409531c8d672f962b648976a95b5048f
SHA1f8a67079ab13834148b6a36e2aec4b3d69293424
SHA2560c8cd052f1d3fc8198fcd4b56925cbfb7586757ebc5f20cfaab60cd66362f008
SHA51232d6e872fe6ef16cc1b167bca5699f64b065ed50b574f8370f0c5253273f96be2b6c244863bf9c57b4455463484b03529972162680f7cb07585f1344971e60a4
-
Filesize
342B
MD538a803c8d4b45c455c11e7472d4f6672
SHA132e83ea58420dd2a9088bf75d0f7a0da1f54c9b5
SHA256666e11066138c0d53cd8c33ed7319d27bd8321c01ece1cdcc3db9a510a9b2410
SHA51261c9db4f3909d41c7c37e0ec8a60abf4ee726e0e06bcfb85f7daa819b0581a13799b1738b3ec6c11c45c7b05db9ae6e6dac69e72003a3048b92ee1d0d2664b85
-
Filesize
342B
MD5f6c54580577de4a9ac1b92a729ca8d2c
SHA187f258454d341af854d727ec5688a6d44422b228
SHA256ac7317710ded2880d03ca48209f92ab90c36b0897240c5da3204d6dd4fecf75a
SHA512a1431ea1781fc301adf7dffe9dfa23d2c4bb7914471b14b779856c08927fbf2e0277e05d45cf6ccb8725647ebf2aff8feaa2bda9b013fe134cd1b4f762aa934f
-
Filesize
342B
MD534090a316a542d330aae88f02ad7e33c
SHA17e06a7e948bc566eb494cb7da32cde48b6757d89
SHA256406b63c3a5df8746f294affd6060375bd2d819eb5298bccb0b426d8e72807e56
SHA512bada693e6af451ff5463b7dce90f4ac28536672558a75fb1d7bf64ae07439e6a9c30042ba5301879ff007bcb8035dff2493e878e0d461db1f2710f3598913649
-
Filesize
342B
MD5b52b5ff0b8828445757de676df8516b7
SHA118128829ee892edc58b7364a40bb78d28103fcec
SHA256fcfff6307686ef6fd974a1ca958db718e82b4404e2dbedfb2ef5e1d79d8cb300
SHA512fb35cd7faf5c987e2337dc2efb2c5f1e91582b23a84d854652225f2e92486f158d26968d553aa4afe27a088858c224ad49c88d16449ea13c72039a607acf3256
-
Filesize
342B
MD50e85213f12f483f094a5c7b447920102
SHA1a289623957a31359bfe49a74f5a99b4092df8abf
SHA2561c9bf917df5dc1e3e8668fa77d2766f5fb8b0ea89a23100a4e7f5cfab2027c8d
SHA51281ccabffe3806a2233f717c0dffcabdddbb82ca40a2ce684439c9caf32d4f7e800f1ca5d8b47ea1499dd945befbfabd99f09d2de21f82e1b948e4e32aebf90ea
-
Filesize
342B
MD5622d8b706eb9e1ada0188e115ab713a3
SHA133e99211349adcfbd3e741c43ccea99dffc7fc5e
SHA2569c456794ca29b0a5fc951da1184e62d757c8d449ba0b9e6c5f8fd2e732d3078c
SHA512ce11667149208ca2a9617f9185b2fe70e8c23a192ad495354dc141c9e0db760b593db941ef8b0f25866fcb787cbe5762c306cd279afd2de802800cff40fe3362
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
336KB
MD5de6da54416ced336416b258d5e857d66
SHA18a409c57dd33e03f70e2e583a9d4a31892316a14
SHA2560dc6abd75029b2feb75b9aad880a69b165b1a07fc8b95e99b0d05ca2a415a418
SHA5124e38b95ade98d984910e8c5902a896934c1e7d46814b5f02fc66581c2bda19068257f5b169cc56acabfa6c809ce21143e19de82caa1acf69610025960495c7b7
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
4KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
8KB
-
Filesize
532KB
-
Filesize
3.3MB
