Overview

overview

10

Static

static

3

JaffaCakes...be.exe

windows7-x64

10

JaffaCakes...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_f75e92b4cf12745c63966bb50c82e4be.exe

  • Size

    921KB

  • MD5

    f75e92b4cf12745c63966bb50c82e4be

  • SHA1

    e58678781548262b653b34bbf3f55339d53f28cb

  • SHA256

    a1b504b8e34200d8029f6d75491d517e460162cb9df438257ee4ed85f61c18bc

  • SHA512

    2d66d1868e44956c00593d7d19d70b14475571dcd9b5eee9d15ac4fa3d473ce3a05c598c57ea31707b4deaa3469ed046b85f4e9c3f04430e652eda4d6a4f6038

  • SSDEEP

    24576:SnkXEg1ZlhKG+WWZtCpDCE5Ie534SCeTpOl13lHlI:SkXEg1ZlIzZtCpGE5j5oSHOlxRlI

Score
10/10
avoslockerdiscoveryexecutionransomware

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt

Ransom Note
AvosLocker Attention! Your systems have been encrypted, and your confidential documents were downloaded. In order to restore your data, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner have their data leaked in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Additional notes from attackers responsible: Hello, All your data in the company is encrypted and your important company data is backed up. I do not need money, I receive payments from many companies every day and I deal with the encryption of many companies every day. More important than money is time for me. For this reason, I have time to inflate the number and bargain like other friends who do this business. The offer I have made for your company is very reasonable and not a big deal for you. If you do not pay, the data of the company that we have backed up after 7 days will be shared publicly on the internet and you will not be able to recover any of your encrypted data. Your ID: 8c7a9b681dfa1b2b87ea459caddf2adf9413dc76664fb74063fb264116897023
URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Signatures

  • Avoslocker Ransomware

    Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.

    ransomwareavoslocker
  • Avoslocker family
    avoslocker
  • Renames multiple (168) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f75e92b4cf12745c63966bb50c82e4be.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f75e92b4cf12745c63966bb50c82e4be.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$a = [System.IO.File]::ReadAllText(\"F:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\581324137.png /f
        3⤵
        • Sets desktop wallpaper using registry
        • System Location Discovery: System Language Discovery
        PID:544
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" user32.dll UpdatePerUserSystemParameters 0 False
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt
    Filesize

    1KB

    MD5

    9cd17876488bd2c2b81b965620b9aa14

    SHA1

    f5305680ebd56c1eebc1797c6a7ce93117c3423c

    SHA256

    08152eb79c4f4b16badb06fe231da164570b62999357c8da8659e6d024f11127

    SHA512

    7eea1d69e706ef86c0d2343630bc3553b2d5418523d2e4aabcc66d1c0ea3754351ed4c0ab6c185eabbd313f5333d56182c0a9e873aa05b1c5e514e9a3dfceb8d

    Download Submit

  • memory/1536-415-0x0000000073C41000-0x0000000073C42000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1536-416-0x0000000073C40000-0x00000000741EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1536-418-0x0000000073C40000-0x00000000741EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1536-417-0x0000000073C40000-0x00000000741EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1536-419-0x0000000073C40000-0x00000000741EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1536-422-0x0000000073C40000-0x00000000741EB000-memory.dmp

    Filesize

    5.7MB

    Download