Resubmissions

30-04-2024 05:29

240430-f6xncade75 10

11-04-2024 13:06

240411-qb4taafb9w 10

11-04-2024 12:33

240411-pq9seaeg2z 10

Analysis

  • max time kernel
    439s
  • max time network
    1161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-04-2024 13:06

General

  • Target

    ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll

  • Size

    56KB

  • MD5

    ed6e7169456ef1f41f6a45812dda7d98

  • SHA1

    c82733e2d394b272db6cbf49aa8a1207c8d9fb87

  • SHA256

    85b53edb2e3476bdb29f98bd19c56baa0205e6620917e654cbe81c9745d6193d

  • SHA512

    0e7d3dbe68de4301501df68b1eeb36bf68ca3ea61091710352f68f09f8f9b8b96888ccb2419330b2fbd7b592bd98b583aaea818345c87d591b9b0a96845b8d87

  • SSDEEP

    768:65h+QW4yKs5INTjabOSQwrPG12nFb5GnVWs6k:63XWNKQ2jnSQyNnFbgN

Score
10/10

Malware Config

Signatures

  • MountLocker Ransomware

    Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v13

Discovery

  • Query Registry (T1012)
    1
  • Peripheral Device Discovery (T1120)
    1
  • System Information Discovery (T1082)
    1

Downloads

  • C:\Recovery\WindowsRE\RecoveryManual.html
    Filesize

    2KB

    MD5

    59abc02f56079701be867faa7d8b248a

    SHA1

    df3c0773e44f091e9da442e2df6afb5c143b238e

    SHA256

    aef108a215d5d14845c893b685a50bdff740be593660d10396894ec5a30e3a60

    SHA512

    756d9296b57661143ca5950ba96dec6099cdfb79dd7f52f9368d42affa13058c0830af2ff5ef3b8589a9d411502eb0a3590ff6450fe65fe1a3e5a04652785629