Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 08:24
Static task: static1
Behavioral task: behavioral1
  Sample: b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
Size: 208KB
MD5: b28e0a994aec0fed8a429852f5f96b69
SHA1: ae83fb72418e9ab22722b9ece02f93860b4ffc6c
SHA256: 3d6b4312947a3a0f76abd8981c5452dfd26aadaa109d3e200d987f8e903d5ab0
SHA512: a9031899f7cea9153e9fa3442bfbfd001cd157347828ebcc0dace421f4571464bffac582522b3aecc0297925ec01d6ee4f208cf679ae5987a584ac583db9ac2f
SSDEEP: 3072:DtUPpLY+c7SbgeD6gvxz+EWVAJ0mFoO6SS13P8M4yk1pE1c2i0iB:EW+c2kUPvFoOW30FpEjPiB
Malware Config
Extracted
  Path: F:\$RECYCLE.BIN\S-1-5-21-3169499791-3545231813-3156325206-1000\KRAB-DECRYPT.txt
  URL: http://gandcrabmfe6mnef.onion/5d81df479fa4965
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (262) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
- Drops startup file (2 IoCs)
  Processes: b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\9fa4e889fa4965718.lock | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  description | ioc | process
  File opened (read-only) | \??\X: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\Y: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\M: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\O: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\T: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\L: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\S: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\Z: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\B: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\J: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\K: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\R: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\U: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\W: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\H: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\P: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\Q: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\I: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\N: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\V: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\A: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\E: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened (read-only) | \??\G: | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
- Drops file in Program Files directory (16 IoCs)
  Processes: b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Program Files (x86)\9fa4e889fa4965718.lock | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\ClearOptimize.ttc | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\InstallShow.wmf | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\PublishRestart.wm | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\StepConvertTo.i64 | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File created | C:\Program Files\KRAB-DECRYPT.txt | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File created | C:\Program Files\9fa4e889fa4965718.lock | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File created | C:\Program Files (x86)\KRAB-DECRYPT.txt | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\DenyConfirm.vdx | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\GetInitialize.xla | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\ResumeConnect.TS | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\RevokeConvert.nfo | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\CompressCopy.vst | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\ReadBackup.ods | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\RestartEnter.mp3 | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  File opened for modification | C:\Program Files\ResumeSwitch.docx | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  pid | process
  4620 | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  4620 | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  4620 | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  4620 | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: wmic.exe, vssvc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 608 | wmic.exe
  Token: SeSecurityPrivilege | 608 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 608 | wmic.exe
  Token: SeLoadDriverPrivilege | 608 | wmic.exe
  Token: SeSystemProfilePrivilege | 608 | wmic.exe
  Token: SeSystemtimePrivilege | 608 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 608 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 608 | wmic.exe
  Token: SeCreatePagefilePrivilege | 608 | wmic.exe
  Token: SeBackupPrivilege | 608 | wmic.exe
  Token: SeRestorePrivilege | 608 | wmic.exe
  Token: SeShutdownPrivilege | 608 | wmic.exe
  Token: SeDebugPrivilege | 608 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 608 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 608 | wmic.exe
  Token: SeUndockPrivilege | 608 | wmic.exe
  Token: SeManageVolumePrivilege | 608 | wmic.exe
  Token: 33 | 608 | wmic.exe
  Token: 34 | 608 | wmic.exe
  Token: 35 | 608 | wmic.exe
  Token: 36 | 608 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 608 | wmic.exe
  Token: SeSecurityPrivilege | 608 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 608 | wmic.exe
  Token: SeLoadDriverPrivilege | 608 | wmic.exe
  Token: SeSystemProfilePrivilege | 608 | wmic.exe
  Token: SeSystemtimePrivilege | 608 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 608 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 608 | wmic.exe
  Token: SeCreatePagefilePrivilege | 608 | wmic.exe
  Token: SeBackupPrivilege | 608 | wmic.exe
  Token: SeRestorePrivilege | 608 | wmic.exe
  Token: SeShutdownPrivilege | 608 | wmic.exe
  Token: SeDebugPrivilege | 608 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 608 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 608 | wmic.exe
  Token: SeUndockPrivilege | 608 | wmic.exe
  Token: SeManageVolumePrivilege | 608 | wmic.exe
  Token: 33 | 608 | wmic.exe
  Token: 34 | 608 | wmic.exe
  Token: 35 | 608 | wmic.exe
  Token: 36 | 608 | wmic.exe
  Token: SeBackupPrivilege | 4848 | vssvc.exe
  Token: SeRestorePrivilege | 4848 | vssvc.exe
  Token: SeAuditPrivilege | 4848 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe
  description | pid | process | target process
  PID 4620 wrote to memory of 608 | 4620 | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe | wmic.exe
  PID 4620 wrote to memory of 608 | 4620 | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe | wmic.exe
  PID 4620 wrote to memory of 608 | 4620 | b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe | wmic.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b28e0a994aec0fed8a429852f5f96b69_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe (depth 2)
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- F:\$RECYCLE.BIN\S-1-5-21-3169499791-3545231813-3156325206-1000\KRAB-DECRYPT.txt
  Filesize: 8KB
  MD5: 7994d7fa9fb7e3612d9f2d8e3e85cb37
  SHA1: 84d95777e4a921ff582bbb9bb7db850546212e50
  SHA256: 38529596980b0ce3d1237984cfe1bafff9b104d138bb2d169232c62e6250c8fe
  SHA512: c8a051eca4f6c967c1471466332b02a8afaf99422b97a632118220f8107df92acf6d8162efea5ee22e0345c2aedbad3ab0a6a0516ef1a28d69a46bb6c12d66f4
- memory/4620-1-0x0000000000640000-0x0000000000740000-memory.dmp
  Filesize: 1024KB
- memory/4620-2-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB
- memory/4620-690-0x0000000000400000-0x000000000047F000-memory.dmp
  Filesize: 508KB
- memory/4620-691-0x0000000000400000-0x000000000047F000-memory.dmp
  Filesize: 508KB
- memory/4620-692-0x0000000000640000-0x0000000000740000-memory.dmp
  Filesize: 1024KB
- memory/4620-693-0x0000000000400000-0x0000000000426000-memory.dmp
  Filesize: 152KB