Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-06-2024 06:09
Static task: static1
Behavioral task: behavioral1
  Sample: bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe
- Size: 956KB
- MD5: bb0ec4dcd82c36030e90c35f2befc98b
- SHA1: 2301873031d36f4c43b829a89d11d330748e8d08
- SHA256: 2862a518501814114385ad07ab0b982c4da1ea665afc4a229649dd76f2881205
- SHA512: cb2f35405047e55cbcf6294eb181eef41aba523c5f250f41e513b131db753cda89a410742ea24b703b110b0124006b25fb4aa2a082351e8e5d30a416e2751d10
- SSDEEP: 12288:YfrJu/17ACSq+4I6md1AxLisPgNysw8q8eku9e93888888888888W8888888888n:u8/1Mlt1CJiyiSV9f
Malware Config
Extracted from: F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\UKPEKOLFEL-DECRYPT.txt
URL: http://gandcrabmfe6mnef.onion/fa9a721eb3b3c11f
Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (259) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe
Drops startup file (2 IoCs)
Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\UKPEKOLFEL-DECRYPT.txt | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\b3b3c6f2b3b3c11f51a.lock | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | ioc), all by bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe:
  File opened (read-only) | \??\A: \??\E: \??\I: \??\K: \??\L: \??\O: \??\R: \??\H: \??\J: \??\Q: \??\V: \??\Z: \??\G: \??\N: \??\T: \??\U: \??\X: \??\B: \??\M: \??\P: \??\S: \??\W: \??\Y:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe
Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
  PID 1976 set thread context of 3960 | 1976 | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe
Drops file in Program Files directory (16 IoCs)
Processes (description | ioc), all by bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe:
  File opened for modification | C:\Program Files\CompleteNew.asf
  File opened for modification | C:\Program Files\CompressSet.zip
  File opened for modification | C:\Program Files\SkipSplit.bmp
  File opened for modification | C:\Program Files\StopRename.wax
  File opened for modification | C:\Program Files\WriteExit.jfif
  File created | C:\Program Files (x86)\b3b3c6f2b3b3c11f51a.lock
  File created | C:\Program Files\b3b3c6f2b3b3c11f51a.lock
  File opened for modification | C:\Program Files\CopySwitch.png
  File opened for modification | C:\Program Files\GetRead.vsw
  File opened for modification | C:\Program Files\OpenSend.ppt
  File opened for modification | C:\Program Files\SearchWait.mhtml
  File created | C:\Program Files\UKPEKOLFEL-DECRYPT.txt
  File opened for modification | C:\Program Files\ClearUndo.WTV
  File created | C:\Program Files (x86)\UKPEKOLFEL-DECRYPT.txt
  File opened for modification | C:\Program Files\DisableLock.avi
  File opened for modification | C:\Program Files\WaitEdit.jpeg
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc), all by bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe:
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Delays execution with timeout.exe (1 IoC)
Processes (pid | process):
  868 | timeout.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid | process):
  3960 | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe (recorded 4 times)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes (pid | process | tokens):
  1976 | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe | SeDebugPrivilege
  4988 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 tokens is recorded twice)
  2936 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description | pid | process | target process):
  PID 1976 wrote to memory of 3960 | 1976 | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe (recorded 10 times)
  PID 3960 wrote to memory of 4988 | 3960 | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe | wmic.exe (recorded 3 times)
  PID 3960 wrote to memory of 1424 | 3960 | bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe | cmd.exe (recorded 3 times)
  PID 1424 wrote to memory of 868 | 1424 | cmd.exe | timeout.exe (recorded 3 times)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; PIDs taken from the IoC tables above)

Depth 1: C:\Users\Admin\AppData\Local\Temp\bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe (PID 1976)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe (PID 3960, child of 1976)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops startup file
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\wbem\wmic.exe (PID 4988, child of 3960)
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Windows\SysWOW64\cmd.exe (PID 1424, child of 3960)
      Command line: "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\Admin\AppData\Local\Temp\bb0ec4dcd82c36030e90c35f2befc98b_JaffaCakes118.exe" /f /q
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\timeout.exe (PID 868, child of 1424)
        Command line: timeout -c 5
        - Delays execution with timeout.exe

Depth 1: C:\Windows\system32\vssvc.exe (PID 2936)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\UKPEKOLFEL-DECRYPT.txt
  Filesize: 8KB
  MD5: 82e34baf2b4e19c737ba6ece48ce9c5e
  SHA1: c49066978f701452bfb836655bc07149eb0138e2
  SHA256: 82815fcd67be216372ac68a79e4db0447baaf9c889012be98672e671940bf633
  SHA512: 2fe7cbf7e6f70cb511aa88a306b8f6f871ff284a7eab2a05ca7e77a8c7ba6699c818e69ec1696805510b6738134e20e43f610abefd8bdfdb35c851e946f87b74
Memory dumps (file | filesize):
  memory/1976-15-0x00000000747C0000-0x0000000074F70000-memory.dmp | 7.7MB
  memory/1976-1-0x0000000000C50000-0x0000000000D40000-memory.dmp | 960KB
  memory/1976-2-0x00000000056A0000-0x0000000005732000-memory.dmp | 584KB
  memory/1976-3-0x0000000005DA0000-0x0000000006344000-memory.dmp | 5.6MB
  memory/1976-4-0x0000000005650000-0x000000000566E000-memory.dmp | 120KB
  memory/1976-5-0x0000000005810000-0x000000000581A000-memory.dmp | 40KB
  memory/1976-6-0x00000000747C0000-0x0000000074F70000-memory.dmp | 7.7MB
  memory/1976-7-0x00000000747CE000-0x00000000747CF000-memory.dmp | 4KB
  memory/1976-8-0x00000000747C0000-0x0000000074F70000-memory.dmp | 7.7MB
  memory/1976-9-0x0000000001500000-0x000000000159C000-memory.dmp | 624KB
  memory/1976-0-0x00000000747CE000-0x00000000747CF000-memory.dmp | 4KB
  memory/3960-10-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
  memory/3960-14-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
  memory/3960-12-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
  memory/3960-16-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
  memory/3960-11-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
  memory/3960-693-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
  memory/3960-696-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
  memory/3960-697-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB