Analysis
- max time kernel: 141s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-06-2024 11:17
Behavioral task: behavioral1
- Sample: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
- Size: 168KB
- MD5: 01def9f56c9af2d97800d7366551a2f1
- SHA1: 3845b36222249023360100a1b3a6f40dfd165321
- SHA256: 4a9dad6192998bba2047afd0edcde14f7d81a3171e639cac7d30615ae6b9d8a3
- SHA512: aa2bcddc092d1d556d04b6aaaeb5dce91cb9536cc3cf420fcf2169dc603a132c72f870df13cb02e2dd8f788900995146ac1944100ed50d2803412728cbe32697
- SSDEEP: 3072:tgk9+8F/zGO4O9AFracIaDa2HtvudUYJDjnxk0RVikMbqT:Ce2eIG7aDa21e3tVi3C
Malware Config
- Extracted from: F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\PIEDYQ-MANUAL.txt
- gandcrab
- http://gandcrabmfe6mnef.onion/cef86405e4c71c7c
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (248) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
  resource: behavioral1/memory/2284-0-0x0000000000400000-0x0000000000AD0000-memory.dmp
  yara_rule: upx
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (all by 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe):
  File opened (read-only): \??\I:, \??\J:, \??\S:, \??\X:, \??\Z:, \??\A:, \??\G:, \??\M:, \??\V:, \??\Y:, \??\E:, \??\H:, \??\K:, \??\P:, \??\R:, \??\T:, \??\W:, \??\B:, \??\L:, \??\N:, \??\O:, \??\Q:, \??\U:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe):
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"
- Drops file in Program Files directory (31 IoCs)
  Processes (all by 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe):
  File opened for modification: C:\Program Files\ResetPing.TTS
  File opened for modification: C:\Program Files\RevokeOpen.odt
  File opened for modification: C:\Program Files\ConvertFromSync.mpg
  File opened for modification: C:\Program Files\CompareSync.sql
  File opened for modification: C:\Program Files\FormatCheckpoint.css
  File opened for modification: C:\Program Files\SearchInitialize.otf
  File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\PIEDYQ-MANUAL.txt
  File created: C:\Program Files\PIEDYQ-MANUAL.txt
  File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\e4c71b91e4c71c7c11e.lock
  File opened for modification: C:\Program Files\CompressReceive.pps
  File opened for modification: C:\Program Files\DebugSearch.emz
  File opened for modification: C:\Program Files\GroupRestart.wma
  File opened for modification: C:\Program Files\LimitMove.cr2
  File opened for modification: C:\Program Files\ClearConvertTo.asx
  File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\e4c71b91e4c71c7c11e.lock
  File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\e4c71b91e4c71c7c11e.lock
  File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\PIEDYQ-MANUAL.txt
  File opened for modification: C:\Program Files\EditSubmit.xhtml
  File opened for modification: C:\Program Files\GetUnpublish.aifc
  File opened for modification: C:\Program Files\GrantMerge.M2TS
  File opened for modification: C:\Program Files\JoinExpand.mp2
  File opened for modification: C:\Program Files\PushDisconnect.easmx
  File created: C:\Program Files (x86)\PIEDYQ-MANUAL.txt
  File created: C:\Program Files (x86)\e4c71b91e4c71c7c11e.lock
  File created: C:\Program Files\e4c71b91e4c71c7c11e.lock
  File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\PIEDYQ-MANUAL.txt
  File opened for modification: C:\Program Files\SearchSplit.wmv
  File opened for modification: C:\Program Files\UpdateBackup.htm
  File opened for modification: C:\Program Files\BlockSet.wmf
  File opened for modification: C:\Program Files\SelectSync.xlsm
  File opened for modification: C:\Program Files\OutTrace.vst
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (all by 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe):
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 868)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe (PID 2284), two occurrences
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe (PID 3056)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 2284 (01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe) wrote to memory of PID 2404 (cmd.exe), four occurrences
  PID 2404 (cmd.exe) wrote to memory of PID 868 (vssadmin.exe), four occurrences
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe"
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\PIEDYQ-MANUAL.txt
  Filesize: 8KB
  MD5: 373da552070dcad26cc890e9864d6dc3
  SHA1: ba94551b1e3c88e002343821694720baa88f5708
  SHA256: 10d9dd29f4ffb655a813960791fbf910eb49ac520c62a3cd12a72ab6d59b64ad
  SHA512: 36316e752e72246bf6a71f1d67f6ed6fbccda78b5cfaaa2b7e17474a9c3e3f154160e3b340a74f0834c31c31b115b0eb44e628b89f7008301879a5f3e59f0fa4
- memory/2284-0-0x0000000000400000-0x0000000000AD0000-memory.dmp
  Filesize: 6.8MB
- memory/2284-3-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/2284-2-0x0000000000B40000-0x0000000000C40000-memory.dmp
  Filesize: 1024KB
- memory/2284-659-0x0000000000400000-0x0000000000AD0000-memory.dmp
  Filesize: 6.8MB
- memory/2284-661-0x0000000000B40000-0x0000000000C40000-memory.dmp
  Filesize: 1024KB
- memory/2284-662-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB