Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-06-2024 11:17
Behavioral task: behavioral1
- Sample: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
- Size: 168KB
- MD5: 01def9f56c9af2d97800d7366551a2f1
- SHA1: 3845b36222249023360100a1b3a6f40dfd165321
- SHA256: 4a9dad6192998bba2047afd0edcde14f7d81a3171e639cac7d30615ae6b9d8a3
- SHA512: aa2bcddc092d1d556d04b6aaaeb5dce91cb9536cc3cf420fcf2169dc603a132c72f870df13cb02e2dd8f788900995146ac1944100ed50d2803412728cbe32697
- SSDEEP: 3072:tgk9+8F/zGO4O9AFracIaDa2HtvudUYJDjnxk0RVikMbqT:Ce2eIG7aDa21e3tVi3C
Malware Config
Extracted from: F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\YLTFWX-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/a6f2fc4580742886
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Renames multiple (250) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
-
Drops startup file (2 IoCs)
Processes: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\YLTFWX-MANUAL.txt
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\80742f6b8074288611e.lock
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Yara rule match (resource, yara_rule):
- behavioral2/memory/4228-0-0x0000000000400000-0x0000000000AD0000-memory.dmp: upx
-
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
- File opened (read-only), in the order observed: \??\L:, \??\P:, \??\Q:, \??\S:, \??\Y:, \??\A:, \??\E:, \??\J:, \??\W:, \??\X:, \??\Z:, \??\H:, \??\I:, \??\N:, \??\O:, \??\R:, \??\V:, \??\B:, \??\K:, \??\T:, \??\U:, \??\G:, \??\M:
-
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"
-
Drops file in Program Files directory (14 IoCs)
Processes: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
- File opened for modification: C:\Program Files\SendExport.wmv
- File created: C:\Program Files\YLTFWX-MANUAL.txt
- File opened for modification: C:\Program Files\NewWait.jfif
- File opened for modification: C:\Program Files\ProtectSave.tiff
- File opened for modification: C:\Program Files\SaveUninstall.jpeg
- File opened for modification: C:\Program Files\LockRemove.ram
- File opened for modification: C:\Program Files\RevokeImport.wmx
- File opened for modification: C:\Program Files\UseAssert.M2TS
- File created: C:\Program Files (x86)\YLTFWX-MANUAL.txt
- File created: C:\Program Files (x86)\80742f6b8074288611e.lock
- File created: C:\Program Files\80742f6b8074288611e.lock
- File opened for modification: C:\Program Files\DismountWrite.pot
- File opened for modification: C:\Program Files\FormatEnable.i64
- File opened for modification: C:\Program Files\TestRead.zip
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (1 IoC)
Processes (pid, pid_target, process, target process):
- 2464, 4228, WerFault.exe, 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid, process):
- 4228, 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe (4 occurrences)
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description, pid, process, target process):
- PID 4228 wrote to memory of 4892, 4228, 01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe, cmd.exe (3 occurrences)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01def9f56c9af2d97800d7366551a2f1_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
  - Level 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1408
    - Program crash
- Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4228 -ip 4228
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\YLTFWX-MANUAL.txt
  Filesize: 8KB
  MD5: 60b8a0bb3b4bccaf207d2a7ef180423b
  SHA1: a1c10bd53fd40ec748623a9086f92f1db967501d
  SHA256: 2ec51b5dc1cb2d9fa8b6def1538bb013a2f1599114bce14f67e180f4bda11104
  SHA512: 5ab03c1f228eb30cb636587514e736c0e1321eaa38ca5338ab73e5777be2a6af6c13be3e7da02c61db1aee4258609ed713e9a2b4acc62f1c920f119a49234f21
- memory/4228-0-0x0000000000400000-0x0000000000AD0000-memory.dmp
  Filesize: 6.8MB
- memory/4228-2-0x0000000000DA0000-0x0000000000EA0000-memory.dmp
  Filesize: 1024KB
- memory/4228-3-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/4228-659-0x0000000000400000-0x0000000000AD0000-memory.dmp
  Filesize: 6.8MB
- memory/4228-661-0x0000000000400000-0x0000000000AD0000-memory.dmp
  Filesize: 6.8MB
- memory/4228-663-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/4228-662-0x0000000000DA0000-0x0000000000EA0000-memory.dmp
  Filesize: 1024KB