Malware Analysis Report

2024-09-11 01:45

Sample ID 240415-fmz95ahg2x
Target f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118
SHA256 1e2335fef46f7320069623fff6702acb41c2877aff5fec83d94a561af37c3c7a
Tags
medusalocker evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1e2335fef46f7320069623fff6702acb41c2877aff5fec83d94a561af37c3c7a

Threat Level: Known bad

The file f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware spyware stealer trojan

MedusaLocker

MedusaLocker payload

Medusalocker family

UAC bypass

Renames multiple (199) files with added filename extension

Renames multiple (170) files with added filename extension

Deletes shadow copies

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Drops desktop.ini file(s)

Checks whether UAC is enabled

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-15 05:00

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 05:00

Reported

2024-04-15 05:02

Platform

win7-20240221-en

Max time kernel

128s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A

Deletes shadow copies

ransomware

Renames multiple (199) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
(This row appears 64 times in the report.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
(The 20 wmic.exe token entries above appear three times in the report.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1284 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1284 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1284 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1284 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1284 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2556 wrote to memory of 2704 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
(Each row above appears four times in the report.)

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\taskeng.exe

taskeng.exe {9A9F845A-82A4-4B1C-B279-9832BF50666C} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Recovery_Instructions.html

MD5 93b5f0e01536ef8d1e1108d2011b3872
SHA1 7a8d058355dd87bd83c6c7b17ddd33b79b5230b2
SHA256 acc5783c4fe3e786d8481e427aefca5a895882843b86ae54d30154157dd18167
SHA512 7a17849d10cca3807d5c4779a799cc67cd8d310feee22f8c48a6f691c4fbd272327b961172b7b6106ff22a9940a51304c2dcc1ab46b2a2591482fc35c94ad55f

C:\Users\Default\NTUSER.DAT.LOG2

MD5 02e0c7367bfc73212b63ff39e5538e97
SHA1 67418851ee1f6525d4f38faab56b2e0c24475aa7
SHA256 4b9280ddb4206347f95cc3813a70578ae6070ca767a2e49d8483b5a7e33b7a8f
SHA512 551b7ce74f741884c17f9f2e7a398420a033ab41102129febc48a182393ec81848050263ac6dac70c2f329bee17a63cddb37c5ed8256c114141253c3ada0e8a0

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 f05df52a73ea28f25d0a85f927f2444a
SHA1 a5c00571f42bad2f17db4d4032b07318abc6f7f1
SHA256 1e2335fef46f7320069623fff6702acb41c2877aff5fec83d94a561af37c3c7a
SHA512 0b2a3a0bde6fcc23565ccdb1df49727930ad53345f91a3450455d0e8fb431a59af74a169d8c6ae2195afc340d7fde42969638f5d4de5501d1f75737be625e0b2

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 05:00

Reported

2024-04-15 05:02

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A

Renames multiple (170) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
(This row appears 52 times in the report.)
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f05df52a73ea28f25d0a85f927f2444a_JaffaCakes118.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

\Device\HarddiskVolume1\Boot\Recovery_Instructions.html

MD5 a26412b671e47462a7e319fe6f997319
SHA1 33bfc8580e863ac958897a15a7a6cc5bde476482
SHA256 f5be868208c0a4932a5b57fe588bd8d0eeb98a478188205828a6ca62e19560b8
SHA512 2fb16f2cc817a5bb75d538d34dee8072527df23705cfd258ff0e1997ab85d78421e7d7f875c8d582d7c9fc22959a8484bd84cda0f4e3241b006d37929d6e6846

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 f05df52a73ea28f25d0a85f927f2444a
SHA1 a5c00571f42bad2f17db4d4032b07318abc6f7f1
SHA256 1e2335fef46f7320069623fff6702acb41c2877aff5fec83d94a561af37c3c7a
SHA512 0b2a3a0bde6fcc23565ccdb1df49727930ad53345f91a3450455d0e8fb431a59af74a169d8c6ae2195afc340d7fde42969638f5d4de5501d1f75737be625e0b2

C:\Users\Default\ntuser.dat.LOG2

MD5 2471876c265a52b7569ee2a16b481921
SHA1 3688d010df5b8db1ffbc7c985b9b9cfeeb856f9d
SHA256 c9ab6440af5d699f4a209bc2ca34768dc44fb4a0a5bb8bdc88515c08e68f7ff9
SHA512 29c4e7447a66a4971a2ad590017617dbb260e2e4f8e0c78f9f6c7b9cbe6b63a7810c5cf60c66ab4a2660d8145c33386fe1ac832701223864c16da10aec286a8a