Malware Analysis Report

2024-09-11 01:45

Sample ID 240418-yqs94aef5x
Target f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118
SHA256 45f0bb5539b7ce29c74f11c46b1f1199eae518af04ff7bb499e10f4780dc7530
Tags
medusalocker evasion ransomware spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

45f0bb5539b7ce29c74f11c46b1f1199eae518af04ff7bb499e10f4780dc7530

Threat Level: Known bad

The file f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware spyware stealer trojan

MedusaLocker

Medusalocker family

MedusaLocker payload

UAC bypass

Deletes shadow copies

Renames multiple (282) files with added filename extension

Renames multiple (229) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Checks whether UAC is enabled

Drops desktop.ini file(s)

Enumerates physical storage devices

Unsigned PE

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-18 19:59

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-18 19:59

Reported

2024-04-18 20:02

Platform

win7-20231129-en

Max time kernel

126s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Deletes shadow copies

ransomware

Renames multiple (282) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2372 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2372 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2372 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2372 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2372 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2372 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2372 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2372 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2372 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2372 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2372 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2372 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1212 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1212 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1212 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1212 wrote to memory of 1884 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\taskeng.exe

taskeng.exe {C2549CCF-3247-46A2-AC0E-8AFBEC2A7955} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html

MD5 e1e85f3873e503dbcb2e2b5d3db7a1a8
SHA1 a12e40a7d045ff7715877e3c07d4d90d2ffc93f9
SHA256 303fc950e708456d2f1d66a26b0d0d09f349b74de777dd01963f5eba4f1da9ed
SHA512 a80d8339ffdb71f5fc83fb5b2d6001ec5045ee167fe71d6e39fd6280bfadeb34eafc7616fc232dd82e785e04c9c17b640feeb4e5029dc02a27e55124f1507433

C:\Users\Default\NTUSER.DAT.LOG2

MD5 3a7a2929014112844eba2b62502ab8ac
SHA1 3583d7a514322b6a93593e96169c01eb0c3f30d2
SHA256 3d2121032b1b9e9ba211daa3a1c501c4a2cbda65f09de2933d681bf611cc7079
SHA512 9e970629a37c000c1a836cdd5219ed1a963e4d91b44f215523e2f936cc4357f966a13fb284d3fc66029ffbcd192e112aa7ca434efe8cd1dbdaa643ad67b0d344

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 f8a9d3f458a7ab3af54cde87d2b0b4f6
SHA1 9984cfbbf8c86c16d0ca2fd1388ed516213a6eb8
SHA256 45f0bb5539b7ce29c74f11c46b1f1199eae518af04ff7bb499e10f4780dc7530
SHA512 324b73a4fb223d653fb56f3d0081fdd4429ca222c43069141f6df4e53538b2dd25c0f25fad14d8c96e0bbbb5b9a7de6fc93b96695315a777aa5c065035b49dff

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-18 19:59

Reported

2024-04-18 20:02

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Renames multiple (229) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f8a9d3f458a7ab3af54cde87d2b0b4f6_JaffaCakes118.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 20.231.121.79:80 N/A tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 13.107.246.64:443 N/A tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

MD5 d5cf2675c16e901b4780fd6b2ae25d69
SHA1 c5e9af0807e9a0c556e20248ae0c7a320b3c00ff
SHA256 3f75074c90f8da60555c54ecc1542dd985aefa3e42c90201d8c384305499b8c2
SHA512 57fea8f55d78aa8653fec4d89f2ef68b68908357ec27ba486c60c96f73e18b60ffebe46573b1f37f2b6f9df48365e319234f648868dc0a05ad72b4f337fdb7a8

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 f8a9d3f458a7ab3af54cde87d2b0b4f6
SHA1 9984cfbbf8c86c16d0ca2fd1388ed516213a6eb8
SHA256 45f0bb5539b7ce29c74f11c46b1f1199eae518af04ff7bb499e10f4780dc7530
SHA512 324b73a4fb223d653fb56f3d0081fdd4429ca222c43069141f6df4e53538b2dd25c0f25fad14d8c96e0bbbb5b9a7de6fc93b96695315a777aa5c065035b49dff

C:\Users\Default\ntuser.dat.LOG2

MD5 b33ef1b9c905606cb769cf02e0e725f9
SHA1 c03d62c722d1e9d9734ac3e22e2dafe80ceb8a23
SHA256 b05c39930dcbfa1eb34263ca7ed4ba003654d73fefdc40c7d12f678a87f045f9
SHA512 871d35dae73bf26c71ddc06c97ebb212e177dafb62c735d9ff5f8ad7bdbeb4e62095d29a7435747347566826adc1d3827f6a6d55424ad506304d44e2f63bf644