Malware Analysis Report

2025-01-03 08:43

Sample ID 240506-cejqmagc84
Target 1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118
SHA256 21b57732a3ad05f6fd016725d55c6cd59fe733b30d4b04bc2719d14d29336d6b
Tags
gandcrab backdoor defense_evasion execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21b57732a3ad05f6fd016725d55c6cd59fe733b30d4b04bc2719d14d29336d6b

Threat Level: Known bad

The file 1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer

Gandcrab

Deletes shadow copies

Renames multiple (253) files with added filename extension

Renames multiple (264) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-06 01:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 01:59

Reported

2024-05-06 02:01

Platform

win7-20240220-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (264) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\OutMeasure.html C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RedoPush.eps C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SwitchDisable.xla C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SyncUpdate.dwfx C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RPPTP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\7b12a3797b12a4976e.lock C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\FindGet.mhtml C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\MeasureReset.mp4 C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ProtectOpen.tmp C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResumeMount.svgz C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RPPTP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\BackupRestore.3gp C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\LockTrace.xhtml C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\JoinSuspend.contact C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\LockDeny.html C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ShowComplete.mpeg C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SwitchRead.mhtml C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UnlockUnpublish.txt C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\RPPTP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\AddUninstall.rm C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\HideSkip.bmp C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\7b12a3797b12a4976e.lock C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SetNew.pptx C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\7b12a3797b12a4976e.lock C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\BlockExpand.wmf C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CompressInitialize.edrwx C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PublishSet.inf C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\LimitCopy.wma C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\OpenTrace.mpeg3 C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RegisterSync.htm C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\TestRestore.vsx C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\7b12a3797b12a4976e.lock C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RPPTP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files\RPPTP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DisableStart.xml C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RequestClose.sql C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SearchSwitch.mpp C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files\7b12a3797b12a4976e.lock C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\NewCopy.pub C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResolveImport.mhtml C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SaveWrite.vsw C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; the sandbox reports this privilege by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.kakaocorp.link udp

Files

memory/1684-0-0x0000000000400000-0x00000000004A7000-memory.dmp

memory/1684-1-0x0000000000400000-0x00000000004A7000-memory.dmp

memory/1684-2-0x0000000000400000-0x00000000004A7000-memory.dmp

memory/1684-3-0x0000000000400000-0x00000000004A7000-memory.dmp

F:\$RECYCLE.BIN\RPPTP-DECRYPT.txt

MD5 23681e4631fdc81ccb5128b732b9aaf2
SHA1 205b9a18caf8785429aefc7209b1fb6614d7e419
SHA256 b3bf74710734b76b848bd5b3c2f8d443473bb1dc3f5737f9d83262b9fda92536
SHA512 b0253cf690d8c7a3d2be9427138c46216d6162e589084f870925ec0ceba2f08ae0b13f96abe9ce82a677fb41797a43e52c582c2ae039ea7138b2829ce265f95d

memory/1684-688-0x0000000000400000-0x00000000004A7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 01:59

Reported

2024-05-06 02:01

Platform

win10v2004-20240419-en

Max time kernel

141s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (253) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\EYNIPFCTA-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\345f34aa345f33446e.lock C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\RedoMeasure.pdf C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\345f34aa345f33446e.lock C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files\EYNIPFCTA-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CompressTest.dot C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\OpenFind.mp2 C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ReadSubmit.DVR C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SelectMerge.mpg C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\EYNIPFCTA-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\AddWrite.cr2 C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CompareFormat.potx C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SearchJoin.nfo C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\TraceWatch.bmp C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ApproveDebug.pdf C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DismountRepair.hta C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\GrantMerge.wmf C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
File created C:\Program Files\345f34aa345f33446e.lock C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
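
The "Enumerates connected drives", "Drops startup file" and "Drops file in Program Files directory" tables above (in both runs) are flattened "Description Indicator Process Target" rows. The following is an added triage helper, not part of the sandbox output, that parses those rows and classifies what the encryptor touched: drive letters probed, ransom notes, the .lock marker the sample writes into every directory it visits, and the victim files it opened for modification. Two caveats it encodes: the "Drops startup file" hit in the Windows 10 run is the same note/lock pair written into Word's STARTUP folder as the encryptor walks the profile, not a dropped executable, so it is only persistence if something other than a note or lock lands there; and the note stem (RPPTP, EYNIPFCTA) is offered only as a candidate for the appended extension, which is how this family names its note but is not shown on this page. The rows in ROWS are copied from this report; the assumption that the process column contains no spaces holds for every row here but may not for other reports.

```python
"""Triage the flattened 'Description Indicator Process Target' rows of a
sandbox report. Added example, not part of the report or the sandbox."""
import re
from collections import Counter

# Assumption: the process column is a path without spaces (true for this
# page) and the target column is a single token such as N/A.
ROW = re.compile(
    r"^(?P<desc>File opened \(read-only\)|File opened for modification|File created)\s+"
    r"(?P<indicator>.+?)\s+(?P<process>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$"
)
DRIVE = re.compile(r"^\\\?\?\\(?P<letter>[A-Z]):$")          # \??\P:
NOTE = re.compile(r"^(?P<stem>[A-Z]+)-DECRYPT\.(?:txt|html)$")  # EYNIPFCTA-DECRYPT.txt
LOCK = re.compile(r"^[0-9a-f]{16,}\.lock$")                   # 345f34aa345f33446e.lock


def parse_row(line):
    m = ROW.match(line.strip())
    return m.groupdict() if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(rows):
    """Return a list of (description, path, kind) for every row."""
    items = []
    for line in rows:
        r = parse_row(line)
        if r is None:                       # registry rows etc. are left as-is
            items.append(("?", line, "unparsed"))
            continue
        ind = r["indicator"]
        if DRIVE.match(ind):
            items.append((r["desc"], ind, "drive"))
            continue
        name = basename(ind)
        if NOTE.match(name):
            kind = "ransom_note"
        elif LOCK.match(name):
            kind = "lock_file"
        elif r["desc"] == "File opened for modification":
            kind = "victim_file"            # candidate for encryption/rename
        else:
            kind = "other"
        items.append((r["desc"], ind, kind))
    return items


def summarize(items):
    return {
        "drives": sorted(DRIVE.match(p)["letter"] for _, p, k in items if k == "drive"),
        "kinds": Counter(k for _, _, k in items),
        "notes": sorted({basename(p) for _, p, k in items if k == "ransom_note"}),
        "lock_files": sorted({basename(p) for _, p, k in items if k == "lock_file"}),
    }


def candidate_extension(items):
    """The note stem is only a candidate for the appended extension (family
    naming convention, not evidenced on this page); confirm against a
    renamed file before using it as an IOC."""
    return sorted({NOTE.match(basename(p))["stem"] for _, p, k in items if k == "ransom_note"})


def startup_drops(items):
    """Files written under a *\\STARTUP\\ folder that are neither the note
    nor the lock marker. An empty list means the 'Drops startup file'
    signature fired on collateral from the directory walk, not persistence."""
    return [p for _, p, k in items
            if "\\startup\\" in p.lower() and k not in ("ransom_note", "lock_file")]


# Rows copied from this report (behavioral2); a constructed subset.
PROC = r"C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe"
ROWS = [
    rf"File opened (read-only) \??\P: {PROC} N/A",
    rf"File opened (read-only) \??\Z: {PROC} N/A",
    rf"File opened (read-only) \??\W: {PROC} N/A",
    rf"File opened (read-only) \??\I: {PROC} N/A",
    rf"File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\EYNIPFCTA-DECRYPT.txt {PROC} N/A",
    rf"File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\345f34aa345f33446e.lock {PROC} N/A",
    rf"File opened for modification C:\Program Files\RedoMeasure.pdf {PROC} N/A",
    rf"File created C:\Program Files (x86)\345f34aa345f33446e.lock {PROC} N/A",
    rf"File created C:\Program Files\EYNIPFCTA-DECRYPT.txt {PROC} N/A",
    rf"File opened for modification C:\Program Files\CompressTest.dot {PROC} N/A",
    rf"File opened for modification C:\Program Files\OpenFind.mp2 {PROC} N/A",
    rf"File created C:\Program Files (x86)\EYNIPFCTA-DECRYPT.txt {PROC} N/A",
    rf"File created C:\Program Files\345f34aa345f33446e.lock {PROC} N/A",
    rf'Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" {PROC} N/A',
]

if __name__ == "__main__":
    items = triage(ROWS)
    print(summarize(items))
    print("candidate extension:", candidate_extension(items))
    print("real startup drops:", startup_drops(items))
```

Running it over the full tables rather than this subset gives the drive count the sandbox saw (every letter except C and D, the two that exist on the image) and lets you compare the "Renames multiple (N) files" count against the number of victim_file rows actually listed, since the report truncates that table.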

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; the sandbox reports this privilege by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege, present on Windows 10 but not on the Windows 7 image; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege; reported by LUID only) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
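
The process trees of both runs show the same three-step chain behind the "Deletes shadow copies" and "Uses Volume Shadow Copy service COM API" signatures: the sample in AppData\Local\Temp launches wmic.exe with "shadowcopy delete", and vssvc.exe starts to service the request. Two details matter for writing a detection from this. First, the command line names C:\Windows\system32\wbem\wmic.exe but the process image is C:\Windows\SysWOW64\wbem\wmic.exe: the sample is 32-bit, so WOW64 file-system redirection silently substitutes the 32-bit binary, and any image-path match must normalise that. Second, the command itself is legitimate administrator activity; what makes it an alert is a parent living in a user-writable directory. The following detection logic is an added example, not part of the report; the event dicts are constructed from the Processes section (only PID 1684 is taken from the page, the other PIDs are made up), and the field names pid/ppid/image/command_line are an assumption to map onto your own process-creation telemetry.

```python
"""Flag shadow-copy deletion launched from a user-writable path.
Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass

# The first pattern is the exact command this sample ran; the other two are
# the usual equivalents and are included as a generalisation.
SHADOW_DELETE = [
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
]

# A parent under a user profile's AppData is what separates malware from an
# administrator typing the same command.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(?:local|roaming)\\", re.I)

# Canonical (redirection-free) locations of the tools we care about.
KNOWN_TOOLS = (r"\system32\wbem\wmic.exe", r"\system32\vssadmin.exe")


def canonical_image(path):
    """Undo WOW64 file-system redirection for comparison. A 32-bit process
    that asks for C:\\Windows\\system32\\wbem\\wmic.exe is actually given
    C:\\Windows\\SysWOW64\\wbem\\wmic.exe, which is why the report shows
    system32 in the command line but SysWOW64 as the process image."""
    return re.sub(r"\\syswow64\\", r"\\system32\\", path, flags=re.I).lower()


@dataclass
class Finding:
    pid: int
    image: str              # canonicalised
    command_line: str
    parent_image: str
    from_user_writable: bool
    image_is_known_tool: bool   # False => renamed binary with a spoofed command line


def find_shadow_copy_deletion(events):
    """events: iterable of dicts with pid, ppid, image, command_line."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd = e.get("command_line", "")
        if not any(p.search(cmd) for p in SHADOW_DELETE):
            continue
        image = canonical_image(e.get("image", ""))
        parent_image = by_pid.get(e.get("ppid"), {}).get("image", "")
        findings.append(Finding(
            pid=e["pid"],
            image=image,
            command_line=cmd,
            parent_image=parent_image,
            from_user_writable=bool(USER_WRITABLE.search(parent_image)),
            image_is_known_tool=image.endswith(KNOWN_TOOLS),
        ))
    return findings


# Constructed from the Processes section of this report. Only PID 1684
# (the sample, per the memory dump names) is real; the others are made up.
SAMPLE_EVENTS = [
    {"pid": 1684, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\1a3ae8198cd91f4e8c783e1c9be8d153_JaffaCakes118.exe"'},
    {"pid": 1720, "ppid": 1684,
     "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "command_line": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    # vssvc.exe is started by the service control manager on demand, not by
    # wmic, so its parent is not in the tree above.
    {"pid": 1744, "ppid": 1650,
     "image": r"C:\Windows\system32\vssvc.exe",
     "command_line": r"C:\Windows\system32\vssvc.exe"},
]

if __name__ == "__main__":
    for f in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f)
```

The vssvc.exe start (and its SeBackupPrivilege/SeRestorePrivilege/SeAuditPrivilege enablement listed under "Suspicious use of AdjustPrivilegeToken") is corroboration rather than a trigger on its own: the service starts for any legitimate VSS request as well, so correlate it with the wmic or vssadmin event instead of alerting on it directly.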

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 www.kakaocorp.link udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
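
The Windows 10 run's Network table mixes the sample's traffic with the image's own background activity (Bing endpoints, reverse lookups of the addresses it talked to). The Windows 7 run, which produces none of that noise, shows a single lookup, www.kakaocorp.link, and that name is the only non-background domain common to both runs. The following is an added example, not part of the report, that separates the two by parsing the rows, dropping a background allowlist, and intersecting the runs; the rows are copied from this page (a subset for the Windows 10 run), and the allowlist of background suffixes is an assumption that should be tuned to your own sandbox images. It also surfaces the one connection with no domain (20.231.121.79:80): no preceding DNS answer for it appears in the table, so it was either hard-coded or resolved from cache and deserves a look in the PCAP before being dismissed as noise.

```python
"""Separate a sample's own network indicators from sandbox background
traffic. Added example, not part of the sandbox report."""
import re

# Row format on this page: "<country> <ip>:<port> [<domain>] <proto>"
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Assumption: suffixes produced by the sandbox image itself, not the sample.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")


def parse(rows):
    out = []
    for r in rows:
        m = ROW.match(r.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            out.append(d)
    return out


def is_background(domain):
    return domain is not None and domain.lower().endswith(BACKGROUND_SUFFIXES)


def sample_domains(rows):
    """Domains in a run that are not on the background allowlist."""
    return {e["domain"] for e in parse(rows) if e["domain"] and not is_background(e["domain"])}


def unresolved_connections(rows):
    """Connections the report could not tie to a DNS answer."""
    return [(e["ip"], e["port"], e["proto"]) for e in parse(rows) if not e["domain"]]


def cross_run_iocs(*runs):
    """Intersect the non-background domains of several detonations. Names in
    only one run are kept separately rather than discarded: a sample that
    falls back to a different server per run would otherwise be lost."""
    sets = [sample_domains(r) for r in runs]
    common = set.intersection(*sets) if sets else set()
    return {"common": sorted(common), "per_run_only": [sorted(s - common) for s in sets]}


# Rows copied from this report (constructed subset for the Windows 10 run).
WIN7_RUN = ["US 8.8.8.8:53 www.kakaocorp.link udp"]
WIN10_RUN = [
    "US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.237:443 g.bing.com tcp",
    "NL 23.62.61.97:443 www.bing.com tcp",
    "US 20.231.121.79:80 tcp",
    "US 8.8.8.8:53 www.kakaocorp.link udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
]

if __name__ == "__main__":
    print(cross_run_iocs(WIN7_RUN, WIN10_RUN))
    print("unresolved:", unresolved_connections(WIN10_RUN))
```

A DNS lookup with no following TCP row, as here, tells you the name was queried but not that it was reachable; the report does not say whether it resolved, so treat the domain as a network indicator and not as confirmed command and control.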

Files

memory/1888-0-0x0000000002360000-0x000000000236D000-memory.dmp

memory/1888-1-0x0000000002560000-0x0000000002561000-memory.dmp

memory/1888-2-0x0000000000400000-0x00000000004A7000-memory.dmp

memory/1888-3-0x0000000000400000-0x00000000004A7000-memory.dmp

memory/1888-4-0x0000000000400000-0x00000000004A7000-memory.dmp

memory/1888-5-0x0000000000400000-0x00000000004A7000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2818691465-3043947619-2475182763-1000\EYNIPFCTA-DECRYPT.txt

MD5 dcbfe7316dc1bb129b5840d0f9f90ae2
SHA1 de104aa938ee98841ef1b0048919cee1420969c7
SHA256 aad5c17058e2ef432584e8f7a9e617ba16e4d4ae48be84d6b46c0ee35d64e213
SHA512 3a4490a3818a3a74f7f9e2278d869b019e5db0e7ef0f8d265752fad0b021f1441aa9383c3614d24290122db9228f1eb5f093adc557b1e1a97afb9395e1234c4b

memory/1888-681-0x0000000000400000-0x00000000004A7000-memory.dmp

memory/1888-682-0x0000000000400000-0x00000000004A7000-memory.dmp

memory/1888-684-0x0000000000400000-0x00000000004A7000-memory.dmp