Analysis
-
max time kernel: 149s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2024 22:36
Static task: static1
Behavioral task: behavioral1
Sample: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
-
Target: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Size: 344KB
MD5: 270b70bad151a515136f553e5bc880ac
SHA1: 77b7def336c7647c6faadaf7136d70ff1e9ba7fc
SHA256: db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa
SHA512: c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f
SSDEEP: 3072:v5sAzvcjE+lcO3zXgKRcP66BpwwB9RStc3Yfqr:v5jvc4+lcO3zQKSPfBJXv3YM
Malware Config
Extracted from: C:\Users\Admin\Documents\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
http://cerberhhyed5frqa.vmfu48.win/8583-B507-F3D1-0073-114B
http://cerberhhyed5frqa.45tori.win/8583-B507-F3D1-0073-114B
http://cerberhhyed5frqa.fkr84i.win/8583-B507-F3D1-0073-114B
http://cerberhhyed5frqa.fkri48.win/8583-B507-F3D1-0073-114B
http://cerberhhyed5frqa.djre89.win/8583-B507-F3D1-0073-114B
http://cerberhhyed5frqa.onion/8583-B507-F3D1-0073-114B
Extracted from: C:\Users\Admin\Documents\# DECRYPT MY FILES #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large number (16391) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe, efsui.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\efsui.exe\"" | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\efsui.exe\"" | efsui.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: efsui.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | efsui.exe
-
Drops startup file 2 IoCs
Processes: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe, efsui.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\efsui.lnk | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\efsui.lnk | efsui.exe
-
Executes dropped EXE 1 IoCs
Processes: efsui.exe
pid | process
4276 | efsui.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe, efsui.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\efsui = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\efsui.exe\"" | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\efsui = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\efsui.exe\"" | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\efsui = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\efsui.exe\"" | efsui.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\efsui = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\efsui.exe\"" | efsui.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ipinfo.io
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: efsui.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA8FD.bmp" | efsui.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
2944 | vssadmin.exe
-
Kills process with taskkill 2 IoCs
Processes: taskkill.exe, taskkill.exe
pid | process
3356 | taskkill.exe
3528 | taskkill.exe
-
Modifies Control Panel 4 IoCs
Processes: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe, efsui.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\efsui.exe\"" | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop | efsui.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\efsui.exe\"" | efsui.exe
-
Modifies registry class 1 IoCs
Processes: efsui.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | efsui.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes: efsui.exe, msedge.exe, msedge.exe, msedge.exe, identity_helper.exe
pid | process | entries
4276 | efsui.exe | 36
1964 | msedge.exe | 2
3628 | msedge.exe | 2
3348 | msedge.exe | 2
308 | identity_helper.exe | 2
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes: msedge.exe
pid | process | entries
1964 | msedge.exe | 10
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe, efsui.exe, taskkill.exe, vssvc.exe, wmic.exe, AUDIODG.EXE, taskkill.exe
pid | process | token privileges adjusted
1056 | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe | SeDebugPrivilege
4276 | efsui.exe | SeDebugPrivilege
3356 | taskkill.exe | SeDebugPrivilege
3644 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
4972 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this whole set is recorded twice)
1600 | AUDIODG.EXE | 33, SeIncBasePriorityPrivilege
3528 | taskkill.exe | SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
pid | process | entries
1964 | msedge.exe | 25
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid | process | entries
1964 | msedge.exe | 24
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe, cmd.exe, efsui.exe, msedge.exe, msedge.exe
pid | process | target pid | target process | entries
1056 | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe | 4276 | efsui.exe | 3
1056 | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe | 1064 | cmd.exe | 3
1064 | cmd.exe | 3356 | taskkill.exe | 3
4276 | efsui.exe | 2944 | vssadmin.exe | 2
1064 | cmd.exe | 4556 | PING.EXE | 3
4276 | efsui.exe | 4972 | wmic.exe | 2
4276 | efsui.exe | 1964 | msedge.exe | 2
1964 | msedge.exe | 5096 | msedge.exe | 2
4276 | efsui.exe | 2468 | NOTEPAD.EXE | 2
4276 | efsui.exe | 1420 | msedge.exe | 2
1420 | msedge.exe | 4348 | msedge.exe | 2
4276 | efsui.exe | 5080 | WScript.exe | 2
1420 | msedge.exe | 3504 | msedge.exe | 36
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe"
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\efsui.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\efsui.exe"
- Adds policy Run key to start application
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe (tree depth 3)
Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\system32\wbem\wmic.exe (tree depth 3)
Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff824c446f8,0x7ff824c44708,0x7ff824c44718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5012660229232632765,13918352787380249190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
-
C:\Windows\system32\NOTEPAD.EXE (tree depth 3)
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.vmfu48.win/8583-B507-F3D1-0073-114B
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff824c446f8,0x7ff824c44708,0x7ff824c44718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,18078248624280672456,12701798207996437849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,18078248624280672456,12701798207996437849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exe (tree depth 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
-
C:\Windows\system32\cmd.exe (tree depth 3)
Command line: /d /c taskkill /t /f /im "efsui.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\efsui.exe" > NUL
-
C:\Windows\system32\taskkill.exe (tree depth 4)
Command line: taskkill /t /f /im "efsui.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXE (tree depth 4)
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2)
Command line: /d /c taskkill /t /f /im "270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe" > NUL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe (tree depth 3)
Command line: taskkill /t /f /im "270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXE (tree depth 3)
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
C:\Windows\system32\vssvc.exe (tree depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXE (tree depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x50c 0x308
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B (two versions with different hashes were written)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB (two versions with different hashes were written)
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 8KB and 11KB (two versions with different hashes were written)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\efsui.lnk
Filesize: 1KB
-
C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\efsui.exe
Filesize: 344KB (MD5, SHA1, SHA256 and SHA512 are identical to the submitted sample, i.e. a copy of the sample)
-
C:\Users\Admin\Documents\# DECRYPT MY FILES #.html
Filesize: 12KB
-
C:\Users\Admin\Documents\# DECRYPT MY FILES #.txt
Filesize: 10KB
-
C:\Users\Admin\Documents\# DECRYPT MY FILES #.url
Filesize: 85B
-
C:\Users\Admin\Documents\# DECRYPT MY FILES #.vbs
Filesize: 219B
-
\??\pipe\LOCAL\crashpad_1420_POUBGSBFZIURVLZL
(no size recorded; the listed hashes are those of empty input)