Malware Analysis Report

2025-01-03 08:39

Sample ID 240508-ygjpasef39
Target 266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118
SHA256 4db7c9dc8fda28b07914f003190788cf7632f78f55f02c304248850a4636cf28
Tags
gandcrab backdoor defense_evasion execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4db7c9dc8fda28b07914f003190788cf7632f78f55f02c304248850a4636cf28

Threat Level: Known bad

The file 266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer

Gandcrab

Deletes shadow copies

Renames multiple (223) files with added filename extension

Renames multiple (277) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Enumerates connected drives

AutoIT Executable

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Modifies system certificate store

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

The matrix view itself did not survive extraction. The mapping below is derived by the editor from the signatures this report lists, not taken from the sandbox:

Execution: T1047 Windows Management Instrumentation (wmic.exe shadowcopy delete)
Defense Evasion: T1055.012 Process Injection: Process Hollowing (WriteProcessMemory into a second instance of its own image, together with the SetThreadContext signature)
Discovery: T1082 System Information Discovery (CentralProcessor registry values, physical storage enumeration); T1614 System Location Discovery (Control Panel\International\Geo\Nation); T1120 Peripheral Device Discovery (drive letters A: to Z: opened in turn)
Command and Control: T1071.001 Application Layer Protocol: Web Protocols (HTTP/HTTPS check-ins to the host list in the Network section)
Impact: T1486 Data Encrypted for Impact (hundreds of files renamed with an appended extension, ransom notes in every directory); T1490 Inhibit System Recovery (shadow copies deleted through WMI and the VSS COM API); T1491.001 Defacement: Internal Defacement (wallpaper replaced with pidor.bmp)

Tagged by the sandbox but weak as evidence in this report: T1555.003 Credentials from Web Browsers (no indicator rows were recorded) and T1553.004 Subvert Trust Controls: Install Root Certificate (the certificate written is ISRG Root X1, a public CA root, not an attacker-controlled one).

Analysis: static1

Detonation Overview

Reported

2024-05-08 19:45

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 19:45

Reported

2024-05-08 19:48

Platform

win10v2004-20240508-en

Max time kernel

129s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (223) files with added filename extension

ransomware

Checks computer location settings

The indicator is a single read of the user's Geo\Nation value, a locale check that ransomware families commonly use to skip machines in regions they exclude; the report records the query, not the decision the sample took on it.

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A

Drops startup file

This is the ransom note and the .lock marker landing in Word's STARTUP folder because the sample writes both into every directory it traverses. Word loads only templates and add-ins (.dot*, .wll) from that folder, so a .txt dropped there is not a persistence mechanism; read this signature as a side effect of the encryption sweep rather than as startup persistence.

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\QHAYLFWYQE-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\56c75eea56c7590440.lock C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

No indicator rows were recorded for this signature in either run. A file-encrypting sample opens everything under the user profile, browser profile files included, so this hit is expected collateral of the encryption sweep; the spyware and stealer tags it carries should not drive the classification.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\QHAYLFWYQE-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ConvertToWait.xla C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResumeSubmit.vdx C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SendOut.hta C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ReceiveDismount.vstm C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WatchCopy.M2TS C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\QHAYLFWYQE-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files\56c75eea56c7590440.lock C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PingLimit.vsd C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SaveSuspend.vdx C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\56c75eea56c7590440.lock C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DisableUnlock.bmp C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RemoveGet.vstm C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RestoreInstall.midi C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResumeSearch.zip C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WatchPublish.au C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
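The three file-system signatures above (mass rename with an appended extension, the <ten uppercase letters>-DECRYPT.txt note and the 18-hex-digit .lock marker written into every directory, Word's STARTUP folder and Program Files included) can be checked on a host or in a file-event feed with a few lines of logic. The following is an added example by the editor, not output of the sandbox or code of the malware: the event list is constructed (the appended extension "xkqzv" is made up, since the report does not state the one this sample used), the note regex is widened to five to ten letters as an assumption, and the rename threshold of 10 is arbitrary.

```python
"""Host-side triage for the file artifacts this report lists.

Added example, not part of the sandbox report. It scores a stream of
file-system events the way the "Renames multiple (N) files with added
filename extension" signature does, and matches the two marker files the
report shows in every directory the sample touched: a ransom note named
<UPPERCASE LETTERS>-DECRYPT.txt and an 18-hex-digit <id>.lock file.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Both notes on the page are ten uppercase letters; 5-10 is an assumption.
RANSOM_NOTE = re.compile(r"^[A-Z]{5,10}-DECRYPT\.txt$")
LOCK_MARKER = re.compile(r"^[0-9a-f]{18}\.lock$")


def appended_extension(old: str, new: str):
    """If `new` is exactly `old` plus one more '.ext', return 'ext', else None."""
    if not new.startswith(old + "."):
        return None
    ext = new[len(old) + 1:]
    return ext if ext and "." not in ext and "\\" not in ext else None


def triage(events, rename_threshold=10) -> dict:
    """events: iterable of (op, path, new_path); op is "create" or "rename"."""
    renames_by_ext = Counter()
    note_dirs = defaultdict(set)     # note filename -> directories it was dropped in
    lock_dirs = set()
    for op, path, new_path in events:
        if op == "rename" and new_path:
            ext = appended_extension(path, new_path)
            if ext:
                renames_by_ext[ext.lower()] += 1
        elif op == "create":
            p = PureWindowsPath(path)
            if RANSOM_NOTE.match(p.name):
                note_dirs[p.name].add(str(p.parent))
            elif LOCK_MARKER.match(p.name):
                lock_dirs.add(str(p.parent))
    mass_renames = {ext: n for ext, n in renames_by_ext.items() if n >= rename_threshold}
    return {
        "mass_rename_extensions": mass_renames,
        "ransom_notes": {name: sorted(dirs) for name, dirs in note_dirs.items()},
        "lock_marker_dirs": sorted(lock_dirs),
        "verdict": "ransomware-like" if mass_renames and note_dirs else "inconclusive",
    }


def build_sample_events() -> list:
    """Constructed events (not sandbox output): 12 renames sharing one appended
    extension, one ordinary extension change that must not count, and the
    report's note/lock names dropped in three of the directories it lists."""
    events = []
    for i in range(12):
        old = rf"C:\Users\Admin\Documents\file{i}.docx"
        events.append(("rename", old, old + ".xkqzv"))          # "xkqzv" is made up
    events.append(("rename", r"C:\Users\Admin\Documents\a.txt", r"C:\Users\Admin\Documents\a.bak"))
    for d in (r"C:\Program Files", r"C:\Program Files (x86)",
              r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP"):
        events.append(("create", d + r"\QHAYLFWYQE-DECRYPT.txt", None))
        events.append(("create", d + r"\56c75eea56c7590440.lock", None))
    events.append(("create", r"C:\Users\Admin\Desktop\README.txt", None))  # benign name
    return events


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_events()), indent=2))
```

The rename counter keys on the appended suffix only, so it ignores ordinary renames (a.txt to a.bak) and reports the extension count the way the sandbox signature does; the note and lock matchers key on file name shape rather than a fixed name, because both strings are per-victim random values.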

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

The adjustments listed here are made by wmic.exe and vssvc.exe on their own tokens (wmic.exe enables the privileges available to it at startup; the VSS service enables SeBackup, SeRestore and SeAudit), so the signal is not the adjustment itself but the fact that the sample spawned wmic.exe to run shadowcopy delete. Tokens 33 to 36 are LUIDs the sandbox did not resolve to names: SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36).

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Read together with the Suspicious use of SetThreadContext signature in the overview, these writes are consistent with process hollowing: the first instance (PID 4236) starts a second copy of its own image (PID 2044), writes into it and resets its thread context, and it is that second instance that goes on to spawn wmic.exe (PID 2824). The memory/2044-* entries in the Files section are dumps of one region of that second instance (0x300000-0x328000), which is where to look for the unpacked payload.

Description Indicator Process Target
PID 4236 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe
PID 4236 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe
PID 4236 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe
PID 4236 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe
PID 4236 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe
PID 2044 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2044 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2044 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

The command line names system32 but the image that ran is the SysWOW64 copy: the sample is a 32-bit process, so WoW64 file-system redirection maps its system32 path to SysWOW64. Detection content keyed on the full wmic.exe image path must accept both locations; matching on the image file name plus the shadowcopy delete arguments is more robust.

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
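The process tree above is the detection opportunity for the Deletes shadow copies signature in both runs: a binary from the user's Temp directory spawning a copy of itself, which spawns wmic.exe with shadowcopy delete. The following is an added example by the editor, not code from the sandbox or the malware: it runs a shadow-copy-deletion rule over constructed process-creation records whose PIDs and paths are taken from this report's process list, matches on the image file name rather than its directory so the WoW64 SysWOW64/system32 split does not hide the hit, and walks the parent chain back to the first non-Windows binary. The field names (pid, ppid, image, cmdline) are an assumption modelled loosely on Sysmon event 1; the two benign records are included to show the rule stays quiet on ordinary wmic and vssadmin use.

```python
"""Process-telemetry rule for shadow-copy deletion.

Added example, not part of the sandbox report. EVENTS is constructed to
mirror this run's process tree: the sample (PID 4236) starts a second copy
of itself (PID 2044), which starts wmic.exe (PID 2824) with
"shadowcopy delete". Adapt the record loader to whatever your EDR exports.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe"

# Command-line shapes that remove shadow copies or disable recovery.
SHADOW_KILL = [
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I),
]
TOOLS = {"wmic.exe", "vssadmin.exe", "wbadmin.exe", "bcdedit.exe"}

EVENTS = [  # constructed records; PIDs and paths from the report's process list
    {"pid": 4236, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2044, "ppid": 4236, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2824, "ppid": 2044, "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmdline": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    {"pid": 3000, "ppid": 0, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},                      # benign admin use
    {"pid": 3100, "ppid": 0, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                    # benign admin use
]


def is_shadow_deletion(image: str, cmdline: str) -> bool:
    # Match on the image *file name*, not its directory: a 32-bit parent gets
    # the SysWOW64 copy of wmic.exe even though its command line says system32.
    return (PureWindowsPath(image).name.lower() in TOOLS
            and any(p.search(cmdline) for p in SHADOW_KILL))


def ancestry(procs: dict, pid: int) -> list:
    """Process records from `pid` upward, stopping where telemetry runs out."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    procs = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not is_shadow_deletion(e["image"], e["cmdline"]):
            continue
        chain = ancestry(procs, e["pid"])
        # First ancestor that is not a Windows binary is the likely origin.
        origin = next((p for p in chain
                       if not p["image"].lower().startswith("c:\\windows\\")), None)
        hits.append({
            "pid": e["pid"],
            "cmdline": e["cmdline"],
            "wow64_redirected": "\\syswow64\\" in e["image"].lower()
                                and "\\system32\\" in e["cmdline"].lower(),
            "origin": origin["image"] if origin else None,
            "chain": [f'{p["pid"]}:{PureWindowsPath(p["image"]).name}'
                      for p in reversed(chain)],
        })
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The rule fires once, on PID 2824, flags the SysWOW64/system32 mismatch, and names the Temp-directory executable as the origin of the chain; the vssadmin list and wmic os get records do not match because the regexes require the destructive verb as well as the tool name.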

Network

Two kinds of traffic are mixed in this table. The bing.com entries, the Microsoft endpoint 52.111.236.23 and the in-addr.arpa lookups are Windows background traffic and the sandbox's own reverse DNS, not attributable to the sample. The remaining hosts (www.2mmotorsport.biz, www.haargenau.biz, www.bizziniinfissi.com, www.holzbock.biz, www.schreiner-freiamt.ch, www.fliptray.biz, www.pizcam.com, www.swisswellness.com, www.hotelweisshorn.com, www.whitepod.com) are the sample's check-in list, tried one after another over port 80 and, for some, 443. They are compromised legitimate websites rather than attacker-owned infrastructure, the same list GandCrab 5 is known for: block them as indicators for this family, but do not read the site owners as the operators. The answers came from the sandbox's resolver (8.8.8.8), so the host names are more durable indicators than the IP addresses listed beside them.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.105:443 www.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.105:443 www.bing.com tcp
US 8.8.8.8:53 105.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:80 www.2mmotorsport.biz tcp
US 8.8.8.8:53 22.249.75.77.in-addr.arpa udp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 www.haargenau.biz udp
CH 217.26.53.161:80 www.haargenau.biz tcp
CH 217.26.53.161:80 www.haargenau.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 www.holzbock.biz udp
CH 94.126.20.68:80 www.holzbock.biz tcp
US 8.8.8.8:53 161.53.26.217.in-addr.arpa udp
CH 94.126.20.68:443 www.holzbock.biz tcp
US 8.8.8.8:53 68.20.126.94.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.schreiner-freiamt.ch udp
CH 94.126.20.68:443 www.schreiner-freiamt.ch tcp
US 8.8.8.8:53 www.fliptray.biz udp
US 8.8.8.8:53 www.pizcam.com udp
CH 195.15.227.239:80 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
US 8.8.8.8:53 239.227.15.195.in-addr.arpa udp
US 8.8.8.8:53 www.swisswellness.com udp
DE 83.138.86.12:80 www.swisswellness.com tcp
DE 83.138.86.12:80 www.swisswellness.com tcp
US 8.8.8.8:53 www.hotelweisshorn.com udp
HK 38.207.226.122:80 www.hotelweisshorn.com tcp
US 8.8.8.8:53 122.226.207.38.in-addr.arpa udp
HK 38.207.226.122:80 www.hotelweisshorn.com tcp
US 8.8.8.8:53 www.whitepod.com udp
CH 83.166.138.7:80 www.whitepod.com tcp
CH 83.166.138.7:80 www.whitepod.com tcp

Files

memory/2044-7-0x0000000000300000-0x0000000000328000-memory.dmp

memory/4236-8-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

memory/2044-1-0x0000000000300000-0x0000000000328000-memory.dmp

memory/2044-9-0x0000000000300000-0x0000000000328000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\QHAYLFWYQE-DECRYPT.txt

MD5 9dd775cab765e556d2575cc72be8413e
SHA1 853c8c1a6fe6f4afdf8d81db509a7d8956b3ab42
SHA256 69dd50f62dfd59fe019971c2a12e4bb0ac983953c33b417d5ad2b5aa0e9909fd
SHA512 241e00fac2e421010ae3f16ffce16ce96dd9ba59cb9933ae4d4a31aa8940749145cefb20f32026dadabca8bd2aa1d8af3eb064a191629cae2fe00e5f8e56e1aa

memory/2044-617-0x0000000000300000-0x0000000000328000-memory.dmp

memory/2044-620-0x0000000000300000-0x0000000000328000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 19:45

Reported

2024-05-08 19:48

Platform

win7-20240221-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (277) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ExpandDismount.mp4 C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\7c0a4d317c0a4adf40.lock C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\SRVTHRPTFE-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\7c0a4d317c0a4adf40.lock C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\FormatGrant.php C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PopUpdate.mpg C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\SRVTHRPTFE-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files\7c0a4d317c0a4adf40.lock C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DenyClose.xlsb C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ConvertFromSelect.zip C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ExitMerge.3gp2 C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\7c0a4d317c0a4adf40.lock C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\SRVTHRPTFE-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files\SRVTHRPTFE-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CheckpointInitialize.clr C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResolveOpen.html C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SendClear.txt C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\7c0a4d317c0a4adf40.lock C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\FormatWait.xlt C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\InitializePush.rmi C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RestoreUnregister.vbs C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UndoSkip.pub C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DebugWatch.htm C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ExitConvertTo.mov C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResetInstall.001 C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SkipRedo.avi C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\SRVTHRPTFE-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ConnectOpen.mpeg C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\InvokeRepair.pub C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PublishBlock.pptm C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResetUpdate.aifc C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\BlockMerge.wmx C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DismountRegister.vsdx C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan

The key name CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of ISRG Root X1, the Let's Encrypt root CA, and the DER certificate inside the Blob below carries that subject (the bytes 4953524720526f6f74205831 decode to "ISRG Root X1", with a validity of 2015-06-04 to 2035-06-04). The Windows 7 image does not ship that root, so when the sample's HTTPS connections first build a chain to it, CryptoAPI's automatic root update fetches the certificate and writes it to the machine store from inside the calling process, which is why the write is attributed to the sample. It is a side effect of the network activity, not an attacker-installed root, and on its own does not support the evasion, spyware or trojan tags attached to the signature. The same run on Windows 10 (behavioral2) did not produce this hit.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe N/A
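Whenever a certificate-store write appears in a report, the check worth doing is to decode the Blob, recompute the thumbprint and read the subject, rather than trusting the signature's tags. The following is an added example by the editor, not code from the sandbox: a standard-library-only decoder for the CryptoAPI Blob format (the documented CERT_*_PROP_ID record layout) applied to the value above, with the report's two wrapped hex lines joined. It confirms that the SHA-1 of the embedded DER matches the registry key name, that the MD5 and SHA-1 properties inside the Blob agree with the certificate, and that the subject is ISRG Root X1 issued in June 2015. The small DER walker is the editor's and reads only the fields needed here.

```python
"""Decode a CryptoAPI certificate-store "Blob" registry value (added example,
not part of the sandbox report). Windows caches each certificate under
SystemCertificates\<store>\Certificates\<SHA-1 thumbprint> as a Blob of
property records:  DWORD propid | DWORD reserved (=1) | DWORD length | data.
Property 0x20 holds the DER certificate; 3 and 4 hold its SHA-1 and MD5.
Stdlib only; the DER walker reads just validity and the subject CN.
BLOB_HEX is the value from the Windows 7 run with the report's two wrapped
lines joined; KEY_NAME is the registry key it was written under."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID, CERT_MD5_HASH_PROP_ID, CERT_CERT_PROP_ID = 3, 4, 0x20
ID_AT_COMMON_NAME = b"\x55\x04\x03"

KEY_NAME = "CABD2A79A1076A31F21D253635CB039D4329A5E8"
BLOB_HEX = (
    "0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e"          # prop 4: MD5
    "14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e"  # prop 20: key id
    "030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e8"  # prop 3: SHA-1
    "0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63"
    "1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6"
    "20000000010000006f050000"                                          # prop 0x20: 1391-byte DER
    "3082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00"
    "300d06092a864886f70d01010b0500"
    "304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831"
    "301e170d3135303630343131303433385a170d3335303630343131303433385a"
    "304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831"
    "30820222300d06092a864886f70d01010105000382020f003082020a0282020100"
    "ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832e"
    "d149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e5020798"
    "8f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512"
    "fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f"
    "0203010001"
    "a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100"
    "551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff2"
    "8a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebe"
    "d77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f2"
    "2de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827"
)


def parse_blob(blob: bytes) -> dict:
    """Walk the property records; returns {propid: data}."""
    props, off = {}, 0
    while off < len(blob):
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property {propid:#x} at offset {off - 12}")
        props[propid] = blob[off:off + length]
        off += length
    return props


def der_tlv(buf: bytes, off: int):
    """Return (tag, value_start, value_end) for the DER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length


def der_children(buf: bytes, start: int, end: int):
    while start < end:
        tag, vs, ve = der_tlv(buf, start)
        yield tag, vs, ve
        start = ve


def tbs_fields(cert: bytes) -> list:
    """Children of tbsCertificate with the optional [0] version dropped."""
    _, cert_s, _ = der_tlv(cert, 0)
    _, tbs_s, tbs_e = der_tlv(cert, cert_s)
    fields = list(der_children(cert, tbs_s, tbs_e))
    return fields[1:] if fields[0][0] == 0xA0 else fields


def subject_cn(cert: bytes) -> str:
    _, name_s, name_e = tbs_fields(cert)[4]             # serial, sigAlg, issuer, validity, subject
    for _, rdn_s, rdn_e in der_children(cert, name_s, name_e):        # SET OF
        for _, atv_s, atv_e in der_children(cert, rdn_s, rdn_e):      # SEQUENCE {oid, value}
            (_, o_s, o_e), (_, v_s, v_e) = der_children(cert, atv_s, atv_e)
            if cert[o_s:o_e] == ID_AT_COMMON_NAME:
                return cert[v_s:v_e].decode("utf-8")
    return ""


def not_before(cert: bytes) -> str:
    _, val_s, val_e = tbs_fields(cert)[3]
    _, nb_s, nb_e = next(der_children(cert, val_s, val_e))
    return cert[nb_s:nb_e].decode("ascii")               # UTCTime, YYMMDDhhmmssZ


def describe(key_name: str, blob_hex: str) -> dict:
    props = parse_blob(bytes.fromhex(blob_hex))
    cert = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(cert).hexdigest()
    return {
        "subject_cn": subject_cn(cert),
        "not_before": not_before(cert),
        "sha1": sha1,
        "key_name_matches_sha1": sha1 == key_name.lower(),
        "sha1_prop_matches": props[CERT_SHA1_HASH_PROP_ID].hex() == sha1,
        "md5_prop_matches": props[CERT_MD5_HASH_PROP_ID].hex() == hashlib.md5(cert).hexdigest(),
        "property_ids": sorted(props),
    }
```

Run describe(KEY_NAME, BLOB_HEX) and compare the returned sha1 against a trusted list of root thumbprints; a value you cannot match to a public CA, or a key name that does not equal the recomputed SHA-1, is the case that deserves the evasion tag.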

Suspicious use of AdjustPrivilegeToken

As in the Windows 10 run, these are wmic.exe and vssvc.exe adjusting their own tokens, so the notable fact is that the sample launched wmic.exe, not the privilege calls. Tokens 33 to 35 are the unresolved LUIDs SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege; token 36 (SeDelegateSessionUserImpersonatePrivilege) exists only from Windows 10, which is why it is absent from this Windows 7 run.

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe
PID 1284 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe
PID 1284 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe
PID 1284 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe
PID 1284 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe
PID 1284 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe
PID 2456 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2456 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2456 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2456 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
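The rows above carry two patterns worth separating: the sample writing six times into a child that runs the same image (the shape of hollowing-style self-injection), and the child then writing four times into wmic.exe. Note that the table lists PID 1284 as the sample in the first six rows and as wmic.exe in the last four, which is what PID reuse looks like after the first process exits. The following Python is an added example, not part of the sandbox report; it re-encodes those rows as constructed input and keys every process on (pid, image) so that a reused PID is not misread as "child writes back into its parent".

```python
"""Classify the report's "PID X wrote to memory of Y" rows.

Added example; not part of the sandbox report. EVENTS is constructed from the
WriteProcessMemory table (same PIDs, images and counts).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe"
WMIC = r"C:\Windows\SysWOW64\wbem\wmic.exe"


@dataclass(frozen=True)
class WriteEvent:
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


# Constructed input: six parent->child writes, then four writes into wmic.exe.
EVENTS = [WriteEvent(1284, SAMPLE, 2456, SAMPLE)] * 6 + [WriteEvent(2456, SAMPLE, 1284, WMIC)] * 4

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SELF_INJECTION = "self-injection: writer and target share an image path (hollowing-style)"
SYSTEM_BINARY = "write into a Windows system binary"
OTHER = "cross-process write"


def classify(events):
    """Map each distinct (writer, target) pair to (count, verdict).

    Keys are ((src_pid, src_image), (dst_pid, dst_image)) with images lowercased,
    so a PID that is reused by a different image becomes a different key.
    """
    pairs = Counter(
        ((e.src_pid, e.src_image.lower()), (e.dst_pid, e.dst_image.lower())) for e in events
    )
    verdicts = {}
    for (src, dst), n in pairs.items():
        if src[1] == dst[1]:
            why = SELF_INJECTION
        elif dst[1].startswith(SYSTEM_DIRS):
            why = SYSTEM_BINARY
        else:
            why = OTHER
        verdicts[(src, dst)] = (n, why)
    return verdicts


def pid_reuse(events):
    """PIDs seen with more than one image: evidence that PID alone is not an identity."""
    images = defaultdict(set)
    for e in events:
        images[e.src_pid].add(e.src_image.lower())
        images[e.dst_pid].add(e.dst_image.lower())
    return {pid: imgs for pid, imgs in images.items() if len(imgs) > 1}


if __name__ == "__main__":
    for (src, dst), (n, why) in classify(EVENTS).items():
        print(f"{src[0]} -> {dst[0]} x{n}: {why}")
    print("PIDs seen with more than one image:", sorted(pid_reuse(EVENTS)))
```

Run against the report's rows, `classify` yields exactly two pairs (the self-injection and the write into wmic.exe) and `pid_reuse` returns PID 1284 with both images. In live telemetry, key on the process creation time or a process GUID in addition to the PID for the same reason.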

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
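The process tree above ends in the classic ransomware step: wmic.exe is launched with "shadowcopy delete" and vssvc.exe wakes up to serve it. Two details matter for detection. The command line names C:\Windows\system32\wbem\wmic.exe, but the image that ran is the SysWOW64 copy because the caller is a 32-bit process, so a rule that matches the full path in either field will miss one of them. And the parent is an executable in the user's Temp directory, which is the context that turns an administrative command into a finding. The Python below is an added example, not part of the report; its records are constructed in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage), with the first record mirroring the report's wmic row and the rest showing the same rule covering other shadow-copy deletion tools.

```python
"""Detect shadow-copy deletion in process-creation telemetry.

Added example; not part of the sandbox report. RECORDS are constructed in a
Sysmon Event ID 1 shape. The rule matches on the image basename, never the
full path, because WoW64 redirection makes the on-disk path differ from the
one written in the command line.
"""
import re

# (image basename, regex over the lowercased command line, label)
PATTERNS = [
    ("wmic.exe", re.compile(r"\bshadowcopy\b.*\bdelete\b"), "wmic shadowcopy delete"),
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b"), "vssadmin delete shadows"),
    ("vssadmin.exe", re.compile(r"\bresize\s+shadowstorage\b.*\bmaxsize\b"), "vssadmin resize shadowstorage"),
    ("wbadmin.exe", re.compile(r"\bdelete\s+catalog\b"), "wbadmin delete catalog"),
    ("powershell.exe", re.compile(r"win32_shadowcopy.*(\bdelete\b|remove-wmiobject|remove-ciminstance)"),
     "PowerShell Win32_ShadowCopy removal"),
    ("bcdedit.exe", re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
     "bcdedit disables recovery"),
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
PARENT_NOTE = "parent image lives in a user-writable directory"


def basename(path):
    """Last path component, lowercased; tolerates forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(record):
    """Return the labels that fire for one record (empty list means no finding)."""
    image = basename(record["Image"])
    cmdline = record["CommandLine"].lower()
    hits = [label for img, rx, label in PATTERNS if image == img and rx.search(cmdline)]
    # Context only matters once a deletion pattern fired: a backup job run by an
    # admin from System32 is not the same finding as one spawned from Temp.
    if hits and any(d in record.get("ParentImage", "").lower() for d in USER_WRITABLE):
        hits.append(PARENT_NOTE)
    return hits


# Constructed records: the report's wmic row, a benign wmic query, and two
# other deletion tools in the same telemetry shape.
RECORDS = [
    {"Image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "CommandLine": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\266d4e7af0ece9c25de82bf6b2acd2f7_JaffaCakes118.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption,version",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def scan(records):
    """Index -> labels for every record that fires."""
    findings = {}
    for i, r in enumerate(records):
        hits = detect(r)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for i, hits in scan(RECORDS).items():
        print(i, RECORDS[i]["CommandLine"], "->", "; ".join(hits))
```

The report's row fires twice (the deletion itself and the Temp-directory parent), the benign "wmic os get" query stays silent, and the vssadmin and PowerShell variants fire on their own patterns. Shadow-copy deletion through the VSS COM API directly, which the "Uses Volume Shadow Copy service COM API" signature above also records, leaves no command line at all and needs an API-level or vssvc.exe-activity signal instead.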

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:80 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 www.haargenau.biz udp
CH 217.26.53.161:80 www.haargenau.biz tcp
CH 217.26.53.161:80 www.haargenau.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 www.holzbock.biz udp
CH 94.126.20.68:80 www.holzbock.biz tcp
CH 94.126.20.68:443 www.holzbock.biz tcp
US 8.8.8.8:53 www.schreiner-freiamt.ch udp
CH 94.126.20.68:443 www.schreiner-freiamt.ch tcp
US 8.8.8.8:53 www.fliptray.biz udp
US 8.8.8.8:53 www.pizcam.com udp
CH 195.15.227.239:80 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
US 8.8.8.8:53 www.swisswellness.com udp
DE 83.138.86.12:80 www.swisswellness.com tcp
DE 83.138.86.12:80 www.swisswellness.com tcp
US 8.8.8.8:53 www.hotelweisshorn.com udp
HK 38.207.226.122:80 www.hotelweisshorn.com tcp
HK 38.207.226.122:80 www.hotelweisshorn.com tcp
US 8.8.8.8:53 www.whitepod.com udp
CH 83.166.138.7:80 www.whitepod.com tcp
CH 83.166.138.7:80 www.whitepod.com tcp
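Before turning the table above into block rules it is worth separating names that were only resolved from hosts that were actually contacted, and spotting IPs that front more than one of the domains. The Python below is an added example, not part of the report; NETWORK_ROWS is the report's own table pasted as constructed input in its "country destination domain proto" layout, and the only assumption is that UDP/53 traffic to 8.8.8.8 is the sandbox's resolver rather than a command-and-control channel.

```python
"""Split a sandbox network table into DNS-only names, contacted hosts and shared IPs.

Added example; not part of the report. NETWORK_ROWS is the report's network
table as constructed input. RESOLVERS is an assumption about the sandbox.
"""
from collections import defaultdict

NETWORK_ROWS = """
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:80 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 www.haargenau.biz udp
CH 217.26.53.161:80 www.haargenau.biz tcp
CH 217.26.53.161:80 www.haargenau.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 www.holzbock.biz udp
CH 94.126.20.68:80 www.holzbock.biz tcp
CH 94.126.20.68:443 www.holzbock.biz tcp
US 8.8.8.8:53 www.schreiner-freiamt.ch udp
CH 94.126.20.68:443 www.schreiner-freiamt.ch tcp
US 8.8.8.8:53 www.fliptray.biz udp
US 8.8.8.8:53 www.pizcam.com udp
CH 195.15.227.239:80 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
US 8.8.8.8:53 www.swisswellness.com udp
DE 83.138.86.12:80 www.swisswellness.com tcp
DE 83.138.86.12:80 www.swisswellness.com tcp
US 8.8.8.8:53 www.hotelweisshorn.com udp
HK 38.207.226.122:80 www.hotelweisshorn.com tcp
HK 38.207.226.122:80 www.hotelweisshorn.com tcp
US 8.8.8.8:53 www.whitepod.com udp
CH 83.166.138.7:80 www.whitepod.com tcp
CH 83.166.138.7:80 www.whitepod.com tcp
"""

RESOLVERS = {"8.8.8.8"}  # assumed sandbox resolver


def parse(rows):
    """One dict per table row; the destination column is split into ip and port."""
    records = []
    for line in rows.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        records.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return records


def triage(rows):
    looked_up = set()
    contacted = defaultdict(set)  # domain -> {(ip, port)}
    for r in parse(rows):
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] in RESOLVERS:
            looked_up.add(r["domain"])
        else:
            contacted[r["domain"]].add((r["ip"], r["port"]))
    ip_to_domains = defaultdict(set)
    for domain, endpoints in contacted.items():
        for ip, _ in endpoints:
            ip_to_domains[ip].add(domain)
    return {
        # resolved but never connected: the name is still an indicator, the IP is not
        "dns_only": sorted(looked_up - set(contacted)),
        "contacted": {d: sorted(e) for d, e in contacted.items()},
        "block_ips": sorted(ip_to_domains),
        # one IP serving several of the domains: blocking it is a hosting-provider block
        "shared_ips": {ip: sorted(d) for ip, d in ip_to_domains.items() if len(d) > 1},
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print("DNS only:", result["dns_only"])
    print("Block IPs:", result["block_ips"])
    print("Shared IPs:", result["shared_ips"])
```

On the report's rows, www.bizziniinfissi.com and www.fliptray.biz were resolved but never contacted, eight domains were reached over seven distinct IPs, and 94.126.20.68 fronts both www.holzbock.biz and www.schreiner-freiamt.ch, so an IP-level block there also cuts off a second site on the same host.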

Files

memory/1284-0-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2456-1-0x0000000000080000-0x00000000000A8000-memory.dmp

memory/2456-12-0x0000000000080000-0x00000000000A8000-memory.dmp

memory/2456-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2456-3-0x0000000000080000-0x00000000000A8000-memory.dmp

memory/2456-14-0x0000000000080000-0x00000000000A8000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\SRVTHRPTFE-DECRYPT.txt

MD5 600da32977281e97f3d236a01ef2b047
SHA1 18efa0304e8f9b3a12e01bd0b6555f5a0360fb87
SHA256 ea836c1b9406461da7a083a0432a32f9c0fa95043cf5c63f01af23c5b7a25543
SHA512 047edb2204f8c9e356a03a70b2951e3bea8f5217ca092c78379daa5ff75e50f4251c0ed4ce0235ffbcb2cefaa6f0dae692e96ec08eab4170635017a5a62c712d

memory/2456-205-0x0000000000080000-0x00000000000A8000-memory.dmp

memory/2456-729-0x0000000000080000-0x00000000000A8000-memory.dmp