Overview (score 10)
Static (score 3)
Behavioral tasks (target, platform, score):
  31318ee805...18.exe    windows7-x64          10
  31318ee805...18.exe    windows10-2004-x64    10
  $PLUGINSDI...ns.dll    windows7-x64          3
  $PLUGINSDI...ns.dll    windows10-2004-x64    3
  $PLUGINSDI...em.dll    windows7-x64          3
  $PLUGINSDI...em.dll    windows10-2004-x64    3
  403-3.htm              windows7-x64          1
  403-3.htm              windows10-2004-x64    1
  HelpButton.dll         windows7-x64          3
  HelpButton.dll         windows10-2004-x64    3
Analysis
max time kernel: 151s
max time network: 168s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 10-05-2024 21:48
Static task static1
Behavioral task behavioral1: sample 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe, resource win10v2004-20240508-en
Behavioral task behavioral3: sample $PLUGINSDIR/InstallOptions.dll, resource win7-20240215-en
Behavioral task behavioral4: sample $PLUGINSDIR/InstallOptions.dll, resource win10v2004-20240426-en
Behavioral task behavioral5: sample $PLUGINSDIR/System.dll, resource win7-20240419-en
Behavioral task behavioral6: sample $PLUGINSDIR/System.dll, resource win10v2004-20240426-en
Behavioral task behavioral7: sample 403-3.htm, resource win7-20231129-en
Behavioral task behavioral8: sample 403-3.htm, resource win10v2004-20240508-en
Behavioral task behavioral9: sample HelpButton.dll, resource win7-20240508-en
Behavioral task behavioral10: sample HelpButton.dll, resource win10v2004-20240508-en
General
Target: 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
Size: 257KB
MD5: 31318ee80570c7168708575f032ac63f
SHA1: 82a8589abd62b469c4ec3c454434a75a63f8b2c6
SHA256: 849b68c42ca9935f63aea47b02a730b64d0dcb9897e589fee3f64175bc592d84
SHA512: bd0e851945ad1b2fd726976e5f03f4fad934f598cb8d936c59922afeb8e2cb575dc1a20a008bede70db26f4d6a91eb73d822539c59da7f5975e4244bc65440bc
SSDEEP: 6144:ewHysO+dCW3EWXJ44UMa6ZhZoXtMQJCIEFTcdGwJ:VO+EW3TXiNMlSXOQJpAcIwJ
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.txt
Extracted
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html
Signatures

Cerber (2 IoCs)
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Processes:
  description | ioc | process
  Mutant opened | shell.{0CB58E3A-4515-A5AD-2ECC-9037963119C9} | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  Mutant created | shell.{0CB58E3A-4515-A5AD-2ECC-9037963119C9} | makecab.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | makecab.exe

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  pid | process
  2136 | bcdedit.exe
  2824 | bcdedit.exe

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\makecab.exe\"" | makecab.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\makecab.exe\"" | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe

Contacts a large (514) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Deletes itself (1 IoC)
Processes:
  pid | process
  2224 | cmd.exe

Drops startup file (1 IoC)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\makecab.lnk | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  2348 | makecab.exe
  1200 | makecab.exe

Loads dropped DLL (5 IoCs)
Processes:
  pid | process
  2056 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  2056 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  2656 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  2348 | makecab.exe
  2348 | makecab.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\makecab = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\makecab.exe\"" | makecab.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\makecab = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\makecab.exe\"" | makecab.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\makecab = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\makecab.exe\"" | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\makecab = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\makecab.exe\"" | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | makecab.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  3 | ip-api.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC311.bmp" | makecab.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 2056 set thread context of 2656 | 2056 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  PID 2348 set thread context of 1200 | 2348 | makecab.exe | makecab.exe

Drops file in Program Files directory (15 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.html | makecab.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.txt | makecab.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.ini | makecab.exe
  File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html | makecab.exe
  File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.vbs | makecab.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE | makecab.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml | makecab.exe
  File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.url | makecab.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE | makecab.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.vbs | makecab.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE | makecab.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE | makecab.exe
  File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.txt | makecab.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE | makecab.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.url | makecab.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (2 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe | nsis_installer_1
  \Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe | nsis_installer_2

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  2740 | vssadmin.exe

Kills process with taskkill (2 IoCs)
Processes:
  pid | process
  1068 | taskkill.exe
  1344 | taskkill.exe

Modifies Control Panel (4 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\makecab.exe\"" | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop | makecab.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\makecab.exe\"" | makecab.exe

Runs ping.exe (1 TTP, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  1200 | makecab.exe (every one of the 64 entries is this same pid and process)

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2656 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1068 | taskkill.exe
  Token: SeDebugPrivilege | 1200 | makecab.exe
  Token: SeBackupPrivilege | 772 | vssvc.exe
  Token: SeRestorePrivilege | 772 | vssvc.exe
  Token: SeAuditPrivilege | 772 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 2332 | wmic.exe
  Token: SeSecurityPrivilege | 2332 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2332 | wmic.exe
  Token: SeLoadDriverPrivilege | 2332 | wmic.exe
  Token: SeSystemProfilePrivilege | 2332 | wmic.exe
  Token: SeSystemtimePrivilege | 2332 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 2332 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 2332 | wmic.exe
  Token: SeCreatePagefilePrivilege | 2332 | wmic.exe
  Token: SeBackupPrivilege | 2332 | wmic.exe
  Token: SeRestorePrivilege | 2332 | wmic.exe
  Token: SeShutdownPrivilege | 2332 | wmic.exe
  Token: SeDebugPrivilege | 2332 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 2332 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 2332 | wmic.exe
  Token: SeUndockPrivilege | 2332 | wmic.exe
  Token: SeManageVolumePrivilege | 2332 | wmic.exe
  Token: 33 | 2332 | wmic.exe
  Token: 34 | 2332 | wmic.exe
  Token: 35 | 2332 | wmic.exe
  (the 20 wmic.exe entries above appear twice in the recorded sequence, giving the total of 46)

Suspicious use of WriteProcessMemory (62 IoCs)
Processes:
  description | pid | process | target process | times recorded
  PID 2056 wrote to memory of 2656 | 2056 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe | 11
  PID 2656 wrote to memory of 2348 | 2656 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe | makecab.exe | 4
  PID 2656 wrote to memory of 2224 | 2656 | 31318ee80570c7168708575f032ac63f_JaffaCakes118.exe | cmd.exe | 4
  PID 2224 wrote to memory of 1068 | 2224 | cmd.exe | taskkill.exe | 4
  PID 2224 wrote to memory of 1912 | 2224 | cmd.exe | PING.EXE | 4
  PID 2348 wrote to memory of 1200 | 2348 | makecab.exe | makecab.exe | 11
  PID 1200 wrote to memory of 2740 | 1200 | makecab.exe | vssadmin.exe | 4
  PID 1200 wrote to memory of 2332 | 1200 | makecab.exe | wmic.exe | 4
  PID 1200 wrote to memory of 2136 | 1200 | makecab.exe | bcdedit.exe | 4
  PID 1200 wrote to memory of 2824 | 1200 | makecab.exe | bcdedit.exe | 4
  PID 1200 wrote to memory of 2212 | 1200 | makecab.exe | iexplore.exe | 4
  PID 1200 wrote to memory of 2688 | 1200 | makecab.exe | NOTEPAD.EXE | 4

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by parent/child depth)

C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
      - Cerber
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies Control Panel
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe
          Command line: "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe
              Command line: "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe"
              - Cerber
              - Modifies visibility of hidden/system files in Explorer
              - Adds policy Run key to start application
              - Executes dropped EXE
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Sets desktop wallpaper using registry
              - Drops file in Program Files directory
              - Modifies Control Panel
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\vssadmin.exe
                  Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
                  - Interacts with shadow copies
                C:\Windows\system32\wbem\wmic.exe
                  Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
                  - Suspicious use of AdjustPrivilegeToken
                C:\Windows\System32\bcdedit.exe
                  Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
                  - Modifies boot configuration data using bcdedit
                C:\Windows\System32\bcdedit.exe
                  Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
                  - Modifies boot configuration data using bcdedit
                C:\Program Files\Internet Explorer\iexplore.exe
                  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
                    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
                C:\Windows\system32\NOTEPAD.EXE
                  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
                C:\Windows\System32\WScript.exe
                  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                C:\Windows\system32\cmd.exe
                  Command line: /d /c taskkill /f /im "makecab.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe" > NUL
                    C:\Windows\system32\taskkill.exe
                      Command line: taskkill /f /im "makecab.exe"
                      - Kills process with taskkill
                    C:\Windows\system32\PING.EXE
                      Command line: ping -n 1 127.0.0.1
                      - Runs ping.exe
        C:\Windows\SysWOW64\cmd.exe
          Command line: /d /c taskkill /f /im "31318ee80570c7168708575f032ac63f_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe" > NUL
          - Deletes itself
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im "31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\PING.EXE
              Command line: ping -n 1 127.0.0.1
              - Runs ping.exe
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x52c
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
  Indicator Removal (2)
    File Deletion (2)
Downloads (dropped and written files, with recorded size)
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html (19KB)
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.txt (10KB)
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.url (90B)
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.vbs (252B)
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6F744CE1-0F17-11EF-9960-CAFA5A0A62FD}.dat (5KB)
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\json[1].json (297B)
C:\Users\Admin\AppData\Roaming\403-3.htm (1KB)
C:\Users\Admin\AppData\Roaming\ChiPollywog.9mW (79KB)
C:\Users\Admin\AppData\Roaming\HelpButton.dll (no size recorded; MD5 d41d8cd98f00b204e9800998ecf8427e, which is the hash of empty input)
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\makecab.lnk (1KB)
C:\Users\Admin\AppData\Roaming\Phenothiazine.aLp (4KB)
C:\Users\Admin\AppData\Roaming\eclipse.plugin.provider.xml (1KB)
C:\Users\Admin\AppData\Roaming\eclipse.plugin.provider.xml (914B)
\Users\Admin\AppData\Local\Temp\nsjD902.tmp\System.dll (11KB)
\Users\Admin\AppData\Roaming\HelpButton.dll (68KB)
\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe (257KB; MD5 31318ee80570c7168708575f032ac63f, identical to the submitted sample)