Analysis

  • max time kernel
    147s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-05-2024 19:47

General

  • Target

    3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe

  • Size

    170KB

  • MD5

    3bc88ab2dae5dd7dc924b64e45a5e831

  • SHA1

    abae00114caf6af0927deae70295a62adb8737e7

  • SHA256

    22b08a645804b31fa9c5c3b99c45bf1abe15a10ad9fe49256e6397b4cea90186

  • SHA512

    96e7df730b4316a28d1682b28d81b32c99c877b1dad363f060cd73b512c6e407b3a8e92988b0ce9bdc681d3f08612d0dcd229af93c115082f49fbf6c50b1ff97

  • SSDEEP

    3072:t8Dsp+FNX1dFOvDlXJulh1l5Hw1PaxwJSY3pS7q/y/Ds1xZ0TAxiFK2HkoHd:t8dNXSElh1lxq7ZpQqa/ExZ0WiEQkw

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #Cerber_Ransomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F | | 2. http://cerberhhyed5frqa.onion.cab/F397-60EA-D90A-0291-1C1F | | 3. http://cerberhhyed5frqa.onion.nu/F397-60EA-D90A-0291-1C1F | | 4. 
http://cerberhhyed5frqa.onion.link/F397-60EA-D90A-0291-1C1F | | 5. http://cerberhhyed5frqa.tor2web.org/F397-60EA-D90A-0291-1C1F |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/F397-60EA-D90A-0291-1C1F | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F

http://cerberhhyed5frqa.onion.cab/F397-60EA-D90A-0291-1C1F

http://cerberhhyed5frqa.onion.nu/F397-60EA-D90A-0291-1C1F

http://cerberhhyed5frqa.onion.link/F397-60EA-D90A-0291-1C1F

http://cerberhhyed5frqa.tor2web.org/F397-60EA-D90A-0291-1C1F

http://cerberhhyed5frqa.onion/F397-60EA-D90A-0291-1C1F

Extracted

Path

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F" target="_blank">http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F</a></li> <li><a href="http://cerberhhyed5frqa.onion.cab/F397-60EA-D90A-0291-1C1F" target="_blank">http://cerberhhyed5frqa.onion.cab/F397-60EA-D90A-0291-1C1F</a></li> <li><a href="http://cerberhhyed5frqa.onion.nu/F397-60EA-D90A-0291-1C1F" target="_blank">http://cerberhhyed5frqa.onion.nu/F397-60EA-D90A-0291-1C1F</a></li> <li><a href="http://cerberhhyed5frqa.onion.link/F397-60EA-D90A-0291-1C1F" target="_blank">http://cerberhhyed5frqa.onion.link/F397-60EA-D90A-0291-1C1F</a></li> <li><a href="http://cerberhhyed5frqa.tor2web.org/F397-60EA-D90A-0291-1C1F" target="_blank">http://cerberhhyed5frqa.tor2web.org/F397-60EA-D90A-0291-1C1F</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F" target="_blank">http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet 
browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F" target="_blank">http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F" target="_blank">http://cerberhhyed5frqa.onion.to/F397-60EA-D90A-0291-1C1F</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/F397-60EA-D90A-0291-1C1F</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16389) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe
        "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe
          "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2320
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2204
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:668
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2272
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2464
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:472065 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2776
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
            PID:2644
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
            5⤵
            PID:2688
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "MuiUnattend.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe" > NUL
            5⤵
            PID:2044
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "MuiUnattend.exe"
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2268
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              6⤵
              • Runs ping.exe
              PID:1948
      • C:\Windows\SysWOW64\cmd.exe
        /d /c taskkill /t /f /im "3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe" > NUL
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2404
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /t /f /im "3bc88ab2dae5dd7dc924b64e45a5e831_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2904
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2636
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:288
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2428
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2452
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:2196

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    T1047 Windows Management Instrumentation (1)
  • Persistence
    T1547 Boot or Logon Autostart Execution (2)
    T1547.001 Registry Run Keys / Startup Folder (2)
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution (2)
    T1547.001 Registry Run Keys / Startup Folder (2)
  • Defense Evasion
    T1070 Indicator Removal (2)
    T1070.004 File Deletion (2)
    T1112 Modify Registry (4)
  • Credential Access
    T1552 Unsecured Credentials (1)
    T1552.001 Credentials In Files (1)
  • Discovery
    T1046 Network Service Discovery (2)
    T1082 System Information Discovery (2)
    T1018 Remote System Discovery (1)
  • Collection
    T1005 Data from Local System (1)
  • Impact
    T1490 Inhibit System Recovery (3)
    T1491 Defacement (1)

Downloads

  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
    Filesize

    10KB

    MD5

    dcdef4a832226e31054ba5a392c78549

    SHA1

    0257e4b02ec54a691fb25a2b391ffc063f8cbed1

    SHA256

    e1706dc82ba43cf99dbb68c2cfc4a80fb08a70701c3081bf0275afb2855a7b5e

    SHA512

    9c61a135a6b9a928f2ab3f22597c5f8d73659d9eb9e1347461156bca8d4d7d55519c0001f9543eabe4640e8d004787d9c6ad36f1957ece24315b97d3e60eebdc

  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
    Filesize

    83B

    MD5

    a42b14cd005245ba3a3fc50e2a834336

    SHA1

    8cbd1295eef95509e3665310276151104ec4cba3

    SHA256

    ed3cc55d39420547e23b9f93d6a2b7ec536052271d28573a69b793fa4b0ab378

    SHA512

    27ec033a22096207721fbe84ea4012d6dcac7a01d10a5efb3ae62fa492a6e567424502353a4dd171588d293be06d04aa72db2511970dd3f76d8504ff257ba8e4

  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
    Filesize

    219B

    MD5

    35a3e3b45dcfc1e6c4fd4a160873a0d1

    SHA1

    a0bcc855f2b75d82cbaae3a8710f816956e94b37

    SHA256

    8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934

    SHA512

    6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

  • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
    Filesize

    12KB

    MD5

    eed067f81c69135e85018c5d87e986ea

    SHA1

    06634661db59ee83da2355d3f511def22870061c

    SHA256

    5737919403c58ed50ad6a209e6db10f037ef6c0777c8449f0d416502a4e2ca0a

    SHA512

    b94a5fb422784af7c472d43aff74b1d6458c0d349ea4dbea7090bda1cc08ceb1f5d72733d8b5e06cc76b803aa4921a97c72002ef6da025220acf6a5d483208b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    bd6928fc5b122f77c08a0ee8643475f2

    SHA1

    9aa9b56b561ee2147baa0bbd0ea92810295207fb

    SHA256

    8ba679d2beab470a31b3df97024271adeef0c5596cb7672cde59c8e756639c2e

    SHA512

            a9e9db5a1a943ec87c16fc82133dc1fcd48c0154b90fb49d69e6b3f872d3db7fa64df13213c7c6b8e4c6cb51e0ee9b7e6fe969201ad54f3c0d816227384025df

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            25d818b84049f20eb6dce8d77193f38f

            SHA1

            850e01b34ee4cc50f50c4fa17833845f13e04ef7

            SHA256

            1687915b7aed1ebefb595d7dc7edfe9168eebe576bc47baf906b378a4ec596be

            SHA512

            bb0d423f2953fb4072d32a48f7690eca05ab2bb9b67560e9510a97c3b705e94b0b56b811c4237cff837bdcba8060068432ff242ae761d02ec94086a85d1b7192

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            cc320f4b7afc4d45c34277e764c1e230

            SHA1

            9b4fcb330a7d26bbadf0fdf29ed7f0d89488ad09

            SHA256

            3535c0a4f472bc535a94f2987076da586d04882618db072097268ae86d1436d7

            SHA512

            e8153af9c7f757201bc3aacd55847fb1ae1261db8a0a62b0dac628263b068c76c4895185e5c6e851675351ba3f3f7641d60323063f012c1db8a0593a8169a1bd

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            f4d6219610811d9d9d80991e591e200e

            SHA1

            f29d1b03578b36fe382edb2f9ec72b38671229d9

            SHA256

            d6df74653209156b58e545a5014e4f91849e4e3fbf48a92a2239825147df8169

            SHA512

            2d7dac56cb007bead0e749e2e7014a8895a17fc8101b058bde90e74c328b274e3f4c3b8c8bd80ed5ef99b7e29c383fd6d396f3e375fb31bec7cf0c2075c9314b

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            cbdb0b17cdc94e36a755c8b1bc2b99ba

            SHA1

            1d1c429bc1b444e6f5e1ba2276e66ada6b62beed

            SHA256

            d65eb9232c44ad1d736edc5e60d68a209537ce1afbdb62b82aa3fcdce1cfd585

            SHA512

            78efa1eb4f2be37054419ddf947df03adca89d681af051680e49b8e43601521bf12a12817902222f1c0ad3f1a715c4c3434a53ddc35fed7a2168509badbf01b8

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            61921e4395a8f7bf9852ae2e1c4b4c92

            SHA1

            734a9652417f88441193bb7e3a765993d70560f4

            SHA256

            acfd8b95249a8b4579f92fc9d46c8bd7569d5550fbe403edb67edb25ea51c1be

            SHA512

            27f2d128c9c4f56539c176da55c2af14c4a295c4dd85be7f4601be897f25879b0b8023fc9942b07ce29bd91a386511348246f3293772957572af387cba6ed05b

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            0a2891fe3e8a9321e81bbe84a25f87a2

            SHA1

            7b15ae984df1441ab52621e6cb8d1855b944ecca

            SHA256

            7d88f97a31f6da63f11830ce0fb07651571c77d8e88bbf5dfc3debf8b9585a4e

            SHA512

            05c0587ba9fe1f58b241c163051debe9fab8c36d4e14a5d4ccaf90277dcc130933d948293610097497b6b562055fc406f5eb867729ba70fcf7d383bcc00dc684

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            e874a45d288e95dbce598fc2cd6ff03e

            SHA1

            0851a631401d891db27a7f7fe25c6b58490b187f

            SHA256

            d9d10e7879825b76e8e79b1d942ca47595cb003daeda8e18a9738e6ccca8aedc

            SHA512

            c0096519a28d2eba3a3bf84e90e55d152cbf24cb64a1095411f4b3a9e55cdfd975fcba967ad9245ed3784b67a4f17dd94cd51db7ac7383db27b00f1d497ccb56

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            304B

            MD5

            299ab9b44697d42eee82a848a7dcc240

            SHA1

            e791972d9e07da596f93faefc9eccd18ea67d4b3

            SHA256

            02e8e0902716ba27608d041e4920a7908d2ae0fb078ad56bc0936b4123881cf0

            SHA512

            7c09c9535b65e55124c4bae029b0ee2a8a303bd8b0ba0f7afe886e07db00f350586cddc92038cbdd7a8b92da1090e4fe3b81d1cb83296bd1776015f55cb9c21f

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A25BBFD1-1098-11EF-82B1-CE167E742B8D}.dat
            Filesize

            5KB

            MD5

            cfbe17f82da3890c33964aa084775672

            SHA1

            8da7ab11b5c20df4f18d560df71b0c56315944b6

            SHA256

            5d3acaf5ae9a32371444c5e6b10ad36e0bfb0c81a0055601f7d50267515cd94a

            SHA512

            7f4f271a3bd068decae644b7a69c6c7b0047f5ed8a3b937de282622f2d36df212a54fe503f96dd3a3f0625816ef8c370dc8dddce4591d422482104deded0d111

          • C:\Users\Admin\AppData\Local\Temp\Cab846D.tmp
            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\Local\Temp\Cab853C.tmp
            Filesize

            68KB

            MD5

            29f65ba8e88c063813cc50a4ea544e93

            SHA1

            05a7040d5c127e68c25d81cc51271ffb8bef3568

            SHA256

            1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

            SHA512

            e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

          • C:\Users\Admin\AppData\Local\Temp\Tar8550.tmp
            Filesize

            177KB

            MD5

            435a9ac180383f9fa094131b173a2f7b

            SHA1

            76944ea657a9db94f9a4bef38f88c46ed4166983

            SHA256

            67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

            SHA512

            1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

          • C:\Users\Admin\AppData\Roaming\Lustreware.29L
            Filesize

            1KB

            MD5

            7d198b33fbcc5c4ca09364a1d403ba26

            SHA1

            c98ee26d73ae6348354592aee7171ae0b9a8126b

            SHA256

            0e1c39c1b96dfd186e1656afdd6faa70473c4e4165ed4a822feffa9aba3107ff

            SHA512

            0c0063f01c9e6cedaafc11a8b97fabe9c88862570ffd0af9345bebf0f754bd549a486fc622089efb74b8835b7f5fc2759624f80ea2d49b731749c7ac7e0d1112

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MuiUnattend.lnk
            Filesize

            1KB

            MD5

            6ca682edb76b2f4a31cef7980896721b

            SHA1

            f2e45fcf706200f4d4eb8847ba990f4e68521d31

            SHA256

            1686b161ea352ac9917614868f795a2f40741eefb54b50a522f7d14679bf7b2c

            SHA512

            cc605b8d181f32eb80e3d7fc844bcf2dcf3a77e239514565514b554a217379b4d71c67b037bcd84231a9f3f9e9e8a7ac073c26e635ee42437f419b471bc81ff5

          • C:\Users\Admin\AppData\Roaming\PuckBoutique.A
            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          • \Users\Admin\AppData\Local\Temp\nso1141.tmp\System.dll
            Filesize

            11KB

            MD5

            883eff06ac96966270731e4e22817e11

            SHA1

            523c87c98236cbc04430e87ec19b977595092ac8

            SHA256

            44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

            SHA512

            60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

          • \Users\Admin\AppData\Roaming\CDRom.dll
            Filesize

            26KB

            MD5

            f65d5bc68f1fb11619ba6b464913dce2

            SHA1

            b67b2d285b64209eaa6a7011f244992f39509d22

            SHA256

            7b342d996d54d971e4910d0a53e7b120a926c01a3fd173d98bf00e8d52e32af4

            SHA512

            331eeabf497202aff3dcf1c8c9545b9ee60a6f02c3cb13cd827410a9b0fa63f2c29896db2ab50c06abef8a31169490dc487021ecd4c3ba51acc011af61f2e769

          • \Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\MuiUnattend.exe
            Filesize

            170KB

            MD5

            3bc88ab2dae5dd7dc924b64e45a5e831

            SHA1

            abae00114caf6af0927deae70295a62adb8737e7

            SHA256

            22b08a645804b31fa9c5c3b99c45bf1abe15a10ad9fe49256e6397b4cea90186

            SHA512

            96e7df730b4316a28d1682b28d81b32c99c877b1dad363f060cd73b512c6e407b3a8e92988b0ce9bdc681d3f08612d0dcd229af93c115082f49fbf6c50b1ff97

          • memory/2092-23-0x000000006C980000-0x000000006C98F000-memory.dmp
            Filesize

            60KB

          • memory/2588-28-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2588-44-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2588-14-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2588-11-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2588-22-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2588-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
            Filesize

            4KB

          • memory/2588-18-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2588-16-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2588-12-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2588-26-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2588-29-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2764-75-0x0000000002FA0000-0x0000000002FA1000-memory.dmp
            Filesize

            4KB

          • memory/2764-70-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2764-71-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2764-468-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2764-470-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2764-73-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2764-80-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2764-77-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2764-78-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2764-83-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2764-82-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

          • memory/2940-67-0x000000006C980000-0x000000006C98F000-memory.dmp
            Filesize

            60KB