Overview (score 10)
Static (score 3)
Behavioral tasks (sample, platform, score):
- 3ce23461e1...18.exe, windows7-x64, 10
- 3ce23461e1...18.exe, windows10-2004-x64, 10
- $PLUGINSDI...ns.dll, windows7-x64, 3
- $PLUGINSDI...ns.dll, windows10-2004-x64, 3
- $PLUGINSDI...em.dll, windows7-x64, 3
- $PLUGINSDI...em.dll, windows10-2004-x64, 3
- NsResize.dll, windows7-x64, 1
- NsResize.dll, windows10-2004-x64, 3
Analysis
- max time kernel: 145s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-05-2024 22:47
Tasks (task, sample, resource):
- static1: static task
- behavioral1: 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe, win7-20231129-en
- behavioral2: 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe, win10v2004-20240508-en
- behavioral3: $PLUGINSDIR/InstallOptions.dll, win7-20240220-en
- behavioral4: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240508-en
- behavioral5: $PLUGINSDIR/System.dll, win7-20240221-en
- behavioral6: $PLUGINSDIR/System.dll, win10v2004-20240226-en
- behavioral7: NsResize.dll, win7-20240221-en
- behavioral8: NsResize.dll, win10v2004-20240426-en
General
- Target: 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe
- Size: 243KB
- MD5: 3ce23461e15c48785716ecef4a2f9be8
- SHA1: f8cb374c9d216f3859cd0e681ad79fb7e7e8f84d
- SHA256: af2c25f184a8542888750b7d150d955c638c3ee1633933b7262dcb6a1b82d0e2
- SHA512: eb9da01bba9f172c90b8c330f8b52c6534429c72bac6b65179564fe0e82f738b7233461220163d55a92b62d665cde82e1243cdcb9f3752271707ab6f56ef9a7c
- SSDEEP: 6144:MkyacpfMzk1+nQFGbjVXgyLB5NaLVtju0r0/fk4Xc/Be1H23:MkyfYk4nXbjVLLBGLVtjuf/fk40Q1H23
Malware Config
- Extracted: C:\Users\Admin\AppData\Roaming\# HELP DECRYPT #.html
- Extracted: C:\Users\Admin\AppData\Roaming\# HELP DECRYPT #.txt
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes (pid, process):
  - 532 bcdedit.exe
  - 1172 bcdedit.exe
- Contacts a large (528) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe)
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  - 408 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe (3 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8D76.bmp" (3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 408 set thread context of 1368: 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe -> 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe
- Drops file in Program Files directory (8 IoCs)
  Processes (description, ioc), all by 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe:
  - File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE
  - File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE
  - File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE
  - File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE
  - File created: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# HELP DECRYPT #.html
  - File created: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# HELP DECRYPT #.txt
  - File created: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# HELP DECRYPT #.url
  - File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, ioc), all by msedge.exe:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
  - 4396 vssadmin.exe
- Kills process with taskkill (1 IoC)
  Processes (pid, process):
  - 5116 taskkill.exe
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes (pid, process):
  - 1368 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe (16 events)
  - 1168 msedge.exe (2 events)
  - 4724 msedge.exe (2 events)
  - 2432 identity_helper.exe (2 events)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  Processes (pid, process):
  - 4724 msedge.exe (9 events)
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Processes (token, pid, process):
  - SeDebugPrivilege: 1368 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe
  - SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege: 5064 vssvc.exe
  - SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (each twice): 4632 WMIC.exe
  - 33, SeIncBasePriorityPrivilege: 4700 AUDIODG.EXE
  - SeDebugPrivilege: 5116 taskkill.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes (pid, process):
  - 4724 msedge.exe (25 events)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes (pid, process):
  - 4724 msedge.exe (24 events)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, process -> target process, event count):
  - PID 408 wrote to memory of 1368: 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe -> 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe (11)
  - PID 1368 wrote to memory of 4372: 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe -> cmd.exe (2)
  - PID 4372 wrote to memory of 4396: cmd.exe -> vssadmin.exe (2)
  - PID 4372 wrote to memory of 4632: cmd.exe -> WMIC.exe (2)
  - PID 4372 wrote to memory of 532: cmd.exe -> bcdedit.exe (2)
  - PID 4372 wrote to memory of 1172: cmd.exe -> bcdedit.exe (2)
  - PID 1368 wrote to memory of 4724: 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe -> msedge.exe (2)
  - PID 4724 wrote to memory of 716: msedge.exe -> msedge.exe (2)
  - PID 1368 wrote to memory of 1172: 3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe -> NOTEPAD.EXE (2)
  - PID 4724 wrote to memory of 3064: msedge.exe -> msedge.exe (37)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; bracketed number is the depth in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe"
    - Checks computer location settings
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies
      - [4] C:\Windows\system32\wbem\WMIC.exe
        Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\bcdedit.exe
        Command line: C:\Windows\system32\bcdedit.exe /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
      - [4] C:\Windows\system32\bcdedit.exe
        Command line: C:\Windows\system32\bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# HELP DECRYPT #.html
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3ab046f8,0x7ffa3ab04708,0x7ffa3ab04718
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4687768928159004247,6466458981641189769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
    - [3] C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# HELP DECRYPT #.txt
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.y12acl.bid/DB98-C1D2-6C07-0046-154C?auto
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3ab046f8,0x7ffa3ab04708,0x7ffa3ab04718
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - [4] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /im "3ce23461e15c48785716ecef4a2f9be8_JaffaCakes118.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\PING.EXE
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3e0 0x498
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- C:\Users\Admin\AppData\Local\Temp\nsw5823.tmp\System.dll (11KB)
- C:\Users\Admin\AppData\Roaming\# HELP DECRYPT #.html (19KB)
- C:\Users\Admin\AppData\Roaming\# HELP DECRYPT #.txt (10KB)
- C:\Users\Admin\AppData\Roaming\# HELP DECRYPT #.url (90B)
- C:\Users\Admin\AppData\Roaming\Chanson.c (177KB)
- C:\Users\Admin\AppData\Roaming\NsResize.dll (116KB)
- C:\Users\Admin\AppData\Roaming\forward_disabled.png (1KB)
- \??\pipe\LOCAL\crashpad_4724_NWWNERHOGFZKTJCS
Memory dumps (region, size):
- memory/408-12-0x0000000002090000-0x00000000020AE000-memory.dmp (120KB)
- memory/1368-748-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-772-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-26-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-742-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-745-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-25-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-751-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-754-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-757-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-760-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-763-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-766-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-769-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-27-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-775-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-778-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-781-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-784-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-787-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-792-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-22-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-21-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-20-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-821-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-18-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-19-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-17-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1368-15-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)