Analysis
  max time kernel: 150s
  max time network: 141s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 15-05-2024 18:58

Static task: static1

Behavioral task: behavioral1
  Sample: 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
  Target: 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
  Size: 204KB
  MD5: 47937d75be86ed7ab9c2048cee4bbaf4
  SHA1: d7eed8c49beca46ce4be3b376611f22a0351c09c
  SHA256: 911184d3633225146e3c57884f9c1a7ed7849b8e7e575a8b33de8fd42e745b66
  SHA512: 802a1196fae9bf3f3cb8dd9abdc359ef5bfa0728dec28d70033b3341f0e6eb6aee1560307f5f7553c1f38ba279de7d6ddce2e7370c1f5d7100fed8c539cdbae8
  SSDEEP: 3072:XA1yBUlytLJVM9yQGVTcuB4rdSQTDOkoycTXiv+5oN87KppRsqYaefim1:rBUlyzVM9yQGvwPXoyc+C7Kkaw
Malware Config
  Extracted from: C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt
  Family: cerber
  URLs:
    http://cerberhhyed5frqa.6oifgr.win/7107-1314-C425-0063-7F24
    http://cerberhhyed5frqa.xo59ok.win/7107-1314-C425-0063-7F24
    http://cerberhhyed5frqa.zx34jk.win/7107-1314-C425-0063-7F24
    http://cerberhhyed5frqa.rt4e34.win/7107-1314-C425-0063-7F24
    http://cerberhhyed5frqa.as13fd.win/7107-1314-C425-0063-7F24
    http://cerberhhyed5frqa.onion/7107-1314-C425-0063-7F24
  Extracted from: C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
Signatures

Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

Contacts a large (16402) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\cliconfg.exe\"" | 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\cliconfg.exe\"" | cliconfg.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | cliconfg.exe

Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cliconfg.lnk | 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cliconfg.lnk | cliconfg.exe

Executes dropped EXE (1 IoCs)
  pid | process
  1744 | cliconfg.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cliconfg = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\cliconfg.exe\"" | 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cliconfg = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\cliconfg.exe\"" | 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cliconfg = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\cliconfg.exe\"" | cliconfg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cliconfg = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\cliconfg.exe\"" | cliconfg.exe

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  6 | ipinfo.io

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA89F.bmp" | cliconfg.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | process
  3416 | vssadmin.exe

Kills process with taskkill (2 IoCs)
  pid | process
  4060 | taskkill.exe
  5352 | taskkill.exe

Modifies Control Panel (4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop | 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\cliconfg.exe\"" | 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop | cliconfg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\cliconfg.exe\"" | cliconfg.exe

Modifies registry class (1 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | cliconfg.exe

Runs ping.exe (1 TTPs, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid | process | occurrences
  1744 | cliconfg.exe | 36
  2152 | msedge.exe | 2
  4980 | msedge.exe | 2
  3260 | identity_helper.exe | 2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid | process | occurrences
  4980 | msedge.exe | 10

Suspicious use of AdjustPrivilegeToken (51 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2732 | 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1744 | cliconfg.exe
  Token: SeDebugPrivilege | 4060 | taskkill.exe
  Token: SeBackupPrivilege | 928 | vssvc.exe
  Token: SeRestorePrivilege | 928 | vssvc.exe
  Token: SeAuditPrivilege | 928 | vssvc.exe
  Each of the following 21 rows for pid 4640 wmic.exe was recorded twice:
  Token: SeIncreaseQuotaPrivilege | 4640 | wmic.exe
  Token: SeSecurityPrivilege | 4640 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4640 | wmic.exe
  Token: SeLoadDriverPrivilege | 4640 | wmic.exe
  Token: SeSystemProfilePrivilege | 4640 | wmic.exe
  Token: SeSystemtimePrivilege | 4640 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4640 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4640 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4640 | wmic.exe
  Token: SeBackupPrivilege | 4640 | wmic.exe
  Token: SeRestorePrivilege | 4640 | wmic.exe
  Token: SeShutdownPrivilege | 4640 | wmic.exe
  Token: SeDebugPrivilege | 4640 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4640 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4640 | wmic.exe
  Token: SeUndockPrivilege | 4640 | wmic.exe
  Token: SeManageVolumePrivilege | 4640 | wmic.exe
  Token: 33 | 4640 | wmic.exe
  Token: 34 | 4640 | wmic.exe
  Token: 35 | 4640 | wmic.exe
  Token: 36 | 4640 | wmic.exe
  Token: 33 | 3336 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3336 | AUDIODG.EXE
  Token: SeDebugPrivilege | 5352 | taskkill.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | process | occurrences
  4980 | msedge.exe | 25

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | process | occurrences
  4980 | msedge.exe | 24

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process | occurrences
  PID 2732 wrote to memory of 1744 | 2732 | 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe | cliconfg.exe | 3
  PID 2732 wrote to memory of 4188 | 2732 | 47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe | cmd.exe | 3
  PID 4188 wrote to memory of 4060 | 4188 | cmd.exe | taskkill.exe | 3
  PID 1744 wrote to memory of 3416 | 1744 | cliconfg.exe | vssadmin.exe | 2
  PID 4188 wrote to memory of 4476 | 4188 | cmd.exe | PING.EXE | 3
  PID 1744 wrote to memory of 4640 | 1744 | cliconfg.exe | wmic.exe | 2
  PID 1744 wrote to memory of 4980 | 1744 | cliconfg.exe | msedge.exe | 2
  PID 4980 wrote to memory of 2328 | 4980 | msedge.exe | msedge.exe | 2
  PID 1744 wrote to memory of 1512 | 1744 | cliconfg.exe | NOTEPAD.EXE | 2
  PID 4980 wrote to memory of 4860 | 4980 | msedge.exe | msedge.exe | 40
  PID 4980 wrote to memory of 2152 | 4980 | msedge.exe | msedge.exe | 2

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe"
  Signatures: Adds policy Run key to start application; Drops startup file; Adds Run key to start application; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\cliconfg.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\cliconfg.exe"
      Signatures: Adds policy Run key to start application; Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Sets desktop wallpaper using registry; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

        - C:\Windows\system32\vssadmin.exe
          Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
          Signatures: Interacts with shadow copies

        - C:\Windows\system32\wbem\wmic.exe
          Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
          Signatures: Suspicious use of AdjustPrivilegeToken

        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb58f046f8,0x7ffb58f04708,0x7ffb58f04718

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
              Signatures: Suspicious behavior: EnumeratesProcesses

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

            - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8

            - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8
              Signatures: Suspicious behavior: EnumeratesProcesses

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9367223659108669023,14133366994136178577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1

        - C:\Windows\system32\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.6oifgr.win/7107-1314-C425-0063-7F24

            - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb58f046f8,0x7ffb58f04708,0x7ffb58f04718

        - C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"

        - C:\Windows\system32\cmd.exe
          Command line: /d /c taskkill /t /f /im "cliconfg.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\cliconfg.exe" > NUL

            - C:\Windows\system32\taskkill.exe
              Command line: taskkill /t /f /im "cliconfg.exe"
              Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

            - C:\Windows\system32\PING.EXE
              Command line: ping -n 1 127.0.0.1
              Signatures: Runs ping.exe

    - C:\Windows\SysWOW64\cmd.exe
      Command line: /d /c taskkill /t /f /im "47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe" > NUL
      Signatures: Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /t /f /im "47937d75be86ed7ab9c2048cee4bbaf4_JaffaCakes118.exe"
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 1 127.0.0.1
          Signatures: Runs ping.exe

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2f4 0x300
  Signatures: Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
  Filesize: 12KB
  MD5: 74c0360e9cd6b8f867d75d763f77c10e
  SHA1: 8286ebf4c34f7ae942ff23423f165ec6769bbdbc
  SHA256: 1a3b8bfed22ed2b62ffd106fefc1b4be019e4d7da56ea57601e1291d336f4872
  SHA512: b95154b47860263647cd4406dc8fcabe505ed0cdc3be707741d8f8d6369bf68b0db64e6a6d010baa383af0ba115aa67633521d8364b9c1edcc978b19b9768147

- C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt
  Filesize: 10KB
  MD5: 577c24cfda987136bb9e4dcbc1feaf3b
  SHA1: 64e02d5117b1d430ca6f143d076beb59410e50ec
  SHA256: 8f5847aaaef75025daaca8c8ef6bbc1d1cc52b72f6148d062cda753ae31de8df
  SHA512: 9ddd4451b97c6af4aad3d36d2257a9585c4a71fbe4201bcad6fba191a22c162d749a228f15e99c7b68c3beb5d48444a5a5d2e981d43b47e381e2d6570e102892

- C:\Recovery\WindowsRE\# DECRYPT MY FILES #.url
  Filesize: 85B
  MD5: 8e9b80be7f8097e4b31f7e0c8eb19b81
  SHA1: b5c606edc1998aa2810fd5a069f2aba45a29e2d4
  SHA256: 84c130643b09f0935c5162aa957ab50a1f243f8023c83300fe2f472f128e68dd
  SHA512: 642b7a36177e4f34a225863788ce80150aca34525eecedcf211cf8918a26784d996ce2e6572643da3df6db3bb1817055170277b659f01c325c3c8ef56f451299

- C:\Recovery\WindowsRE\# DECRYPT MY FILES #.vbs
  Filesize: 216B
  MD5: 48ac29422570636cae371b68c858b988
  SHA1: ff86dea198c93a8ae49ee52c6eb919fcbd259aab
  SHA256: 3926b08f205999c2f1a24121117ecfeed31557bf6f0529416f3432321292c6b0
  SHA512: 75019e6fd4b53528aab1af668149540e1bc372e58e4786eda1da75e7c9718dbc274cbf3f37cd38fbe7e618ea9c1b24c2534d18aecfcc3264ec55f83f206faaa3

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: eaa3db555ab5bc0cb364826204aad3f0
  SHA1: a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
  SHA256: ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
  SHA512: e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4b4f91fa1b362ba5341ecb2836438dea
  SHA1: 9561f5aabed742404d455da735259a2c6781fa07
  SHA256: d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
  SHA512: fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 9334d07a12079c9010ba3ab0100cd96e
  SHA1: 0f279314cdf5682d283403eac5000408ab08dd95
  SHA256: 98e02a3b0eaf8f6169e0293a369c69b42554cc2c5aed7a7bb2829f6f8d4b47cb
  SHA512: f5cd25b8269c3fa7b79045a9c29c5983341deed93c5ddb855f49f397710cdc3702bcd7c868b736df187d7d34ad488c2f4c99a423124729aa1d857933d6fd748b

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: fb7823cd8ca522504a6fce508c6365cd
  SHA1: a43c6f22f17ef3d1a87b4164097fc5b53658772a
  SHA256: 64292ef5fe188388198f511a125402f6d03cb8f6f8a004e1e2c39e9aa4f58c9d
  SHA512: 34f5ce46f2088a8be19de90cc4927bd799a6851da0e765ddc5484e429d15aba02ff702c90d4f2ffe80f4a8bbabc97ff97912fa303015a1bc77c48d2471b02cc7

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 49397369628b311b158529b4fa6bea98
  SHA1: 08d65a574c6c911412491cdf9d3849043a681690
  SHA256: e0e955b8810ebe5007261e54df6bf5b3d2c8c50b3ce91b6e717e10fcb79f3da5
  SHA512: 1d6e609bb746fce1c2dfeff2e99a33d791312921877ac1fefa7d27dfb6faadfbdeaeee3a3e66070ae128579c7f13ae401ecff4feb4fcce2c27b2b0292c09361d

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cliconfg.lnk
  Filesize: 1KB
  MD5: 56ba708524cfb5b965ef22c26573285b
  SHA1: 31947ae6b20cc736169f40c73adb7e7ad9d885d7
  SHA256: 6d44abf5779c47fef5a063f3819643a92a201bc437544feeb72031357b5f3ca7
  SHA512: 8f7dbd6bfc1b78824f8b3762cb8d83bbc8774299efe0292eac5168c7ff6a1aa3eb41ebb9ac9c8d4b5b1c651671496ffb705b0577431d5e5ab8498b2e25ea224b

- C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\cliconfg.exe
  Filesize: 204KB
  MD5: 47937d75be86ed7ab9c2048cee4bbaf4
  SHA1: d7eed8c49beca46ce4be3b376611f22a0351c09c
  SHA256: 911184d3633225146e3c57884f9c1a7ed7849b8e7e575a8b33de8fd42e745b66
  SHA512: 802a1196fae9bf3f3cb8dd9abdc359ef5bfa0728dec28d70033b3341f0e6eb6aee1560307f5f7553c1f38ba279de7d6ddce2e7370c1f5d7100fed8c539cdbae8

- \??\pipe\LOCAL\crashpad_4980_QJHFAAHWGKGMNTUH
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e