Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 10:13
Static task: static1
Behavioral task behavioral1
- Sample: 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe
- Size: 237KB
- MD5: 4a91d6952c9e040e6c17662cfc271b62
- SHA1: 09a6a44e25bd15841b97381c603fe3a16a0dd68d
- SHA256: 89990552456235fc80e303433ef6609ce137d9c74016bf9c14218125edbe8854
- SHA512: ccd64aefbb628ae2c39cfc5ed685f5f4b8ea0d093484290c1ade7a4174b4e556791ff23db34c97f00eb21244e4990ea696402c0f72ced0292e1b9a5c20b08950
- SSDEEP: 3072:pXbUhF2VZhu6sfLj0+QqQ3LVXkH7PUpg5+ua0Sq6ViqxFUZ4Jf5q:pQLqbid5Qbybspq9XSqAZYT
Malware Config
Extracted from C:\Users\Admin\# DECRYPT MY FILES #.txt
- Family: cerber
- URLs:
  http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63
  http://4kqd3hmqgptupi3p.o08a6d.top/2A7B-2A5E-BF5B-006D-FB63
  http://4kqd3hmqgptupi3p.6ntrb6.top/2A7B-2A5E-BF5B-006D-FB63
  http://4kqd3hmqgptupi3p.vrid8l.top/2A7B-2A5E-BF5B-006D-FB63
  http://4kqd3hmqgptupi3p.onion.to/2A7B-2A5E-BF5B-006D-FB63
  http://4kqd3hmqgptupi3p.onion/2A7B-2A5E-BF5B-006D-FB63
Extracted from C:\Users\Admin\# DECRYPT MY FILES #.html
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe, fontdrvhost.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\fontdrvhost.exe\"" (4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\fontdrvhost.exe\"" (fontdrvhost.exe)
- Contacts a large number (532) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: fontdrvhost.exe
  Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (fontdrvhost.exe)
- Drops startup file (2 IoCs)
  Processes: 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe, fontdrvhost.exe
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fontdrvhost.lnk (4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fontdrvhost.lnk (fontdrvhost.exe)
- Executes dropped EXE (2 IoCs)
  Processes: PID 4752 fontdrvhost.exe, PID 4400 fontdrvhost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe, fontdrvhost.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\fontdrvhost.exe\"" (4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fontdrvhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\fontdrvhost.exe\"" (4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\fontdrvhost.exe\"" (fontdrvhost.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fontdrvhost = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\fontdrvhost.exe\"" (fontdrvhost.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 6: ipinfo.io
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: fontdrvhost.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4532.bmp" (fontdrvhost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Kills process with taskkill (2 IoCs)
  Processes: PID 1724 taskkill.exe, PID 2708 taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes: 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe, fontdrvhost.exe
  Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop (4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\fontdrvhost.exe\"" (4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe)
  Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop (fontdrvhost.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{67E60D0F-79BB-452E-B83F-05B76884D57E}\\fontdrvhost.exe\"" (fontdrvhost.exe)
- Modifies registry class (1 IoC)
  Processes: fontdrvhost.exe
  Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings (fontdrvhost.exe)
- Runs ping.exe (1 TTP, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 4752 fontdrvhost.exe (all 64 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes: PID 2392 msedge.exe (all 7 entries)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe, fontdrvhost.exe, taskkill.exe, fontdrvhost.exe, AUDIODG.EXE, taskkill.exe
  Token: SeDebugPrivilege, PID 916 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 4752 fontdrvhost.exe
  Token: SeDebugPrivilege, PID 1724 taskkill.exe
  Token: SeDebugPrivilege, PID 4400 fontdrvhost.exe
  Token: 33, PID 2148 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, PID 2148 AUDIODG.EXE
  Token: SeDebugPrivilege, PID 2708 taskkill.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: PID 2392 msedge.exe (all 25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: PID 2392 msedge.exe (all 24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe, cmd.exe, fontdrvhost.exe, msedge.exe, msedge.exe
  PID 916 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe wrote to memory of PID 4752 fontdrvhost.exe (3 entries)
  PID 916 4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe wrote to memory of PID 3644 cmd.exe (3 entries)
  PID 3644 cmd.exe wrote to memory of PID 1724 taskkill.exe (3 entries)
  PID 3644 cmd.exe wrote to memory of PID 4912 PING.EXE (3 entries)
  PID 4752 fontdrvhost.exe wrote to memory of PID 1532 msedge.exe (2 entries)
  PID 1532 msedge.exe wrote to memory of PID 1504 msedge.exe (2 entries)
  PID 4752 fontdrvhost.exe wrote to memory of PID 2408 NOTEPAD.EXE (2 entries)
  PID 4752 fontdrvhost.exe wrote to memory of PID 2392 msedge.exe (2 entries)
  PID 2392 msedge.exe wrote to memory of PID 4352 msedge.exe (2 entries)
  PID 4752 fontdrvhost.exe wrote to memory of PID 4524 WScript.exe (2 entries)
  PID 2392 msedge.exe wrote to memory of PID 3984 msedge.exe (remaining 40 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe"
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe"
    - Adds policy Run key to start application
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
      - Suspicious use of WriteProcessMemory
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc194d46f8,0x7ffc194d4708,0x7ffc194d4718
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14919995175993477140,17326916525315298512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 /prefetch:3
    - [3] C:\Windows\system32\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://4kqd3hmqgptupi3p.thyx30.top/2A7B-2A5E-BF5B-006D-FB63?auto
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc194d46f8,0x7ffc194d4708,0x7ffc194d4718
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17513602910736834890,11522093927158258697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
    - [3] C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    - [3] C:\Windows\system32\cmd.exe
      Command line: /d /c taskkill /t /f /im "fontdrvhost.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe" > NUL
      - [4] C:\Windows\system32\taskkill.exe
        Command line: taskkill /t /f /im "fontdrvhost.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\PING.EXE
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: /d /c taskkill /t /f /im "4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe" > NUL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /t /f /im "4a91d6952c9e040e6c17662cfc271b62_JaffaCakes118.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
- [1] C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe
  Command line: C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x300 0x424
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
Downloads
- C:\Users\Admin\# DECRYPT MY FILES #.html (12KB)
  MD5: 860424f79a5fe26ec6a3ebdd840ba899
  SHA1: fe4241e4546e4856cf1a575bab02637dc94096e8
  SHA256: ca50106a95f82cae2b8738c86fdc2968b20f97eededbf484f07461a7e71bc694
  SHA512: 0042d1dc4ee6d4a6f8f3b971c13a9f2a80afa8b6585c37730b5657ecc5b396c0487b89328f15bc756a60e525f802854d66c22fa5ab5a50136acbe7c4b04421a7
- C:\Users\Admin\# DECRYPT MY FILES #.txt (10KB)
  MD5: fdec26a49f63355bb1a9d56721828a9b
  SHA1: 2151c02fd466b21f92da5db1901463f7a755aa03
  SHA256: 806dc7096f6e1c572f569ee0750ba82acb39971abfed9927e5c33053fd7fa4de
  SHA512: dc2913649696735c5a175f2ee5d75a39db7f0d601db5e7b578bf8165e7ff5f2f290495b6b23b7966442400fda5d19facfd351914c428aab9b60fee9ad4fcc2b7
- C:\Users\Admin\# DECRYPT MY FILES #.url (90B)
  MD5: b7d0e8d7e91159b51afe7bee9e91343d
  SHA1: 9e764dfcc69702316da6df4077b2318ae731eb43
  SHA256: 17170c1c243aaa5cdfe8fd2edccb0874e91dd48dadb1d695c49ebe9b4f9c1460
  SHA512: d16a081f3491907f1ccd1e6047c021adc5cb0dfc3ed1cce1721c1eb0adc58286a4faafdceef5fc72911aea7eddbc598151ee52ebbab797481aaa3107ec0f5e45
- C:\Users\Admin\# DECRYPT MY FILES #.vbs (234B)
  MD5: 6f84dbf74ef41dc3d861f5fb3e0f45ff
  SHA1: 3e5f17e9b9589f33ce6add7f2518a666ff2253a4
  SHA256: df5f432d7e0d2bd1c4dddb1fabbf1e77bd1065b9020f71abaf1a45fbb950bbb8
  SHA512: 9f9ec25b815be7b20df26244d31848c9a4896b130241b63636d63511a290eaad78d289a9bb04592c0ba31492064671351b4c7359310f03469e27764132a20a5a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
  MD5: eaa3db555ab5bc0cb364826204aad3f0
  SHA1: a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
  SHA256: ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
  SHA512: e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
  MD5: 4b4f91fa1b362ba5341ecb2836438dea
  SHA1: 9561f5aabed742404d455da735259a2c6781fa07
  SHA256: d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
  SHA512: fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
  MD5: d1a51b5afb13f899a2fbfcfcd528c5fa
  SHA1: 023d6114fd05b6b99ce03bd963c2c165a82b9d12
  SHA256: d4fd6a1313a357f0ebba7896e7accdbf8c733d16abda1edcf65416c905694cff
  SHA512: 069e00425507a6cd1128b60e95b9da8d9531e7ee4fbefea02671b082defba2cb0251b93680eb5c5acec4e0712910e75475328df09392938ddcb647d581ce2419
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fb8dea58-d364-49f2-8522-094e15a4ec6c.tmp (5KB)
  MD5: 921334ccf9b932f12f82105d0a440ad6
  SHA1: efa6ebfc7f05faf6eeaf706ced4010711883c573
  SHA256: 64145ff5711a14c98b16f349b7caa41349c46dc9fc7a4bc5bf477c7e6e89deb4
  SHA512: b0226148b46777180a976dc8960c805ee99d85fcab20630b0426d14285c676186575dade3a3d3825b8b4ec04667aabb704f90f3a0a16b71a5082895cb05446c0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (8KB)
  MD5: c42551f80d99434b3c493402d12ae4ad
  SHA1: ae8f846bac415a111e38232179e92d2ebca05fab
  SHA256: 8203bc2e939d301a6bc4b13c228ed7eb3dfe30121234cf9e7fb3008d3e7476e6
  SHA512: bcfa48a2016fd7b6d856c1602034dcc555108f3c1326bec2bc70c2315401b563a4f5e669b0161b33f3873995b0dbba2bc6c3d0862adb76ff0c3f0d65d3839d27
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
  MD5: c9e71a3dbacc7932fccd9c3b2c08afb5
  SHA1: 6351de45ba79e672c3427282a44b7fd4047a70cb
  SHA256: 6e4b82569fc4e377226dd9058a40a6af6e09f58faf5bff28c950fd254f05e91c
  SHA512: 25315bb69b4b764cd4ce99be9d4b6c6f10ec0d78957a44d3d11c498d49ff43d2317d69690307203a0d6cd3a3094410692c95289b9fb0078b4adb7143eea6a37f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fontdrvhost.lnk (1KB)
  MD5: 7d3afb110a9ea4f45d0553048d0f7224
  SHA1: e81acedad9b8cd161b2ec49d5d98d7c5c84bea53
  SHA256: 01bf6236ad48ebdf04ecc1e8c07f67ed65fb35acda85ad3053000e9ce4cad5e9
  SHA512: 31d244d9fc406c762c8b8beab05b8d1528882c91b4ba0295d96a32ff420d956c1e431e3dbb85e8d7ee6ae4ccbd8c5728b9c82814db81d669ff457898771509a4
- C:\Users\Admin\AppData\Roaming\{67E60D0F-79BB-452E-B83F-05B76884D57E}\fontdrvhost.exe (237KB)
  MD5: 4a91d6952c9e040e6c17662cfc271b62
  SHA1: 09a6a44e25bd15841b97381c603fe3a16a0dd68d
  SHA256: 89990552456235fc80e303433ef6609ce137d9c74016bf9c14218125edbe8854
  SHA512: ccd64aefbb628ae2c39cfc5ed685f5f4b8ea0d093484290c1ade7a4174b4e556791ff23db34c97f00eb21244e4990ea696402c0f72ced0292e1b9a5c20b08950
- \??\pipe\LOCAL\crashpad_2392_FKAJHGMNCXBEIBTK
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/916-13-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/916-0-0x0000000000CB0000-0x0000000000CD1000-memory.dmp (132KB)
- memory/916-2-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/916-1-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4400-20-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4400-19-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-342-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-316-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-325-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-347-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-355-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-353-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-349-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-351-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-345-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-331-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-328-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-322-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-319-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-334-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-313-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-306-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-30-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-29-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-25-0x0000000000400000-0x000000000043E000-memory.dmp (248KB)
- memory/4752-24-0x0000000000400000-0x000000000043E000-memory.dmp (248KB)
- memory/4752-16-0x0000000006790000-0x0000000006791000-memory.dmp (4KB)
- memory/4752-430-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-432-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-12-0x0000000000400000-0x000000000043E000-memory.dmp (248KB)
- memory/4752-11-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/4752-10-0x0000000000400000-0x000000000043E000-memory.dmp (248KB)