Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-05-2024 07:10
Behavioral task
behavioral1
Sample
5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
-
Size
141KB
-
MD5
5385bc77d15ea3cc312e6b096cc1db49
-
SHA1
d62e03afacbb767a5611819e7fc763e89e5ac7af
-
SHA256
70db66462514a8185655f31284029ec4c49ecc38ad2bb6ff0cfb17f4e35ceff1
-
SHA512
453ecfef449dc3c20c462dc8943092038f979d2bc89332dd1f146535d8aef81ab9b348c8f7d6405daeb8775b006ec2dd39d9c4bb86dbac093cced224b0b979d7
-
SSDEEP
3072:DLyk7G0MseogKoyGjrndJM94IXcoApIxwDjLfA+IehhyKdOTF:DL9G0ocoyGjM94IsDVDjLGT
Malware Config
Extracted
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
cerber
http://cerberhhyed5frqa.xlfp45.win/FAF7-3342-903E-0063-737C
http://cerberhhyed5frqa.slr849.win/FAF7-3342-903E-0063-737C
http://cerberhhyed5frqa.ret5kr.win/FAF7-3342-903E-0063-737C
http://cerberhhyed5frqa.zgf48j.win/FAF7-3342-903E-0063-737C
http://cerberhhyed5frqa.xltnet.win/FAF7-3342-903E-0063-737C
http://cerberhhyed5frqa.onion/FAF7-3342-903E-0063-737C
Extracted
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (16397) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe, MuiUnattend.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\\MuiUnattend.exe\"" | 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\\MuiUnattend.exe\"" | MuiUnattend.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: MuiUnattend.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | MuiUnattend.exe
-
Drops startup file 2 IoCs
Processes: 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe, MuiUnattend.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MuiUnattend.lnk | 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MuiUnattend.lnk | MuiUnattend.exe
-
Executes dropped EXE 1 IoCs
Processes: MuiUnattend.exe
pid | process
3676 | MuiUnattend.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
behavioral2/memory/4016-0-0x0000000000400000-0x0000000000428000-memory.dmp | vmprotect
C:\Users\Admin\AppData\Roaming\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\MuiUnattend.exe | vmprotect
behavioral2/memory/3676-9-0x0000000000400000-0x0000000000428000-memory.dmp | vmprotect
behavioral2/memory/3676-12-0x0000000000400000-0x0000000000428000-memory.dmp | vmprotect
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: MuiUnattend.exe, 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MuiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\\MuiUnattend.exe\"" | MuiUnattend.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MuiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\\MuiUnattend.exe\"" | MuiUnattend.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MuiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\\MuiUnattend.exe\"" | 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MuiUnattend = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\\MuiUnattend.exe\"" | 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
6 | ipinfo.io
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: MuiUnattend.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp9B80.bmp" | MuiUnattend.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
4008 | vssadmin.exe
-
Kills process with taskkill 2 IoCs
Processes: taskkill.exe, taskkill.exe
pid | process
4048 | taskkill.exe
4748 | taskkill.exe
-
Modifies Control Panel 4 IoCs
Processes: MuiUnattend.exe, 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop | MuiUnattend.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\\MuiUnattend.exe\"" | MuiUnattend.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop | 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\\MuiUnattend.exe\"" | 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
-
Modifies registry class 1 IoCs
Processes: MuiUnattend.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | MuiUnattend.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes: MuiUnattend.exe, msedge.exe, msedge.exe, identity_helper.exe
pid | process
3676 | MuiUnattend.exe (42 entries)
4756 | msedge.exe (2 entries)
2828 | msedge.exe (2 entries)
4852 | identity_helper.exe (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes: msedge.exe
pid | process
4756 | msedge.exe (10 entries)
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes: 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe, MuiUnattend.exe, taskkill.exe, vssvc.exe, wmic.exe, AUDIODG.EXE, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 4016 | 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
Token: SeDebugPrivilege | 3676 | MuiUnattend.exe
Token: SeDebugPrivilege | 4048 | taskkill.exe
Token: SeBackupPrivilege | 3536 | vssvc.exe
Token: SeRestorePrivilege | 3536 | vssvc.exe
Token: SeAuditPrivilege | 3536 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1860 | wmic.exe
Token: SeSecurityPrivilege | 1860 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1860 | wmic.exe
Token: SeLoadDriverPrivilege | 1860 | wmic.exe
Token: SeSystemProfilePrivilege | 1860 | wmic.exe
Token: SeSystemtimePrivilege | 1860 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1860 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1860 | wmic.exe
Token: SeCreatePagefilePrivilege | 1860 | wmic.exe
Token: SeBackupPrivilege | 1860 | wmic.exe
Token: SeRestorePrivilege | 1860 | wmic.exe
Token: SeShutdownPrivilege | 1860 | wmic.exe
Token: SeDebugPrivilege | 1860 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1860 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1860 | wmic.exe
Token: SeUndockPrivilege | 1860 | wmic.exe
Token: SeManageVolumePrivilege | 1860 | wmic.exe
Token: 33 | 1860 | wmic.exe
Token: 34 | 1860 | wmic.exe
Token: 35 | 1860 | wmic.exe
Token: 36 | 1860 | wmic.exe
(the 21 wmic.exe token entries above are listed a second time in the report, in the same order)
Token: 33 | 1860 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1860 | AUDIODG.EXE
Token: SeDebugPrivilege | 4748 | taskkill.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
pid | process
4756 | msedge.exe (25 entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid | process
4756 | msedge.exe (24 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe, MuiUnattend.exe, cmd.exe, msedge.exe, msedge.exe
description | pid | process | target process
PID 4016 wrote to memory of 3676 | 4016 | 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe | MuiUnattend.exe (3 entries)
PID 4016 wrote to memory of 3660 | 4016 | 5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe | cmd.exe (3 entries)
PID 3676 wrote to memory of 4008 | 3676 | MuiUnattend.exe | vssadmin.exe (2 entries)
PID 3660 wrote to memory of 4048 | 3660 | cmd.exe | taskkill.exe (3 entries)
PID 3660 wrote to memory of 3920 | 3660 | cmd.exe | PING.EXE (3 entries)
PID 3676 wrote to memory of 1860 | 3676 | MuiUnattend.exe | wmic.exe (2 entries)
PID 3676 wrote to memory of 4756 | 3676 | MuiUnattend.exe | msedge.exe (2 entries)
PID 4756 wrote to memory of 4228 | 4756 | msedge.exe | msedge.exe (2 entries)
PID 3676 wrote to memory of 2956 | 3676 | MuiUnattend.exe | NOTEPAD.EXE (2 entries)
PID 3676 wrote to memory of 4940 | 3676 | MuiUnattend.exe | msedge.exe (2 entries)
PID 4940 wrote to memory of 1744 | 4940 | msedge.exe | msedge.exe (2 entries)
PID 3676 wrote to memory of 4248 | 3676 | MuiUnattend.exe | WScript.exe (2 entries)
PID 4756 wrote to memory of 3144 | 4756 | msedge.exe | msedge.exe (36 entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe"
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Depth 2: C:\Users\Admin\AppData\Roaming\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\MuiUnattend.exe
Command line: "C:\Users\Admin\AppData\Roaming\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\MuiUnattend.exe"
- Adds policy Run key to start application
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\system32\vssadmin.exe
Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
- Interacts with shadow copies
-
Depth 3: C:\Windows\system32\wbem\wmic.exe
Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff8fd46f8,0x7ffff8fd4708,0x7ffff8fd4718
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 /prefetch:8
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14678943027510264517,8073061870366875650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:1
-
Depth 3: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
-
Depth 3: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xlfp45.win/FAF7-3342-903E-0063-737C
- Suspicious use of WriteProcessMemory
-
Depth 4: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff8fd46f8,0x7ffff8fd4708,0x7ffff8fd4718
-
Depth 3: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
-
Depth 3: C:\Windows\system32\cmd.exe
Command line: /d /c taskkill /t /f /im "MuiUnattend.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\MuiUnattend.exe" > NUL
-
Depth 4: C:\Windows\system32\taskkill.exe
Command line: taskkill /t /f /im "MuiUnattend.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Depth 4: C:\Windows\system32\PING.EXE
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: /d /c taskkill /t /f /im "5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe" > NUL
- Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /t /f /im "5385bc77d15ea3cc312e6b096cc1db49_JaffaCakes118.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Depth 3: C:\Windows\SysWOW64\PING.EXE
Command line: ping -n 1 127.0.0.1
- Runs ping.exe
-
Depth 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
Depth 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
Depth 1: C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x528 0x4b4
- Suspicious use of AdjustPrivilegeToken
-
Depth 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 612a6c4247ef652299b376221c984213
SHA1: d306f3b16bde39708aa862aee372345feb559750
SHA256: 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA512: 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 56641592f6e69f5f5fb06f2319384490
SHA1: 6a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA256: 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512: c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: f88308cb92ee54dc19639c5e76b1a515
SHA1: fdb6072363d397d44bf86b86dcdcc4a01bcf2f15
SHA256: 6c7dd5f977975f40ccbeb739998e67729cd328a13e6740500a48e81dd46794e9
SHA512: c3591dc87b96614e5e09b3fbcc109e965a7080c86fc5ac38bcbfdaeaad492a7f94653b08a4b1277aa6915bc05c1726ff9d71e4b79ec6e5caae8dbedd454605de
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 2f10a5cd6c4cd1879c0bbcfe37c5d2c9
SHA1: ad8951a98ec557aa24193e904fae814f2acbdba2
SHA256: 46923b453caa4d7e33fbe6eb17d0b492a7af7ac81e0f841b4be94c2a274b7c1d
SHA512: 6d4dfdc14c2d0599245bc449bb09b1b66ed544fab0f2110be8aa5c0c769267c34ae0dca5e920713d6ac280b52d4b193be1352dca0a654b5a07d33533a75cf78b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: d9a6674ae2ec6ca95cc50305d4268513
SHA1: f9213f0181ffc392987b5c6b141dca35ba1a2dc4
SHA256: a1bec09a96b53ad71ddc80b0b2c96a2acaac5df33e97cdaebd1d2733efbe7707
SHA512: 3aa75a82081fa22b72fc738c45a66f1ab1274369b1f10c852a7ed4a1a5f4d6a6a6ed6838d8157c66f5d306d761d6366ae1c0501953a87a47555f97a532b9f848
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\MuiUnattend.lnk
Filesize: 1KB
MD5: 26ae57fccbf39b9e6285c3633f7b1ba4
SHA1: 37c786b47b968db3ac9360192c02fa9a479f0e33
SHA256: e74e6311898e849ce677f843eff8cfc09e5c3e89f0de90e64fd2f541984b1f9c
SHA512: c4667423e1a3650ac40948700f62d9ff3285cf1c8d43cce01139b5d761faf9f241f820e29bfdc4a90451749e6bd53655334059dad76bd15f265089669f341c2d
-
C:\Users\Admin\AppData\Roaming\{8397B879-9D15-5A7E-1B44-323DAE4EF631}\MuiUnattend.exe
Filesize: 141KB
MD5: 5385bc77d15ea3cc312e6b096cc1db49
SHA1: d62e03afacbb767a5611819e7fc763e89e5ac7af
SHA256: 70db66462514a8185655f31284029ec4c49ecc38ad2bb6ff0cfb17f4e35ceff1
SHA512: 453ecfef449dc3c20c462dc8943092038f979d2bc89332dd1f146535d8aef81ab9b348c8f7d6405daeb8775b006ec2dd39d9c4bb86dbac093cced224b0b979d7
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.html
Filesize: 12KB
MD5: 3338917adaef9dd76d1658fd80907413
SHA1: 2f73616833dc5e3f4671114086656ba3cb0c540b
SHA256: 4be970c5438fcc7e57809a29efb51c5f8e26fe71f39181d51c5db253bb7efb1e
SHA512: 1ccff3a823d8209d62a7c0fc9e13fcc553db4b780cc879d219c12f08ebd74067c576bd1d2d1db7a3e89dfe862fbbda7c14163996e462e6d2fc6cecfe4905e90c
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
Filesize: 10KB
MD5: f1990747a012cc6661813549b1c38096
SHA1: a38378da07857f2e4bea529f47768225d4ae3466
SHA256: c006758a6b2c9ae1e550ea3830c65ae08e15b5743b354fad2b245c7aecf2fe91
SHA512: f02885df774b58e4e100dd634c2acf724f82437410f3ea07541d6ba88104a449e5752ad748f9242bf2e6092c211a4b9d593a4b0a5053537f89b70ed5d2ad5221
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.url
Filesize: 85B
MD5: b971acc2512b58daab210f6ff4e65301
SHA1: 461d9d3956bc2bd4c0cd10f5f151601deb226730
SHA256: a64e081f41d094a6e0a03046dfe14a6229028a4ae5911dbc0ecaf8f4a1748ae4
SHA512: 3c1b31205eea6361b2debe9b1298626a8884f6153eba365cef2117de0c4af8c11b0f6ec2f55182889e2f68392690a126498594ce51f4a5f7748a3de08811c6a4
-
C:\Users\Admin\Pictures\# DECRYPT MY FILES #.vbs
Filesize: 219B
MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
\??\pipe\LOCAL\crashpad_4756_HBIZEGXFHFEYVFEY
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3676-13-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/3676-401-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/3676-22-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/3676-20-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/3676-18-0x00000000034E0000-0x00000000034E1000-memory.dmp
Filesize: 4KB
-
memory/3676-422-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/3676-14-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/3676-26-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/3676-12-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/3676-9-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/4016-0-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/4016-3-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/4016-2-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
-
memory/4016-1-0x0000000000426000-0x0000000000427000-memory.dmp
Filesize: 4KB
-
memory/4016-16-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB