Analysis

  • max time kernel: 128s
  • max time network: 129s
  • platform: windows7_x64
  • resource: win7-20240215-en
  • resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted: 19-05-2024 00:20

General

  • Target: 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
  • Size: 143KB
  • MD5: 579c76a735fd8d53f4731463096a79e6
  • SHA1: 17bac06d246708335586273c4d1149dd42cf3618
  • SHA256: 9e359005b4bc7f7f5db77c5448af5bf22fb71ecdd618b129b35cb6b07c452957
  • SHA512: f1d29bd55e86007e1d69028a31ee8c8ddbbda53d00f615746ef51b574b9f1a9b16b14e7c488ef3c75bc436861c2a11808fd5898fe8098ae7c88bc392954b7431
  • SSDEEP: 3072:cltLV7H8x7nyQ7RSP8yEqGm88E35zEQTZugj/p6kiPEWU:clD7H8x7ynP8y1CZ2Qgsh2q

Malware Config

Extracted

Path: C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.txt

Family: cerber

Ransom Note
C E R B E R   R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.
Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.
#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Ransomware" has been removed from your computer.
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
1. http://cerberhhyed5frqa.slr849.win/F4F5-F7C6-D3DB-0063-7503
2. http://cerberhhyed5frqa.zgf48j.win/F4F5-F7C6-D3DB-0063-7503
3. http://cerberhhyed5frqa.xltnet.win/F4F5-F7C6-D3DB-0063-7503
4. http://cerberhhyed5frqa.xmfhr6.win/F4F5-F7C6-D3DB-0063-7503
5. http://cerberhhyed5frqa.cmfhty.win/F4F5-F7C6-D3DB-0063-7503
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):
1. take a look at the first address (in this case it is http://cerberhhyed5frqa.slr849.win/F4F5-F7C6-D3DB-0063-7503);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://cerberhhyed5frqa.slr849.win/F4F5-F7C6-D3DB-0063-7503 appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.
If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.slr849.win/F4F5-F7C6-D3DB-0063-7503);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.
If for some reason the site cannot be opened check the connection to the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address http://cerberhhyed5frqa.onion/F4F5-F7C6-D3DB-0063-7503 in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.slr849.win/F4F5-F7C6-D3DB-0063-7503

http://cerberhhyed5frqa.zgf48j.win/F4F5-F7C6-D3DB-0063-7503

http://cerberhhyed5frqa.xltnet.win/F4F5-F7C6-D3DB-0063-7503

http://cerberhhyed5frqa.xmfhr6.win/F4F5-F7C6-D3DB-0063-7503

http://cerberhhyed5frqa.cmfhty.win/F4F5-F7C6-D3DB-0063-7503

http://cerberhhyed5frqa.onion/F4F5-F7C6-D3DB-0063-7503

Extracted

Path: C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.html

Ransom Note: HTML version of the same note as the TXT extraction above (same text, same clearnet and .onion URLs).

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (16389) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\vssadmin.exe
      "C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\vssadmin.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2376
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2532
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1600
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1488
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3484
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3484 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3568
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3484 CREDAT:537601 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3672
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
        PID:3508
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        3⤵
        PID:3852
      • C:\Windows\system32\cmd.exe
        /d /c taskkill /t /f /im "vssadmin.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\vssadmin.exe" > NUL
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3316
        • C:\Windows\system32\taskkill.exe
          taskkill /t /f /im "vssadmin.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2696
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2508
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe" > NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2360
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2260
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3608 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3732
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:3924

Network

MITRE ATT&CK Matrix ATT&CK v13

Format: tactic, then technique (count) technique ID.

  • Execution
    • Windows Management Instrumentation (1) T1047
  • Persistence
    • Boot or Logon Autostart Execution (2) T1547
    • Registry Run Keys / Startup Folder (2) T1547.001
  • Privilege Escalation
    • Boot or Logon Autostart Execution (2) T1547
    • Registry Run Keys / Startup Folder (2) T1547.001
  • Defense Evasion
    • Indicator Removal (2) T1070
    • File Deletion (2) T1070.004
    • Modify Registry (4) T1112
  • Credential Access
    • Unsecured Credentials (1) T1552
    • Credentials In Files (1) T1552.001
  • Discovery
    • Network Service Discovery (2) T1046
    • System Information Discovery (2) T1082
    • Remote System Discovery (1) T1018
  • Collection
    • Data from Local System (1) T1005
  • Impact
    • Inhibit System Recovery (3) T1490
    • Defacement (1) T1491

Downloads

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.html
    Filesize: 12KB
    MD5: 1f98259b1583ddf3c65bab2eb534b493
    SHA1: 643f554572e0954442dc150dc14a5f277593340b
    SHA256: 53453306b1cbbf542acfc7ed6d26740f2e9ca96699048d085c8984452e691d3a
    SHA512: 1838329ba80d35d3f0e59013b5f1acc1ce2b43443730928d219d0c366fb1758139817de9b7828b93b30c1e90fa4180deae26ccc858e8321fc3fd63ea83d52fb8

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.txt
    Filesize: 10KB
    MD5: 00860ddac36a6d3a69262fbc2936b1f7
    SHA1: 6e118e7cb4b12cbc25a84eda17466d0ddea9aa16
    SHA256: 8f836b8d53af6b95f771924b03ccb670269ad77c71eeaf863c434093ff67765c
    SHA512: 216d002df68e7a38d17b0532dca4a2826555bfa7acef760e3ebc6e63248484d8342b204f01dc9dc47137fd96cf76c343e13c00005a0fcd0877a667b6a36dcc5d

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
    Filesize: 219B
    MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
    SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
    SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
    SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
    Filesize: 85B
    MD5: 30413d233dd141c117e7a4dd3017d8d0
    SHA1: d8e04e634c5cdb5636bb4c8416eee41ac95b40ec
    SHA256: 6ef8b40bf7a66ea80f1b31fcefbb6b0c9b2ccdc11e292a4e28ef97881c202ae3
    SHA512: 714f2c6d8f12779c537e8b1c71cd41f3ae506e881a11aaa7c8dec4e9cb127a5bbdd18061139b6a6b9062574a15cfe84a3f30336fe39509c74a1ccb98aa0e6423

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: fa2bb210561ac13d59bdbd9a6d07744e
    SHA1: 64048a7130eda1d3baaf3f542b77476704e08800
    SHA256: e48993b2ce2414ff59c1f95eaa7128f84fef9c29d10c7214651d83b215aee680
    SHA512: 07bd68534d26567989548fc506c947287332e7b69fa4d99fb1b8fdb1230a0d44914f3a830b5cae28cc3a003d223e6749129adf7e8c75537707c7bcea8f611b99

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 7815b9464e76b364227c838ac2d0712a
    SHA1: c2a2bf8aebcc5dad6e53c1462a3490d2d0f58ffe
    SHA256: 28dd6910e0f6178d2a6e7f96d46d05d8282510197ead9e0881438b87114b6976
    SHA512: 9bad8e2d35d54286aa8fcd5337e56d452868dbe0a8034257c384dcddae6ce2af3c4093859c808e4ee44dce44411f5fa99569b4bb615939173caed58a5b8a3bb6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          9a191e950db63a498c775f4e7f3e7370

          SHA1

          fc3e1c3693d6417077acffa50c68c299c086520f

          SHA256

          6f55d7a98d6d2ec3148d81b19dfaf0a52d9c21f49badedf0e07791c73c4fd275

          SHA512

          239793917a810f3eb2f48f8f9a7654cdb39a973a0245343f80e0022e7c4e5e9fd5d3611e81dc2783295459e69ded844001b5f4c52fe37c29d7b021baf75e7de0

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          76405f59765ff2a4fa579ea149b47fbd

          SHA1

          e1da4f11f8741f0465d0e8caebc8527fc545afcf

          SHA256

          498e1b3c992882887671388d25790c7ae2af0a7e15ada8f9107265e908dac130

          SHA512

          0f4b05888572a08cbd4a3ebcce8adfc301fef9fda4f5de361613a11d03a06b2deb0e919490cd8562c5f7e278b9b54b76c246706e952bb84e2df5a6924c408831

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          324a9d6f38828d08578549d89c2ae895

          SHA1

          dd61b8df5c5030e5ce2822a16b80ae84d7ab7516

          SHA256

          a9682cc55ca91c33e41f98ac7b9e60a670516c5bb39896f89eda8e1d0eb88a0a

          SHA512

          8d5ef03a13c789e531b79a5b60e6c97476c892ec5e3fa8f9247605ec51c230594fef1397e35a78a8ca85cecf84facb34e77edfc369f1ce599e939ea739a65b40

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          7f5cfd1fa58c35214b0eaaebbf8d2897

          SHA1

          7730b302bc297de4a4a4c03df9f56b1549e4ccb6

          SHA256

          786d878534de0d1728d36658ab498738308b7cbdcb3111f916010a49da49f733

          SHA512

          a56d520c88344219408c0c2c6c9f0eb407f89b623d8cde11e5e735eb7e4f46724f987ae024f762c8a8781ecf036a6b4c687851e4e7f8b30bf83e289da487ff91

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          9534e90d67e0c1eb19466fc7213932f9

          SHA1

          585bc65f57a4211686d4866d9557e84e36dcf4c9

          SHA256

          59f7fcdd4d040341706051cac65ae00a4bfd92e6fac82a501d7f4e21a2b8d49b

          SHA512

          c7145065838a58930c6dbdd564f25c8d41f6b945c922882dcc7ecf779f3cd3b5de992a05a47b6ba2d6fb2787ea00ac846885054f8708880ea949419b92bbbd70

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          6e557b7e244717e88bf591685c4e57e7

          SHA1

          769c105131fffc110ad237750b6abf34e22d5022

          SHA256

          159f282523efddaa206c7742e45a24902e9c474fc4fa9e588e969bdb84b380ea

          SHA512

          dd242a2f5914188c1b7e2f546d5b7a3e8fd1827ec7d6171d4edbbc14621645f87db4a80d256366e8bace1b36514b81cad5c359e673a98bb369b9e68e995b6f7c

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d054688e7eaeb484902b1fb1dfd95333

          SHA1

          f9bbe5439249d5b54f7201f862716ce1b7422cc1

          SHA256

          964b7a82aab49255dad44ee139da9d977ea4a3842e73bc33bb39d76317fc70ee

          SHA512

          904681e4a38c90839baef789d8bf3c9e6d6d257ced49092f80940242c1b69c71eb93acf3fec16634c76469702339e1d7bb75862a0db210664340e59d6e7562bb

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          c7e8adf10fed92a8d3e951adfc0dad06

          SHA1

          022928d2c8b797e1f4af4f739192b06e30209d5e

          SHA256

          b1dc3c0d5d5718d0a9eacf2ccb5e6348a5bbe9127d66f277c9ac776da2853a7f

          SHA512

          2cfc481d43e43e5af08c07f52efa6f33d3de0fa96dd3ae044a0ecd938e235f72180f8bd65424575fbb13175c9d3a251c230123b00622cbc3a725aa4ddef1431a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          c3bb151753d0549cb1b36ce175f9ddf1

          SHA1

          e54fefdbe678e2106479cfbe08bef0076849fc3c

          SHA256

          3d19164468d9673b1a7e74695d1f9f806d5d0215832c7364f6d2c569fe2f6bfe

          SHA512

          101956aa361dbbf10800f11c756e9686a3e28e57a5f207e5128b940a3e50e90307d66ef0c29b4a086430804661057ccfe238cd6ec337953ffd7a57a8cbc0e1f9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          92f0b3d63553eda89f375598ac88d1e0

          SHA1

          2319d13bda8844d012d68bffd77af575a6ad20f8

          SHA256

          7e503f0f36349f49abf59bd00457779df7f2d43a817dcc4bc73ed1775555b936

          SHA512

          7403e87c2792138b4f62275014d5304b8828cee2f9d0c5a4779ffb59fe3d86e5d064d8426d65d9bda02fae53bb34996abadaf576323bb1f592a2a3cd348e5c4a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          58510f733993d7380dad9ef191b56122

          SHA1

          5bc6e04f0e9fd88c4811a6352617f1e22d598e0d

          SHA256

          be64b71b44eb7a8652496c7056102b2557a33972b9ed3d5369fc100079dc1361

          SHA512

          7bce622f0c1fc4a2263444f6be819802c041fa933931e3cdb2f3660f6d103046102a76843bc1b4a84e8ab2076a224695d682fae9710386b5f80faa52d57fef1e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          59a6877771fd05de0d11087571fa72ff

          SHA1

          1b0c27f221ff84591c3d6a3be4ff1da5454c538a

          SHA256

          5238327a73b9d357aec5807ca8ea8baa244dc011b53503b55978cef3f3567cb2

          SHA512

          0fb3cd4dd8c1b994962f29c81200a567841197b0e502f55c5c5da3320b036172cc4d34b39fa701daaefed70dc04d1f8ca69af5c30c37c37d94bd93051ac669b4

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          071ee1069e073a768fb3065169b7466d

          SHA1

          ee6326814e60c651b02a8729350e30c9231476b3

          SHA256

          0390355f0ae13d53697af411b26b9fac981fc78f99c941b3a48a40a04196a288

          SHA512

          37c840aaa3bac1d11d2c7778fa4aa5e737f3c5f3d3883ce95d1a73bc1af59540bba6bd29e1ba628f50ad748c90b3567ef9336dcef6428a1825488959d2259bf8

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          c0c32c4b3be485bc17853a3175b2f809

          SHA1

          eda20ab3d1c92c605f91e6333a9caa583cfc2962

          SHA256

          5038849b28708fbd71b603a2260c791aa69a9cda1f2ebc30660c11e6236acdde

          SHA512

          4f8802dd2aebd8ccc0206bdf620501a98701b3f40aeade00e782cd8d8c2336029acf2400214e384f97effc042195a486a017bbb0d416678d47ced60d8c630daa

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          450da88be0265bc2aa02b0481fea0d95

          SHA1

          a72a7a92f311e92180a5ad2dcbf206628165b3f7

          SHA256

          0347a5f318f6ea9f1113d574f39a74b34b8e8af4c60f2a2e13bfbb576202dd8b

          SHA512

          4c07837f6a04494db6ba5ff6202768dc0077f3775e88f4948f862fa873a23c8845d12acbc07c50473d3deabd66e9276e6edf10be41bc004fcd26a725d499fdb4

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          45db43fc9f2dd514b57fa96708cd271f

          SHA1

          af748a0fad487535845aa3b498dbce1a70f545d3

          SHA256

          37e26fccd79b7d8034a50397978d8e840358b31ffcf12b5ffb8904071b19257d

          SHA512

          59a4307d88ee0d03d5b7ec355f3438fc73d07065ffb0565c1c036f537b22b7ac1f2af665d334efa8954ee627e99e6e3ff9da1ae1f612e8986eec6402dd19cd0f

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C4707CF1-1575-11EF-A4A3-CE86F81DDAFE}.dat
          Filesize

          6KB

          MD5

          048595ccefa3a6e29ebede104c59d9ce

          SHA1

          958b211faf436131af36d6e6e4d43a888d39b09c

          SHA256

          e4287dec1003305ebe3d62b9999130d24fbb418f1d83c9a8aac0a226a8040494

          SHA512

          ded577f8a943f6590d4d2695d8580f3300a4807c35a836b6e7148d7cd7eb22696ee7b47e8e15baa8d1d3c3b90c1319e67e8aea5a34fe2657edec5f045302493e

        • C:\Users\Admin\AppData\Local\Temp\Cab253F.tmp
          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\Local\Temp\Tar27C6.tmp
          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\vssadmin.lnk
          Filesize

          1KB

          MD5

          c28254b9956f17ea4ed1defb29075b95

          SHA1

          2acb9fb21df0e26aa1d338257aa4c157c11495b0

          SHA256

          a6f341d142d96c89d7df7327e55db796b46524b803c0e9469d4da502fa5a228c

          SHA512

          6c73f90ea1c6c613f455a8b0c51945c2f9c95a8c550e9535965078e749cdbe9a1ce7c8d237a2d5ba91174818ffe61ee048f6114213b0e421f0ae366a71ce6542

        • \Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\vssadmin.exe
          Filesize

          143KB

          MD5

          579c76a735fd8d53f4731463096a79e6

          SHA1

          17bac06d246708335586273c4d1149dd42cf3618

          SHA256

          9e359005b4bc7f7f5db77c5448af5bf22fb71ecdd618b129b35cb6b07c452957

          SHA512

          f1d29bd55e86007e1d69028a31ee8c8ddbbda53d00f615746ef51b574b9f1a9b16b14e7c488ef3c75bc436861c2a11808fd5898fe8098ae7c88bc392954b7431

        • memory/1844-1-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/1844-0-0x0000000000020000-0x0000000000036000-memory.dmp
          Filesize

          88KB

        • memory/1844-14-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/1988-26-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/1988-22-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/1988-23-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/1988-17-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/1988-16-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/1988-970-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/1988-480-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/1988-483-0x00000000038C0000-0x00000000038C2000-memory.dmp
          Filesize

          8KB
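Two of the dropped files above carry most of the triage signal: the binary written to `\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\vssadmin.exe` has exactly the same MD5/SHA1/SHA256/SHA512 as the submitted sample, so it is a self-copy masquerading under the name of the Windows shadow-copy tool (the real `vssadmin.exe` lives in `System32`), and `vssadmin.lnk` is a shortcut of the same name placed in the per-user Startup folder (the report does not show the shortcut's target). The `# DECRYPT MY FILES #.{html,txt,vbs,url}` notes are the encryption-time artifacts, while the `CryptnetUrlCache` and `Cab*.tmp`/`Tar*.tmp` entries are CryptoAPI cache and CAB-extraction residue that appears in most Windows 7 sandbox runs regardless of the sample. The following is an added triage helper, not code from the sandbox report or from the Cerber sample: it labels the report's dropped-file records by those rules and then hunts a directory tree for the same name and hash indicators. The hash strings are copied from the report; the directory layout in `build_demo_tree()` is constructed here with placeholder file contents, so the hunt labels the GUID-folder copy `suspicious-vssadmin` (name match, hash mismatch) rather than `self-copy`.

```python
"""Added triage helper for the Cerber report above; not code from the report
or the sample.  Hashes are copied from the report; the demo tree is constructed."""
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import PureWindowsPath

# SHA256 of the submitted sample (General section of the report).
SAMPLE_SHA256 = "9e359005b4bc7f7f5db77c5448af5bf22fb71ecdd618b129b35cb6b07c452957"

# A representative subset of the report's dropped files: (path, SHA256).
REPORT_DROPS = [
    (r"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.html",
     "53453306b1cbbf542acfc7ed6d26740f2e9ca96699048d085c8984452e691d3a"),
    (r"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs",
     "8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
     "e48993b2ce2414ff59c1f95eaa7128f84fef9c29d10c7214651d83b215aee680"),
    (r"C:\Users\Admin\AppData\Local\Temp\Cab253F.tmp",
     "c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\vssadmin.lnk",
     "a6f341d142d96c89d7df7327e55db796b46524b803c0e9469d4da502fa5a228c"),
    (r"\Users\Admin\AppData\Roaming\{D829B335-8529-7C36-6396-4FE23232B17C}\vssadmin.exe",
     "9e359005b4bc7f7f5db77c5448af5bf22fb71ecdd618b129b35cb6b07c452957"),
]

RANSOM_NOTE = re.compile(r"^# DECRYPT MY FILES #\.(html|txt|vbs|url)$", re.I)
GUID_DIR = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
TEMP_EXTRACT = re.compile(r"^(cab|tar)[0-9a-f]{4}\.tmp$", re.I)


def classify(path, sha256):
    """Label one dropped-file record from the report."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    if sha256.lower() == SAMPLE_SHA256:
        return "self-copy"              # identical bytes to the sample, new name and location
    if RANSOM_NOTE.match(p.name):
        return "ransom-note"
    if "startup" in parts and p.suffix.lower() == ".lnk":
        return "startup-persistence"    # shortcut in the per-user Startup folder
    if "cryptneturlcache" in parts:
        return "capi-cache-noise"       # CryptoAPI URL cache written by certificate/CRL lookups
    if "temp" in parts and TEMP_EXTRACT.match(p.name):
        return "temp-extract-noise"     # transient CAB extraction files, low signal
    return "unclassified"


def summarize(drops):
    """Count labels across a list of (path, sha256) records."""
    return dict(Counter(classify(path, sha) for path, sha in drops))


def sha256_of(fpath):
    with open(fpath, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def hunt(root):
    """Walk a live tree and return (path, label) for files matching the indicators."""
    hits = []
    for dirpath, _, files in os.walk(root):
        dirname = os.path.basename(dirpath)
        for name in files:
            full = os.path.join(dirpath, name)
            low = name.lower()
            if RANSOM_NOTE.match(name):
                hits.append((full, "ransom-note"))
            elif low == "vssadmin.lnk" and dirname.lower() == "startup":
                hits.append((full, "startup-persistence"))
            elif low == "vssadmin.exe" and GUID_DIR.match(dirname):
                # The real vssadmin.exe lives in System32; a copy under a GUID-named folder
                # is the indicator.  Confirm by hash, but keep the hit on name alone because
                # a repacked build of the same family will not match the report's hash.
                label = "self-copy" if sha256_of(full) == SAMPLE_SHA256 else "suspicious-vssadmin"
                hits.append((full, label))
    return hits


def build_demo_tree(root):
    """Constructed layout mirroring the report's paths; contents are placeholders."""
    layout = {
        "Users/Admin/AppData/Roaming/{D829B335-8529-7C36-6396-4FE23232B17C}/vssadmin.exe": b"placeholder, not the sample",
        "Users/Admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/StartUp/vssadmin.lnk": b"placeholder lnk",
        "MSOCache/All Users/{90140000-0044-0409-0000-0000000FF1CE}-C/# DECRYPT MY FILES #.txt": b"placeholder note",
        "Windows/System32/vssadmin.exe": b"legitimate location, must not be flagged",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Run hunt() over the constructed tree and return the sorted labels it produced."""
    root = tempfile.mkdtemp(prefix="cerber-hunt-")
    build_demo_tree(root)
    return sorted(label for _, label in hunt(root))


if __name__ == "__main__":
    for path, sha in REPORT_DROPS:
        print(f"{classify(path, sha):22} {path}")
    print(summarize(REPORT_DROPS), demo())
```

Run it as-is to see the labels for the report's records and the hunt result on the constructed tree; point `hunt()` at a mounted image or a live profile root to search real hosts. The hash check is deliberately secondary: the report's SHA256 identifies this one build, whereas the GUID-folder `vssadmin.exe` and the Startup `vssadmin.lnk` names carry across rebuilds of the sample.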