Analysis

max time kernel: 150s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 00:20

Static task: static1

Behavioral task: behavioral1
  Sample: 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General

Target: 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
Size: 143KB
MD5: 579c76a735fd8d53f4731463096a79e6
SHA1: 17bac06d246708335586273c4d1149dd42cf3618
SHA256: 9e359005b4bc7f7f5db77c5448af5bf22fb71ecdd618b129b35cb6b07c452957
SHA512: f1d29bd55e86007e1d69028a31ee8c8ddbbda53d00f615746ef51b574b9f1a9b16b14e7c488ef3c75bc436861c2a11808fd5898fe8098ae7c88bc392954b7431
SSDEEP: 3072:cltLV7H8x7nyQ7RSP8yEqGm88E35zEQTZugj/p6kiPEWU:clD7H8x7ynP8y1CZ2Qgsh2q
Malware Config

Extracted from: C:\Users\Admin\Music\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
- http://cerberhhyed5frqa.slr849.win/1921-4BAF-6279-0063-794C
- http://cerberhhyed5frqa.zgf48j.win/1921-4BAF-6279-0063-794C
- http://cerberhhyed5frqa.xltnet.win/1921-4BAF-6279-0063-794C
- http://cerberhhyed5frqa.xmfhr6.win/1921-4BAF-6279-0063-794C
- http://cerberhhyed5frqa.cmfhty.win/1921-4BAF-6279-0063-794C
- http://cerberhhyed5frqa.onion/1921-4BAF-6279-0063-794C

Extracted from: C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
Signatures

Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

Contacts a large number (16401) of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe, ieUnatt.exe
  description | ioc | process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\ieUnatt.exe\"" | 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\ieUnatt.exe\"" | ieUnatt.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: ieUnatt.exe
  description | ioc | process
  - Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | ieUnatt.exe

Drops startup file (2 IoCs)
  Processes: 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe, ieUnatt.exe
  description | ioc | process
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ieUnatt.lnk | 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ieUnatt.lnk | ieUnatt.exe

Executes dropped EXE (1 IoCs)
  Processes: ieUnatt.exe
  pid | process
  - 1816 | ieUnatt.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe, ieUnatt.exe
  description | ioc | process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ieUnatt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\ieUnatt.exe\"" | 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieUnatt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\ieUnatt.exe\"" | ieUnatt.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ieUnatt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\ieUnatt.exe\"" | ieUnatt.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieUnatt = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\ieUnatt.exe\"" | 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  - 5 | ipinfo.io

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: ieUnatt.exe
  description | ioc | process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpD8C7.bmp" | ieUnatt.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  - 880 | vssadmin.exe

Kills process with taskkill (2 IoCs)
  Processes: taskkill.exe, taskkill.exe
  pid | process
  - 712 | taskkill.exe
  - 5848 | taskkill.exe

Modifies Control Panel (4 IoCs)
  Processes: 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe, ieUnatt.exe
  description | ioc | process
  - Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop | 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\ieUnatt.exe\"" | 579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
  - Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop | ieUnatt.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\ieUnatt.exe\"" | ieUnatt.exe

Modifies registry class (1 IoCs)
  Processes: ieUnatt.exe
  description | ioc | process
  - Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | ieUnatt.exe

Runs ping.exe (1 TTPs, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (42 IoCs)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)

Suspicious use of AdjustPrivilegeToken (51 IoCs)

Suspicious use of FindShellTrayWindow (25 IoCs)

Suspicious use of SendNotifyMessage (24 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Process tree (the bracketed number is the depth in the tree; child processes are indented under their parent):

[1] C:\Users\Admin\AppData\Local\Temp\579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Drops startup file
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\ieUnatt.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\ieUnatt.exe"
      - Adds policy Run key to start application
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Sets desktop wallpaper using registry
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\vssadmin.exe
        cmdline: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        - Interacts with shadow copies

    [3] C:\Windows\system32\wbem\wmic.exe
        cmdline: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc024c46f8,0x7ffc024c4708,0x7ffc024c4718

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3887724422218611500,18205023524711260734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1

    [3] C:\Windows\system32\NOTEPAD.EXE
        cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.slr849.win/1921-4BAF-6279-0063-794C

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc024c46f8,0x7ffc024c4708,0x7ffc024c4718

    [3] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"

    [3] C:\Windows\system32\cmd.exe
        cmdline: /d /c taskkill /t /f /im "ieUnatt.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\ieUnatt.exe" > NUL

      [4] C:\Windows\system32\taskkill.exe
          cmdline: taskkill /t /f /im "ieUnatt.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\system32\PING.EXE
          cmdline: ping -n 1 127.0.0.1
          - Runs ping.exe

  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: /d /c taskkill /t /f /im "579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe" > NUL
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /t /f /im "579c76a735fd8d53f4731463096a79e6_JaffaCakes118.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\PING.EXE
        cmdline: ping -n 1 127.0.0.1
        - Runs ping.exe

[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\system32\AUDIODG.EXE
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x414 0x3d8
    - Suspicious use of AdjustPrivilegeToken
Downloads