Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-05-2024 06:56

General

  • Target

    591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe

  • Size

    336KB

  • MD5

    591ad86e048de0e146e95de06cde9086

  • SHA1

    743932fdb8c94eed98a5b1b1f134de8d8f8f12c6

  • SHA256

    08bceaa70981fe11a2cd2f4d24475bcc692b577f1747c092fb10b6bc20a5e1c0

  • SHA512

    e3fb3f7a85a6c49318b012834c8e7daf2a8abf782d5687d956eeec9b45ac2e63b5e94631ae9ebdb2ae3545a5ae1ef8042abbdb461c0be35891541e4a3912efa9

  • SSDEEP

    6144:1t75WZK9JIwfCQoSZxEGBN9WguHB19cJAkcsAu86FzUqyfDgO9/UGEXx4:/lWaIeDoSLpBOhHB19cJAkcst86FzULX

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THI$_FILE_84LQ1V_.hta

Family

cerber

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>C&#069;RBE&#82; &#82;ANSOMWA&#82;&#069;: Instructi&#111;ns</title> <HTA:APPLICATION APPLICATIONNAME="Obwgx" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url('data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=') left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">&#9745; English</a> <h1>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;</h1> <small id="title">Instructions</small> </div> <div id="languages"> <p>&#9745; Select your language</p> <ul> <li><a href="#" title="English" onclick="return showBlock('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return showBlock('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return showBlock('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return showBlock('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return showBlock('fr');">Français</a></li> <li><a href="#" title="German" onclick="return showBlock('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return showBlock('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return showBlock('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return showBlock('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return showBlock('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return showBlock('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return showBlock('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return showBlock('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> <p>Can't yo<span class="h">Wr64UFs1</span>u find the necessary files?<br>Is the c<span class="h">p7</span>ontent of your files not readable?</p> <p>It is normal be<span class="h">LCstvD</span>cause the files' names and the data in your files have been encryp<span class="h">Pf</span>ted by "Ce<span class="h">v</span>r&#98;er&nbsp;Rans&#111;mware".</p> <p>It me<span class="h">nx1Ew8</span>ans your files are NOT damage<span class="h">fCFm</span>d! Your files are modified only. This modification is reversible.<br>F<span class="h">Z5EB</span>rom now it is not poss<span class="h">jMfNLicc</span>ible to use your files until they will be decrypted.</p> <p>The only way to dec<span class="h">z</span>rypt your files safely is to &#98;uy the special decryption software "C<span class="h">LOBvV52ofW</span>er&#98;er&nbsp;Decryptor".</p> <p>Any attempts to rest<span class="h">E</span>ore your files with the thir<span class="h">5Vkw5L7QQ</span>d-party software will be fatal for your files!</p> <hr> <p class="w331208">You can proc<span class="h">MzUSKzHPLs</span>eed with purchasing of the decryption softw<span class="h">9CoChlFqxa</span>are at your personal page:</p> <p><span class="info"><span class="updating">Ple<span class="h">BJ61gK</span>ase wait...</span><a class="url" href="http://p27dokhpz2n7nvgr.1czh7o.top/C167-D458-6DF8-0446-9F9E" target="_blank">http://p27dokhpz2n7nvgr.1czh7o.top/C167-D458-6DF8-0446-9F9E</a><hr><a href="http://p27dokhpz2n7nvgr.1hpvzl.top/C167-D458-6DF8-0446-9F9E" target="_blank">http://p27dokhpz2n7nvgr.1hpvzl.top/C167-D458-6DF8-0446-9F9E</a><hr><a href="http://p27dokhpz2n7nvgr.1pglcs.top/C167-D458-6DF8-0446-9F9E" target="_blank">http://p27dokhpz2n7nvgr.1pglcs.top/C167-D458-6DF8-0446-9F9E</a><hr><a href="http://p27dokhpz2n7nvgr.1cewld.top/C167-D458-6DF8-0446-9F9E" target="_blank">http://p27dokhpz2n7nvgr.1cewld.top/C167-D458-6DF8-0446-9F9E</a><hr><a href="http://p27dokhpz2n7nvgr.1js3tl.top/C167-D458-6DF8-0446-9F9E" target="_blank">http://p27dokhpz2n7nvgr.1js3tl.top/C167-D458-6DF8-0446-9F9E</a></span></p> <p>If t<span class="h">JFT</span>his page cannot be opened &nbsp;<span class="button" onclick="return updUrl('en');">cli<span class="h">GPHVS61</span>ck here</span>&nbsp; to get a new addr<span class="h">9FornTa</span>ess of your personal page.<br><br>If the addre<span class="h">LK</span>ss of your personal page is the same as befo<span class="h">F2hBT028</span>re after you tried to get a new one,<br>you c<span class="h">r87z</span>an try to get a new address in one hour.</p> <p>At th<span class="h">Py98m6gTs5</span>is p&#097;ge you will receive the complete instr<span class="h">Ony26Fx</span>uctions how to buy the decrypti<span class="h">4e0</span>on software for restoring all your files.</p> <p>Also at this p&#097;ge you will be able to res<span class="h">CvG</span>tore any one file for free to be sure "Cer&#98;e<span class="h">rqYKMWMWix</span>r&nbsp;Decryptor" will help you.</p> <hr> <p>If your per<span class="h">CVJUYi</span>sonal page is not availa<span class="h">FzkgrTcQ</span>ble for a long period there is another way to open your personal page - insta<span class="h">Ax</span>llation and use of Tor&nbsp;Browser:</p> <ol> <li>run your Inte<span class="h">LJl</span>rnet browser (if you do not know wh&#097;t it is run the Internet&nbsp;Explorer);</li> <li>ent<span class="h">H7Onm</span>er or copy the &#097;ddress <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/downlo&#097;d/download-easy.html.en</a> into the address bar of your browser &#097;nd press ENTER;</li> <li>wait for the site load<span class="h">mvSamoXA</span>ing;</li> <li>on the site you will be offered to do<span class="h">qxRRQ</span>wnload Tor&nbsp;Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ru<span class="h">8l0smA</span>n Tor&nbsp;Browser;</li> <li>connect with the butt<span class="h">L149dv18X</span>on "Connect" (if you use the English version);</li> <li>a normal Internet bro<span class="h">M5</span>wser window will be opened &#097;fter the initialization;</li> <li>type or copy the add<span class="h">5YhV8cXgE</span>ress <br><span class="info">http://p27dokhpz2n7nvgr.onion/C167-D458-6DF8-0446-9F9E</span><br> in this browser address bar;</li> <li>pre<span class="h">oVEK</span>ss ENTER;</li> <li>the site sho<span class="h">LuHP</span>uld be loaded; if for some reason the site is not lo<span class="h">F05N5kK</span>ading wait for a moment and try again.</li> </ol> <p>If you have any pr<span class="h">SY154</span>oblems during installation or use of Tor&nbsp;Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">qj01doZimt</span>h bar "Install Tor&nbsp;Browser Windows" and you will find a lot of training videos about Tor&nbsp;Browser installation and use.</p> <hr> <p><strong>Addit<span class="h">jEv46</span>ional information:</strong></p> <p>You will fi<span class="h">0VyOgZ</span>nd the instru<span class="h">qifsvhm2Pf</span>cti&#111;ns ("*_READ_THIS_FILE_*.hta") for re<span class="h">dlwrX</span>st&#111;ring y&#111;ur files in &#097;ny f<span class="h">B3PqOUxxA4</span>&#111;lder with your enc<span class="h">yFMPSb40C</span>rypted files.</p> <p>The instr<span class="h">TIGNARrj</span>ucti&#111;ns "*_READ_THIS_FILE_*.hta" in the f<span class="h">xXge</span>&#111;lder<span class="h">heOLChJ</span>s with your encry<span class="h">RQmpaxOU</span>pted files are not vir<span class="h">V</span>uses! The instruc<span class="h">ILiBzknJJV</span>tions "*_READ_THIS_FILE_*.hta" will he<span class="h">ew</span>lp you to dec<span class="h">1j</span>rypt your files.</p> <p>Remembe<span class="h">Vb</span>r! The w&#111;rst si<span class="h">8</span>tu&#097;tion already happ<span class="h">VToZO6GJ</span>ened and n&#111;w the future of your files de<span class="h">1m5ZBr1M</span>pends on your determ<span class="h">He2C43</span>ination and speed of your actions.</p> </div> <div id="ar" style="direction: rtl;"> <p>لا يمكنك العثور على الملفات الضرورية؟<br>هل محتوى الملفات غير قابل للقراءة؟</p> <p>هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cer&#98;er&nbsp;Rans&#111;mware".</p> <p>وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا.<br>ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.</p> <p>الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cer&#98;er&nbsp;Decryptor".</p> <p>إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!</p> <hr> <p>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:</p> <p><span class="info"><span class="updating">أرجو الإنتظار...</span><a class="url" href="http://p27dokhpz2n7nvgr.1czh7o.top/C167-D458-6DF8-0446-9F9E" target="_blank">http://p27dokhpz2n7nvgr.1czh7o.top/C167-D458-6DF8-0446-9F9E</a><hr><a href="http://p27dokhpz2n7nvgr.1hpvzl.top/C167-D458-6DF8-0446-9F9E" target="_blank">http://p27dokhpz2n7nvgr.1hpvzl.top/C167-D458-6DF8-0446-9F9E</a><hr><a href="http://p27dokhpz2n7nvgr.1pglcs.top/C167-D458-6DF8-0446-9F9E" target="_blank">http://p27dokhpz2n7nvgr.1pglcs.top/C167-D458-6DF8-0446-9F9E</a><hr><a href="http://p27dokhpz2n7nvgr.1cewld.top/C167-D458-6DF8-0446-9F9E" target="_blank">http://p27dokhpz2n7nvgr.1cewld.top/C167-D458-6DF8-0446-9F9E</a><hr><a href="http://p27dokhpz2n7nvgr.1js3tl.top/C167-D458-6DF8-0446-9F9E" target="_blank">http://p27dokhpz2n7nvgr.1js3tl.top/C167-D458-6DF8-0446-9F9E</a></span></p> <p>في حالة تعذر فتح هذه الصفحة &nbsp;<span class="button" onclick="return updUrl('ar');">انقر هنا</span>&nbsp; لإنشاء عنوان جديد لصفحتك الشخصية.</p> <p>في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.</p> <p>في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cer&#98;er&nbsp;Decryptor" سوف يساعدك.</p> <hr> <p>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:</p> <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان <br><span class="info">http://p27dokhpz2n7nvgr.onion/C167-D458-6DF8-0446-9F9E</span><br> في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> <p>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.</p> <hr> <p><strong>معلومات إضافية:</strong></p> <p>سوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة.</p> <p>الإرشادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك.</p> <p>تذكر أن أسوأ موقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</p> </div> <div id="zh"> <p>您找不到所需的文件?<br>您文件的内容无法阅读?</p> <p>这是正常的,因为您文件的文件名和数据已经被“Cer&#98;er&nbsp;Rans&#111;mware”加密了。</p> <p>这意味着您的文件并没有损坏!您的文件只是被修改了,这个修改是可逆的,解密之前您无法使用您的文件。</p>

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_READ_THI$_FILE_IWD6SG2_.txt

Ransom Note
CERBER RAN$OMWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: --- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/C167-D458-6DF8-0446-9F9E Note! This page is available via "Tor Browser" only. --- Also you can use temporary addresses on your personal page without using "Tor Browser". --- 1. http://p27dokhpz2n7nvgr.1czh7o.top/C167-D458-6DF8-0446-9F9E 2. http://p27dokhpz2n7nvgr.1hpvzl.top/C167-D458-6DF8-0446-9F9E 3. http://p27dokhpz2n7nvgr.1pglcs.top/C167-D458-6DF8-0446-9F9E 4. http://p27dokhpz2n7nvgr.1cewld.top/C167-D458-6DF8-0446-9F9E 5. http://p27dokhpz2n7nvgr.1js3tl.top/C167-D458-6DF8-0446-9F9E --- Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://p27dokhpz2n7nvgr.onion/C167-D458-6DF8-0446-9F9E

http://p27dokhpz2n7nvgr.1czh7o.top/C167-D458-6DF8-0446-9F9E

http://p27dokhpz2n7nvgr.1hpvzl.top/C167-D458-6DF8-0446-9F9E

http://p27dokhpz2n7nvgr.1pglcs.top/C167-D458-6DF8-0446-9F9E

http://p27dokhpz2n7nvgr.1cewld.top/C167-D458-6DF8-0446-9F9E

http://p27dokhpz2n7nvgr.1js3tl.top/C167-D458-6DF8-0446-9F9E

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Contacts a large (1104) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Users\Admin\AppData\Local\Temp\591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
        3⤵
        • Modifies Windows Firewall
        PID:2708
      • C:\Windows\SysWOW64\netsh.exe
        C:\Windows\system32\netsh.exe advfirewall reset
        3⤵
        • Modifies Windows Firewall
        PID:4388
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_HES9NE1_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:5076
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_E4WXUG_.txt
          3⤵
            PID:3248
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3012
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im "591ad86e048de0e146e95de06cde9086_JaffaCakes118.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2468
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:4704
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x384 0x470
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4084

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Defense Evasion

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Modify Registry

      1
      T1112

      Discovery

      Network Service Discovery

      1
      T1046

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Remote System Discovery

      1
      T1018

      Impact

      Defacement

      1
      T1491

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_READ_THI$_FILE_IWD6SG2_.txt
        Filesize

        1KB

        MD5

        9120dfe0242cee9d1754f1a8935dee30

        SHA1

        da43a5c78be202b2856a806c6cc3c78aca695017

        SHA256

        d7cc6cfcbc37b31cad39c3a665e1130c47ddd7c68629632b3dac7b0db6690a3e

        SHA512

        2d4da287e4403bc557a668ea0f1049c34eecd4c81d7de93afb37d83c42ef95228926ead82d5b199ccefe5266adf2d7626650d223a4da081fce1df0badd29a57e

      • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_READ_THI$_FILE_TYJ31_.jpeg
        Filesize

        150KB

        MD5

        e2afd1a5a0cee190835f99683c581f80

        SHA1

        2088d1a1fe541dfa4d725ae8a6d348d87176ea8f

        SHA256

        a2ae9ffcd5f13c97041f0e9676fae00c27c22f872ece1a016aaf2880c6f123d5

        SHA512

        2acc1c646fd2077a8f838a8c17839eb4661d3cbc213266be600a8d25d4ac118db44b1efd099cc7dda34e05ba8b7552d19f41f9c47146033933773092b3fab9b2

      • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_READ_THI$_FILE_84LQ1V_.hta
        Filesize

        75KB

        MD5

        ce967bd7b4a5b7e281a59882cc195956

        SHA1

        356f218bf6ebfcec03c8f8b852fe191a0b6ca7f9

        SHA256

        00ee139c95f16414f0e1f0196e2432f5250c5d6518a1d282f35c7e746136cc68

        SHA512

        ad8d7e415107c358df69bf273e3d638514768fce552df836bb7c8eccd0b76304c4d0366446887b790db77f46ed09a3c5a983c98cbd9ed2b34ee183bbf84c4699

      • memory/760-6-0x0000000000EA0000-0x0000000000EF1000-memory.dmp
        Filesize

        324KB

      • memory/760-0-0x0000000000EA0000-0x0000000000EF1000-memory.dmp
        Filesize

        324KB

      • memory/4112-4-0x0000000000EA0000-0x0000000000EF1000-memory.dmp
        Filesize

        324KB

      • memory/4112-7-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/4112-10-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/4112-14-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/4112-1-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/4112-5-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/4112-3-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/4112-384-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/4112-412-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/4112-413-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB