Analysis

  • max time kernel
    123s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-05-2024 11:06

General

  • Target

    5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe

  • Size

    133KB

  • MD5

    5ebf1b0c233e9ef06a63623c7116e4a6

  • SHA1

    75c59361b6a8965ddf7f48bfd761fc75be410767

  • SHA256

    7ef1ecfe0e7f3ca00837d52dbc783359db692302109ad833168e4d8d781d5988

  • SHA512

    8448fe724907df5d72069604740b16783ce1ec38db1eb140b17c15c684f9840b7ee80a728e71dfec1ee87c017adfce6b0b7dc29dcc8ef2c91f42112769d0aff6

  • SSDEEP

    3072:4jYFtrnz2QVsDReiq9GCMDAhU0jqI07PWQZBmJoAGHjRumwA:4sneQi+GnDAa0p0rWQiJoAGHdv

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R R A N S O M W A R E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware. ######################################################################### !!! If you are reading this message it means the software !!! "Cerber Ransomware" has been removed from your computer. ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! 
Any attempts to get back your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7 | | 2. http://cerberhhyed5frqa.xo59ok.win/379B-3E00-5EC1-0291-22D7 | | 3. http://cerberhhyed5frqa.zx34jk.win/379B-3E00-5EC1-0291-22D7 | | 4. 
http://cerberhhyed5frqa.rt4e34.win/379B-3E00-5EC1-0291-22D7 | | 5. http://cerberhhyed5frqa.as13fd.win/379B-3E00-5EC1-0291-22D7 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://cerberhhyed5frqa.onion/379B-3E00-5EC1-0291-22D7 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7

http://cerberhhyed5frqa.xo59ok.win/379B-3E00-5EC1-0291-22D7

http://cerberhhyed5frqa.zx34jk.win/379B-3E00-5EC1-0291-22D7

http://cerberhhyed5frqa.rt4e34.win/379B-3E00-5EC1-0291-22D7

http://cerberhhyed5frqa.as13fd.win/379B-3E00-5EC1-0291-22D7

http://cerberhhyed5frqa.onion/379B-3E00-5EC1-0291-22D7

Extracted

Path

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .tor { padding: 10px 0; text-align: center; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!!!<br>You have turned to be a part of a big community #CerberRansomware.</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not 
only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files.</p> <p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p> <p>After purchase of the software package you 
will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><a href="http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7" target="_blank">http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7</a></li> <li><a href="http://cerberhhyed5frqa.xo59ok.win/379B-3E00-5EC1-0291-22D7" target="_blank">http://cerberhhyed5frqa.xo59ok.win/379B-3E00-5EC1-0291-22D7</a></li> <li><a href="http://cerberhhyed5frqa.zx34jk.win/379B-3E00-5EC1-0291-22D7" target="_blank">http://cerberhhyed5frqa.zx34jk.win/379B-3E00-5EC1-0291-22D7</a></li> <li><a href="http://cerberhhyed5frqa.rt4e34.win/379B-3E00-5EC1-0291-22D7" target="_blank">http://cerberhhyed5frqa.rt4e34.win/379B-3E00-5EC1-0291-22D7</a></li> <li><a href="http://cerberhhyed5frqa.as13fd.win/379B-3E00-5EC1-0291-22D7" target="_blank">http://cerberhhyed5frqa.as13fd.win/379B-3E00-5EC1-0291-22D7</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7" target="_blank">http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run 
your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <a href="http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7" target="_blank">http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7" target="_blank">http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a 
href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/379B-3E00-5EC1-0291-22D7</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to 
your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> </body> </html>
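Both notes above carry the same per-victim identifier (379B-3E00-5EC1-0291-22D7) in every URL: five throwaway .win clearnet gateways plus the .onion service. The Python below is an added example, not code from the sandbox report or from Cerber itself; it pulls that configuration out of either the TXT or the HTML form of the note and refuses notes whose URLs disagree on the victim ID. The note excerpts embedded in it are constructed from the notes reproduced on this page, and the regex, the function name and the gateway/onion split are the example's own assumptions.

```python
"""Pull the per-victim configuration out of a Cerber ransom note (TXT or HTML).

Added example for this report, not code from the sandbox or from Cerber:
the note excerpts are constructed from the notes reproduced on this page, and
the regex and the gateway/onion split are the example's own choices."""
import re

# Cerber note URLs: <label>.<random>.win (clearnet gateway) or <label>.onion,
# each followed by the victim ID as five dash-separated 4-digit hex blocks.
URL_RX = re.compile(
    r"https?://([a-z0-9]+)\.((?:[a-z0-9]+\.)?(?:win|onion))/"
    r"([0-9a-f]{4}(?:-[0-9a-f]{4}){4})",
    re.IGNORECASE,
)

TXT_NOTE = """constructed excerpt of the "# DECRYPT MY FILES #.txt" note
| 1. http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7 |
| 2. http://cerberhhyed5frqa.xo59ok.win/379B-3E00-5EC1-0291-22D7 |
| 3. http://cerberhhyed5frqa.zx34jk.win/379B-3E00-5EC1-0291-22D7 |
| 4. http://cerberhhyed5frqa.rt4e34.win/379B-3E00-5EC1-0291-22D7 |
| 5. http://cerberhhyed5frqa.as13fd.win/379B-3E00-5EC1-0291-22D7 |
1. take a look at the first address (in this case it is http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar
8. type or copy the address http://cerberhhyed5frqa.onion/379B-3E00-5EC1-0291-22D7 in this browser address bar;
"""

HTML_NOTE = """constructed excerpt of the "# DECRYPT MY FILES #.html" note
<li><a href="http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7" target="_blank">http://cerberhhyed5frqa.6oifgr.win/379B-3E00-5EC1-0291-22D7</a></li>
<li><a href="http://cerberhhyed5frqa.xo59ok.win/379B-3E00-5EC1-0291-22D7" target="_blank">http://cerberhhyed5frqa.xo59ok.win/379B-3E00-5EC1-0291-22D7</a></li>
<span class="tor">http://cerberhhyed5frqa.onion/379B-3E00-5EC1-0291-22D7</span>
"""


def extract_config(note_text):
    """Return {'family', 'victim_id', 'onion', 'gateways', 'urls'} or raise ValueError.

    Duplicates (the TXT note repeats the first address, the HTML note has each
    URL in href and link text) collapse to one entry, in first-seen order."""
    seen = {}
    for m in URL_RX.finditer(note_text):
        url = m.group(0)
        if url not in seen:
            seen[url] = (m.group(1).lower(), m.group(2).lower(), m.group(3).upper())
    if not seen:
        raise ValueError("no Cerber-style payment URLs found")
    victim_ids = {vid for _, _, vid in seen.values()}
    if len(victim_ids) != 1:
        # One note, one victim: mixed IDs mean a mangled or stitched-together note.
        raise ValueError(f"inconsistent victim IDs: {sorted(victim_ids)}")
    hosts = [f"{label}.{domain}" for label, domain, _ in seen.values()]
    return {
        "family": "cerber",
        "victim_id": victim_ids.pop(),
        "onion": [h for h in hosts if h.endswith(".onion")],
        "gateways": [h for h in hosts if not h.endswith(".onion")],
        "urls": list(seen),
    }


if __name__ == "__main__":
    for name, note in (("txt", TXT_NOTE), ("html", HTML_NOTE)):
        print(name, extract_config(note))
```

The victim ID is the value worth keying on: the .win gateway domains rotate per campaign and die within days, while the ID ties every note on a host (and on other hosts in the same incident) to one victim record on the operators' side.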

Signatures

  • Cerber

    Cerber is a widely distributed ransomware-as-a-service (RaaS), first seen in early 2016.

  • Contacts a large number (16390) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For Cerber specifically, a host count this high is usually the family's post-encryption UDP statistics beacon, which it sprays across whole IP ranges; check the captured traffic (one-way UDP to many addresses, no replies expected) before treating it as lateral movement or service discovery.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\charmap.exe
      "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\charmap.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2536
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:288
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1916
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1868
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1976
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:537601 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1144
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
        PID:1600
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        3⤵
        PID:3008
      • C:\Windows\system32\cmd.exe
        /d /c taskkill /t /f /im "charmap.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\charmap.exe" > NUL
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Windows\system32\taskkill.exe
          taskkill /t /f /im "charmap.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2744
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1468
    • C:\Windows\SysWOW64\cmd.exe
      /d /c taskkill /t /f /im "5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe" > NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im "5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2516
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2412
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2416
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3068 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:912
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:2608
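The process tree above is the part of this run that detection engineering should key on: one parent (charmap.exe, PID 2084) issues four distinct recovery-inhibition commands (vssadmin, wmic, two bcdedit calls), opens the ransom note, and is then removed by a cmd.exe taskkill/ping/del chain, and the original dropper is cleaned up the same way. The Python below is an added example, not code from the sandbox or from the malware; it encodes those command lines as rules, correlates hits by parent PID, and alerts only when one parent trips two or more of the T1490 rules, so a lone administrative vssadmin call does not fire. The event records are constructed from this report's process tree in a Sysmon Event ID 1-like layout (pid, ppid, image, command line); that layout, the rule names and the unknown parent of the first process are assumptions.

```python
"""Process-tree detection for the Cerber recovery-inhibition and clean-up chain.

Added example for this report, not code from the sandbox or from the malware:
EVENTS is constructed from the report's process tree (pid, ppid, image,
command line, Sysmon Event ID 1 style); the layout and rule names are assumed."""
import re
from collections import defaultdict

# Rules tagged with the ATT&CK technique they evidence, matched on the
# lower-cased command line.
RULES = [
    ("T1490:vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("T1490:wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("T1490:bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("T1490:bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    # taskkill, ping-as-sleep and del chained in one cmd line: the self-delete stub.
    ("T1070.004:self_delete_chain",
     re.compile(r"\btaskkill\b.*&\s*ping\b.*&\s*del\b")),
    # A system tool launched on the ransom note marks the post-encryption phase.
    ("note:ransom_note_opened",
     re.compile(r"# decrypt my files #\.(?:txt|html|vbs|url)")),
]

CHARMAP = r"C:\Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\charmap.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe"

# (pid, ppid, image, command line), constructed from the report's process tree.
# The dropper's own parent is not in the report, hence None.
EVENTS = [
    (1636, None, DROPPER, f'"{DROPPER}"'),
    (2084, 1636, CHARMAP, f'"{CHARMAP}"'),
    (2536, 2084, r"C:\Windows\system32\vssadmin.exe",
     r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet'),
    (288, 2084, r"C:\Windows\system32\wbem\wmic.exe",
     r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'),
    (1916, 2084, r"C:\Windows\System32\bcdedit.exe",
     r'"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no'),
    (1868, 2084, r"C:\Windows\System32\bcdedit.exe",
     r'"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures'),
    (1880, 2084, r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html'),
    (2208, 2084, r"C:\Windows\system32\cmd.exe",
     rf'/d /c taskkill /t /f /im "charmap.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "{CHARMAP}" > NUL'),
    (2572, 1636, r"C:\Windows\SysWOW64\cmd.exe",
     rf'/d /c taskkill /t /f /im "5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "{DROPPER}" > NUL'),
]


def classify(cmdline):
    """Return the rule tags that one command line triggers."""
    text = cmdline.lower()
    return [tag for tag, rx in RULES if rx.search(text)]


def correlate(events):
    """Group rule hits by the parent that spawned the matching child."""
    hits = defaultdict(set)
    for _pid, ppid, _image, cmdline in events:
        for tag in classify(cmdline):
            hits[ppid].add(tag)
    return dict(hits)


def alerts(events, min_t1490_hits=2):
    """One alert per parent that issued at least min_t1490_hits distinct
    recovery-inhibition commands. A single vssadmin call has benign uses;
    several different ones under one parent almost never do."""
    out = []
    for ppid, tags in correlate(events).items():
        t1490 = sorted(t for t in tags if t.startswith("T1490:"))
        if len(t1490) < min_t1490_hits:
            continue
        out.append({
            "parent_pid": ppid,
            "t1490": t1490,
            "self_delete": "T1070.004:self_delete_chain" in tags,
            "note_displayed": "note:ransom_note_opened" in tags,
        })
    return out


if __name__ == "__main__":
    for alert in alerts(EVENTS):
        print(alert)
```

Correlating on the parent rather than on each child is what makes this robust to the noise in the tree: the cmd.exe clean-up of the dropper (PID 2572, parent 1636) only ever produces a T1070.004 hit on its own, while the encryptor's parent PID collects all four T1490 hits plus the note display and its own self-delete, which is the combination worth paging on.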

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Windows Management Instrumentation (T1047): 1
  • Persistence
    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  • Defense Evasion
    Indicator Removal (T1070): 2
    File Deletion (T1070.004): 2
    Modify Registry (T1112): 4
  • Credential Access
    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1
  • Discovery
    Network Service Discovery (T1046): 2
    System Information Discovery (T1082): 2
    Remote System Discovery (T1018): 1
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Inhibit System Recovery (T1490): 3
    Defacement (T1491): 1


Downloads

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
    Filesize: 12KB
    MD5: 97362d6282e3425886888f0e5a1d4fe2
    SHA1: f89c327cf280d69e179440e07f28197648b861d8
    SHA256: 26daaace5229909d19a8a60c45ea5b73ab92e31680637ac954f0e7d3286e1a1b
    SHA512: 539af7d24dfabb3915b8c73c67ccb836e342efce642b0e3cf99392b8fb4d1ccdb1ae95added4f1e19d69dfc197d3e1443cd82ff46689bbe884fc8731f13e5115

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
    Filesize: 10KB
    MD5: 38630cba948af520acd0cfcbef110e41
    SHA1: 0cc2c1c73c64481dbb05654d8abf9b469ae60c05
    SHA256: 691afe7f1bb50df3303235a5f73f11af7e589b7f51e1b625683374f438558846
    SHA512: 116393a8028d1cdc9fa03f37f37d3e2946c2996355c7ea9ff0a24e14b2f81652745df15fc8dcfc1dd03b45061cbac8c2f408b7bf6381b88bb68c8d4d780d9fcf

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
    Filesize: 85B
    MD5: f77cb86f0ab4092a94f5880128d2e6f2
    SHA1: 919bae849eb52fa760972de8496caf2519f7a318
    SHA256: 6291d9fd7c2e81680804afe373bdf8522a0575f629df8d8a37ad8a2a2c16889e
    SHA512: 286f2023eb0dd9f0ea9afa469679bbbb6f753d7b64990bf74213a8affe12a0c8144b23cf448c8b03f279ad2c2d36bd8b30dec14c3a5f6ed594fde9b646471628

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
    Filesize: 216B
    MD5: 48ac29422570636cae371b68c858b988
    SHA1: ff86dea198c93a8ae49ee52c6eb919fcbd259aab
    SHA256: 3926b08f205999c2f1a24121117ecfeed31557bf6f0529416f3432321292c6b0
    SHA512: 75019e6fd4b53528aab1af668149540e1bc372e58e4786eda1da75e7c9718dbc274cbf3f37cd38fbe7e618ea9c1b24c2534d18aecfcc3264ec55f83f206faaa3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 5e4dc6e12e1c13425a80d744653a7582
    SHA1: 672ec2eb89e7d80825d3e3b8e251ffc7eca63ed5
    SHA256: 963fe2b4801ad270e6e2d6be337c9ee0464124a068249a5dae1371196407bd48
    SHA512: dd79265a4ee1d3bb87419b71a5d9b100e999f2accae30f2c5baf1ffadcc19a27ab6b48ffeb7987974aaef0362bf4f51a52fab518505a01f3872b1f370b651237

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: af031eae7d5c839d122b777196967b85
    SHA1: 4845a04fa686c363f37a0b8f29bfc89153504e4d
    SHA256: c3ba8096646f75ff75b5ff9e83acf5ba925ca15debf982f21c88bc5e12c0a61b
    SHA512: 18d4861833c33248c3bf64ceed03e3c07193b5f0c39eee6fe666e31e2a4bce053bff6eae95871fc2c42acfa2bb61e0185005ac93386d6199996c7ff65d5850e4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          512d5ff1ba6b2e253edd134b9dd1735e

          SHA1

          7bd474e99608567c1a59b9144aab8e20b624ac7e

          SHA256

          7e4979e4037f207e95ab6c14a19b41270a395616811e8821ee3534b9aed8790d

          SHA512

          d463c91f2ecdfea5862c37f3a260bf3e2a473a74ce4a418c617674832ccad02c8b15fde48ccce25001d4eb8905ee5a8223843c391c7ab9fdf8f0f1823cf87f6d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          f093a5f35cb042ae207ef392d1def462

          SHA1

          4d80dab2375e26aae45fb19631ea6a29a8d3bb12

          SHA256

          dbea299d1920e131ebca2b660ac86a5486bead638dece4290392c90630ac642d

          SHA512

          a9295b9c4bf02bfb28a531dca8fb15f9516e59d32f029a8d384968347ba51ac9e7fcdf7e644125a382ac36fab625f6643e986ec35c8cf8554c8c9401dba29f2b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          4746199d2595d69040db533da73b080c

          SHA1

          87a87caf44b4b6d567865773176f93d8187f58b9

          SHA256

          5ba99bb0f2dd6ea096e719253f9a457604affedbdcc1345d702371e34c274e3e

          SHA512

          374308cdbe4d5b5a4d024e1229dd26b40e348fc537c4ccdaa9073c462be9dd7b41a764bb9bc76b0b2fcaa024316918404b99d010381034b98297d7bb5a039e0b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          7603b2e81945390a4290085f4d5c4fc1

          SHA1

          caa204f6c0b8a9fc8e6f94935008a8c2884d23af

          SHA256

          390482b712c933de7c79513e7c1d7684bfc526a21ffde3ebd495f08836961487

          SHA512

          37556bf6a8fe62aef08bfba7aed5335b11303fe8cd47e5c474ad3519b2a98da862af0658aafcf8b863dfad83af6f25dc7b145b11147c044444559fb898a66afc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          44c546d39385a0bebedfae009f366fdd

          SHA1

          3704b12a682fbf99a3e1062aebad340779bc5191

          SHA256

          8a445004b8fad1f429cc1bde880d9dca0dddc0560d05da0891d08667e8e72710

          SHA512

          9756c1417311b94e4624f07490901f4d7ff74bf4fd9d751566ddba324dbbe5ce768dfe88361cb721ca7dc91786ffdbbdf6be833e0a2f1657dc1ded7c35f26af6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d67497ec1d4cac657844fa3a2317cbea

          SHA1

          fb8cec21dc3f83860f2053e39e7f102a9a3f61e4

          SHA256

          ca24ab7900ab70fcea4c1e5bca3a882c580b8c390c41eaeb2f63f95cf42ddfe0

          SHA512

          cb35f94ef6ab72a320d11b4dec212823c43fb054acebda752a462ff32e145de55a7a3fd599ef24aa879ea390dbc4b33bafb17b52880f9dd78f10713a649a3686

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          ded4188dfe99b6de0bb49231c4ee6704

          SHA1

          fd097b654334e763e1f5aa8ae9b2dad0e061dc23

          SHA256

          6457cabb1fba6a8bb981974a3e631a858331e35b8cdb436483b5f68e2fc4dce0

          SHA512

          67b59c8248f6238fd17e90c0f8f16a64ba9e6d77d78ab3acb9d693fa6d3e7cfd592f35c31632fb628f9510518765ad1501794ddc9c4ff2c4f0e475521631a42c

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          b19787acacb4e8d700ce4bfd3a31c84e

          SHA1

          437165fca5f6fe0c1e5b95e41f35daac639c3b5f

          SHA256

          457ff9e1207e4b5a25a385043dc699a1cab25ca14a520df3c28cc2c880e591f6

          SHA512

          c5f9eb7b8c5120822614a398bade1ea6809326d7f486375d6d6379d4f7f5b1710ed8bbe7d87e7dd816951684952a6005ba5486f7dd1989f78d0fae641a920a6b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          d07050f0264ded56ca3b71ff2562667d

          SHA1

          c3535ec871d8bfa9a670e69cf3b41252250f35a6

          SHA256

          403095d2b8ef15f110bac0202eb490348223a6cf25c529c3e4b6a012dfa46ef8

          SHA512

          4909de6bd707a9c0b54cb2dacd7098fbec78029eba89e0234095e7105792da113fa1a663d353ee7d57b6633293eb8cca01cbd79600cb9779e3539b4841884823

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          acfe00532e841d3ec707c866451d90ea

          SHA1

          f5dc11d664aefabb5ee5c741936c2b8c7ae87ed8

          SHA256

          8a16504e0f7cba8e2602deaf66681c589e172f1fa80c5cd66cf8687061d57944

          SHA512

          c0820679b58f22b55cf53c4ca30892339e8bac1293b4c965e993864d5e425352fabbd1b4303b485cea69fc7ff6277f04bf5ac47c412735b2fd1d018f2d9747fd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          cd610354798299edd5e40f871d2f8b75

          SHA1

          49b0645bf6507077dbd336e8e96abd3e331184d4

          SHA256

          77e949febbd72563cbd99929d06fcce91f8f22928b2ca6920edcac0e6e1bbc7a

          SHA512

          702357113c937fe79854673c9d3c309716009af9e05a7cafb268e55b68c6119b8a06292cf0e40ddcbe868a7e1e204ed3f90035c463e40cd47bf1d3f8f464efe7

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          b50eeec667248a97ea99b51ed199e197

          SHA1

          d8c67c20ae218beab3f81b23d0529c33b3918664

          SHA256

          f1d83ff95fa5722c36db125a971c4c12d183956a35e5d43a4a73354e0d3daa98

          SHA512

          ab97b179a8b3eefce3fd32be40e9f54b8ece6eda10887a3671ba96e2bc71b7f077884b8dd8cfdc217de434649d781d14296b27c3f0d62e114856d442a84ccbc9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          322ea6edfea8bfa66228967a198ba5e1

          SHA1

          36e79421054e3b61ee12678909338e811b96574c

          SHA256

          c2efeb354480565011d25f277b7afc585825a47021b714e9b55b7ef621d9e1d2

          SHA512

          53bed71dc1c1bc528f2fd412c5059f192191d64494f4c7708b6bb89d02f86ff70a6a0aebe3066e2b22d207c5b37df14daf08201bbadd20c21086ca348b6eef4d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          05f227f52089ed4b57494c3820f9edb8

          SHA1

          afdd45eb84a2713bba96c339e933f4b37f180b4d

          SHA256

          2f7d6c6b8768b0b749eae00d8b41f8bd64c48bc2e7a6bb8eef66c557284e02fa

          SHA512

          2b4483d9253b74af586509f7c0d95a40415c868ad6139eff850b2745834be37da9b8e95b30e2ef4b8082a903adade36232e86a17fdc1864550c0d091ba5d9551

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          7bcd0bf0d4fe477c6ba31b821949c652

          SHA1

          d72d6b7e5b5b5d292640313b235460e88c7d9217

          SHA256

          5885577a6244479a5bc7b50961ec359a06ce6cef2a1452b3597e49feb886be8f

          SHA512

          d6aad2a5a227820111fc466fc374d3bfe3bdd4575ba6d9dabfe19448f64f47076a4ec9f56ebce37edac8d2bcee36680d491adc4ae05f99b2d24597847321ff47

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          344B

          MD5

          6c77add73e0bdeb8de2e7ee55e4b41c8

          SHA1

          ab2d425bac7f1c0308c6bca62a8abd258d1b3c3d

          SHA256

          96315d31d577b9d898bade0514bf6dddc6dfb172c357d6123758844eebf7e0cc

          SHA512

          b89349fdd20648cbf9ff43f51912d96d90c091c1b82c6f99d47d63814142c75972367ae7095d137155858d40d6e64f3ca6cdeecce15804227791ec589759b61c

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{287FF301-1699-11EF-BF93-66356D7B1278}.dat
          Filesize

          5KB

          MD5

          0b536c3d5dc3603b5724aef307761483

          SHA1

          366eb00af9fee02b36d02d3a946528596d3db008

          SHA256

          20b8825332def03960f08ca75c0e5460fd21b64f4f56c92fbfd13704092b431c

          SHA512

          e7c3f9dadb1d34954568807842ca61511f9163b2b5b36b13bd9c90b7567effcfeafadb20a19d183ce9adc959d088639c7706d1e38f36b28eaeba70cccd26591e

        • C:\Users\Admin\AppData\Local\Temp\Cab224.tmp
          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\Local\Temp\Tar2F8.tmp
          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\charmap.lnk
          Filesize

          1KB

          MD5

          f6fecebbdb1f935863295345ce37f5c3

          SHA1

          e066fc86a5d2528179df5f98c60a57b808d3496a

          SHA256

          ba560a92328af3afbd1862d3345426f9b554cd25a9724dbf9a3013c4485eadd6

          SHA512

          bbaa6a842f16047aeccde8ede651df5a2ea2840649ee82323dec96121a7904d45dc33fb3c2c00b13667904c1a02a638c48a55c22e0af7758c3ff09c2aa666f5b

        • \Users\Admin\AppData\Roaming\{F2EF5B1B-C654-DF2E-50D6-9E70A4C82B60}\charmap.exe
          Filesize

          133KB

          MD5

          5ebf1b0c233e9ef06a63623c7116e4a6

          SHA1

          75c59361b6a8965ddf7f48bfd761fc75be410767

          SHA256

          7ef1ecfe0e7f3ca00837d52dbc783359db692302109ad833168e4d8d781d5988

          SHA512

          8448fe724907df5d72069604740b16783ce1ec38db1eb140b17c15c684f9840b7ee80a728e71dfec1ee87c017adfce6b0b7dc29dcc8ef2c91f42112769d0aff6

        • memory/1636-0-0x00000000001B0000-0x00000000001C6000-memory.dmp
          Filesize

          88KB

        • memory/1636-14-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/1636-1-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/2084-922-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/2084-445-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/2084-432-0x0000000005370000-0x0000000005372000-memory.dmp
          Filesize

          8KB

        • memory/2084-21-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/2084-22-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/2084-19-0x00000000036C0000-0x00000000036C1000-memory.dmp
          Filesize

          4KB

        • memory/2084-15-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB

        • memory/2084-24-0x0000000000400000-0x000000000042A000-memory.dmp
          Filesize

          168KB