Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 20-05-2024 11:06
Static task: static1
Behavioral task: behavioral1
Sample: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
Resource: win10v2004-20240508-en
(the signatures, process tree and dropped files below are from behavioral2, the win10v2004 run)
General
Target: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
Size: 133KB
MD5: 5ebf1b0c233e9ef06a63623c7116e4a6
SHA1: 75c59361b6a8965ddf7f48bfd761fc75be410767
SHA256: 7ef1ecfe0e7f3ca00837d52dbc783359db692302109ad833168e4d8d781d5988
SHA512: 8448fe724907df5d72069604740b16783ce1ec38db1eb140b17c15c684f9840b7ee80a728e71dfec1ee87c017adfce6b0b7dc29dcc8ef2c91f42112769d0aff6
SSDEEP: 3072:4jYFtrnz2QVsDReiq9GCMDAhU0jqI07PWQZBmJoAGHjRumwA:4sneQi+GnDAa0p0rWQiJoAGHdv
Malware Config
Extracted
C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt
cerber
http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636
http://cerberhhyed5frqa.xo59ok.win/ABF8-4395-AA22-0291-2636
http://cerberhhyed5frqa.zx34jk.win/ABF8-4395-AA22-0291-2636
http://cerberhhyed5frqa.rt4e34.win/ABF8-4395-AA22-0291-2636
http://cerberhhyed5frqa.as13fd.win/ABF8-4395-AA22-0291-2636
http://cerberhhyed5frqa.onion/ABF8-4395-AA22-0291-2636
Extracted
C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.
-
Contacts a large (16405) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services. For Cerber specifically, fan-out to thousands of consecutive addresses is the family's known UDP beaconing to a hard-coded IP range (infection statistics, not service discovery); check the network tab for many short one-way UDP flows before treating this as lateral-movement reconnaissance.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services; here it is the same UDP fan-out described under the previous signature.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe, rdrleakdiag.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\rdrleakdiag.exe\"" | 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\rdrleakdiag.exe\"" | rdrleakdiag.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence. Cerber is documented to abort before encrypting on systems whose configured country is on its exclusion list (former-Soviet states), so this read happens early; a sandbox image with an excluded locale would show none of the encryption behaviour below.
Processes: rdrleakdiag.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | rdrleakdiag.exe
-
Drops startup file 2 IoCs
Processes: rdrleakdiag.exe, 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk | rdrleakdiag.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk | 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
-
Executes dropped EXE 1 IoCs
Processes: rdrleakdiag.exe
pid | process
5092 | rdrleakdiag.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc. No process IoC is listed for this signature, and the only browser activity in the run is msedge.exe being launched by rdrleakdiag.exe to display the ransom note, so treat this as a side effect of that launch rather than evidence of credential theft by the sample.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe, rdrleakdiag.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\rdrleakdiag.exe\"" | 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\rdrleakdiag.exe\"" | 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\rdrleakdiag.exe\"" | rdrleakdiag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rdrleakdiag = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\rdrleakdiag.exe\"" | rdrleakdiag.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
32 | ipinfo.io
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: rdrleakdiag.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1D62.bmp" | rdrleakdiag.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
All three reads are made by Edge, which the malware launched to show the ransom note, not by the sample itself; this report does not support using them as anti-VM indicators for the family.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
3740 | vssadmin.exe
-
Kills process with taskkill 2 IoCs
Processes: taskkill.exe, taskkill.exe
pid | process
1816 | taskkill.exe
5580 | taskkill.exe
Both invocations target the malware's own images (see the cmd.exe command lines in the process tree): this is the self-delete routine, not termination of security tooling.
-
Modifies Control Panel 4 IoCs
Processes: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe, rdrleakdiag.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop | 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\rdrleakdiag.exe\"" | 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop | rdrleakdiag.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\rdrleakdiag.exe\"" | rdrleakdiag.exe
(registering the dropped copy as the screensaver is a third persistence path alongside the Run/RunOnce and Policies\Explorer\Run keys)
-
Modifies registry class 1 IoCs
Processes: rdrleakdiag.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | rdrleakdiag.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
Processes: rdrleakdiag.exe, msedge.exe, msedge.exe, identity_helper.exe
pid | process
5092 | rdrleakdiag.exe (×36)
4388 | msedge.exe (×2)
3296 | msedge.exe (×3)
1380 | identity_helper.exe (×2)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes: msedge.exe
pid | process
3296 | msedge.exe (×10)
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe, taskkill.exe, rdrleakdiag.exe, vssvc.exe, wmic.exe, AUDIODG.EXE, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 4188 | 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe
Token: SeDebugPrivilege | 1816 | taskkill.exe
Token: SeDebugPrivilege | 5092 | rdrleakdiag.exe
Token: SeBackupPrivilege | 3876 | vssvc.exe
Token: SeRestorePrivilege | 3876 | vssvc.exe
Token: SeAuditPrivilege | 3876 | vssvc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this 21-token sequence is enabled twice, 42 entries) | 1380 | wmic.exe
Token: 33 | 2488 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2488 | AUDIODG.EXE
Token: SeDebugPrivilege | 5580 | taskkill.exe
(pid 1380 is later reused by identity_helper.exe; the wmic.exe token adjustments are wmic's standard start-up behaviour, the sample's own privilege use is limited to SeDebugPrivilege)
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
pid | process
3296 | msedge.exe (×25)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid | process
3296 | msedge.exe (×24)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe, cmd.exe, rdrleakdiag.exe, msedge.exe
description | pid | process | target process
PID 4188 wrote to memory of 5092 (×3) | 4188 | 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe | rdrleakdiag.exe
PID 4188 wrote to memory of 2940 (×3) | 4188 | 5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe | cmd.exe
PID 2940 wrote to memory of 1816 (×3) | 2940 | cmd.exe | taskkill.exe
PID 2940 wrote to memory of 4044 (×3) | 2940 | cmd.exe | PING.EXE
PID 5092 wrote to memory of 3740 (×2) | 5092 | rdrleakdiag.exe | vssadmin.exe
PID 5092 wrote to memory of 1380 (×2) | 5092 | rdrleakdiag.exe | wmic.exe
PID 5092 wrote to memory of 3296 (×2) | 5092 | rdrleakdiag.exe | msedge.exe
PID 3296 wrote to memory of 4832 (×2) | 3296 | msedge.exe | msedge.exe
PID 5092 wrote to memory of 3988 (×2) | 5092 | rdrleakdiag.exe | NOTEPAD.EXE
PID 3296 wrote to memory of 2860 (×40) | 3296 | msedge.exe | msedge.exe
PID 3296 wrote to memory of 4388 (×2) | 3296 | msedge.exe | msedge.exe
(every pair is a parent writing into a child it has just created, which is the normal process-creation pattern; nothing here writes into an unrelated process, so the parent/child pairs are the useful part, not the counts)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the API use is the service side of the vssadmin/wmic deletion requests: vssvc.exe starts on demand (depth 1 in the process tree) and enables SeBackupPrivilege/SeRestorePrivilege to carry out the deletion.
Processes
(depth n is the nesting level in the process tree; the items listed under a process are the signatures it triggered)
-
C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe (depth 1)
cmdline: "C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe"
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\rdrleakdiag.exe (depth 2)
cmdline: "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\rdrleakdiag.exe"
- Adds policy Run key to start application
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe (depth 3)
cmdline: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\system32\wbem\wmic.exe (depth 3)
cmdline: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff675e46f8,0x7fff675e4708,0x7fff675e4718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7320028344173962327,17827405754348939743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1
-
C:\Windows\system32\NOTEPAD.EXE (depth 3)
cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff675e46f8,0x7fff675e4708,0x7fff675e4718
-
C:\Windows\System32\WScript.exe (depth 3)
cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
-
C:\Windows\system32\cmd.exe (depth 3)
cmdline: /d /c taskkill /t /f /im "rdrleakdiag.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\rdrleakdiag.exe" > NUL
-
C:\Windows\system32\taskkill.exe (depth 4)
cmdline: taskkill /t /f /im "rdrleakdiag.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXE (depth 4)
cmdline: ping -n 1 127.0.0.1
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
cmdline: /d /c taskkill /t /f /im "5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe" > NUL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exe (depth 3)
cmdline: taskkill /t /f /im "5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe"
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXE (depth 3)
cmdline: ping -n 1 127.0.0.1
- Runs ping.exe
-
C:\Windows\system32\vssvc.exe (depth 1)
cmdline: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\AUDIODG.EXE (depth 1)
cmdline: C:\Windows\system32\AUDIODG.EXE 0x4a0 0x4f0
- Suspicious use of AdjustPrivilegeToken
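The process tree above shows the four behaviours worth alerting on from endpoint telemetry: shadow-copy deletion through vssadmin and wmic, the taskkill / ping / del self-delete chain, autorun persistence (Run, RunOnce, Policies\Explorer\Run and SCRNSAVE.EXE) pointing at a copy under %AppData%\Roaming\{GUID}\, and the ransom note opened with Edge, Notepad and WScript. The Python below is an added example written for this page, not code from the sandbox or from Cerber. Its event records are constructed by hand from the command lines and registry IoCs in this report, laid out in Sysmon-like fields (image, command line, registry key and value); the three benign look-alikes at the end are invented to show that the rules stay quiet on an ordinary Run entry, a lone loopback ping and an Edge helper process.

```python
"""Detection checks for the Cerber behaviours recorded in this report.

All telemetry below is CONSTRUCTED by hand from the process tree and registry
IoCs in the report (Sysmon-style process-creation and registry-set fields);
it is not an export from a real sensor.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (creation) or "registry" (value set)
    image: str         # full path of the acting image
    cmdline: str = ""  # process events only
    key: str = ""      # registry events: key path
    value: str = ""    # registry events: string data written


# Rule names double as the keys of the dictionary returned by summarize().
R_SHADOW = "shadow-copy deletion (T1490)"
R_SELFDEL = "self-delete chain: taskkill & ping & del (T1070.004)"
R_PERSIST = r"autorun persistence pointing into %AppData%\{GUID}\*.exe (T1547.001 / T1546.002)"
R_NOTE = "ransom note or payment gateway opened (T1491.001)"

# cmd /d /c taskkill ... & ping -n 1 127.0.0.1 ... & del "<path>": the loopback ping is
# only a sub-second sleep so the image's handle is released before del runs.
SELF_DELETE_RE = re.compile(r"taskkill\b.*&\s*ping\s+-n\s+\d+\s+127\.0\.0\.1\b.*&\s*del\s", re.I)
# Run, RunOnce, the Policies\Explorer\Run variant, and the screensaver value.
PERSIST_KEY_RE = re.compile(
    r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(Once)?(\\|$)"
    r"|\\Control Panel\\Desktop\\SCRNSAVE\.EXE$", re.I)
# Shape of Cerber's dropped copy: %AppData%\Roaming\{GUID}\<name>.exe. GUID and file
# name differ per infection, so the rule matches the shape, not this run's values.
APPDATA_GUID_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\[^\\]+\.exe", re.I)
RANSOM_NOTE_RE = re.compile(r"# DECRYPT MY FILES #\.(html|txt|vbs|url)\b", re.I)
GATEWAY_HOST = "cerberhhyed5frqa."   # gateway label from the extracted config above


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_shadow_deletion(ev: Event) -> bool:
    if ev.kind != "process":
        return False
    name, cl = image_name(ev.image), ev.cmdline.lower()
    if name == "vssadmin.exe":
        return "delete shadows" in cl
    if name == "wmic.exe":
        return "shadowcopy delete" in cl
    return False


def rule_self_delete_chain(ev: Event) -> bool:
    return (ev.kind == "process" and image_name(ev.image) == "cmd.exe"
            and SELF_DELETE_RE.search(ev.cmdline) is not None)


def rule_appdata_guid_persistence(ev: Event) -> bool:
    return (ev.kind == "registry"
            and PERSIST_KEY_RE.search(ev.key) is not None
            and APPDATA_GUID_EXE_RE.search(ev.value) is not None)


def rule_ransom_note_opened(ev: Event) -> bool:
    if ev.kind != "process" or image_name(ev.image) not in {"msedge.exe", "notepad.exe", "wscript.exe"}:
        return False
    return RANSOM_NOTE_RE.search(ev.cmdline) is not None or GATEWAY_HOST in ev.cmdline.lower()


RULES = [(R_SHADOW, rule_shadow_deletion), (R_SELFDEL, rule_self_delete_chain),
         (R_PERSIST, rule_appdata_guid_persistence), (R_NOTE, rule_ransom_note_opened)]

HIVE = r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000"
DROP = r"C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\rdrleakdiag.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events: the report's command lines and registry writes, followed by
# three benign look-alikes (also constructed) that must not alert.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\system32\vssadmin.exe", r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet'),
    Event("process", r"C:\Windows\system32\wbem\wmic.exe", r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'),
    Event("process", r"C:\Windows\system32\cmd.exe",
          r'/d /c taskkill /t /f /im "rdrleakdiag.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "' + DROP + '" > NUL'),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe",
          r'/d /c taskkill /t /f /im "5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5ebf1b0c233e9ef06a63623c7116e4a6_JaffaCakes118.exe" > NUL'),
    Event("process", EDGE, '"' + EDGE + r'" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html'),
    Event("process", r"C:\Windows\system32\NOTEPAD.EXE", r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt'),
    Event("process", r"C:\Windows\System32\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"'),
    Event("process", EDGE, '"' + EDGE + '" --single-argument http://cerberhhyed5frqa.6oifgr.win/ABF8-4395-AA22-0291-2636'),
    Event("registry", DROP, key=HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", value='"' + DROP + '"'),
    Event("registry", DROP, key=HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rdrleakdiag", value='"' + DROP + '"'),
    Event("registry", DROP, key=HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rdrleakdiag", value='"' + DROP + '"'),
    Event("registry", DROP, key=HIVE + r"\Control Panel\Desktop\SCRNSAVE.EXE", value='"' + DROP + '"'),
    # benign look-alikes (constructed)
    Event("registry", r"C:\Windows\explorer.exe", key=HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          value=r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Event("process", r"C:\Windows\system32\PING.EXE", "ping -n 1 127.0.0.1"),
    Event("process", EDGE, '"' + EDGE + r'" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7'),
]


def run_rules(events):
    """Return (rule name, image name) for every event/rule pair that fires."""
    return [(name, image_name(ev.image)) for ev in events for name, pred in RULES if pred(ev)]


def summarize(events=None):
    """Count hits per rule; on this report's telemetry all four rules fire."""
    counts = {}
    for name, _ in run_rules(SAMPLE_EVENTS if events is None else events):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, image in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {image}")
    print(summarize())
```

Run directly it prints one line per hit and the per-rule counts. In a real deployment the same predicates map onto Sysmon event ID 1 (process creation) and ID 13 (registry value set). The shadow-copy rule is the highest-confidence signal and the one to page on; the persistence rule keys on the drop-path shape rather than the GUID because the GUID changes per infection; the note rule is low on its own (a user opening a note is already too late) but useful for scoping which hosts were hit.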
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
Filesize: 12KB
MD5: 6fd8bbe248d7a694df0dfeaeebbac608
SHA1: d24cd36d733cca919dd334258ea99d78603cdb13
SHA256: 8f8fddb69819a78f9964ff122c892fe249616fdb07f2db4525e19be1111cbd7b
SHA512: f581093b60df7cdbf8ec5639c570d20330cb4ca58b4e4d64778d29128949bccddb0d5bafb50e26a2e450fc6182e94a3907414e6f18e8e2e86399d37fbd57d55d
-
C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt
Filesize: 10KB
MD5: 86b36f3c869d0e05050b3677bcf74a7c
SHA1: 926c60b084cc585f4ff694cb60d0227be1aeafe3
SHA256: ff09ec7a4ff6715a4b4baef943200e590f9dcf341fdd06851590c0cf798e4706
SHA512: bb1d8c85810d1dd3caad382c5dfb721d1504aa5b5afb41a7b3c9839816d9f73e12eeb9544d16236d3156abbd4b2e4cb7e73d2d8e8ba744c89e39959ba98b6bb9
-
C:\Recovery\WindowsRE\# DECRYPT MY FILES #.url
Filesize: 85B
MD5: caa5151d324b69d087b71305850d8000
SHA1: 0af67308be0646f4a4856b2cd4afd84ac0474fbb
SHA256: db42542d67e61ff70e8a8bed199fa70f07b8d47ca100bb7ffa2f4d03c59471b7
SHA512: 2627122e6dead1eee4f601e232db58e0820e6e898dde50416f19443e486d20a9f5eac54729569791cb08de198a5c8b46b32d0eb41e58f57bb8f5419ae4dc4ea0
-
C:\Recovery\WindowsRE\# DECRYPT MY FILES #.vbs
Filesize: 216B
MD5: 48ac29422570636cae371b68c858b988
SHA1: ff86dea198c93a8ae49ee52c6eb919fcbd259aab
SHA256: 3926b08f205999c2f1a24121117ecfeed31557bf6f0529416f3432321292c6b0
SHA512: 75019e6fd4b53528aab1af668149540e1bc372e58e4786eda1da75e7c9718dbc274cbf3f37cd38fbe7e618ea9c1b24c2534d18aecfcc3264ec55f83f206faaa3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 439b5e04ca18c7fb02cf406e6eb24167
SHA1: e0c5bb6216903934726e3570b7d63295b9d28987
SHA256: 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512: d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: a8e767fd33edd97d306efb6905f93252
SHA1: a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256: c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512: 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: f50dd464b01f37d2da2aab749ef211c3
SHA1: 4457e339988a9cf806dc1a6df347b33c589e62ba
SHA256: da557d9c051750f8792d22f779085dc17584bda11cd1a36a5d12b7d8f9e0a1fc
SHA512: fa8b9d2eceabbd2c0736ee8f76ada28584a1e291b793e07cb27ba05485c29f2fbe89f7047dc42690eefea8dd475473189c8a68d7c775a46c17a690c9f4049149
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: cb6e462b01303f2a9fa86254001d5b60
SHA1: 52002ff38442ea346f89a399c07f48ee87faa915
SHA256: 7d9bebcc36db582b1dd795455226045b98cc0e7df78742fbccf298b01e0508c3
SHA512: d5861700e20bb1d5d9195c29f2394da53712ae5d837d947af3767c03f393acf5b0928a288f96d5fac57f3367e81f0442e23e2d75749108d4dadf5a7e9df38f97
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: ed2fa4d6a629c318817fe66834ebfa19
SHA1: a7ad732704f07bd5e096617d30e8e9885bc3c285
SHA256: 92d0ecb4226cdfc7a03ee31daee0249da419f8c8e88ac7a9082140c6e0560ce8
SHA512: f6d46d28263e5e3d4c87d42bf63e70270710f26c4b6c85a7fdad2cae0fd814dde719000d7f4416769585df1bb8a0282b46eb1020e0e5740d525419a1cae9e408
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\rdrleakdiag.lnk
Filesize: 1KB
MD5: b9d56d0b17e0478ba56d6abfd2302e72
SHA1: 957e5cb5ed2b35e165fd32d17ca6d137502d3719
SHA256: f37bcee2eb36c9fc1df61fdb011f8f2b52c19d5290aa4a597629da7742ad72bc
SHA512: c96cd13ef760a8129e1c3330334fcfd1a98071c6142719d968aa5b6e8240d9e641cd6f7732378632d30625d7444db2076bb887d6523a8efac8ab7806c4fb8875
-
C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\rdrleakdiag.exe
Filesize: 133KB
MD5: 5ebf1b0c233e9ef06a63623c7116e4a6
SHA1: 75c59361b6a8965ddf7f48bfd761fc75be410767
SHA256: 7ef1ecfe0e7f3ca00837d52dbc783359db692302109ad833168e4d8d781d5988
SHA512: 8448fe724907df5d72069604740b16783ce1ec38db1eb140b17c15c684f9840b7ee80a728e71dfec1ee87c017adfce6b0b7dc29dcc8ef2c91f42112769d0aff6
(byte-identical to the submitted sample: same size and hashes, so the existing file-hash IoC also covers the persisted copy)
-
\??\pipe\LOCAL\crashpad_3296_URGBTYWEAOPBQSFE
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of zero bytes: the sandbox captured the Edge crashpad named pipe but read no content from it, so the entry carries no IoC value)
-
memory/4188-1-0x0000000000400000-0x000000000042A000-memory.dmp
Filesize: 168KB
-
memory/4188-10-0x0000000000400000-0x000000000042A000-memory.dmp
Filesize: 168KB
-
memory/4188-0-0x0000000000690000-0x00000000006A6000-memory.dmp
Filesize: 88KB
-
memory/5092-14-0x00000000039A0000-0x00000000039A1000-memory.dmp
Filesize: 4KB
-
memory/5092-11-0x0000000000400000-0x000000000042A000-memory.dmp
Filesize: 168KB
-
memory/5092-12-0x0000000000400000-0x000000000042A000-memory.dmp
Filesize: 168KB
-
memory/5092-24-0x0000000000400000-0x000000000042A000-memory.dmp
Filesize: 168KB
-
memory/5092-19-0x0000000000400000-0x000000000042A000-memory.dmp
Filesize: 168KB
-
memory/5092-321-0x0000000000400000-0x000000000042A000-memory.dmp
Filesize: 168KB
-
memory/5092-17-0x0000000000400000-0x000000000042A000-memory.dmp
Filesize: 168KB
-
memory/5092-16-0x0000000000400000-0x000000000042A000-memory.dmp
Filesize: 168KB
-
memory/5092-342-0x0000000000400000-0x000000000042A000-memory.dmp
Filesize: 168KB
(the 0x400000-0x42A000 region is the main image of the sample in pid 4188 and of its dropped copy in pid 5092, captured repeatedly over the run; the pid-5092 dumps taken late in the run, such as -321 and -342, are the ones to unpack for any runtime-decrypted configuration)