Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 06:34
Static task: static1
Behavioral task: behavioral1
- Sample: 6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe
- Size: 392KB
- MD5: 6653ef20d2a3a6ef656d9c886ebabd93
- SHA1: bb0cc0b05bb70a3d347faa94fb36a35c771b0692
- SHA256: 48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d
- SHA512: b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360
- SSDEEP: 3072:viHZTdn6oWzjNtxPPnGau7GMuOYHAifZEeKPi6u7KzrN7ivE5oY4KppRsqYaefiU:QZqPtvGauSM4HAifkGOzrN+HKkalM
Malware Config
Extracted from C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt
- Family: cerber
- URLs:
  - http://cerberhhyed5frqa.xlfp45.win/A31E-D12C-FA0D-0291-98F0
  - http://cerberhhyed5frqa.slr849.win/A31E-D12C-FA0D-0291-98F0
  - http://cerberhhyed5frqa.ret5kr.win/A31E-D12C-FA0D-0291-98F0
  - http://cerberhhyed5frqa.zgf48j.win/A31E-D12C-FA0D-0291-98F0
  - http://cerberhhyed5frqa.xltnet.win/A31E-D12C-FA0D-0291-98F0
  - http://cerberhhyed5frqa.onion/A31E-D12C-FA0D-0291-98F0
Extracted from C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Contacts a large (16400) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe, sdchange.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\sdchange.exe\"" [6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\sdchange.exe\"" [sdchange.exe]
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: sdchange.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation [sdchange.exe]
- Drops startup file (2 IoCs)
  Processes: 6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe, sdchange.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk [6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe]
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk [sdchange.exe]
- Executes dropped EXE (1 IoC)
  Processes: sdchange.exe
  - PID 2424 sdchange.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: 6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe, sdchange.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\sdchange.exe\"" [6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\sdchange.exe\"" [6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\sdchange.exe\"" [sdchange.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdchange = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\sdchange.exe\"" [sdchange.exe]
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - Flow 3: ipinfo.io
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: sdchange.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA16B.bmp" [sdchange.exe]
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS [msedge.exe]
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer [msedge.exe]
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName [msedge.exe]
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  - PID 5056 vssadmin.exe
- Kills process with taskkill (2 IoCs)
  Processes: taskkill.exe, taskkill.exe
  - PID 3124 taskkill.exe
  - PID 3900 taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes: 6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe, sdchange.exe
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop [6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\sdchange.exe\"" [6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop [sdchange.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{5B76921C-F710-0C00-7C90-036FED3C4413}\\sdchange.exe\"" [sdchange.exe]
- Modifies registry class (1 IoC)
  Processes: sdchange.exe
  - Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings [sdchange.exe]
- Runs ping.exe (1 TTP, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  Processes: sdchange.exe, msedge.exe, msedge.exe, identity_helper.exe
  - PID 2424 sdchange.exe (36 entries)
  - PID 2148 msedge.exe (2 entries)
  - PID 3112 msedge.exe (2 entries)
  - PID 5920 identity_helper.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  Processes: msedge.exe
  - PID 3112 msedge.exe (10 entries)
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  Processes: 6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe, sdchange.exe, taskkill.exe, vssvc.exe, wmic.exe, AUDIODG.EXE, taskkill.exe
  - Token: SeDebugPrivilege [PID 4196 6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe]
  - Token: SeDebugPrivilege [PID 2424 sdchange.exe]
  - Token: SeDebugPrivilege [PID 3124 taskkill.exe]
  - Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege [PID 5388 vssvc.exe]
  - Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 [PID 4556 wmic.exe] (this sequence of 21 adjustments is recorded twice, 42 IoCs)
  - Token: 33, SeIncBasePriorityPrivilege [PID 1696 AUDIODG.EXE]
  - Token: SeDebugPrivilege [PID 3900 taskkill.exe]
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  - PID 3112 msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  - PID 3112 msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe, cmd.exe, sdchange.exe, msedge.exe
  - PID 4196 (6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe) wrote to memory of PID 2424 (sdchange.exe): 3 entries
  - PID 4196 (6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe) wrote to memory of PID 4892 (cmd.exe): 3 entries
  - PID 4892 (cmd.exe) wrote to memory of PID 3124 (taskkill.exe): 3 entries
  - PID 2424 (sdchange.exe) wrote to memory of PID 5056 (vssadmin.exe): 2 entries
  - PID 4892 (cmd.exe) wrote to memory of PID 3904 (PING.EXE): 3 entries
  - PID 2424 (sdchange.exe) wrote to memory of PID 4556 (wmic.exe): 2 entries
  - PID 2424 (sdchange.exe) wrote to memory of PID 3112 (msedge.exe): 2 entries
  - PID 3112 (msedge.exe) wrote to memory of PID 2412 (msedge.exe): 2 entries
  - PID 2424 (sdchange.exe) wrote to memory of PID 3344 (NOTEPAD.EXE): 2 entries
  - PID 3112 (msedge.exe) wrote to memory of PID 564 (msedge.exe): 40 entries
  - PID 3112 (msedge.exe) wrote to memory of PID 2148 (msedge.exe): 2 entries
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe (PID 4196)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe"
  Signatures: Adds policy Run key to start application; Drops startup file; Adds Run key to start application; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\sdchange.exe (PID 2424)
    Command line: "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\sdchange.exe"
    Signatures: Adds policy Run key to start application; Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Sets desktop wallpaper using registry; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 5056)
      Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\system32\wbem\wmic.exe (PID 4556)
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3112)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2412)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03c346f8,0x7ffa03c34708,0x7ffa03c34718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 564)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2148)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4064)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4504)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2376)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5224)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2944)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1156)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 284)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5920)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4312)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3896)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1848)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4884)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4780)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16704978945674067623,983265838290550882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
    - C:\Windows\system32\NOTEPAD.EXE (PID 3344)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3620)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xlfp45.win/A31E-D12C-FA0D-0291-98F0
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1984)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03c346f8,0x7ffa03c34708,0x7ffa03c34718
    - C:\Windows\System32\WScript.exe (PID 1944)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    - C:\Windows\system32\cmd.exe (PID 4292)
      Command line: /d /c taskkill /t /f /im "sdchange.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\sdchange.exe" > NUL
      - C:\Windows\system32\taskkill.exe (PID 3900)
        Command line: taskkill /t /f /im "sdchange.exe"
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\PING.EXE (PID 2668)
        Command line: ping -n 1 127.0.0.1
        Signatures: Runs ping.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 4892)
    Command line: /d /c taskkill /t /f /im "6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe" > NUL
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 3124)
      Command line: taskkill /t /f /im "6653ef20d2a3a6ef656d9c886ebabd93_JaffaCakes118.exe"
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE (PID 3904)
      Command line: ping -n 1 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\vssvc.exe (PID 5388)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe (PID 5764)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2248)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE (PID 1696)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x310 0x50c
  Signatures: Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 439b5e04ca18c7fb02cf406e6eb24167
  SHA1: e0c5bb6216903934726e3570b7d63295b9d28987
  SHA256: 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
  SHA512: d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: a8e767fd33edd97d306efb6905f93252
  SHA1: a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
  SHA256: c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
  SHA512: 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 8f3f3e2ba5d72b3207b1763fe97f45de
  SHA1: 9a85a1f66ba0e05a23047243424c426bcffe1b8e
  SHA256: 35611e9a704625f61592a377138818b2af465dc78323baa4f3b265604ec44eab
  SHA512: 418efbb321f256b09aacee077d8caae27f1e1a0687cbdadca377d8d4a87e3b088f6fb5506f6c591b19fdb609dc9a346e8ce24479eed82af1bb0e6eaf6303ab66
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: bbfa4d857933db54e555f84af3732a51
  SHA1: 33d61e86cfa13fbc36bcff55382647424013eb84
  SHA256: c37620ffc84bfb206ef5aab8873942f2463510bd80c6497f52e31583c8888322
  SHA512: 4ee856ffdf72c63f39770b576a58e526685792bc13f9086cedfe8c4a4aebc859892c347b39a5801a60b757850630687623d345ad09445a1b03d60f0643e2be28
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 7bdfbb97ee11e60a900e5482cb277c2e
  SHA1: a55ed5967b8b32e7b82fea322762c1676c98d94e
  SHA256: 662b8a830cb62b1b688ac21f8f1c314626d2d3e2f1541113ede91ac27e7bfb11
  SHA512: 237e96ce8eda41ff92485e95f593836294581ddf4bc66f758dbe58d5f89fdd296a6822be8f2db11568d95598ac75f0325966ff422a15d78729978a938a0a7f69
- C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.html
  Filesize: 12KB
  MD5: 60a1ed5bad6cb4fe9666235ee9fa43f3
  SHA1: 205b41c1a84653a02236e70d1511bcb1686b3c3e
  SHA256: fd2206a99f7f475a631eede2a06cfe35d179ad8923f1fc17e0990a1b0c13ce31
  SHA512: cfd5950dd9656b7f1ca2515f1233c2cc988741afc14919a036ecad3fbc7ca6123ed985ee75c4cefef14d65d6ae14c4b599ae4fff064d429ad3765cae75c364c8
- C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.txt
  Filesize: 10KB
  MD5: cb1a74eade71239a5d7bff90d481d664
  SHA1: 340d16e88013a5af1f670d74ef72f6d0030393bc
  SHA256: dce64f855d132271477ddbdf3ae45a63f285ad6137a71455765a82a68b00846f
  SHA512: f0250e2899f4469eed3a59694a481dee5367ecdfa773c996555ee50328a0a37efcc82584481dbd2a10ad6159ecf7f41afedce76e735cf1647648528d0a2423ab
- C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.url
  Filesize: 85B
  MD5: 253a92d38496a66c632c3e771834f71c
  SHA1: c7937b9e979a232726694b0933f2d677491492b5
  SHA256: e1da3788676e5145fd52e30f95f97c42a4eae44c85920e92069a23bcbffcf6ec
  SHA512: eb6220b453360c47f1a670fb6827d9191ee3dd47d87ef5b09c72ae0a599362bd6d422780729952540d00e5ec60aedd323c71b11e78d98c1d96469cb3f14a24d4
- C:\Users\Admin\AppData\Roaming\# DECRYPT MY FILES #.vbs
  Filesize: 219B
  MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
  SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
  SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
  SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk
  Filesize: 1KB
  MD5: a18d3195d58075cf9fcc1ae7758dfc41
  SHA1: b8d430bda73d9c495cb2b55999710c3240175954
  SHA256: 1b6635572bdba53285476f79d9fdba9cda09634d2ab327daa60d85de25328d8a
  SHA512: 72a5c4c0aac69f682a12e41ca006d40163d1eef6e94851eebb567e3177fe4416235e083f9d6465e6f5d2ca0aaafc3c843bd3fa9940784a53173a21c8a0f4d2ac
- C:\Users\Admin\AppData\Roaming\{5B76921C-F710-0C00-7C90-036FED3C4413}\sdchange.exe
  Filesize: 392KB
  MD5: 6653ef20d2a3a6ef656d9c886ebabd93
  SHA1: bb0cc0b05bb70a3d347faa94fb36a35c771b0692
  SHA256: 48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d
  SHA512: b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360
- \??\pipe\LOCAL\crashpad_3112_RRRIHJAJDXWCHYXK
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Memory dumps
- memory/2424-22-0x0000000000400000-0x0000000000464000-memory.dmp (400KB)
- memory/2424-294-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-296-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-308-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-306-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-304-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-302-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-301-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-300-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-299-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-298-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-297-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-295-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-30-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-293-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-282-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-281-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-29-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-391-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-311-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-21-0x0000000000400000-0x0000000000464000-memory.dmp (400KB)
- memory/2424-11-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/2424-12-0x0000000000400000-0x0000000000464000-memory.dmp (400KB)
- memory/2424-10-0x0000000000400000-0x0000000000464000-memory.dmp (400KB)
- memory/4196-13-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/4196-2-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/4196-1-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/4196-0-0x0000000000610000-0x000000000062F000-memory.dmp (124KB)