Analysis

  • max time kernel
    123s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-05-2024 12:46

General

  • Target

    71fef8e6944f516de0b5f001804d0125_JaffaCakes118.exe

  • Size

    243KB

  • MD5

    71fef8e6944f516de0b5f001804d0125

  • SHA1

    c29db1c7dca8ba469f7755a72d6fe4331011aa1e

  • SHA256

    adac4ae228d5d9697825ee08a31d125b91a4539f3cff25e68ae3c8e1a70c34f5

  • SHA512

    272887eceb0112639516cb785d1f2ce89646be2e6a455de30be758baadc754aa0f20d6c2346f4f2a0503d26018391dd5ff650bf45874b8baf25d195f0d64cd4d

  • SSDEEP

    6144:MkyacpfMzk1+nQFGbjVXgyLB5NaLVtju0r0/fk4Xc/Be1H2E:MkyfYk4nXbjVLLBGLVtjuf/fk40Q1H2E

Malware Config

Extracted

Path

C:\Users\Admin\Music\# HELP DECRYPT #.txt

Ransom Note
C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable??? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerb3r Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. 
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to return your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3 | | 2. 
http://52uo5k3t73ypjije.uwckha.top/DF3F-92AA-1038-0046-15C3 | | 3. http://52uo5k3t73ypjije.whmykv.bid/DF3F-92AA-1038-0046-15C3 | | 4. http://52uo5k3t73ypjije.y12acl.bid/DF3F-92AA-1038-0046-15C3 | | 5. http://52uo5k3t73ypjije.onion.to/DF3F-92AA-1038-0046-15C3 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3); 2. 
in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/DF3F-92AA-1038-0046-15C3 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. 
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3

http://52uo5k3t73ypjije.uwckha.top/DF3F-92AA-1038-0046-15C3

http://52uo5k3t73ypjije.whmykv.bid/DF3F-92AA-1038-0046-15C3

http://52uo5k3t73ypjije.y12acl.bid/DF3F-92AA-1038-0046-15C3

http://52uo5k3t73ypjije.onion.to/DF3F-92AA-1038-0046-15C3

http://52uo5k3t73ypjije.onion/DF3F-92AA-1038-0046-15C3

Extracted

Path

C:\Users\Admin\Music\# HELP DECRYPT #.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>&#067;erber &#082;ansomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R&nbsp;&nbsp;&nbsp;R A N S O M W A R E</h3> <hr> <p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p> <p>It is normal because the files' names, as well as the data in your files have been encrypted.</p> <p>Great!<br>You have turned to be a part of a big community "#C3rber Ransomware".</p> <hr> <p><span class="warning">If you are reading this message it means the software "Cerber" has been removed from your computer.</span></p> <hr> <h3>What is encryption?</h3> <p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p> <p>To become an authorized user and keep the modification absolutely reversible (in other words 
to have a possibility to decrypt your files) you should have an individual private key.</p> <p>But not only it.</p> <p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p> <hr> <h3>Everything is clear for me but what should I do?</h3> <p>The first step is reading these instructions to the end.</p> <p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p> <p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p> <p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p> <p><span class="warning">!Any attempts to get back your files with the third-party tools can be fatal for your encrypted files!</span></p> <p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p> <p>Finally it will be impossible to decrypt your files!</p> <p>When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p> <p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p> <hr> <p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p> <hr> <p>For your information the software to decrypt your files (as well as 
the private key provided together) are paid products.</p> <p>After purchase of the software package you will be able to:</p> <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> <p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p> <hr> <div class="info"> <p>There is a list of temporary addresses to go on your personal page below:</p> <ol> <li><span class="upd_off" id="upd_1">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3" id="url_1" target="_blank">http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.uwckha.top/DF3F-92AA-1038-0046-15C3" target="_blank">http://52uo5k3t73ypjije.uwckha.top/DF3F-92AA-1038-0046-15C3</a></li> <li><a href="http://52uo5k3t73ypjije.whmykv.bid/DF3F-92AA-1038-0046-15C3" target="_blank">http://52uo5k3t73ypjije.whmykv.bid/DF3F-92AA-1038-0046-15C3</a></li> <li><a href="http://52uo5k3t73ypjije.y12acl.bid/DF3F-92AA-1038-0046-15C3" target="_blank">http://52uo5k3t73ypjije.y12acl.bid/DF3F-92AA-1038-0046-15C3</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/DF3F-92AA-1038-0046-15C3" target="_blank">http://52uo5k3t73ypjije.onion.to/DF3F-92AA-1038-0046-15C3</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> <p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p> <ol> <li>take a look at the first address (in this case it is <span class="upd_off" id="upd_2">Please wait...</span><a class="url" 
href="http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3" id="url_2" target="_blank">http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address <span class="upd_off" id="upd_3">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3" id="url_3" target="_blank">http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> <p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p> <p>If you browse the instructions in HTML format:</p> <ol> <li>click the left mouse button on the first address (in this case it is <span class="upd_off" id="upd_4">Please wait...</span><a class="url" href="http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3" id="url_4" target="_blank">http://52uo5k3t73ypjije.o8hpwj.top/DF3F-92AA-1038-0046-15C3</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> 
</ol> <p>If for some reason the site cannot be opened check the connection to the Internet.</p> <hr> <p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p> <p>Unlike them we are ready to help you always.</p> <p>If you need our help but the temporary sites are not available:</p> <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address <span class="tor">http://52uo5k3t73ypjije.onion/DF3F-92AA-1038-0046-15C3</span> in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> <p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p> <p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p> <hr> <h3>Additional 
information:</h3> <p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p> <p>The instructions are made in two file formats - HTML and TXT for your convenience.</p> <p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p> <p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p> <hr> <p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p> <p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p> <p>Together we make the Internet a better and safer place.</p> <hr> <p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p> <hr> <p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p> </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { 
getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Contacts a large (520) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\71fef8e6944f516de0b5f001804d0125_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\71fef8e6944f516de0b5f001804d0125_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\71fef8e6944f516de0b5f001804d0125_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\71fef8e6944f516de0b5f001804d0125_JaffaCakes118.exe"
      2⤵
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\system32\vssadmin.exe
          C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2592
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic.exe shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2716
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\system32\bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1012
        • C:\Windows\system32\bcdedit.exe
          C:\Windows\system32\bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1996
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# HELP DECRYPT #.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2560 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1460
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2560 CREDAT:209922 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2472
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# HELP DECRYPT #.txt
        3⤵
        PID:2496
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1012
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im "71fef8e6944f516de0b5f001804d0125_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1240
        • C:\Windows\system32\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:156
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2384
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:1680
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Windows Management Instrumentation (T1047) 1
  • Defense Evasion
    Indicator Removal (T1070) 2
    File Deletion (T1070.004) 2
    Modify Registry (T1112) 2
  • Credential Access
    Unsecured Credentials (T1552) 1
    Credentials In Files (T1552.001) 1
  • Discovery
    Network Service Discovery (T1046) 1
    System Information Discovery (T1082) 2
    Remote System Discovery (T1018) 1
  • Collection
    Data from Local System (T1005) 1
  • Impact
    Inhibit System Recovery (T1490) 3
    Defacement (T1491) 1


Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 0fdaeebb8eecd0764e3d0d5a87b58932
  SHA1: f187bb0db3b12482f88f1c887478c8614392887a
  SHA256: f45a7ed3829a357ac7bdbf7c4ab43552d01b26b27430e512df88046e7d0a6f10
  SHA512: f5738abdff13f97f9c830ee41e5c313396f5ac0bc098fa4f7a1f2eddc99dd91c827e5752334dcb402cc878cdcb6971344163f0751cc56d0bf15edc7aaf214f9a

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 142b514785529d7449da151f5df4d812
  SHA1: 04ea3d758052889454982a9cf73dc073236d5f35
  SHA256: 70770fad1bbfa0cf1589b0d402c60a566cb8ce50bb79d8c925df3a73d86fc53c
  SHA512: 04c0a37e6c6199bf1486b6848ce97600e402f5e922492aec93a8035ef8aef11c0481225f7c3123a291c9e198d27d9162cf309778824cd58eb94b5b8ecb4e6592

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: c2ccb296acb98f3faa16e577764f8d98
  SHA1: 2bdecb4aeac9f1d49b024ab20602afb4f3563e8f
  SHA256: 8eb508689c3bdde9a788d77a2ca453bf187e2216a43a350db8bde0a1a77be2c1
  SHA512: b92cb8991e3501e5da9ca8d5a678a2376bd859dc432e875fb3b2371846f67148848af5ad9dbed8b473279aef784d220fec10ef0616d2444f6a6ed8d59382023c

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 5cc29e9ba7f20687ff7a865391f05142
  SHA1: 4ea7577072a0970596ec185853444c75f8a7ea8f
  SHA256: 93dde6cd88340a03b9ab6ba56fab6ce873efd73af9f02a609b7d04e9c13cb4d3
  SHA512: 1422ab586ad2e1deba15c14568b4036188f01b4333218530e1addeeff859a0ba61cf9ed3f2fcc0f98e7f679f1b226a7c3960dabadda9ef43532bda5ec3964b63

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: d2a48dc67934ae03a604430e29f6b6b5
  SHA1: b9bdd21975005d771f1b934933443f928a6ee3bc
  SHA256: 03247a7b152f33e0f135885dc976f56489bd80dc1c50bf027ae6f2b3428d819b
  SHA512: bc56e435690c66f14343c3595f566dd764f861702baf379b85fdf376a3639ea0d65a8f3738c6e641d318c188759d54b81f10407dd98c4434df3a4104bcf4d1d3

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 4b1b577899761d719e14142d0cd0e088
  SHA1: e96d7b1ce36cd9d5afd2b4b525d15b5e33cc1c64
  SHA256: cbd98dc8e4989914bf7ce7244356b349c09e07f35c5209d4edbf217b71ac8c0c
  SHA512: 12e4bf88a6c1b851ba02671e5a1bb4f3f0e83ea17c4a5bfffe9ff4e9abeddd1358feb40426fce83acc3954a3ecd9bc6c3f9a596952f17edfbcadf32e728a28bc

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: b2f0b9c55f8bbfa8143fa7ed2224770e
  SHA1: e146bdd3d6cdf5bfdd7c72cd5067ed532875dc3b
  SHA256: 740151a2ab36de5d2ca8505f5a419499e6dbd911999c5408d1dc0c2b17756839
  SHA512: 3b6e333b6d5659b603ee63f673fa7e4810e19816cbd5bccfdee50bd0356d4ce7a7c7b7d11985c0fe7e05bb4f9ed3fa62fca11141ce164b63fe840541b3075d7d

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 711de1a1af9999995da91de989befaf6
  SHA1: 005fd5728cf68f2b4a2e0ccb8a6e68cc3efe865c
  SHA256: 016b50f5e08466309609dfb489906a85a74fa98e567dea75f136e934aebf280f
  SHA512: bef0be583ea62a2a29e14b623f1584a624c816ad65796db011a4935185a12156922da10f0992fcd6e27899a16044c4d2e215de87687a6a544a7f604b86520cbf

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: e92f6435e1decb527a22e2bbf103acbc
  SHA1: bab7ce7b1991cc550bcd5f8e33bc71338927e4ea
  SHA256: a5b8cdbad53ffecfbe9591e8f1af4e2ead914307110d5ed08ffb672dd967dc6b
  SHA512: 74c6b374b709eef54ec9f1404f98acdc8843c2e1c4018c37ddfee45f5d43c98e0a3b2e7d5330fe117a2c5d65d1ff05e3ea164fda6a2b97e16cea0a762a570773

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: c8c48ef5d6c12b9dece3c69a0f2b8d70
  SHA1: 5ae03172f48e700c1861a9fbb30367cc838180be
  SHA256: acb7b32dd41e4aee5f6d10eaa9879b880e51215b243272e677d11d24eda98cd6
  SHA512: 8a52d716ef4d31e638369278f7a98dc40a90a62cbcc990bdc1488a5dd4c3ddea105aa5fd7f10c5da3a09ad051102e47a863a7fecd3171d3454fa56bf63788128

• C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FB5BC481-1A94-11EF-9371-CAFA5A0A62FD}.dat
  Filesize: 5KB
  MD5: 30d87b18f3542fd1d636abf13c18de17
  SHA1: 7863a04fd911effc2d887e0ee0362d1292a6117a
  SHA256: 97458a284dc9c36af8e6e283f298ad0ae58bf7a526c63e8331ed4c68da762d57
  SHA512: a93a69c20f71064fbcf9fa246fc9fadbda3f9f02b30fb19914641002c93e4d1eb0659674fb9b33b287841a02bd6fb1acabc1bb9c4210945d0f1753fde4c7d93d

• C:\Users\Admin\AppData\Local\Temp\Cab7A32.tmp
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

• C:\Users\Admin\AppData\Local\Temp\Tar7B23.tmp
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

• C:\Users\Admin\AppData\Roaming\Chanson.c
  Filesize: 177KB
  MD5: df7ceec86dc2d8da6ddc14bbb7e4e55a
  SHA1: b2bb4006412cf2a7f3077133eb82205c238c2cd4
  SHA256: 31fe8b94b1df733e0709e69d1783f7864c090c9edcb0cf8c9d6aaa76034b69b7
  SHA512: f5645c5ad57362672079058b0bad20692fead1d9b818a17d8790ceacccd80cf2efcac2baadc00785d9e00966ccee488ac2e6e6a69a72302e0de44af4c44ceb29

• C:\Users\Admin\AppData\Roaming\forward_disabled.png
  Filesize: 2KB
  MD5: 4d6914765d48cb80895005a74216d1a6
  SHA1: 50dd75c4aba3dada48ba09c9720c3245ef3c034e
  SHA256: eb3417aa67f5633208a66b5d86f2f749e00f2e6c89376515d4e4901b289684d0
  SHA512: 3d7a98e77ec2f062cc886d868c54fadb56ee593614b92c5d5273d229ed7797b4f127c5f0a1094e401ae6360d43635cbda96db892037c43ea1e4a807b71d46537

• C:\Users\Admin\Music\# HELP DECRYPT #.html
  Filesize: 19KB
  MD5: b6dc437d6098ae2c9600d2931e3eadc1
  SHA1: a4f89eaa34be7bae298ccdfdd34abf766093a87c
  SHA256: 326ad802af5a243dbdbeb4002851d6ffceb9dd80e2cff5e961a6ec71fbb1f839
  SHA512: 40cfac33c5a690241fe80b3c384b29d86a6d3ce25868ac4db870e9f17aa0a8493a4e9adffb4c09fd9005b0e5ca8c359fb8fddce57e3d07a2e918b057310117c4

• C:\Users\Admin\Music\# HELP DECRYPT #.txt
  Filesize: 10KB
  MD5: 45b7f8aebe89d94a27b87ba9683c0573
  SHA1: 6cf81e06c7c2f2952cd52a87e1f58d623e6d5474
  SHA256: 9d03bcb030feef8f66e1e15e775687d6744ab5fa7bbf0c06b3c15918ced5295f
  SHA512: 70034db6e08d16ed42d77197af4a82cb5b90f0670abf66fbb8d409cc0fda20e357b66396fefda4430f1dcc7d19180fa7b0cbd4c3c6fc6f10e958392092198455

• C:\Users\Admin\Music\# HELP DECRYPT #.url
  Filesize: 90B
  MD5: 6ae8742aa7e5684994983849963ec638
  SHA1: 92fc3680d13d024bea7d034b36cff34ee5c8b033
  SHA256: 6195cd1760d7fcec7df46be83fbd34201953c4be520e782addd3a98e861ab71b
  SHA512: 025da65bf5628d09e6508cab0e8bc91959dd437f8fc21e2522a2652973693c1ce2c3490f6672743cdf8952f037ea1fac113751a8d411852075e215131ae08ee1

• \Users\Admin\AppData\Local\Temp\nso2425.tmp\System.dll
  Filesize: 11KB
  MD5: ca332bb753b0775d5e806e236ddcec55
  SHA1: f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
  SHA256: df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
  SHA512: 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

• \Users\Admin\AppData\Roaming\NsResize.dll
  Filesize: 116KB
  MD5: 75376d6bbd017ec8711f820aba8ed53b
  SHA1: 74c776e288b1f8eb193264333098f44defa871c2
  SHA256: 523e5bca53ee608535aa63662168cae8cebe7f83a0416c9c3f612599a892e930
  SHA512: 9ff3f135275ec20c366411d95979197aec8eb96d7d7274feaf441d835cf2123312f6a81fa00c2ef59591a545212d9a7833ebd1e633eb43880f551b76e91c8ed6

Memory dumps (named memory/<pid>-<n>-<start>-<end>-memory.dmp): one region of process 2100, and for process 2572 the 0x00400000-0x00430000 range, which is the default image base of a 32-bit executable and so most likely that process's main module, captured at 33 successive points, plus two small regions of the same process.

• memory/2100-10-0x0000000000760000-0x000000000077E000-memory.dmp (120KB)
• memory/2572-424-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-35-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-412-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-415-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-418-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-421-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-406-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-427-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-430-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-433-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-436-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-439-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-442-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-445-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-448-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-451-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-457-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-409-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-470-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-471-0x0000000003960000-0x0000000003962000-memory.dmp (8KB)
• memory/2572-473-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-476-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-32-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-31-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-30-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-29-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-28-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-15-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-16-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-18-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-20-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-22-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
• memory/2572-26-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
• memory/2572-12-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
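Most of the Downloads list above is not the sample's doing: the CryptnetUrlCache entries are CryptoAPI's CRL and certificate download cache, Cab####.tmp and Tar####.tmp are cabinet-extraction temporaries from the same certificate update, and RecoveryStore.{GUID}.dat is Internet Explorer's session-recovery store. The ransom notes, Chanson.c, NsResize.dll and forward_disabled.png are what the sample wrote, and nso2425.tmp\System.dll is the stock System plugin that an NSIS installer stub unpacks before running its script. The script below is an added example, not code from the sandbox vendor or from the report: it parses this page's listing layout (a bullet path line, then Filesize/MD5/SHA1/SHA256/SHA512 labels whose value follows after a colon or on the next non-empty line), applies that noise-versus-dropped split, and returns the rows worth hunting on. SAMPLE_LISTING is an excerpt copied from the report with only Filesize and SHA256 retained; the category names and the regexes are this example's own.

```python
"""Turn the flattened "Downloads" listing of a sandbox report into IOC rows.

Added example; not code from the sandbox vendor or from the report above. It
parses the listing layout used on this page, separates Windows background
artefacts from files the sample actually dropped, and returns hunt-worthy rows.
SAMPLE_LISTING is an excerpt copied from the report (Filesize and SHA256 only).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")

@dataclass
class Artifact:
    path: str
    fields: Dict[str, str] = field(default_factory=dict)

def parse_size(text: str) -> int:
    """'68KB' -> 69632, '344B' -> 344 (binary units, as the report uses)."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?)B", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    return int(m.group(1)) << {"": 0, "K": 10, "M": 20, "G": 30}[m.group(2).upper()]

def parse_listing(text: str) -> List[Artifact]:
    artifacts: List[Artifact] = []
    pending: Optional[str] = None            # label still waiting for its value
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):              # a new entry starts
            artifacts.append(Artifact(line.lstrip("•").strip()))
            pending = None
            continue
        if not artifacts:                     # prose before the first entry
            continue
        label, sep, value = line.partition(":")
        if sep and label in LABELS:           # "SHA256: <hash>" on one line
            artifacts[-1].fields[label] = value.strip()
        elif line in LABELS:                  # label alone, value comes later
            pending = line
        elif pending:
            artifacts[-1].fields[pending] = line
            pending = None
    return artifacts

# Artefacts Windows itself writes during almost any sandbox run; hunting on
# their hashes yields only false positives.
WINDOWS_NOISE = (
    re.compile(r"\\CryptnetUrlCache\\", re.I),                              # CryptoAPI CRL/cert cache
    re.compile(r"\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.I),                 # cabinet extraction temps
    re.compile(r"\\Internet Explorer\\Recovery\\.*RecoveryStore\.", re.I),  # IE session recovery
)
NSIS_PLUGIN = re.compile(r"\\ns[0-9a-z]+\.tmp\\[^\\]+\.dll$", re.I)  # plugin unpacked by an NSIS stub
RANSOM_NOTE = re.compile(r"\\# [^\\]*DECRYPT[^\\]*$", re.I)

def classify(a: Artifact) -> str:
    if a.path.startswith("memory/"):
        return "memory-dump"
    if any(r.search(a.path) for r in WINDOWS_NOISE):
        return "windows-noise"
    if NSIS_PLUGIN.search(a.path):
        return "installer-plugin"
    if RANSOM_NOTE.search(a.path):
        return "ransom-note"
    return "dropped-file"

def ioc_rows(artifacts: List[Artifact]) -> List[Tuple[str, str, str]]:
    """(category, path, sha256) for entries worth hunting on. The NSIS plugin is
    kept for context only: its hash is shared with every installer built with
    the same NSIS release, so it must never become a block rule."""
    return [(classify(a), a.path, a.fields["SHA256"]) for a in artifacts
            if classify(a) in ("dropped-file", "ransom-note", "installer-plugin")
            and "SHA256" in a.fields]

SAMPLE_LISTING = r"""
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
• C:\Users\Admin\AppData\Local\Temp\Cab7A32.tmp
  Filesize: 65KB
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
• C:\Users\Admin\AppData\Roaming\Chanson.c
  Filesize: 177KB
  SHA256: 31fe8b94b1df733e0709e69d1783f7864c090c9edcb0cf8c9d6aaa76034b69b7
• C:\Users\Admin\Music\# HELP DECRYPT #.txt
  Filesize: 10KB
  SHA256: 9d03bcb030feef8f66e1e15e775687d6744ab5fa7bbf0c06b3c15918ced5295f
• \Users\Admin\AppData\Local\Temp\nso2425.tmp\System.dll
  Filesize: 11KB
  SHA256: df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
• \Users\Admin\AppData\Roaming\NsResize.dll
  Filesize: 116KB
  SHA256: 523e5bca53ee608535aa63662168cae8cebe7f83a0416c9c3f612599a892e930
• memory/2572-471-0x0000000003960000-0x0000000003962000-memory.dmp
  Filesize

  8KB
"""
```

Run `ioc_rows(parse_listing(SAMPLE_LISTING))` to get the four rows (two dropped files, the ransom note and the NSIS plugin); the two Windows cache files and the memory dump are dropped on the floor. The NsResize.dll hash is the one that matters for blocking: the ransom note changes with every victim's text and the plugin is shared with benign installers.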