dharma | d968fc01ce5e604515a27226c938fbe09256db97da206e8e74c8a06ffd1e4fa4

General

Target

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
Size

264KB
MD5

7747fb3574fddef7bf04c2a0cb8500d0
SHA1

92be0988fa9c5d634b38847b1d2199e54ca2fe4f
SHA256

d968fc01ce5e604515a27226c938fbe09256db97da206e8e74c8a06ffd1e4fa4
SHA512

a5c6c9458cfc407c1c8a18298c332c3c41f50972c20e59ace5ee922a8e6d3a5661bfeccbaa7b10bc4b6250f4a5808bc281a2bf8a5dac0134533e548c905e7ca2
SSDEEP

6144:Md8oCITmlIXXeF+omLw98TstAYAyxm+UU8ez9Y:E/PTmqXy+FL9TsfxFUU8ez9Y

Score

10^/10

dharma defense_evasion execution impact persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 2E038AB6 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (522) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

Drops startup file 5 IoCs

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4200-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4200-1-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4200-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4200-3-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4200-9454-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe = "C:\\Windows\\System32\\7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe"	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Public\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\System32\7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Windows\System32\Info.hta	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

description	pid	process	target process
PID 4200 set thread context of 4264	4200	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\vcruntime140.dll	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-200.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\plugin-selectors.css.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-150.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-16.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-100_contrast-white.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\plugin.js.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\THMBNAIL.PNG.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_checkbox_selected_18.svg	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\lv_get.svg.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxt.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-48_altform-unplated.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\bun.png.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-200.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-lightunplated.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-64_contrast-black.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryLetter.dotx	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\ui-strings.js.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\selector.js.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-125.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLessThan.Tests.ps1	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-200.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\office.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_scale-100.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\msvcp140_2.dll	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\de_get.svg.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.id-2E038AB6.[[email protected]].bot	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil_2x.png	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

5292 vssadmin.exe
7792 vssadmin.exe

pid	process
5292	vssadmin.exe
7792	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

pid	process
4200	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4200	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 6112 vssvc.exe
Token: SeRestorePrivilege 6112 vssvc.exe
Token: SeAuditPrivilege 6112 vssvc.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

pid process

4200 7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

pid process

4200 7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe

description	pid	process
Token: SeBackupPrivilege	6112	vssvc.exe
Token: SeRestorePrivilege	6112	vssvc.exe
Token: SeAuditPrivilege	6112	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 4200 wrote to memory of 4264	4200	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
PID 4200 wrote to memory of 4264	4200	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
PID 4200 wrote to memory of 4264	4200	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
PID 4200 wrote to memory of 4264	4200	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
PID 4264 wrote to memory of 4564	4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	cmd.exe
PID 4264 wrote to memory of 4564	4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	cmd.exe
PID 4564 wrote to memory of 7176	4564	cmd.exe	mode.com
PID 4564 wrote to memory of 7176	4564	cmd.exe	mode.com
PID 4564 wrote to memory of 5292	4564	cmd.exe	vssadmin.exe
PID 4564 wrote to memory of 5292	4564	cmd.exe	vssadmin.exe
PID 4264 wrote to memory of 8372	4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	cmd.exe
PID 4264 wrote to memory of 8372	4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	cmd.exe
PID 8372 wrote to memory of 6872	8372	cmd.exe	mode.com
PID 8372 wrote to memory of 6872	8372	cmd.exe	mode.com
PID 8372 wrote to memory of 7792	8372	cmd.exe	vssadmin.exe
PID 8372 wrote to memory of 7792	8372	cmd.exe	vssadmin.exe
PID 4264 wrote to memory of 7004	4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	mshta.exe
PID 4264 wrote to memory of 7004	4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	mshta.exe
PID 4264 wrote to memory of 8016	4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	mshta.exe
PID 4264 wrote to memory of 8016	4264	7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe	mshta.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\7747fb3574fddef7bf04c2a0cb8500d0_JaffaCakes118.exe
2⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:7176

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:5292

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:8372

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:6872

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:7792

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:7004

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:8016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-2E038AB6.[[email protected]].bot
Filesize
2.7MB

MD5
33a9a620bbabd702345ce9be43761a45

SHA1
8cff3206d76f5041589f004c71c26bc1a6f9532f

SHA256
230c5327b85edf3dae18f3f30020bb773f9653143c3842a41d0267d39f135e51

SHA512
e2f393e03e58c94247488b58ac86b4ed824be8d96a5d43cf53f9dfa7e0d0b9699151a8ed2b259208f71dcd5acd3c3eedd5efa5c795bc08d1b8a4aee26754b926

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
13KB

MD5
e132d9bbcf73af06debc14d32240d41e

SHA1
5fd3305fcd1757095e9ed393e1f67f039da19979

SHA256
3c48f073bdcccc5030de3dbb291facf1bcaabc45c250ddc64190ebff88104fe8

SHA512
6a2f9d8cf41a32ed5a7c882e4f08a78265c1327d994516c675e8eef7c8c6733d33a286919f4bc422d74c2977f3adf9f8d6192cf3d4e18b3e78948920988b54f4

Download Submit
memory/4200-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4200-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4200-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4200-3-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4200-4-0x00000000036E0000-0x0000000003714000-memory.dmp

Filesize
208KB

Download
memory/4200-9454-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4200-16359-0x00000000036E0000-0x0000000003714000-memory.dmp

Filesize
208KB

Download
memory/4264-19967-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads