Malware Analysis Report

2024-09-23 05:15

Sample ID 240601-ygcwrada6x
Target 8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118
SHA256 f64400c70d4467a3c1b9e681cff5d4df8a5e4088f6224d32c1635d1fc861615e
Tags
gandcrab backdoor defense_evasion execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f64400c70d4467a3c1b9e681cff5d4df8a5e4088f6224d32c1635d1fc861615e

Threat Level: Known bad

The file 8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer

Gandcrab

Renames multiple (323) files with added filename extension

Deletes shadow copies

Renames multiple (295) files with added filename extension

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-01 19:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 19:45

Reported

2024-06-01 19:47

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (323) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\SMAXDVTKP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ExitSwitch.jpe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\MovePush.odt C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ReceiveImport.eprtx C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RestoreUndo.mp4 C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RevokeRepair.wmx C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files\SMAXDVTKP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\AddConnect.ram C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ConvertFromDeny.3g2 C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\StepMount.avi C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\SMAXDVTKP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\f9eba234f9eba5d919.lock C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ExitComplete.WTV C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RevokeStart.rtf C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UnregisterClear.vstx C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PublishProtect.tiff C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RequestDisconnect.pcx C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\StartTrace.mov C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UndoCompress.kix C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UpdateBackup.mpe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DisconnectCompare.potm C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\JoinEnable.vsw C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\JoinRead.au C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\f9eba234f9eba5d919.lock C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DismountInitialize.vsdx C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\InstallMerge.png C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PingBlock.rm C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResumeMerge.css C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SuspendStep.dib C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\f9eba234f9eba5d919.lock C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f9eba234f9eba5d919.lock C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files\f9eba234f9eba5d919.lock C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RedoEnable.aifc C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\SMAXDVTKP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ReceiveConfirm.ogg C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RemoveInitialize.MTS C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\SMAXDVTKP-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ExportWait.dwfx C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\GrantTrace.ADT C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ProtectSend.inf C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 0f0000000100000010000000824bae7c7cb3a15ce851a396760574a30b000000010000004a00000045007100750069006600610078002000530065006300750072006500200047006c006f00620061006c002000650042007500730069006e006500730073002000430041002d0031000000090000000100000020000000301e06082b0601050507030406082b0601050507030106082b06010505070303140000000100000014000000bea8a07472506b44b7c923d8fba8ffb3576b686c1d0000000100000010000000d06bc27453aa4f6d586437e5d3b377980300000001000000140000007e784a101c8265cc2de1f16d47b440cad90a194520000000010000009402000030820290308201f9a003020102020101300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100bae717900265b134553c49c251d5dfa7d1378fd1e781734152609b9da1172678adc7b1e8269432b5de338d3a2fdbf29a7a5a7398a35ce9fb8a731b5ce7c3bf806ccda9f4d62bc0f7f999aa63a2b147020fd4e4513a123c6c8a5a548470dbc1c590cf7245cba859c0cd339d3fa396eb8533211c3e1e3e606e769c6785c5c8c3610203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c301d0603551d0e04160414bea8a07472506b44b7c923d8fba8ffb3576b686c300d06092a864886f70d01010405000381810030e20151aac7ea5fdab9d0650f30d63eda0d14496e9193271431efc4f72d45f8ecc7bfa2410d23b492f9190067bd01afcde071fc5acf64c4e09698d0a340e2018aef2707f165018a442d06657552c0861020215f6c6b0f6cae091caff2a21834c475a4731cf18ddcefadf9b376b492bfdc95101ebecbc83b5a8460195694a955 C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = … C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945 C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
PID 2988 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
PID 2988 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
PID 2988 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
PID 2988 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
PID 2988 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
PID 820 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 820 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 820 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 820 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:80 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 www.haargenau.biz udp
CH 217.26.53.161:80 www.haargenau.biz tcp
CH 217.26.53.161:80 www.haargenau.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 www.holzbock.biz udp
CH 94.126.20.68:80 www.holzbock.biz tcp
CH 94.126.20.68:443 www.holzbock.biz tcp
US 8.8.8.8:53 www.schreiner-freiamt.ch udp
CH 94.126.20.68:443 www.schreiner-freiamt.ch tcp
US 8.8.8.8:53 www.fliptray.biz udp
US 8.8.8.8:53 www.pizcam.com udp
CH 195.15.227.239:80 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
CH 195.15.227.239:443 www.pizcam.com tcp
US 8.8.8.8:53 www.swisswellness.com udp
DE 83.138.86.12:80 www.swisswellness.com tcp
DE 83.138.86.12:80 www.swisswellness.com tcp
US 8.8.8.8:53 www.hotelweisshorn.com udp
HK 38.207.226.122:80 www.hotelweisshorn.com tcp
HK 38.207.226.122:80 www.hotelweisshorn.com tcp
US 8.8.8.8:53 www.whitepod.com udp
CH 83.166.138.7:80 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
US 8.8.8.8:53 www.hardrockhoteldavos.com udp
US 18.207.88.16:80 www.hardrockhoteldavos.com tcp
US 18.207.88.16:443 www.hardrockhoteldavos.com tcp
US 8.8.8.8:53 www.hardrockhotels.com udp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 8.8.8.8:53 www.belvedere-locarno.com udp
US 172.67.68.116:80 www.belvedere-locarno.com tcp
US 172.67.68.116:443 www.belvedere-locarno.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.152:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 www.hotelfarinet.com udp
GB 18.132.18.63:80 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
US 8.8.8.8:53 www.hrk-ramoz.com udp
HK 156.235.147.122:80 www.hrk-ramoz.com tcp
HK 156.235.147.122:80 www.hrk-ramoz.com tcp
US 8.8.8.8:53 www.morcote-residenza.com udp
CH 194.191.24.37:80 www.morcote-residenza.com tcp
CH 194.191.24.37:443 www.morcote-residenza.com tcp
US 8.8.8.8:53 www.seitensprungzimmer24.com udp
DE 136.243.162.140:80 www.seitensprungzimmer24.com tcp
DE 136.243.162.140:443 www.seitensprungzimmer24.com tcp
US 8.8.8.8:53 seitensprungzimmer24.com udp
DE 136.243.162.140:443 seitensprungzimmer24.com tcp
US 8.8.8.8:53 www.arbezie-hotel.com udp
FR 213.186.33.5:80 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
US 8.8.8.8:53 www.aubergemontblanc.com udp
CH 83.166.138.13:80 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
US 8.8.8.8:53 www.torhotel.com udp
CH 128.65.195.228:80 www.torhotel.com tcp
CH 128.65.195.228:80 www.torhotel.com tcp
US 8.8.8.8:53 www.alpenlodge.com udp
CH 217.26.55.76:80 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
US 8.8.8.8:53 www.aparthotelzurich.com udp
US 104.17.182.58:80 www.aparthotelzurich.com tcp
US 104.17.182.58:443 www.aparthotelzurich.com tcp
US 8.8.8.8:53 www.bnbdelacolline.com udp
CH 128.65.195.174:80 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
US 8.8.8.8:53 www.elite-hotel.com udp
CH 80.74.144.93:80 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
US 8.8.8.8:53 www.bristol-adelboden.com udp
IE 63.35.51.142:80 www.bristol-adelboden.com tcp
IE 63.35.51.142:443 www.bristol-adelboden.com tcp
IE 63.35.51.142:443 www.bristol-adelboden.com tcp
IE 63.35.51.142:443 www.bristol-adelboden.com tcp
IE 63.35.51.142:443 www.bristol-adelboden.com tcp
US 8.8.8.8:53 www.nationalzermatt.com udp
CH 94.126.23.52:80 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
US 8.8.8.8:53 www.waageglarus.com udp
US 8.8.8.8:53 www.limmathof.com udp
CH 217.26.52.10:80 www.limmathof.com tcp
CH 217.26.52.10:443 www.limmathof.com tcp
CH 217.26.52.10:443 www.limmathof.com tcp
CH 217.26.52.10:443 www.limmathof.com tcp
CH 217.26.52.10:443 www.limmathof.com tcp
US 8.8.8.8:53 www.apartmenthaus.com udp
CH 217.26.60.27:80 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
US 8.8.8.8:53 www.berginsel.com udp
CH 80.74.145.65:80 www.berginsel.com tcp
CH 80.74.145.65:443 www.berginsel.com tcp
US 8.8.8.8:53 berginsel-oberems.ch udp
CH 80.74.145.65:443 berginsel-oberems.ch tcp
US 8.8.8.8:53 www.chambre-d-hote-chez-fleury.com udp
IE 54.171.157.182:80 www.chambre-d-hote-chez-fleury.com tcp
IE 54.171.157.182:443 www.chambre-d-hote-chez-fleury.com tcp
US 8.8.8.8:53 www.hotel-blumental.com udp
CH 94.126.21.30:80 www.hotel-blumental.com tcp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
US 8.8.8.8:53 crl.geotrust.com udp
SE 192.229.221.95:80 crl.geotrust.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.151.35:80 www.facebook.com tcp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 www.la-fontaine.com udp
CA 213.199.57.77:80 www.la-fontaine.com tcp
CA 213.199.57.77:443 www.la-fontaine.com tcp
CA 213.199.57.77:443 www.la-fontaine.com tcp
CA 213.199.57.77:443 www.la-fontaine.com tcp
CA 213.199.57.77:443 www.la-fontaine.com tcp
US 8.8.8.8:53 www.mountainhostel.com udp
IE 54.171.157.182:80 www.mountainhostel.com tcp
IE 54.171.157.182:443 www.mountainhostel.com tcp
US 8.8.8.8:53 www.hotelalbanareal.com udp
DE 3.67.141.185:80 www.hotelalbanareal.com tcp

Files

C:\MSOCache\SMAXDVTKP-DECRYPT.txt

MD5 860af5ee0d4b0f4883e48940e2c4ab04
SHA1 a9e1ea4de117fd048412bd3a6c96f3690ac65c66
SHA256 734daa0d0d609cda6ad9e8e84a989d905873c1cd45312608dddd884a0b6099e2
SHA512 c1e5d091460c83f441906993ced54ee32ea053dfb16f2e39297cdb6a446a8bf952ee36ec80c24f2c260ae2eb1aac131b9f5cc3e63cb59e38bda576057073b804

C:\Users\Admin\AppData\Local\Temp\Cab34D8.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar35B9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4970d7a763448ca692b07acdb4916443
SHA1 150dabe817f1418eaa6e6ca812ed2131efcff4e8
SHA256 f4edd1df2de0397d8211fc34e45d28ddb5b2311795189bed00d76055f9f43107
SHA512 8f8201a43ef813bee8b3a6008f0718ece9a48fcba876f96cef226f65c97496de6382ef8d15747867b4a6be4591424d5dbda589f49853c41aeb3b50166f4a641a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ec6218b1a2b631f4adc1c6f720b7569
SHA1 ac154913b347c1b18248a36b6391cb43e2603989
SHA256 dda648e869175a68ef6d4f59d276f62e1d30c2da18b2f0ce8018681d0b2350c5
SHA512 5ebf9658b427662f542b892b7d3e5f4d1bdbf71790e7715d12e34251b4fe4c1da8551c973e9bd5a722316369b92b79f9ba5bc11a770b2ca15318b8284832a1d7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 19:45

Reported

2024-06-01 19:47

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (295) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DGHAIJUM-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\e7e3b8bae7e3bf5719.lock C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\StepDeny.mp2v C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WriteSkip.wmx C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\e7e3b8bae7e3bf5719.lock C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DisablePing.mpe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SearchSync.ps1 C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\DGHAIJUM-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files\e7e3b8bae7e3bf5719.lock C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\TraceExit.wmv C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ProtectNew.wmf C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SwitchUninstall.scf C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ConfirmFind.kix C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ExitPublish.contact C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\GrantPop.mp4v C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\MountMerge.3g2 C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\OpenSend.xlsm C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ReceiveRepair.tif C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SuspendExport.zip C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WriteRestore.emf C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File created C:\Program Files\DGHAIJUM-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\BackupResume.scf C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = (binary blob value omitted) C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
PID 1916 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
PID 1916 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
PID 1916 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
PID 1916 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe
PID 540 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 540 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 540 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe C:\Windows\SysWOW64\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8b8eeeeaff8cd8d23b43e77e80653e57_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

F:\$RECYCLE.BIN\DGHAIJUM-DECRYPT.txt

MD5 ccdb5bfecdf114dddc06ec84f8bd4ea2
SHA1 47a3b8c0e3635a01068b15eb652979c54e537326
SHA256 b937465c03ff17832bb27a0722e67fdf5cf17d4207a7da17da1fb3a854fe592c
SHA512 9e3e3b1f702ec4d7153ee81769ec28e366824c43a707e7c9d80aff05fa6db34f1471b9fc0462ff0c713fd88833d9bc21291bd7ed5cbd1a23f83f1f21ad17c576
