Malware Analysis Report

2024-09-23 05:57

Sample ID 240603-3pa5cadd5s
Target 93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118
SHA256 bb13e13ced7ed27d32eb517c9bbf5cd7bdf0bb42d0cd4e463dc4cb2852db5ee2
Tags gandcrab backdoor defense_evasion execution impact ransomware spyware stealer upx
Score 10/10

Analysis Overview

Score

10/10

SHA256

bb13e13ced7ed27d32eb517c9bbf5cd7bdf0bb42d0cd4e463dc4cb2852db5ee2

Threat Level: Known bad

The file 93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer upx

Gandcrab

Renames multiple (313) files with added filename extension

Deletes shadow copies

Renames multiple (259) files with added filename extension

Checks computer location settings

UPX packed file

Drops startup file

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 23:40

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 23:40

Reported

2024-06-03 23:43

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (259) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\XBQBOKEN-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\91499384914994696b.lock C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\91499384914994696b.lock C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PingEnable.mht C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\XBQBOKEN-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files\XBQBOKEN-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PopUnregister.php C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ReadRename.scf C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RequestFind.vbs C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SearchUnlock.vb C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\StartOut.htm C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DenyDebug.gif C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WaitRequest.vst C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\91499384914994696b.lock C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ExportRename.M2T C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RenameNew.pcx C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CompressConvert.xps C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\GrantCompress.crw C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResetReceive.gif C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DismountComplete.vdw C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RequestSubmit.xltx C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResetDeny.jpg C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RevokeSuspend.M2V C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SyncResize.search-ms C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\GroupInstall.xls C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\LockConfirm.kix C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ProtectSplit.scf C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 www.kakaocorp.link udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

memory/208-0-0x0000000000400000-0x000000000045A000-memory.dmp

memory/208-3-0x0000000000400000-0x000000000041C000-memory.dmp

memory/208-2-0x00000000004C0000-0x00000000005C0000-memory.dmp

memory/208-4-0x0000000000400000-0x000000000045A000-memory.dmp

memory/208-5-0x0000000000400000-0x000000000045A000-memory.dmp

memory/208-6-0x0000000000400000-0x000000000045A000-memory.dmp

memory/208-7-0x00000000004C0000-0x00000000005C0000-memory.dmp

memory/208-8-0x0000000000400000-0x000000000041C000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\XBQBOKEN-DECRYPT.txt

MD5 832fe1fbb7fad09ff5ab5e8368ddd0c3
SHA1 277907a5e3a8e7bd4eb9557048e1feca13ccc556
SHA256 ae6c20bd3b92beeb0e8d4003351e772d66d9d186fdbfce5497f202142d529205
SHA512 3eb0d0bdeae86c18c4b96ba503d61cc54191b6cac75619e3e0ad3c661f225f9e231a3619f210b36b975949f73bcc9ab960b66091164088d6fbb58a11e8f432bb

memory/208-180-0x0000000000400000-0x000000000045A000-memory.dmp

memory/208-688-0x0000000000400000-0x000000000045A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 23:40

Reported

2024-06-03 23:43

Platform

win7-20240221-en

Max time kernel

141s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (313) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DisableConvertFrom.rar C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SelectClear.vbe C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UninstallConvertTo.MTS C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\MoveRename.vsdx C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UpdateRedo.dwfx C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\CUSGJTM-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\GrantStep.xml C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\a92b5ebea92b59536b.lock C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\a92b5ebea92b59536b.lock C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\a92b5ebea92b59536b.lock C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ClearConnect.xml C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DenyRename.wvx C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PopBlock.vsdx C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\SyncClose.wmv C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UpdateSelect.mhtml C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\AssertCompare.php C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\BlockRepair.mpe C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CopyRedo.i64 C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PopReceive.txt C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ReadConvertTo.pub C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files\a92b5ebea92b59536b.lock C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\FindFormat.m3u C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PushRemove.avi C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ReceiveDebug.mp4v C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RedoRevoke.vstm C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UnprotectWatch.TTS C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\CloseUpdate.potm C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\HideFind.crw C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\MoveCompress.clr C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\PingMerge.mp3 C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RepairClear.xlsb C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\CUSGJTM-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\a92b5ebea92b59536b.lock C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\CUSGJTM-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files\CUSGJTM-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\LimitDismount.asx C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\RenameAdd.rmi C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\ResumeHide.rtf C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\UninstallLock.gif C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\CUSGJTM-DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\93016c8fa91b493eeb7d00c9d7b6d458_JaffaCakes118.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.kakaocorp.link udp

Files

memory/2924-0-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2924-2-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2924-3-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2924-4-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2924-5-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2924-6-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2924-7-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2924-8-0x0000000000400000-0x000000000041C000-memory.dmp

F:\$RECYCLE.BIN\CUSGJTM-DECRYPT.txt

MD5 38951abe0dee3750b5af4070aaa59b9d
SHA1 01effb4d7d3702715bd25c8519e547f74c33900f
SHA256 76c1f3c18bcf378c529e74282ca8d1c6ca401e434c2e2e84af66c699ee9780fb
SHA512 7ebd914b9ed971c0cad0b078af127a240f9f44c7dcd9edd0b68447733d146cc654b85e4804f10819603841548d9de1a482685ffdec30593d322d49c004a52231

memory/2924-591-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2924-792-0x0000000000400000-0x000000000045A000-memory.dmp