makop | 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f

Analysis

max time kernel
146s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
Size

322KB
MD5

a3f4d926dd9e36327ff2e467a0a930bb
SHA1

08e865fb1cf421ce39a378221b4b452c868e6f18
SHA256

686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
SHA512

016a361a6e74a144811c6d0a022a98987a142c88c974ae6c32f1bb510308cf6f549351e0dc08bcafd99d6270c8627898d5b960e9572cf9be6e5e70ad1e2e1532
SSDEEP

6144:29X0GTAkzL7r9r/EDppppppppppppppppppppppppppppp0G0MjpNVgB5ZEWH:40OP7r9r/+pppppppppppppppppppppq

Score

10^/10

makop defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8312) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2592	wbadmin.exe

Loads dropped DLL 4 IoCs

pid	Process
1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe\""	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
4	iplogger.org

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 2340	1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	28
PID 2772 set thread context of 2664	2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	42
PID 1616 set thread context of 2852	1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	48
PID 1556 set thread context of 3048	1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	50

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.INF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21324_.GIF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\drag.png	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\wordpad.exe.mui	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15155_.GIF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\46.png	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT.[AE7E3B7B].[[email protected]].makop	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif.[AE7E3B7B].[[email protected]].makop	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18204_.WMF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME29.CSS	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.HXS	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME24.CSS	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01366_.WMF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107488.WMF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285462.WMF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\HEADER.GIF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309904.WMF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Brunei	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19986_.WMF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14769_.GIF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4B.GIF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\settings.css	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234687.GIF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.HXS	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\readme-warning.txt	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02288_.WMF	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2260	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2340	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeBackupPrivilege	2804	vssvc.exe
Token: SeRestorePrivilege	2804	vssvc.exe
Token: SeAuditPrivilege	2804	vssvc.exe
Token: SeBackupPrivilege	1944	wbengine.exe
Token: SeRestorePrivilege	1944	wbengine.exe
Token: SeSecurityPrivilege	1944	wbengine.exe
Token: SeIncreaseQuotaPrivilege	3052	WMIC.exe
Token: SeSecurityPrivilege	3052	WMIC.exe
Token: SeTakeOwnershipPrivilege	3052	WMIC.exe
Token: SeLoadDriverPrivilege	3052	WMIC.exe
Token: SeSystemProfilePrivilege	3052	WMIC.exe
Token: SeSystemtimePrivilege	3052	WMIC.exe
Token: SeProfSingleProcessPrivilege	3052	WMIC.exe
Token: SeIncBasePriorityPrivilege	3052	WMIC.exe
Token: SeCreatePagefilePrivilege	3052	WMIC.exe
Token: SeBackupPrivilege	3052	WMIC.exe
Token: SeRestorePrivilege	3052	WMIC.exe
Token: SeShutdownPrivilege	3052	WMIC.exe
Token: SeDebugPrivilege	3052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3052	WMIC.exe
Token: SeRemoteShutdownPrivilege	3052	WMIC.exe
Token: SeUndockPrivilege	3052	WMIC.exe
Token: SeManageVolumePrivilege	3052	WMIC.exe
Token: 33	3052	WMIC.exe
Token: 34	3052	WMIC.exe
Token: 35	3052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3052	WMIC.exe
Token: SeSecurityPrivilege	3052	WMIC.exe
Token: SeTakeOwnershipPrivilege	3052	WMIC.exe
Token: SeLoadDriverPrivilege	3052	WMIC.exe
Token: SeSystemProfilePrivilege	3052	WMIC.exe
Token: SeSystemtimePrivilege	3052	WMIC.exe
Token: SeProfSingleProcessPrivilege	3052	WMIC.exe
Token: SeIncBasePriorityPrivilege	3052	WMIC.exe
Token: SeCreatePagefilePrivilege	3052	WMIC.exe
Token: SeBackupPrivilege	3052	WMIC.exe
Token: SeRestorePrivilege	3052	WMIC.exe
Token: SeShutdownPrivilege	3052	WMIC.exe
Token: SeDebugPrivilege	3052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3052	WMIC.exe
Token: SeRemoteShutdownPrivilege	3052	WMIC.exe
Token: SeUndockPrivilege	3052	WMIC.exe
Token: SeManageVolumePrivilege	3052	WMIC.exe
Token: 33	3052	WMIC.exe
Token: 34	3052	WMIC.exe
Token: 35	3052	WMIC.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2340	1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2340	1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2340	1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2340	1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2340	1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2340	1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2340	1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2340	1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2340	1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2340	1936	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2776	2340	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	30
PID 2340 wrote to memory of 2776	2340	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	30
PID 2340 wrote to memory of 2776	2340	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	30
PID 2340 wrote to memory of 2776	2340	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2260	2776	cmd.exe	32
PID 2776 wrote to memory of 2260	2776	cmd.exe	32
PID 2776 wrote to memory of 2260	2776	cmd.exe	32
PID 2776 wrote to memory of 2592	2776	cmd.exe	35
PID 2776 wrote to memory of 2592	2776	cmd.exe	35
PID 2776 wrote to memory of 2592	2776	cmd.exe	35
PID 2776 wrote to memory of 3052	2776	cmd.exe	39
PID 2776 wrote to memory of 3052	2776	cmd.exe	39
PID 2776 wrote to memory of 3052	2776	cmd.exe	39
PID 2772 wrote to memory of 2664	2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	42
PID 2772 wrote to memory of 2664	2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	42
PID 2772 wrote to memory of 2664	2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	42
PID 2772 wrote to memory of 2664	2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	42
PID 2772 wrote to memory of 2664	2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	42
PID 2772 wrote to memory of 2664	2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	42
PID 2772 wrote to memory of 2664	2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	42
PID 2772 wrote to memory of 2664	2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	42
PID 2772 wrote to memory of 2664	2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	42
PID 2772 wrote to memory of 2664	2772	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	42
PID 1616 wrote to memory of 2852	1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	48
PID 1616 wrote to memory of 2852	1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	48
PID 1616 wrote to memory of 2852	1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	48
PID 1616 wrote to memory of 2852	1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	48
PID 1616 wrote to memory of 2852	1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	48
PID 1616 wrote to memory of 2852	1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	48
PID 1616 wrote to memory of 2852	1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	48
PID 1616 wrote to memory of 2852	1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	48
PID 1616 wrote to memory of 2852	1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	48
PID 1616 wrote to memory of 2852	1616	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	48
PID 1556 wrote to memory of 3048	1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	50
PID 1556 wrote to memory of 3048	1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	50
PID 1556 wrote to memory of 3048	1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	50
PID 1556 wrote to memory of 3048	1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	50
PID 1556 wrote to memory of 3048	1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	50
PID 1556 wrote to memory of 3048	1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	50
PID 1556 wrote to memory of 3048	1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	50
PID 1556 wrote to memory of 3048	1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	50
PID 1556 wrote to memory of 3048	1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	50
PID 1556 wrote to memory of 3048	1556	a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe" n2340
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe" n2340
      4⤵
      PID:2664
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2260
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3052
- - C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe" n2340
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe" n2340
      4⤵
      PID:2852
- - C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe" n2340
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe" n2340
      4⤵
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3f4d926dd9e36327ff2e467a0a930bb_JaffaCakes118.exe" n2340
    3⤵
    PID:200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\readme-warning.txt

Filesize
1KB

MD5
6f0139dd854444d28a1c04aaa2c7ad11

SHA1
3e86e95da8da2a1e2974978d63b67198b78196e1

SHA256
0c512b4ae2fe9f5eca3dd4581dcd83aed7ed9c293a65512db0a2a24428b4a183

SHA512
bdd688dda7a2f766761adbbfe00b39a927d29fb988b437416182feda4faff110172f736142a8dd24c7581ccbdb29e6aeda47ac6851f63446da33fc73a3fd011c

Download Submit
C:\Users\Admin\AppData\Local\Temp\610352966

Filesize
57KB

MD5
4f58fca2b69d55758f9d6a99911a9c88

SHA1
4406163b611dd2d676bd13228a9630dab377746c

SHA256
7775acac0f47e6e5c8774eae8243f9cf79ec159f3df97b9197e0e37ba1b7b2c3

SHA512
31fce18e767d72e8524beb3a1b693ffe7688fd23be5b8a8d25e42dacd8baadbe77e0b27150bad21b728dd87e53db2dfc9d7b53ee2f125f0541c928be9c04f0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\610352966

Filesize
57KB

MD5
7db4f37a385ed9db6da048c4206acb75

SHA1
a1ea31f83abe9ac2c48cbaebb13a19a25b970783

SHA256
e2be0b459604bca5999fe28ddaf4847418bf099a2ceac139e9b9f081d7b9ab15

SHA512
6f4f13b1d8bc0fe7a72ff01b9404422b4c8ef74d7ce9be8cb0c41f17d7f11edbe2ae52a252aa35492553ec43350dd943bb2e9206b9e77f964aba9f3946fded4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\610352966

Filesize
57KB

MD5
0400f9632d45ead1d98c3c63ee884886

SHA1
62d6228f76423e79693f39fb2080679d1f965476

SHA256
0d054d77bfd1b92a17c81caae23d36c88370ac8d2d16e5c797a22c8b567bc1e9

SHA512
a7e331e0dcf5541ab4b942ea9603f85c065231da1c567bc022521d9c5151a376ede3a636adbaac1b68b4bf1313618de7cd1eeb7428c94f43e49193ad86ee4bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\610352966

Filesize
57KB

MD5
d0dc6a1c2b750373d28456bc9a996f24

SHA1
e398fbada4bad68002921d1a655ff9d215ffbc4a

SHA256
dc637a61fcbabf541dea7b90d35ba5b564618d7ae443f1313ebc0fc76a6bedfb

SHA512
0126d9af273f1b8edd61483ce76fdfe2f720f5534682bf11249917159bd6420a7f73c82c1b9100706c6ed2e9793efec8c82ffb0b27263396d5b80c64410237c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\610352966

Filesize
57KB

MD5
a1922ff259a33601aa215bacb552119e

SHA1
39fb30ca65264600d77c4ab7c17be7902251290a

SHA256
ed679fb95b9c6960da0f41fab82ee7edaa4fd509af4b1803813d26b3d9c66817

SHA512
b6b28524329a04ff1783a8c51e41b2ad237fd823fd1fb43b2d1b4987cee0103375ec1e41b196e71e0a9fb53f5001bbb1c92b1ece52d3cd9553bc53ff753d2697

Download Submit
\Users\Admin\AppData\Local\Temp\nsd4432.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/2340-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2340-11987-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2340-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2340-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2340-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2340-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2340-17608-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2664-17255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2664-17558-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2664-17557-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2852-17646-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2852-17647-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2852-17648-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3048-17697-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3048-17698-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3048-17699-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download