Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
15-06-2024 14:23
General
-
Target
aed7120328d1178bb11ae8a029fc6854_JaffaCakes118.exe
-
Size
262KB
-
MD5
aed7120328d1178bb11ae8a029fc6854
-
SHA1
a81d2fce8c1f7dcefde149f0ed53f36e9af6f062
-
SHA256
0167b5509d7491f76be962a85b4b2638aac06a4cef0fc3dbff155a63dc058d25
-
SHA512
9eef5728d823a12bc63010b64f6fb4c63bc144fd480d38547a93d48fa7e7d828f36537d21cab4a724f5caf810767b9d2b14c1abda0407d634cde01bb49a12f19
-
SSDEEP
6144:yeuqqTPZEnjdVF1pTsF1lVVBsVEiMTJeIBjFWLXx/:yEqTPKd71i6W4IBgLXl
Score
10/10
Malware Config
Extracted
Path
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt
Family
cerber
Ransom Note
C E R B E R R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files
have been encrypted.
Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.
#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Ransomware" has been removed from your computer.
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security
reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely
reversible (in other words to have a possibility to decrypt your files)
you should have an individual private key.
But not only it.
It is required also to have the special decryption software
(in your case "Cerber Decryptor" software) for safe and complete
decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the
instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt")
in the folders with your encrypted files are not viruses, they will
help you.
After reading this text the most part of people start searching in the
Internet the words the "Cerber Ransomware" where they find a lot of
ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on
your files and we are the only ones who have this secret key to
open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the
encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle but some items are lost, broken or not put in its
place - the puzzle items will never match, the same way the third-party
software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to
restore files encrypted with the "Cerber Ransomware" software may be
fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the
private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you
to go directly to your personal page where you will receive the complete
instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
_______________________________________________________________________
|
| 1. http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25
|
| 2. http://cerberhhyed5frqa.m5gid4.win/1B12-00A0-AF97-0044-3E25
|
| 3. http://cerberhhyed5frqa.wewiso.win/1B12-00A0-AF97-0044-3E25
|
| 4. http://cerberhhyed5frqa.moneu5.win/1B12-00A0-AF97-0044-3E25
|
| 5. http://cerberhhyed5frqa.wins4n.win/1B12-00A0-AF97-0044-3E25
|_______________________________________________________________________
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in
HTML (the file with an icon of your Internet browser) then the easiest
way is to run it):
1. take a look at the first address (in this case it is
http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25);
2. select it with the mouse cursor holding the left mouse button and
moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the
Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the
place where the site address is written);
7. click the right mouse button in the field where the site address
is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address
http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25
appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same
instructions with the second address and continue until the last
address if falling.
If for some reason the site cannot be opened check the connection to the
Internet; if the site still cannot be opened take a look at the
instructions on omitting the point about working with the addresses in
the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is
http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25);
2. in a new tab or window of your web browser the site should be loaded;
if it is not loaded repeat the same instructions with the second
address and continue until the last address.
If for some reason the site cannot be opened check the connection to
the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies
are interested in you do not have a chance to restore your files but
continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the
Internet Explorer);
2. enter or copy the address
https://www.torproject.org/download/download-easy.html.en into the
address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and
run it, follow the installation instructions, wait until the
installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after
the initialization;
8. type or copy the address
________________________________________________________
| |
| http://cerberhhyed5frqa.onion/1B12-00A0-AF97-0044-3E25 |
|________________________________________________________|
in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading
wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser,
please, visit https://www.youtube.com/ and type request in the search bar
"install tor browser windows" and you will find a lot of training videos
about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you
are late; usually you have about 2-3 weeks after reading the instructions
to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders
where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for
your convenience.
Unfortunately antivirus companies cannot protect or restore your files
but they can make the situation worse removing the instructions how to
restore your encrypted files.
The instructions are not viruses; they have informative nature only, so
any claims on the absence of any instruction files you can send to your
antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a
person and his/her information data.
The project is created for the sole purpose of instruction regarding
information security, as well as certification of antivirus software for
their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something
is wrong with your files but you do not have any instructions to restore
your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on
your determination and speed of your actions the further life of
your files.
URLs
http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25
http://cerberhhyed5frqa.m5gid4.win/1B12-00A0-AF97-0044-3E25
http://cerberhhyed5frqa.wewiso.win/1B12-00A0-AF97-0044-3E25
http://cerberhhyed5frqa.moneu5.win/1B12-00A0-AF97-0044-3E25
http://cerberhhyed5frqa.wins4n.win/1B12-00A0-AF97-0044-3E25
http://cerberhhyed5frqa.onion/1B12-00A0-AF97-0044-3E25
Extracted
Path
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.html
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Cerber Ransomware</title>
<style>
a {
color: #47c;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #333;
font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
font-size: 16px;
line-height: 1.6;
margin: 0;
padding: 0;
}
hr {
background-color: #e7e7e7;
border: 0 none;
border-bottom: 1px solid #c7c7c7;
height: 5px;
margin: 30px 0;
}
li {
padding: 0 0 7px 7px;
}
ol {
padding-left: 3em;
}
.container {
background-color: #fff;
border: 1px solid #c7c7c7;
margin: 40px;
padding: 40px 40px 20px 40px;
}
.info, .tor {
background-color: #efe;
border: 1px solid #bda;
display: block;
padding: 0px 20px;
}
.logo {
font-size: 12px;
font-weight: bold;
line-height: 1;
margin: 0;
}
.tor {
padding: 10px 0;
text-align: center;
}
.warning {
background-color: #f5e7e7;
border: 1px solid #ebccd1;
color: #a44;
display: block;
padding: 15px 10px;
text-align: center;
}
</style>
</head>
<body>
<div class="container">
<h3>C E R B E R R A N S O M W A R E</h3>
<hr>
<p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p>
<p>It is normal because the files' names, as well as the data in your files have been encrypted.</p>
<p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p>
<hr>
<p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p>
<hr>
<h3>What is encryption?</h3>
<p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p>
<p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p>
<p>But not only it.</p>
<p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p>
<hr>
<h3>Everything is clear for me but what should I do?</h3>
<p>The first step is reading these instructions to the end.</p>
<p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p>
<p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p>
<p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p>
<p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p>
<p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p>
<p>Finally it will be impossible to decrypt your files.</p>
<p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p>
<p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p>
<hr>
<p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p>
<hr>
<p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p>
<p>After purchase of the software package you will be able to:</p>
<ol>
<li>decrypt all your files;</li>
<li>work with your documents;</li>
<li>view your photos and other media;</li>
<li>continue your usual and comfortable work at the computer.</li>
</ol>
<p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p>
<hr>
<div class="info">
<p>There is a list of temporary addresses to go on your personal page below:</p>
<ol>
<li><a href="http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25" target="_blank">http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25</a></li>
<li><a href="http://cerberhhyed5frqa.m5gid4.win/1B12-00A0-AF97-0044-3E25" target="_blank">http://cerberhhyed5frqa.m5gid4.win/1B12-00A0-AF97-0044-3E25</a></li>
<li><a href="http://cerberhhyed5frqa.wewiso.win/1B12-00A0-AF97-0044-3E25" target="_blank">http://cerberhhyed5frqa.wewiso.win/1B12-00A0-AF97-0044-3E25</a></li>
<li><a href="http://cerberhhyed5frqa.moneu5.win/1B12-00A0-AF97-0044-3E25" target="_blank">http://cerberhhyed5frqa.moneu5.win/1B12-00A0-AF97-0044-3E25</a></li>
<li><a href="http://cerberhhyed5frqa.wins4n.win/1B12-00A0-AF97-0044-3E25" target="_blank">http://cerberhhyed5frqa.wins4n.win/1B12-00A0-AF97-0044-3E25</a></li>
</ol>
</div>
<hr>
<h3>What should you do with these addresses?</h3>
<p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p>
<ol>
<li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25" target="_blank">http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25</a>);</li>
<li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li>
<li>release the left mouse button and press the right one;</li>
<li>select "Copy" in the appeared menu;</li>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li>
<li>click the right mouse button in the field where the site address is written;</li>
<li>select the button "Insert" in the appeared menu;</li>
<li>then you will see the address <a href="http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25" target="_blank">http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25</a> appeared there;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p>
<p>If you browse the instructions in HTML format:</p>
<ol>
<li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25" target="_blank">http://cerberhhyed5frqa.sims6n.win/1B12-00A0-AF97-0044-3E25</a>);</li>
<li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet.</p>
<hr>
<p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p>
<p>Unlike them we are ready to help you always.</p>
<p>If you need our help but the temporary sites are not available:</p>
<ol>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site loading;</li>
<li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>run Tor Browser;</li>
<li>connect with the button "Connect" (if you use the English version);</li>
<li>a normal Internet browser window will be opened after the initialization;</li>
<li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/1B12-00A0-AF97-0044-3E25</span> in this browser address bar;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li>
</ol>
<p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p>
<p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p>
<hr>
<h3>Additional information:</h3>
<p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p>
<p>The instructions are made in two file formats - HTML and TXT for your convenience.</p>
<p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p>
<p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p>
<hr>
<p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p>
<p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p>
<p>Together we make the Internet a better and safer place.</p>
<hr>
<p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p>
<hr>
<p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p>
</div>
</body>
</html>
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (16389) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 2 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\aed7120328d1178bb11ae8a029fc6854_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\aed7120328d1178bb11ae8a029fc6854_JaffaCakes118.exe"1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{32FA63F1-D64D-114D-3379-634918E2D550}\xpsrchvw.exe"C:\Users\Admin\AppData\Roaming\{32FA63F1-D64D-114D-3379-634918E2D550}\xpsrchvw.exe"2⤵
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:537601 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"3⤵
-
-
C:\Windows\system32\cmd.exe/d /c taskkill /t /f /im "xpsrchvw.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{32FA63F1-D64D-114D-3379-634918E2D550}\xpsrchvw.exe" > NUL3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im "xpsrchvw.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "aed7120328d1178bb11ae8a029fc6854_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\aed7120328d1178bb11ae8a029fc6854_JaffaCakes118.exe" > NUL2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "aed7120328d1178bb11ae8a029fc6854_JaffaCakes118.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x51c1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
219B
MD535a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA2568ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA5126d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
Filesize
12KB
MD59fe12f21c75913c26027f1217dd0b335
SHA12a889c4843c8a40d3f8234244065a2eb8ed49be2
SHA256a3be2fe7b3a6edac32371ef555a19166ff81c313958aa58e2730848ff804679a
SHA5127fc179fdc5715e06a9838a8c1c4a20ab57650d0d0989dbb6e0786c6590744f2cbe8419d2a41aad048206e8ea2c4c87cad1d981e7f8f6ca2cb1ce23be8e1d4d9f
-
Filesize
10KB
MD531e8dc49c6fc31deb98d7556aa5a9b97
SHA1cb34697e7ca5f6e65ae04085d16d4531d4800dba
SHA256c5e398124199f2c3cf5db58a8183b046af3db13a50d2de8a7dc5210f141318a6
SHA51289d7ccc45458645bd8ef6068c857dbc05f323cd5bf9530c5e76ba2bf0d6f4be591ad37e22434243556acf6d35d1b0fb266985162a34dd6b068811de3cfa19cc3
-
Filesize
85B
MD585ae0f16f0104e44a0e727411d46db8c
SHA199b1cbac3806e5cd6ab980aa696f2b2368b82ebb
SHA2565e86f90062c31ca492d10afb1de8d902c4210e46bf2c43003f5a8c783f6968ee
SHA512053d305cfd091941394f7ff2058deeeb3bab296942a600c7147be42cad8bb35ca1b3564f40468363e13c564b4838dcffe99e65963e6c56553d6d7452f40ebc65
-
Filesize
342B
MD5a1d505da729c6e2823d99410707b39cb
SHA180a9e22b7467c9071d920c21c06b357d0838af96
SHA2563bebc2152f14578d8903b23cc674f796444523a395c255c3ea26819efb01a78f
SHA51245ae832b93cc85c9d135253a870b9871394a297bce9d954c22ca40225a89fc2c8f4422736a4e83a96d1a31594b8007b84ae37cc9fa06bcafde88256cc15dd398
-
Filesize
342B
MD5955367d1ddacf2590808f593af853a7c
SHA123e210b66e9b1eccc6b641fd89a3b450e3d18339
SHA2563934dce1d4535e6cb5853cc8483d537e6292466769b72f6b8e978fcf10445046
SHA512aa674d4bbc58095a43aa62cde2cab7c8cea346d85550b4790e0cd201e6091dcaea0986de95e7a4a1c81b1b19d696a1b65611f7e54f77eeb9d9a02cf881af4f95
-
Filesize
342B
MD56e908ecf13599d03dc1b3ced57a19911
SHA188d04d04266422412cfd8847d08f2f964f0f0a27
SHA25669d30f1676c16c88f3c72b63eb962cfd8c14cf631eb9f0780375742bf4f044c7
SHA5128fe7db6f6580240d865f17502da3dbc4e1bb872305db3339f4a4b476c9768c8b1f5a0e3b3e0d118c8f3b251c18587d4670fb23a4b46a63224b4c653ef3d690de
-
Filesize
342B
MD5415918b5be1f121e71650f8485e86d86
SHA1854600f7faa0b62dd451978202031b2ffb186522
SHA256d31c0aa47f6fa77d1ed84070e400bd118c23161e76904a4bd41f03964b37d8bb
SHA5122172c18d8c1f16f24d48ef99293a7516ade241d39c9c5d1bd7542ba0b0905bca90cf57720b8162290277b057ced90a2513fee9a6acd9a3d7833564cad2c36ffa
-
Filesize
342B
MD5bd68821438a0007dfe538b2e7a4094c2
SHA193f5a56bf0f1e1f7279a68d6b396eb1da3dbe7af
SHA25620f6eed41ff64f6b4bc8fbf6363a027b5b348371ff1d8c157c3524e63ba15d60
SHA512c54851c36e00f28a3a7d6eee49918ac8de18eabe8fa077548e2cb932376828e491d67f93709071b1deee79ead467f6d975ead425ffdbb3964f0374e963a77a4f
-
Filesize
342B
MD55f29be4712ac8eb726dde3aecb274edd
SHA1c95cacba672146c9de06446654ee72c4bf138671
SHA256c15ceab04b75c02a5f7cb5638f94b11f5a6f151b85030fc770cfc7c92bdfc09c
SHA51271506cbd8d6d31f41d2ea33472e9cff5b3ae6c917f510858644c81d6923d47e1df9d938efe54f94ce52b494e1f0257f87cb1755afaa1bbdfbb0aa4735d5fbded
-
Filesize
342B
MD56d9f9cd523729de05df7403e5e2ffb47
SHA1337d39c9a805d931a22798089ce7d77c14836b70
SHA2567500c34aa2c9ea3d7d92f6277de80033d310df45c12b828d5d9a5a7fa00c56d0
SHA512b549d47c7466717100c2422785633aed2b02ce2e28e5e5b8a9fc49f5581bea6435b88e5f79ba38e1890c39bcdf31e2b5e51e25a2c756dff7cf52d0cfc77e1de8
-
Filesize
342B
MD5e677921dc312d714cab144c0b40bb62f
SHA1eb11eafbee059d7c2f1e698408fdd013063918a4
SHA2566f84ffc41e08fe51c56d339978deb5a80ee0bd87acd35d3fe6a164a6cece121b
SHA512330ecd5876bd9425fecb6728a7f7eacf0eabbc06a30ed65fa3b3189f896c30699e66eca0cc15b514ab83b2098bb955f0f058978d16ef52a368ba6f5929f71de3
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD5e88b73121829ac2b05b6c3422f2337b8
SHA16e5d45851eeafe7c1e0cb3a327505c150bfac493
SHA256c752c59990083ef031662c25e43ac714cadf59107d873f8468e37ea3883b2fb0
SHA512669ba2f8658e36a81895fbcf47dc5394c775fc093f71a7f51597fca49dc707f62a43be145fd946beba9bba3017de926970f35c76d3d9527c7799f17ef0a9ddb6
-
Filesize
262KB
MD5aed7120328d1178bb11ae8a029fc6854
SHA1a81d2fce8c1f7dcefde149f0ed53f36e9af6f062
SHA2560167b5509d7491f76be962a85b4b2638aac06a4cef0fc3dbff155a63dc058d25
SHA5129eef5728d823a12bc63010b64f6fb4c63bc144fd480d38547a93d48fa7e7d828f36537d21cab4a724f5caf810767b9d2b14c1abda0407d634cde01bb49a12f19
-
Filesize
272KB
-
Filesize
88KB
-
Filesize
272KB
-
Filesize
8KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
4KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB