globeimposter | c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8

General

Target

b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
Size

170KB
MD5

b0ee9dae7de7781ea809278c48c310a5
SHA1

28be65219441d78399027aa42c9cc7456ee67130
SHA256

c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8
SHA512

5b954dd7bd05549d8f29b720db615b4e79cf07a41efab7ed765eb8533ad429c0d351e610900fbc6ee8f1dc5f2c8c10e53a494a4f9ec8ffd54444a8ab0c2bd8ff
SSDEEP

3072:cPgObYtVfyWSBNSXxPB5fXGWgP548gbl9GNPz+DPGfK:ygJ7Gw57WWg6l9iSl

Score

10^/10

globeimposter defense_evasion execution impact persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8675) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2972 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2972	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe"	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe

Drops desktop.ini file(s) 38 IoCs

Processes:

b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtau	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.DPV	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21326_.GIF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\Read___ME.html	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\Read___ME.html	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00683_.WMF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libty_plugin.dll	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Vancouver	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\rt.jar	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98.POC	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTL.ICO	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234687.GIF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\Read___ME.html	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO98.POC	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14801_.GIF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00306_.WMF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\MMSS.ICO	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195534.WMF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196164.WMF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107262.WMF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00014_.WMF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\Read___ME.html	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Urumqi	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL001.XML	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00914_.WMF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_COL.HXC	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196374.WMF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Curacao	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00010_.WMF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_asf_plugin.dll	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\WSS.ICO	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00084_.WMF	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\Read___ME.html	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh89	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN011.XML	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1244 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe

pid process

2768 b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2568 vssvc.exe
Token: SeRestorePrivilege 2568 vssvc.exe
Token: SeAuditPrivilege 2568 vssvc.exe

pid	process
1244	vssadmin.exe

pid	process
2768	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe

description	pid	process
Token: SeBackupPrivilege	2568	vssvc.exe
Token: SeRestorePrivilege	2568	vssvc.exe
Token: SeAuditPrivilege	2568	vssvc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2768 wrote to memory of 1868	2768	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe	cmd.exe
PID 2768 wrote to memory of 1868	2768	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe	cmd.exe
PID 2768 wrote to memory of 1868	2768	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe	cmd.exe
PID 2768 wrote to memory of 1868	2768	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe	cmd.exe
PID 2768 wrote to memory of 2972	2768	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe	cmd.exe
PID 2768 wrote to memory of 2972	2768	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe	cmd.exe
PID 2768 wrote to memory of 2972	2768	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe	cmd.exe
PID 2768 wrote to memory of 2972	2768	b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe	cmd.exe
PID 1868 wrote to memory of 1244	1868	cmd.exe	vssadmin.exe
PID 1868 wrote to memory of 1244	1868	cmd.exe	vssadmin.exe
PID 1868 wrote to memory of 1244	1868	cmd.exe	vssadmin.exe
PID 1868 wrote to memory of 1244	1868	cmd.exe	vssadmin.exe
PID 1868 wrote to memory of 2132	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2132	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2132	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2132	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2164	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2164	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2164	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2164	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2056	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2056	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2056	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2056	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 1444	1868	cmd.exe	attrib.exe
PID 1868 wrote to memory of 1444	1868	cmd.exe	attrib.exe
PID 1868 wrote to memory of 1444	1868	cmd.exe	attrib.exe
PID 1868 wrote to memory of 1444	1868	cmd.exe	attrib.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1444 attrib.exe

pid	process
1444	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tmp8601.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1244

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
3⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
3⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
3⤵
PID:2056

C:\Windows\SysWOW64\attrib.exe
attrib Default.rdp -s -h
3⤵
- Views/modifies file attributes
PID:1444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\b0ee9dae7de7781ea809278c48c310a5_JaffaCakes118.exe > nul
2⤵
- Deletes itself
PID:2972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Modify Registry

1

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini
Filesize
1KB

MD5
62c8c76598baeca4304093dcd81a2d6b

SHA1
4b442c1a1002f2fc9ddcd26be46d8437eada46fe

SHA256
6bcd93202be28173d4656ebbe3fab546c03d4a41e89c222bbb9d0d59c4a11d3a

SHA512
d6a357f4ce79d68a1e1c7c8f235131591ae8bdbe8f12518a9cbff8f3816019e89300575011fc7c72f212e9d4cc6980f605a2957b4cd2ef348c548647dda5d7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8601.tmp.bat
Filesize
445B

MD5
32d8f7a3d0c796cee45f64b63c1cca38

SHA1
d58466430a2bba8641bd92c880557379e25b140c

SHA256
1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

SHA512
288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

Download Submit
C:\Users\Public\Videos\Read___ME.html
Filesize
4KB

MD5
ebefeb9a5c48197b0f46eaaaefb6a91f

SHA1
75657fee0e612046d0c94ee568330990c1551d55

SHA256
9e2081225a9acb7a93f3f0b69d00ae951dd7d5b0c197e0c8ab37d0832ffec156

SHA512
4038c7576ac89f69a6142433a0b8b25f43a596e39b820b75b57180feaafe7b3b4ec4adbf37463b4a35f1ba17360b453dfdbfb6453a4a26f15f14dc2e9591ac80

Download Submit
memory/2768-3-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2768-2-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2768-1443-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2768-3299-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2768-3300-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads