Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/06/2024, 06:20
Static task: static1
Behavioral task: behavioral1
  Sample: b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe
Size: 350KB
MD5: b21a8247fed6d7f3fb9fa89016a5f41d
SHA1: 9227062dc0a62e4fa0284ad521a56c373c34ffde
SHA256: 2d63a0d8ece25bdb093098fe7569c973ada10927387ee288b87030e5765f514b
SHA512: 68c0342db819d8df9bddce9c23a2552cfa6d72e24ff54c3ed922a4388e698c0c6e3cee8688c905564540141ea32d3e26e8acc49b5412aadd526aea93fe5f7fa7
SSDEEP: 6144:oucrZMDMXbJ2kAUWaNCZAaCudurslKREBKT0PLNMbQ4AWbO/Fh:P8ZM2RiKCZ9urGETYNMbQ4zbm
Malware Config
Extracted from: C:\Users\Admin\Pictures\# DECRYPT MY FILES #.txt
Family: cerber
URLs:
  http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B
  http://cerberhhyed5frqa.slr849.win/33DA-3C2B-4211-006D-AF6B
  http://cerberhhyed5frqa.ret5kr.win/33DA-3C2B-4211-006D-AF6B
  http://cerberhhyed5frqa.zgf48j.win/33DA-3C2B-4211-006D-AF6B
  http://cerberhhyed5frqa.xltnet.win/33DA-3C2B-4211-006D-AF6B
  http://cerberhhyed5frqa.onion/33DA-3C2B-4211-006D-AF6B
Extracted from: C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Contacts a large (16401) amount of remote hosts 1 TTPs
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows 1 TTPs
  This may indicate a network scan to discover remotely running services.
- Deletes shadow copies 3 TTPs
  Ransomware often targets backup files to inhibit system recovery.
- Adds policy Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\\cipher.exe\"" | b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\\cipher.exe\"" | cipher.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | cipher.exe
- Drops startup file 2 IoCs
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cipher.lnk | cipher.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cipher.lnk | b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe
- Executes dropped EXE 1 IoCs
  pid | Process
  3572 | cipher.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 4 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cipher = "\"C:\\Users\\Admin\\AppData\\Roaming\\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\\cipher.exe\"" | b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cipher = "\"C:\\Users\\Admin\\AppData\\Roaming\\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\\cipher.exe\"" | b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cipher = "\"C:\\Users\\Admin\\AppData\\Roaming\\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\\cipher.exe\"" | cipher.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cipher = "\"C:\\Users\\Admin\\AppData\\Roaming\\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\\cipher.exe\"" | cipher.exe
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  8 | ipinfo.io
- Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpCF13.bmp" | cipher.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry 2 TTPs 3 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Interacts with shadow copies 2 TTPs 1 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  3556 | vssadmin.exe
- Kills process with taskkill 2 IoCs
  pid | Process
  2700 | taskkill.exe
  3416 | taskkill.exe
- Modifies Control Panel 4 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop | b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\\cipher.exe\"" | b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop | cipher.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\\cipher.exe\"" | cipher.exe
- Modifies registry class 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | cipher.exe
- Runs ping.exe 1 TTPs 2 IoCs
  pid | Process
  4372 | PING.EXE
  4456 | PING.EXE
- Suspicious behavior: EnumeratesProcesses 42 IoCs
  pid | Process
  3572 | cipher.exe (x36)
  4500 | msedge.exe (x2)
  4056 | msedge.exe (x2)
  4560 | identity_helper.exe (x2)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  pid | Process
  4056 | msedge.exe (x10)
- Suspicious use of AdjustPrivilegeToken 51 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 4520 | b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe
  Token: SeDebugPrivilege | 3572 | cipher.exe
  Token: SeDebugPrivilege | 2700 | taskkill.exe
  Token: SeBackupPrivilege | 1196 | vssvc.exe
  Token: SeRestorePrivilege | 1196 | vssvc.exe
  Token: SeAuditPrivilege | 1196 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 3260 | wmic.exe (x2)
  Token: SeSecurityPrivilege | 3260 | wmic.exe (x2)
  Token: SeTakeOwnershipPrivilege | 3260 | wmic.exe (x2)
  Token: SeLoadDriverPrivilege | 3260 | wmic.exe (x2)
  Token: SeSystemProfilePrivilege | 3260 | wmic.exe (x2)
  Token: SeSystemtimePrivilege | 3260 | wmic.exe (x2)
  Token: SeProfSingleProcessPrivilege | 3260 | wmic.exe (x2)
  Token: SeIncBasePriorityPrivilege | 3260 | wmic.exe (x2)
  Token: SeCreatePagefilePrivilege | 3260 | wmic.exe (x2)
  Token: SeBackupPrivilege | 3260 | wmic.exe (x2)
  Token: SeRestorePrivilege | 3260 | wmic.exe (x2)
  Token: SeShutdownPrivilege | 3260 | wmic.exe (x2)
  Token: SeDebugPrivilege | 3260 | wmic.exe (x2)
  Token: SeSystemEnvironmentPrivilege | 3260 | wmic.exe (x2)
  Token: SeRemoteShutdownPrivilege | 3260 | wmic.exe (x2)
  Token: SeUndockPrivilege | 3260 | wmic.exe (x2)
  Token: SeManageVolumePrivilege | 3260 | wmic.exe (x2)
  Token: 33 | 3260 | wmic.exe (x2)
  Token: 34 | 3260 | wmic.exe (x2)
  Token: 35 | 3260 | wmic.exe (x2)
  Token: 36 | 3260 | wmic.exe (x2)
  Token: 33 | 396 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 396 | AUDIODG.EXE
  Token: SeDebugPrivilege | 3416 | taskkill.exe
- Suspicious use of FindShellTrayWindow 25 IoCs
  pid | Process
  4056 | msedge.exe (x25)
- Suspicious use of SendNotifyMessage 24 IoCs
  pid | Process
  4056 | msedge.exe (x24)
- Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target
  PID 4520 wrote to memory of 3572 | 4520 | b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe | 85 (x3)
  PID 4520 wrote to memory of 396 | 4520 | b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe | 86 (x3)
  PID 396 wrote to memory of 2700 | 396 | cmd.exe | 88 (x3)
  PID 3572 wrote to memory of 3556 | 3572 | cipher.exe | 89 (x2)
  PID 396 wrote to memory of 4372 | 396 | cmd.exe | 93 (x3)
  PID 3572 wrote to memory of 3260 | 3572 | cipher.exe | 96 (x2)
  PID 3572 wrote to memory of 4056 | 3572 | cipher.exe | 102 (x2)
  PID 3572 wrote to memory of 4476 | 3572 | cipher.exe | 103 (x2)
  PID 4056 wrote to memory of 1880 | 4056 | msedge.exe | 104 (x2)
  PID 3572 wrote to memory of 4184 | 3572 | cipher.exe | 105 (x2)
  PID 4184 wrote to memory of 1368 | 4184 | msedge.exe | 106 (x2)
  PID 4056 wrote to memory of 2272 | 4056 | msedge.exe | 107 (x38)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe (PID 4520)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe"
    - Adds policy Run key to start application
    - Drops startup file
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\cipher.exe (PID 3572)
      Command line: "C:\Users\Admin\AppData\Roaming\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\cipher.exe"
      - Adds policy Run key to start application
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Sets desktop wallpaper using registry
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe (PID 3556)
        Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        - Interacts with shadow copies
    [3] C:\Windows\system32\wbem\wmic.exe (PID 3260)
        Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4056)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1880)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffa025546f8,0x7ffa02554708,0x7ffa02554718
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2272)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4500)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3376)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3492)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3496)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3668)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1516)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1804)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3176)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4560)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1408)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1316)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2588)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3812)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5100)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14386940421226848354,15998354743884696313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
    [3] C:\Windows\system32\NOTEPAD.EXE (PID 4476)
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4184)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xlfp45.win/33DA-3C2B-4211-006D-AF6B
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1368)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa025546f8,0x7ffa02554708,0x7ffa02554718
    [3] C:\Windows\System32\WScript.exe (PID 2952)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    [3] C:\Windows\system32\cmd.exe (PID 3632)
        Command line: /d /c taskkill /t /f /im "cipher.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{723AF0C3-C24B-49DA-B386-57E4308F6DCE}\cipher.exe" > NUL
      [4] C:\Windows\system32\taskkill.exe (PID 3416)
          Command line: taskkill /t /f /im "cipher.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\PING.EXE (PID 4456)
          Command line: ping -n 1 127.0.0.1
          - Runs ping.exe
  [2] C:\Windows\SysWOW64\cmd.exe (PID 396)
      Command line: /d /c taskkill /t /f /im "b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe" > NUL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 2700)
        Command line: taskkill /t /f /im "b21a8247fed6d7f3fb9fa89016a5f41d_JaffaCakes118.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\PING.EXE (PID 4372)
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe
[1] C:\Windows\system32\vssvc.exe (PID 1196)
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\CompPkgSrv.exe (PID 4592)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe (PID 4496)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\system32\AUDIODG.EXE (PID 396)
    Command line: C:\Windows\system32\AUDIODG.EXE 0x48c 0x4a0
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB
  MD5: 2462d2a3d98650952539150aea35c76f
  SHA1: 9a8a14bd12927b444fca913ef43bdef5b271f223
  SHA256: 8ea6933934f7136dd0c630f43e3b3201e98979578251763729f0345f0a061e1f
  SHA512: 884c093803db35b2c39cf94aed5207dcb9ac7f870b4a90579011ae5e07f340c9d0846371ec66a7e8752fad07f899ff05c027916c17702615f6348ca3bf7da12e
- Filesize: 152B
  MD5: b4a74bc775caf3de7fc9cde3c30ce482
  SHA1: c6ed3161390e5493f71182a6cb98d51c9063775d
  SHA256: dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
  SHA512: 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f
- Filesize: 152B
  MD5: c5abc082d9d9307e797b7e89a2f755f4
  SHA1: 54c442690a8727f1d3453b6452198d3ec4ec13df
  SHA256: a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
  SHA512: ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c
- Filesize: 6KB
  MD5: 8f9c870c67984e5496e32524c9e9dbaf
  SHA1: c8e6aa2dde974879ee0d4c4af0164a86ef60f8b1
  SHA256: 11944a8d5957cb1c11de5833663369f1989b55574965c7d9acda04674b80c5a8
  SHA512: 66d4358fabdeceac7004bfe6e9db44c48c68351b6eb084c8fe64afd88a1e24e1e0a1f85c5bee83e5a71512ba7cffd08bd7492acf4a57838d599004e01eb32de8
- Filesize: 6KB
  MD5: 1254dabd053439961743af6078ae965a
  SHA1: 10a4e07a7c6ac7ec161411b63b7c27d368d5c68d
  SHA256: 910ee61c4942f4b9565ad92e480ff45134b5c0fbe9e884a71e4120fcfeedd812
  SHA512: 077a1fc7575c41882779b122d4ede017c0dd101476c6516b256357ebad3becaa7242761bda14570808a3647005e9bc221f05e397e0daa75d8af20e8d54138094
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 11KB
  MD5: d4a478c0660cba3084bbf033aa0a60cd
  SHA1: 23c37a05a0515eb2574a2770511d20d62f358eb2
  SHA256: 55dacd36fb4ea40fbe1c9b2f13414ed695d4f5b89f63130353b8bb89689b5fb5
  SHA512: 2dee520173b65e343dd88de28b2996773385999784b9aed4163a81e7ef267494344fe852eef2dace0e96cd1bb6f966f072ca8ac35b1e6db00767e49982264e78
- Filesize: 1KB
  MD5: 230bd4c152212389b41a5fbc886c696c
  SHA1: fd62d836e4c95e8a1706cd008606288b94498c96
  SHA256: 6df9b55d48f7e6464825031c4510fa40788022c4a523b5767c964a635a1654e4
  SHA512: d36dfa653a768c88f166fea23d3cfd4175490f24df773e6694e3c3b6da52b1eeef4fc7130390f49a5fc99bf31006180f448c721d751d670f1c6e433213516e81
- Filesize: 350KB
  MD5: b21a8247fed6d7f3fb9fa89016a5f41d
  SHA1: 9227062dc0a62e4fa0284ad521a56c373c34ffde
  SHA256: 2d63a0d8ece25bdb093098fe7569c973ada10927387ee288b87030e5765f514b
  SHA512: 68c0342db819d8df9bddce9c23a2552cfa6d72e24ff54c3ed922a4388e698c0c6e3cee8688c905564540141ea32d3e26e8acc49b5412aadd526aea93fe5f7fa7
- Filesize: 85B
  MD5: 6d26de61e79ec33ba5add652fb3db475
  SHA1: e7f377582fa04dc7ac122f7fa136f2adaf557fdc
  SHA256: d944e5668953c8a0a021f0f967e862a2f62546efa436b2ee03750362d67c9faa
  SHA512: 3fa3bcd0b588721d1c6226bbc00c1b1a891bc716cd3d13e9963b3d1500fd5f7f0bdb6e75cc51459660aa201fc92ec8c982080edbefc64b02158886d91b20e3a7
- Filesize: 219B
  MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
  SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
  SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
  SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
- Filesize: 10KB
  MD5: 7b9f34f6c21726de3e1fcc83895aea71
  SHA1: 3827ff1a44c3c1f9788a62798391405b9e2fe4b7
  SHA256: d3312c78e22c1f219c82e682a3def15af54bfb783849e4cffd935c7191964044
  SHA512: 0a9b00e492e81b2e7b3eccc73fd857bd5f35d5cec677a3928afe7fdb493c3cb2407096e3644c024074d8645c24f7cd8712c2864748daa7deb448f62f1706f9ed