conti | e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
Size

1.6MB
MD5

520d488564da102f5482fcfdcdbd266a
SHA1

45deee8360e5af17ca04f4bc0fd2c52ae92eb9f0
SHA256

e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7
SHA512

e2c4f46dcf40b8f03bc9fbe0f0cecf933d2825788b0e9f270e7e7ae8a60174d1b7fc778870aa7ce7ba5cb464f28cc5842d043fc93535921749d186e414f51906
SSDEEP

49152:IF/dnNIXDMIHun5tfySS2wMyw4jVrAGuM2:

Score

10^/10

conti ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through: Our website TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/ HTTPS VERSION : https://contirecovery.click YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP ---BEGIN ID--- gufrazxanJ7rgxARuOTCYpFqVJnyoZuShdALs3PjCnANuWY0pSpb7JFDTaK78q9g ---END ID---

URLs

http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/

https://contirecovery.click

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (7909) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MST7MDT	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\readme.txt	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\readme.txt	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MSTAG.TLB	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00057_.GIF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\VelvetRose.css	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099200.GIF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\VIBE.WAV	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00965_.WMF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITL.ICO	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FORM.JS	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292152.WMF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.INF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01561_.WMF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\readme.txt	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01255G.GIF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18220_.WMF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21503_.GIF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237759.WMF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\THMBNAIL.PNG	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.ELM	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\London	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00439_.WMF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_de.properties	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Matamoros	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\readme.txt	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\readme.txt	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237228.WMF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21330_.GIF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\readme.txt	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\de-DE\readme.txt	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\grvschema.xsd	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie9props.propdesc	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00233_.WMF	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2760	vssvc.exe
Token: SeRestorePrivilege	2760	vssvc.exe
Token: SeAuditPrivilege	2760	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1736	WMIC.exe
Token: SeSecurityPrivilege	1736	WMIC.exe
Token: SeTakeOwnershipPrivilege	1736	WMIC.exe
Token: SeLoadDriverPrivilege	1736	WMIC.exe
Token: SeSystemProfilePrivilege	1736	WMIC.exe
Token: SeSystemtimePrivilege	1736	WMIC.exe
Token: SeProfSingleProcessPrivilege	1736	WMIC.exe
Token: SeIncBasePriorityPrivilege	1736	WMIC.exe
Token: SeCreatePagefilePrivilege	1736	WMIC.exe
Token: SeBackupPrivilege	1736	WMIC.exe
Token: SeRestorePrivilege	1736	WMIC.exe
Token: SeShutdownPrivilege	1736	WMIC.exe
Token: SeDebugPrivilege	1736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1736	WMIC.exe
Token: SeRemoteShutdownPrivilege	1736	WMIC.exe
Token: SeUndockPrivilege	1736	WMIC.exe
Token: SeManageVolumePrivilege	1736	WMIC.exe
Token: 33	1736	WMIC.exe
Token: 34	1736	WMIC.exe
Token: 35	1736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1736	WMIC.exe
Token: SeSecurityPrivilege	1736	WMIC.exe
Token: SeTakeOwnershipPrivilege	1736	WMIC.exe
Token: SeLoadDriverPrivilege	1736	WMIC.exe
Token: SeSystemProfilePrivilege	1736	WMIC.exe
Token: SeSystemtimePrivilege	1736	WMIC.exe
Token: SeProfSingleProcessPrivilege	1736	WMIC.exe
Token: SeIncBasePriorityPrivilege	1736	WMIC.exe
Token: SeCreatePagefilePrivilege	1736	WMIC.exe
Token: SeBackupPrivilege	1736	WMIC.exe
Token: SeRestorePrivilege	1736	WMIC.exe
Token: SeShutdownPrivilege	1736	WMIC.exe
Token: SeDebugPrivilege	1736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1736	WMIC.exe
Token: SeRemoteShutdownPrivilege	1736	WMIC.exe
Token: SeUndockPrivilege	1736	WMIC.exe
Token: SeManageVolumePrivilege	1736	WMIC.exe
Token: 33	1736	WMIC.exe
Token: 34	1736	WMIC.exe
Token: 35	1736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2852	WMIC.exe
Token: SeSecurityPrivilege	2852	WMIC.exe
Token: SeTakeOwnershipPrivilege	2852	WMIC.exe
Token: SeLoadDriverPrivilege	2852	WMIC.exe
Token: SeSystemProfilePrivilege	2852	WMIC.exe
Token: SeSystemtimePrivilege	2852	WMIC.exe
Token: SeProfSingleProcessPrivilege	2852	WMIC.exe
Token: SeIncBasePriorityPrivilege	2852	WMIC.exe
Token: SeCreatePagefilePrivilege	2852	WMIC.exe
Token: SeBackupPrivilege	2852	WMIC.exe
Token: SeRestorePrivilege	2852	WMIC.exe
Token: SeShutdownPrivilege	2852	WMIC.exe
Token: SeDebugPrivilege	2852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2852	WMIC.exe
Token: SeRemoteShutdownPrivilege	2852	WMIC.exe
Token: SeUndockPrivilege	2852	WMIC.exe
Token: SeManageVolumePrivilege	2852	WMIC.exe
Token: 33	2852	WMIC.exe
Token: 34	2852	WMIC.exe
Token: 35	2852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2852	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2808	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	33
PID 1588 wrote to memory of 2808	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	33
PID 1588 wrote to memory of 2808	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	33
PID 1588 wrote to memory of 2808	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	33
PID 2808 wrote to memory of 1736	2808	cmd.exe	35
PID 2808 wrote to memory of 1736	2808	cmd.exe	35
PID 2808 wrote to memory of 1736	2808	cmd.exe	35
PID 1588 wrote to memory of 1668	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	36
PID 1588 wrote to memory of 1668	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	36
PID 1588 wrote to memory of 1668	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	36
PID 1588 wrote to memory of 1668	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	36
PID 1668 wrote to memory of 2852	1668	cmd.exe	38
PID 1668 wrote to memory of 2852	1668	cmd.exe	38
PID 1668 wrote to memory of 2852	1668	cmd.exe	38
PID 1588 wrote to memory of 2620	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	39
PID 1588 wrote to memory of 2620	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	39
PID 1588 wrote to memory of 2620	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	39
PID 1588 wrote to memory of 2620	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	39
PID 2620 wrote to memory of 2672	2620	cmd.exe	41
PID 2620 wrote to memory of 2672	2620	cmd.exe	41
PID 2620 wrote to memory of 2672	2620	cmd.exe	41
PID 1588 wrote to memory of 3048	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	42
PID 1588 wrote to memory of 3048	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	42
PID 1588 wrote to memory of 3048	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	42
PID 1588 wrote to memory of 3048	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	42
PID 3048 wrote to memory of 3068	3048	cmd.exe	44
PID 3048 wrote to memory of 3068	3048	cmd.exe	44
PID 3048 wrote to memory of 3068	3048	cmd.exe	44
PID 1588 wrote to memory of 664	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	45
PID 1588 wrote to memory of 664	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	45
PID 1588 wrote to memory of 664	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	45
PID 1588 wrote to memory of 664	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	45
PID 664 wrote to memory of 2948	664	cmd.exe	47
PID 664 wrote to memory of 2948	664	cmd.exe	47
PID 664 wrote to memory of 2948	664	cmd.exe	47
PID 1588 wrote to memory of 2036	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	48
PID 1588 wrote to memory of 2036	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	48
PID 1588 wrote to memory of 2036	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	48
PID 1588 wrote to memory of 2036	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	48
PID 2036 wrote to memory of 2696	2036	cmd.exe	50
PID 2036 wrote to memory of 2696	2036	cmd.exe	50
PID 2036 wrote to memory of 2696	2036	cmd.exe	50
PID 1588 wrote to memory of 2944	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	51
PID 1588 wrote to memory of 2944	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	51
PID 1588 wrote to memory of 2944	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	51
PID 1588 wrote to memory of 2944	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	51
PID 2944 wrote to memory of 2676	2944	cmd.exe	53
PID 2944 wrote to memory of 2676	2944	cmd.exe	53
PID 2944 wrote to memory of 2676	2944	cmd.exe	53
PID 1588 wrote to memory of 3024	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	54
PID 1588 wrote to memory of 3024	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	54
PID 1588 wrote to memory of 3024	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	54
PID 1588 wrote to memory of 3024	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	54
PID 3024 wrote to memory of 1780	3024	cmd.exe	56
PID 3024 wrote to memory of 1780	3024	cmd.exe	56
PID 3024 wrote to memory of 1780	3024	cmd.exe	56
PID 1588 wrote to memory of 2552	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	57
PID 1588 wrote to memory of 2552	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	57
PID 1588 wrote to memory of 2552	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	57
PID 1588 wrote to memory of 2552	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	57
PID 2552 wrote to memory of 2192	2552	cmd.exe	59
PID 2552 wrote to memory of 2192	2552	cmd.exe	59
PID 2552 wrote to memory of 2192	2552	cmd.exe	59
PID 1588 wrote to memory of 1924	1588	520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{251043BE-D219-4D0C-82D2-93D40ADB5A8B}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{251043BE-D219-4D0C-82D2-93D40ADB5A8B}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E946A539-2E4F-4797-8E93-660E42DDB7DD}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E946A539-2E4F-4797-8E93-660E42DDB7DD}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{545ACC47-648B-4791-92EE-87FDADC945DB}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{545ACC47-648B-4791-92EE-87FDADC945DB}'" delete
    3⤵
    PID:2672
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E65AB81-3BFF-4DCE-B5B3-5058AD365F7C}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E65AB81-3BFF-4DCE-B5B3-5058AD365F7C}'" delete
    3⤵
    PID:3068
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{041C2284-81E0-4527-9C49-2EA679A08023}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{041C2284-81E0-4527-9C49-2EA679A08023}'" delete
    3⤵
    PID:2948
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4C6D4BEA-50A9-4CE4-A760-2C122FA131E1}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4C6D4BEA-50A9-4CE4-A760-2C122FA131E1}'" delete
    3⤵
    PID:2696
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3B135599-A196-498D-B5FD-D31F2598D376}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3B135599-A196-498D-B5FD-D31F2598D376}'" delete
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CAC5169F-BAA7-4FC2-A7D8-AABB40338D42}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CAC5169F-BAA7-4FC2-A7D8-AABB40338D42}'" delete
    3⤵
    PID:1780
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE10663E-8D07-492B-B5E0-386C27706DB9}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EE10663E-8D07-492B-B5E0-386C27706DB9}'" delete
    3⤵
    PID:2192
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4488BBB3-ED7C-44B1-ADB5-A722F9B538FC}'" delete
  2⤵
  PID:1924
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4488BBB3-ED7C-44B1-ADB5-A722F9B538FC}'" delete
    3⤵
    PID:2204
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{504ECF7F-0DC7-4614-8789-5F02C2A5ADD4}'" delete
  2⤵
  PID:2372
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{504ECF7F-0DC7-4614-8789-5F02C2A5ADD4}'" delete
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F6DE48C-C1A9-4EA7-BD9C-FBAB2746F635}'" delete
  2⤵
  PID:2088
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1F6DE48C-C1A9-4EA7-BD9C-FBAB2746F635}'" delete
    3⤵
    PID:756
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A572FBE4-DF46-4311-9871-4577566CC0DD}'" delete
  2⤵
  PID:2084
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A572FBE4-DF46-4311-9871-4577566CC0DD}'" delete
    3⤵
    PID:1308
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3C383903-035F-40B6-BF2E-A2287D96DC7D}'" delete
  2⤵
  PID:448
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3C383903-035F-40B6-BF2E-A2287D96DC7D}'" delete
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{265B38BC-CFCD-4F84-BB5A-D03515CDD138}'" delete
  2⤵
  PID:1552
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{265B38BC-CFCD-4F84-BB5A-D03515CDD138}'" delete
    3⤵
    PID:952
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1916B8D1-CAEB-45EB-8C89-96BAD47976C1}'" delete
  2⤵
  PID:1856
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1916B8D1-CAEB-45EB-8C89-96BAD47976C1}'" delete
    3⤵
    PID:688
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{29E43122-4A9A-401D-9426-E48474C4881E}'" delete
  2⤵
  PID:1544
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{29E43122-4A9A-401D-9426-E48474C4881E}'" delete
    3⤵
    PID:2428
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E1217FE-A367-456E-8F90-D094F4864870}'" delete
  2⤵
  PID:1976
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E1217FE-A367-456E-8F90-D094F4864870}'" delete
    3⤵
    PID:2464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
867B

MD5
0e1b5789055ef20f16251ac1358b8b27

SHA1
70f73dbf8592e379d7b2c702d77d0d41cc516016

SHA256
651bb8f94deeabeddfa0685742425902ae1a2fce599d0f7d20979832eb2b5080

SHA512
e3d38553e076fda1da0474854493ac05342ed248187512f7e26335c608b05a25f514ae8e9006319c5da6d0c97a4bc93182a51e1f37a9b713378604db8ada067a

Download Submit
memory/1588-17573-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17585-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17572-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-2-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-12282-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17567-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17569-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17571-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-9-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17575-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17574-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17576-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17577-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17579-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17582-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17581-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-17583-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download
memory/1588-0-0x00000000005D0000-0x00000000009E0000-memory.dmp

Filesize
4.1MB

Download