Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
01-09-2024 01:13
Behavioral task
behavioral1
Sample
cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe
Resource
win7-20240704-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral2
Sample
cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe
-
Size
340KB
-
MD5
cdef94301bd9049d387924f0318b6f1d
-
SHA1
013b1669b76cd0dd4a1ac4863c0158b6e431f626
-
SHA256
fe0504bc55b176b0e70a8ff2bd0f1fa7c23335143e4379e2e3348e0f35cb2e0a
-
SHA512
b9eb76333a779c0d47e10e498131fa1a9fae4b11b950e14760b7528e5dce58a47f4261e44cd4af9299092c6e912171aca25f77220c7900f228d00f8300123ed6
-
SSDEEP
6144:N30Rq/yK6pDv9X18shucxq8TKRpnKzuiSNv2Airkda34ekFiWUrvhwjVg0n2WmB8:R0RQZ6pDN18KTKRpnK2Irkdc4ekIWUrG
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\_READ_THI$_FILE_SAKFAX4_.txt
Ransom Note
-----
!!! CERBER RANSOMWARE !!!
-----
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED
-----
The only way to decrypt your files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder,
inside there is the special file (*_READ_THIS_FILE_*) with complete instructions
how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://p27dokhpz2n7nvgr.onion/FB60-DD9B-EC95-0091-B8CA
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.1ms2rx.top/FB60-DD9B-EC95-0091-B8CA
2. http://p27dokhpz2n7nvgr.1j2ien.top/FB60-DD9B-EC95-0091-B8CA
3. http://p27dokhpz2n7nvgr.1nhkou.top/FB60-DD9B-EC95-0091-B8CA
4. http://p27dokhpz2n7nvgr.1a7wnt.top/FB60-DD9B-EC95-0091-B8CA
5. http://p27dokhpz2n7nvgr.1czh7o.top/FB60-DD9B-EC95-0091-B8CA
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs
http://p27dokhpz2n7nvgr.onion/FB60-DD9B-EC95-0091-B8CA
http://p27dokhpz2n7nvgr.1ms2rx.top/FB60-DD9B-EC95-0091-B8CA
http://p27dokhpz2n7nvgr.1j2ien.top/FB60-DD9B-EC95-0091-B8CA
http://p27dokhpz2n7nvgr.1nhkou.top/FB60-DD9B-EC95-0091-B8CA
http://p27dokhpz2n7nvgr.1a7wnt.top/FB60-DD9B-EC95-0091-B8CA
http://p27dokhpz2n7nvgr.1czh7o.top/FB60-DD9B-EC95-0091-B8CA
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Blocklisted process makes network request 5 IoCs
flow pid Process 2181 1640 mshta.exe 2184 1640 mshta.exe 2186 1640 mshta.exe 2188 1640 mshta.exe 2190 1640 mshta.exe -
Contacts a large (1097) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2744 netsh.exe 2964 netsh.exe -
Deletes itself 1 IoCs
pid Process 1276 cmd.exe -
Drops startup file 1 IoCs
description ioc Process File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/1604-0-0x0000000000BB0000-0x0000000000BFC000-memory.dmp upx behavioral1/memory/1604-1-0x0000000000BB0000-0x0000000000BFC000-memory.dmp upx behavioral1/memory/1604-2-0x0000000000BB0000-0x0000000000BFC000-memory.dmp upx behavioral1/memory/1604-5-0x0000000000BB0000-0x0000000000BFC000-memory.dmp upx -
Drops file in System32 directory 38 IoCs
description ioc Process File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1604 set thread context of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 -
Drops file in Program Files directory 20 IoCs
description ioc Process File opened for modification \??\c:\program files\ cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\ cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\bitcoin cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\microsoft\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\microsoft\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\microsoft\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\microsoft\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\steam cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\microsoft\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\thunderbird cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\microsoft\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\the bat! cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\steam cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\documents cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\desktop cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\ cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\desktop cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\documents cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1616 PING.EXE -
Kills process with taskkill 1 IoCs
pid Process 2196 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1616 PING.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe Token: SeDebugPrivilege 2196 taskkill.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 1604 wrote to memory of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 PID 1604 wrote to memory of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 PID 1604 wrote to memory of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 PID 1604 wrote to memory of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 PID 1604 wrote to memory of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 PID 1604 wrote to memory of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 PID 1604 wrote to memory of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 PID 1604 wrote to memory of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 PID 1604 wrote to memory of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 PID 1604 wrote to memory of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 PID 1604 wrote to memory of 2692 1604 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 31 PID 2692 wrote to memory of 2744 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 32 PID 2692 wrote to memory of 2744 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 32 PID 2692 wrote to memory of 2744 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 32 PID 2692 wrote to memory of 2744 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 32 PID 2692 wrote to memory of 2964 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 34 PID 2692 wrote to memory of 2964 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 34 PID 2692 wrote to memory of 2964 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 34 PID 2692 wrote to memory of 2964 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 34 PID 2692 wrote to memory of 1640 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 37 PID 2692 wrote to memory of 1640 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 37 PID 2692 wrote to memory of 1640 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 37 PID 2692 wrote to memory of 1640 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 37 PID 2692 wrote to memory of 1660 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 38 PID 2692 wrote to memory of 1660 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 38 PID 2692 wrote to memory of 1660 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 38 PID 2692 wrote to memory of 1660 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 38 PID 2692 wrote to memory of 1276 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 39 PID 2692 wrote to memory of 1276 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 39 PID 2692 wrote to memory of 1276 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 39 PID 2692 wrote to memory of 1276 2692 cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe 39 PID 1276 wrote to memory of 2196 1276 cmd.exe 41 PID 1276 wrote to memory of 2196 1276 cmd.exe 41 PID 1276 wrote to memory of 2196 1276 cmd.exe 41 PID 1276 wrote to memory of 2196 1276 cmd.exe 41 PID 1276 wrote to memory of 1616 1276 cmd.exe 43 PID 1276 wrote to memory of 1616 1276 cmd.exe 43 PID 1276 wrote to memory of 1616 1276 cmd.exe 43 PID 1276 wrote to memory of 1616 1276 cmd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Users\Admin\AppData\Local\Temp\cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe2⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2744
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2964
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_7WTGAC_.hta"3⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1640
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_SAKFAX4_.txt3⤵
- System Location Discovery: System Language Discovery
PID:1660
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "cdef94301bd9049d387924f0318b6f1d_JaffaCakes118.exe"4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1616
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
75KB
MD5453ef3b0e1d5a91d61a82d82c07ea73b
SHA170597e81a8c7bc3fe084bd514ec0db7e68708566
SHA25669fc53da4ee7d6000fadb07c3e129987c49f43a4c40fd151a194a0e81ce407b7
SHA512a6fd1c2d9828f7e78029ff00b3771972d66fbf71e14ebc57baa2c39adf19c7d5f18f4a94ca6074c14305493342bb681554859656dec62b9ec7161f3d6e8ac537
-
Filesize
1KB
MD534cf56f52750f6588281323dc42b5224
SHA1645e92fca1b7228195fa3a789be3968c38832d94
SHA256cf677d58e7b8bca23ab822f02b364a95d056fc10b8a151a86ed4e50d63ab5bfe
SHA51203110f82164a74ad5dc4a3eef9fd1f4598e2640567c7a055e1bfe2ebb8e49996588ae8446755f236570d74913188e3165bdfce3cc954e291f9a8e36ef9374065