cerber | b6cb0ed4ec3397234c1f67bef483ee62f45ca9d1becca3fa0c9fcbe3642acf9a

Analysis

max time kernel
132s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
Size

271KB
MD5

f1a79f9cba710bf8cc11122d6999d66d
SHA1

3756af4d51bb0511e5ef4319eaf7720b4c73194b
SHA256

b6cb0ed4ec3397234c1f67bef483ee62f45ca9d1becca3fa0c9fcbe3642acf9a
SHA512

3394ad10858ec3161c2e084f79a22ce74d6c1102581af4ef6576ec78eabe82fc9f5ee6c248d1389927a983c4385e905a5c559d711100bd391b6b80f76943c8ed
SSDEEP

6144:Kn/L+GOm9pZ9rBzo/pwwIIg8I32PkFVEXS:0zOm9r99/8y2PSaS

Score

10^/10

cerber defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\README.hta

Ransom Note

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>CERBER RANSOMWARE - Instructions</title><HTA:APPLICATION APPLICATIONNAME="Cerber Ransomware - Instructions"SCROLL="yes"SINGLEINSTANCE="yes"WINDOWSTATE="maximize"><style>a {color: #04a;text-decoration: none;}a:hover {text-decoration: underline;}body {background-color: #e7e7e7;color: #222;font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;font-size: 13pt;line-height: 19pt;}body, h1 {margin: 0;padding: 0;}h1 {color: #555;font-size: 14pt;}hr {color: #bda;margin: 1.5%;}ol {padding-left: 2.5%;}ol li {padding-bottom: 13pt;}small {color: #555;font-size: 11pt;}ul {list-style-type: none;margin: 0;padding: 0;}.button {color: #04a;cursor: pointer;}.button:hover {text-decoration: underline;}.container {background-color: #fff;border: 2pt solid #c7c7c7;margin: 2.5%;min-width: 850px;padding: 2.5%;}.header {border-bottom: 2pt solid #c7c7c7;margin-bottom: 2.5%;padding-bottom: 2.5%;}.info {background-color: #efe;border: 2pt solid #bda;display: inline-block;padding: 1.5%;text-align: center;}.updating {color: red;display: none;}#change_language {float: right;}#change_language, #texts div {display: none;}</style></head><body><div class="container"><div class="header"><a href="#" id="change_language" onclick="return changeLanguage();" title="English">☑ English</a><h1>CERBER RANSOMWARE</h1>Instructions</div><div id="languages">☑ Select your language<ul><li><a href="#" title="English" onclick="return showBlock('en');">English</a></li><li><a href="#" title="Arabic" onclick="return showBlock('ar');">العربية</a></li><li><a href="#" title="Chinese" onclick="return showBlock('zh');">中文</a></li><li><a href="#" title="Dutch" onclick="return showBlock('nl');">Nederlands</a></li><li><a href="#" title="French" onclick="return showBlock('fr');">Français</a></li><li><a href="#" title="German" onclick="return showBlock('de');">Deutsch</a></li><li><a href="#" title="Italian" onclick="return showBlock('it');">Italiano</a></li><li><a href="#" title="Japanese" onclick="return showBlock('ja');">日本語</a></li><li><a href="#" title="Korean" onclick="return showBlock('ko');">한국어</a></li><li><a href="#" title="Polish" onclick="return showBlock('pl');">Polski</a></li><li><a href="#" title="Portuguese" onclick="return showBlock('pt');">Português</a></li><li><a href="#" title="Spanish" onclick="return showBlock('es');">Español</a></li><li><a href="#" title="Turkish" onclick="return showBlock('tr');">Türkçe</a></li></ul></div><div id="texts"><div id="en">Can't you find the necessary files? Is the content of your files not readable?It is normal because the files' names and the data in your files have been encrypted by "Cerber Ransomware".It means your files are NOT damaged! Your files are modified only. This modification is reversible. From now it is not possible to use your files until they will be decrypted.The only way to decrypt your files safely is to buy the special decryption software "Cerber Decryptor".Any attempts to restore your files with the third-party software will be fatal for your files!<hr>You can proceed with purchasing of the decryption software at your personal page:Please wait...<a class="url" href="http://xrhwryizf5mui7a5.2eu9zl.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.2eu9zl.bid/006E-D6E3-ABF5-0446-75B3</a><hr><a href="http://xrhwryizf5mui7a5.wasf56.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.wasf56.bid/006E-D6E3-ABF5-0446-75B3</a><hr><a href="http://xrhwryizf5mui7a5.e2yzfi.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.e2yzfi.bid/006E-D6E3-ABF5-0446-75B3</a>If this page cannot be opened  click here  to generate a new address to your personal page.At this page you will receive the complete instructions how to buy the decryption software for restoring all your files.Also at this page you will be able to restore any one file for free to be sure "Cerber Decryptor" will help you.<hr>If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor Browser:<ol><li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li><li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li><li>wait for the site loading;</li><li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li><li>run Tor Browser;</li><li>connect with the button "Connect" (if you use the English version);</li><li>a normal Internet browser window will be opened after the initialization;</li><li>type or copy the address http://xrhwryizf5mui7a5.onion/006E-D6E3-ABF5-0446-75B3 in this browser address bar;</li><li>press ENTER;</li><li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li></ol>If you have any problems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.<hr>Additional information:You will find the instructions ("*.hta") for restoring your files in any folder with your encrypted files.The instructions ("*.hta") in the folders with your encrypted files are not viruses, the instructions ("*.hta") will help you to decrypt your files.Remember the worst situation already happened and now the future of your files depends on your determination and speed of your actions.</div><div id="ar" style="direction: rtl;">لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware".وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها.الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor".إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك!<hr>يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية:أرجو الإنتظار...<a class="url" href="http://xrhwryizf5mui7a5.2eu9zl.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.2eu9zl.bid/006E-D6E3-ABF5-0446-75B3</a><hr><a href="http://xrhwryizf5mui7a5.wasf56.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.wasf56.bid/006E-D6E3-ABF5-0446-75B3</a><hr><a href="http://xrhwryizf5mui7a5.e2yzfi.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.e2yzfi.bid/006E-D6E3-ABF5-0446-75B3</a>في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية.في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك.في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك.<hr>إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor:<ol><li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li><li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li><li>انتظر لتحميل الموقع;</li><li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li><li>قم بتشغيل متصفح Tor;</li><li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li><li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li><li>قم بكتابة أو نسخ العنوان http://xrhwryizf5mui7a5.onion/006E-D6E3-ABF5-0446-75B3 في شريط العنوان في المتصفح;</li><li>اضغط ENTER;</li><li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li></ol>إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه.<hr>معلومات إضافية:سوف تجد إرشادات استعادة الملفات الخاصة بك ("*.hta") في أي مجلد مع ملفاتك المشفرة.الإرشادات ("*.hta") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*.hta") سوف تساعدك على فك تشفير الملفات الخاصة بك.تذكر أن أسوأ موقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك.</div><div id="zh">您找不到所需的文件？ 您文件的内容无法阅读？这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。这意味着您的文件并没有损坏！您的文件只是被修改了，这个修改是可逆的，解密之前您无法使用您的文件。安全解密您文件的唯一方式是购买特别的解密软件“Cerber Decryptor”。任何使用第三方软件恢复您文件的方式对您的文件来说都将是致命的！<hr>您可以在您的个人页面上购买解密软件：请稍候...<a class="url" href="http://xrhwryizf5mui7a5.2eu9zl.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.2eu9zl.bid/006E-D6E3-ABF5-0446-75B3</a><hr><a href="http://xrhwryizf5mui7a5.wasf56.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.wasf56.bid/006E-D6E3-ABF5-0446-75B3</a><hr><a href="http://xrhwryizf5mui7a5.e2yzfi.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.e2yzfi.bid/006E-D6E3-ABF5-0446-75B3</a>如果这个页面无法打开，请 点击这里 生成您个人页面的新地址。您将在这个页面上看到如何购买解密软件以恢复您的文件。您可以在这个页面使用“Cerber Decryptor”免费恢复任何文件。<hr>如果您的个人页面长期不可用，有其他方法可以打开您的个人页面 - 安装并使用 Tor 浏览器：<ol><li>使用您的上网浏览器（如果您不知道使用 Internet Explorer 的话）；</li><li>在浏览器的地址栏输入或复制地址 <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> 并按 ENTER 键；</li><li>等待站点加载；</li><li>您将在站点上下载 Tor 浏览器；下载并运行它，按照安装指南进行操作，等待直至安装完成；</li><li>运行 Tor 浏览器；</li><li>使用“Connect”按钮进行连接（如果您使用英文版）；</li><li>初始化之后将打开正常的上网浏览器窗口；</li><li>在浏览器地址栏中输入或复制地址 http://xrhwryizf5mui7a5.onion/006E-D6E3-ABF5-0446-75B3</li><li>按 ENTER 键；</li><li>该站点将加载；如果由于某些原因等待一会儿后没有加载，请重试。</li></ol>如果在安装期间或使用 Tor 浏览器期间有任何问题，请访问 <a href="https://www.baidu.com/s?wd=%E6%80%8E%E4%B9%88%E5%AE%89%E8%A3%85%20tor%20%E6%B5%8F%E8%A7%88%E5%99%A8" target="_blank">https://www.baidu.com</a> 并在搜索栏中输入“怎么安装 Tor 浏览器”，您将找到有关如何安装洋葱 Tor 浏览器的说明和教程。<hr>附加信息：您将在任何带有加密文件的文件夹中找到恢复您文件(“*.hta”)的说明。带有加密文件的文件夹中的(“*.hta”)说明不是病毒，(“*.hta”)说明将帮助您解密您的文件。请记住，最坏的情况都发生过了，您的文件还能不能用取决于您的决定和反应速度。</div><div id="nl">Kunt u de nodige files niet vinden? Is de inhoud van uw bestanden niet leesbaar?Het is gewoonlijk omdat de bestandsnamen en de gegevens in uw bestanden zijn versleuteld door “Cerber Ransomware”.Het betekent dat uw bestanden NIET beschadigd zijn! Uw bestanden zijn alleen gewijzigd. Deze wijziging is omkeerbaar. Vanaf nu is het niet mogelijk uw bestanden te gebruiken totdat ze ontsleuteld zijn.De enige manier om uw bestanden veilig te ontsleutelen is door de speciale ontsleutel-software “Cerber Decryptor” te kopen.Elke poging om uw bestanden te herstellen met software van een derde partij zal fataal zijn voor uw bestanden!<hr>U kunt op uw persoonlijke pagina de ontsleutel-software kopen:Even geduld aub...<a class="url" href="http://xrhwryizf5mui7a5.2eu9zl.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.2eu9zl.bid/006E-D6E3-ABF5-0446-75B3</a><hr><a href="http://xrhwryizf5mui7a5.wasf56.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.wasf56.bid/006E-D6E3-ABF5-0446-75B3</a><hr><a href="http://xrhwryizf5mui7a5.e2yzfi.bid/006E-D6E3-ABF5-0446-75B3" target="_blank">http://xrhwryizf5mui7a5.e2yzfi.bid/006E-D6E3-ABF5-0446-75B3</a>Als deze pagina niet geopend kan worden  klik dan hier  om een nieuw adres aan uw persoonlijke pagina toe te voegen.Op deze pagina zult u de complete instructies ontvangen hoe u de ontsleutel-software kunt kopen om al uw bestanden te herstellen.Op deze pagina kunt u ook één file gratis herstellen om u ervan te verzekeren dat “Cerber Decryptor” u zal helpen.<hr>Als uw persoonlijke pagina langere tijd niet beschikbaar is, is er een andere manier om uw persoonlijke pagina te openen – het installeren en gebruiken van Tor Browser:

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Contacts a large (526) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

pid	Process
3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpEE14.bmp"	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 4408	3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	88

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\README.hta	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1372	PING.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
1504	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1372	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4356	WMIC.exe
Token: SeSecurityPrivilege	4356	WMIC.exe
Token: SeTakeOwnershipPrivilege	4356	WMIC.exe
Token: SeLoadDriverPrivilege	4356	WMIC.exe
Token: SeSystemProfilePrivilege	4356	WMIC.exe
Token: SeSystemtimePrivilege	4356	WMIC.exe
Token: SeProfSingleProcessPrivilege	4356	WMIC.exe
Token: SeIncBasePriorityPrivilege	4356	WMIC.exe
Token: SeCreatePagefilePrivilege	4356	WMIC.exe
Token: SeBackupPrivilege	4356	WMIC.exe
Token: SeRestorePrivilege	4356	WMIC.exe
Token: SeShutdownPrivilege	4356	WMIC.exe
Token: SeDebugPrivilege	4356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4356	WMIC.exe
Token: SeRemoteShutdownPrivilege	4356	WMIC.exe
Token: SeUndockPrivilege	4356	WMIC.exe
Token: SeManageVolumePrivilege	4356	WMIC.exe
Token: 33	4356	WMIC.exe
Token: 34	4356	WMIC.exe
Token: 35	4356	WMIC.exe
Token: 36	4356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4356	WMIC.exe
Token: SeSecurityPrivilege	4356	WMIC.exe
Token: SeTakeOwnershipPrivilege	4356	WMIC.exe
Token: SeLoadDriverPrivilege	4356	WMIC.exe
Token: SeSystemProfilePrivilege	4356	WMIC.exe
Token: SeSystemtimePrivilege	4356	WMIC.exe
Token: SeProfSingleProcessPrivilege	4356	WMIC.exe
Token: SeIncBasePriorityPrivilege	4356	WMIC.exe
Token: SeCreatePagefilePrivilege	4356	WMIC.exe
Token: SeBackupPrivilege	4356	WMIC.exe
Token: SeRestorePrivilege	4356	WMIC.exe
Token: SeShutdownPrivilege	4356	WMIC.exe
Token: SeDebugPrivilege	4356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4356	WMIC.exe
Token: SeRemoteShutdownPrivilege	4356	WMIC.exe
Token: SeUndockPrivilege	4356	WMIC.exe
Token: SeManageVolumePrivilege	4356	WMIC.exe
Token: 33	4356	WMIC.exe
Token: 34	4356	WMIC.exe
Token: 35	4356	WMIC.exe
Token: 36	4356	WMIC.exe
Token: SeBackupPrivilege	4308	vssvc.exe
Token: SeRestorePrivilege	4308	vssvc.exe
Token: SeAuditPrivilege	4308	vssvc.exe
Token: 33	4084	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4084	AUDIODG.EXE
Token: SeDebugPrivilege	1504	taskkill.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 4408	3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	88
PID 3056 wrote to memory of 4408	3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	88
PID 3056 wrote to memory of 4408	3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	88
PID 3056 wrote to memory of 4408	3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	88
PID 3056 wrote to memory of 4408	3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	88
PID 3056 wrote to memory of 4408	3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	88
PID 3056 wrote to memory of 4408	3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	88
PID 3056 wrote to memory of 4408	3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	88
PID 3056 wrote to memory of 4408	3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	88
PID 3056 wrote to memory of 4408	3056	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	88
PID 4408 wrote to memory of 3244	4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	91
PID 4408 wrote to memory of 3244	4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	91
PID 3244 wrote to memory of 4356	3244	cmd.exe	93
PID 3244 wrote to memory of 4356	3244	cmd.exe	93
PID 4408 wrote to memory of 2064	4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	99
PID 4408 wrote to memory of 2064	4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	99
PID 4408 wrote to memory of 2064	4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	99
PID 4408 wrote to memory of 3756	4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	100
PID 4408 wrote to memory of 3756	4408	f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe	100
PID 3756 wrote to memory of 1504	3756	cmd.exe	102
PID 3756 wrote to memory of 1504	3756	cmd.exe	102
PID 3756 wrote to memory of 1372	3756	cmd.exe	104
PID 3756 wrote to memory of 1372	3756	cmd.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic.exe shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4356
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2064
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1504
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4dc 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nscA643.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Roaming\Arrays.dll

Filesize
102KB

MD5
53b475200fd923b7dee70ea8b213b096

SHA1
6f6c4a51f57cde10a00523fd1e5c6b8941c11f8a

SHA256
43e3d1893e027ce4858e5ffcdd1eebf66d3d63a8468a9cd321faeefa6f2a7ad5

SHA512
3f040a619b5fabe3fe2d6d98c5e627464e7e2c75dc633da6402549c6513805ba65ac0263f2450563b1191fe0baa74650eacb187dc11a32d0f33927ab9c354b1e

Download Submit
C:\Users\Admin\AppData\Roaming\chunker.output.doctype-system.xml

Filesize
1KB

MD5
506b088bd66478ee8fc5234cdee784f9

SHA1
91abc3a8c09b03ae31a9fae614c0604f09c1a9ad

SHA256
4b076e639a30056e2ffa6f3e5002ca3c754cdcdcde101ef89605b263b8ccf4c1

SHA512
9372df2806c5e2e5b332bf71df480d52ebea640ddf532a32a732589c744011cacbbc0ef944c6138ee9ffb3b7a0a47751d29498da23a3fcb9c59f422bfa9f52e6

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\README.hta

Filesize
60KB

MD5
9f8b57116c369e958e266270dc8dc3a3

SHA1
c3edacd58fd640c30e79a40b00f927d828d82bef

SHA256
39b6ff4f0eea07492f79198ae0d531c4a1e0b03676c67523123b2d954198c590

SHA512
8fd38006264e33e6a6389af6e7bde1638e64c7ab0a7d7b90c455bc5274e6269bce56c2dad4e7373f5477f712e30bde94aaf62002acb2896a69d8af4a34d54ced

Download Submit
memory/3056-23-0x0000000063180000-0x000000006319E000-memory.dmp

Filesize
120KB

Download
memory/4408-719-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-725-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-33-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-34-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-35-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-41-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-40-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-28-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-518-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-713-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-716-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-26-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-722-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-27-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-728-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-731-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-734-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-737-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-740-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-743-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-747-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-22-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-750-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-753-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-756-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-759-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-765-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4408-770-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download