exorcist | ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097

Analysis

max time kernel
129s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Size

68KB
MD5

f269d24544e8bb4cb82680bb396a5f1b
SHA1

8283f4266a7782308b04a3d03c8b13a38eefaa61
SHA256

ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097
SHA512

c22f51697316c4d29e4b4ef817a1c73d4681fc02b0a2b0fee01e2aaf065d6a3aa04b7defc366cea012a723e600bd80a12083d54bb0907fa0b4cf6f12c41e68d1
SSDEEP

1536:7ufJPTAoUei1obcxtZbW3BqlIS2IyUY4h2wEsOolJT+y9F:7upTAneif03BqarUY4l

Score

10^/10

exorcist defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\DECRYPT-ejaJxB-decrypt.hta

Ransom Note

<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>ejaJxB Decrypt</title><style type="text/css">body { text-align: center; background: rgb(192, 176, 176); color: black; font-family: Arial, Helvetica, sans-serif; font-size: 14pt;}a { cursor: pointer; color: rgb(68, 68, 68);}textarea { width: 90%; height: 200px; background: black; color: white; border: 1px solid black; font-size: 12pt; font-weight: bold;}</style></head><body><h1>ejaJxB Decrypt</h1><h3>All your data has been encrypted with Exorcist 2.0 Ransomware.</h3><h3>Do not worry: you have some hours to contact us and decrypt your data by paying a ransom.</h3><h3>If you don't pay in time, price will be increased. Then, if the payment is still not received, your keys will be destroyed.</h3><h3>To do this, install Tor Browser (here: <a href='https://www.torproject.org/download/'>https://www.torproject.org/download/</a>) and follow instructions on this web site: <a href='http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/'>http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/</a></h3><h3>IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data!</h3><hr><h2>Your authorization key:</h2><textarea readonly>i0knP+Q7tugIBD25IyvkTo4vYmNJJWiS5VwPcHqluyirHasGEijODow/tK38hYW5 8t0o17SN4Yihgw/v+CdBhw6Z0RsBEYCUNzD6jK9H7ZylhsL9U8KOtD9usFkqEZyy /j8U3KRyv1VBMoAIX5ttHtIqvHhbNOGxxvIbJwbu31AXr3RWSirjy69pYqbGKMNw bzE80swjkPHBgYRRxF9JuCi7+S6l1gwCrcbAI+WF/HholwD/rKQgOgm2hJAw29qf +yNXcFALUYHThcDZ3OTbf3Y3qDTlFe+ujupFFytmu00PuKQEFM8L4nmI77rSR3cY xVj3NI8qcLLke0TI/mRnPXDihqbW8jeM4u7CqU5wHPnUjakzoPtv4rBfxqRtCH7y 48yYzUu/KnMt9rCSAUTFz7/SGTHSxM6j6KWa8eljX0kLtWKcxss1XswGgwY2cObB LQvc50yWhTl630tNqFSNggheqnW+dLEZYpxZhbRyvN0wOgi6KmFg9r5z/JBUJink 4IDk6ENKRaj6nV+L5kYucuA/65ok4WYjRGQeI1+poyKqlRf7Z5eE1TSjx6uVPmCq hArBZwekxoHmrdJHPFdLe6H/BKhk/YthyfXKZ46xypoDPDk3CI07MnJmBgPoBUdu +WgCETHSq2sNt4KVJFkNHpizmMGtcXR1RiUU5SHBfUfWKrBX4Iv0R4uugz6HgBfU WtXoi1KfO2kwGdAzxV2DcBNLMPHowcTltRwePx8TfEspeomREhZaYcY8VZ/NRpdH 2OXc2VIn7TOHxwgCZaSiFoAW9w4JKGdUxj1Ee0f6spVMygfmMtbfPHk2fwfgMD+Z ZQ8QPZxY34VVIxn+ysn7dPOSEvOSLNKMJIGKps52aDppKBQ2n4W4BgIXED94INjG mzUVZxOTDHqnr/TcKSVIPIrwY3BVHprgH9dhu3VFagt5At2d6XZT+ntfJ3lyqczZ vlGm0w4kW+MZUhutQi95VNqHUlvG1mefYav/6AKrk/ZlQuQL90sTDenX04kOdk7I qHoZ1ZFk2cJApm3dx+E+08JtF5nUeloPA8cR4iCdtDrbosbWLgt55SiEV++e0JoK Q9Z3t+KWV26PB1UV6R++UfwVzEFG9bI2c90xXJg3x1O8T309EwYrFKWmjuwuyScn tWptvXvlaDfF460EL5iOajmkiLooZmvy7PQ0d3jGI1ANq71+ogKecOjoi0OcZINE n9LEJMnyqfIVI0lhDdiBBCRPhgas8p9Cm9Jcb8QpyDAgvrrMFsnr/KRfDyerfOua Nelg1Kpwl0yPgecAoDjJHY38iywbF8F30i93zBcaE16N9JBV82dcR/7LOyf/7s9Q DtTtrdgKXbP96xCx1BEO5Ou+0DyBJowUzA76xuIv9uJXzlqxVuiPtNJyZGryBXD/ EEF+4/4vzEapybXh8rEK39fO+hp/MQflcedcwAsXejHLlJ4nsNFUqYGZRWwH54h5 YOTeP0KrciyN6teWgEtG7YH74OO8vfLqsS4wheeyur4fNqG8lIodhRcaeXbOwOqL Z7QYyeZCN0JxW/ApgHWRAavI9nWLS2i0lOdsUcJikjLl5d0rKF8xeNzi9RESC20D qivq8cALdMC49OurtKv16iK7PEN2gq2+trxzBTHhxIuISxn5Eqreh9zJjHznASXa XqIRz8XJQu6297AbSSXetJ27V+6sCxLxB5kipDyxcqjtlb7l5rHnLozted1wDBD8 63lQh7JoyLQiWo41wsLIQ6auepD5jQX1qfv//9RMNOX8AFvL6KdQ6Ss1FOiklfVz wmA3R3K9TihFE/wR3KnqMDviGqCDQIfiEzcEbeH47Nbzzv8ZIjml3s0HJsf7T9CV HBRzoK92IGHI7b45tGy7pZE1kWxx5slwLzYyXu3oWTaLOEogc7HHXqB9zdEvMCqF aoTmi//JIfKoVLbZRHndNizyoc7b8vikOoSfG11iSAxWbygbprW94oPN5gaoHebH +PncCPM317QHDnyqwykCiGzTRbBz1z/efau6d7Xuwz9c4hsxQmNi7Kp6CLTPBb+s GMxieOiHyYnLpERbpVkqYO5A15LjKNqnIhrCNpRh8Ex8wo5Z26/8fOfC44YRMs2y 9g+JTcBuPmD60B7wiJ1/pIm8aI1d4nTcEbSlI2zNUEcvAckAaJc8KG/5nljbTtaE Auhz73BYuZDxrlIq8dXBlpPzGJawCRmuTgpCwbyK/CoH2zyMDaiA32Iu9Ld0iqRa IAUHSEcez3y6pJ61/2j8eBsO2Gg/8xohwQ4tmAj3eTBRSKUAvq5+8wXtplh839YC VV0mJu1rAlFX4rA7vhd87yz3P/Y2oG2eqhWDS6eRGq10jaFT8b0byulqF/cDl4vJ fPc1mCykKDJza0n9o2IXP0C5b0Y/ECUlP+JLS5/9xOyhvujQbgFa+iclfQKjtO/C BVCyrFwhQrB6zhyRoJ2eWLruP2ZK8TOLBXC7RmuISiIdbwQde/VIkxZ7eA+NfZDZ JaAlY+oK1Tv/jGp2scVxQru9HBOXLVnGgDNa7IeFpgfprM51AryuGWtYdwPZqf4Y vktWp2bJPPFD91K3IqxPCcRe6V6rAA0m1aSQDPz0cvVEOYpF2nhZ+l8BGue91XDf NZ/igFPFe0AuDRxvrG8aZVVHGKSI80xD/3gfEcoxVrsWqZXan8UEvJ4+fr9Vl2Dy fwTR0vdW3p+TszE0kd3vjvNxu4KnWjWhCKCx/5UmeBvMrkCKWe12ps4yafBs6pX9 8c7yN3eb0DucUomJF7SlHD37bSk8ZN0jW6ZnqnLVceW4zliCYvrm17bduKLICF1D 16gVaiRRO+XjILYItBVvoQSzRms28Z7FHS3HMq8+pOQl+itDoKHCT8etWraLPX5j Sr+Mxm+NIeYG2sG1RKkA0ySi2RfvN/9dkVq2eiiPMvydS9gPN/uUzsMRwdhEn99W QRixmkxfI0FvRxflZo9U0fKu7+qILA4dG6kNKYo89jsEVbl7eEf+Eyh+sPIxVCPO qT8uQUSQgsXBbExbOg3vXl0xFXOvoewaNmQvjEyXCARFn+9PFqtTSzU6QFYbfUxT yrMK1bScGSXbDxHDypuC16J2UT+h4PFYBxvyTW/ncOJ/Qq0LheJ5hWsMQ1IgY9W5 6lN0Ci5QnOCoL2q4S9XDBID0EIQcSNUY3SxzJO/d+LQV6hpGnawIOsr1xHU5tIQ7 mA9oIMGURwWWPhpyjnc+k12wDZ2fxwrA7xeefCXK5YNRipN+Hw2Kf6Ag00LWu0uI VpHlGtn4+qBTGQESmZ4MWtG5+p/D3KTkCkYIWlCRZd38lPzCZVNTU7apVfFmHVpN BDzMeLqREJ5QakYl7ES1Km3Ty7uvKyY7upPH+iId26WHEPPazvEb2deg475knowP WahB3YDIRhg1/UMju9AAlBg9GMvutuZnYKS8mK++FtEYVFf+B7YC5x7CiBV7s168 pdfCVi+WKdoCj72c9OOpUGMoaIFD1dU8Kwg8usQYWH7JDsPRvmwQlIBk5nlGEn72 hO+ktUly5zq85z4yfq10FCl0vcM42kw+ilJ+R1eUXSeji4oE/lmUOGtgReUga64N 7YOmg39i3gc6jMvzt3mSGsQZEA/NxgN71dAq9vzcYwAaz3QKSWuKtLb+ujeYtY8o kuyKs0tXbiETQ7ojFdgMzAwa+44zYqUUl8QNW+MKhaC7JkIXmtKSst5aYP2S2Pd3 vJK6lFTqKOnS47VLqhuPRw8u0l981R6EltFzG1Tin3o2QjWdLw9fKmxoajOX6Kd9 LwL0kUM7lTnIHqZQ1WI31+vw4wRhS0B+An1TrpzkhIZdrVOgFtfjqvKnavnoy1Jb 9hmPv6gq5OBWOQXShV3ZCk7UkP59zvWKDHv565tyXHOBepD62eFp6JuwYpHRRs/5 1P9RlbGQ99/lsCxnGcW/wj+gQLoz+eVAXLE9mJ2lfwR7R2ddBEjqfC970LhcaNwd nYZ31FKxparPJiPSSYusktzj1a3jdrcsDV/qT5NK0VRDV4Cm4oxIH95/mIoX9TzS G9j1CM/4CIqZ+PDeEnJBP7xLYMyHTYVaAlBYpBPR6QjTiTP30Aq670u9vz3qZdUp Fqcx6XnsYqvnYbIuRzd7Y0AYaz0zgisWdFlH2k/EEiC0CmqlpIKU2TpbIjzMbLdP i6OB/sLqOjgOgsuphvLAB5/UF9jZY/EbjPd/qBUNtagy48JBd/1FEwaNrir9T/DX oquBbJn0K5lwsPhid4444THitTOSKVldoRR7dFxt5qkQ1ycTQhgINLDYp8owCLnS sAL6SwrZKh1i5haeMMalavnUHBhO6tiMJpvz4uhhkNUJHYy+lfXsvV2ikbcMIP2x 7Frku2KzUxaLOcrlaxQBizfH34Lw6mHLS6Ca8pSJv+vcsljJ9+XKT5F+vDgwX2fc AqvTshxFlUrxOGIzuBlnv7dGyZipn3IUJ+8wliHhDzNWzHdXPgYG20/gDeataH87 ivv+K4nchJXY/o+T8domjSdQ04+2Tt5NIYg5TRMcQZ/3oe1cjBGm5uvQswtW9Pj7 KtT3OXYpLzTWf5kzhH6i309dijJgbDQSxl1/3dbKr5Y7wDv+52m12StUrToDuqfS +BFCDTwTwV6a5yC85LMIVUwAYueha1jky84fguaI8cBDn77pNHPKsYrrKMilFjZI 8G1L2qhoafjWdxEXCCBzZwaQMFwqdR80lqc6VqtjyZdiRR2kVmEhFrGO76wDSEXk wW9icFQtB7UzrRAhpSi6kN93LyB0y65D717TSPSCjVM7NuGCNdXMHy9bYkK41GPJ 6qrjnPXhO9hG+UcxQikLbaZNN4AqfIhsP59hsiu/a3fNbiDqxuF/2s6hRbv5mmmc 30CMraWW4PfZSnLN9y2OvzJnVruXTTs2GY5Ag5+R/8La5oy5I0KLaOjm0HimDSQv rtJ3ooO9QBZO3yzkH+HIg7lbmzimLIBsDRY1RMOoWEFNFLVaUbq1nn2yxaEEv9V/ GoWN7mGZeD1d3GOCzWpUrTnNcB/Tqb+jy4w8A2QJ8bpmUBxCOkcZ6aHwY07ZBp3N </textarea></body></html>

Signatures

Exorcist Ransomware
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-18\desktop.ini	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\P:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\F:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\Z:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\X:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\Q:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\E:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\I:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\H:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\G:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\K:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\B:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\R:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\N:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\M:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\L:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\J:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\A:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\Y:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\V:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\S:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\T:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\U:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\O:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\D:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
284	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d90784-69ed-11ef-8389-806e6f6e6963}\NukeOnDelete = "0"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d90783-69ed-11ef-8389-806e6f6e6963}\MaxCapacity = "29"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c004e006500770045007800700061006e0064002e006a007400780000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 529fdd735ae0caab0f7c87e849d0d41ee9510829329c1f2905b3cda365c09523	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0053006b0069007000540072006100630065002e006f006400700000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 790551368951712d0a437841602ced2d5d5ee6d004ce6e0265bc87f86a90aab0	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = a33545ffaf9966d14dfc4cfb3d9e67301e4647a90dc959cbc19f20bd89398360	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 977adaaa5b2c11448cee5d85e8192df4d0571d65e0f37774fa90832fa86f8218	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a1f5501-69b6-11ef-8fd1-ea7747d117e6}	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6918ADE6-DFB9-45FC-8FA8-ECC7E5E8A810}	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0043006f006e00740061006300740073005c00410064006d0069006e002e0063006f006e00740061006300740000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 99e18ffc583ea960a026510dad3079cc94cf937c57ba5c41365e78cf65a2a833	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e1925e07317a62be5df6af83e095cd3337c8df052f751ba8e6cd6468d22cfb93	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6918ADE6-DFB9-45FC-8FA8-ECC7E5E8A810}\WpadNetworkName = "Network 3"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 85d8a0df237bc8b8b5304aed490d55d21cac529afe2a3c09251dc22a28a2a85c	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0045006e007400650072004d006500610073007500720065002e0030003000310000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c0686c9a29adc43f384838f36a49385995e2f9279362c32643193fea519ea05e	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c005000750062006c00690073006800570072006900740065002e0063006f006e00740061006300740000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c00520065006100640045006e00610062006c0065002e0077006d00780000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = e468421b2bcf0595eb5b7269b210fc84b362fca33e91c92e14da5e3b7c4cd87d	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 68278133cf7acf49065b125d7edbb1bc1e77bba79d89b960dc7437cc1dbf44fa	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c00520065007000610069007200530070006c00690074002e006a007000650000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 7341ffe8da46ff0b8c22e0d97863459f9747d5e4cf127dd50a0fb19086210859	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 2049353d81d85febea15e6dbbaaa10a2a34585fb0b615063a2c15150e4f12eca	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c004400690073006d006f0075006e007400570072006900740065002e0063006600670000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c00530061007600650049006e0069007400690061006c0069007a0065002e0065006d007a0000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = 540a000080fd27ad0e0ddb01	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = e3c7eb9eec172501f1aa19315d472d8497929b8bf0c03ad8b42e2e0e1c6f38ff	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 72e1614bf2ab0a7cac68ea55d02e7ccba53a28a4582428134af471313a844ea1	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = f819f52d27145996537dd79adf07de91e1dfcb9d1e5a84dfa24c5ad2f2d22f73	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d90783-69ed-11ef-8389-806e6f6e6963}\NukeOnDelete = "0"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 4293f35e4c1e26d0ba008e810b0783944500b9640eb2c569ddf904cfe53cf16d	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = b9781ec1b8ec66cc570ffc92695d26eca9f5cae629e535f14bc3066aeb69ed3b	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d90784-69ed-11ef-8389-806e6f6e6963}\MaxCapacity = "14116"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 12053c380018bb6f9360c0299e923762cef7645fe31b92ed76203801cd2a8e34	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c004500780070006f00720074005300770069007400630068002e006d003300750000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 9a19943daec69b5f4dda5e868377c4ec0a8c710a1c80965379d491d260035de8	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-99-a7-cf-99-91\WpadDecision = "0"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 8ffeb534e727ccb37f28cece48be954096e964c0222f80e348a7235e65631d1d	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0049006d0070006f0072007400530075007300700065006e0064002e0063006c00720000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 9612cda2e70dfbb4cd2f02a600aa6204159c1da9b71cf3674017f33523954b71	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a1f5501-69b6-11ef-8fd1-ea7747d117e6}\MaxCapacity = "2047"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6918ADE6-DFB9-45FC-8FA8-ECC7E5E8A810}\WpadDecisionTime = e0bb47b00e0ddb01	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-99-a7-cf-99-91\WpadDecisionTime = e0bb47b00e0ddb01	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 9742743d518e99cc0f5bb9d1c6f4658a99bee23bbf156b5b895014f8119825b0	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 96b865870d54ee283a68f67c90ca6ad85f551d0994733ca2dfbe9b5d809bfdc3	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 30759b9ab0d6244fb45c6f07a1949f4d3267f8baac29cdd00dc625b7b4ccaaf3	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 8a388185c8247ec4701093d44ac4de8a7b2bb87e2e75ddf576f9ef822feeba6b	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 85725cf2e50dbb2b02f96c9517dcb740967e5434af950e2cfeba46bb8eff57b5	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\1xBb0d\windows.sys:lyhxozmopp	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\raS1TR\windows.sys:yoglygxpztqveikkj	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\1xBb0d\windows.sys:lyhxozmopp	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\6G1hoO\windows.sys:ymiuwsmgitpdtbmh	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeRestorePrivilege	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeDebugPrivilege	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeSecurityPrivilege	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeRestorePrivilege	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeDebugPrivilege	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeBackupPrivilege	2360	vssvc.exe
Token: SeRestorePrivilege	2360	vssvc.exe
Token: SeAuditPrivilege	2360	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3008	WMIC.exe
Token: SeSecurityPrivilege	3008	WMIC.exe
Token: SeTakeOwnershipPrivilege	3008	WMIC.exe
Token: SeLoadDriverPrivilege	3008	WMIC.exe
Token: SeSystemProfilePrivilege	3008	WMIC.exe
Token: SeSystemtimePrivilege	3008	WMIC.exe
Token: SeProfSingleProcessPrivilege	3008	WMIC.exe
Token: SeIncBasePriorityPrivilege	3008	WMIC.exe
Token: SeCreatePagefilePrivilege	3008	WMIC.exe
Token: SeBackupPrivilege	3008	WMIC.exe
Token: SeRestorePrivilege	3008	WMIC.exe
Token: SeShutdownPrivilege	3008	WMIC.exe
Token: SeDebugPrivilege	3008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3008	WMIC.exe
Token: SeRemoteShutdownPrivilege	3008	WMIC.exe
Token: SeUndockPrivilege	3008	WMIC.exe
Token: SeManageVolumePrivilege	3008	WMIC.exe
Token: 33	3008	WMIC.exe
Token: 34	3008	WMIC.exe
Token: 35	3008	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2052	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2052	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2052	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2052	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	31
PID 2052 wrote to memory of 284	2052	cmd.exe	33
PID 2052 wrote to memory of 284	2052	cmd.exe	33
PID 2052 wrote to memory of 284	2052	cmd.exe	33
PID 2052 wrote to memory of 284	2052	cmd.exe	33
PID 2644 wrote to memory of 2088	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	35
PID 2644 wrote to memory of 2088	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	35
PID 2644 wrote to memory of 2088	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	35
PID 2644 wrote to memory of 2088	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	35
PID 2644 wrote to memory of 2444	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	37
PID 2644 wrote to memory of 2444	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	37
PID 2644 wrote to memory of 2444	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	37
PID 2644 wrote to memory of 2444	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	37
PID 2644 wrote to memory of 2708	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	39
PID 2644 wrote to memory of 2708	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	39
PID 2644 wrote to memory of 2708	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	39
PID 2644 wrote to memory of 2708	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	39
PID 2644 wrote to memory of 2788	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	41
PID 2644 wrote to memory of 2788	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	41
PID 2644 wrote to memory of 2788	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	41
PID 2644 wrote to memory of 2788	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	41
PID 2644 wrote to memory of 2852	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	43
PID 2644 wrote to memory of 2852	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	43
PID 2644 wrote to memory of 2852	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	43
PID 2644 wrote to memory of 2852	2644	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	43
PID 2852 wrote to memory of 3008	2852	cmd.exe	45
PID 2852 wrote to memory of 3008	2852	cmd.exe	45
PID 2852 wrote to memory of 3008	2852	cmd.exe	45
PID 2852 wrote to memory of 3008	2852	cmd.exe	45

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:284
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic SHADOWCOPY /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic SHADOWCOPY /nointeractive
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\Users\Admin\AppData\DECRYPT-ejaJxB-decrypt.hta

Filesize
6KB

MD5
3c8d6a2f9f25707270d0225a3b63d2d4

SHA1
7afa93b55c19301b15966bbd5ce6b7a267408b9d

SHA256
5682cb7b6704ac47e6374abd8fb2a30877dacf555e90feb9df950b2d68272d08

SHA512
d5993405b17d8f7453ae474b6de6889bbcac7b4e634a51962aa196370d21cefeed4e06391190ac8b5feb812d9cce3a18d0f55d5b3597f4779c936cc30bda43be

Download Submit