exorcist | ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097

Analysis

max time kernel
97s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Size

68KB
MD5

f269d24544e8bb4cb82680bb396a5f1b
SHA1

8283f4266a7782308b04a3d03c8b13a38eefaa61
SHA256

ca680208fb28dca0595ca9f677c7845aca09c1979db0a9d680ad6f6bf30b7097
SHA512

c22f51697316c4d29e4b4ef817a1c73d4681fc02b0a2b0fee01e2aaf065d6a3aa04b7defc366cea012a723e600bd80a12083d54bb0907fa0b4cf6f12c41e68d1
SSDEEP

1536:7ufJPTAoUei1obcxtZbW3BqlIS2IyUY4h2wEsOolJT+y9F:7upTAneif03BqarUY4l

Score

10^/10

exorcist discovery ransomware

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\DECRYPT-YMPxsm-decrypt.hta

Ransom Note

<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>YMPxsm Decrypt</title><style type="text/css">body { text-align: center; background: rgb(192, 176, 176); color: black; font-family: Arial, Helvetica, sans-serif; font-size: 14pt;}a { cursor: pointer; color: rgb(68, 68, 68);}textarea { width: 90%; height: 200px; background: black; color: white; border: 1px solid black; font-size: 12pt; font-weight: bold;}</style></head><body><h1>YMPxsm Decrypt</h1><h3>All your data has been encrypted with Exorcist 2.0 Ransomware.</h3><h3>Do not worry: you have some hours to contact us and decrypt your data by paying a ransom.</h3><h3>If you don't pay in time, price will be increased. Then, if the payment is still not received, your keys will be destroyed.</h3><h3>To do this, install Tor Browser (here: <a href='https://www.torproject.org/download/'>https://www.torproject.org/download/</a>) and follow instructions on this web site: <a href='http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/'>http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion/</a></h3><h3>IMPORTANT: Do not modify this file, otherwise you will not be able to recover your data!</h3><hr><h2>Your authorization key:</h2><textarea readonly>fsZBwjpZ8YbSWx2j2UT3Xsj6umX+nm0BZGj/IDUR877vaLPqsTMR84ckgTpqo1XH Yk1JziYnOFXGfY2zqQLq5PGjuC4uEYMubyjKFLlJRvWK2caCH9Wgo3AErvde05Tg 368+Vk35w2SI63pzwqvbeYNX0wFE/bOi5CQymIEpGxtxtjvPXooKxSwpKUm6Di9c cJB+lbBeL7H4SmX+BrzZi+tVj5X4otsUIyknMdSnMYGoOwPsORSFp5XNgHN8ODi2 qLAUTBMXHnqLwPk5W/Ma8a56gIJf/4tSkB1UvDxCgj2HciihkbKVdbQ0BsfTWZjR 2zE9gJycNDrRZOc0fTjuAbjPRFk5KTH/qdkvupLAHzAp16JqxwEXb2rYkv2sPkx7 fO6LLIQ7vtFrBGwWR7o6cIJyLAac7kBbtBQ+VOdvy+qJjHl2DvvKenhel6nc18pj z9QmUO4OrM8Rta4T4egGV7n7t7G5y/cZOYJknX7h7vXBQIc9nQCfBBnfA752o5+t BTQaJkMrcS3ICgCA/9fuZqZn5y1GSPbFEtmFc9SXG5Ln7Wz//cIBx6YuZiWh0RsX PlMNiR8+NbMb9iRMmr/z8rFdWv5a+JY9sMNjkIInm3vrOfriUnyGBQYz/TzRZW44 Gbs+6BOiEXJ4XNqroLs24uuS7mam8hZ0V6fqGIX8SKQ/SHnBpa5BPC4/MLMv0cF8 Zb3LlDotS1jf2CSBg+3GI98ypLOWsaaMW78Tw9V4qg5qe+dJpVIIquFF/NbgLZAw NJKUsVz6IOvBosQ56cOpMSkjChWPtb3oE5Lpn2nznjaVM2Xf9HxqQ2nyEeieaWB6 CbiIk44KrmBPXfnGlCN87daL0Z4BH/UNxNoo/Sg6gyHaxtG4PK3cohhexQnREJ+7 bAFUxGmpX1zFRXgXy6eJxsn4W6SnsyKPqvEfJDZodSh+c20AMr27s+kURZzZ5h3J 1BZ81NlzQpOB37ROjg0WnvZAE1MxCEvtr0tCT7ty1Z2CA99X3I27/i2BGLn+lT6b bvZo/lkLpRxuyh5yggb1SYms2JU9GuQ8EykEjAHd+LyxFyVRT37RmoPxN3mvR5w2 vXqYer6f+QdRv7IJd0OaLSt3F1iOQNqaTw5WnGmeVeZl+WJ7+pkC8i/xt69X/tD8 z0reHtO2ueNEqlTOU1Le80xVAtL6COHFLsUla/EDbXHpsuxaJklNSN0sZw9pT+3Q YMpwxbPmJhmgy/vzbLJlgwVbtobMp+1VtGimNmyOvt7Zkh4EMxDBMcBAHxnGElD1 TxXOf4ON4mvkgxSXP7HEH3mRyCCtdNz6Oww5rjUyHDkeuTy0mO0tY0ma+L/Y9jB9 0eWdIBrUk7XPjfcRkDFJohJuI3uFpQhGNJKBlZiU43ux+mDWOgTWAVmbYp0Akwl3 0LYYM70v54myx7XwRdFHNph3CCUFvJPBpvtYx0ZOz1f5SdZ8uE7Qt/kyQobWke3p xtLoSYrkUFqOrh2Un/JKDnHyhLqv65s/9jJ9dVUs3nuGsiLDDFF/2s7Z+xbpKPiQ rNEv9YIZD3/wKplG5xiN4XF0jLm4KHQ0AGZm25q3evvaA07CZyCAZF33NpsQ65qV oY7ITlE8ZGV9xNAzNlzXb3ShicMmV8klJuSv1zEZRI33tkYVHbOUXIAiPfvaVXyC XQAkoMRrmGX/mM/XwOoP2clYGxwxtpPiaFc61AfvHN4eEsw77g1AyzmX7bcyv8Pq d2brKMS2mK5Mov62RkC5xKBIjNQcDaIXE1FLgiuya8TTxz+/M01fhvXYl8u5wJ2Y 4a6ffceG14t9wg96LM/cs5+hc1xa1k0f/kh6h/5pvg6ER6boqwbw2hHGU/rkkKsm 5xiKFiqwHTYCeNkwZg+ZVb8fXLM/UnfrLd2uFpJK1quOrewNv1dxiQD39uMZVSJZ DtBC//zLZQuPaGSlUSxVz7AsBbbw6AY0I0gW1LyQSC6mPI4PVcCxKtswHC6juXW8 wEjtR3MEJIQ6eRU9IyhUCS3/SNdrw84ROQCbX1pJ5GfwH5tJe9YvHU1sAijHCxcU rlDfbWBtAcaTO+kt0XO5Qi4f9GCw/f1QOT1SzySf8Q5wOM9kMURQtfe7JYt0AGqz ytgODKLmFcNDiq1FR19PTW2wwlNv94Dv7KIQ/1g9i8SddsK8+ipk8L/tB1nEQAOB pOkX3gzQEq0WO1ARN4bQ536NjFrJQ5C09zCyx2LiwZJTMlfs7LadtL4KJcFcMUjv IY6JGt7wEcOp9MlVorphJ/bFkKX3lvtnW8I3+Ipb8QE2F63kjN310QCZ+AM0Sop+ pE5h1JNbQ9Uh9kDkfqQLTLCla/vekzE6+wETRSZkohCjTM5blL6pATcZMz++ao/e Geek2hcwPGcej23J7lySMfegLlmRZDrF6Dv5mv1lhsqwFklEoXOrZ2Kre8Xmjavx 0OwubOQep4uLGN6HMcOi7Yru34LSVADdXBK/Rl80rlOcdpny1fobC9LZErkOaIhc Mo+FjZ2Bt6yui4EN416VXLSRPGcM4HYbEHYJC13XCq7qKz0LS38dBbJfvpOic1Xz 6efjt1lBBWditWFeheCHHlX2UvIhrSH0jdzhue9Wc+HqndF4m7Ax0j0cksLvf5o7 zS/8arKzGPAG/A0bWYfV+d2QNqV8lcqscCCN6h1uMk/aTC18A4WDe1ZvxW3MMHkO WgZSkQ6VVv8k3qg+BQDgdRM29vgs1k3IHBJRDWUNiduY8FPOho+BOqAhSb3atfkE oIDxCdSWqmwkvibYy9iKAkThUSyDzZsB2RB9BUIIb6X3JVXrGda7os0DO/d+Zlzk Yp+3gPoi2ZmdIEmeSho0AsDJLkNEjY34IPT50OkSITwOV6idVcqw0Zrn3c5KdE1Y Mab41WlXGa/B9PCp5Bm1+zOmr4uCyHjCqzmdwp+oK5aMFWDmZkAwBYAX9fn1PxOM yM+dFeDtIwXoXLgh/k9JMTmNZFOR89WWzkgwxT+u2XX11cibiNA27punINTax6jV H8b9PUeQO35guGROaRDzIsx6RmjleNeso4ge1xS9N4a5t9fIYO217g0zpjwqCJPd rPA5OluOm/z1kDwv6XG18VdUSFOzJWgHvHIh65YHo3XQTiYbrmExQx32RXd7uVJs oG2POPDy3IZ+6fqdmamT+AF6JTTAaIbTXHrJyaS3Gi3+KP/0ZwFz9z9Ss8xzsF4C IyZY/eiO0q2PgHWQ0zXc8ltlHHBXb0gI1F7svhsP46+SIzcWg+v+8su0le5oitX0 p9NEoey4OdsFHePojl97x0R7zmiCj/nsjnj2SF5DlDV6Di/WH7SH4gLEhK29fsS5 RDsvqBc7Q3L5aU9tN66syjxwAWrpS512hao6SzliHr61jVjVfL8mRgBrCjg29EcK ga+AcVVjhp8LyzMf/4JJs0M47JZss26AdVYhUwe41rMQQu9a4pysaCIrcj9G7V98 jYq1Ie7aP6Z7IAU6kf4nRmwdQwKWHJIjtCjoASNSC32ah6fxMC71/RQXr7mz9Drz hv8RvaGbkGBZ/+8OvzL0zucztdj8Hpm0Q7AVl6ZHiDD9m60OZPWuhst9FTTafMKZ V51nWXtn1WtCslQZiyEbKXI8valqa73eETVmS+5oPEdqxYwXzzcxJwpOiC0ejjVI MVRvVMvkE4EC0uuuxN4eDfUTFsulOQv9/NxEjj6QRXFEN0Vi4psfkQPk5AVrDWgx e/qfF71nFeyRTg3TC45UdyHI2y35MAqIY8sUHtNezvS3e/evebjUFoPSzGrFKHZT cfH9+QC1RIu3wvc4ctrsIFRfdZDbq+W65ZNrnAORNziyAeAtauEpXztKIqsEwttp pDKWTohE6SEpI/Z8NnL9i0iNwtOtfXhewW4Gd8uhdY03wSeZZ19OO4Qgir5hXDyB qJsymlDQoCgInqY7kPnpMBnHdUJIhsVdWKDcKiRmzPJ5v1ZAY6EfIuFPwLLJGpq1 0/bqoYevQ93Nc7oVP0p8EqZNT/nBYcoeVl0hq+ZQ/lKUG04GO0WntflRq+aDrV41 0zmNPNvAwCHkWmIsDDQylvV7ISr4IsUhvrwEUwCQxdEFOqhcDYBTQ6uR6+fAzrXR +UYRmFw4y1JwlNMaN8al6XUX+/yOXxtIbSdI/A67wnkFlTlG6r47qp3ZWBMUMVNm Q+TCxmZHDuCXlj+VMHFaZVAk3bwsuL+IH6CgRW7+R4j0t6AvnFrnR321FMjG2OXK 24xDi+lZeVNRzHV9zBrKnA1IuP+V9kVWyzKSEDLfkavneg1Jep7tjQrtoWacRoTW LBzj9VZmRaEfSL/mjTMV6imFOtEiSxCXRcoPgtZAIvGGZ7rj2sScM+ib4prioyWd N2H5B/9R2leQLBG6xSTllRlouzAr5F08RcAFi8o6/NcB4s3LiezMJDlCFii7rf7H TOg+/epfv3Q64qpTrRlvMSOqjRAffp8Wbc6+G4CFwCqly5aVqGTYmlzGRE6i1pDz xnUVgL0GT88kUIQ1eb5OeLfM+dt9FNppX1UyHMUWXym11ww3JDo+AtMjo4gYJ2tT BCPDyz9yFuSCyMb/VOlR17O8jAcuyVKBq+5p21pxWD/EvPJVOe+PIBFxjDNtlere twJDhE4vTE08/OkhnVtgRLrxjTRCtCw0Dsks2Jr9qCLgRPerNxFdwHP5cBl6z8p8 QzBEENtRcXA9I42GvGZ0si9I6H/Anpyc1Bab8ExDyckar5Y2v7z8GKXLLhBKpW4u icqvTn9AiSF8S4J5CA9T2r8+F1Wv9wpHQV5cIRiOnXkg9QgVBtF52m7BRLwU5p6y uWQ88lPas699amFWI5z9MmPksMGAFxdfPUoa22pQS2HrBTThfEVl7cnjhyRgqBGD oCTEXSVcCo7p520iEx6bEJ4oSG3FRnATmUOlRxCH7aSSsvSsvS0//saA123Mfyxc u0bkulilCJ29ATKhy3lr2cJuulr+Mv/w6o/N/GRrmadKlH1NWg7aYwSP2fAC1Fjv y1xo59Gly0d0R+fpoFSc3gUalNxK3qJKwhsnRuyJrDQRoKtfVDCsTSOVHcMcXWSl </textarea></body></html>

Signatures

Exorcist Ransomware
Ransomware-as-a-service which avoids infecting machines in CIS nations. First seen in mid-2020.
ransomware exorcist
Renames multiple (149) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-18\desktop.ini	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\Q:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\O:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\I:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\X:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\T:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\K:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\S:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\E:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\Z:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\P:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\D:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\Y:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\R:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\N:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\M:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\B:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\V:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\F:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\J:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\W:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\L:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\H:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\G:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File opened (read-only)	\??\A:	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a7bf5df92d61946a31772faf3e1a857e47ee58e5a6253b3c76f02a12ec90de69	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c007600630072006500640069007300740032003000320032005f007800380036005f003000300031005f0076006300520075006e00740069006d0065004100640064006900740069006f006e0061006c005f007800380036002e006c006f00670000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 1a7c86b4da79c443172a3aff5a9028b45b0bf90fba3b5f9c3683bd85a262ba44	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = d6c0786c26754f5a4ac0d715173211d792b4416e036904c5edf39fcc62fad192	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 4dfa741ba4c726d2b8f01b89ac8e4b7b0b6c694393ec2d76204ec29ecc200325	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c004200610063006b00750070004a006f0069006e002e0077006100780000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004d0075007300690063005c005300740065007000530074006f0070002e0078006c007300780000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004c0069006d00690074004d006f0075006e0074002e0078006c007400780000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004d0075007300690063005c00550070006400610074006500500072006f0074006500630074002e0064006f00630000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 9dae0d56be6b11b097d22e0df499ebf926f08ed81bcaf27a17c57e5ebd8f4c9c	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 8a8ddef8a5df97a36a2e9ea28c19070f9ffb4268ee6a8f87dba0435e0bdbea83	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 18ba766fcf836eeea52af0334e51780d4cd4d06f7f99606588e11b3e6453651e	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 3d5d1c55a368261fb38ed16b8f3210fd447195ae3175269abd57d7b56e5bc1c0	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c0043006f00700079004100640064002e006f006400700000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 74c14bc5ef07d198dd870a32389802f3479f31c14e5eab1bba9cf19bea2cb050	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = bbf548063957ec1495b063a2f6f40027945a739f1288492d4a78bf5cecd001ab	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 53e6ce56264c570aa1ac92f79c933c1c81b0328de5eb22eb8d379802b486d79f	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = ca2bb1273a88378bd5a2c612eb4579f6c157c0e30d3bc536aaec6f7aafc66d42	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c00500069006300740075007200650073005c004400650062007500670049006e007300740061006c006c002e0064007800660000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c007600630072006500640069007300740032003000320032005f007800360034005f003000300030005f0076006300520075006e00740069006d0065004d0069006e0069006d0075006d005f007800360034002e006c006f00670000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 146157ecabeb140b0fa07d6bb55c57fc4c239ab4b623407bc36cab3c5ae04b36	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0053006500740054006500730074002e0064006f006300780000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004400650073006b0074006f0070005c0053006b00690070004700650074002e0070007000730000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 8b1b6431f22b8e87152da04a731b9f1756ec4d89d0b18eaa326e47865a3e2328	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c0043006f006e007600650072007400460072006f006d0049006e007300740061006c006c002e0076007300780000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = e36180979a09a84d8b7c5fd88940764fe3c3eb330cee0429bcf5e8595c7ed051	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004d0075007300690063005c004500780070006f007200740055006e00700072006f0074006500630074002e006d0070003200760000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c00500069006300740075007200650073005c005000750062006c006900730068005300770069007400630068002e0063007200320000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 294b50fff335ca7e483b6e6394ca6043676685be9c0e3fdfc3fd9af680a56fd4	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00660061003300350061006400380032002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d00000030002c007b00660061003300350061006400380032002d0030003000300030002d0030003000300030002d0030003000300030002d006600300066006600330061003000300030003000300030007d0000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = bef73b980e94c64e57f17b849dc57cdb3ec2290ad2bda8680dd23dca7d85c933	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = c5e6d112f74436f83c1d59d0521408cdca3d0181389bb796362d9f1bbbf6423c	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c004f00700065006e005200650070006100690072002e0076007300770000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004d0075007300690063005c00470072006f007500700057006100690074002e00700070007300780000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c007600630072006500640069007300740032003000320032005f007800380036005f003000300030005f0076006300520075006e00740069006d0065004d0069006e0069006d0075006d005f007800380036002e006c006f00670000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 4be4637b343f462cc48192b2030a1f4d1c44e8cd6872f3c4deb8d2ebca1c2006	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 88b27b04df96859d89f04a73deef5365125bc21361a8c22ab04f9bb39ac1ff3f	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 162f3a98223b633ef62a0aff38099fd1348e3b59c2d80eecf10553668cdda188	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 36d9dd9355eb3b85f4e6a61635745bb8123acf89d7b67f00938e11600c3ca9ac	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = be73a9fe8b29e91e34618b280384f2e299c0c833947f1e873a8fccc60464dd74	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c00500069006300740075007200650073005c004d0079002000570061006c006c00700061007000650072002e006a007000670000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 6d23e1ebefea1078f367e3d69841edbb5c22071b0608786c4de470c22c24b87b	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 86e47084e82a99cea5f88449a78d44465d6a7b717a94ecde39425ac151099ed4	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 72401b8228b0d2ef44957336410c35d1510025e60df04131ecf77227331e8344	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = cd612d6601ff4609bc4f5c7dc8d6a045f05e3e50cbdbd0636b5008bb36889ad6	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f00630075006d0065006e00740073005c004f006e0065004e006f007400650020004e006f007400650062006f006f006b0073005c0051007500690063006b0020004e006f007400650073002e006f006e00650000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = b987872560c50fc86dd7f6e4d113a4277a47b95737853d3d65e2656e64388af7	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = bf439dabd682be4c3a35130e5ea55045eae951d8bc76c287626932e3a8413a87	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = e5786fd3335cbe26b09f749478946acd701e92b9de2f9c64e9362b635d7b8681	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 77d8b44d687e943d768263d7bf14a1cee5b564e5167868f35a0783899e3c9d95	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 8deda96a8d882e3070a49aff8bbcf6196b53d41b54d0f56b265a15601b767024	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = c1b287c9c3ad21f56a94742bf571f039700393ed27ea297dbd85e3e01faf1adb	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 407bb02401e5207fb2277b26ba6a77c7c775976599b122596856b56c402992b2	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c0057006100740063006800440065006e0079002e0078006c007300780000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = c13b2a9d31a852b3979786344fc8fe346edfa89ab453f686e1c7ffd8e20aa7dc	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = a702304d9e24d5db5ebc30a1a9a7e07704773fc9b5cd41a4ed28ff972f2c3866	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b687ac17d0691720dab36f0c09f5e2eb9e5a8df9eca9e3f56d73ff66b1d7a119	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0044006f0077006e006c006f006100640073005c00540065007300740043006f006e00760065007200740054006f002e006500700072007400780000000000	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f1c19a48331436a2e0ab5216ef5ca2e78da4da9f2289237f6a9bee939c24ea99	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = fe8f50e066bfd6c2d43a0b170ab0174d0fd21f5f4c49e40f46a7153b2ceb919b	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = e38f512d230d64152d8476ebee9d70bd096c45bfc28647a9c28d3a66904b5de9	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\HzqYrQ\windows.sys:lyhxozmopp	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\j6PYEu\windows.sys:ymiuwsmgitpdtbmh	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\HzqYrQ\windows.sys:lyhxozmopp	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\Microsoft\Windows\kqCe1c\windows.sys:yoglygxpztqveikkj	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeRestorePrivilege	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeDebugPrivilege	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeSecurityPrivilege	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeRestorePrivilege	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeDebugPrivilege	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2032	WMIC.exe
Token: SeSecurityPrivilege	2032	WMIC.exe
Token: SeTakeOwnershipPrivilege	2032	WMIC.exe
Token: SeLoadDriverPrivilege	2032	WMIC.exe
Token: SeSystemProfilePrivilege	2032	WMIC.exe
Token: SeSystemtimePrivilege	2032	WMIC.exe
Token: SeProfSingleProcessPrivilege	2032	WMIC.exe
Token: SeIncBasePriorityPrivilege	2032	WMIC.exe
Token: SeCreatePagefilePrivilege	2032	WMIC.exe
Token: SeBackupPrivilege	2032	WMIC.exe
Token: SeRestorePrivilege	2032	WMIC.exe
Token: SeShutdownPrivilege	2032	WMIC.exe
Token: SeDebugPrivilege	2032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2032	WMIC.exe
Token: SeRemoteShutdownPrivilege	2032	WMIC.exe
Token: SeUndockPrivilege	2032	WMIC.exe
Token: SeManageVolumePrivilege	2032	WMIC.exe
Token: 33	2032	WMIC.exe
Token: 34	2032	WMIC.exe
Token: 35	2032	WMIC.exe
Token: 36	2032	WMIC.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 4840	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	82
PID 1424 wrote to memory of 4840	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	82
PID 1424 wrote to memory of 4840	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	82
PID 1424 wrote to memory of 2520	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	84
PID 1424 wrote to memory of 2520	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	84
PID 1424 wrote to memory of 2520	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	84
PID 1424 wrote to memory of 1212	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	86
PID 1424 wrote to memory of 1212	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	86
PID 1424 wrote to memory of 1212	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	86
PID 1424 wrote to memory of 1600	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	89
PID 1424 wrote to memory of 1600	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	89
PID 1424 wrote to memory of 1600	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	89
PID 1424 wrote to memory of 1876	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	91
PID 1424 wrote to memory of 1876	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	91
PID 1424 wrote to memory of 1876	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	91
PID 1424 wrote to memory of 1324	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	93
PID 1424 wrote to memory of 1324	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	93
PID 1424 wrote to memory of 1324	1424	f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe	93
PID 1324 wrote to memory of 2032	1324	cmd.exe	95
PID 1324 wrote to memory of 2032	1324	cmd.exe	95
PID 1324 wrote to memory of 2032	1324	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f269d24544e8bb4cb82680bb396a5f1b_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\cmd.exe
  cmd /C vssadmin Delete Shadows /All /Quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4840
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} recoveryenabled No
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /C wmic SHADOWCOPY /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic SHADOWCOPY /nointeractive
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3D Objects\DECRYPT-YMPxsm-decrypt.hta

Filesize
6KB

MD5
0087cc2c34de09b3ba6f83205975f07d

SHA1
b16c5d0bf5f97862338e1eb30290acc35dc471c1

SHA256
201aa37d37f5e194190dd3de19a19508966627c18eee95850db3bd953c1888c7

SHA512
ff60e99deafb5367315513d34f3666b330527d713e1924452a5a69ae8269802d8051718b00d5595f553b32dafbc3e155e4f8427e55f8f2bc53dc38a7700dfa0b

Download Submit
\Device\HarddiskVolume1\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit