Analysis
-
max time kernel
148s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
27-09-2024 05:08
General
-
Target
f9c5740ff15f172ceeda63ac7681fbdd_JaffaCakes118.exe
-
Size
226KB
-
MD5
f9c5740ff15f172ceeda63ac7681fbdd
-
SHA1
04c9fd6bbcc500d9fd90f7c09cf0395cd3b926aa
-
SHA256
e126ba2abf85d604c05020dfa7d578e91244656ab8e0e07950ba9c05c037c6ac
-
SHA512
2db4e99d07765ebe8d4e85310ee360a324c986050149107796d3c2c0236460624c8d977ceac33ad5652cfff20c2c2398cf1e57d715e1e0ab22bf4e6ec78fba04
-
SSDEEP
6144:yQGB/n4ZWOeRzb2RL6nDHoEpgYH79X+9AD:G4ZADDHofYGAD
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
cerber
http://cerberhhyed5frqa.xlfp45.win/0393-F0FC-8815-03A4-4DEB
http://cerberhhyed5frqa.slr849.win/0393-F0FC-8815-03A4-4DEB
http://cerberhhyed5frqa.ret5kr.win/0393-F0FC-8815-03A4-4DEB
http://cerberhhyed5frqa.zgf48j.win/0393-F0FC-8815-03A4-4DEB
http://cerberhhyed5frqa.xltnet.win/0393-F0FC-8815-03A4-4DEB
http://cerberhhyed5frqa.onion/0393-F0FC-8815-03A4-4DEB
Extracted
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Contacts a large (16388) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 2 IoCs
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 2 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 59 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9c5740ff15f172ceeda63ac7681fbdd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f9c5740ff15f172ceeda63ac7681fbdd_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f9c5740ff15f172ceeda63ac7681fbdd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f9c5740ff15f172ceeda63ac7681fbdd_JaffaCakes118.exe"2⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\fontview.exe"C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\fontview.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\fontview.exe"C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\fontview.exe"4⤵
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:996353 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt5⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"5⤵
-
-
C:\Windows\system32\cmd.exe/d /c taskkill /t /f /im "fontview.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\fontview.exe" > NUL5⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im "fontview.exe"6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "f9c5740ff15f172ceeda63ac7681fbdd_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\f9c5740ff15f172ceeda63ac7681fbdd_JaffaCakes118.exe" > NUL3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "f9c5740ff15f172ceeda63ac7681fbdd_JaffaCakes118.exe"4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4e81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5633a22e6384a442904b7d17cefe41d9f
SHA1886493283f43978345c74560f5bb7f2582037667
SHA2560b21e440a6c920f78f9fe865e72b17f2b894da7526341ad672ffc7e263a6253c
SHA5120eab3d009987cb5d816345e3c62f3f9ad582daaae573f52d2de3bcc9dbb3a6eb16d32e83172d1c106b2c0bc94375bbcaabd4f3afd7d04000e5518a8549a25389
-
Filesize
85B
MD504fccdc0f2659157b0e75f1f601e6c6f
SHA1b5e858fa824ef73e7685ad064fb8f71fcd7d335b
SHA256b2c9370a21bb31520b03ad6750213851447b8d335a27e9970e178183100497e9
SHA512f73027fd40e608c27e0c9b1964a98aba53878ac095bd8361dd9db335706b461acd4021cb12217eb8357d5f0491c1de166b81964e77378399adea80d81fa8f583
-
Filesize
219B
MD535a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA2568ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA5126d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
Filesize
10KB
MD51f20a335c6cebd05497b5a1a94a6a95d
SHA1e160bf8d31d55e535aa71f6a9c317364d4a82496
SHA25652a8226a3f604d4f596a48ed95d0e7a90e97d7e37b56604ffb447ea6c5d7f3fb
SHA512d709514685cc7ba307810b730dae84bf10b315c96d0f24a1d2c73919d6b9f9f925cdf5328b0a14c0a50a8a923bab98e25654523c8c4578ff5295f3f4ff792e46
-
Filesize
342B
MD5ca879e2358ef98390925c7eb78acc6a2
SHA17d21c879739648e95ad6a4761a0012b6f5619da9
SHA2565e7b71538d02072fb961a9727fca5e9b975cf9e8f417e34fbd32f8284f702b1d
SHA5127aca2c474a45d640c24ac20bfb65e94cc5cd221840de772f9aa3197e62f9a2c8025a1de6a193673abe86309ab2aa21ba04694f0ff4042fc680e8c3fefc728951
-
Filesize
342B
MD5577f9b80e8a4f2f2af9394f8f436be0e
SHA1374c1b674d7f6b9f3e42cafc3c288a5433e70cbc
SHA25659c2a32e1dbc82b0f276b1e4b598d15d13bf06873af3d08c5fa0bf436cc4e83b
SHA512e1b07f1b27a3afbd43b3da0ff3a0d29ab441d8ad64b164abb55cbf9e4773b79c37b4acb77dea56ed2564209a156df5d23690ddeeb0b6f77ef245b241d816eec6
-
Filesize
342B
MD5146653d1abb7a6d1dfa00d8ad373f75a
SHA14065acb0bbdcdf6b35d1e3d3e9394bdd5c79d886
SHA2560934de98c68c98eff59d278ad6b6235069eaa8642739f1cf7ae5fa958ad7e9f3
SHA51288419e666f0d21cf0d28cd90d3fce024290ffcbd380f81158b6aed530417b357b9cf2d3500fcc1504657fced15b81fa9be4eaba13c0ac7a6c7620d55aa924975
-
Filesize
342B
MD56ab8ac07c87ddb9068fa496047ade678
SHA1d9f722093c9a355c2001af6740e49bbb6b4f3aa3
SHA256a8ba1941fbe552570ea7d60e5056a7ac8f700cfa092b21abfedc19368947d9b1
SHA5128b1a6d12e1346aff248589600b69636f5201b9cfa3c0cb023522bebc5d119fb433a2cca1855752bc04d4fe5e6d2663063d168fd04b15eebcc7e6a5355fd24387
-
Filesize
342B
MD59fcfeff028573306635e3fed152c27bc
SHA13309a72addcd05e7cf50824a1a1e3f5140c5f549
SHA2567dd694c4993f2d484cbcd02f793530fefbb3aef60420a0ec36a49d91b40b5cdb
SHA512310a371e8758ebdf8072fee0ad005296783172bd32eb2f42070e616b9c2bdcf5a03db261cac0170b96e8f6744f513819037bcbd44f3c39837e923b467f2b81e4
-
Filesize
342B
MD557981079c51c8a0c047d6906654053ae
SHA1f127fb93ee1749f717e1c82f2cdb1b49fa1ffa02
SHA2569944c2354b003b6811fcc6b2e313e58c1666feb5a95cef954459a72dbe42fa8b
SHA5128b47ee95ab5302fd5417c5bad701c2711cc17d54e36fe7e57f0f4194e37efe74448d3edfd017d5092a17215e4cfe2e607b8b42bc6cc3d82b5ad6ba8e55098226
-
Filesize
342B
MD5ecc65898e1c700750d6c2bfd1fb930fc
SHA1667516e87bfc7444cb8d71db41f1be8e19f59945
SHA256d87c5f6402cf67e157381329c3d9535ca8f8d911e8df37074f8dae3b3fc75746
SHA51241017dfa98fbab9b08fac85276de0db38fc404c15789d089f4a27f0fa8e43b9e32479c64bab6aeabb65a348ccb91cac5c99a8c82154434a9076f5a2fa92064ea
-
Filesize
342B
MD5f0a1c12207227b9fb75ec4ee4dee1d2d
SHA181a679dc959435636107ca1196345d695237d705
SHA256df5a1f095f8783d4a45b0b8518ba638b15c619e2a44a23c3bc5706fdfa08e89e
SHA512097c9404a06e93a5b05f86f9ddd687484fb9a36b1865adef4d84167c45d4fc1c7ceb1d3d780c1f27e3f3570bd029fae67be322cad164df963c0f9fa8c6b4eafa
-
Filesize
342B
MD55743823cba1da43519213038f748778d
SHA1be279caa5aad183a035641f9f9fe5be29f4e8e48
SHA2569ee8f7eef96c468585be732894c9e50bbb3488ad6a93866be971bca70afac87d
SHA512ff61146d7579ac7315a6fe7d9211a82621c02d6ab8c4f25c032722eb00199a3c07285311c29ef9d01fcb5bb41f0d869a4433e8ff58a2c69358a717d7da242c51
-
Filesize
5KB
MD59962c0e6779aa16fb5cec38387ff5cec
SHA127b831b84578dd8eda58993d754fc66e65c5afd1
SHA256bb7995440062f8551e3b8bc4f1ce55ace407639212fce5858851be2152a03525
SHA512135c560072f4f040af2dcce00ee68dbf1b18732b42668e4994a50bd1e7a555034cfef0751f9469f065a9f71c80d1f610b66793f764439c7a823106b1c40020ef
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
113KB
MD5164724978a7243bdc20d1ac77eba6418
SHA13fa0cf927cee74db40bda63a8fb51c5ab31c2366
SHA256dab48b011cd01ed12b86d8881ad3cc85913875fea9b17008a33123b40a87da78
SHA51230b09df3d90075402995b92a16d7c5c42d4c0ed8dff95af494aec430011cf07e96941c33a4af42ecf5243f2f878d3351c6f496f0d40e64da1db5f9973b0e4f21
-
Filesize
2KB
MD570c0bfe7c834d097e805787ed2f123a4
SHA1fded0dc703add894b981c6ca64a56b8c67fa1544
SHA25691d313b0cd8e40919b541b43113283d6dde03a7c663917b883a45f09ef7925ca
SHA512b68beb9eed98888bb6aebe2f8fa1642849f5ffc0c7816614615d5ed4f85e6b7c6d73baf10d0bdbaa180aa21275bf5fb3fce490267fa90213e5e5e35b1f001e20
-
Filesize
1KB
MD5c6d053e1a32928cf2cda28ec03f7c4e1
SHA1ab66a6d9792c4d07c1c41f74b38cd4a00221a9ff
SHA256e0c9c2e0484671d026fe1c6c6da05cfc34ce6ffc658ebd75adc61380947b0792
SHA512b619c10e11a3c8f1e688af6cbd673c1bd1dddfda5bacd8555c9081b09568dadf6683edb978e11e76d9806c7977b55349c8fa5a90034fe92913747ad17ec27e78
-
Filesize
11KB
MD5883eff06ac96966270731e4e22817e11
SHA1523c87c98236cbc04430e87ec19b977595092ac8
SHA25644e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
SHA51260333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
-
Filesize
84KB
MD5f47a66f7cf15f17cc98d4cb4f0b34bc2
SHA1e6ae6734c0acf0beab835f168881c6cfa98ac515
SHA25606df7ee9794cc4db9950e0ea805add4870276a794a8756484a6ccd0a96783aa1
SHA51276afe23aae871ef77e8d03248dee2555d64e3eece66561b453f075d871cd7fa477f3715d1663f3de00c1258e53bf87cf5e955d267884874ae196605a80eea81d
-
Filesize
226KB
MD5f9c5740ff15f172ceeda63ac7681fbdd
SHA104c9fd6bbcc500d9fd90f7c09cf0395cd3b926aa
SHA256e126ba2abf85d604c05020dfa7d578e91244656ab8e0e07950ba9c05c037c6ac
SHA5122db4e99d07765ebe8d4e85310ee360a324c986050149107796d3c2c0236460624c8d977ceac33ad5652cfff20c2c2398cf1e57d715e1e0ab22bf4e6ec78fba04
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB