Analysis
max time kernel: 150s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/10/2024, 23:28
Static task: static1
Behavioral task: behavioral1
  Sample: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Size: 344KB
MD5: 270b70bad151a515136f553e5bc880ac
SHA1: 77b7def336c7647c6faadaf7136d70ff1e9ba7fc
SHA256: db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa
SHA512: c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f
SSDEEP: 3072:v5sAzvcjE+lcO3zXgKRcP66BpwwB9RStc3Yfqr:v5jvc4+lcO3zQKSPfBJXv3YM
Malware Config
Extracted from: C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt
Family: cerber
URLs (five clearnet .win domains and one .onion, all carrying the same path segment 27A7-6315-3347-0073-1597, Cerber's per-victim ID):
http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597
http://cerberhhyed5frqa.45tori.win/27A7-6315-3347-0073-1597
http://cerberhhyed5frqa.fkr84i.win/27A7-6315-3347-0073-1597
http://cerberhhyed5frqa.fkri48.win/27A7-6315-3347-0073-1597
http://cerberhhyed5frqa.djre89.win/27A7-6315-3347-0073-1597
http://cerberhhyed5frqa.onion/27A7-6315-3347-0073-1597
Extracted from: C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html
Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.

Contacts a large (16396) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services. For Cerber the more likely explanation is its known habit of spraying UDP status packets at a large address range after encryption; the host count alone does not separate the two, so check the destination ports and whether any host answers before treating this as service discovery.

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery. In this run the dropped Magnify.exe (PID 452) does it twice over, with vssadmin.exe delete shadows /all /quiet and wmic.exe shadowcopy delete (see Processes).
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Explorer processes this key at logon just like Run, but it is inspected far less often than Run/RunOnce, so include it in any persistence sweep.
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe" | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe" | Magnify.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. Cerber is documented to abort on systems configured for CIS countries, which is consistent with this lookup.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | Magnify.exe
Drops startup file (2 IoCs)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Magnify.lnk | Magnify.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Magnify.lnk | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
pid | process
452 | Magnify.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoCs are attached to this signature in the report; the only browser activity in the process tree is msedge.exe, launched by Magnify.exe to display the ransom note and the payment URL.
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Magnify = "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe" | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Magnify = "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe" | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Magnify = "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe" | Magnify.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Magnify = "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe" | Magnify.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ipinfo.io
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\Users\Admin\AppData\Local\Temp\tmpCABD.bmp" | Magnify.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Accessibility Features (1 TTP)
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges. In this run the match comes from the file name: the sample copies itself to AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe, the name of the Windows Magnifier. Nothing in this report shows the real C:\Windows\System32\Magnify.exe being replaced, so treat this as name reuse rather than a hijack of the accessibility feature itself.
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Console utilities such as cmd.exe, taskkill.exe and PING.EXE open this key as part of normal start-up, so only the entries for the sample and Magnify.exe carry any signal, and the Geo\Nation lookup above is the stronger indicator.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Magnify.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 4 IoCs)
Adversaries may check for Internet connectivity on compromised systems. Here the matches are the ping -n 1 127.0.0.1 calls inside the two self-delete command lines; they serve only as a short delay so the binary is no longer running when del executes, and test nothing about Internet connectivity.
pid | process
4112 | cmd.exe
1820 | PING.EXE
988 | cmd.exe
1060 | PING.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
All three reads come from msedge.exe, the browser Magnify.exe launched to show the ransom note, not from the ransomware itself.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Interacts with shadow copies (3 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | process
3216 | vssadmin.exe

Kills process with taskkill (2 IoCs)
pid | process
436 | taskkill.exe
4168 | taskkill.exe

Modifies Control Panel (4 IoCs)
Setting SCRNSAVE.EXE makes the dropped binary the user's screensaver, so it is launched whenever the screensaver activates: a fifth autostart path alongside Run, RunOnce, Policies\Explorer\Run and the StartUp .lnk.
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe" | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop | Magnify.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe" | Magnify.exe

Modifies registry class (1 IoC)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | Magnify.exe

Runs ping.exe (1 TTP, 2 IoCs)
pid | process
1820 | PING.EXE
1060 | PING.EXE
Suspicious behavior: EnumeratesProcesses (43 IoCs)
pid | process | count
452 | Magnify.exe | 36
1472 | msedge.exe | 2
2620 | msedge.exe | 3
2504 | identity_helper.exe | 2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
pid | process | count
2620 | msedge.exe | 10
Suspicious use of AdjustPrivilegeToken (51 IoCs)
The long wmic.exe list is the tool enabling every privilege in its token on start-up, and the vssvc.exe entries are the VSS service doing its job; the malware chain's own token change is SeDebugPrivilege, enabled by the original sample, the dropped copy and both taskkill.exe instances.
token | pid | process
SeDebugPrivilege | 3192 | 270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe
SeDebugPrivilege | 452 | Magnify.exe
SeDebugPrivilege | 436 | taskkill.exe
SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 808 | vssvc.exe
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this full set is requested twice) | 2412 | wmic.exe
33, SeIncBasePriorityPrivilege | 1968 | AUDIODG.EXE
SeDebugPrivilege | 4168 | taskkill.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
pid | process | count
2620 | msedge.exe | 25

Suspicious use of SendNotifyMessage (24 IoCs)
pid | process | count
2620 | msedge.exe | 24
Suspicious use of WriteProcessMemory (64 IoCs)
Identical entries are collapsed into a count. Every pair below is a parent writing into a child it has just created (compare the process tree); no write into an unrelated process appears, so this is process creation as seen by the heuristic, not injection.
writer pid (process) | target pid (process) | procid_target | count
3192 (270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe) | 452 (Magnify.exe) | 86 | 3
3192 (270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe) | 4112 (cmd.exe) | 87 | 3
4112 (cmd.exe) | 436 (taskkill.exe) | 89 | 3
452 (Magnify.exe) | 3216 (vssadmin.exe) | 90 | 2
4112 (cmd.exe) | 1820 (PING.EXE) | 94 | 3
452 (Magnify.exe) | 2412 (wmic.exe) | 96 | 2
452 (Magnify.exe) | 2620 (msedge.exe) | 102 | 2
2620 (msedge.exe) | 4532 (msedge.exe, crashpad-handler) | 103 | 2
452 (Magnify.exe) | 4040 (NOTEPAD.EXE) | 104 | 2
2620 (msedge.exe) | 1912 (msedge.exe, gpu-process) | 105 | 40
2620 (msedge.exe) | 1472 (msedge.exe, network service) | 106 | 2
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
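The registry writes listed under the signatures above reduce to one question a responder has to answer quickly: which autostart locations now point at what, and is the target somewhere a standard user can write. The Python below is an added example, not code from the Triage report or from the sample, and shows that check over registry "Set value" events in the shape the report lists them. The event dictionary layout, the SAMPLE_EVENTS list (transcribed from the entries above with the report's escaped backslashes unescaped, plus two non-autostart writes that must not fire) and the USER_WRITABLE and ACCESSIBILITY_NAMES lists are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Autostart locations written in the report. Paths are compared after the
# \REGISTRY\USER\<SID>\ (or \REGISTRY\MACHINE\) prefix is stripped and the
# remainder is lower-cased.
AUTOSTART_KEYS = {
    "software\\microsoft\\windows\\currentversion\\run": "Run",
    "software\\microsoft\\windows\\currentversion\\runonce": "RunOnce",
    "software\\microsoft\\windows\\currentversion\\policies\\explorer\\run": "Policies\\Explorer\\Run",
    "control panel\\desktop\\scrnsave.exe": "SCRNSAVE.EXE",
}

# Directories a standard user can write to (assumed list). An autostart entry
# pointing here deserves a look; one pointing into Program Files usually does not.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\programdata\\", "\\users\\public\\")

# Windows accessibility binaries, which legitimately live in System32 (assumed
# list). The sample names its dropped copy Magnify.exe but places it under AppData.
ACCESSIBILITY_NAMES = {"magnify.exe", "narrator.exe", "osk.exe", "sethc.exe",
                       "utilman.exe", "displayswitch.exe", "atbroker.exe"}

HIVE_PREFIX = re.compile(r"^\\REGISTRY\\(USER\\S-1-5-[\d-]+|MACHINE)\\", re.IGNORECASE)
QUOTED_OR_BARE = re.compile(r'^\s*"([^"]+)"|^\s*(\S+)')


@dataclass
class Finding:
    location: str   # autostart location that was written
    target: str     # executable the entry points at
    process: str    # process that wrote the value
    reasons: list = field(default_factory=list)


def target_from_data(data):
    """Return the executable path from value data such as '"C:\\x\\y.exe" /arg'."""
    m = QUOTED_OR_BARE.match(data)
    return (m.group(1) or m.group(2)) if m else data.strip()


def classify_key(key):
    """Map a full registry path to an autostart location name, or None."""
    tail = HIVE_PREFIX.sub("", key).lower()
    for prefix, name in AUTOSTART_KEYS.items():
        if tail == prefix or tail.startswith(prefix + "\\"):
            return name
    return None


def analyze(events):
    """Flag 'Set value' events that point an autostart location at a suspicious binary."""
    findings = []
    for ev in events:
        if not ev["op"].startswith("Set value"):
            continue
        location = classify_key(ev["key"])
        if location is None:
            continue
        target = target_from_data(ev["data"])
        low = target.lower()
        reasons = []
        if any(d in low for d in USER_WRITABLE):
            reasons.append("target in user-writable directory")
        if low.rsplit("\\", 1)[-1] in ACCESSIBILITY_NAMES and "\\windows\\system32\\" not in low:
            reasons.append("accessibility tool name outside System32")
        if reasons:
            findings.append(Finding(location, target, ev["process"], reasons))
    return findings


# Constructed sample: the registry writes from the Signatures section, with the
# report's escaped backslashes unescaped, plus two writes that must not fire.
SID = r"\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000"
DROPPED = r"C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe"
SAMPLE = "270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe"


def _ev(key, data, process, op="Set value (str)"):
    return {"op": op, "key": key, "data": data, "process": process}


SAMPLE_EVENTS = [
    _ev(SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", f'"{DROPPED}"', SAMPLE),
    _ev(SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", f'"{DROPPED}"', "Magnify.exe"),
    _ev(SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Magnify", f'"{DROPPED}"', SAMPLE),
    _ev(SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Magnify", f'"{DROPPED}"', SAMPLE),
    _ev(SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Magnify", f'"{DROPPED}"', "Magnify.exe"),
    _ev(SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Magnify", f'"{DROPPED}"', "Magnify.exe"),
    _ev(SID + r"\Control Panel\Desktop\SCRNSAVE.EXE", f'"{DROPPED}"', SAMPLE),
    _ev(SID + r"\Control Panel\Desktop\SCRNSAVE.EXE", f'"{DROPPED}"', "Magnify.exe"),
    _ev(SID + r"\Control Panel\Desktop\Wallpaper", r"C:\Users\Admin\AppData\Local\Temp\tmpCABD.bmp", "Magnify.exe"),
    _ev(SID + r"\Control Panel\International\Geo\Nation", "", "Magnify.exe", op="Key value queried"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.location:<24} {f.process:<52} {f.target}  [{'; '.join(f.reasons)}]")
```

Run against the constructed events it reports eight findings, all four autostart locations, every one pointing at the same Magnify.exe under AppData\Roaming; the wallpaper write and the Geo\Nation read are ignored. Matching on the key tail rather than the full path is what lets the same rule serve both the HKU\<SID> writes shown here and HKLM writes from an elevated sample.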
Processes
Indentation shows parent/child depth. The ransom note is presented three ways (the .html in Edge, the .txt in Notepad, the .vbs through WScript), and a second Edge instance is pointed at the first payment URL from the configuration; AUDIODG.EXE starting during the run is consistent with Cerber's known use of text-to-speech from its .vbs note. Both the original sample and the dropped copy remove themselves with the same cmd /d /c taskkill & ping & del idiom.

C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe  (PID 3192)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe"
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe  (PID 452)
      cmdline: "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe"
      - Adds policy Run key to start application
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Sets desktop wallpaper using registry
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe  (PID 3216)
          cmdline: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
          - Interacts with shadow copies

        C:\Windows\system32\wbem\wmic.exe  (PID 2412)
          cmdline: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2620)
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4532)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab24c46f8,0x7ffab24c4708,0x7ffab24c4718

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1912)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1472)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
              - Suspicious behavior: EnumeratesProcesses

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 664)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5064)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1380)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3384)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4960)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1872)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2992)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2504)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 /prefetch:8
              - Suspicious behavior: EnumeratesProcesses

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3904)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1100)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4948)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3888)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2864)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5887784939266688785,13970439544732225431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1776 /prefetch:1

        C:\Windows\system32\NOTEPAD.EXE  (PID 4040)
          cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2840)
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.vmfu48.win/27A7-6315-3347-0073-1597

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4656)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab24c46f8,0x7ffab24c4708,0x7ffab24c4718

        C:\Windows\System32\WScript.exe  (PID 3492)
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"

        C:\Windows\system32\cmd.exe  (PID 988)
          cmdline: /d /c taskkill /t /f /im "Magnify.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{A9B9797B-2350-5224-D0C5-BE661FD62C90}\Magnify.exe" > NUL
          - System Network Configuration Discovery: Internet Connection Discovery

            C:\Windows\system32\taskkill.exe  (PID 4168)
              cmdline: taskkill /t /f /im "Magnify.exe"
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\PING.EXE  (PID 1060)
              cmdline: ping -n 1 127.0.0.1
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe

    C:\Windows\SysWOW64\cmd.exe  (PID 4112)
      cmdline: /d /c taskkill /t /f /im "270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe" > NUL
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe  (PID 436)
          cmdline: taskkill /t /f /im "270b70bad151a515136f553e5bc880ac_JaffaCakes118.exe"
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\PING.EXE  (PID 1820)
          cmdline: ping -n 1 127.0.0.1
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

C:\Windows\system32\vssvc.exe  (PID 808)
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\CompPkgSrv.exe  (PID 3668)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 2100)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\AUDIODG.EXE  (PID 1968)
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x394 0x498
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
(the number after each technique is the report's count of matching signatures)

Persistence
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (2)
  Event Triggered Execution, T1546 (1)
    Accessibility Features, T1546.008 (1)
Privilege Escalation
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (2)
  Event Triggered Execution, T1546 (1)
    Accessibility Features, T1546.008 (1)
Defense Evasion
  Direct Volume Access, T1006 (1)
  Indicator Removal, T1070 (2)
    File Deletion, T1070.004 (2)
  Modify Registry, T1112 (3)
Credential Access
  Credentials from Password Stores, T1555 (1)
    Credentials from Web Browsers, T1555.003 (1)
  Unsecured Credentials, T1552 (1)
    Credentials In Files, T1552.001 (1)
Discovery
  Browser Information Discovery, T1217 (1)
  Network Service Discovery, T1046 (2)
  Query Registry, T1012 (2)
  Remote System Discovery, T1018 (1)
  System Information Discovery, T1082 (3)
  System Location Discovery, T1614 (1)
    System Language Discovery, T1614.001 (1)
  System Network Configuration Discovery, T1016 (1)
    Internet Connection Discovery, T1016.001 (1)
Downloads

Filesize: 152B
MD5: 37f660dd4b6ddf23bc37f5c823d1c33a
SHA1: 1c35538aa307a3e09d15519df6ace99674ae428b
SHA256: 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512: 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Filesize: 152B
MD5: d7cb450b1315c63b1d5d89d98ba22da5
SHA1: 694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA256: 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512: df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Filesize: 6KB
MD5: 729540b8af2236304b74438c7d2fd050
SHA1: ed34329a7cae91fa468352bcd3c1edbab0f782ca
SHA256: bd71f07f95b1dcebe3f27031f00a322297a0ba3c76c8a6c737d5e618dfe6bcbe
SHA512: c0c9c41d0af8a69539e3545a9660a26d7445dfcc98f201d5681bf759153fef4f14bb3fd407c484a0c0fc931ccaf79f0a4daef3d60b70b8f336e77de5598c1028

Filesize: 6KB
MD5: 0bd045b74a1f92f597e3f6efb5f5bf9d
SHA1: f4f2204039b985227fc5e522bce938b26773e354
SHA256: 6599d4216a253d6f80d4b185e137c6598c87d316a68e75e6f85291f464e8b4c6
SHA512: bcf425d4d850c59efd484f0d2d2d325972d93491e5599a706fa3690799004f2e578f92900d2dd53396faeecdc4f5897c49fb644e209b6c0502523e959f601d0f

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: 447b5ed9e597b2a6ceb7b1e087de904a
SHA1: ee591acaa44cd7dc5746b4edf890309f5f771f08
SHA256: 9efbfbaaaefa35397599cf3d1d693831d914b618500e2a41e2fc4505b69d04d8
SHA512: 0b4b97e8787b5af7251c4842f858176ed14b6a1a8a4846f90405d4e8583cd4140280e39d843752e1062094b4769b9ca7875d6944bbb857e67da627af79097c8d

Filesize: 1KB
MD5: 7f63018fa7bb6ac591744b771f42b50b
SHA1: a95d68566721cd22e7625afb724adbb42b58d521
SHA256: 5e021ee9eff8218379491512eb9c5ea7f3570f77e2cd19abaefaef32a269fa75
SHA512: 7f4119deb3d38294ac8a36dcde3a2c5914fbe228404e4f11696ca6c823a1070bfaa0a7df3e02bdf4134e696da8f0bbfa77641168b731588e44bf868df815d791

Filesize: 344KB (same hashes as the submitted sample)
MD5: 270b70bad151a515136f553e5bc880ac
SHA1: 77b7def336c7647c6faadaf7136d70ff1e9ba7fc
SHA256: db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa
SHA512: c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Filesize: 12KB
MD5: efd218a89476a54272ad672a57ad7042
SHA1: 0b227cf248d1355a90aff778f0af83bf40d40994
SHA256: 581412734885380890905ff2eaf01fd727ad58a72c88bc7ea8e0bb352484fc97
SHA512: 9ef441c128918baf899c9109f6ddb69974eac3bf80a85561131db6fd814cb22043d6ab1e1494661dc494e7ca862a1950e25621ff417ac51bfa90693f679d6f3c

Filesize: 10KB
MD5: d9a83454a4d47177c92d7db730e786e9
SHA1: 5247c6263e013c016494162b479fbec548fb7087
SHA256: b169de7c5bc9f4d4f554cbef18ea8385f6c978d708c1ea072447385d135a52a8
SHA512: ff26ac1d3ea923f847f667579478b1c851e954b9979667182487a193b22ae193f5af31c8470e7837b46737ee0436d4d0d7e92252200e9509faa03fe116ad28f2

Filesize: 85B
MD5: 6128d6628812b814744d74219709e02d
SHA1: a1f7556b375c8afce9b0b30bef4cb0fbdd07b39b
SHA256: 075507aa043df834c913bd183a6868316a9becc1bcbb08e57c4530efe7f0da9c
SHA512: ba6915e6ce69afbeb1a7f70f18892512c8de0e635fbee0aad72570d112d0abfa5bb6a8f1793bd0bb2512c7a15d747496d517110fee669ff69ca3960dca92d0db

Filesize: 219B
MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853