teslacrypt | a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
Size

388KB
MD5

1fe6fdfb7796bf1ec5bdf80f86fa9dc5
SHA1

c4f86755ca60567fedc3a05ce88c4a342219c8b4
SHA256

a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba
SHA512

22cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6
SSDEEP

6144:nYMk7V7PQkaYO0iNq/PimTBQNEETJYOo0DldfrvwmjcMVW5OouUI5KtrQ8POyU:nnSdO0iNEPn+TGOoYzwscMSOXUIJ

Score

10^/10

teslacrypt defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kdpef.txt

Family

teslacrypt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BA1B1583073DEA5 2. http://kkd47eh4hdjshb5t.angortra.at/BA1B1583073DEA5 3. http://ytrest84y5i456hghadefdsd.pontogrot.com/BA1B1583073DEA5 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser 3. Type in the address bar: xlowfznrg4wf7dli.onion/BA1B1583073DEA5 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BA1B1583073DEA5 http://kkd47eh4hdjshb5t.angortra.at/BA1B1583073DEA5 http://ytrest84y5i456hghadefdsd.pontogrot.com/BA1B1583073DEA5 *-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/BA1B1583073DEA5

URLs

http://tt54rfdjhb34rfbnknaerg.milerteddy.com/BA1B1583073DEA5

http://kkd47eh4hdjshb5t.angortra.at/BA1B1583073DEA5

http://ytrest84y5i456hghadefdsd.pontogrot.com/BA1B1583073DEA5

http://xlowfznrg4wf7dli.ONION/BA1B1583073DEA5

Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
ransomware teslacrypt
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (422) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2688 cmd.exe

pid	process
2688	cmd.exe

Drops startup file 3 IoCs

Processes:

dyeopbpvfjhn.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+kdpef.png	dyeopbpvfjhn.exe

Executes dropped EXE 2 IoCs

Processes:

dyeopbpvfjhn.exedyeopbpvfjhn.exe

pid process

2232 dyeopbpvfjhn.exe
2596 dyeopbpvfjhn.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2232	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dyeopbpvfjhn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fblixqmmhrex = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dyeopbpvfjhn.exe\""	dyeopbpvfjhn.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exedyeopbpvfjhn.exe

description	pid	process	target process
PID 2868 set thread context of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2232 set thread context of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe

Drops file in Program Files directory 64 IoCs

Processes:

dyeopbpvfjhn.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Uninstall Information\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\settings.css	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\flyout_background.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Common Files\System\ado\Recovery+kdpef.txt	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\Recovery+kdpef.html	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\Recovery+kdpef.png	dyeopbpvfjhn.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\Recovery+kdpef.png	dyeopbpvfjhn.exe

Drops file in Windows directory 2 IoCs

Processes:

1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\dyeopbpvfjhn.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
File created	C:\Windows\dyeopbpvfjhn.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exeDllHost.exe1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.execmd.exedyeopbpvfjhn.exeNOTEPAD.EXEIEXPLORE.EXEcmd.exedyeopbpvfjhn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyeopbpvfjhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyeopbpvfjhn.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F818EC51-858B-11EF-A701-7E918DD97D05} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0d592cc9819db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d9070000000002000000000010660000000100002000000087b3eca2b04150b1ecce22023609334bd7c4e8ee6aaf9f94e4147bcfdf2974ee000000000e8000000002000020000000b3894fdb05284f8b7a4fba8a750b940c8bc9582008337e7b03b6f9674f8d8c6d90000000c20a58f663ee210dbff3a387c3488b386bf375076ee3058e0b827dda551f6de92a2237e555a41da34b9d90d9e430cf105b56616aca28fddb1950508bef041f86b65903e84cef14599c3fc1fd36f70d5dddb4ac7b3d260328e2c5cf50f42c2af7e312c5a2bb27464a5f1787759306f75ad61ae5f67a3489e806ba4fde5b104cc385177ec6061fecd736264027beec1ced40000000808d123fc2038a365624b60e9f6a9267031b0a3c7ddc9c108f5d00ddd48500096eefdd0533c18989322295ce865d97021fca8febfb1d6ad7babbcc3a14d59496	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000005980ce0884d51fb9f62f4a20520ee4ab080a69a773bbea202045e925ad67539e000000000e80000000020000200000007765f8c6a88e256f64703608a4a5571c1f575f76cb177b92524a40c6242d810a200000006f9c2e9ad931b78328de2426e2a43e558619a41a92c63a20bb3fd8bf620b0e6840000000b3143f5322beb78ca14ac52ef04fd0cfb131723e8af8fdd21fbdc803f7e9e575000d2b1133d41c96c3e67eca3c2dcd73963adcedf661ddab0a8fb62cd6885f99	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

dyeopbpvfjhn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	dyeopbpvfjhn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	dyeopbpvfjhn.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

624 NOTEPAD.EXE

pid	process
624	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dyeopbpvfjhn.exe

pid	process
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe
2596	dyeopbpvfjhn.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exedyeopbpvfjhn.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2296	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
Token: SeDebugPrivilege	2596	dyeopbpvfjhn.exe
Token: SeIncreaseQuotaPrivilege	1876	WMIC.exe
Token: SeSecurityPrivilege	1876	WMIC.exe
Token: SeTakeOwnershipPrivilege	1876	WMIC.exe
Token: SeLoadDriverPrivilege	1876	WMIC.exe
Token: SeSystemProfilePrivilege	1876	WMIC.exe
Token: SeSystemtimePrivilege	1876	WMIC.exe
Token: SeProfSingleProcessPrivilege	1876	WMIC.exe
Token: SeIncBasePriorityPrivilege	1876	WMIC.exe
Token: SeCreatePagefilePrivilege	1876	WMIC.exe
Token: SeBackupPrivilege	1876	WMIC.exe
Token: SeRestorePrivilege	1876	WMIC.exe
Token: SeShutdownPrivilege	1876	WMIC.exe
Token: SeDebugPrivilege	1876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1876	WMIC.exe
Token: SeRemoteShutdownPrivilege	1876	WMIC.exe
Token: SeUndockPrivilege	1876	WMIC.exe
Token: SeManageVolumePrivilege	1876	WMIC.exe
Token: 33	1876	WMIC.exe
Token: 34	1876	WMIC.exe
Token: 35	1876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2488 iexplore.exe
1780 DllHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXEDllHost.exe

pid process

2488 iexplore.exe
2488 iexplore.exe
2528 IEXPLORE.EXE
2528 IEXPLORE.EXE
1780 DllHost.exe
1780 DllHost.exe

pid	process
2488	iexplore.exe
1780	DllHost.exe

pid	process
2488	iexplore.exe
2488	iexplore.exe
2528	IEXPLORE.EXE
2528	IEXPLORE.EXE
1780	DllHost.exe
1780	DllHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exedyeopbpvfjhn.exedyeopbpvfjhn.exeiexplore.exe

description	pid	process	target process
PID 2868 wrote to memory of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2868 wrote to memory of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2868 wrote to memory of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2868 wrote to memory of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2868 wrote to memory of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2868 wrote to memory of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2868 wrote to memory of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2868 wrote to memory of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2868 wrote to memory of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2868 wrote to memory of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2868 wrote to memory of 2296	2868	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
PID 2296 wrote to memory of 2232	2296	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	dyeopbpvfjhn.exe
PID 2296 wrote to memory of 2232	2296	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	dyeopbpvfjhn.exe
PID 2296 wrote to memory of 2232	2296	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	dyeopbpvfjhn.exe
PID 2296 wrote to memory of 2232	2296	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	dyeopbpvfjhn.exe
PID 2296 wrote to memory of 2688	2296	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2688	2296	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2688	2296	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 2688	2296	1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe
PID 2232 wrote to memory of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe
PID 2232 wrote to memory of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe
PID 2232 wrote to memory of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe
PID 2232 wrote to memory of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe
PID 2232 wrote to memory of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe
PID 2232 wrote to memory of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe
PID 2232 wrote to memory of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe
PID 2232 wrote to memory of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe
PID 2232 wrote to memory of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe
PID 2232 wrote to memory of 2596	2232	dyeopbpvfjhn.exe	dyeopbpvfjhn.exe
PID 2596 wrote to memory of 1876	2596	dyeopbpvfjhn.exe	WMIC.exe
PID 2596 wrote to memory of 1876	2596	dyeopbpvfjhn.exe	WMIC.exe
PID 2596 wrote to memory of 1876	2596	dyeopbpvfjhn.exe	WMIC.exe
PID 2596 wrote to memory of 1876	2596	dyeopbpvfjhn.exe	WMIC.exe
PID 2596 wrote to memory of 624	2596	dyeopbpvfjhn.exe	NOTEPAD.EXE
PID 2596 wrote to memory of 624	2596	dyeopbpvfjhn.exe	NOTEPAD.EXE
PID 2596 wrote to memory of 624	2596	dyeopbpvfjhn.exe	NOTEPAD.EXE
PID 2596 wrote to memory of 624	2596	dyeopbpvfjhn.exe	NOTEPAD.EXE
PID 2596 wrote to memory of 2488	2596	dyeopbpvfjhn.exe	iexplore.exe
PID 2596 wrote to memory of 2488	2596	dyeopbpvfjhn.exe	iexplore.exe
PID 2596 wrote to memory of 2488	2596	dyeopbpvfjhn.exe	iexplore.exe
PID 2596 wrote to memory of 2488	2596	dyeopbpvfjhn.exe	iexplore.exe
PID 2488 wrote to memory of 2528	2488	iexplore.exe	IEXPLORE.EXE
PID 2488 wrote to memory of 2528	2488	iexplore.exe	IEXPLORE.EXE
PID 2488 wrote to memory of 2528	2488	iexplore.exe	IEXPLORE.EXE
PID 2488 wrote to memory of 2528	2488	iexplore.exe	IEXPLORE.EXE
PID 2596 wrote to memory of 2028	2596	dyeopbpvfjhn.exe	WMIC.exe
PID 2596 wrote to memory of 2028	2596	dyeopbpvfjhn.exe	WMIC.exe
PID 2596 wrote to memory of 2028	2596	dyeopbpvfjhn.exe	WMIC.exe
PID 2596 wrote to memory of 2028	2596	dyeopbpvfjhn.exe	WMIC.exe
PID 2596 wrote to memory of 2164	2596	dyeopbpvfjhn.exe	cmd.exe
PID 2596 wrote to memory of 2164	2596	dyeopbpvfjhn.exe	cmd.exe
PID 2596 wrote to memory of 2164	2596	dyeopbpvfjhn.exe	cmd.exe
PID 2596 wrote to memory of 2164	2596	dyeopbpvfjhn.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

dyeopbpvfjhn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dyeopbpvfjhn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dyeopbpvfjhn.exe

C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1fe6fdfb7796bf1ec5bdf80f86fa9dc5_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\dyeopbpvfjhn.exe
    C:\Windows\dyeopbpvfjhn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\dyeopbpvfjhn.exe
      C:\Windows\dyeopbpvfjhn.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2596
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:624
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2528
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\DYEOPB~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1FE6FD~1.EXE
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2688

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kdpef.html

Filesize
9KB

MD5
42b9defa3c22670549c88c352eebd7c8

SHA1
8e75bab6dba473467b10f25b58c0b1cb8347416d

SHA256
39a9e3af76ed44b8afa73bda85e2629657d20c24ec91ed076fd0ab87e4901ce4

SHA512
8153a4933d4d94920778fc0cf052e16d040a397a714d495d88e533f97778626d7767540e5103f08906f04d40dc58106589eb900491db628b5e3f03166ed95b64

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kdpef.png

Filesize
63KB

MD5
44b9c66b8f1f99be6198f07bae10a01e

SHA1
6784a62d466bf1383f74558b5a9075f1e8ab4a1a

SHA256
83d57950fbc1866457985347ee26040959ce509e19beecb96a605217481ea315

SHA512
832da429a963a7ca02375cc166ee5bf10ee338bc964df79f9d096ab25fde28b937de07792638ca955ad21a88c699c68cb5fdbd443945ade0605976dd5c5132da

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+kdpef.txt

Filesize
1KB

MD5
99bf04db906bf51557959c671dba9ee2

SHA1
12fcd234e530855508e205310bd01ffa43f73beb

SHA256
457f521625205d8924d851161c69642158b8fcf9ec3927758b3ed363426ea52a

SHA512
1a5285fa7b226b783e0c98ca8318c290814f2393e7cf48a34c6d02d227a67a51f2b154a10eb4d39d3e7b3e70f5ecfd7f25b66572a0c7d417f92ceeeabb62bec2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
782cd194cf17ef48b35f2a776f0b5a1c

SHA1
ecac2aeb08b0cb165fe63670e787b69c4ee48b25

SHA256
0d9a172cc228eca8a8df0656fd2ec4b0adc88689dd4f4674a3be24774dbc5f5d

SHA512
9622b74c5e0b5d0380766299ae02ab99a26cc9f11768828d754ff22ea854323770bec358cfcf0ff33cf34ecf8469c9dd63c2422ee493a0d634e150561c7a08d5

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
3d8f07eb400a297cdfb4984b9d9fee02

SHA1
3556e686330321597184e80b2f0749cc5b2abf4a

SHA256
346860aa3001b014febe0925af8a014d1e207fc89b091a45f808dd9f3e5669b7

SHA512
a9b6878d017d3e0261383704c6eebe5c76a947b7385005e44826b107da992bea0ac906d584ed4c480023c952bc3c1854c57c20de460e193f6e846a7e64bcc7c5

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
102bbbc947d6c89fc55c96412f94c13c

SHA1
67157082ee09afcb35ad4e4876a7fe4172f1290c

SHA256
56e5f9e1823e49ab81011cbfadbdac2c208d35abdbd8d39ef8f0a2305c005227

SHA512
ade23c7e730c7d52c650db4e5b632943b50613eade203565fa1f81555e4fab22947df46815c98fb5810e33d0ea55da58e5e3e7b8a504fc3d58384983c6265f84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf49d353c14e0c95eb076eca342c6c40

SHA1
e10fded1e24f59636ca3f0466a32bcad856ae7e6

SHA256
6cbb24f8c255cddbbbe07af8a923c1d556d64c635521373b7d023883e72d25b6

SHA512
68f74236c8186acfd503d3a135e90c0d5f3d2fc197b92494f3b50e3ed8878d46508ad7de444c5d04e876b95cc183b3c394c14cca6057d05780a3ed1642aeb9f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0291c04a5412c381f4d0d31b50c3e58b

SHA1
1e90ee48578b3951fbcf7c6b147e3661db3e9d27

SHA256
4f4a45084290e46fbcaa433bdcd970938ff9f8854af45cea2ce347ce00828d96

SHA512
73f6b36e7b642c9643db27463b6d45861d1c493ee9a3fd64d45facbce61fb3927c16c40f40774307601717a6f4cf083c07ba307ef47c0f633d39171887acec9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa71d9dd57ab89282ec8fddb576dfef4

SHA1
f1134b2b062a712a86512f457acd0b0ffc0b899c

SHA256
b95593117db837dbdc393f6fa7cf5bb99ca4b3bef08789231e34499a786a8866

SHA512
89af5b8a24daf5fd7a81cc4eabbe8ad4ae4a5362680b6a5ae9a5aa4fc692e67d9b8e3495443e1d56ccf932da82e61e1989b928a25a06afd9dc2086f92b858209

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58a09d82c1e9fc1f11997ee87632b3cc

SHA1
8d16af332f6a6f97fa3f2040e50a3a6176e6f9d4

SHA256
3f895e9fb596e8222ae24d4eeade20423515a7b4fa9c49b8ae3f4274376c1ae6

SHA512
4b12d2eaf90e4fa06ba59ca281eb965d0fde9127d546a0d6582b929fddc494c70af889187c0558e7d51b266306bd5d18d57dda0dff248ab89c2086c5efce9a38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
821bbce4b74071d898ac736a7d04b960

SHA1
2f7f47d3563c2fb8c2d6720a914b821275646a0c

SHA256
132f85fdb4bfe83431ba0d8fd5e16e98fa12e89236c32ce18b5101cc2761d828

SHA512
f31bbc64f48d1ded897fd476e85242a43731e9b5da21ec3e229c32833eafca4ddbf987a29ef90ef5252a16b3146c807c47ff5cd52c6966b13be89a5ae09cf5a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
467e9a92d5a31f4f8b3d58b0303c5781

SHA1
22eb2cdeffc6bf46b69509edb3f24b5246059a24

SHA256
0cc956dfb2d39e25c3e2f6661aa04a704d7ef016b1191aa2bd82d534ba470a7b

SHA512
2dd34549dc3f3054bcfd9291460ffd44083c6426dc7c370d3877e972914be48d5ef0e60b3e9a06021f2a4bf79a0acf24e15acd84ce80bd4747cb95a3e9049ebf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d42385feeb3d43274ca0eb296e693a15

SHA1
cd98dcb7c6087e9d649c7422de51cd5723e76dd0

SHA256
39aec1305594ff4ec10686d4c46cdf3dabde47f8ae16e4486a1671a2561f36b3

SHA512
3f60debe9bd7cbb5af265e4242c0924d134f522a38692e0e9c2480dd44c6ae45ccb23b84113eebdf1f6541b2bb080fe74c07dcb65dcbc9d2cfd97d8b95a23df8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dad42d8c78c467b0552770f00621841d

SHA1
17a5ff854247f6cbfaf68dd4efee6fac019ecfe8

SHA256
8ee734fbedcc95654445ed3ef4743277f91fd5b894aff4a2a12c2d7c2927798a

SHA512
b3a47ec3b4eeb1a8b29a3a8f9572f0e4812ff2f846f48121c3c2ea2d83487766fe57e738c4e002ffdfcbc86fba0f7a062bc42f9f9d00a4c847df9470104b0e3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d4350970e4e0b3287f4eb1e76b6bf45

SHA1
a97d87ccb5b58ea95c71f77a8bf7434804ce3cbc

SHA256
6038532a64dd4ad6dbcee2954351782e0bb6d245a04488c96f6d989e26d87547

SHA512
aa31ea435add14c7a4f22a9acf3459f061e7f3b7a26a366d026aac332bd9e993fed13ef2e736f119bfdc127f85791d58ed830da6945dfca00a822ad2183d0ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFA49.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFA48.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\dyeopbpvfjhn.exe

Filesize
388KB

MD5
1fe6fdfb7796bf1ec5bdf80f86fa9dc5

SHA1
c4f86755ca60567fedc3a05ce88c4a342219c8b4

SHA256
a878058e1c857a46a565cd950a6e26c2b6d30fca17ef97efb7488625c326aaba

SHA512
22cfa91dfb8f8a885932b269202b4e68da7b94316213f47729b3fc2a10050e7629abe310ffa583ca1211b54dbbc37b040f76442c1c2e774a6dfd79e3fd80d9b6

Download Submit
memory/1780-6103-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2232-28-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/2296-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2296-31-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2296-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2296-11-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2296-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2296-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2296-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2296-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2296-19-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2296-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2296-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-6107-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-1874-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-53-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-6106-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-6096-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-51-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-6143-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-6146-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-50-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-4943-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-2383-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2596-6102-0x0000000002BF0000-0x0000000002BF2000-memory.dmp

Filesize
8KB

Download
memory/2596-1878-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2868-18-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2868-0-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2868-1-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download