cerber | fbdcb15aa69d2b10586e61ed558e55bfb2e5dc44dc5dc3f1cd0eecdf1d8920ca

Analysis

max time kernel
144s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
Size

293KB
MD5

2f3373e966d98b09c7de17ebf02e3e5a
SHA1

90a307047c688dd34e9ee337bb229d6eb693cdb8
SHA256

fbdcb15aa69d2b10586e61ed558e55bfb2e5dc44dc5dc3f1cd0eecdf1d8920ca
SHA512

2ea399966362e572e0e6562ae4fc7631ee56a3dedbcd4537ceeb4ea4005b6d319f5815f4b253d506d39371fea6946aca48b23ce54851c7a085b0731aef412992
SSDEEP

6144:ln/L+Xx9IroJBTRohGirODzHW+/NPpXpcgojiONSI74jOMPtGR:tEx9IsihGiO/zKg2gGQO+i

Score

10^/10

cerber defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# HELP DECRYPT #.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Cerber Ransomware</title> <style> a { color: #47c; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #333; font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; line-height: 1.6; margin: 0; padding: 0; } hr { background-color: #e7e7e7; border: 0 none; border-bottom: 1px solid #c7c7c7; height: 5px; margin: 30px 0; } li { padding: 0 0 7px 7px; } ol { padding-left: 3em; } .container { background-color: #fff; border: 1px solid #c7c7c7; margin: 40px; padding: 40px 40px 20px 40px; } .info, .tor { background-color: #efe; border: 1px solid #bda; display: block; padding: 0px 20px; } .logo { font-size: 12px; font-weight: bold; line-height: 1; margin: 0; } .upd_on { color: red; display: block; } .upd_off { display: none; float: left; } .tor { padding: 10px 0; text-align: center; } .url { margin-right: 5px; } .warning { background-color: #f5e7e7; border: 1px solid #ebccd1; color: #a44; display: block; padding: 15px 10px; text-align: center; } </style> </head> <body> <div class="container"> <h3>C E R B E R   R A N S O M W A R E</h3> <hr> Cannot you find the files you need? Is the content of the files that you looked for not readable? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#C3rber Ransomware". <hr> If you are reading this message it means the software "Cerber" has been removed from your computer. <hr> <h3>What is encryption?</h3> Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. <hr> <h3>Everything is clear for me but what should I do?</h3> The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !Any attempts to get back your files with the third-party tools can be fatal for your encrypted files! The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files! When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. <hr> There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already. <hr> For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: <ol> <li>decrypt all your files;</li> <li>work with your documents;</li> <li>view your photos and other media;</li> <li>continue your usual and comfortable work at the computer.</li> </ol> If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. <hr> <div class="info"> There is a list of temporary addresses to go on your personal page below: <ol> <li>Please wait...<a class="url" href="http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21" id="url_1" target="_blank">http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21</a>(<a href="#updateUrl" onClick="return updateUrl();" style="color: red;">Get a NEW address!</a>)</li> <li><a href="http://52uo5k3t73ypjije.n8niwa.bid/D338-A83E-DE5F-0042-FF21" target="_blank">http://52uo5k3t73ypjije.n8niwa.bid/D338-A83E-DE5F-0042-FF21</a></li> <li><a href="http://52uo5k3t73ypjije.ojesoa.bid/D338-A83E-DE5F-0042-FF21" target="_blank">http://52uo5k3t73ypjije.ojesoa.bid/D338-A83E-DE5F-0042-FF21</a></li> <li><a href="http://52uo5k3t73ypjije.7j6htz.bid/D338-A83E-DE5F-0042-FF21" target="_blank">http://52uo5k3t73ypjije.7j6htz.bid/D338-A83E-DE5F-0042-FF21</a></li> <li><a href="http://52uo5k3t73ypjije.onion.to/D338-A83E-DE5F-0042-FF21" target="_blank">http://52uo5k3t73ypjije.onion.to/D338-A83E-DE5F-0042-FF21</a></li> </ol> </div> <hr> <h3>What should you do with these addresses?</h3> If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): <ol> <li>take a look at the first address (in this case it is Please wait...<a class="url" href="http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21" id="url_2" target="_blank">http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21</a>);</li> <li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li> <li>release the left mouse button and press the right one;</li> <li>select "Copy" in the appeared menu;</li> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li> <li>click the right mouse button in the field where the site address is written;</li> <li>select the button "Insert" in the appeared menu;</li> <li>then you will see the address Please wait...<a class="url" href="http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21" id="url_3" target="_blank">http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21</a> appeared there;</li> <li>press ENTER;</li> <li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: <ol> <li>click the left mouse button on the first address (in this case it is Please wait...<a class="url" href="http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21" id="url_4" target="_blank">http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21</a>);</li> <li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li> </ol> If for some reason the site cannot be opened check the connection to the Internet. <hr> Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: <ol> <li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li> <li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loading;</li> <li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>run Tor Browser;</li> <li>connect with the button "Connect" (if you use the English version);</li> <li>a normal Internet browser window will be opened after the initialization;</li> <li>type or copy the address http://52uo5k3t73ypjije.onion/D338-A83E-DE5F-0042-FF21 in this browser address bar;</li> <li>press ENTER;</li> <li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li> </ol> If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. <hr> <h3>Additional information:</h3> You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. <hr> Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. <hr> If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. <hr> Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files. </div> <script> function getXMLHttpRequest() { if (window.XMLHttpRequest) { return new window.XMLHttpRequest; } else { try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } } function getUrlContent(url, callback) { var xhttp = getXMLHttpRequest(); if (xhttp) { xhttp.onreadystatechange = function() { if (xhttp.readyState == 4) { if (xhttp.status == 200) { return callback(xhttp.responseText.replace(/[\s ]+/gm, ""), null); } else { return callback(null, true); } } }; xhttp.open("GET", url + '?_=' + new Date().getTime(), true); xhttp.send(); } else { return callback(null, true); } } function server1(address, callback) { getUrlContent("http://btc.blockr.io/api/v1/address/txs/" + address, function(result, error) { if (!error) { var tx = /"tx":"([\w]+)","time_utc":"[\w-:]+","confirmations":[\d]+,"amount":-/.exec(result); if (tx) { getUrlContent("http://btc.blockr.io/api/v1/tx/info/" + tx[1], function(result, error) { if (!error) { var address = /"vouts":\[{"address":"([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true); } }); } function server2(address, callback) { getUrlContent("http://api.blockcypher.com/v1/btc/main/addrs/" + address, function(result, error) { if (!error) { var tx = /"tx_hash":"([\w]+)","block_height":[\d]+,"tx_input_n":[\d-]+,"tx_output_n":-/.exec(result); if (tx) { getUrlContent("http://api.blockcypher.com/v1/btc/main/txs/" + tx[1], function(result, error) { if (!error) { var address = /"outputs":\[{"value":[\d]+,"script":"[\w]+","spent_by":"[\w]+","addresses":\["([\w]+)"/.exec(result); if (address) { return callback(address[1], null); } else { return callback(null, true); } } else { return callback(null, true); } }); } else { return callback(null, true); } } else { return callback(null, true);

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# HELP DECRYPT #.txt

Ransom Note

C_E_R_B_E_R R_A_N_S_O_M_W_A_R_E ######################################################################### Cannot you find the files you need? Is the content of the files that you looked for not readable??? It is normal because the files' names, as well as the data in your files have been encrypted. Great! You have turned to be a part of a big community "#Cerb3r Ransomware". ######################################################################### !!! If you are reading this message it means the software "Cerber" has !!! been removed from your computer. !!! HTML instruction ("# DECRYPT MY FILES #.html") always contains a !!! working domain of your personal page! ######################################################################### What is encryption? ------------------- Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users. To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data. ######################################################################### Everything is clear for me but what should I do? ------------------------------------------------ The first step is reading these instructions to the end. Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions. It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them. !!! Any attempts to return your files with the third-party tools can !!! be fatal for your encrypted files. The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle, but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files. ######################################################################### !!! There are several plain steps to restore your files but if you do !!! not follow them we will not be able to help you, and we will not try !!! since you have read this warning already. ######################################################################### For your information the software to decrypt your files (as well as the private key provided together) are paid products. After purchase of the software package you will be able to: 1. decrypt all your files; 2. work with your documents; 3. view your photos and other media; 4. continue your usual and comfortable work at the computer. If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. ######################################################################### There is a list of temporary addresses to go on your personal page below: _______________________________________________________________________ | | 1. http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21 | | 2. http://52uo5k3t73ypjije.n8niwa.bid/D338-A83E-DE5F-0042-FF21 | | 3. http://52uo5k3t73ypjije.ojesoa.bid/D338-A83E-DE5F-0042-FF21 | | 4. http://52uo5k3t73ypjije.7j6htz.bid/D338-A83E-DE5F-0042-FF21 | | 5. http://52uo5k3t73ypjije.onion.to/D338-A83E-DE5F-0042-FF21 |_______________________________________________________________________ ######################################################################### What should you do with these addresses? ---------------------------------------- If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it): 1. take a look at the first address (in this case it is http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21); 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select "Copy" in the appeared menu; 5. run your Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button "Insert" in the appeared menu; 9. then you will see the address http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21 appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions. If you browse the instructions in HTML format: 1. click the left mouse button on the first address (in this case it is http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21); 2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address. If for some reason the site cannot be opened check the connection to the Internet. ######################################################################### Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products. Unlike them we are ready to help you always. If you need our help but the temporary sites are not available: 1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button "Connect" (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address ________________________________________________________ | | | http://52uo5k3t73ypjije.onion/D338-A83E-DE5F-0042-FF21 | |________________________________________________________| in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation. If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files. ######################################################################### Additional information: You will find the instructions for restoring your files in those folders where you have your encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company. ######################################################################### Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place. ######################################################################### If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support. ######################################################################### Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.

URLs

http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21

http://52uo5k3t73ypjije.n8niwa.bid/D338-A83E-DE5F-0042-FF21

http://52uo5k3t73ypjije.ojesoa.bid/D338-A83E-DE5F-0042-FF21

http://52uo5k3t73ypjije.7j6htz.bid/D338-A83E-DE5F-0042-FF21

http://52uo5k3t73ypjije.onion.to/D338-A83E-DE5F-0042-FF21

http://52uo5k3t73ypjije.onion/D338-A83E-DE5F-0042-FF21

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Contacts a large (524) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

pid	Process
3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpD05B.bmp"	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3788 set thread context of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# HELP DECRYPT #.html	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# HELP DECRYPT #.txt	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# HELP DECRYPT #.url	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3436	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
804	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3436	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4640	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
4640	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
4640	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
4640	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
3108	msedge.exe
3108	msedge.exe
288	msedge.exe
288	msedge.exe
4196	identity_helper.exe
4196	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4640	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	948	WMIC.exe
Token: SeSecurityPrivilege	948	WMIC.exe
Token: SeTakeOwnershipPrivilege	948	WMIC.exe
Token: SeLoadDriverPrivilege	948	WMIC.exe
Token: SeSystemProfilePrivilege	948	WMIC.exe
Token: SeSystemtimePrivilege	948	WMIC.exe
Token: SeProfSingleProcessPrivilege	948	WMIC.exe
Token: SeIncBasePriorityPrivilege	948	WMIC.exe
Token: SeCreatePagefilePrivilege	948	WMIC.exe
Token: SeBackupPrivilege	948	WMIC.exe
Token: SeRestorePrivilege	948	WMIC.exe
Token: SeShutdownPrivilege	948	WMIC.exe
Token: SeDebugPrivilege	948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	948	WMIC.exe
Token: SeRemoteShutdownPrivilege	948	WMIC.exe
Token: SeUndockPrivilege	948	WMIC.exe
Token: SeManageVolumePrivilege	948	WMIC.exe
Token: 33	948	WMIC.exe
Token: 34	948	WMIC.exe
Token: 35	948	WMIC.exe
Token: 36	948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	948	WMIC.exe
Token: SeSecurityPrivilege	948	WMIC.exe
Token: SeTakeOwnershipPrivilege	948	WMIC.exe
Token: SeLoadDriverPrivilege	948	WMIC.exe
Token: SeSystemProfilePrivilege	948	WMIC.exe
Token: SeSystemtimePrivilege	948	WMIC.exe
Token: SeProfSingleProcessPrivilege	948	WMIC.exe
Token: SeIncBasePriorityPrivilege	948	WMIC.exe
Token: SeCreatePagefilePrivilege	948	WMIC.exe
Token: SeBackupPrivilege	948	WMIC.exe
Token: SeRestorePrivilege	948	WMIC.exe
Token: SeShutdownPrivilege	948	WMIC.exe
Token: SeDebugPrivilege	948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	948	WMIC.exe
Token: SeRemoteShutdownPrivilege	948	WMIC.exe
Token: SeUndockPrivilege	948	WMIC.exe
Token: SeManageVolumePrivilege	948	WMIC.exe
Token: 33	948	WMIC.exe
Token: 34	948	WMIC.exe
Token: 35	948	WMIC.exe
Token: 36	948	WMIC.exe
Token: SeBackupPrivilege	2472	vssvc.exe
Token: SeRestorePrivilege	2472	vssvc.exe
Token: SeAuditPrivilege	2472	vssvc.exe
Token: 33	2164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2164	AUDIODG.EXE
Token: SeDebugPrivilege	804	taskkill.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe
288	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86
PID 3788 wrote to memory of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86
PID 3788 wrote to memory of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86
PID 3788 wrote to memory of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86
PID 3788 wrote to memory of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86
PID 3788 wrote to memory of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86
PID 3788 wrote to memory of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86
PID 3788 wrote to memory of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86
PID 3788 wrote to memory of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86
PID 3788 wrote to memory of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86
PID 3788 wrote to memory of 4640	3788	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	86
PID 4640 wrote to memory of 440	4640	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	87
PID 4640 wrote to memory of 440	4640	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	87
PID 440 wrote to memory of 948	440	cmd.exe	89
PID 440 wrote to memory of 948	440	cmd.exe	89
PID 4640 wrote to memory of 288	4640	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	102
PID 4640 wrote to memory of 288	4640	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	102
PID 288 wrote to memory of 308	288	msedge.exe	103
PID 288 wrote to memory of 308	288	msedge.exe	103
PID 4640 wrote to memory of 3956	4640	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	104
PID 4640 wrote to memory of 3956	4640	2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe	104
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 4556	288	msedge.exe	105
PID 288 wrote to memory of 3108	288	msedge.exe	106
PID 288 wrote to memory of 3108	288	msedge.exe	106
PID 288 wrote to memory of 2656	288	msedge.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Local\Temp\2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic.exe shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# HELP DECRYPT #.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffacf7646f8,0x7ffacf764708,0x7ffacf764718
      4⤵
      PID:308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
      4⤵
      PID:4556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:8
      4⤵
      PID:2656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
      4⤵
      PID:3824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
      4⤵
      PID:4100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
      4⤵
      PID:2544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
      4⤵
      PID:4636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
      4⤵
      PID:2916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
      4⤵
      PID:3620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
      4⤵
      PID:3232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
      4⤵
      PID:2028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
      4⤵
      PID:2408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11080943018757161544,7997054113975710002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
      4⤵
      PID:280
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# HELP DECRYPT #.txt
    3⤵
    PID:3956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.o8hpwj.bid/D338-A83E-DE5F-0042-FF21?auto
    3⤵
    PID:164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffacf7646f8,0x7ffacf764708,0x7ffacf764718
      4⤵
      PID:4560
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:3976
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "2f3373e966d98b09c7de17ebf02e3e5a_JaffaCakes118.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:804
  - - C:\Windows\system32\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8696b871a8af8be12feceed43c36ca09

SHA1
36f81336ce8f47cc41452cdff3ef265a3db3065f

SHA256
34c67deb4edef15c289e82709c25ea206e1fc98d1e048394c4faaf564e08597e

SHA512
0f307ca2773639e3c46eca265c647df622c87121c7c4f09b6666ea4c6fa2c4e1a2ddb97e1e3ae5d62ecd28c79d002edc85e9ebc54e775525a12e415f6f6ef050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d575e1a996b5ebe77b26602fdb6a55cf

SHA1
aa1c20b50150bc04c3b2951dd9d9b59b593e607f

SHA256
4acbda73fb666bb69531045a13f24fa746502bf1d65348ea7ba160c52569bbcc

SHA512
ca5e7e40d2e860dbc47dc535c93c5106833cf5828b9023cd35b8314b7858da7356892d6cd6d648b2c14b35d4c56098d082fc287e6f089e04bcdf1c4087a7c452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
478b02c8edba643bfc0a0170ee29b20a

SHA1
9bea94213cccdd0c0920c645dc5031fc4a582739

SHA256
def72163b3fbc11594b302aa9b8bb98f93c161908d5e2174c6d187cd103ec917

SHA512
e9f3ccde133d7f871b6e633400eac40a0f08e29f3efe0b04053e469d01d7938d5b68a3c148599690356225878ca937d36b0165990b2f71b5ec6718c8d5a5ac2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C41.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Roaming\CTOCWidget.js

Filesize
4KB

MD5
e44bf097d9a8ecc77aa8cc101b3c8e84

SHA1
5b166477b20f71ca9898d01ae85f07b0a29b2ff0

SHA256
8d9dae274b0e2175c02feb744a640ce0de2995c8f16340e2adac81fc152c19b1

SHA512
b6eef655e92f50309b5b0aa68aac88d168e03e0fbfcbcb27c226d6bd408defa2fd1ea80e3856508bdd0e779dff28de2ddad7f5d238a80c7346b1382f6060a384

Download Submit
C:\Users\Admin\AppData\Roaming\DumpLog.dll

Filesize
14KB

MD5
68034fc27e1c9f1cb2b6a6f60eefd893

SHA1
2ed61813ff32d7faa818ef7d9b3b18c9d3829541

SHA256
dd5f2a15d20726016da804082c1d767b0d0404e9292cf211336746bbb67109b0

SHA512
93753329f3680dca4045b9abd251f7ecd978e7b831e8fced3d75deb3de7c65c6b841824f6a7c6810e604ae3dab3dc5f7eca026c46cbbba47998b507aa1f29f6b

Download Submit
C:\Users\Admin\AppData\Roaming\color_mngmt.png

Filesize
1KB

MD5
7fb86957f74857c520bd710a29bc598f

SHA1
cf308dd290ecad39e0a21aa222bba46c2a82c58d

SHA256
f223e56196cbda40e4bdedda2ef2f53e38371b98081c7990e0c3decff4a8ed1d

SHA512
45819900bc77df77a6226110e2352dff8022b8912a27f7b6579bd7d6ff7ca200e10222989dd1a30a78ebdf5127073dc0bf3832faacf17e5ff3d496382e64823f

Download Submit
C:\Users\Admin\AppData\Roaming\computer_server_stack.png

Filesize
1KB

MD5
db13332156f5819ca68b2b3480830fed

SHA1
e8990679d5d08a90ff48bf60e36ef840d7147c39

SHA256
d83b332197038923b2725bb988cb0a30eaded162c4e41c951824b3192ebdb004

SHA512
d687ab8114e4e432823af66d02870da3b3cae67e6dc99164c7d9d6370ab71ab32fb751f8fdfa0df7ead09f65c688ea85d0dbb55f301938877ae0376d9cb1646b

Download Submit
C:\Users\Admin\AppData\Roaming\error-2.png

Filesize
4KB

MD5
03bb2810172dbaec0061344c74909121

SHA1
5f865501f722f0f7438f0fa8b41cf39797f939d0

SHA256
c82b31f78c0b8231e00186c1ce03c14fbf2fe830a89e231bb089f1f84decdc0d

SHA512
ab99ee2cc7e9222a7d7d44fd66f1ea5ed8d862eacdaf946a43d94f06e75e93d90a83c45bbe92da8885cb373cd5b6f60c199f6f3bb854c7822bc1a46cc282631c

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# HELP DECRYPT #.html

Filesize
19KB

MD5
5673c8fa6e88ed66b14bfe6abe88bd51

SHA1
0258ce3f4c4685d4b4ff358daa96edd4db62e62e

SHA256
9511e5a072dd5d57931f3d4ece58defec16c9cbe919cb52c16182e1d4f433b92

SHA512
52aab718881a1084e92b3fe093dc69d08ba0b77dcb7e616f940c69070d6cde0666066d734c8589bf850bb00ccf79da7959c10dfd114b0b13dea5a999fb7ad018

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# HELP DECRYPT #.txt

Filesize
10KB

MD5
0677f5c1920e8cf64f298ba8756191f9

SHA1
bcc640590788ccf10cbcddcf4ceb245884905906

SHA256
49a0cb8b0496b9ed053faa132ba3d88a947819dbb54bf45c2acca3adebc94d96

SHA512
87925b0f15d44a00c66ac01e4e0e7badc0d2de337d3fb1ac19527f38b478f9ec345b1319466710b1853d97a6286680fa3c69ddfda2c8acc7df9a08292ae00df9

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\# HELP DECRYPT #.url

Filesize
90B

MD5
30528e0761861f261e7900d6a03a0e40

SHA1
3a225d4541722f2624407bb9031b4ec5a66f602b

SHA256
771e786a8af61f307e7736e69cf2b89b5ecba8a5a858e80be8c1f711c8fa39e9

SHA512
3a4425d49c52a37753a2a1cf03676ed38f3eaf3e9babe4ed2a9c2b6639b9f0aa437a37add3017ed674cb5280841c175a7c12cc3656018e595ad75bbf78be261e

Download Submit
memory/4640-787-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-814-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-781-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-784-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-790-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-793-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-796-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-799-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-802-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-805-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-808-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-811-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-817-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-820-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-823-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-826-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-831-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-23-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-22-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-20-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-865-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-19-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4640-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download