4f1e783f68071d95e0b07e1f8b80ed49d0d94a089ae96016b197f846350cfe66

Resubmissions

16/10/2024, 02:26

241016-cwyacaxhmd 10

16/10/2024, 02:19

241016-csapwasbjm 10

Analysis

max time kernel
141s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe
Size

364KB
MD5

4affa384ff6ab351df42fc3a02716670
SHA1

7bebae1ad50fd27c3df625dc3995256f7d8bb8c2
SHA256

4f1e783f68071d95e0b07e1f8b80ed49d0d94a089ae96016b197f846350cfe66
SHA512

802616cac860ed2facd74387475e45ecd5a9e00fb106db801cd0168659fcecb9bb0ca6afb4cfeeca592d24d20c07add685e9a65c3178c839d37850a324906070
SSDEEP

6144:rHDYm7R++Qhm/FxsB+lIB+0ODLawCi308Ki7B4iTK24D1sr:rHr2mwB+g03S5idVK24Zsr

Score

10^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\+REcovER+ewfdo+.txt

Ransom Note

{}_~_~+ -$.-_+$|~~_|| =|_$.**+-~| $+|=*.-=| !!! IMPORTANT INFORMATION !!!! All of your files are encrypted with RSA-4096. More information about the RSA algorythm can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server. To receive your private key follow one of the links: 1. http://88fga.ketteaero.com/9C9DD2E0EAF29921 2. http://2bdfb.spinakrosa.at/9C9DD2E0EAF29921 3. http://uj5nj.onanwhit.com/9C9DD2E0EAF29921 If all of the addresses are not available, follow these steps: 1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: k7tlx3ghr3m4n2tu.onion/9C9DD2E0EAF29921 4. Follow the instructions on the site. !!! Your personal identification ID: 9C9DD2E0EAF29921 !!! )(*=~_$~+$==-$*~=$$ __$-=-+*

URLs

http://88fga.ketteaero.com/9C9DD2E0EAF29921

http://2bdfb.spinakrosa.at/9C9DD2E0EAF29921

http://uj5nj.onanwhit.com/9C9DD2E0EAF29921

http://k7tlx3ghr3m4n2tu.onion/9C9DD2E0EAF29921

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	yekoen.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\+REcovER+ewfdo+.txt	yekoen.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\+REcovER+ewfdo+.txt	yekoen.exe

Executes dropped EXE 2 IoCs

pid	Process
744	yekoen.exe
4796	yekoen.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vssebhqpt = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START \"\" \"C:\\Users\\Admin\\Documents\\yekoen.exe\""	yekoen.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 1688	1704	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	95
PID 744 set thread context of 4796	744	yekoen.exe	101

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\+REcovER+ewfdo+.txt	yekoen.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-100.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Klondike.Medium.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\+REcovER+ewfdo+.txt	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-60_altform-unplated.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Deleted\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-200.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-200.png	yekoen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-black_scale-125.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\WideTile.scale-125.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-100_contrast-black.png	yekoen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Fonts\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-20.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-lightunplated.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-150.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-400.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_NinjaCat.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-400.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-high.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\+REcovER+ewfdo+.txt	yekoen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionSmallTile.scale-150.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_altform-lightunplated.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\messaging\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-100_contrast-white.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-100.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256_altform-lightunplated.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\+REcovER+ewfdo+.txt	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\30.jpg	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalMedTile.scale-100_contrast-white.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-100_contrast-white.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\offlineUtilities.js	yekoen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\+REcovER+ewfdo+.txt	yekoen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\+REcovER+ewfdo+.txt	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-40_altform-unplated_contrast-black.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	yekoen.exe
File opened for modification	C:\Program Files\dotnet\swidtag\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\az-Latn-AZ\View3d\+REcovER+ewfdo+.txt	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\+REcovER+ewfdo+.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-200.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-24.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-250.png	yekoen.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg5_thumb.png	yekoen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yekoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yekoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2324	vssadmin.exe
4496	vssadmin.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Axronics	yekoen.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	yekoen.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe
4796	yekoen.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	yekoen.exe
Token: SeBackupPrivilege	4540	vssvc.exe
Token: SeRestorePrivilege	4540	vssvc.exe
Token: SeAuditPrivilege	4540	vssvc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1688	1704	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	95
PID 1704 wrote to memory of 1688	1704	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	95
PID 1704 wrote to memory of 1688	1704	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	95
PID 1704 wrote to memory of 1688	1704	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	95
PID 1704 wrote to memory of 1688	1704	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	95
PID 1704 wrote to memory of 1688	1704	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	95
PID 1704 wrote to memory of 1688	1704	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	95
PID 1704 wrote to memory of 1688	1704	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	95
PID 1704 wrote to memory of 1688	1704	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	95
PID 1704 wrote to memory of 1688	1704	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	95
PID 1688 wrote to memory of 744	1688	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	96
PID 1688 wrote to memory of 744	1688	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	96
PID 1688 wrote to memory of 744	1688	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	96
PID 1688 wrote to memory of 4364	1688	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	97
PID 1688 wrote to memory of 4364	1688	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	97
PID 1688 wrote to memory of 4364	1688	4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe	97
PID 744 wrote to memory of 4796	744	yekoen.exe	101
PID 744 wrote to memory of 4796	744	yekoen.exe	101
PID 744 wrote to memory of 4796	744	yekoen.exe	101
PID 744 wrote to memory of 4796	744	yekoen.exe	101
PID 744 wrote to memory of 4796	744	yekoen.exe	101
PID 744 wrote to memory of 4796	744	yekoen.exe	101
PID 744 wrote to memory of 4796	744	yekoen.exe	101
PID 744 wrote to memory of 4796	744	yekoen.exe	101
PID 744 wrote to memory of 4796	744	yekoen.exe	101
PID 744 wrote to memory of 4796	744	yekoen.exe	101
PID 4796 wrote to memory of 2324	4796	yekoen.exe	102
PID 4796 wrote to memory of 2324	4796	yekoen.exe	102
PID 4796 wrote to memory of 2688	4796	yekoen.exe	116
PID 4796 wrote to memory of 2688	4796	yekoen.exe	116
PID 4796 wrote to memory of 2688	4796	yekoen.exe	116
PID 4796 wrote to memory of 4496	4796	yekoen.exe	117
PID 4796 wrote to memory of 4496	4796	yekoen.exe	117
PID 4796 wrote to memory of 2180	4796	yekoen.exe	119
PID 4796 wrote to memory of 2180	4796	yekoen.exe	119
PID 4796 wrote to memory of 2180	4796	yekoen.exe	119

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yekoen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	yekoen.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4affa384ff6ab351df42fc3a02716670_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\Documents\yekoen.exe
    C:\Users\Admin\Documents\yekoen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Users\Admin\Documents\yekoen.exe
      C:\Users\Admin\Documents\yekoen.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4796
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2324
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+REcovER+ewfdo+.txt
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:4496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\DOCUME~1\yekoen.exe >> NUL
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4AFFA3~1.EXE >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\+REcovER+ewfdo+.png

Filesize
37KB

MD5
44266ccabaa27f33630248d42a7d20b9

SHA1
6483d90b659573e525d8e3e1cbaa8b1fd8184ea6

SHA256
ed328ff997249744de73f7b6903da525a017ff17ecb652d3146c04600b4580a9

SHA512
ce897b94b34100e69fc5042f05dab13241ada78e6b1e8cea3f00789925e9b12e3ca8d9eedca40267bb3e12b32af6c55927bb66652050153b37ff7c450e106e86

Download Submit
C:\Program Files\7-Zip\Lang\+REcovER+ewfdo+.txt

Filesize
1KB

MD5
b16d6e2b13f09ce8bd948cd8525304bb

SHA1
8e409a168ddc637a572be43b4e2ddf59208b39b7

SHA256
eb5b8354d49690b6221ebfed1d3f898b050d967e9647849681a136442b00180a

SHA512
0555f44a2064e6c24d2e0f56f901ff30aa891bc96884a4582fc36ece73bca2839427a12ce2b5b9a2d8935798e2a1b265b412cf1e4e690eebcb3625c9d5805eed

Download Submit
C:\Users\Admin\Documents\yekoen.exe

Filesize
364KB

MD5
4affa384ff6ab351df42fc3a02716670

SHA1
7bebae1ad50fd27c3df625dc3995256f7d8bb8c2

SHA256
4f1e783f68071d95e0b07e1f8b80ed49d0d94a089ae96016b197f846350cfe66

SHA512
802616cac860ed2facd74387475e45ecd5a9e00fb106db801cd0168659fcecb9bb0ca6afb4cfeeca592d24d20c07add685e9a65c3178c839d37850a324906070

Download Submit
memory/744-13-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1688-6-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1688-5-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1688-7-0x0000000074490000-0x00000000744C9000-memory.dmp

Filesize
228KB

Download
memory/1688-4-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1688-14-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1688-16-0x0000000074490000-0x00000000744C9000-memory.dmp

Filesize
228KB

Download
memory/1688-2-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1704-0-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/1704-3-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/1704-1-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/4796-23-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-1561-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-21-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-25-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-27-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-20-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-19-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-294-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-1324-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-22-0x0000000074490000-0x00000000744C9000-memory.dmp

Filesize
228KB

Download
memory/4796-3762-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-6566-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-6903-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-6904-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-6909-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-6910-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-6913-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-6916-0x0000000074490000-0x00000000744C9000-memory.dmp

Filesize
228KB

Download