Malware Analysis Report

2025-03-15 08:13

Sample ID 241016-kcqp6avhqj
Target 4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118
SHA256 ef6e9e5c78935d2248bea62cffff95ec3b4bef29ffb3d3d916f6aaf57bcb572f
Tags
defense_evasion discovery execution impact persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ef6e9e5c78935d2248bea62cffff95ec3b4bef29ffb3d3d916f6aaf57bcb572f

Threat Level: Known bad

The file 4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution impact persistence ransomware spyware stealer

Renames multiple (440) files with added filename extension

Deletes shadow copies

Loads dropped DLL

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Indicator Removal: File Deletion

Looks up external IP address via web service

Adds Run key to start application

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Modifies system certificate store

System policy modification

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 08:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 08:27

Reported

2024-10-16 08:30

Platform

win7-20241010-en

Max time kernel

119s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (440) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\santa_svc = "C:\\Users\\Admin\\AppData\\Roaming\\xlhnxacroic.exe" C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\settings.js C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Defender\fr-FR\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\es-ES\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\ja-JP\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\visualization\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Icons\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\settings.css C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\de-DE\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\init.js C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\it\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fy\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\service.js C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\how_recover+yol.html C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\how_recover+yol.txt C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8B2BD451-8B98-11EF-AB24-56CF32F83AF3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435229144" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000005da7ef40227a4e4b923437219504dd30bb371ff6885723fe1bb2fef83a495750000000000e800000000200002000000084b1fd2421632b4fe71bc6ee2faf073c37fc904cc8fc9bbecc2948e35bad7013200000000f7a7fc7c18ee1fd7f18df097155bdba6e97b0c493cd1b79302b0060554dae9a40000000db3d18aa82e9440319785ed1751e030415753e4d84a8ca32b34c0d05c04e44c2e29068b3811cbdaad6111118d4e31e147d30cf8a17bf12771d821251abe1409c C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 505ce85fa51fdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary value omitted] C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe
PID 2312 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe
PID 2312 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe
PID 2312 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe
PID 2312 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\System32\vssadmin.exe
PID 2196 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\System32\vssadmin.exe
PID 2196 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\System32\vssadmin.exe
PID 2196 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\System32\vssadmin.exe
PID 2196 wrote to memory of 272 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2196 wrote to memory of 272 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2196 wrote to memory of 272 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2196 wrote to memory of 272 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2196 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2196 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2196 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2196 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2940 wrote to memory of 1996 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2940 wrote to memory of 1996 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2940 wrote to memory of 1996 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2940 wrote to memory of 1996 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2196 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\System32\vssadmin.exe
PID 2196 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\System32\vssadmin.exe
PID 2196 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\System32\vssadmin.exe
PID 2196 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\System32\vssadmin.exe
PID 2196 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe

C:\Users\Admin\AppData\Roaming\xlhnxacroic.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4C1626~1.EXE

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_Restore_FILES.TXT

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_Restore_FILES.HTM

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2940 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\XLHNXA~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:80 myexternalip.com tcp
US 8.8.8.8:53 landscapesuppliesadelaide.com.au udp
US 8.8.8.8:53 customconverting.net udp
US 162.241.140.253:80 customconverting.net tcp
US 162.241.140.253:443 customconverting.net tcp
US 8.8.8.8:53 thedallaslawgroup.com udp
US 8.8.8.8:53 smarterandsafer.com udp
US 185.230.63.171:80 smarterandsafer.com tcp
US 185.230.63.171:443 smarterandsafer.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.smarterandsafer.com udp
US 34.149.87.45:443 www.smarterandsafer.com tcp
US 8.8.8.8:53 crockpotsmart.com udp
US 8.8.8.8:53 magaz.mdoy.pro udp
RU 95.79.92.138:80 magaz.mdoy.pro tcp
RU 95.79.92.138:443 magaz.mdoy.pro tcp
US 162.241.140.253:80 customconverting.net tcp
US 162.241.140.253:443 customconverting.net tcp
US 185.230.63.171:80 smarterandsafer.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
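The Network table above mixes three kinds of traffic: the external-IP lookup that the "Looks up external IP address via web service" signature refers to (myexternalip.com), background traffic from Internet Explorer rendering the HTM ransom note (ieonline.microsoft.com and r11.o.lencr.org, the Let's Encrypt OCSP responder), and the names the sample itself resolved and connected to. Several names (landscapesuppliesadelaide.com.au, thedallaslawgroup.com, crockpotsmart.com) show only a DNS query and no TCP connection, which usually means the name did not resolve or the sample moved on to the next host in its list. The script below is an added example, not part of the sandbox report: it parses the rows as printed and buckets each domain, so the hosts actually contacted come out with their ip/port pairs while the resolve-only names and the noise are kept apart. The allowlists IP_CHECK_HOSTS and NOISE_SUFFIXES are assumptions, not something the report states.

```python
"""Triage of the behavioral1 Network table: separate the external-IP check,
browser/OS background traffic and DNS-only names from hosts the sample
actually connected to. Added example, not part of the sandbox report."""
from collections import defaultdict

# Rows copied from the Network table above (report data).
NETWORK_TABLE = """\
US 8.8.8.8:53 myexternalip.com udp
US 34.160.111.145:80 myexternalip.com tcp
US 8.8.8.8:53 landscapesuppliesadelaide.com.au udp
US 8.8.8.8:53 customconverting.net udp
US 162.241.140.253:80 customconverting.net tcp
US 162.241.140.253:443 customconverting.net tcp
US 8.8.8.8:53 thedallaslawgroup.com udp
US 8.8.8.8:53 smarterandsafer.com udp
US 185.230.63.171:80 smarterandsafer.com tcp
US 185.230.63.171:443 smarterandsafer.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.smarterandsafer.com udp
US 34.149.87.45:443 www.smarterandsafer.com tcp
US 8.8.8.8:53 crockpotsmart.com udp
US 8.8.8.8:53 magaz.mdoy.pro udp
RU 95.79.92.138:80 magaz.mdoy.pro tcp
RU 95.79.92.138:443 magaz.mdoy.pro tcp
US 162.241.140.253:80 customconverting.net tcp
US 162.241.140.253:443 customconverting.net tcp
US 185.230.63.171:80 smarterandsafer.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

# Assumed classification lists; tune to the environment being investigated.
IP_CHECK_HOSTS = {"myexternalip.com"}                 # external-IP web services
NOISE_SUFFIXES = (".lencr.org", ".microsoft.com")     # OCSP responder, IE background traffic


def parse_rows(table: str):
    """Turn 'Country Destination Domain Proto' lines into dicts."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Bucket every domain: 'candidates' were connected to (with ip/port
    pairs), 'dns_only' were resolved but never contacted, 'ip_check' and
    'noise' come from the assumed lists."""
    resolved, contacted = set(), defaultdict(set)
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:   # a DNS query for r["domain"]
            resolved.add(r["domain"])
        else:
            contacted[r["domain"]].add((r["ip"], r["port"]))
    out = {"ip_check": set(), "noise": set(), "dns_only": set(), "candidates": {}}
    for domain in resolved | set(contacted):
        if domain in IP_CHECK_HOSTS:
            out["ip_check"].add(domain)
        elif domain.endswith(NOISE_SUFFIXES):
            out["noise"].add(domain)
        elif domain in contacted:
            out["candidates"][domain] = sorted(contacted[domain])
        else:
            out["dns_only"].add(domain)
    return out


if __name__ == "__main__":
    for bucket, members in triage(parse_rows(NETWORK_TABLE)).items():
        print(bucket, members)
```

The candidates that come out (customconverting.net, smarterandsafer.com, www.smarterandsafer.com, magaz.mdoy.pro, each on 80 and/or 443) are the hosts to pivot on; the DNS-only names still belong in the IOC set, since the sample clearly carries them, but they should be recorded as "attempted", not "contacted".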

Files

memory/2312-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2312-1-0x0000000000400000-0x0000000000486000-memory.dmp

\Users\Admin\AppData\Roaming\xlhnxacroic.exe

MD5 4c1626ea1439d9ad45d3efa5de84edb9
SHA1 2c736ddc4159ef0671508cb54d20068e4581ce56
SHA256 ef6e9e5c78935d2248bea62cffff95ec3b4bef29ffb3d3d916f6aaf57bcb572f
SHA512 00875d867697fcc4fb0b6d0828d5dd14633d3d428f60d18eb536906d8699799f444d61b3b2973f9b484018cd1f23378030aa1cf787ae30eadb652d928aebb57f

memory/2312-8-0x0000000000400000-0x0000000000486000-memory.dmp

memory/2312-7-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/2196-9-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/2196-10-0x0000000000400000-0x00000000004AD000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+yol.txt

MD5 19e60a0ecba5ff0c66afc8b66c3a29e1
SHA1 ecb95dcf2726ca856db78547181e8e9d10f2e4f6
SHA256 ae0c78abbfe6da67a410df61e87af994305c8e497a2f66ece8eff68bc3bdfe5a
SHA512 de7ef12712660cb7af5949c0eeab8389be26c7dfd1aea6b5b1f109fae59842fe4e405649d0eacc90fe67742ab17fae555137ca18a053580323bd3191c0abc478

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\how_recover+yol.html

MD5 184e7d1fd0f7cd8d2cf88e566e56bd07
SHA1 7b01b2bb38cddeea01d736dc1296c6ce1a45bf54
SHA256 cac20edbebd653e3696ee65eee1e78ef7ba92c9a166720fccd333fbf131d1912
SHA512 817c8904615798bf4f131de6fe27d33b7024e0625013cd00fd6dce4aa14651aff93324c05bb95c44ddc27be5d5210c0611e8b07d6dba5d95b5ce60ba2aec5a43

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 2ae71f5e00f5296225affe53f5115d6f
SHA1 5bbcd8d8313f8fdb28ceaacd1c3d4f749de5f246
SHA256 32e9b59be9ee3d8308997f43211304b35891b63299420a3cc9247d7b0eb607f0
SHA512 42487d712303fc92226b3f2d9eedcc9cc86d5681f0a0f14c83ee6e8f4bae400ffde164ff4598928756099466d2f3a62a6cd3315c0e5480a71dec966f101e9696

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 2d85109321bf587575f2b94dfa0d9112
SHA1 dcc82789daa2837598409915b2abbd8113a6bd89
SHA256 2fca9d11dc53aa634299325c5fe2c5665a6b58532bfa4746759587c6a41d6e36
SHA512 15832e5519870cbc19bf9b50f2622e660e9ee8b782944b5e3ebb008c307f010475b4e0b41bc1adaa78a9e85a34193825a0a46c1e9b7928e688c435f8ac194d71

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

MD5 7a5bb31437f75d72bae90f395ecf14c7
SHA1 64d55842ba5a433fe8bac6bd03c7a1f7893d54f0
SHA256 7ea234ad2b43c74658d3f35bbe5eb30a8d2f592287b12310014d00b9b0c2a0cc
SHA512 d7d3692414a655c30eaf5de3a4ae80c70090cb5adca1eb7b5716f6775bee8955227ad05bffac96ab1201710520c78ebb05c3517dc3e83338310e122a8d7c01fe

memory/2196-1674-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/2196-2748-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/2196-2749-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/2196-4407-0x0000000003780000-0x0000000003782000-memory.dmp

memory/1652-4408-0x00000000002A0000-0x00000000002A2000-memory.dmp

C:\Users\Admin\Desktop\Howto_Restore_FILES.BMP

MD5 f2cd3427306daa75c76cf81e3687e70c
SHA1 56599c487d71a40caaf1b906a858d518778a5236
SHA256 c2d56efa1b2780ae3ab8ebade640868f4a1072643c1c1936537d5eae63d5a25f
SHA512 f8ba3cd380f74b392cedd591e9eaccb4181c49d1c7f5518452a4d7873c55deac4446ca4dc81090791df7c596d0a6fc7d5b516f0a467af9999dcf52e3b8d2e304

memory/2196-4412-0x0000000000400000-0x00000000004AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar2C81.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Cab2C6E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d182749af592893f64c5dd7eb133d11
SHA1 fae61271332cca5006777c76ea6c0c57aef0170b
SHA256 4eb807aba457a9aadeb16f2f37a6179fc221171a849a5ee2c272e9ce74540a40
SHA512 7db28df642dc7b408b0e382b5b72c5435847e151f0bb026f1bcf6ae6667e14a958546ec6f1a541d5334f0e684c18e4f443892a408c235ac98e68f0c96fa2c4a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef05e0fe6b4f583cb518ef6fa3b535b8
SHA1 245f8864201a0a05d104a8739deb0a6644f5faa5
SHA256 4ed5593c8c71799784d6607a30d79f9cc61a3ab3a88f9ee68979a644332ac919
SHA512 f9850a1856b342ebd392bd894bc1220863e90f0f0a0c36024738a41e1a9c9f152c0de0a299ff8676ea361893109cd015408b03e042f960398cdba6e36492e727

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7673c65079ab1111fa15698a4ded427
SHA1 4f5caead316fc954309aafc15fcbb7493d09e490
SHA256 6a9881aade18f4d60cadfeae6282b1f87a69769fb3e371725fb9eee69eb02999
SHA512 17d97ae3f8f7310319c276f700833ba2a306c8b8e28e1fed0779f40f8d064c9d0fd76fbb9af2a8ed17f8c8eb4be47102c9f716556a5b6f74a80d80e89eb92de1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 748aa03286fbf7391351668b4c58d3c1
SHA1 2ec8964e69ed37ba021208b5d213f447682b3a81
SHA256 1f53412d6f072b33163656b1f9014e0c7047ba7a386635ffee5d21451254f7f2
SHA512 d611960f074edb0c95bb177b5d639f1c46ebd9145767fc02400c6a97b82961a42709e29fe24adfb7ab040b8d03dcaa2b130fc5b04cab426de0d1e9bb1f15100e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b43dd81c37cafc8148d136521a1cbca
SHA1 24f7f995768bbc9bd60bb85e8ffaebded362da3f
SHA256 db675ebd035c3877ce4af3105e7628a7784bcfc38142e3b5a004c4110d7121a4
SHA512 5dd36c91f6875a126d5de2590cc2b180be0d4d24baea3a2686f5fefc35bed57111ad6483c51722bfe3c5fae37d5ed870d74a9033830822512feec9e57364e279

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec830d477b682c3ce9d85f0f90c637ae
SHA1 b88f4c317be1b8fd79c78cccad1a6a6a634f92e1
SHA256 ab4d1b4616153d26525e20939fcd59ef703b453924091a5a99d0ba4f884b80c7
SHA512 aabc8309f17c55162ff8941a00122c7fefd423333e016820770a9e7079e3b7f98d6c1236412cc808573bcc81aede6f7f995813214fe224cc54936d4d803c5d41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2de495afed10b6de385cdfdd6b4035b
SHA1 a2a6aa15537e7f1e5a614e6be7c81bc6bf82bb64
SHA256 3a7eaf1d3fa7de1e60b3a5c02cf4470a6b125bb0425f99393c23938ef6c2b916
SHA512 402f7f00be2d48ca82c09902064a9e751be44a5a73012b9e8ce57f51927de947f7a277e189f027d6b804458e2ac1e24e19305c0fbcfa94bbdee0a2eb04e67025

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 21c97c8bcef2a848ae7827968d6a17f8
SHA1 a5e71f8e93681490e3112d994207b610e843c591
SHA256 4b2e06ac548a95a3e1ff467cf13e4c8610c117f4714e798cb56373b559576ff4
SHA512 3c92f7f9aaa219b4828bb8279fb87d682d8be8924ffac4bd1f64e2525cc8058c9092de8a62c9fca4a889be486d36ff366c6493b3e7c400914f819bcfc47bc2ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4cad10853ef40dea82df77262a89f4b3
SHA1 1dada601e3571f79ba5170eb927814b380b2f10e
SHA256 fb4505ae45a1e06d9db7004e4830690ebd57cd1373b920e165938a8904a3353a
SHA512 c700fcd8b537b15d874795d7100111011b7075e6989cb0abd2c62024b13288a5b441fa2d136889078f27e40d823aa34a0775efe99eff75c533963d21e94d36e6

memory/2196-4851-0x0000000000400000-0x00000000004AD000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da6b84675cedd2357869f303d223cc0f
SHA1 5507f8b4a1529258cea8bd5c0fa86bd843136055
SHA256 41bc031a15d90d3228a9b33d37d78212a601dab42a74b6377a5a1bdec5fb0b52
SHA512 1ef86ccfd0ac01e8c8e2d15ada8f415997ec2cbb1060835603716bd22012c94c0ccc29a8c7e6e31fde8d36fa52844612564154edc19e5beb2bd7b84fa3a98c2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa33eb015b46c7309a7e06e5889e0167
SHA1 1e8695855995a529924e9329b2daa263b4806117
SHA256 d64c04acbdbf477ac9b3f3a58f91ff8bae4defa1fa698a1aca5c916ec69c5f27
SHA512 f449d17406eefb711dde0cab4a3cebb992f0e619a072008373c6942becb45399da2a56e3e396557445bcb0ed64bf189e7b94cfce69b0f4e5b5cdd4f7890b7082

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b78990a188962cbf2bf07fbebb099500
SHA1 5af1284d50fdd02f185a580b7be25bb78dd1cff2
SHA256 01b9d0b37ac3d7c6275195fadefab308d6925d57b5e9498b81f4c4d5fd605fc6
SHA512 24120c400546fc8cdee333233a916fcc31889878153feb31583840ef7d91634df0c25a2cc704adf1c519e65f80eff3d2395a782774af696193cabd19d4f18d31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba700be8e5f5e3ad97aada7c6fad81fb
SHA1 022a6d29671187d8fd6daf17b61db94d647f58bc
SHA256 b5c7a0941bb553e399128005a991e50499c1fd089df35fa91965df9325c1e86b
SHA512 aaa18259ac7f71c9e5599c3711c8e3eaa901809ac7c1647f7a51b124e09a2f0d4c205bec8c7fe1b9e8c11ba13b5f14feec5fef6d3946a013b5c85cabd0b5b53e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd9b0ae8de2de4718613da4e20c24a51
SHA1 d80246309ad33b2589bee7c6ea20f50525a028ee
SHA256 9386df45703eb2f237f8865039cd2f0c07ea513a3252b6acb61aa5364187c1b7
SHA512 5f90bc90470e45cdc99419abdaec72d7c1eba9008a6bbfa9f647673a4c723807d0d5a85872df2dc7c14c8983600f22e5ecf50b969abc282eb09a1c82c8c4ca67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2db7353ddc13231f64e299a59c53d4f3
SHA1 0f5f887c8777bf0ee405b079256a5d4e9789c748
SHA256 3fa87c2561a3af982a9dee1548cfa22f4e3f56e4a0944ba63fe5a7cc3e67eeba
SHA512 7854fc79f303020117cb5bc47df70a5258644b5653eecacb1847542d7545a66229f9522c5109049ef98c963b75a9d9051ccf8be821adaa7c45ef80df8e5e6131

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3121fbe7b1ef7a722c1a3d5a7f27aa7
SHA1 ed888f4de6c31ce3a717046b92788d51c0249ce5
SHA256 6318d0df7c431f5ea14bf05dde57ba8d43e69d44cd063508a96f5d1fac28fde9
SHA512 2ce40c39b701ef2e8e82902f9abbadb9c7cea4dba3cac68b39800ad16a2648ba5a15c0164100b51860ae225a356573e72fea3dcc8b0e73f5606ac3cbd96f5020

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc65e7a3fb17a73e1dd8bf01a44b0dd1
SHA1 650c060a05a0e89fab8a3a4ff8be78f6dfa210b7
SHA256 a12f79cb3c89101884a69941d00d33072c8ff762673e9a0b59bde12704786ca2
SHA512 0c18a8210f4c882a77678bd417ed0f671c1161859a4bbd7684a179f7a44b0267a52c31db265f42ad15e6beeda9fb8208bf2f1b643939657aee287724f3ee160b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4093d192f79276214a79bb7717913d0a
SHA1 03cd42cebdcf2f03d076a494d5c47395e2d66fee
SHA256 8da0481e514e76bbb6d70e640717b837bfc29dc5b2c3c2ede324f81f4d8d0f03
SHA512 cb0d7028fe083bba6eb0ee4d00a15a8a6b1e381f18f32b5c7ecca3bdd295bd6982ebc5d4dcd07e48d90c5940085d275a1bf8f301bb684d06f17117c42bd07619

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17b27c1f883c839561290de58207ab7a
SHA1 4e5dd689c9a846829eac2608a96cc069c8e634cc
SHA256 2fdaa191a7d8c23ddc8f60868a91f8c5945d82ee2450a804f4b6c1e52725594e
SHA512 4381abd11259631d73a761a618088e3aab15ff82035ea932e8d4f71c42a9f4eb87529a5c02498c2dd3a2b48b983763678b40509f5e2fdbab4cb133d50c074308

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 08:27

Reported

2024-10-16 08:30

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4c1626ea1439d9ad45d3efa5de84edb9_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/764-0-0x0000000000500000-0x0000000000501000-memory.dmp