3fb80b937831aca246d838a129d4e094b8de7fc513fe14f311e1bbaf67cb8a99

Reason

Machine shutdown

General

Target

5092d1d7abb882028147df297432ca49_JaffaCakes118.exe
Size

381KB
MD5

5092d1d7abb882028147df297432ca49
SHA1

101d56d520a89ac973099959a317a790d7b75130
SHA256

3fb80b937831aca246d838a129d4e094b8de7fc513fe14f311e1bbaf67cb8a99
SHA512

aec9a4a561978251bc537675fad16818522c6cd6b8f6e5700f96ded4d0c2ba4bd50c5efc8ec5e2ab30fe56f5209e21f1af16f4fb7b599db8184266e474b7a898
SSDEEP

6144:bU+DRYgAOEYI146+ziWRKrY7350PeR21AG+KpAy:l9YgaTl+ziTrY7pAxdpAy

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1336 2176 WerFault.exe 5092d1d7abb882028147df297432ca49_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

5092d1d7abb882028147df297432ca49_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5092d1d7abb882028147df297432ca49_JaffaCakes118.exe

pid	pid_target	process	target process
1336	2176	WerFault.exe	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5092d1d7abb882028147df297432ca49_JaffaCakes118.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "232"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4116 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msedge.exe

pid process

4648 msedge.exe
4648 msedge.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
628
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bootim.exe

description pid process

Token: SeSystemEnvironmentPrivilege 4944 bootim.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1040 LogonUI.exe

pid	process
4116	NOTEPAD.EXE

pid	process
4648	msedge.exe
4648	msedge.exe

pid
4
4
4
4
4
628

description	pid	process
Token: SeSystemEnvironmentPrivilege	4944	bootim.exe

pid	process
1040	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5060 wrote to memory of 2132	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 2132	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4648	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 4648	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 1988	5060	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\5092d1d7abb882028147df297432ca49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5092d1d7abb882028147df297432ca49_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 556
2⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2176 -ip 2176
1⤵
PID:1616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2744

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\BackupResolve.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4f3e18a8hef49h449dh8d94h63a3f0d04487
1⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa223046f8,0x7ffa22304708,0x7ffa22304718
2⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,337814416671378165,14119255730756305058,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
2⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,337814416671378165,14119255730756305058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,337814416671378165,14119255730756305058,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
2⤵
PID:1988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5196

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3876055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

1

T1217

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0ee68cb6d34a50003ff6e529178e6fad

SHA1
67f2ebc683ae0b521d27aebaf109a4ed0e86b282

SHA256
574098c715d2810f1f4f84619e5f565324119e65dce8fe908d9736c8a3748018

SHA512
b13ab868b4932865009efac53a947bfad53db32110dc383550f1a09063195e56ff590a2593d9b98c13c480175545616ccc3164b0a5d17bb4416a39e012024593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4e5685fbcbc83aa80b149a1793a62375

SHA1
f6a2332f32d68365254d05415ba0d367529d82bb

SHA256
d62dfdd7d8b729ef532ba12e7a2b58b6e278a1e2e73e76a3e479a83ec07a3461

SHA512
5f4f4b23a42629fad50dd586dc39defd9fdd8c352c03cd9c5c4aee6de7264d2f6e96e27e71c83a6165d9a85c47f1cfa7b9b19d34ffeba96679b5208ec44db751

Download Submit
\??\pipe\LOCAL\crashpad_5060_OOFESUAWAXYHMFVB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2176-0-0x0000000002290000-0x00000000022BE000-memory.dmp

Filesize
184KB

Download
memory/2176-1-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors