Malware Analysis Report

2024-10-24 18:18

Sample ID 241018-b9z6essepj
Target 54d303b283679409adb0d34f34573b60_JaffaCakes118
SHA256 a23f28cc3a6e1718908506e8106d74649fee66776ba9c9a1d111e1fbc700fe2a
Tags
upx defense_evasion discovery ransomware spyware stealer
score
9/10

Analysis Overview

score
9/10

SHA256

a23f28cc3a6e1718908506e8106d74649fee66776ba9c9a1d111e1fbc700fe2a

Threat Level: Likely malicious

The file 54d303b283679409adb0d34f34573b60_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx defense_evasion discovery ransomware spyware stealer

Renames multiple (950) files with added filename extension

Renames multiple (443) files with added filename extension

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Indicator Removal: File Deletion

UPX packed file

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 01:51

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 01:51

Reported

2024-10-18 01:53

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe"

Signatures

Renames multiple (950) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Indicator Removal: File Deletion

defense_evasion

UPX packed file

upx

Drops file in Program Files directory


Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\README_ASAP.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\54D303~1.EXE" >> NUL

Network

N/A

Files

memory/2364-0-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2364-1526-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2364-1525-0x0000000000400000-0x0000000000479000-memory.dmp

memory/2364-2296-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Users\Admin\Desktop\README_ASAP.txt

MD5 a0bca63c8ba75cf1b7a30d0b171f474f
SHA1 af8a8153d52ee5d471e7f69b2245683b441b7b7d
SHA256 fdac2db3a1b1d199162e8768be32cc0c9e7161556b840c24c7e1928ac3f3f531
SHA512 0d68622772132d80fda645fa7cbd45eed8cd5f876da359f4aa735c56adfca949f7b77843301d8f6da26e89ade67daa3341f2edf0d0bcde08599a362b1abdc002

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 01:51

Reported

2024-10-18 01:53

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe"

Signatures

Renames multiple (443) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Indicator Removal: File Deletion

defense_evasion

UPX packed file

upx

Drops file in Program Files directory


Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\54d303b283679409adb0d34f34573b60_JaffaCakes118.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\README_ASAP.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\54D303~1.EXE" >> NUL

Network


Files

memory/3848-0-0x0000000000400000-0x0000000000479000-memory.dmp

memory/3848-667-0x0000000000400000-0x0000000000479000-memory.dmp

memory/3848-668-0x0000000000400000-0x0000000000479000-memory.dmp

memory/3848-1395-0x0000000000400000-0x0000000000479000-memory.dmp

memory/3848-1433-0x0000000000400000-0x0000000000479000-memory.dmp

C:\Users\Admin\Desktop\README_ASAP.txt

MD5 a0bca63c8ba75cf1b7a30d0b171f474f
SHA1 af8a8153d52ee5d471e7f69b2245683b441b7b7d
SHA256 fdac2db3a1b1d199162e8768be32cc0c9e7161556b840c24c7e1928ac3f3f531
SHA512 0d68622772132d80fda645fa7cbd45eed8cd5f876da359f4aa735c56adfca949f7b77843301d8f6da26e89ade67daa3341f2edf0d0bcde08599a362b1abdc002