zeppelin | 821945dd5882aad4181fcb2670a26cc322224f9f677e5df26f7e708ced0ab6a3

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
Size

217KB
MD5

56f16414e71c5263c57a4ce7733c70b5
SHA1

d74ea238db6e0870422f6dcc4fef83964a380d1a
SHA256

821945dd5882aad4181fcb2670a26cc322224f9f677e5df26f7e708ced0ab6a3
SHA512

a492452c26f6c6d36853edcd13db03645442ea82c761940a1c0f96bc0fab7269fbb99c2e83350ecc06143cb142ddcadc6fce2ea32312440fc985b163b60d46ca
SSDEEP

6144:dC61i972KJmciP8yGw44DQFu/U3buRKlemZ9DnGAe6MTgGkT/+:dK972P/kyGv4DQFu/U3buRKlemZ9DnGm

Score

10^/10

zeppelin defense_evasion discovery execution impact ransomware

Malware Config

Signatures

Detects Zeppelin payload 7 IoCs

resource	yara_rule
behavioral1/memory/2960-76-0x00000000000C0000-0x0000000000202000-memory.dmp	family_zeppelin
behavioral1/memory/1868-812-0x00000000000C0000-0x0000000000202000-memory.dmp	family_zeppelin
behavioral1/memory/2444-8740-0x00000000000C0000-0x0000000000202000-memory.dmp	family_zeppelin
behavioral1/memory/2444-16595-0x00000000000C0000-0x0000000000202000-memory.dmp	family_zeppelin
behavioral1/memory/2444-24178-0x00000000000C0000-0x0000000000202000-memory.dmp	family_zeppelin
behavioral1/memory/2444-30443-0x00000000000C0000-0x0000000000202000-memory.dmp	family_zeppelin
behavioral1/memory/1868-30479-0x00000000000C0000-0x0000000000202000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7361) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1792	notepad.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\U:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\T:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\S:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\X:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\Q:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\N:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\M:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\L:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\H:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\B:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\R:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\A:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\Z:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\W:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\P:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\O:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\K:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\J:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\I:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\G:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\Y:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened (read-only)	\??\E:	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	iplogger.org
16	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188511.WMF.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02285_.WMF.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099158.WMF.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions.css	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01330_.GIF	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CMNTY_01.MID	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\PersonalContact.ico	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01166_.WMF.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00780L.GIF.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105378.WMF	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216874.WMF.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183290.WMF	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01701_.WMF	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.REST.IDX_DLL.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECL.ICO.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00172_.WMF.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Elemental.thmx	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.XML.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTITS.ICO.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187839.WMF.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Casual.gif	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Couture.thmx.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sw\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105846.WMF	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153095.WMF	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.DPV	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0211981.WMF.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe.HORSEMONEY.215-6CD-44D	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.hta	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2956	vssadmin.exe
2396	vssadmin.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2000	WMIC.exe
Token: SeSecurityPrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	2000	WMIC.exe
Token: SeLoadDriverPrivilege	2000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1788	WMIC.exe
Token: SeSecurityPrivilege	1788	WMIC.exe
Token: SeSystemProfilePrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	1788	WMIC.exe
Token: SeSystemtimePrivilege	2000	WMIC.exe
Token: SeLoadDriverPrivilege	1788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2000	WMIC.exe
Token: SeSystemProfilePrivilege	1788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2000	WMIC.exe
Token: SeSystemtimePrivilege	1788	WMIC.exe
Token: SeCreatePagefilePrivilege	2000	WMIC.exe
Token: SeProfSingleProcessPrivilege	1788	WMIC.exe
Token: SeBackupPrivilege	2000	WMIC.exe
Token: SeIncBasePriorityPrivilege	1788	WMIC.exe
Token: SeRestorePrivilege	2000	WMIC.exe
Token: SeCreatePagefilePrivilege	1788	WMIC.exe
Token: SeShutdownPrivilege	2000	WMIC.exe
Token: SeBackupPrivilege	1788	WMIC.exe
Token: SeDebugPrivilege	2000	WMIC.exe
Token: SeRestorePrivilege	1788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2000	WMIC.exe
Token: SeShutdownPrivilege	1788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2000	WMIC.exe
Token: SeDebugPrivilege	1788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1788	WMIC.exe
Token: SeUndockPrivilege	2000	WMIC.exe
Token: SeRemoteShutdownPrivilege	1788	WMIC.exe
Token: SeManageVolumePrivilege	2000	WMIC.exe
Token: SeUndockPrivilege	1788	WMIC.exe
Token: 33	2000	WMIC.exe
Token: SeManageVolumePrivilege	1788	WMIC.exe
Token: 34	2000	WMIC.exe
Token: 33	1788	WMIC.exe
Token: 35	2000	WMIC.exe
Token: 34	1788	WMIC.exe
Token: 35	1788	WMIC.exe
Token: SeBackupPrivilege	1532	vssvc.exe
Token: SeRestorePrivilege	1532	vssvc.exe
Token: SeAuditPrivilege	1532	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1788	WMIC.exe
Token: SeSecurityPrivilege	1788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	1788	WMIC.exe
Token: SeLoadDriverPrivilege	1788	WMIC.exe
Token: SeSecurityPrivilege	2000	WMIC.exe
Token: SeSystemProfilePrivilege	1788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2000	WMIC.exe
Token: SeSystemtimePrivilege	1788	WMIC.exe
Token: SeLoadDriverPrivilege	2000	WMIC.exe
Token: SeProfSingleProcessPrivilege	1788	WMIC.exe
Token: SeSystemProfilePrivilege	2000	WMIC.exe
Token: SeIncBasePriorityPrivilege	1788	WMIC.exe
Token: SeSystemtimePrivilege	2000	WMIC.exe
Token: SeCreatePagefilePrivilege	1788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2000	WMIC.exe
Token: SeBackupPrivilege	1788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2000	WMIC.exe
Token: SeRestorePrivilege	1788	WMIC.exe
Token: SeCreatePagefilePrivilege	2000	WMIC.exe
Token: SeShutdownPrivilege	1788	WMIC.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1912	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	32
PID 1868 wrote to memory of 1912	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	32
PID 1868 wrote to memory of 1912	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	32
PID 1868 wrote to memory of 1912	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	32
PID 1868 wrote to memory of 1876	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1876	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1876	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1876	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1688	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	35
PID 1868 wrote to memory of 1688	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	35
PID 1868 wrote to memory of 1688	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	35
PID 1868 wrote to memory of 1688	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	35
PID 1868 wrote to memory of 564	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	36
PID 1868 wrote to memory of 564	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	36
PID 1868 wrote to memory of 564	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	36
PID 1868 wrote to memory of 564	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	36
PID 1868 wrote to memory of 1664	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	37
PID 1868 wrote to memory of 1664	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	37
PID 1868 wrote to memory of 1664	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	37
PID 1868 wrote to memory of 1664	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	37
PID 1868 wrote to memory of 1492	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	38
PID 1868 wrote to memory of 1492	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	38
PID 1868 wrote to memory of 1492	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	38
PID 1868 wrote to memory of 1492	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	38
PID 1868 wrote to memory of 2444	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	40
PID 1868 wrote to memory of 2444	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	40
PID 1868 wrote to memory of 2444	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	40
PID 1868 wrote to memory of 2444	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	40
PID 1868 wrote to memory of 2960	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	42
PID 1868 wrote to memory of 2960	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	42
PID 1868 wrote to memory of 2960	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	42
PID 1868 wrote to memory of 2960	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	42
PID 1664 wrote to memory of 2956	1664	cmd.exe	46
PID 1664 wrote to memory of 2956	1664	cmd.exe	46
PID 1664 wrote to memory of 2956	1664	cmd.exe	46
PID 1664 wrote to memory of 2956	1664	cmd.exe	46
PID 1492 wrote to memory of 2000	1492	cmd.exe	48
PID 1492 wrote to memory of 2000	1492	cmd.exe	48
PID 1492 wrote to memory of 2000	1492	cmd.exe	48
PID 1492 wrote to memory of 2000	1492	cmd.exe	48
PID 1912 wrote to memory of 1788	1912	cmd.exe	47
PID 1912 wrote to memory of 1788	1912	cmd.exe	47
PID 1912 wrote to memory of 1788	1912	cmd.exe	47
PID 1912 wrote to memory of 1788	1912	cmd.exe	47
PID 1492 wrote to memory of 2396	1492	cmd.exe	51
PID 1492 wrote to memory of 2396	1492	cmd.exe	51
PID 1492 wrote to memory of 2396	1492	cmd.exe	51
PID 1492 wrote to memory of 2396	1492	cmd.exe	51
PID 1868 wrote to memory of 1792	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	52
PID 1868 wrote to memory of 1792	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	52
PID 1868 wrote to memory of 1792	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	52
PID 1868 wrote to memory of 1792	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	52
PID 1868 wrote to memory of 1792	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	52
PID 1868 wrote to memory of 1792	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	52
PID 1868 wrote to memory of 1792	1868	56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe	52

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  PID:564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2396
- C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe" -agent 0
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5_JaffaCakes118.exe" -agent 1
  2⤵
  PID:2960
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control