Analysis
- max time kernel: 147s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-10-2024 02:12
Static task: static1
Behavioral task: behavioral1
- Sample: 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2 (the run shown in this report)
- Sample: 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
- Size: 326KB
- MD5: 5fddd166f5b5931b2ab328cfd40e420a
- SHA1: fa92f4074a2ee7166b9dc9081707ba7a4e8956c4
- SHA256: 4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910
- SHA512: 57aa9f96d83a906b910b1d63f3e9fa694c302696a7d237be47cfb1efdf0b5f0d2c152daa2be628fca2cd007a71dbc60def81867ddbfefed81b740b6240079c8c
- SSDEEP: 6144:kt8UOo3u1PmgxfxNJpXSDV76nu9Ni/n5s5ojFHf9BW:kt8Po3utmgxf3JRSDJ6u6SWlo
Malware Config
Extracted from C:\Program Files\7-Zip\Lang\restore_files_rqyjx.txt:
- http://nasdki39dawk.oj998fh4txkjh.com/D8A66019E06A126
- http://awoeinf832as.wo49i277rnw.com/D8A66019E06A126
- https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126
- http://zpr5huq4bgmutfnf.onion/D8A66019E06A126
Extracted from C:\Program Files\7-Zip\Lang\restore_files_rqyjx.html:
- https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126
Every URL carries the same path token, D8A66019E06A126, which is the value to pivot on when searching other notes or samples. zpr5huq4bgmutfnf.onion.to is a Tor2web gateway address for the zpr5huq4bgmutfnf.onion hidden service listed beside it, so the note reaches that service with or without a Tor client; the two clearnet hostnames are separate indicators.
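The note-extraction above is the kind of parsing a triage script does on every dropped ransom note. The following is an added example, not code from the sandbox or from the sample: it pulls the URLs out of note text, maps Tor2web gateway hosts back to the .onion they front, and derives the path token shared by all URLs. SAMPLE_NOTE is constructed for the example (the URLs are the ones extracted above; the sentences around them are made up), and the Tor2web suffix list is an assumption to extend as needed.

```python
"""Pull payment URLs out of a ransom note and normalise them to IoCs.

Added example, not part of the sandbox report. SAMPLE_NOTE is constructed:
the URLs are the ones the report extracted from restore_files_rqyjx.txt/.html,
the surrounding sentences are invented filler.
"""
import re
from urllib.parse import urlsplit

SAMPLE_NOTE = """Your files have been encrypted. To get them back open one of these pages:
http://nasdki39dawk.oj998fh4txkjh.com/D8A66019E06A126
http://awoeinf832as.wo49i277rnw.com/D8A66019E06A126
If they are down, use the gateway https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126
or Tor Browser: http://zpr5huq4bgmutfnf.onion/D8A66019E06A126.
<a href="https://zpr5huq4bgmutfnf.onion.to/D8A66019E06A126">Open</a>
"""

# Stops at whitespace, angle brackets and quotes, so URLs inside HTML attributes
# come out clean even when the note is the .html variant.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Tor2web-style gateways: host = <onion name> + suffix. Assumed list; extend as needed.
TOR2WEB_SUFFIXES = (".onion.to", ".onion.ws", ".onion.pet", ".onion.ly")


def classify_host(host):
    """Return (kind, canonical host): 'onion', 'tor2web' (mapped back to the
    .onion it fronts) or 'clearnet'."""
    host = host.lower()
    for suffix in TOR2WEB_SUFFIXES:
        if host.endswith(suffix):
            return "tor2web", host[: -len(suffix)] + ".onion"
    if host.endswith(".onion"):
        return "onion", host
    return "clearnet", host


def extract_note_iocs(text):
    """Unique URLs, hosts by kind, the hidden services they resolve to, and the
    one path token common to every URL (None if there is no single such token)."""
    urls = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")  # sentence punctuation glued to the URL
        if url not in urls:
            urls.append(url)
    hosts = {"onion": set(), "tor2web": set(), "clearnet": set()}
    hidden_services = set()
    shared = None
    for url in urls:
        parts = urlsplit(url)
        hostname = (parts.hostname or "").lower()
        kind, canonical = classify_host(hostname)
        hosts[kind].add(hostname)
        if kind != "clearnet":
            hidden_services.add(canonical)
        segments = {s for s in parts.path.split("/") if s}
        shared = segments if shared is None else shared & segments
    # A single path token present in every URL is the per-victim/campaign ID to pivot on.
    shared_token = shared.pop() if shared and len(shared) == 1 else None
    return {"urls": urls, "hosts": hosts,
            "hidden_services": hidden_services, "shared_token": shared_token}


if __name__ == "__main__":
    for key, value in extract_note_iocs(SAMPLE_NOTE).items():
        print(f"{key}: {value}")
```

The gateway mapping matters for blocking: a proxy rule on the .onion.to hostname alone misses the same service reached through a different gateway, so the canonical .onion name is the indicator to keep.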
Signatures

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (887) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. Both the original sample and the dropped copy perform the lookup.
- Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation, by 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation, by vcwghv.exe
Drops startup file (4 IoCs)
All four are files opened for modification by vcwghv.exe; they are copies of the ransom note, not a second executable. The two in the shell Startup folder are opened again at every logon, which keeps the note in front of the user.
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_rqyjx.txt
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_rqyjx.html
- C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_rqyjx.txt
- C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_rqyjx.html
Executes dropped EXE (1 IoC)
- PID 5008 vcwghv.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No IoC is attached to this signature, and the only browser activity in the process tree is msedge.exe (PID 844) opening the HTML ransom note, so it should not be read as confirmed credential theft without file-access evidence.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C:\\Users\\Admin\\AppData\\Roaming\\vcwghv.exe", by vcwghv.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C", by vcwghv.exe
The HKCU value is the working autostart: it relaunches the dropped copy from %APPDATA% under the innocuous name MSCONFIG at every logon. The HKLM value holds only the single character "C" and does not point at an executable, so it starts nothing; remove both during cleanup anyway.
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity. Here both binaries remove themselves through cmd.exe /c del (PIDs 3712 and 6092 in the process tree), so the original sample survives only as the copy in %APPDATA% until that copy deletes itself too.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 8: ipinfo.io
Drops file in Program Files directory (64 IoCs)
All entries are files opened for modification by vcwghv.exe. The list mixes ransom-note drops (restore_files_rqyjx.txt / .html written into directories it walks) with existing image files it opens for encryption. The listing stops at 64 entries, as several other signatures on this page do, so treat it as a sample rather than the full set.
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\restore_files_rqyjx.txt
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\restore_files_rqyjx.html
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-256_altform-unplated.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-400.png
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-72_altform-unplated.png
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_rqyjx.html
- C:\Program Files\dotnet\host\fxr\7.0.16\restore_files_rqyjx.txt
- C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-200.png
- C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Success.jpg
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\MedTile.scale-200.png
- C:\Program Files\Internet Explorer\ja-JP\restore_files_rqyjx.html
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\LargeTile.scale-125.png
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_rqyjx.html
- C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated_contrast-black.png
- C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\restore_files_rqyjx.txt
- C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\restore_files_rqyjx.txt
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\restore_files_rqyjx.txt
- C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\restore_files_rqyjx.html
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\MedTile.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\restore_files_rqyjx.txt
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-125.png
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\save-money.png
- C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Nose.png
- C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200_contrast-white.png
- C:\Program Files\VideoLAN\VLC\locale\gd\restore_files_rqyjx.html
- C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_04.jpg
- C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-32_altform-unplated_contrast-black.png
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-200.png
- C:\Program Files\Microsoft Office\root\Templates\restore_files_rqyjx.txt
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\restore_files_rqyjx.html
- C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-100_contrast-white.png
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\restore_files_rqyjx.txt
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7739_20x20x32.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-150.png
- C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_rqyjx.txt
- C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-64_altform-unplated_contrast-black.png
- C:\Program Files\Java\jdk-1.8\jre\README.txt
- C:\Program Files\Windows NT\Accessories\en-US\restore_files_rqyjx.txt
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\MedTile.scale-125.png
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\WideTile.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\restore_files_rqyjx.html
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg6.jpg
- C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\restore_files_rqyjx.html
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100_contrast-black.png
- C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png
- C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\restore_files_rqyjx.html
- C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_altform-unplated_contrast-white.png
- C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\restore_files_rqyjx.html
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-125.png
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_rqyjx.txt
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-400.png
- C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-100_contrast-black.png
- C:\Program Files\Internet Explorer\en-US\restore_files_rqyjx.html
- C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\restore_files_rqyjx.txt
- C:\Program Files\Windows NT\Accessories\es-ES\restore_files_rqyjx.txt
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-40.png
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\MedTile.scale-200.png
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\restore_files_rqyjx.txt
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Only the first two entries come from the malware; the cmd.exe and NOTEPAD.EXE hits are standard system binaries reading locale settings at start-up.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by vcwghv.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cmd.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by NOTEPAD.EXE
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cmd.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
All three come from msedge.exe, which was launched only to display the HTML note; BIOS queries are routine browser behaviour and not an action of the sample.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer, by msedge.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName, by msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS, by msedge.exe
Interacts with shadow copies (3 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery. Both instances run "vssadmin.exe delete shadows /all /Quiet" (see the process tree), the second pass after encryption.
- PID 1532 vssadmin.exe
- PID 4844 vssadmin.exe

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings, by vcwghv.exe

Opens file in notepad (likely ransom note) (1 IoC)
- PID 3904 NOTEPAD.EXE (opens C:\Users\Admin\Desktop\RESTORE_FILES.TXT)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 5008 vcwghv.exe (64 identical entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
- PID 844 msedge.exe (6 identical entries)
Edge applies the block-non-Microsoft-binaries process mitigation to its own child processes; this is the browser's normal sandboxing, not behaviour of the sample.

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, PID 2108 5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
- Token: SeDebugPrivilege, PID 5008 vcwghv.exe
- Token: SeBackupPrivilege, PID 3544 vssvc.exe
- Token: SeRestorePrivilege, PID 3544 vssvc.exe
- Token: SeAuditPrivilege, PID 3544 vssvc.exe
The two SeDebugPrivilege entries belong to the sample and its dropped copy. vssvc.exe is the Volume Shadow Copy service that serves the two vssadmin requests; backup, restore and audit privileges are its normal working set.

Suspicious use of FindShellTrayWindow (25 IoCs)
- PID 844 msedge.exe (25 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
- PID 844 msedge.exe (24 identical entries)
Both are ordinary shell/UI calls from the browser window that was opened to display the HTML note.
Suspicious use of WriteProcessMemory (64 IoCs)
Grouped by source, target and the sandbox's procid_target value:
- PID 2108 (5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe) wrote to memory of 5008, target 86: 3 entries
- PID 2108 (5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe) wrote to memory of 3712, target 88: 3 entries
- PID 5008 (vcwghv.exe) wrote to memory of 1532, target 90: 2 entries
- PID 5008 (vcwghv.exe) wrote to memory of 3904, target 110: 3 entries
- PID 5008 (vcwghv.exe) wrote to memory of 844, target 111: 2 entries
- PID 844 (msedge.exe) wrote to memory of 3940, target 112: 2 entries
- PID 5008 (vcwghv.exe) wrote to memory of 4844, target 114: 2 entries
- PID 844 (msedge.exe) wrote to memory of 1624, target 116: 40 entries
- PID 844 (msedge.exe) wrote to memory of 3840, target 117: 2 entries
- PID 844 (msedge.exe) wrote to memory of 3676, target 118: 5 entries
Every source/target pair is a parent and a child it spawned in the process tree. These are the writes CreateProcess performs while setting up a new process, not injection into an unrelated process.
System policy modification (1 TTP, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, by vcwghv.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1", by vcwghv.exe
EnableLinkedConnections = 1 makes drive letters mapped in a user's standard logon session visible from that user's elevated session and vice versa. Ransomware sets it so that its file enumeration also reaches mapped network shares; reset it to 0 (or delete it) during cleanup.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Sequence: the sample runs from %TEMP%, writes a copy to %APPDATA%\vcwghv.exe (same hashes as the submitted file, see Downloads), launches it and deletes its own original through cmd.exe. The copy deletes shadow copies, encrypts, opens the notes in Notepad and Edge, deletes shadow copies a second time and finally deletes itself.

- PID 2108: C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 5008: C:\Users\Admin\AppData\Roaming\vcwghv.exe
    Command line: C:\Users\Admin\AppData\Roaming\vcwghv.exe
    Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - PID 1532: C:\Windows\System32\vssadmin.exe
      Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
      Signatures: Interacts with shadow copies
    - PID 3904: C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
      Signatures: System Location Discovery: System Language Discovery; Opens file in notepad (likely ransom note)
      Note: the command line names system32 but the image that ran is under SysWOW64, which is WoW64 file system redirection; the parent vcwghv.exe (and, from the cmd.exe children below, the original sample) is therefore a 32-bit process.
    - PID 844: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML
      Signatures: Enumerates system info in registry; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      Edge helper processes spawned to render the HTML note (ordinary browser children, listed for completeness):
      - PID 3940: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffde01046f8,0x7ffde0104708,0x7ffde0104718
      - PID 1624: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      - PID 3840: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      - PID 3676: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
      - PID 4744: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
      - PID 4472: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
      - PID 1660: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
      - PID 4396: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
      - PID 4768: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
      - PID 2172: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
      - PID 5236: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      - PID 5244: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,8295757106809847046,3046329219257777449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
    - PID 4844: C:\Windows\System32\vssadmin.exe
      Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
      Signatures: Interacts with shadow copies
    - PID 6092: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwghv.exe >> NUL
      Signatures: System Location Discovery: System Language Discovery
      (self-deletion of the dropped copy; the Run key that points at it is left behind)
  - PID 3712: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5FDDD1~1.EXE >> NUL
    Signatures: System Location Discovery: System Language Discovery
    (deletion of the original sample, referenced by its 8.3 short name)
- PID 3544: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
  (the Volume Shadow Copy service, started to serve the vssadmin requests)
- PID 2720: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 2988: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
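The process tree and registry IoCs above contain every event a detection engineer would key on: vssadmin shadow deletion, cmd.exe deleting the parent's own image (including by 8.3 short name), a Run value pointing into %APPDATA% or holding a non-path, EnableLinkedConnections set to 1, and a viewer launched on a file named like a ransom note. The following is an added example, not code from the sandbox or from the sample: it encodes those rules and runs them over event records constructed by hand from this report. The event shape mimics Sysmon event ID 1 (process create) and ID 13 (registry value set) but is hand-built here; the rule names are invented for the example.

```python
"""Detection rules for the behaviours recorded in this report.

Added example, not part of the sandbox report. PROCESS_EVENTS and
REGISTRY_EVENTS are constructed from the report's process tree and registry
IoCs (PIDs, images, command lines and values as reported); their shape mimics
Sysmon event ID 1 / ID 13 so the rules port to real telemetry, but nothing here
depends on Sysmon or on the analysed sample.
"""
import ntpath
import re
import shlex

SID = "S-1-5-21-1045960512-3948844814-3059691613-1000"

# Constructed from the report's process tree.
PROCESS_EVENTS = [
    {"pid": 2108, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\5fddd166f5b5931b2ab328cfd40e420a_JaffaCakes118.exe"'},
    {"pid": 5008, "ppid": 2108, "image": r"C:\Users\Admin\AppData\Roaming\vcwghv.exe",
     "cmd": r"C:\Users\Admin\AppData\Roaming\vcwghv.exe"},
    {"pid": 1532, "ppid": 5008, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'},
    {"pid": 3904, "ppid": 5008, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmd": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT'},
    {"pid": 844, "ppid": 5008, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmd": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML'},
    {"pid": 4844, "ppid": 5008, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'},
    {"pid": 6092, "ppid": 5008, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwghv.exe >> NUL'},
    {"pid": 3712, "ppid": 2108, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5FDDD1~1.EXE >> NUL'},
]

# Constructed from the report's registry IoCs.
REGISTRY_EVENTS = [
    {"pid": 5008, "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSCONFIG",
     "value": r"C:\Users\Admin\AppData\Roaming\vcwghv.exe"},
    {"pid": 5008, "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSCONFIG",
     "value": "C"},
    {"pid": 5008, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "value": "1"},
]

SHADOW_RE = re.compile(r"delete\s+shadows", re.IGNORECASE)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"\s>]+)"?', re.IGNORECASE)
NOTE_RE = re.compile(r"(restore|recover|decrypt|readme|how_to)[^\\/]*\.(txt|html?)$", re.IGNORECASE)
NOTE_VIEWERS = {"notepad.exe", "wordpad.exe", "msedge.exe", "iexplore.exe", "mshta.exe"}


def same_file(target, image):
    """True when `target` names `image`, including via an 8.3 short name such as
    5FDDD1~1.EXE. Approximation: the short stem is taken as a prefix of the long
    name, which holds for names without spaces or extra dots."""
    t_dir, t_name = ntpath.split(target)
    i_dir, i_name = ntpath.split(image)
    if t_dir.lower() != i_dir.lower():
        return False
    t_name, i_name = t_name.lower(), i_name.lower()
    if t_name == i_name:
        return True
    if "~" in t_name:
        stem, ext = t_name.split("~", 1)[0], ntpath.splitext(t_name)[1]
        return i_name.startswith(stem) and i_name.endswith(ext)
    return False


def analyse(process_events, registry_events):
    """Return a list of (rule, pid) findings. Rule names are invented for this example."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        base = ntpath.basename(e["image"]).lower()
        argv = shlex.split(e["cmd"], posix=False)  # keeps quoted Windows paths whole
        if base == "vssadmin.exe" and SHADOW_RE.search(e["cmd"]):
            findings.append(("inhibit_recovery.vssadmin_delete_shadows", e["pid"]))
        if base == "cmd.exe" and (m := DEL_RE.search(e["cmd"])):
            # Walk up the tree: deleting an ancestor's own image is self-removal,
            # whichever generation launched the cmd.exe.
            ppid = e["ppid"]
            while ppid in by_pid:
                if same_file(m.group(1), by_pid[ppid]["image"]):
                    findings.append(("defense_evasion.self_delete", e["pid"]))
                    break
                ppid = by_pid[ppid]["ppid"]
        if base in NOTE_VIEWERS and any(NOTE_RE.search(a) for a in argv[1:]):
            findings.append(("impact.ransom_note_displayed", e["pid"]))
    for r in registry_events:
        key, val = r["key"].lower(), r["value"]
        if "\\currentversion\\run\\" in key:
            if not re.match(r'^"?[a-z]:\\', val, re.IGNORECASE):
                findings.append(("persistence.run_key_malformed", r["pid"]))
            elif "\\appdata\\" in val.lower():
                findings.append(("persistence.run_key_appdata", r["pid"]))
        if key.endswith("\\policies\\system\\enablelinkedconnections") and val == "1":
            findings.append(("policy.enable_linked_connections", r["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in analyse(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"{rule:45s} pid={pid}")
```

The self-delete rule walks the whole ancestor chain rather than checking only the direct parent, because the `del` of the original sample here is issued by a cmd.exe whose parent is the sample itself, while a dropper could just as well let the copy remove the original. Matching the 8.3 short name is what makes the second deletion visible at all.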
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize 4KB
  MD5: 6f409fbb014d4e028a1e0096991f2543
  SHA1: 9b8739eeb29299df52535337cec1b72b6617c28b
  SHA256: c62641e645380412f3f8bbdb98547a52dc5c38983097a6cb0211f21c77d1d4e9
  SHA512: 354fd64e2e14b6f9af2761003e1355310d8a208e89c1051f0c1c5f544cd1914a1530957286aaf6b878dc3680c83c39d58572ad48b9da4e14955e5dae5da3e182
- Filesize 2KB
  MD5: df3f6c33e4c3d89d6878378095ee5aba
  S
  HA1: bd3b0afa9593c8743e015e2c875db0a77c3a65c0
  SHA256: 7354b6c41d7519887de321615fdd3574733e850768fe7d5f51943c33717352b1
  SHA512: ef987d8820a79e367b170a44f7ed7f7bdea2a9974ead3264861425ca096a34593818071d7f9572acbfcee938fb8e1db5c4e7e05b48246b1abd75d2a5ce5a9d99
- Filesize 152B
  MD5: d22073dea53e79d9b824f27ac5e9813e
  SHA1: 6d8a7281241248431a1571e6ddc55798b01fa961
  SHA256: 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
  SHA512: 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
- Filesize 152B
  MD5: bffcefacce25cd03f3d5c9446ddb903d
  SHA1: 8923f84aa86db316d2f5c122fe3874bbe26f3bab
  SHA256: 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
  SHA512: 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
- Filesize 5KB
  MD5: 631c92d673985addc86c22ec56ffc913
  SHA1: 6699dd791688dbfda1368dcfa52221f0048b7072
  SHA256: a3ad901785522074e84b461e058ea2baf1d747d224d857f4bd898c63247a6d4c
  SHA512: dacaf76b8adb0ceed79587fd5f9739f55e7d98dcb867bedafe4cf4b9d652686dbc742280e6f4ec3d53ec91b421cfa0e9fffa1600d8bf5ea14621039650548492
- Filesize 6KB
  MD5: d84ffe31534d73280bb1b7e616073470
  SHA1: a533200c42dbcda819e167f2df8808c678eb9ad3
  SHA256: 91395eacefaf65ae7b623ed502836dcbb16ce153a8b8bb061e904f1bfe724050
  SHA512: 149305759994a678560edfc27794dd9d215683bf7f7021f8e5b1f55f5a1a88938486cad7346d682f2e1e8d8d5aa4e105b1434f2a5639518be85fbef3ed40a13c
- Filesize 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize 11KB
  MD5: 8e879b483ab784beaf8f1e7538181b36
  SHA1: 4f89938f0ea379934f41caa7564df522f161a82c
  SHA256: 402b9c5d0cfbd85d59de78eb872a69ce3b200af11caf9a2dca005c947570113b
  SHA512: 4980422652c9627976faba298a7e6f8be82c6c1a2c30a92b16cd02b8b5d159c40dd987ccf146910ccd350c069098d537397782fbba01003e180a59c9512bf9e5
- Filesize 326KB (same hashes as the submitted sample)
  MD5: 5fddd166f5b5931b2ab328cfd40e420a
  SHA1: fa92f4074a2ee7166b9dc9081707ba7a4e8956c4
  SHA256: 4f151f64c97aa09c5c99f25b63c503b91b54a99910daadb97762ad4f5dbb4910
  SHA512: 57aa9f96d83a906b910b1d63f3e9fa694c302696a7d237be47cfb1efdf0b5f0d2c152daa2be628fca2cd007a71dbc60def81867ddbfefed81b740b6240079c8c