Analysis Overview
SHA256
0e5f7abcb8ff75ff08dcb8ce964c1b6e65b36f46562ed02e4c24a4a139ba5904
Threat Level: Known bad
The file 638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Renames multiple (378) files with added filename extension
Deletes shadow copies
Reads user/profile data of web browsers
Deletes itself
Executes dropped EXE
Drops startup file
Indicator Removal: File Deletion
Adds Run key to start application
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
System policy modification
Opens file in notepad (likely ransom note)
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-20 17:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-20 17:50
Reported
2024-10-20 17:53
Platform
win7-20241010-en
Max time kernel
151s
Max time network
142s
Command Line
Signatures
Deletes shadow copies
Renames multiple (378) files with added filename extension
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\prxcecqchgwo.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aroinics_svc = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Windows\\prxcecqchgwo.exe" | C:\Windows\prxcecqchgwo.exe | N/A |
The Run value does not name the dropped binary directly but wraps it as CMD.EXE /C START C:\Windows\prxcecqchgwo.exe; autorun tooling that resolves only the first token of the value reports cmd.exe, so parse through to the START argument to recover the actual persistence target.
Indicator Removal: File Deletion
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\server\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\deploy\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\Accessories\ja-JP\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gd\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ta\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tt\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\localizedStrings.js | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\sd\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_settings.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\activity16v.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\fonts\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\en-US\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Triedit\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\wa\_ReCoVeRy_+wqeua.txt | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_ReCoVeRy_+wqeua.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_ReCoVeRy_+wqeua.html | C:\Windows\prxcecqchgwo.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png | C:\Windows\prxcecqchgwo.exe | N/A |
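The note-drop pattern in the tables above (the same `_ReCoVeRy_+wqeua.txt/.html/.png` trio written by one process into directories under Program Files, the user profile and MSOCache, including two Startup folders) can be caught without knowing the note name in advance. The following fan-out heuristic over file-write events is an added example, not sandbox output or vendor tooling; it uses a subset of the paths from this report, the `explorer.exe`/`desktop.ini` rows are constructed benign noise, and the thresholds and the housekeeping-name exclusion are tuning assumptions.

```python
"""Fan-out heuristic for ransom-note drops over file-write events.
Added example; not sandbox output or vendor tooling."""
import ntpath
from collections import defaultdict

WRITER = r"C:\Windows\prxcecqchgwo.exe"
# Subset of the "Drops startup file" / "Drops file in Program Files directory" tables
# plus the MSOCache note from the Files section; explorer.exe rows are constructed noise.
FILE_EVENTS = [
    (WRITER, r"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\_ReCoVeRy_+wqeua.txt"),
    (WRITER, r"C:\Program Files\Java\jre7\bin\server\_ReCoVeRy_+wqeua.html"),
    (WRITER, r"C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_ReCoVeRy_+wqeua.txt"),
    (WRITER, r"C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_ReCoVeRy_+wqeua.png"),
    (WRITER, r"C:\Program Files\Mozilla Firefox\_ReCoVeRy_+wqeua.html"),
    (WRITER, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+wqeua.txt"),
    (WRITER, r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_ReCoVeRy_+wqeua.html"),
    (WRITER, r"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+wqeua.png"),
    (r"C:\Windows\explorer.exe", r"C:\Users\Admin\Pictures\desktop.ini"),
    (r"C:\Windows\explorer.exe", r"C:\Users\Admin\Music\desktop.ini"),
    (r"C:\Windows\explorer.exe", r"C:\Program Files\7-Zip\desktop.ini"),
]

HOUSEKEEPING = {"desktop.ini", "thumbs.db"}        # names that legitimately fan out (tuning assumption)
STARTUP_DIRS = ("\\start menu\\programs\\startup\\", "\\microsoft\\word\\startup\\")
MIN_DIRS, MIN_ROOTS = 5, 2                          # thresholds are assumptions; tune per fleet


def volume_root(path: str) -> str:
    """Drive plus first directory, e.g. 'c:\\program files', used to measure spread."""
    return "\\".join(path.split("\\")[:2]).lower()


def note_fanout(events, min_dirs=MIN_DIRS, min_roots=MIN_ROOTS):
    """Group writes by (writer, file stem) so the .txt/.html/.png variants of one note count
    as one family, then flag families dropped into many directories across several roots."""
    dirs = defaultdict(set)
    for writer, path in events:
        directory, name = ntpath.split(path)
        if name.lower() in HOUSEKEEPING:
            continue
        stem = name.rpartition(".")[0] or name
        dirs[(writer, stem.lower())].add(directory.lower())
    findings = []
    for (writer, stem), ds in sorted(dirs.items()):
        roots = {volume_root(d) for d in ds}
        if len(ds) >= min_dirs and len(roots) >= min_roots:
            findings.append({
                "writer": writer,
                "note": stem,
                "dirs": len(ds),
                "roots": sorted(roots),
                # notes planted in Startup folders re-display the demand at every logon
                "startup": sorted(d for d in ds if any(s in d + "\\" for s in STARTUP_DIRS)),
            })
    return findings


if __name__ == "__main__":
    for f in note_fanout(FILE_EVENTS):
        print(f"{f['writer']} dropped '{f['note']}' into {f['dirs']} directories "
              f"under {f['roots']}; startup copies: {len(f['startup'])}")
```

Grouping on the stem rather than the full name is what makes the three note formats count as one family; the root-spread requirement is what separates a ransomware sweep from an installer or updater that writes many files under a single tree.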
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\prxcecqchgwo.exe | C:\Users\Admin\AppData\Local\Temp\638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\prxcecqchgwo.exe | C:\Users\Admin\AppData\Local\Temp\638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\prxcecqchgwo.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{13EF2551-8F0C-11EF-AF7A-C23FE47451C3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000004e9bc861df5be7f9ed702e8541184606299db5c843c0747ffb1706623ca14dc9000000000e8000000002000020000000c3600e5d5fcb2a3da4279b5b15c8edf2cc2b6c16b21ad61edbe646818280071320000000e3957643022ea67c458d2a536243847f8fe265f21b6d68b8988f43308275a15b40000000d794a0b39332446098365cb7e654f1c619b60b9da5dee1d90801c7f94aa2bfbdfec06557aeb98e34cd3d5dacad15371ba3f97675ea2f25bc3ffe4259cfe22730 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d6e4e81823db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000058038144c1583f6016813860829e128b393633b18729d7add4d4f940c3ea1ee7000000000e8000000002000020000000b7ec39d2ea3c06ed264afd823368f6933638547fe2c869559d5c0a32bab969a39000000033fd97e61825d24a1a3b0d4ea87fb9a75d46cf22dab6bd88e98fe3f4059e086ad1ec6f51d6b54ff03150c4a0d34588868d91559d11861e639ad012c4672cb20b042f09c802e29f6fd1728a43ec4b717c86d3d8829cbc421969e8f2241ce8a2d4877b7347df6195c4f5248b973e376493bbde41186d741a68923d0c6a85ac649eb31d47533460166df5d1cc21cb8decf840000000dd6925ed0bdabced289ef41f82a5634917ff878987ab31332072d59b6ab34746ddcc6803e4b3f574b0720f09817013e67cea18084cb99c627f442d01cff26f29 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\prxcecqchgwo.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\prxcecqchgwo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Windows\prxcecqchgwo.exe | N/A |
EnableLinkedConnections = 1 makes drive letters mapped under the user's standard token visible from the elevated (linked) token and vice versa, which the UAC token split otherwise prevents; ransomware sets it so that mapped network shares stay reachable for encryption from an elevated process.
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118.exe"
C:\Windows\prxcecqchgwo.exe
C:\Windows\prxcecqchgwo.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\638B96~1.EXE
C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2
C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
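The process list above, re-expressed as creation events and run through four triage rules, as an added example (not sandbox output or vendor tooling). Two details of this tree matter when writing such rules: the deletion target is the 8.3 alias `638B96~1.EXE` of the submitted file, so a self-deletion rule has to normalize short names before comparing against the parent's image; and the kernel reports the 32-bit cmd.exe and NOTEPAD.EXE under SysWOW64 while their command lines name system32, so rules should key on the image basename rather than on the path in the command line. PIDs other than 2280 and 2532, and all parent links except the sample (2280) spawning its copy (2532), are assumptions; the Windows-root allowlist is a partial one.

```python
"""Per-event triage rules for the process tree in this report.
Added example; it is not sandbox output or vendor tooling."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int       # only 2280 and 2532 appear in the report (memory dumps); the rest are assumed
    ppid: int      # parent links are assumed, except the sample (2280) creating the copy (2532)
    image: str     # on-disk image as the kernel sees it: SysWOW64 for 32-bit processes
    cmdline: str   # as the parent supplied it: may say system32 even when the image is SysWOW64


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118.exe"
# Reconstructed from the Processes section of the report.
EVENTS = [
    ProcEvent(2280, 1900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2532, 2280, r"C:\Windows\prxcecqchgwo.exe", r"C:\Windows\prxcecqchgwo.exe"),
    ProcEvent(2600, 2280, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\638B96~1.EXE'),
    ProcEvent(2700, 2532, r"C:\Windows\System32\wbem\WMIC.exe",
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
    ProcEvent(2800, 2532, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT'),
    ProcEvent(2900, 2532, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM'),
]

# Binaries that legitimately live directly in C:\Windows on Windows 7 (partial allowlist, assumption).
WINDIR_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
                "splwow64.exe", "bfsvc.exe", "helppane.exe", "winhlp32.exe", "fveupdate.exe"}
VIEWERS = {"notepad.exe", "wordpad.exe", "iexplore.exe", "mshta.exe"}
NOTE_NAME = re.compile(r"recover|decrypt|restore|readme|how.?to", re.I)
SHADOW_DELETE = re.compile(r"shadowcopy\s+delete|delete\s+shadows", re.I)
CMD_DEL = re.compile(r"/[ck]\s+del\b\s*(?:/[a-z]\s+)*(.+)$", re.I)


def short_prefix(long_name: str):
    """Prefix and extension of the 8.3 alias Windows derives from a long name: the first six
    legal characters of the stem (spaces and extra dots dropped) and the first three of the
    extension. The ~N suffix depends on directory contents, so only the prefix is compared."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    stem = re.sub(r"[^A-Z0-9_$~!#%&{}()@'`-]", "", stem.upper())
    return stem[:6], ext.upper()[:3]


def same_file(candidate: str, image: str) -> bool:
    """True if `candidate` (possibly an 8.3 alias such as 638B96~1.EXE) names `image`."""
    cdir, cname = ntpath.split(candidate.strip('"'))
    idir, iname = ntpath.split(image)
    if cdir.lower() != idir.lower():
        return False
    if "~" in cname:
        prefix, _, rest = cname.upper().partition("~")
        ext = rest.rpartition(".")[2] if "." in rest else ""
        return (prefix, ext) == short_prefix(iname)
    return cname.lower() == iname.lower()


def triage(events):
    """Return (rule, pid) pairs for every event that matches one of the four rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        exe = ntpath.basename(e.image).lower()   # image basename, not the cmdline's system32 path
        parent = by_pid.get(e.ppid)
        # T1490: shadow copy deletion through wmic/vssadmin
        if exe in {"wmic.exe", "vssadmin.exe"} and SHADOW_DELETE.search(e.cmdline):
            findings.append(("shadow_copy_deletion", e.pid))
        # T1070.004: cmd /c DEL aimed at the parent's own image, 8.3 alias normalized
        m = CMD_DEL.search(e.cmdline) if exe == "cmd.exe" else None
        if m and parent and same_file(m.group(1), parent.image):
            findings.append(("self_deletion", e.pid))
        # Ransom note display: a viewer launched by something other than the user's shell
        if exe in VIEWERS and parent and ntpath.basename(parent.image).lower() != "explorer.exe":
            args = e.cmdline.split('" ', 1)[-1] if e.cmdline.startswith('"') else e.cmdline.split(" ", 1)[-1]
            if NOTE_NAME.search(ntpath.basename(args.strip('"'))):
                findings.append(("ransom_note_display", e.pid))
        # An unknown executable sitting directly in C:\Windows (the dropped copy, not a system binary)
        if ntpath.dirname(e.image).lower() == r"c:\windows" and exe not in WINDIR_ALLOW:
            findings.append(("windows_root_execution", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:24s} pid={pid} {by := EVENTS[[x.pid for x in EVENTS].index(pid)].image}")
```

The self-deletion rule only fires when the DEL target resolves to the parent's image, which keeps ordinary `cmd /c del` clean-up out of the result; `vssadmin.exe` is included alongside `wmic.exe` because the same shadow-copy wipe is commonly issued either way.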
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tele-channel.com | udp |
| US | 3.94.10.34:80 | tele-channel.com | tcp |
| US | 8.8.8.8:53 | multibrandphone.com | udp |
| US | 8.8.8.8:53 | vtechshop.net | udp |
| US | 8.8.8.8:53 | sappmtraining.com | udp |
| US | 8.8.8.8:53 | shirongfeng.cn | udp |
| US | 107.163.124.124:80 | shirongfeng.cn | tcp |
| US | 8.8.8.8:53 | controlfreaknetworks.com | udp |
| US | 104.247.198.49:80 | controlfreaknetworks.com | tcp |
| US | 3.94.10.34:80 | tele-channel.com | tcp |
| US | 107.163.124.124:80 | shirongfeng.cn | tcp |
Files
memory/2280-0-0x0000000000890000-0x00000000008BF000-memory.dmp
memory/2280-1-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2280-2-0x0000000000400000-0x0000000000487000-memory.dmp
C:\Windows\prxcecqchgwo.exe
| MD5 | 638b967576052290aa5c3d5ccf68cc5f |
| SHA1 | deccc5ee88858026981db8c43183a2f8ede3d143 |
| SHA256 | 0e5f7abcb8ff75ff08dcb8ce964c1b6e65b36f46562ed02e4c24a4a139ba5904 |
| SHA512 | 7a4160c651080f6d3fa12eae3cae5cad17b97d2ace98ec6c03e95404ae8465ae642b669ebaeb388242323820f2d97a48dfb96eccbbef7d39751ff774df0b3258 |
These hashes match the submitted sample (the SHA256 at the top of this report; the MD5 is the sample's file name prefix), so the file dropped into C:\Windows is a byte-identical copy and a hash IOC for the sample also covers the persisted copy, whereas the file name is a weaker indicator.
memory/2280-10-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2280-9-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2532-8-0x0000000000400000-0x0000000000494000-memory.dmp
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+wqeua.png
| MD5 | b94c13577974277ebb1c3a35c5e5d9db |
| SHA1 | 289761b71b773518156c07d2433ce50c977bfbd9 |
| SHA256 | f102ba9c9052d7829c611ca4c6eab40a48c1bc8d2ba69bbf47a49500aa2ac78f |
| SHA512 | 01f792d82ecd39281b339fa89c1395e0d45cf6cad9f7a7f39487043456089d1a6bf59923fea2a4845bfd275287ab10a97dba17ebbf283bfef274344ee2a2cc46 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+wqeua.txt
| MD5 | 40a496759a6b131f39acb79d9b93c6b8 |
| SHA1 | 931dd2d009bcb86d97c6e90879b762c0e8b4b683 |
| SHA256 | 2f6071a886e8c8642f6160f99add5953da9b3e8a77ae0e537b6e54373f58c651 |
| SHA512 | f4a46bb893fb3423a2fe83339f39377159a7972368e1fcbe730dffc29b964b4b60197234be36ffc1ef7590338e7a3f7d6595a1110789a9e714d621fff809b52d |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+wqeua.html
| MD5 | 280bba0f7ff1e06d7af518d1d7951a5b |
| SHA1 | 420b8750fd83b93049e04b1cee9f8d5a89a5c6f9 |
| SHA256 | 87b94270b6e1d5ac4bbc60fbde71173fe764a3ccc527397c05b7ceee7549a066 |
| SHA512 | ec39897d383bd38d82c3e7e7972dabe320941249c4783c343f3fbe9b5e9b445db45d44537be7abb603be6f276f4db7df21eaa8a6c4d98c6e82eada74c2a5cada |
memory/2532-178-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2532-227-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2532-712-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2532-844-0x0000000000400000-0x0000000000494000-memory.dmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
| MD5 | 23a962236d0410cd34251fd79888eea7 |
| SHA1 | d1e9fd11dbc352137aad07576fa5337190b4c9f3 |
| SHA256 | 77d293ff984df186ca06de41f68cb7942e05e5447e8104081862c80ef4f35ad4 |
| SHA512 | 160e6e1840bed458a4c0b393d8418ea17bcc92736d37bc5651f3303d65800add654817ef563b0e296ebf37b736d152979be3868f2f4fe045bf74633bfe73af7a |
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
| MD5 | 6e20b9209e3337e0d1688d206b90c360 |
| SHA1 | 8442fc10952813d086289792656f8b106f9d39db |
| SHA256 | 4a5cda2a5c0c7d89453ec3623a125079b4da11e00b714ec4e0094fb52495b733 |
| SHA512 | 13eb513a18af760005649210ef31939d7e752c18be717035e17e654eb01aa879ee54804c173b5d14d0a894db4e616274ed944999f56a08b3a64f6c4459afdb9e |
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
| MD5 | 54460c3c1d028c4b14305e5a515b5499 |
| SHA1 | c77be4a6ea33261b6ec95ccba2b1ec88b0cff78f |
| SHA256 | f86c2ddd4fa524132b6a3f2f0e4eb2d34214020e63ce56af7c6d8a40d6c0bb86 |
| SHA512 | 20b338719de91af5846910d0909641ea88413fa90322d81585a7b111108989c5aabedbc01e03e3286114fcd39d6a8798ca1c745c4e7e51d3293bc96f613c0887 |
memory/2532-1651-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2532-2339-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2532-3292-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2532-4166-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2532-4890-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2532-5815-0x0000000000400000-0x0000000000494000-memory.dmp
memory/2532-5891-0x0000000002A70000-0x0000000002A72000-memory.dmp
memory/1512-5892-0x0000000000160000-0x0000000000162000-memory.dmp
memory/2532-5896-0x0000000000400000-0x0000000000494000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC9F6.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCAE4.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65336b7b25552d1c5075358b69facc9b |
| SHA1 | a49eb79cb3f5034e1ee715efe9fbdc42358787ef |
| SHA256 | f31dbd5b5da8662ea47b83d7f78a736ab6e06a549111bca5336de3d36738f4e1 |
| SHA512 | db159f12bb884604aa06c22899957b05994ea644e4b90bdaa6e46179fc2455bf753583503f9b81e24905bd930bef9702ccfefc4d57e35055f4f39475168bdb1e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7beb0a5e9ed399cc8f0d0bb87dab1c09 |
| SHA1 | c98520441c84c238c2aad675dc1b169ef2e3f89f |
| SHA256 | 046a83e8cc91c469e0948c1ba577bc23d42e12bde406172b0fdef7dae8898a91 |
| SHA512 | 2390784609886b42c830fbaf47d29e39ced4229ff02358a5f29b6ebece00457eed565aa0211ccf7a1969ecf81b9f9d33396631ebebe6f8dddb040d6a698e4ba1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 086b97e004d1e89f124d33281245ea34 |
| SHA1 | 06c19ddf16355cac8ac90f2dd78f9a43ec40de33 |
| SHA256 | eb0b8e466cf7c08575edc9635aff16807ff26a819d1e0ab6e2a6735fdea1eb59 |
| SHA512 | b725675434fe9a720a7f23bd8d5e2348490a3214e8b16f528ab594fd1b3288263668a3a7019fb68c6aa0d6325767a15083811d7ae41ad943fa3454bf5d4eff2d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 219900033b452d6d549f54e6d10516f8 |
| SHA1 | c535b5563aa46ad1d92b0c420e7d9d15a06b8a00 |
| SHA256 | 021a35af9864506744faa67d2e8cfefa5232db3c08256652774c6bca9f9c8354 |
| SHA512 | d737f9902db1bc770034dbf0c932afbdbf9b4a3e5f8117ef77292d2c7c1417e0e9fece04481ab5758cea1b794000d06c6888518b1863dd9f3278c018f629afe5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8a9c2f4cbb19e057fe103f2a01ce08f |
| SHA1 | 2fb6fa736a536196507ecd5735fc163dc1a1c5b0 |
| SHA256 | cf901be65c46fdb20d0a038260a2bd5ef2515cdc6169664765034fb2e9258b32 |
| SHA512 | c61d08b42ff7272693f044593990d0176e16ad2a75e41da074e380264072d43b3f3f1df7d69cd17488afa8f7c4550d4ff36925b1049f81fbaea1fa4f735e2c0b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6429d521c433c0f7e21281585d5b6a32 |
| SHA1 | d4ab7530d8f19b7659298c3dddd85f5af46d75cf |
| SHA256 | 13cfe797f9a99da013e1b6c86bfd06271ae95ad047b9e51d543bdfc029edbee4 |
| SHA512 | ed03b5b4e82f5ce2f335f1e16ce41f70e43a86c51212f7c00b709b059a7c16deaf3a11868a1c3ae31cfe554cfae980c3c6dbb26f4c7fd9e065ad49689eab2265 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fd99c4f5f975661bbee2c1ead755b0c0 |
| SHA1 | 8000adafd21eb84c6aff20fb66e6fede1f7c9af1 |
| SHA256 | 1cc8e70b2b726c8d2a016f85352b988547f23c060bd1fda302a0c769ad4ae29d |
| SHA512 | de4c5ee68429e2b295f53f69cbe7a15a738be8cb2a584f1095bd441f21caa44df4f143cc81746980947ff1a40cc8d59fcd59450a5af5909a632c12b92a2c7989 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ea755050504d97c5baf1b12fff811791 |
| SHA1 | c0e1f2a98fb9f03ce94d9231dadb6dfacb0d2299 |
| SHA256 | 3ebb86ea7c2ce42064d4e286632a2ddeb19b4005f8a60d3c29fd6e9c8ff1376b |
| SHA512 | 331bacb011e9dc4d2451806780edea92a62d5ef0974d84e3b2b2c160403521482e23197adbc712fe4f2135718da31a70b99013dbd9cdd7b0f3707327f1ef5eb3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c26cfab0084ef3cab509ff2e62a80c57 |
| SHA1 | df92715e4a9c6499d8cd7bb16ba989c52b8b7360 |
| SHA256 | 741b2e451aed366cdc4ba7f3d5ab44f32a1a37ead23bcbc3453fc69eb2bd18d5 |
| SHA512 | a80d0e4cedee840e465f7be0cb43c4b1e9910c0aaa47019cedbcc83838b421f3656c0627eebaa5a8d015f4a453e8391d934a5e660264e7d1f9b59849b8724a92 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bfbe8810cd04c04aa0f78e68aa9cefc7 |
| SHA1 | e53b887754299dae87f6e0ed0695d16cd7044f30 |
| SHA256 | ffc293243baa3cc8f596e72e833b5e5fdacd84243f1bb5c6efeceae2828433ab |
| SHA512 | 390954d2082e512850d5b5d9cbe3749604c037209f33984288c372fd81d0d7ba0ab518e9722312d38b43a403e1efe04a2c356c19dd7e78302dd4d952aabb4399 |
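The Files list above records two host artefacts worth sweeping other machines for: the ransom notes `_ReCoVeRy_+wqeua.{txt,html,png}` dropped into the Startup folder, the Word STARTUP folder and MSOCache, and the self-copy `C:\Windows\prxcecqchgwo.exe`, whose hashes are identical to the submitted file. The script below is an added example written for this page, not the sandbox's own tooling; it walks a directory tree, matches the note names by prefix and extension, and hashes executables against the report's SHA-256. It assumes the five-character suffix ("wqeua" here) is not stable across infections, which is why only the prefix is matched; the Run key and shadow-copy deletion listed in the summary need a registry and event-log check that this file-system sweep does not cover. The directory tree it builds is constructed demo data, not real sample bytes.

```python
"""Hunt a file system for the artefacts this report records: ransom notes named
_ReCoVeRy_+<suffix>.{txt,html,png} and any file carrying the sample's SHA-256,
since the dropped C:\\Windows\\prxcecqchgwo.exe has the same hash as the
submitted file.

Added example for this page, not the sandbox's own tooling. Assumption: the
5-character suffix ("wqeua" here) varies per infection, so only the prefix and
extensions are matched."""
import hashlib
import os
import re
import tempfile

# SHA-256 of the submitted sample and of C:\Windows\prxcecqchgwo.exe (from the report).
SAMPLE_SHA256 = "0e5f7abcb8ff75ff08dcb8ce964c1b6e65b36f46562ed02e4c24a4a139ba5904"
NOTE_RE = re.compile(r"^_ReCoVeRy_\+[A-Za-z0-9]+\.(txt|html|png)$")


def sha256_file(path):
    """Stream a file through SHA-256 so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, ioc_hashes=frozenset({SAMPLE_SHA256})):
    """Walk root and return {'notes': [...], 'hash_hits': [...]} as paths
    relative to root, '/'-separated. Only .exe files are hashed to keep the
    sweep cheap; the note check is by name alone."""
    notes, hash_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if NOTE_RE.match(name):
                notes.append(rel)
            if name.lower().endswith(".exe"):
                try:
                    if sha256_file(path) in ioc_hashes:
                        hash_hits.append(rel)
                except OSError:  # unreadable file: skip it, do not abort the sweep
                    pass
    return {"notes": sorted(notes), "hash_hits": sorted(hash_hits)}


def build_demo_tree():
    """Constructed directory that mimics the report's drop locations (demo data,
    not real sample bytes). Returns (root, sha256 of the stand-in executable)."""
    root = tempfile.mkdtemp(prefix="recovery_hunt_")
    startup = os.path.join(root, "Users", "Admin", "AppData", "Roaming",
                           "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    windows = os.path.join(root, "Windows")
    os.makedirs(startup)
    os.makedirs(windows)
    for ext in ("txt", "html", "png"):
        with open(os.path.join(startup, f"_ReCoVeRy_+wqeua.{ext}"), "wb") as f:
            f.write(b"demo ransom note\n")
    stand_in = os.path.join(windows, "prxcecqchgwo.exe")
    with open(stand_in, "wb") as f:
        f.write(b"MZ demo stand-in; its hash is NOT the report's hash\n")
    with open(os.path.join(windows, "notepad.exe"), "wb") as f:
        f.write(b"MZ benign\n")
    return root, sha256_file(stand_in)


if __name__ == "__main__":
    demo_root, demo_hash = build_demo_tree()
    # The stand-in's hash is added only so the demo shows a hash hit;
    # on a real host pass SAMPLE_SHA256 alone.
    for key, paths in hunt(demo_root, frozenset({SAMPLE_SHA256, demo_hash})).items():
        print(key, paths)
```

On a real host point `hunt()` at each fixed drive root and pass only the report's hash; a note match with no hash hit usually means the executable has already deleted itself, which the summary records this sample doing, so the notes and the Run key are the durable indicators.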
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-20 17:50
Reported
2024-10-20 17:53
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
114s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\638b967576052290aa5c3d5ccf68cc5f_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3616 -ip 3616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 376
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
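The two Network tables in this report (the behavioral1 rows ending with `tele-channel.com` and `shirongfeng.cn`, and the behavioral2 rows above) mix traffic the sample generated with resolver and OS background noise: reverse lookups under `in-addr.arpa` and the `bing.com`/`bing.net` connections come from the Windows 10 guest, and the behavioral2 run crashed under WerFault before doing anything else. The script below is an added example, not part of the report, that parses rows in the page's table format and separates the two; the rows it embeds are copied from both tables, and the rule that `in-addr.arpa`, `bing.com` and `bing.net` are background traffic is this example's own assumption. The report does not say which of the remaining hosts, if any, served the sample's key exchange, so treat them as contacts to check rather than confirmed C2.

```python
"""Triage the Network tables of a sandbox report: split resolver/OS background
traffic from endpoints the sample itself reached.

Added example for this page. REPORT_ROWS is copied from the behavioral1 and
behavioral2 Network tables; BACKGROUND_SUFFIXES is an assumption, not something
the report states."""
from collections import defaultdict

REPORT_ROWS = """\
| US | 8.8.8.8:53 | sappmtraining.com | udp |
| US | 8.8.8.8:53 | shirongfeng.cn | udp |
| US | 107.163.124.124:80 | shirongfeng.cn | tcp |
| US | 8.8.8.8:53 | controlfreaknetworks.com | udp |
| US | 104.247.198.49:80 | controlfreaknetworks.com | tcp |
| US | 3.94.10.34:80 | tele-channel.com | tcp |
| US | 107.163.124.124:80 | shirongfeng.cn | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
"""

# Assumption: reverse lookups and Microsoft/Bing endpoints are guest background
# traffic, not the sample's own activity.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
RESOLVER = "8.8.8.8:53"


def parse_rows(text):
    """Yield (country, destination, domain, proto) from '| a | b | c | d |' rows.
    Header rows are skipped because their destination cell has no ':'."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and ":" in cells[1]:
            yield tuple(cells)


def is_background(domain):
    return domain.endswith(BACKGROUND_SUFFIXES)


def triage_network(text):
    """Return (contacts, background).

    contacts maps each non-background domain to the set of 'ip:port/proto'
    endpoints actually connected to; a domain that only appears in DNS
    lookups maps to an empty set (resolved, never contacted in the capture).
    background is the set of domains dropped as guest noise."""
    contacts = defaultdict(set)
    background = set()
    for _country, dest, domain, proto in parse_rows(text):
        if is_background(domain):
            background.add(domain)
            continue
        contacts.setdefault(domain, set())
        if not (dest == RESOLVER and proto == "udp"):
            contacts[domain].add(f"{dest}/{proto}")
    return dict(contacts), background


if __name__ == "__main__":
    contacts, background = triage_network(REPORT_ROWS)
    for domain, endpoints in sorted(contacts.items()):
        print(domain, "->", sorted(endpoints) or "resolved only")
    print("background:", sorted(background))
```

Run against the page's rows, the behavioral1 hosts come out as three HTTP contacts on port 80 plus one resolve-only name, and every behavioral2 row lands in the background set, which is what a run that crashed at start should look like.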
Files
memory/3616-1-0x0000000000670000-0x0000000000671000-memory.dmp
memory/3616-0-0x0000000000690000-0x00000000006BF000-memory.dmp