Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27/10/2024, 22:40
Static task
static1
Behavioral task
behavioral1
Sample
764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe
-
Size
317KB
-
MD5
764dde3f1fd9259e60c40b148db70637
-
SHA1
0594e04536101063361d903e7db109a6dfaef85f
-
SHA256
403736515e661b6b36e18644a1e4aaa8b64f3d2597cf260300c815f9326d669a
-
SHA512
cbc6bc71698f75ebf23b2991476dabc895b23fd16af84967a2197aacc77b243e27ac143cdcc787549019492481bef63c847d79489eb3a8d672e8c8b5d0be157a
-
SSDEEP
6144:J6tiiYyUYE+I6TdpIg+aLUvPOfE2sg4qJLfG7zWBMvKvGB77Z:J60iYyo+JT/+f282sGtw/77Z
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\restore_files_vewif.txt
http://nasdki39dawk.oj998fh4txkjh.com/DDFD4123AC768C4C
http://awoeinf832as.wo49i277rnw.com/DDFD4123AC768C4C
https://zpr5huq4bgmutfnf.onion.to/DDFD4123AC768C4C
http://zpr5huq4bgmutfnf.onion/DDFD4123AC768C4C
Extracted
C:\Program Files\7-Zip\Lang\restore_files_vewif.html
https://zpr5huq4bgmutfnf.onion.to/DDFD4123AC768C4C</a>
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (873) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation vcwsfs.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_vewif.html vcwsfs.exe -
Executes dropped EXE 1 IoCs
pid Process 1112 vcwsfs.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C:\\Users\\Admin\\AppData\\Roaming\\vcwsfs.exe" vcwsfs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSCONFIG = "C" vcwsfs.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 ipinfo.io -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\restore_files_vewif.html vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-400_contrast-white.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-200.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_vewif.html vcwsfs.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\THMBNAIL.PNG vcwsfs.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\restore_files_vewif.html vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-125.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-32_contrast-white.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png vcwsfs.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\common.js vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-unplated.png vcwsfs.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ru-RU\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Logo.scale-125_contrast-white.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200_contrast-black.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxMetadata\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\assets\back-icon.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-100.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\WideTile.scale-200.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_7.m4a vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreMedTile.scale-200.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-400_contrast-white.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-125.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-48.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-20.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-400.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-125.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-16.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-unplated_contrast-black.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyAlbumList.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-400.png vcwsfs.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\af-ZA\View3d\restore_files_vewif.html vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionSmallTile.scale-100.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-30_altform-unplated.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-200.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-200_contrast-black.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-125.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-64.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxMetadata\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-unplated.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-125.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-200.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\restore_files_vewif.txt vcwsfs.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\restore_files_vewif.html vcwsfs.exe File opened for modification C:\Program Files\Windows Mail\restore_files_vewif.html vcwsfs.exe File opened for modification C:\Program Files\Windows NT\restore_files_vewif.html vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\EndOfLife\Assets\farewell.jpg vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_MouseNose.png vcwsfs.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\eml.scale-256.png vcwsfs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vcwsfs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4128 vssadmin.exe 2080 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings vcwsfs.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2868 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe 1112 vcwsfs.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process 3144 msedge.exe 3144 msedge.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1564 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe Token: SeDebugPrivilege 1112 vcwsfs.exe Token: SeBackupPrivilege 4084 vssvc.exe Token: SeRestorePrivilege 4084 vssvc.exe Token: SeAuditPrivilege 4084 vssvc.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe 3144 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1564 wrote to memory of 1112 1564 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe 86 PID 1564 wrote to memory of 1112 1564 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe 86 PID 1564 wrote to memory of 1112 1564 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe 86 PID 1564 wrote to memory of 4960 1564 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe 88 PID 1564 wrote to memory of 4960 1564 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe 88 PID 1564 wrote to memory of 4960 1564 764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe 88 PID 1112 wrote to memory of 4128 1112 vcwsfs.exe 90 PID 1112 wrote to memory of 4128 1112 vcwsfs.exe 90 PID 1112 wrote to memory of 2868 1112 vcwsfs.exe 110 PID 1112 wrote to memory of 2868 1112 vcwsfs.exe 110 PID 1112 wrote to memory of 2868 1112 vcwsfs.exe 110 PID 1112 wrote to memory of 3144 1112 vcwsfs.exe 111 PID 1112 wrote to memory of 3144 1112 vcwsfs.exe 111 PID 3144 wrote to memory of 1068 3144 msedge.exe 112 PID 3144 wrote to memory of 1068 3144 msedge.exe 112 PID 1112 wrote to memory of 2080 1112 vcwsfs.exe 113 PID 1112 wrote to memory of 2080 1112 vcwsfs.exe 113 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 4164 3144 msedge.exe 115 PID 3144 wrote to memory of 3520 3144 msedge.exe 116 PID 3144 wrote to memory of 3520 3144 msedge.exe 116 PID 3144 wrote to memory of 1088 3144 msedge.exe 117 PID 3144 wrote to memory of 1088 3144 msedge.exe 117 PID 3144 wrote to memory of 1088 3144 msedge.exe 117 PID 3144 wrote to memory of 1088 3144 msedge.exe 117 PID 3144 wrote to memory of 1088 3144 msedge.exe 117 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vcwsfs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" vcwsfs.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Users\Admin\AppData\Roaming\vcwsfs.exeC:\Users\Admin\AppData\Roaming\vcwsfs.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1112 -
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet3⤵
- Interacts with shadow copies
PID:4128
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e1ce46f8,0x7ff8e1ce4708,0x7ff8e1ce47184⤵PID:1068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:24⤵PID:4164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:34⤵PID:3520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:84⤵PID:1088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:14⤵PID:1052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:14⤵PID:2000
-
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet3⤵
- Interacts with shadow copies
PID:2080
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwsfs.exe >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:2680
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\764DDE~1.EXE >> NUL2⤵
- System Location Discovery: System Language Discovery
PID:4960
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2364
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:492
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD529457c0abb75c95bf4c37e77fd1488d6
SHA1e053e2b109e051193f82dad75dbbe1b86b26c080
SHA2566fb436f2e59e9696894784a2e572a2e87cd792c38dbbe27922bbb53b833fee4a
SHA5126f610c1402f8ce93bebf4f70304f461777b0818b940857ddd841e158fcfc035c4dbd92e490f1353ee5e7650e23a20e2c3f10820c545b17c3a8bb432e8467543a
-
Filesize
2KB
MD5ba95d3cbbc52103ca2f2c8a8ed3dfc4a
SHA192cc2bebee676002dbd11c9c831a4435588fc403
SHA2563f05098bd0c1c9c9c0e71642d12fe443190a3b9ba69470c038341185efdc6127
SHA512c9fd6b309668bdeb9aaa3ec233a2e12e16e0096e92bee8977b0f5f588bd3f6fe712933c43d65e70462c39ccc0baafd88135ed0c5cf0036045589f67aa455c50c
-
Filesize
152B
MD534d2c4f40f47672ecdf6f66fea242f4a
SHA14bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA51250fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6
-
Filesize
152B
MD58749e21d9d0a17dac32d5aa2027f7a75
SHA1a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a
-
Filesize
5KB
MD5a89fe62492ddc21dd15a3bd9d0a22153
SHA1f5d83032adefbdd24d902ba412922ab5b74490a1
SHA2562a7466c04cb8697d270dbd3ace3bff305ba73834a5e0eabcfa87c1b4f8c639b9
SHA51298afc9da90d9ad74d4909e569b2dd76872435d5716405c57a28bb9a9b10440be0589c035857e829cd23cf2c233c14cc8c711f92b4a1786b58db5300269065e7c
-
Filesize
6KB
MD5a08c60aabafbeca068a2ed8b6087fdb4
SHA1f5fe6f608cd41b1b6a608a2c4d584e33a7338327
SHA256bd88b3f145b40df21a9473a086299971b7b849613021e1d176f7a7d1d9f798e3
SHA5123aaa31be567eb3b7bcaea5fde300f17e27e1c1457b1b36b04c204d751120cf63d4560432cdae1a01eefd30b8fa320c81d1c3643ccb90596579b1c9b957d16f99
-
Filesize
10KB
MD58117a800276e8fadbfb2f5384a9400a3
SHA16d12802e19e04c9baa180760dc62b11bae9cb27a
SHA2564c17d5b032153a98d8ce115e6ece1fcbfff7a2ba58b359a1d92778813df1a983
SHA512af230ad5604b5f802fec697ba03c215f1b9f8a94b2df89b7e2a4f9a06e21706d3209b7143820b1c7d560fd7a8da2715727d96028d6fe0df9cee9dd07d739a052
-
Filesize
317KB
MD5764dde3f1fd9259e60c40b148db70637
SHA10594e04536101063361d903e7db109a6dfaef85f
SHA256403736515e661b6b36e18644a1e4aaa8b64f3d2597cf260300c815f9326d669a
SHA512cbc6bc71698f75ebf23b2991476dabc895b23fd16af84967a2197aacc77b243e27ac143cdcc787549019492481bef63c847d79489eb3a8d672e8c8b5d0be157a