0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
Size

1.2MB
MD5

cc3652c078fa2bdfbbfae33335c30bda
SHA1

b3d3ad0c2c9d526717f55c431d51c2f1e957325b
SHA256

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad
SHA512

d027e1df8c10516b81e47ef840f0e2baf971c0e0c4e77ff0fdc0122bbbb66ed210fd78336cb40d05c76d91838ae89ebb3304050dbf7fb7eeec73d47d1d26ec3d
SSDEEP

12288:QKMzISi3LAStu+KxSgNrc+YCiYKjqxJUZGhEzXMOalwmtnvXigwwdAnIK4RHLrog:vMsSibWXpNrcVEnvXigwwdAIK4R/W3

Score

10^/10

credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\!!!HOW_TO_DECRYPT!!!.mht

Ransom Note

From: =?utf-8?B?0RFQctTF0YDQcNC60IXQvdC+IEludGVybmV0IED4cGxvseVyIDEz?= Subject: Date: San, 00 Jan 2000 00:00:00 +0000 MIME-Version: 1.0 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft MimeOLE =EF=BB=BF<!DOCTYPE HTML> <!DOCTYPE html PUBLIC "" "">=20 <HTML lang=3D"ru">=20 <HEAD>=20 <META = content=3D"IE = 3D11.0000" http-equiv=3D"X - UA - Compatible">=20 <META charset=3D"utf-8">=20 <TITLE>!!!HOW_TO_DECRYPT!!!</TITLE>=20 <LINK href=3D"style.css" rel=3D"stylesheet">=20 <META name=3D"GENERATOR" content=3D"MSHTML 11.00.10570.1001">=20 </HEAD>=20 <BODY>=20 =20 =20 All your valiable data has been encrypted! =20 =20 =20 Hello! Sorry, but we have inform you that your order has been blocked due to the issue of securities. Make sure your data is not blocked.=20 All your valuable files were encrypted with strong encryption algorithms AES-256 + RSA-2048 + CHACHA and renamed. You can read about these algorithms in Google.=20 Your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely. =20 We can prove that we can decrypt all of your data. Please just send us 3 small encrypted files which are randomly stored on your server.=20 We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information. =20 As you know information is the most valuable resource in the world. That's why all of your confidential data was uploaded to our servers.=20 If you need proof, just write us and we will show you that we have your files. If you will not start a dialogue with us in 72 hours=20 we will be forced to publish your files in the Darknet. Your customers and partners will be informed about the data leak by email or phone. =20 This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases=20 to interested parties to generate some profit. Please understand that we are just doing our job. We don't want to harm your company.=20 Think of this incident as an opportunity to improve your security. We are opened for dialogue and ready to help you. We are professionals,=20 please don't try to fool us. =20 =20 If you want to resolve this situation, please write to ALL of these 2 email addresses: =20 [email protected] [email protected] In subject line please write your ID: 8894338990327332297 =20 =20 =20 Important! =20 * We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered. =20 * Our message may be recognized as spam, so be sure to check the spam folder. =20 * If we do not respond to you within 24 hours, write to us from another email address. Use Gmail, Yahoo, Hotmail, or any other well-known email service. =20 Important =20 * Please don't waste the time, it will result only additinal damage to your company! =20 * Please do not try to decrypt the files yourself. We will not be able to help you if files will be modified. =20 =20 =20 </BODY> =20 </HTML>

Emails

[email protected] [email protected] In

URLs

http-equiv=3D"X

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
536	bcdedit.exe
684	bcdedit.exe

Renames multiple (911) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2152	wbadmin.exe
776	wbadmin.exe

Drops file in Drivers directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
2268	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe\" e"	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 39 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\Z:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\L:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\S:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\T:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\J:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\U:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\V:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\W:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\B:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\I:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\O:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\P:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\Q:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\Y:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\M:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\A:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\N:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\R:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\X:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\E:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\K:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\H:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\440adada-f29f-4986-b69f-edba7cedbf5f.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\29da68e3-7ef7-455e-a6e8-0d249e7b7eac	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\LogFiles\Scm\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\RegBack\DEFAULT	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\BCD-Template	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\DEFAULT	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\Microsoft\Protect\S-1-5-18\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\SECURITY	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\29da68e3-7ef7-455e-a6e8-0d249e7b7eac.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\29da68e3-7ef7-455e-a6e8-0d249e7b7eac.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\config\RegBack\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\RegBack\SYSTEM	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\5a73103f-8e10-4b31-8839-646f58f46eb6.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\440adada-f29f-4986-b69f-edba7cedbf5f.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\SAM	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\SOFTWARE	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\929bc581-46b6-4237-bec1-5ea5f9afd46e	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\config\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\SYSTEM	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\440adada-f29f-4986-b69f-edba7cedbf5f	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tokyo	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santiago.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Eucla	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Juneau	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Los_Angeles.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Martinique	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Marengo.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Oral.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\London.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Asuncion	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Athens	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\meta-index.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\PST8PDT	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Noronha.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Toronto.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belize	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Creston.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yellowknife	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tehran	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Brussels	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Adak	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\El_Salvador.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\HST10	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Ushuaia.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Madrid.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Sofia.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Drops file in Windows directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_1	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_0	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\ehome\CreateDisc\Components\tables\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb1	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Panther\setupinfo.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb2	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_1	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th2	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_2	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\enwindow	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Panther\setupinfo	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb1	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th1	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_0	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th0	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_2	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_3	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File created	C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th1	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb0	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb2	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\Boot\DVD\PCAT\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb0	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th0	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th2	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\dewindow	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1440	vssadmin.exe
2728	vssadmin.exe
2652	vssadmin.exe
2836	vssadmin.exe
2968	vssadmin.exe
2876	vssadmin.exe
2864	vssadmin.exe
3008	vssadmin.exe
2800	vssadmin.exe
2016	vssadmin.exe
1796	vssadmin.exe
2064	vssadmin.exe
1724	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeBackupPrivilege	2888	vssvc.exe
Token: SeRestorePrivilege	2888	vssvc.exe
Token: SeAuditPrivilege	2888	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2224	wmic.exe
Token: SeSecurityPrivilege	2224	wmic.exe
Token: SeTakeOwnershipPrivilege	2224	wmic.exe
Token: SeLoadDriverPrivilege	2224	wmic.exe
Token: SeSystemProfilePrivilege	2224	wmic.exe
Token: SeSystemtimePrivilege	2224	wmic.exe
Token: SeProfSingleProcessPrivilege	2224	wmic.exe
Token: SeIncBasePriorityPrivilege	2224	wmic.exe
Token: SeCreatePagefilePrivilege	2224	wmic.exe
Token: SeBackupPrivilege	2224	wmic.exe
Token: SeRestorePrivilege	2224	wmic.exe
Token: SeShutdownPrivilege	2224	wmic.exe
Token: SeDebugPrivilege	2224	wmic.exe
Token: SeSystemEnvironmentPrivilege	2224	wmic.exe
Token: SeRemoteShutdownPrivilege	2224	wmic.exe
Token: SeUndockPrivilege	2224	wmic.exe
Token: SeManageVolumePrivilege	2224	wmic.exe
Token: 33	2224	wmic.exe
Token: 34	2224	wmic.exe
Token: 35	2224	wmic.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2800	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2800	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2800	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2652	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	36
PID 2124 wrote to memory of 2652	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	36
PID 2124 wrote to memory of 2652	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	36
PID 2124 wrote to memory of 2728	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	38
PID 2124 wrote to memory of 2728	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	38
PID 2124 wrote to memory of 2728	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	38
PID 2124 wrote to memory of 1440	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	40
PID 2124 wrote to memory of 1440	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	40
PID 2124 wrote to memory of 1440	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	40
PID 2124 wrote to memory of 3008	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	42
PID 2124 wrote to memory of 3008	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	42
PID 2124 wrote to memory of 3008	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	42
PID 2124 wrote to memory of 1724	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	44
PID 2124 wrote to memory of 1724	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	44
PID 2124 wrote to memory of 1724	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	44
PID 2124 wrote to memory of 2064	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	46
PID 2124 wrote to memory of 2064	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	46
PID 2124 wrote to memory of 2064	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	46
PID 2124 wrote to memory of 2864	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	48
PID 2124 wrote to memory of 2864	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	48
PID 2124 wrote to memory of 2864	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	48
PID 2124 wrote to memory of 2876	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	50
PID 2124 wrote to memory of 2876	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	50
PID 2124 wrote to memory of 2876	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	50
PID 2124 wrote to memory of 2968	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	52
PID 2124 wrote to memory of 2968	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	52
PID 2124 wrote to memory of 2968	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	52
PID 2124 wrote to memory of 1796	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	54
PID 2124 wrote to memory of 1796	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	54
PID 2124 wrote to memory of 1796	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	54
PID 2124 wrote to memory of 2016	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	56
PID 2124 wrote to memory of 2016	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	56
PID 2124 wrote to memory of 2016	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	56
PID 2124 wrote to memory of 2836	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	58
PID 2124 wrote to memory of 2836	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	58
PID 2124 wrote to memory of 2836	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	58
PID 2124 wrote to memory of 684	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	60
PID 2124 wrote to memory of 684	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	60
PID 2124 wrote to memory of 684	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	60
PID 2124 wrote to memory of 536	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	62
PID 2124 wrote to memory of 536	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	62
PID 2124 wrote to memory of 536	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	62
PID 2124 wrote to memory of 776	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	64
PID 2124 wrote to memory of 776	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	64
PID 2124 wrote to memory of 776	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	64
PID 2124 wrote to memory of 2152	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	66
PID 2124 wrote to memory of 2152	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	66
PID 2124 wrote to memory of 2152	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	66
PID 2124 wrote to memory of 2224	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	68
PID 2124 wrote to memory of 2224	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	68
PID 2124 wrote to memory of 2224	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	68
PID 2124 wrote to memory of 2268	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	71
PID 2124 wrote to memory of 2268	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	71
PID 2124 wrote to memory of 2268	2124	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	71

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2124
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2800
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2652
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2728
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1440
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3008
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1724
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2064
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2864
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2876
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2968
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1796
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2016
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2836
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:684
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:536
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:776
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2152
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CC3652~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\!!!HOW_TO_DECRYPT!!!.mht

Filesize
4KB

MD5
aa893f5e5b5066777df56f91165c0110

SHA1
e15ad248d0c65cf0aff108f258bd5817ec93a464

SHA256
9f5970914bd7ceb8ac86752b47a4b18865b5138e21b89e1f158654e2341c5ac3

SHA512
8f6bba494d68991d48efa5ae27992a87d9ba2d636283b36a82bfc0f1bebfd9672eca6be3dade417508c6317e7cab949ed904eec06376d586f21a3d7734cdf3a4

Download Submit