Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-12-2024 23:12

General

  • Target

    ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe

  • Size

    226KB

  • MD5

    ed28a3189aefa3589a8602d24d19f1cb

  • SHA1

    4619f493d165ffc9893f19a32e197b7572497cd2

  • SHA256

    52e15e0deb115003af9f56c7f4e66076a4c859b4e8d782e5ad1d29a95b9164bc

  • SHA512

    06577460509c754a2850f69ac250132e73e2367995825632cf358cf7dd20f1774cb38a7c2a214209fe74a10ca8bac7fdf3bc84d0447fe77963a926333d3d73de

  • SSDEEP

    6144:BQGB/n4ZWOeRzb2RL6nDHoEpgYH79X+9Ac:l4ZADDHofYGAc

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Family

cerber

Ransom Note
C E R B E R   R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.
Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.
#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Ransomware" has been removed from your computer.
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.
But not only it.
It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.
After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
1. http://cerberhhyed5frqa.xmfhr6.win/939D-5CBD-8609-0063-7DA9
2. http://cerberhhyed5frqa.cmfhty.win/939D-5CBD-8609-0063-7DA9
3. http://cerberhhyed5frqa.dk59jg.win/939D-5CBD-8609-0063-7DA9
4. http://cerberhhyed5frqa.xmfu59.win/939D-5CBD-8609-0063-7DA9
5. http://cerberhhyed5frqa.er48rt.win/939D-5CBD-8609-0063-7DA9
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):
1. take a look at the first address (in this case it is http://cerberhhyed5frqa.xmfhr6.win/939D-5CBD-8609-0063-7DA9);
2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written);
7. click the right mouse button in the field where the site address is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address http://cerberhhyed5frqa.xmfhr6.win/939D-5CBD-8609-0063-7DA9 appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.
If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is http://cerberhhyed5frqa.xmfhr6.win/939D-5CBD-8609-0063-7DA9);
2. in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.
If for some reason the site cannot be opened check the connection to the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address http://cerberhhyed5frqa.onion/939D-5CBD-8609-0063-7DA9 in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser, please, visit https://www.youtube.com/ and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for your convenience.
Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.
The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.
The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.
URLs

http://cerberhhyed5frqa.xmfhr6.win/939D-5CBD-8609-0063-7DA9

http://cerberhhyed5frqa.cmfhty.win/939D-5CBD-8609-0063-7DA9

http://cerberhhyed5frqa.dk59jg.win/939D-5CBD-8609-0063-7DA9

http://cerberhhyed5frqa.xmfu59.win/939D-5CBD-8609-0063-7DA9

http://cerberhhyed5frqa.er48rt.win/939D-5CBD-8609-0063-7DA9

http://cerberhhyed5frqa.onion/939D-5CBD-8609-0063-7DA9

Extracted

Path

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html

Ransom Note
HTML version of the note, with the same text and the same addresses as the .txt note above (raw HTML markup omitted).

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Contacts a large number (16388) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 2 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\AppData\Local\Temp\ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\shrpubw.exe
        "C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\shrpubw.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\shrpubw.exe
          "C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\shrpubw.exe"
          4⤵
          • Adds policy Run key to start application
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:580
          • C:\Windows\system32\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:1900
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:900
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:748
          • C:\Windows\System32\bcdedit.exe
            "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2268
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2436
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2436 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2960
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2436 CREDAT:603137 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2592
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
            5⤵
            PID:2416
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
            5⤵
            PID:3056
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "shrpubw.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\shrpubw.exe" > NUL
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:2792
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "shrpubw.exe"
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:956
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1464
      • C:\Windows\SysWOW64\cmd.exe
        /d /c taskkill /t /f /im "ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe" > NUL
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /t /f /im "ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1920
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1460
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2856
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2900
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2656
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2800
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x598
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2632

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
        Filesize: 12KB
        MD5: 768593bafcbe910755fe7f3a2e0476d0
        SHA1: 8c468e40c97831f4d2d24d8431379fce5b08ae32
        SHA256: 9a417caaf4ea85faa1cd58a189ad467f0d17db5c6bd8932e26dc58c615b7a19a
        SHA512: 9522c6f2deac126bc5b337f518fb54b24f38054d794fcd6e3b0e621322f73708af9ef8bda801400ffcaec877b44799920b1bd78414dab43ef2453bfb132d10cd

      • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
        Filesize: 10KB
        MD5: 7e6e73547b060f2a014dbe6fcb5ec668
        SHA1: 7be6fb9d7b91eb0b038d66ca128340cd47bc45d9
        SHA256: 6a419cec6da1721c606b80fe651b388bade651f8d78ed15b0acf109afd787f42
        SHA512: f07d6a86c86c30cabd024c9a266bdac582a3f699a8c345728f22782c0fe94740dc5011e30b4f08d5c1d95425ced92d6e564fc354abd815eab88c4dad9d551a22

      • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url
        Filesize: 85B
        MD5: a5066ecae43064ddd8af5c6221e05867
        SHA1: 7c726d3bc2e4fba1e825a301e172d4cb597ed83e
        SHA256: 0b3e7237bb75a12133fc8f058b229c4d60ab6e7dafbfa6c5e3a0800ce421cdd8
        SHA512: 676e44c4a34e7c3177c240c7929f5e12bd6db011566a12fd9de8088c095ac1b7bb043e7867ca8d7bc03ea2c763ec0545bcf66d1878a09ca3801e2dd66cfb8a08

      • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
        Filesize: 219B
        MD5: 35a3e3b45dcfc1e6c4fd4a160873a0d1
        SHA1: a0bcc855f2b75d82cbaae3a8710f816956e94b37
        SHA256: 8ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
        SHA512: 6d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize: 342B
        MD5: 5c0ae236d641cc88d56971837afd5435
        SHA1: 1456d10eb273736f4e630e1db9de9df7a1811225
        SHA256: 9a166c5445e461eda86f1af395596cd139a29b49608e64e3bbbdd611eda1570e
        SHA512: b79f7b06a4711a9194d1327e6de345c002881c05c1cf93b9c6eccdc1d047ed38acf4b2a3529eb81f7bbc10fdca09fc55bf43bd083637ccf32304f8b2e4d3dfb4

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize: 342B
        MD5: 260f2d5dd95d3eb829a3f791af8a4719
        SHA1: 2d6d56154912a0f6f80b99e38c5b8b9355c57f53
        SHA256: c1bfa7c1da734398fd95a54634ec2259bd79f8bf13bef7bb122483466b568bb7
        SHA512: 07f84006e46ea56923c75adc22df92cd307df8476271c11c3caafcd65e27a6d3d8d92a6c1a583b7df2f1afa3a30ccffb737e545166a98944b30fd93c85de1532

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize: 342B
        MD5: 152613fb301bb63c1ca6dd44d929b5a4
        SHA1: c8885e3cf372b5bc8d344da73343a71fc3bce85f
        SHA256: b213bbcfbaa8467e9ac611ff4861e5a5480b950e25f0357ebad74b8e4f962067
        SHA512: 3ae43105f276968d9795dbc0329560043f58603c55ec461ed78eea929c566de74f19091477387d6d9626096f5e54a3bec13e67879ab3845d0f469d6c0c6a5438

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize: 342B
        MD5: b6a822fb474e813b9ad527aeb74f1969
        SHA1: dff4b9147c14345520b8ce3f9b54d9944d72567c
        SHA256: 7db4abb61da08eff5075de011ffaf9e5d2cd0338ff1e91d257a5eccaa3e658c8
        SHA512: ae19746a80752f635834cdbcac9f0e0bea47374b7193628fdea4252db2382f8cb934563776451e2d42e336ac2c8e4724654a37fb716590d9b6e962f5496b6690

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize: 342B
        MD5: 0ed1f1703b1c8cb07b05130bf9bf7873
        SHA1: c344629a7038f6f89b4e2bc6846c642d3473d323
        SHA256: 96492bd9527e80e650f26b6701720aa3aa38e2d8048ca341cbb2973896b715ba
        SHA512: 646a47dc065f94ecbde3ad702ca798c80651dd9dd716bba90d00ee2a1dd1fd7808c6df466f0143f70017679ba0eb8c744c1c025ad1c9206f4c2ebb7b210e1c5d

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize: 342B
        MD5: d7e302d16668e042deadc55d5f7592bf
        SHA1: 78118b4f97a2833f1c140ad71c2d900692e32fac
        SHA256: 1fa5f686c966400d7beb83fcc6de00bb0f9890384a5447636cd7e2e0c4aabf41
        SHA512: e173624ded7807dbd7e817e85588059c4af464b68193ff3b73fb286160f210ae4a16babb1cbc314567c92669d135732b2b638fcdd64a7476fa2cd93abfb6fdfe

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FE7BC541-B9A7-11EF-A51B-E61828AB23DD}.dat
        Filesize: 5KB
        MD5: c5eb6b66977295c1a616cd4801b46b24
        SHA1: 7fa7083c58525197044e6816dfa8daab8ec45d42
        SHA256: 8f03831e811b10870b805d1abbb54215a52296d27f4201d5a29085d1b5adc07e
        SHA512: bee165eb35600c58113273c29f1d37ccbdd1e3242fcd3723cfea4a9e597f6d1d4ce2dcbd76340b2b4102f55adaca5cf447e673c04fe4afda7d58e051657c0c27

      • C:\Users\Admin\AppData\Local\Temp\Cab4943.tmp
        Filesize: 70KB
        MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
        SHA1: 1723be06719828dda65ad804298d0431f6aff976
        SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
        SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\Tar4956.tmp
        Filesize: 181KB
        MD5: 4ea6026cf93ec6338144661bf1202cd1
        SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
        SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
        SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Roaming\Buyout.n
        Filesize: 113KB
        MD5: 164724978a7243bdc20d1ac77eba6418
        SHA1: 3fa0cf927cee74db40bda63a8fb51c5ab31c2366
        SHA256: dab48b011cd01ed12b86d8881ad3cc85913875fea9b17008a33123b40a87da78
        SHA512: 30b09df3d90075402995b92a16d7c5c42d4c0ed8dff95af494aec430011cf07e96941c33a4af42ecf5243f2f878d3351c6f496f0d40e64da1db5f9973b0e4f21

      • C:\Users\Admin\AppData\Roaming\FogCattleman.jvS
        Filesize: 2KB
        MD5: 70c0bfe7c834d097e805787ed2f123a4
        SHA1: fded0dc703add894b981c6ca64a56b8c67fa1544
        SHA256: 91d313b0cd8e40919b541b43113283d6dde03a7c663917b883a45f09ef7925ca
        SHA512: b68beb9eed98888bb6aebe2f8fa1642849f5ffc0c7816614615d5ed4f85e6b7c6d73baf10d0bdbaa180aa21275bf5fb3fce490267fa90213e5e5e35b1f001e20

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\shrpubw.lnk
        Filesize: 1KB
        MD5: 71d9cfd7071a666eaf2696178bc99fb7
        SHA1: c7ce822f1c320d9da254b889b77ee5582324e7e7
        SHA256: eaf1b54e7fd8be768b46d18c7e4b7159d25081e08bafc3813e4cca149add74eb
        SHA512: 8f217b5727ac8bc151caf562cfd02cdb276d0925d459df2a6428a581b7db72461431fbd263652edc1e817a183ac4d26557b01214dacb16e7ca79e98f817057a7

      • \Users\Admin\AppData\Local\Temp\nsjE707.tmp\System.dll
        Filesize: 11KB
        MD5: 883eff06ac96966270731e4e22817e11
        SHA1: 523c87c98236cbc04430e87ec19b977595092ac8
        SHA256: 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
        SHA512: 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

      • \Users\Admin\AppData\Roaming\ProxySettings.dll
        Filesize: 84KB
        MD5: f47a66f7cf15f17cc98d4cb4f0b34bc2
        SHA1: e6ae6734c0acf0beab835f168881c6cfa98ac515
        SHA256: 06df7ee9794cc4db9950e0ea805add4870276a794a8756484a6ccd0a96783aa1
        SHA512: 76afe23aae871ef77e8d03248dee2555d64e3eece66561b453f075d871cd7fa477f3715d1663f3de00c1258e53bf87cf5e955d267884874ae196605a80eea81d

      • \Users\Admin\AppData\Roaming\{24904338-379E-53D6-B3B4-47BAA50F43E4}\shrpubw.exe
        Filesize: 226KB
        MD5: ed28a3189aefa3589a8602d24d19f1cb
        SHA1: 4619f493d165ffc9893f19a32e197b7572497cd2
        SHA256: 52e15e0deb115003af9f56c7f4e66076a4c859b4e8d782e5ad1d29a95b9164bc
        SHA512: 06577460509c754a2850f69ac250132e73e2367995825632cf358cf7dd20f1774cb38a7c2a214209fe74a10ca8bac7fdf3bc84d0447fe77963a926333d3d73de
      • memory/580-74-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/580-85-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/580-73-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/580-76-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/580-454-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/580-80-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/580-81-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/580-83-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/580-86-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/2380-30-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/2380-12-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/2380-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize: 4KB

      • memory/2380-29-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/2380-27-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/2380-23-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/2380-19-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/2380-48-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/2380-13-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/2380-15-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/2380-17-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize: 128KB

      • memory/2540-56-0x00000000008B0000-0x00000000008D0000-memory.dmp
        Filesize: 128KB

      • memory/2540-70-0x00000000008B0000-0x00000000008D0000-memory.dmp
        Filesize: 128KB

      • memory/2684-24-0x0000000000BC0000-0x0000000000BE0000-memory.dmp
        Filesize: 128KB

      • memory/2684-9-0x0000000000BC0000-0x0000000000BE0000-memory.dmp
        Filesize: 128KB