Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-12-2024 23:12
General
-
Target
ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe
-
Size
226KB
-
MD5
ed28a3189aefa3589a8602d24d19f1cb
-
SHA1
4619f493d165ffc9893f19a32e197b7572497cd2
-
SHA256
52e15e0deb115003af9f56c7f4e66076a4c859b4e8d782e5ad1d29a95b9164bc
-
SHA512
06577460509c754a2850f69ac250132e73e2367995825632cf358cf7dd20f1774cb38a7c2a214209fe74a10ca8bac7fdf3bc84d0447fe77963a926333d3d73de
-
SSDEEP
6144:BQGB/n4ZWOeRzb2RL6nDHoEpgYH79X+9Ac:l4ZADDHofYGAc
Score
10/10
Malware Config
Extracted
Path
C:\Recovery\WindowsRE\# DECRYPT MY FILES #.txt
Family
cerber
Ransom Note
C E R B E R R A N S O M W A R E
#########################################################################
Cannot you find the files you need?
Is the content of the files that you looked for not readable?
It is normal because the files' names, as well as the data in your files
have been encrypted.
Great!!!
You have turned to be a part of a big community #Cerber_Ransomware.
#########################################################################
!!! If you are reading this message it means the software
!!! "Cerber Ransomware" has been removed from your computer.
#########################################################################
What is encryption?
-------------------
Encryption is a reversible modification of information for security
reasons but providing full access to it for authorized users.
To become an authorized user and keep the modification absolutely
reversible (in other words to have a possibility to decrypt your files)
you should have an individual private key.
But not only it.
It is required also to have the special decryption software
(in your case "Cerber Decryptor" software) for safe and complete
decryption of all your files and data.
#########################################################################
Everything is clear for me but what should I do?
------------------------------------------------
The first step is reading these instructions to the end.
Your files have been encrypted with the "Cerber Ransomware" software; the
instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt")
in the folders with your encrypted files are not viruses, they will
help you.
After reading this text the most part of people start searching in the
Internet the words the "Cerber Ransomware" where they find a lot of
ideas, recommendations and instructions.
It is necessary to realize that we are the ones who closed the lock on
your files and we are the only ones who have this secret key to
open them.
!!! Any attempts to get back your files with the third-party tools can
!!! be fatal for your encrypted files.
The most part of the third-party software change data within the
encrypted file to restore it but this causes damage to the files.
Finally it will be impossible to decrypt your files.
When you make a puzzle but some items are lost, broken or not put in its
place - the puzzle items will never match, the same way the third-party
software will ruin your files completely and irreversibly.
You should realize that any intervention of the third-party software to
restore files encrypted with the "Cerber Ransomware" software may be
fatal for your files.
#########################################################################
!!! There are several plain steps to restore your files but if you do
!!! not follow them we will not be able to help you, and we will not try
!!! since you have read this warning already.
#########################################################################
For your information the software to decrypt your files (as well as the
private key provided together) are paid products.
After purchase of the software package you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
If you understand all importance of the situation then we propose to you
to go directly to your personal page where you will receive the complete
instructions and guarantees to restore your files.
#########################################################################
There is a list of temporary addresses to go on your personal page below:
_______________________________________________________________________
|
| 1. http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD
|
| 2. http://cerberhhyed5frqa.cmfhty.win/9E14-7C32-26AF-0063-76AD
|
| 3. http://cerberhhyed5frqa.dk59jg.win/9E14-7C32-26AF-0063-76AD
|
| 4. http://cerberhhyed5frqa.xmfu59.win/9E14-7C32-26AF-0063-76AD
|
| 5. http://cerberhhyed5frqa.er48rt.win/9E14-7C32-26AF-0063-76AD
|_______________________________________________________________________
#########################################################################
What should you do with these addresses?
----------------------------------------
If you read the instructions in TXT format (if you have instruction in
HTML (the file with an icon of your Internet browser) then the easiest
way is to run it):
1. take a look at the first address (in this case it is
http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD);
2. select it with the mouse cursor holding the left mouse button and
moving the cursor to the right;
3. release the left mouse button and press the right one;
4. select "Copy" in the appeared menu;
5. run your Internet browser (if you do not know what it is run the
Internet Explorer);
6. move the mouse cursor to the address bar of the browser (this is the
place where the site address is written);
7. click the right mouse button in the field where the site address
is written;
8. select the button "Insert" in the appeared menu;
9. then you will see the address
http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD
appeared there;
10. press ENTER;
11. the site should be loaded; if it is not loaded repeat the same
instructions with the second address and continue until the last
address if falling.
If for some reason the site cannot be opened check the connection to the
Internet; if the site still cannot be opened take a look at the
instructions on omitting the point about working with the addresses in
the HTML instructions.
If you browse the instructions in HTML format:
1. click the left mouse button on the first address (in this case it is
http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD);
2. in a new tab or window of your web browser the site should be loaded;
if it is not loaded repeat the same instructions with the second
address and continue until the last address.
If for some reason the site cannot be opened check the connection to
the Internet.
#########################################################################
Unfortunately these sites are short-term since the antivirus companies
are interested in you do not have a chance to restore your files but
continue to buy their products.
Unlike them we are ready to help you always.
If you need our help but the temporary sites are not available:
1. run your Internet browser (if you do not know what it is run the
Internet Explorer);
2. enter or copy the address
https://www.torproject.org/download/download-easy.html.en into the
address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and
run it, follow the installation instructions, wait until the
installation is completed;
5. run Tor Browser;
6. connect with the button "Connect" (if you use the English version);
7. a normal Internet browser window will be opened after
the initialization;
8. type or copy the address
________________________________________________________
| |
| http://cerberhhyed5frqa.onion/9E14-7C32-26AF-0063-76AD |
|________________________________________________________|
in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading
wait for a moment and try again.
If you have any problems during installation or operation of Tor Browser,
please, visit https://www.youtube.com/ and type request in the search bar
"install tor browser windows" and you will find a lot of training videos
about Tor Browser installation and operation.
If TOR address is not available for a long period (2-3 days) it means you
are late; usually you have about 2-3 weeks after reading the instructions
to restore your files.
#########################################################################
Additional information:
You will find the instructions for restoring your files in those folders
where you have your encrypted files only.
The instructions are made in two file formats - HTML and TXT for
your convenience.
Unfortunately antivirus companies cannot protect or restore your files
but they can make the situation worse removing the instructions how to
restore your encrypted files.
The instructions are not viruses; they have informative nature only, so
any claims on the absence of any instruction files you can send to your
antivirus company.
#########################################################################
Cerber Ransomware Project is not malicious and is not intended to harm a
person and his/her information data.
The project is created for the sole purpose of instruction regarding
information security, as well as certification of antivirus software for
their suitability for data protection.
Together we make the Internet a better and safer place.
#########################################################################
If you look through this text in the Internet and realize that something
is wrong with your files but you do not have any instructions to restore
your files, please, contact your antivirus support.
#########################################################################
Remember that the worst situation already happened and now it depends on
your determination and speed of your actions the further life of
your files.
URLs
http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD
http://cerberhhyed5frqa.cmfhty.win/9E14-7C32-26AF-0063-76AD
http://cerberhhyed5frqa.dk59jg.win/9E14-7C32-26AF-0063-76AD
http://cerberhhyed5frqa.xmfu59.win/9E14-7C32-26AF-0063-76AD
http://cerberhhyed5frqa.er48rt.win/9E14-7C32-26AF-0063-76AD
http://cerberhhyed5frqa.onion/9E14-7C32-26AF-0063-76AD
Extracted
Path
C:\Recovery\WindowsRE\# DECRYPT MY FILES #.html
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Cerber Ransomware</title>
<style>
a {
color: #47c;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #333;
font-family: "Helvetica Neue", Helvetica, "Segoe UI", Arial, freesans, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
font-size: 16px;
line-height: 1.6;
margin: 0;
padding: 0;
}
hr {
background-color: #e7e7e7;
border: 0 none;
border-bottom: 1px solid #c7c7c7;
height: 5px;
margin: 30px 0;
}
li {
padding: 0 0 7px 7px;
}
ol {
padding-left: 3em;
}
.container {
background-color: #fff;
border: 1px solid #c7c7c7;
margin: 40px;
padding: 40px 40px 20px 40px;
}
.info, .tor {
background-color: #efe;
border: 1px solid #bda;
display: block;
padding: 0px 20px;
}
.logo {
font-size: 12px;
font-weight: bold;
line-height: 1;
margin: 0;
}
.tor {
padding: 10px 0;
text-align: center;
}
.warning {
background-color: #f5e7e7;
border: 1px solid #ebccd1;
color: #a44;
display: block;
padding: 15px 10px;
text-align: center;
}
</style>
</head>
<body>
<div class="container">
<h3>C E R B E R R A N S O M W A R E</h3>
<hr>
<p>Cannot you find the files you need?<br>Is the content of the files that you looked for not readable?</p>
<p>It is normal because the files' names, as well as the data in your files have been encrypted.</p>
<p>Great!!!<br>You have turned to be a part of a big community #Cerber_Ransomware.</p>
<hr>
<p><span class="warning">If you are reading this message it means the software "Cerber Ransomware" has been removed from your computer.</span></p>
<hr>
<h3>What is encryption?</h3>
<p>Encryption is a reversible modification of information for security reasons but providing full access to it for authorized users.</p>
<p>To become an authorized user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key.</p>
<p>But not only it.</p>
<p>It is required also to have the special decryption software (in your case "Cerber Decryptor" software) for safe and complete decryption of all your files and data.</p>
<hr>
<h3>Everything is clear for me but what should I do?</h3>
<p>The first step is reading these instructions to the end.</p>
<p>Your files have been encrypted with the "Cerber Ransomware" software; the instructions ("# DECRYPT MY FILES #.html" and "# DECRYPT MY FILES #.txt") in the folders with your encrypted files are not viruses, they will help you.</p>
<p>After reading this text the most part of people start searching in the Internet the words the "Cerber Ransomware" where they find a lot of ideas, recommendations and instructions.</p>
<p>It is necessary to realize that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.</p>
<p><span class="warning">Any attempts to get back your files with the third-party tools can be fatal for your encrypted files.</span></p>
<p>The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files.</p>
<p>Finally it will be impossible to decrypt your files.</p>
<p>When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly.</p>
<p>You should realize that any intervention of the third-party software to restore files encrypted with the "Cerber Ransomware" software may be fatal for your files.</p>
<hr>
<p><span class="warning">There are several plain steps to restore your files but if you do not follow them we will not be able to help you, and we will not try since you have read this warning already.</span></p>
<hr>
<p>For your information the software to decrypt your files (as well as the private key provided together) are paid products.</p>
<p>After purchase of the software package you will be able to:</p>
<ol>
<li>decrypt all your files;</li>
<li>work with your documents;</li>
<li>view your photos and other media;</li>
<li>continue your usual and comfortable work at the computer.</li>
</ol>
<p>If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files.</p>
<hr>
<div class="info">
<p>There is a list of temporary addresses to go on your personal page below:</p>
<ol>
<li><a href="http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD</a></li>
<li><a href="http://cerberhhyed5frqa.cmfhty.win/9E14-7C32-26AF-0063-76AD" target="_blank">http://cerberhhyed5frqa.cmfhty.win/9E14-7C32-26AF-0063-76AD</a></li>
<li><a href="http://cerberhhyed5frqa.dk59jg.win/9E14-7C32-26AF-0063-76AD" target="_blank">http://cerberhhyed5frqa.dk59jg.win/9E14-7C32-26AF-0063-76AD</a></li>
<li><a href="http://cerberhhyed5frqa.xmfu59.win/9E14-7C32-26AF-0063-76AD" target="_blank">http://cerberhhyed5frqa.xmfu59.win/9E14-7C32-26AF-0063-76AD</a></li>
<li><a href="http://cerberhhyed5frqa.er48rt.win/9E14-7C32-26AF-0063-76AD" target="_blank">http://cerberhhyed5frqa.er48rt.win/9E14-7C32-26AF-0063-76AD</a></li>
</ol>
</div>
<hr>
<h3>What should you do with these addresses?</h3>
<p>If you read the instructions in TXT format (if you have instruction in HTML (the file with an icon of your Internet browser) then the easiest way is to run it):</p>
<ol>
<li>take a look at the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD</a>);</li>
<li>select it with the mouse cursor holding the left mouse button and moving the cursor to the right;</li>
<li>release the left mouse button and press the right one;</li>
<li>select "Copy" in the appeared menu;</li>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>move the mouse cursor to the address bar of the browser (this is the place where the site address is written);</li>
<li>click the right mouse button in the field where the site address is written;</li>
<li>select the button "Insert" in the appeared menu;</li>
<li>then you will see the address <a href="http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD</a> appeared there;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the point about working with the addresses in the HTML instructions.</p>
<p>If you browse the instructions in HTML format:</p>
<ol>
<li>click the left mouse button on the first address (in this case it is <a href="http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD" target="_blank">http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD</a>);</li>
<li>in a new tab or window of your web browser the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address.</li>
</ol>
<p>If for some reason the site cannot be opened check the connection to the Internet.</p>
<hr>
<p>Unfortunately these sites are short-term since the antivirus companies are interested in you do not have a chance to restore your files but continue to buy their products.</p>
<p>Unlike them we are ready to help you always.</p>
<p>If you need our help but the temporary sites are not available:</p>
<ol>
<li>run your Internet browser (if you do not know what it is run the Internet Explorer);</li>
<li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site loading;</li>
<li>on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>run Tor Browser;</li>
<li>connect with the button "Connect" (if you use the English version);</li>
<li>a normal Internet browser window will be opened after the initialization;</li>
<li>type or copy the address <span class="tor">http://cerberhhyed5frqa.onion/9E14-7C32-26AF-0063-76AD</span> in this browser address bar;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li>
</ol>
<p>If you have any problems during installation or operation of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=install+tor+browser+windows" target="_blank">https://www.youtube.com/</a> and type request in the search bar "install tor browser windows" and you will find a lot of training videos about Tor Browser installation and operation.</p>
<p>If TOR address is not available for a long period (2-3 days) it means you are late; usually you have about 2-3 weeks after reading the instructions to restore your files.</p>
<hr>
<h3>Additional information:</h3>
<p>You will find the instructions for restoring your files in those folders where you have your encrypted files only.</p>
<p>The instructions are made in two file formats - HTML and TXT for your convenience.</p>
<p>Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files.</p>
<p>The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.</p>
<hr>
<p>Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data.</p>
<p>The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection.</p>
<p>Together we make the Internet a better and safer place.</p>
<hr>
<p>If you look through this text in the Internet and realize that something is wrong with your files but you do not have any instructions to restore your files, please, contact your antivirus support.</p>
<hr>
<p>Remember that the worst situation already happened and now it depends on your determination and speed of your actions the further life of your files.</p>
</div>
</body>
</html>
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Contacts a large (16398) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 2 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe"2⤵
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{119B54CC-A93F-97E8-FF36-2FE4920876BE}\systeminfo.exe"C:\Users\Admin\AppData\Roaming\{119B54CC-A93F-97E8-FF36-2FE4920876BE}\systeminfo.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Gathers system information
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{119B54CC-A93F-97E8-FF36-2FE4920876BE}\systeminfo.exe"C:\Users\Admin\AppData\Roaming\{119B54CC-A93F-97E8-FF36-2FE4920876BE}\systeminfo.exe"4⤵
- Adds policy Run key to start application
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Gathers system information
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2ee246f8,0x7ffc2ee24708,0x7ffc2ee247186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7268644388418295415,11406523857788564880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:16⤵
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt5⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cerberhhyed5frqa.xmfhr6.win/9E14-7C32-26AF-0063-76AD5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2ee246f8,0x7ffc2ee24708,0x7ffc2ee247186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,14986743176421830221,8614587922406243146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"5⤵
-
-
C:\Windows\system32\cmd.exe/d /c taskkill /t /f /im "systeminfo.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{119B54CC-A93F-97E8-FF36-2FE4920876BE}\systeminfo.exe" > NUL5⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im "systeminfo.exe"6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe" > NUL3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "ed28a3189aefa3589a8602d24d19f1cb_JaffaCakes118.exe"4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x380 0x4141⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
2Query Registry
2Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5a5dff08e41c7b457bb72347d8856fefe
SHA11e54c6f24429bfd26efdfbbc91715e0953da4ce6
SHA2564ad76f90b775aa04a7f563879dd678f0b7dfe7ce33dc3bbb0b78ad6f70579498
SHA512864b761b1719184a5c0698ff56d1118dd0f6495600d7789f419a6a50c9f1a4bfa753c5b80b0d82de471c36f02796d08f23fcfa07588de2f6e3e94c46c0d93e76
-
Filesize
10KB
MD5f94cb61e218ce3fc34a6582481d5b8f9
SHA1851d8fa6677b986fa336c0626aeb81b79db38438
SHA2563fba65fdae461a6a7dc3be928a91f3c134514bb7031fa8bcfa79f9c8f6f8047d
SHA5125c453cd6ca4edf14109df807db5d91ca2ded5463eac97a4d8b5938b848dc24a9515f292a441f7b838c2f76c26a584c8157dbc522206283d09cafd860d383df55
-
Filesize
85B
MD59641f489984f2e522616eaea45115590
SHA103ea5f3a2e203f509185013098bdabdd3895237c
SHA2564ba6ca4be56e49ddb5101d55d513b1cb2fc87c3315a53109dc00ac89e87d4136
SHA512253a6cc18a17fceab6e6df4c525a0d174af1331c28e7b5fae2564fcef436d351bb115f7e8434aa1d87614136f35319a33f2b69b62106d23a1cc62b5b30540708
-
Filesize
152B
MD5a0486d6f8406d852dd805b66ff467692
SHA177ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
-
Filesize
152B
MD5dc058ebc0f8181946a312f0be99ed79c
SHA10c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA51236e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa
-
Filesize
5KB
MD542cc5e3f4e7f3075f9410fc18d9e8b28
SHA12a2998871bfb1832fff03075592684fb4e3846cc
SHA25695c079ff3691c35d7cb10c468c7421ec7880efeb40c6d9e10455ead79eaa5f83
SHA512f9e92f833e67e39f397eaa86873552f01972bd0ffd1d9cd1c102886f98fa2c9d59d822bc354f8d91e2730365506f0d9e988ecb37eceb78eef922f5d5af9b88e3
-
Filesize
6KB
MD500a87edc1982b58d4f627a751498f1f0
SHA11aad4fb3f88c28d8a8c62720866e2a2187571933
SHA25652ec57d28c96b13ee06f07cbbeae8861478d28bbc7038fd0fd8abc3f277b5f4d
SHA512e25823976beb72a66c829d95656d86e122e329df70bc30b0b6f12bed9bc4a2a5f647237dcc5fd4fe390b5a9b41dff8ccc05a7b5ee77fd48c11095b0851b47a1a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5cd6ce9cbf8b15defc9cc1b3747716140
SHA154b6241a114e596c4a5c3a0ea5d2cd461ab07279
SHA25643214d0ddfc06340264a931e6c2fc418429c501a9b5ee1d8d64f6572f40fd213
SHA5129ad4b22eb51dff4780195ba43ca28987fa06dfd9358edd453a133318f4c35120e227a2357e7a5e1ad9d9bd1aa859810485578305b5209026bef200a2dc08b812
-
Filesize
8KB
MD58fea0a0ed84b5724920e7935291a7401
SHA1f24f2bc12daf0d6f1848d878cfd7a2be0b9c88f1
SHA25622184ed1861916c91f04ba374466c7482ba119def28f4bb21620778bf06a128f
SHA512bab54e242eb20c3e528b85aefc45a481c425e58f9a8dc4a593ea00167635e0f86105ab1ef8b92ca1130012d1a080f69f4da0b3bdf970d47b54eed5e04d1605cb
-
Filesize
11KB
MD5883eff06ac96966270731e4e22817e11
SHA1523c87c98236cbc04430e87ec19b977595092ac8
SHA25644e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
SHA51260333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
-
Filesize
1KB
MD5d0cede259e6e2e380331eeea1e1983f7
SHA150b24fddb05e61c37f4c9bf1fd6db67e5d67f5b6
SHA2565b9701c24fd591d6cdc28a8129c29ff8f5acdb91f5079f7400264861a7a5afa3
SHA512e360d1e802ec80b39eee3cfb104a9f5f1546cfb6681f4cc24acb67ef200ab19e6b97a0a848d742e72114666c0444ac6c2f1524daca4b6f46e1395e50239d2087
-
Filesize
84KB
MD5f47a66f7cf15f17cc98d4cb4f0b34bc2
SHA1e6ae6734c0acf0beab835f168881c6cfa98ac515
SHA25606df7ee9794cc4db9950e0ea805add4870276a794a8756484a6ccd0a96783aa1
SHA51276afe23aae871ef77e8d03248dee2555d64e3eece66561b453f075d871cd7fa477f3715d1663f3de00c1258e53bf87cf5e955d267884874ae196605a80eea81d
-
Filesize
226KB
MD5ed28a3189aefa3589a8602d24d19f1cb
SHA14619f493d165ffc9893f19a32e197b7572497cd2
SHA25652e15e0deb115003af9f56c7f4e66076a4c859b4e8d782e5ad1d29a95b9164bc
SHA51206577460509c754a2850f69ac250132e73e2367995825632cf358cf7dd20f1774cb38a7c2a214209fe74a10ca8bac7fdf3bc84d0447fe77963a926333d3d73de
-
Filesize
219B
MD535a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA2568ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA5126d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB