babuk | c2f96661a63e6a894a46ae5bf83f85c3f9fa74cf20cc7b6d34b4888289ea7ae4

System Information Discovery

Processes:

fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Wine	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\Z:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\W:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\T:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\I:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\O:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\H:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\J:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\L:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\X:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\V:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\B:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\E:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\G:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\M:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\A:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\S:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\K:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\Q:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\R:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\Y:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\U:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\P:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
File opened (read-only)	\??\N:	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe

pid process

3112 fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

5008 vssadmin.exe
1064 vssadmin.exe

pid	process
5008	vssadmin.exe
1064	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe

pid	process
3112	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
3112	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
3112	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
3112	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3056 vssvc.exe
Token: SeRestorePrivilege 3056 vssvc.exe
Token: SeAuditPrivilege 3056 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3056	vssvc.exe
Token: SeRestorePrivilege	3056	vssvc.exe
Token: SeAuditPrivilege	3056	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 3112 wrote to memory of 3688	3112	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe	cmd.exe
PID 3112 wrote to memory of 3688	3112	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe	cmd.exe
PID 3688 wrote to memory of 5008	3688	cmd.exe	vssadmin.exe
PID 3688 wrote to memory of 5008	3688	cmd.exe	vssadmin.exe
PID 3112 wrote to memory of 4212	3112	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe	cmd.exe
PID 3112 wrote to memory of 4212	3112	fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe	cmd.exe
PID 4212 wrote to memory of 1064	4212	cmd.exe	vssadmin.exe
PID 4212 wrote to memory of 1064	4212	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd49374b6bf5ddfcf665a110da75f127_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery