sodinokibi | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986

Resubmissions

04-05-2024 21:53

240504-1r3k9sfe77 10

04-05-2024 20:28

240504-y9hmpsdd79 10

Analysis

max time kernel
124s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
Size

416KB
MD5

145ba213336bbb05c09d2bcf198aa3bd
SHA1

517dc0d3d853c09fd7cb69aa85fc8f37b9bf3a87
SHA256

6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986
SHA512

1868d5e625f2fb48f1ca59a34d6b0ebee612d5c657adc349ddc9b5984409e0e9844f5a31f81a1f1e1234e44064f695de07843f1fad3aad54e051e6620127a4b1
SSDEEP

6144:RQNOV3wQRokxB8n7zPUmmTg2OJH80FjTz/XmlH9n7a:qCFRoI8zP38OJ80Fjff49u

Score

10^/10

sodinokibi 17 11 ransomware spyware stealer

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

Decoy

texanscan.org

g2mediainc.com

avis.mantova.it

cac2040.com

zumrutkuyutemel.com

livelai.com

floweringsun.org

jandhpest.com

agora-collectivites.com

mikegoodfellow.co.uk

letterscan.de

voice2biz.com

biodentify.ai

csaballoons.com

angeleyezstripclub.com

innovationgames-brabant.nl

oraweb.net

transifer.fr

alattekniksipil.com

ruggestar.ch

Attributes

net
true
pid
17
prc
mysql.exe
ransom_oneliner
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. For futher steps {EXT}-readme.txt that is located in every encrypted folder
ransom_template
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}
sub
11

Extracted

Path

C:\Users\Default\3k2fd94-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 3k2fd94 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4ACF03FFBC917B86 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/4ACF03FFBC917B86 Page will ask you for the key, here it is: locVvP7q+hmXasFOOb0tlBRk9+/FLseMFPicq4egDoUQuYi3aJkGWIXI3xBIq2XR 3eY+qhh/5gYzjIrfRKsZ9TepmLEyUEkNp3VThKYrLDW1qIViL2X/f1bFhP+kG8kE 9CEGUvXl0cBCxuIzMih+0V8Q89mpaKWPzlH2V3cwx/oxpWaEiWhRlrMx6O2vqUmS fJhVph7jLd6zWGOq0eMc9noSchKpeVfqfF5MllCaVi6RyRM1P/kiw6hhajl8iLqW EyhL3NG2cWoEKKoIMsBAV1soKsDtjkBOW3uEKLrJewGFq8uNZm9IiT40H1YMzuQS eOpxC5UWyuMIdnMBuVvCuZ5yMEgxQeOKDv0E5V4Dzmkv+t3uVg0r6V+BDabX001K Wo+WvuckSuWBZo7OwCl4bptljn7qr04e4JnkueHn2ePcqGgGRXkLXvkM/5gQOz9u RS9VEP3SBFx4v3KtZgbXJgrpjgaD2QGMXKUy4tjXk6y2HtQ/D1Uy1+NevC1kDRC5 58RIsjKhMRMAeZmpurC9trZD7xzlcano6qC5vqRemzI9NPxsH5M+YuGvxWPZeLcx WeTc6dlj+PicWEq1ebu0qphbCM5yB6ahKD17uSKfQStSSfz72iGDvk+qWzSTatZw TkkQ2yN5affvk0qegvj4SaoM0zamk9KaYhuRMXQMILJtOevikB+4QtwG/4XHcMBl r0vNQiXesrVGfDAUY8SD11IruEBf6k25+vPp8s8bFCXMP6Npnl3L23lZthxzYNUe 9cIkXCMTIDCrA9Ab0+IE3KiangTbn6UvKrokdvfG85BKtutZ7FImxgKd03mJaHsU O3JKAxuLYfN6+qp8ozW1xfQFUSWgB7Tk0pIDWRcb0hi3AA0vLuUeEOBhpAI92YZ7 dQQRAAP6oz80Vq/sZK21bTrXS09U7xfn8PbY9xjAORTHaea7kWM13tvFuhODF1lj /ZMSNb+j33X8wVAPU3JfbqufJXaVe9RuBazUdgm4prRV9MB8YyAZb5JtqXoxpDJ0 E1ETMPq4wkC+HR8FERQpeLUOJHCemktkGTGs/qfn98TbgyIWhFEKWY1zVm2tYgef 9P6XzmSZZ2Ix0VIDICuk66nZTj8RcNaBgK+iWciAfKwPZqafD491wPHjU0hi7Y5j GNqlk7YVDa+15082VRS3HmsgNccaBhDMMUrCYjE2qbs=

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4ACF03FFBC917B86

http://decryptor.top/4ACF03FFBC917B86

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Renames multiple (142) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\N:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\H:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\K:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\V:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\Y:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\G:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\O:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\F:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\M:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\I:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\R:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\X:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\A:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\L:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\T:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\J:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\E:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\Q:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\B:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\U:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\W:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\Z:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\D:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\S:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\44yidu1cn8.bmp"	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_ro-ro_7b81ce88dad4adc1.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_86d2322d49223ce5_vds.exe.mui_2268d934	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ko-kr_f780a3426d25fec1_msimsg.dll.mui_72e8994f	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_3f7ee0a8ee28ef7d_tcpipcfg.dll_e3a99e8a	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_b951d0f9879ec306_wiarpc.dll.mui_0c913b87	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-watchdog_31bf3856ad364e35_10.0.19041.868_none_3e4e95ab0859be2d_watchdog.sys_6114703c	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_es-mx_7b5686460babe52a_bootmgr.exe.mui_c434701f	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_da-dk_c6bdf9af39b53c71.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_176364e83131332c_wmiapsrv.exe.mui_b1567840	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.546_none_4131d52a7745babe.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.19041.1_none_7234113374b2d6da.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.19041.1_es-es_c81525929a05b49e_clfs.sys.mui_1310ba12	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.19041.1023_none_432d585a19d46624_windows.ui.xaml.inkcontrols.dll_523c865d	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_nl-nl_2fcd1b9b27a6e45b_comctl32.dll.mui_0da4e682	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_6c22b0c49894068b_memtest.efi.mui_71e15c22	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_vga852.fon_0a8e74dc	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_it-it_b1f14780879a25d0_msimsg.dll.mui_72e8994f	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi32_31bf3856ad364e35_10.0.19041.1_none_19c461d21d0fd3e1.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_it-it_e0a2a6402a577815.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_bg-bg_72e4e16994b25d0f.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e_comctl32.dll_9c499789	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msvcp110_31bf3856ad364e35_10.0.19041.546_none_d6043c58044619d5.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_es-es_ebe6f36b4c5f3ce9_appidsvc.dll.mui_6717e231	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b68b71ac47f7eb2c_kmddsp.tsp.mui_80ddeedb	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service_31bf3856ad364e35_10.0.19041.546_none_66a0aaafcc19efa6_w32time.dll_2a7540a9	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_057ff0e8d689e0d1_win32kbase.sys.mui_07d441e9	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_es-es_8145b05544cb69cd.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.19041.1_es-es_0f152ce0e82a41ba_applockercsp.dll.mui_d2a0df70	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.19041.1266_none_41ea436edfbc2e32_ikeext.dll_3ac4406c	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_it-it_4db68c64ae1f912f_trustedsignalcredprov.dll.mui_5edc427b	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_10.0.19041.1266_none_4cae1618139e7579_afd.sys_084af4a8	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_en-gb_1dbdc338c2468486_msimsg.dll.mui_72e8994f	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_54a73aad2cc2f922_storsvc.dll.mui_2fc7b1d3	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.1_es-es_8559d1e56d0ddfe6.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc_31bf3856ad364e35_10.0.19041.1081_none_e07df81d711ca0d9.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..opwindowmanager-api_31bf3856ad364e35_10.0.19041.746_none_c85cd9abd32d61b4_dwmapi.dll_2f4f8b34	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-t..services-publicapis_31bf3856ad364e35_10.0.19041.1_none_8776a3339a138491.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b921fe5fa26ac15c.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_d882497830128342_userdeviceregistration.ngc.dll.mui_d2c6ca95	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2d3b6ea159ff4dae_mofd.dll.mui_793ef98d	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_es-es_a9823ca2bdf0059f_scfilter.sys.mui_cebab716	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_7ce61c7d809eedfd_storagehealth.adml_00c6b7b3	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4ebe9cd18298b39c_services.exe.mui_86ea5e71	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.19041.1_none_5b35da44a9e83608.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_3f7ee0a8ee28ef7d.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d588cc6bee78032c.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_ba1334d77db7a118.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wintrust-dll_31bf3856ad364e35_10.0.19041.1266_none_64740d4b4f423b2c_wintrust.dll_abec426a	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.1_none_ce261fb74e2d8d8f.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_hu-hu_63478ee6e449e6fd.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9baaad1ae7af9c30.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc-config_31bf3856ad364e35_10.0.19041.1_none_31ab6511787e9317.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_00b8d7c9475f0fb0_win32kbase.sys.mui_07d441e9	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_hvgasys.fon_9f580ce4	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_sl-si_0c94bc70042838ff_msimsg.dll.mui_72e8994f	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-windowsuiimmersive_31bf3856ad364e35_10.0.19041.1202_none_a690000a893f966b_windows.ui.immersive.dll.mun_6e49d10e	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_da-dk_d112a4016e15fe6c.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptbase_31bf3856ad364e35_10.0.19041.546_none_4db3c6cb412a03a7.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.19041.1_none_2aca75a3f62203f9.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_e2d6f3ca6473453d_dsregtask.dll.mui_5e1b9353	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userenv_31bf3856ad364e35_10.0.19041.1_none_508622491f012218.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dfsclient_31bf3856ad364e35_10.0.19041.1_none_3d8b3b6185796b59.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
4260	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
4260	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2396	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	taskmgr.exe
Token: SeSystemProfilePrivilege	2396	taskmgr.exe
Token: SeCreateGlobalPrivilege	2396	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4260	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 2236	4260	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe	99
PID 4260 wrote to memory of 2236	4260	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe	99
PID 4260 wrote to memory of 2236	4260	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2236

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1248

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\3k2fd94-readme.txt
1⤵
PID:3796

C:\Windows\System32\6fedgwzhcgwmc.exe
"C:\Windows\System32\6fedgwzhcgwmc.exe"
1⤵
PID:804

C:\Windows\System32\7bmpgk.exe
"C:\Windows\System32\7bmpgk.exe"
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\3k2fd94-readme.txt

Filesize
3KB

MD5
01472d29e3ce83c611784f752f3444af

SHA1
b7dc0bbe3dc1042a0a961b079ca1702f4d29cc80

SHA256
ee120807898317e9c792ff4a25a8bb3a259485f42ccfb8c4be53b4a94989e38c

SHA512
18f70d7c5ac52ea3756e5e53d83beed6b85eb00ad58222165781316fd102faff78d18d2a8b8fb3993b57df63dc9fd9b54be5d96e16d49c5b4d7b7132bab6cea9

Download Submit
memory/2396-8-0x000001DDC9840000-0x000001DDC9841000-memory.dmp

Filesize
4KB

Download
memory/2396-1-0x000001DDC9840000-0x000001DDC9841000-memory.dmp

Filesize
4KB

Download
memory/2396-3-0x000001DDC9840000-0x000001DDC9841000-memory.dmp

Filesize
4KB

Download
memory/2396-7-0x000001DDC9840000-0x000001DDC9841000-memory.dmp

Filesize
4KB

Download
memory/2396-2-0x000001DDC9840000-0x000001DDC9841000-memory.dmp

Filesize
4KB

Download
memory/2396-13-0x000001DDC9840000-0x000001DDC9841000-memory.dmp

Filesize
4KB

Download
memory/2396-12-0x000001DDC9840000-0x000001DDC9841000-memory.dmp

Filesize
4KB

Download
memory/2396-11-0x000001DDC9840000-0x000001DDC9841000-memory.dmp

Filesize
4KB

Download
memory/2396-10-0x000001DDC9840000-0x000001DDC9841000-memory.dmp

Filesize
4KB

Download
memory/2396-9-0x000001DDC9840000-0x000001DDC9841000-memory.dmp

Filesize
4KB

Download
memory/4260-0-0x0000000000427000-0x000000000042D000-memory.dmp

Filesize
24KB

Download
memory/4260-17-0x0000000002400000-0x000000000242B000-memory.dmp

Filesize
172KB

Download
memory/4260-18-0x0000000002400000-0x000000000242B000-memory.dmp

Filesize
172KB

Download
memory/4260-19-0x0000000000427000-0x000000000042D000-memory.dmp

Filesize
24KB

Download
memory/4260-14-0x0000000002400000-0x000000000242B000-memory.dmp

Filesize
172KB

Download
memory/4260-347-0x0000000002400000-0x000000000242B000-memory.dmp

Filesize
172KB

Download
memory/4260-348-0x0000000002400000-0x000000000242B000-memory.dmp

Filesize
172KB

Download
memory/4260-351-0x0000000002400000-0x000000000242B000-memory.dmp

Filesize
172KB

Download
memory/4260-352-0x0000000002400000-0x000000000242B000-memory.dmp

Filesize
172KB

Download
memory/4260-354-0x0000000002400000-0x000000000242B000-memory.dmp

Filesize
172KB

Download
memory/4260-355-0x0000000002400000-0x000000000242B000-memory.dmp

Filesize
172KB

Download