sodinokibi | 67dfdd2f62f976b1c265dfe2adb349163ec39e3087948120b1584b6cf71ac2c9

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
Size

158KB
MD5

128d82b29a73c5ca4cbab8d745720e80
SHA1

6c57602a0896cf725552aa8334a4faa53bc8e9ce
SHA256

67dfdd2f62f976b1c265dfe2adb349163ec39e3087948120b1584b6cf71ac2c9
SHA512

688158bc844459cc1f5ff5b0ee0ffb25014b11501e520c65860f36fb94e8b4457c940a7bb12383569e1664fc56c2b0a0fdea85ae88d71ab7acd894bdaafa1af5
SSDEEP

3072:gnItsOCo4mHLbi4eTMlwDCnutNWXZXXWFeQU:WIyOCvUbnWJt8pnWFe

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\651gzbi7-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 651gzbi7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7D18945AFB4DF26D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/7D18945AFB4DF26D Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: J4oHbsgmfML0L9U+AmW6GOGkG8UMIV+UIDrX6pJZ4eiKhyWpmKo5iQe8mZcvaQZY 2UD5h1wNN1F5JF/Bw9TZl5V1kd4ONGxjTJUwpLOmhz3DnGRr6pYvuqN+WFbt51FS VYDQrKiRLuWnHCuIYQoYwmMjFP1kjSrGiHRi5A7BkAninGuttbxICMVLGjNcdnBL /zs4nEA9TRllEN5skc7D6pxO9YBZynAskRk9p3yxVgpIE80SWkGkh502T4vgekMe aNIy9uu5Cai/qEnRrQR15rgNxoTZIQqvyv8J7s0fTS2hfk6o7M2bn4QpwxUL4HSY wO8k22smIYUdsRvOzFoBNK2xy0DlHset+i3HHEba0w+XyKZPWmAJyk/dNKy8MDug lPbZsSA6dXAO0mNwNkvU9tQJ9BfUVm/kDXz58pLqfVvTe/RVREDSY2AyEuEtFLpe CoigFQfsXKOoD+GJ/NQr/pFaa+M1nVtG09FiaqZtbHG54oeQjlI26Xif8qe8WQYy qmZjeFCjXXSh71sijcxQjCkSDb1XfpA/Oc8KZi1lVOU0htHfLhVWIq3y/T3ksNgW Xa6JhRSrYktFwhFE6JKlnNF5+244azYTmLqlW0B1jh3UU6f0aPW48WELJH3f+xoD k2cB1CUM2p0Sp2NEhZb4rIjpRukhE8Xci7TEvOnB4Y85r4HYtKCmGxepj5Vp4nSW v1q8W5NLcUKWszR+jmx6jzQHYyyfeH+D3VXgZefOSHddOd1gOhu6kNvhAY5U/V3A 5aSuTC0z4OcqOPMO+jEXOVrJIntsLhlq/Zj71iWdG1wR5jxg0NorAGm6zANW9vDs qfuwQOHyefCUMia9We+Q4Ya9R51pj+dw5xPkYF8DgDdtXNLpSDEAhH433SXlvp37 O2/+AHBtu/zKVq5BRCdoUEUwY+im3lG2fQdh7pnVRFcT0DuX3FbhtjP+fNrODkfV pagk8Aj2w2TPB+3hg1RiNoISxf9FBbtic3hABFWhrx6gcYbH9eLRGS+M0UBKEEWz +DTL1eTOvJj4rOBIUpr0tAL2MzjcDO7dOcVAVaRbd7uqWcytKsR0FiMCi7NsYjGr 7DbvtIP+ub/smdKGbLhAvyPpHeZi9wJPfsrAjSxn/gFET5UT9uWqBGkwH0Ysx4en YPSOVwYmA+bxQjC0HOtTfbKS6XcqzUmBPrvwNuWB Extension name: 651gzbi7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7D18945AFB4DF26D

http://decryptor.top/7D18945AFB4DF26D

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Renames multiple (162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\R:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\H:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\E:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\I:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\P:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\W:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\Y:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\A:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\D:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\Z:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\O:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\S:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\U:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\V:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\F:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\K:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\L:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\M:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\T:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\G:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\X:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\B:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\Q:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened (read-only)	\??\N:	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\06ehl7dol2q.bmp"	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.19041.1023_none_8ab455d5934af9be_windows.ui.xaml.controls.dll_4c861b99	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57_svchost.exe_4dd0f0bc	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_en-us_34c90260884a74ea.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..eelawadeeui_regular_31bf3856ad364e35_10.0.19041.1_none_15844d67340cfd5a_leelawui.ttf_ce0cc416	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_cga40737.fon_2c4b9363	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.19041.1_en-us_65e4d1beb3d1f96f_winhttp.dll.mui_f661192f	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9064b8c1b47576c0.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_10.0.19041.1_es-es_a447346a0bd38af5.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.gdiplus.systemcopy_31bf3856ad364e35_10.0.19041.264_none_c4bc376754eedc34.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_cga40857.fon_2c8aa2e4	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_nl-nl_4843455ad9f31bfa_comctl32.dll.mui_0da4e682	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-lsa_31bf3856ad364e35_10.0.19041.546_none_8e987c14effb44a8.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_sk-sk_912df698c3cfac6f_comctl32.dll.mui_0da4e682	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_vgasys.fon_5d8bebb4	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_en-us_14089ec954fee325.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.19041.1_it-it_107d1332cd3e32ad_mswsock.dll.mui_d7c2a730	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.19041.1_none_2853306366d1671d.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_lv-lv_f026fb2cae4de2dd_bootmgr.exe.mui_c434701f	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.19041.1_es-es_29361d4fb963a715_provsvc.dll.mui_3a2926ae	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.19041.1266_none_14a631980cb7b20a.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_fr-fr_79675db658605100_comctl32.dll.mui_0da4e682	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_el-gr_6c7fbc7e2aa0f999_memtest.efi.mui_71e15c22	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_es-mx_cd63778c71e5e529_comctl32.dll.mui_0da4e682	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msxml60_31bf3856ad364e35_10.0.19041.1081_none_07a08c6e805601ea_msxml6.dll_ebe15265	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f_power.energyestimationengine.standbyactivation.ppkg_21aafe77	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_es-es_13d3fbad5525d4ca.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.906_en-us_adc1f5c62c383715.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_ja-jp_a59172735be4e7b4.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-network-qos-pacer_31bf3856ad364e35_10.0.19041.546_none_d55698a60aca383c_wshqos.dll_f1749d15	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_sl-si_1c174079cf03759e_bootmgr.efi.mui_be5d0075	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.19041.546_none_cefcfcd89d8d8a93.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_it-it_03d07248da6ea3b2_gpapi.dll.mui_ef0a9748	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_it-it_831b0a034ac3fac4.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c3dd8e4758ad0702.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1_none_92e69152510a8cb1.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.19041.1_none_a6e297e0a15a1f88_sxsoaps.dll_7db29e61	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_428f67dbffd4ce03.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_pt-br_26e2b4db2a2335ea_msimsg.dll.mui_72e8994f	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_ba47d7f37d90af73_wuaueng.dll.mui_297f975d	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-netapi32_31bf3856ad364e35_10.0.19041.546_none_75820c6594bfeaa4_netapi32.dll_8b1e859a	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_4e11037b7cb5a25c_dsreg.dll.mui_5d9efc7e	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-drvinst_31bf3856ad364e35_10.0.19041.1202_none_ca1e0a7a1f21274c_drvinst.exe_6593e92a	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_013400b3a9b9796a_webauthn.dll.mui_acc69b8d	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647_comctl32.dll_9c499789	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.19041.1266_none_1c8f1f932b553c89.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.19041.1266_none_e0eefe63c72d43e8_shell32.dll_0d29dca9	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_pt-br_c00a97981fcf0ef9_comctl32.dll.mui_0da4e682	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..uetype-malgungothic_31bf3856ad364e35_10.0.19041.1_none_bb40ebfb65874170_malgun.ttf_166813d8	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_8514sysg.fon_d69594ed	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_es-es_e57fef51be54a1f0_netlogon.dll.mui_ecbeb9bd	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice_31bf3856ad364e35_10.0.19041.1_none_5ff38e2f67ba1cd1.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_1cad2165a3d16b35_profsvc.dll.mui_32482e9e	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_es-mx_7b5686460babe52a_bootmgr.exe.mui_c434701f	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_app936.fon_ea7f5612	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shlwapi_31bf3856ad364e35_10.0.19041.1023_none_6eb1689259d35752_shlwapi.dll_1eec0a2e	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_sv-se_b07d2f2bbb5915db.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-dui70_31bf3856ad364e35_10.0.19041.1_none_17fa67a6d1d90f6d.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_app850.fon_e2e4776b	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_it-it_78c65fb1166338c9.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_10.0.19041.1202_en-us_2d3fe908f2def5d1_wintypes.dll.mui_36d5f25a	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1081_none_20871f311cebb1df_rasmigplugin.dll_7ee2aa40	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.19041.546_none_a5535ccb0430ada2.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_de-de_73bc4b6cb4f35f70.manifest	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1564	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
1564	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 3724	1564	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe	95
PID 1564 wrote to memory of 3724	1564	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe	95
PID 1564 wrote to memory of 3724	1564	128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\651gzbi7-readme.txt

Filesize
6KB

MD5
c107ede6dba2f5606715bdb1ae4e525b

SHA1
35e2e067e445a3b822c58516320e3afd922023bf

SHA256
46bf45e5aca2bdff05200c2ffaee2bb0e8054284e9796b029b4627125744f947

SHA512
78bd6c05dcd07b907d761cebaf919c12ffe6c847b2c6fb7781bb24acbd47f4cf8b2820d3f5d427c347efff6d0e48671ce965c3396ad4df05c416573267cc3b08

Download Submit