sodinokibi | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986

Resubmissions

04-05-2024 21:53

240504-1r3k9sfe77 10

04-05-2024 20:28

240504-y9hmpsdd79 10

Analysis

max time kernel
140s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
Size

416KB
MD5

145ba213336bbb05c09d2bcf198aa3bd
SHA1

517dc0d3d853c09fd7cb69aa85fc8f37b9bf3a87
SHA256

6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986
SHA512

1868d5e625f2fb48f1ca59a34d6b0ebee612d5c657adc349ddc9b5984409e0e9844f5a31f81a1f1e1234e44064f695de07843f1fad3aad54e051e6620127a4b1
SSDEEP

6144:RQNOV3wQRokxB8n7zPUmmTg2OJH80FjTz/XmlH9n7a:qCFRoI8zP38OJ80Fjff49u

Score

10^/10

sodinokibi 17 11 defense_evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

Decoy

texanscan.org

g2mediainc.com

avis.mantova.it

cac2040.com

zumrutkuyutemel.com

livelai.com

floweringsun.org

jandhpest.com

agora-collectivites.com

mikegoodfellow.co.uk

letterscan.de

voice2biz.com

biodentify.ai

csaballoons.com

angeleyezstripclub.com

innovationgames-brabant.nl

oraweb.net

transifer.fr

alattekniksipil.com

ruggestar.ch

Attributes

net
true
pid
17
prc
mysql.exe
ransom_oneliner
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. For futher steps {EXT}-readme.txt that is located in every encrypted folder
ransom_template
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}
sub
11

Extracted

Path

C:\Users\Default\610e21li1-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 610e21li1 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/58A391D02A3CDDBA Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/58A391D02A3CDDBA Page will ask you for the key, here it is: NtmT7rhyN09AEN4EP+5RjYiEORn/q4IV7rusUSJO1SoZdNfLWaD9Vv33DXEZkWJK RiFvsAmx7pECwdYFY08dJ3N5QJebczAVN2jF5JgljwjBzjgBMgGrrFciIS1MWZi+ EyL4uf5cQd/9P8LHrXt4odqVAaZsOADAjsEkhBv4elrDDpMzJatwYzIjP8z0DO6V s/4ZFUB1o0/BykUtQUTiR2Jsw+1+3ZI35/LslD3C3vzPWk+DHYdX4vc8ZNnoxX1h EjYRN18h1KonPNAzQwvsD27bFRODb20lbTyx6fFGn1b/6lEDyGmB/B2bgcL+i7OL MHyOUJW1JdobBKt7IJgQN/Djygq4dfBwMb9K1WQKIrlChse+J0msd5dr32aPIhy9 A5ph67KPws0Q85h5iiIlEZjHSixFiIp1qqI28uELWWTNytKo/ObfBTgiF0gKBLX2 VedExrEEHe1ZlT8SNZed7rFTHDLGwzh+S0MBthvurXRXsG9NA0tO6Q/VR+bIoLxl Kr1nE4eSyNzvMHsAbC5WTUsfFcXYelJIvcu9c0idHu4SjYCUDFh5ebDJCeWf8MxB MtPExo6as4/ajMewp30A82SBQq6Fo+7sdo1BcM6OE+I9bqiwNCDp79IN/cH/M9RQ oWSwv46ijQB34ffsK+4kirmQL/HRvZu5OJr0xix/+ewIIqt5syq8ccJe4kJhiSMe 0JWdj2Xx4HJiTwf172kOLmCmGSA4C8fuV8CMzmoCQWmEqVacydrOY+kQgUTXJwQG pBjn4TXjikJyFEQ0JL4wJOB+X98NQQccRh4xs8sc5/YYJi8CqvD1tbsvAglQMcSb mVYE5XNtHrD+P+ncVAZ/VuaJz7dKf3rxARkfz02B+o/MywRWpBfrZqVXFa1JxCAY XIsm6baFI/tndBIqXA73EcHlH93qfb4Hzh+Ci8DqFy5cU/IoABD7bx4o5ZtRn183 8Pzr+J4qs3L/84acA9ZBKRaP4wQUT8szlmPkJShAxKv7XVawnzImopM9yYT1BqCg uAy6wRiM0N1UF9gPkHfFmysG+31afIPLzxaRxBelokwSEyDqtJTlVAuIf0xDV458 0eqoBu82fnF9IUfr5JyISpgPPPIa+v+QRFr5uX1FX7zz0u6X/x5BqnVcVeCdgd58 sK9X0ok/yxt5D705ylDcemJROfWt2DMp7ek=

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/58A391D02A3CDDBA

http://decryptor.top/58A391D02A3CDDBA

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (175) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\B:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\H:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\K:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\Y:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\M:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\N:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\R:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\W:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\Z:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\G:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\L:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\U:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\F:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\E:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\J:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\P:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\S:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\T:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\D:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\I:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\Q:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\V:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\O:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\X:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7mms90p86zg.bmp"	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f5d83b1064d90ccb_rasauto.dll.mui_12fa2c50	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-t..-platform-libraries_31bf3856ad364e35_6.1.7601.17514_none_ec7854d0f990441d_icmp.dll_f0a9e399	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-object-picker_31bf3856ad364e35_6.1.7600.16385_none_6b8acc3d2645838d_objsel.dll_9d6ddd89	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_802b960d331fa12f_acledit.dll.mui_5f932ccb	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-efs-util-library_31bf3856ad364e35_6.1.7600.16385_none_46efb78b042229ec_efsutil.dll_19519f5a	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mprmsg.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1160f636f9408069.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d0b77acd0b184bdb_vdsutil.dll.mui_0caf9b0e	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_et-ee_42a75c1e8aba4151_comdlg32.dll.mui_ac8e62f4	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-win32k.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a959af1877ef6c96_win32k.sys.mui_c0d34fe8	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_4c936d19ce8f71ba.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ed028e8c78f92183_appinfo.dll.mui_cfd93456	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-session0viewer_31bf3856ad364e35_6.1.7600.16385_none_3ddbd9a9605f0519.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_530088235b3e2bb8.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d63ded3632fdfecd.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d92dea821b79a3bd_sti.dll.mui_00a4f15b	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d0f0c72e3ca7f79e.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga860.fon_07129997	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_110e95329adfd6f5_hh.exe.mui_2744e397	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3b92880831ee8845_kernel32.dll.mui_c29170cd	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..ional-codepage-1254_31bf3856ad364e35_6.1.7600.16385_none_22d533776b0da1a5_c_1254.nls_7254a9cb	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5810c0c2d427085b_perfhost.exe.mui_2046145e	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1fb099f56053fd1b.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5dfa0d6aae0352fc_scksp.dll.mui_05f14191	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6d89a9aa5ed31424.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f756da735a1be231_webservices.dll.mui_eecc809d	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6674b4d9f148cbe1_objsel.dll.mui_9b915792	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_df7c5af777ec4541_drvinst.mof_6593cf80	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_c0d17ceadf33e739_comctl32.dll.mui_0da4e682	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_de-de_902f97fb54831835_slc.dll.mui_dc24f809	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_77f9a2307a488167.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..pwindowmanager-core_31bf3856ad364e35_6.1.7601.17514_none_ebc99983d3d18578_uxsms.dll_ca422e1e	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_478492ee49cae969_wbiosrvc.dll.mui_d5b8b2b8	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7601.17514_it-it_533d0a30cacc966b_ndptsp.tsp.mui_5bee9ce3	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5443e0d485ba2199_shdocvw.dll.mui_9b8f26d5	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a_setbcdlocale.dll_77bec53b	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2802c7e3e6fbf6e9.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f354211fbb4cc7c1_objsel.dll.mui_9b915792	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_sl-si_d44bd64014e9029b.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-winsock-legacy_31bf3856ad364e35_6.1.7600.16385_none_e33b8ccc72da5441.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_en-us_22d9783c715c7b1c_wudfx.mfl_ed9a43c5	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_de-de_63e0d7a39c6cea56.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0d09bfa184af61af_msobjs.dll.mui_d054e07b	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0a1287b745a0addd_wldap32.dll.mui_065dbd9c	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ed9a54ad162a8850.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_6.1.7600.16385_de-de_39abefffc16e5209_lsasrv.dll.mui_d47f7e1c	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_c8df7823424473a1.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-authentication-authui_31bf3856ad364e35_6.1.7601.17514_none_0dfae70253a9fb02_authui.dll_05ff9fd2	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8046f18849ea1075_scfilter.sys.mui_cebab716	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreos_31bf3856ad364e35_6.1.7601.17514_none_83784bb654f0d178_system.ini_96e9118b	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cecbfd173661bff0_newdev.exe.mui_6ce4084e	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..geadapter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_387d94d0a70893b6.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_de-de_111bacf3e074578c_rasdiag.dll.mui_15cb4ec4	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_it-it_529d01e809d121ed_services.exe.mui_86ea5e71	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6b83d7cd687b9918_ole32.dll.mui_5035d60a	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bb92604e3d64e901_printui.exe.mui_5e66aade	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5db7df5b307ffadc_puiapi.dll.mui_e94aeb19	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_6.1.7600.16385_none_27a7f7694b388c01_wship6.dll_db4127c3	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-xmllite_31bf3856ad364e35_6.1.7600.16385_none_e5307039bcff94de.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sr-..-cs_e977d49ab747fe93.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b068a5dbd9458c35_ws2_32.dll.mui_f13ef3a5	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f067c9d9c2297404_hidserv.dll.mui_561adfc8	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ar-sa_10a851fdb05d695d_msimsg.dll.mui_72e8994f	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.1.7601.17514_it-it_b5c96023e4e0ea00_winlogon.exe.mui_3280fc46	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2720	vssadmin.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2880	vssvc.exe
Token: SeRestorePrivilege	2880	vssvc.exe
Token: SeAuditPrivilege	2880	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2144	3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe	28
PID 3048 wrote to memory of 2144	3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe	28
PID 3048 wrote to memory of 2144	3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe	28
PID 3048 wrote to memory of 2144	3048	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe	28
PID 2144 wrote to memory of 2720	2144	cmd.exe	30
PID 2144 wrote to memory of 2720	2144	cmd.exe	30
PID 2144 wrote to memory of 2720	2144	cmd.exe	30
PID 2144 wrote to memory of 2720	2144	cmd.exe	30

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fdb8b3f743c1cc065af7523a8d229ca3

SHA1
3babd1918d74e45b6ebb89a91418f1eabe7361ac

SHA256
88f56918e50da4d8de0983a01d1ad631e1ac56b6ee0bd2f9d543b3cc38a9383b

SHA512
84776a2da9b2cfc27bb20f8bf62b5486b8f056846962bd516e501fe93b8b8db17708ff9fe784f1a513e770904cc514498bba09b4bf4e6eac9b08e50244f32886

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4782d9b8c855562d50962f78adc6da0

SHA1
519dff64fd2d81b532accc81286d2c61b5559374

SHA256
d9f247938d8636d82cf3420b414977a120c3b6baa9aa6b4166cb586d7d380e20

SHA512
19cd2e5ccea4866dce07acd29cf2e6551e793d179de9d08a681e9587e0db6dea59ff019a37e2237e3229b467bbd0f099ee8534bfa318d7638b7395771343640c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar960F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Default\610e21li1-readme.txt

Filesize
3KB

MD5
fb263c53d652393b3cdf2e5096cf53a2

SHA1
a3e778a7399cbc78a738ec29cca58f7e5bda0d17

SHA256
0e327f60cf191d345e8915cc4851bc770dd124df09d5a9acde9ddf9626a6ff4c

SHA512
ea637d2cd4e38ca7d15ec9e1385639c685005b610ada91971127749c02b780dbf93bc8a64b3ce66fc89012b99b12a27ff9c5ac99fe3b1bd599d7e8c21f048d9d

Download Submit
memory/3048-9-0x0000000000890000-0x00000000008AF000-memory.dmp

Filesize
124KB

Download
memory/3048-7-0x00000000024B0000-0x000000000254F000-memory.dmp

Filesize
636KB

Download
memory/3048-11-0x0000000000780000-0x0000000000786000-memory.dmp

Filesize
24KB

Download
memory/3048-10-0x0000000002920000-0x0000000002A29000-memory.dmp

Filesize
1.0MB

Download
memory/3048-8-0x0000000002550000-0x000000000267D000-memory.dmp

Filesize
1.2MB

Download
memory/3048-12-0x0000000000780000-0x0000000000786000-memory.dmp

Filesize
24KB

Download
memory/3048-14-0x0000000000610000-0x000000000063B000-memory.dmp

Filesize
172KB

Download
memory/3048-15-0x0000000000427000-0x000000000042D000-memory.dmp

Filesize
24KB

Download
memory/3048-16-0x0000000000610000-0x000000000063B000-memory.dmp

Filesize
172KB

Download
memory/3048-0-0x0000000000427000-0x000000000042D000-memory.dmp

Filesize
24KB

Download
memory/3048-429-0x0000000000610000-0x000000000063B000-memory.dmp

Filesize
172KB

Download
memory/3048-6-0x00000000023E0000-0x00000000024A9000-memory.dmp

Filesize
804KB

Download
memory/3048-5-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3048-4-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/3048-1-0x0000000000610000-0x000000000063B000-memory.dmp

Filesize
172KB

Download
memory/3048-538-0x0000000000610000-0x000000000063B000-memory.dmp

Filesize
172KB

Download
memory/3048-539-0x0000000000610000-0x000000000063B000-memory.dmp

Filesize
172KB

Download
memory/3048-540-0x0000000000610000-0x000000000063B000-memory.dmp

Filesize
172KB

Download
memory/3048-621-0x0000000000610000-0x000000000063B000-memory.dmp

Filesize
172KB

Download