sodinokibi | 6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986

Resubmissions

04-05-2024 21:53

240504-1r3k9sfe77 10

04-05-2024 20:28

240504-y9hmpsdd79 10

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
Size

416KB
MD5

145ba213336bbb05c09d2bcf198aa3bd
SHA1

517dc0d3d853c09fd7cb69aa85fc8f37b9bf3a87
SHA256

6329693e5c61a2f0fa1a53bd177f5a332ef729050b3f109630b759c792f0b986
SHA512

1868d5e625f2fb48f1ca59a34d6b0ebee612d5c657adc349ddc9b5984409e0e9844f5a31f81a1f1e1234e44064f695de07843f1fad3aad54e051e6620127a4b1
SSDEEP

6144:RQNOV3wQRokxB8n7zPUmmTg2OJH80FjTz/XmlH9n7a:qCFRoI8zP38OJ80Fjff49u

Score

10^/10

sodinokibi 17 11 ransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

Decoy

texanscan.org

g2mediainc.com

avis.mantova.it

cac2040.com

zumrutkuyutemel.com

livelai.com

floweringsun.org

jandhpest.com

agora-collectivites.com

mikegoodfellow.co.uk

letterscan.de

voice2biz.com

biodentify.ai

csaballoons.com

angeleyezstripclub.com

innovationgames-brabant.nl

oraweb.net

transifer.fr

alattekniksipil.com

ruggestar.ch

Attributes

net
true
pid
17
prc
mysql.exe
ransom_oneliner
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. For futher steps {EXT}-readme.txt that is located in every encrypted folder
ransom_template
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}
sub
11

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\H:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\K:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\S:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\T:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\W:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\Z:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\B:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\J:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\L:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\M:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\Q:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\Y:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\E:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\I:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\N:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\P:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\U:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\X:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\G:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\O:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\R:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened (read-only)	\??\V:	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_10.0.19041.1202_none_d02feec5930a1e75.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_fi-fi_c42cdfe7b2b01c1a_msimsg.dll.mui_72e8994f	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_it-it_1bf36b0c23ae824c_wiarpc.dll.mui_0c913b87	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_sv-se_4660a589b1629b9a.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atlthunk_31bf3856ad364e35_10.0.19041.546_none_76347da1644ddd4f_atlthunk.dll_61ada5ff	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-apisetschema-windows_31bf3856ad364e35_10.0.19041.1_none_e01d9d0bfa07ae7e.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_d3af63f17d8b58b9_bootmgr.efi.mui_be5d0075	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_it-it_63d59ac645c938b0.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.19041.1_de-de_f88fd8d1e0995d78.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_cs-cz_1dee5804823a393a.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsiconnection.cdxml_1f2347b5	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_nl-nl_25e65642b37198d7.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_de-de_8398f19094835129_winload.efi.mui_35ee487d	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.964_lt-lt_56115177ea09ace6.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_sr-..-rs_646331312131f0de.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_25a24f5a6fa3eb67_storagesense.adml_0fc60f43	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.19041.610_none_5aca84205a90fe5e_nsi.dll_e72df756	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..etype-lucidaconsole_31bf3856ad364e35_10.0.19041.1_none_b537ffbd18185517_lucon.ttf_76ed00f1	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_es-es_6871eca24b40d9a0_iscsidsc.dll.mui_6acb64a6	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938_kerbclientshared.dll_1fa7b356	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_8ab89bbe670645a7_winmgmtr.dll.mui_741bfb68	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6c2a09eceb1bb17b_mpssvc.dll.mui_4b194b5f	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_2d13f7d6bc2181e3_user32.dll.mui_14652dbb	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_10.0.19041.1_none_5668fec1a41d6ac1.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_da-dk_7f2a1321ccbad7ec_msimsg.dll.mui_72e8994f	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-csrsrv_31bf3856ad364e35_10.0.19041.1_none_7f78448944bb2844.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.19041.1266_none_cfec8db821d83671.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_10.0.19041.264_none_5c643b8f866d5e2b.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.19041.207_none_36fc5f8a5adba8ab.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_pt-br_785d60c10b52e5f3.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_8a83f8a2672d374c_wmiapres.dll.mui_c1b8803f	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_es-es_fe0f0c83ff027428.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_nb-no_e0132477454b2a7d.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_01a52ac31deb1307_afd.sys.mui_ff192075	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_es-es_8145b05544cb69cd_gpsvc.dll.mui_0c160ac2	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.19041.1_es-es_c0476ba913952b3f_keyiso.dll.mui_4bbf12ff	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore_31bf3856ad364e35_10.0.19041.1266_none_7c78c66cb767e03b_appinfo.dll_6162d887	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.19041.789_none_89924141786cea16_msvcp_win.dll_48149df4	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_86d2322d49223ce5_vds.exe.mui_2268d934	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4b7d699c61176a95_profsvc.dll.mui_32482e9e	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ertificates-utility_31bf3856ad364e35_10.0.19041.1_none_3eeeb9b5ca0761f9_fvecerts.dll_cca35228	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_hr-hr_b4205a674b468594_comctl32.dll.mui_0da4e682	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a5f5f155cd89b58d_gpsvc.dll.mui_0c160ac2	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-homegroup-listsvc_31bf3856ad364e35_10.0.19041.610_none_4cbb0d74d942a05c_listsvc.dll_c76b1498	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_10.0.19041.1202_none_26ae8647562ae5ff_offlinesam.dll_5e21eef0	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d88727f57b0f135a_certprop.dll.mui_602eaab4	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_de-de_d942b0e37da37953_netiougc.exe.mui_ad7a9e4d	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_ro-ro_1219f92ac5b548b0.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.789_none_3136b8d712da0334.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base_31bf3856ad364e35_10.0.19041.1288_none_82b5dd00dbb53a5c_combase.dll_a2567a6a	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1f5866fbea0202f7_wudfpf.sys.mui_f61e9e86	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_en-us_9eaa18c3f00b3175.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_sl-si_4892e179afed964c_comctl32.dll.mui_0da4e682	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_82c8254d1d7289f0_wevtsvc.dll.mui_f41bf7b7	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_10.0.19041.546_none_bad936652ad03072_winsta.dll_4e6f9a4e	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userpowermanagement_31bf3856ad364e35_10.0.19041.546_none_8b678fb390086be3_powrprof.dll_480be757	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog_31bf3856ad364e35_10.0.19041.1266_none_518a2f9fc80a85ad_wevtsvc.dll_add42ce6	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_it-it_a65df33be4649fa7_userdeviceregistration.dll.mui_22ab8f29	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_afaadb8f0b8a9278_msobjs.dll_052c8a60	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_ja-jp_ed3ea94a706110ba_comctl32.dll.mui_0da4e682	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_cga80woa.fon_40965299	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_en-us_c10bc33ae3f4a3aa_trustedsignalcredprov.dll.mui_5edc427b	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_nl-nl_32602d1a95f90be1.manifest	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1384	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
1384	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1384	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1596	1384	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe	99
PID 1384 wrote to memory of 1596	1384	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe	99
PID 1384 wrote to memory of 1596	1384	145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\145ba213336bbb05c09d2bcf198aa3bd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1384-0-0x0000000000427000-0x000000000042D000-memory.dmp

Filesize
24KB

Download
memory/1384-1-0x0000000000427000-0x000000000042D000-memory.dmp

Filesize
24KB

Download
memory/1384-2-0x00000000023F0000-0x000000000241B000-memory.dmp

Filesize
172KB

Download
memory/1384-5-0x00000000023F0000-0x000000000241B000-memory.dmp

Filesize
172KB

Download
memory/1384-6-0x00000000023F0000-0x000000000241B000-memory.dmp

Filesize
172KB

Download