Analysis
- max time kernel: 128s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-05-2024 00:53
Static task: static1
Behavioral task: behavioral1
- Sample: 19fe9989b89a24d2fe76644b18944b60_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 19fe9989b89a24d2fe76644b18944b60_JaffaCakes118.dll
- Resource: win10v2004-20240419-en
General
- Target: 19fe9989b89a24d2fe76644b18944b60_JaffaCakes118.dll
- Size: 114KB
- MD5: 19fe9989b89a24d2fe76644b18944b60
- SHA1: ff210251d7832da9661cce50aab2dfb379046aae
- SHA256: 6b8fe4a62fb03dee5dc0802cc168197f3289a5786e1f10729ecbb1678dfa9378
- SHA512: b65e62d7a09450bc1a38728e89dbe2d2d9420fc71c83254c266db424e159f38b1442f3c2e907a27b5ea7af630482edfea7751c87e766afcd6dcb909a17edce8c
- SSDEEP: 3072:tx9vinMBNZoMIw4ayMteYFJ0uwA9dDoX:f9vinMPrIFajLlrkX
Malware Config
Extracted (from C:\Users\4qpcanj0-readme.txt)
- Family: sodinokibi
- URLs:
  - http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/75BFBAB56BC07FA0
  - http://decryptor.cc/75BFBAB56BC07FA0
Signatures
- Sodin, Sodinokibi, REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description / ioc / process:
  - File opened (read-only) \??\B: rundll32.exe
  - File opened (read-only) \??\R: rundll32.exe
  - File opened (read-only) \??\Z: rundll32.exe
  - File opened (read-only) \??\D: rundll32.exe
  - File opened (read-only) \??\O: rundll32.exe
  - File opened (read-only) \??\U: rundll32.exe
  - File opened (read-only) \??\W: rundll32.exe
  - File opened (read-only) \??\F: rundll32.exe
  - File opened (read-only) \??\H: rundll32.exe
  - File opened (read-only) \??\K: rundll32.exe
  - File opened (read-only) \??\E: rundll32.exe
  - File opened (read-only) \??\G: rundll32.exe
  - File opened (read-only) \??\I: rundll32.exe
  - File opened (read-only) \??\J: rundll32.exe
  - File opened (read-only) \??\N: rundll32.exe
  - File opened (read-only) \??\T: rundll32.exe
  - File opened (read-only) \??\M: rundll32.exe
  - File opened (read-only) \??\L: rundll32.exe
  - File opened (read-only) \??\S: rundll32.exe
  - File opened (read-only) \??\V: rundll32.exe
  - File opened (read-only) \??\Y: rundll32.exe
  - File opened (read-only) \??\A: rundll32.exe
  - File opened (read-only) \??\P: rundll32.exe
  - File opened (read-only) \??\Q: rundll32.exe
  - File opened (read-only) \??\X: rundll32.exe
- Drops file in Program Files directory (22 IoCs)
  Processes: rundll32.exe
  description / ioc / process:
  - File opened for modification \??\c:\program files\EditUndo.aif rundll32.exe
  - File opened for modification \??\c:\program files\InstallApprove.search-ms rundll32.exe
  - File opened for modification \??\c:\program files\OptimizeMeasure.temp rundll32.exe
  - File opened for modification \??\c:\program files\ReceiveGet.html rundll32.exe
  - File opened for modification \??\c:\program files\RequestWatch.asf rundll32.exe
  - File opened for modification \??\c:\program files\RestartPublish.zip rundll32.exe
  - File opened for modification \??\c:\program files\CloseLock.tiff rundll32.exe
  - File opened for modification \??\c:\program files\DisconnectRepair.dwfx rundll32.exe
  - File opened for modification \??\c:\program files\TestWait.xltm rundll32.exe
  - File opened for modification \??\c:\program files\OptimizeDebug.TTS rundll32.exe
  - File opened for modification \??\c:\program files\ResizeMerge.tiff rundll32.exe
  - File opened for modification \??\c:\program files\SplitCompress.txt rundll32.exe
  - File opened for modification \??\c:\program files\CompressUpdate.wps rundll32.exe
  - File opened for modification \??\c:\program files\HideReceive.wmf rundll32.exe
  - File opened for modification \??\c:\program files\EnableLock.xps rundll32.exe
  - File opened for modification \??\c:\program files\HideSubmit.emf rundll32.exe
  - File created \??\c:\program files\4qpcanj0-readme.txt rundll32.exe
  - File created \??\c:\program files (x86)\4qpcanj0-readme.txt rundll32.exe
  - File opened for modification \??\c:\program files\StopShow.snd rundll32.exe
  - File opened for modification \??\c:\program files\WriteMount.wmx rundll32.exe
  - File opened for modification \??\c:\program files\ReadCheckpoint.docm rundll32.exe
  - File opened for modification \??\c:\program files\StartExport.iso rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe, powershell.exe
  pid / process:
  - 1596 rundll32.exe
  - 1596 rundll32.exe
  - 3828 powershell.exe
  - 3828 powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, powershell.exe, vssvc.exe
  description / pid / process:
  - Token: SeDebugPrivilege 1596 rundll32.exe
  - Token: SeDebugPrivilege 3828 powershell.exe
  - Token: SeBackupPrivilege 3516 vssvc.exe
  - Token: SeRestorePrivilege 3516 vssvc.exe
  - Token: SeAuditPrivilege 3516 vssvc.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description / pid / process / target process:
  - PID 3056 wrote to memory of 1596: 3056 rundll32.exe -> rundll32.exe
  - PID 3056 wrote to memory of 1596: 3056 rundll32.exe -> rundll32.exe
  - PID 3056 wrote to memory of 1596: 3056 rundll32.exe -> rundll32.exe
  - PID 1596 wrote to memory of 3828: 1596 rundll32.exe -> powershell.exe
  - PID 1596 wrote to memory of 3828: 1596 rundll32.exe -> powershell.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\19fe9989b89a24d2fe76644b18944b60_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\19fe9989b89a24d2fe76644b18944b60_JaffaCakes118.dll,#1
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}. It deletes the volume shadow copies, which explains the vssvc.exe activity below and the "Uses Volume Shadow Copy service COM API" signature; encoded PowerShell launched by rundll32.exe is a high-value detection point for this family.)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\4qpcanj0-readme.txt
  Filesize: 6KB
  MD5: 9cac884eed4e4cbea82c55987b1c1319
  SHA1: b88c0b25495a688f3df945ee0ba9ff417ec996ad
  SHA256: 3590c481b944bd1b74e15d7b890288d6521e9a1b2660d867e54810e8bf5c9dac
  SHA512: 63adf115bea2cf3d464fd7b3947de47787b793dea4a33ffe5dfc8fd92789527802df09c94d7534f7c559b69361b9d058cef2900c40f0e47c6ea9a750adfb3d31
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1lowyyy.2wf.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- memory/3828-0-0x00007FFDB57D3000-0x00007FFDB57D5000-memory.dmp
  Filesize: 8KB
- memory/3828-3-0x00000198DE310000-0x00000198DE332000-memory.dmp
  Filesize: 136KB
- memory/3828-11-0x00007FFDB57D0000-0x00007FFDB6291000-memory.dmp
  Filesize: 10.8MB
- memory/3828-12-0x00007FFDB57D0000-0x00007FFDB6291000-memory.dmp
  Filesize: 10.8MB
- memory/3828-15-0x00007FFDB57D0000-0x00007FFDB6291000-memory.dmp
  Filesize: 10.8MB