sodinokibi | 4447dee4424f298d64e15a4ba543090afe27afc9b839cb186ce4ddad3ca6e6b7

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
Size

373KB
MD5

3efdc5484d5d58b90bdbc48ba7598446
SHA1

24e23dd6e76f1aa0bd66c92ce2ecfa8c47b831ca
SHA256

4447dee4424f298d64e15a4ba543090afe27afc9b839cb186ce4ddad3ca6e6b7
SHA512

c84ceb205550e473251583aaf7364677a7955daba96183289e4d68a42ad7b41ac176dbb7be37361ec0a0958bd6b5d89dbd726de4b4c23dd4f16ffbb197554fb3
SSDEEP

6144:t7eVKANEgjw8TOnLOZEvsMAcgsphgjxgQQ:RWKAGgjgKOAcixgQQ

Score

10^/10

sodinokibi 17 11 defense_evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

Decoy

texanscan.org

g2mediainc.com

avis.mantova.it

cac2040.com

zumrutkuyutemel.com

livelai.com

floweringsun.org

jandhpest.com

agora-collectivites.com

mikegoodfellow.co.uk

letterscan.de

voice2biz.com

biodentify.ai

csaballoons.com

angeleyezstripclub.com

innovationgames-brabant.nl

oraweb.net

transifer.fr

alattekniksipil.com

ruggestar.ch

Attributes

net
true
pid
17
prc
mysql.exe
ransom_oneliner
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. For futher steps {EXT}-readme.txt that is located in every encrypted folder
ransom_template
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}
sub
11

Extracted

Path

C:\Users\Default\4r5882w-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 4r5882w extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7581C0BB6C2082A0 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/7581C0BB6C2082A0 Page will ask you for the key, here it is: bqhLvf5t3v5q59R0oDFt7UdE+YSdHud5qmrUIbAPZpYJC5Gn1l0gPqgAGw3eX9iv xEJvYOOUcuwA15E3rjTAFLL3/cv4ApkQzlv81gmNWez7coU1xLmZa2hlR6OAifUS 3yIlqj4kcwiD2K+S2c+o0nmLYB+nvwDmUf49GyKqw/uat0qomfUjoJpNEfGf/2PJ G20hJex4eqQtuSI7qqkTBAIb3YEdXV2EHjHJvRpwir91Lc196eQwPmYsYvq31UEn YIiSfy+AgQ2X/9+/X9AyQvXLB31yiv5qEuFQxIrza7fRrdOr/7n7b9VKe918BiTf XGtf9wEh04rbn7D0dq+wYt68qM3vduTNOLUvDYKkv8kCpLskbPnWPsba3xXjhsUl aTr2cXC7adFk7QrI/ekPk2kobACyvCEWaa8HgwubUAywqss8AyjyRfHNUQA5wXKQ NigSPI2wetggcrjTyiS0C7IB5eVfdpHrQhVI2orzS4WEZIJfYd4NRtX+PWQ0eE4u Liip1KnMOWLPee+nTnEmUp901qfsIDqODjs0VS20QtSva0tAZnzuuPKC9jRfmnuZ gc1NRj+xyPpoBLsZO5UTVrUY9oHcyDUVnIBeNWBtnjWnpmLqxzQxiLRs9Fkb6I0e ppRHyM8KBiY7wBfjo2a9+Nib+EfgLgTePrDolC1FnhmG5ry/nmod6YeEDX595qYV DO/HZliNN6I9NkVXYdQX8p7jf+KnSp5Z31WYeq9ZRdMTUr9BxiSifQ8BaQHCa+tB vp7cT2CfHlFfiA56P5mdttAvSTGmtJ3QPqliBSWWkz/PJ6UQ8sJFfQCjgrD3XpHh FpMsD2NV6MOw47MiV8/59eCccE+IuMHdpKYjEqjBysN8ugFSXNLJdJqOIPH581xG vSHsaOw7QTOCU3adZnrcIC8GLfyfnlVpz7x1Z8LaTlZfks+OH/CKcKAQNKYJaWbP Rl/dZ3UFtsO+cevTcx8n78EQz5RZKxhccSDQtos6gA7Hz+7ROWfA7tDhVKGgmR54 mrzhpFHa3LlguUNhR1m5PJNbt8XpwotwqR8+Xsa0BcSrZZFVcFzd6i9wc41gLztJ NsOGKmJcN5GmKFrBBuBlO8ncyOoRGw2rB1CNG1J46BenDj8rycPw3cdcO36Byczh pdb4Mmk6xmHDwFrDfjSuZ06b/UCSdfU3qF8=

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7581C0BB6C2082A0

http://decryptor.top/7581C0BB6C2082A0

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (206) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Loads dropped DLL 1 IoCs

pid	Process
1820	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\B:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\U:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\H:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\O:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\P:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\V:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\X:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\D:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\M:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\W:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\Y:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\I:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\J:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\G:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\K:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\R:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\T:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\F:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\E:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\L:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\N:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened (read-only)	\??\S:	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\67m91r8o6n3x.bmp"	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1820 set thread context of 2676	1820	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	28

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0dcaa2ad5c24a80_perfc.dat_f4bd9339	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_69e1726ad300872e_mofcomp.exe.mui_35badf56	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_es-es_72ad61937e044eba_newdev.exe.mui_6ce4084e	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6f478f227a774b53.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e4caddd130d36cd4_adtschema.dll.mui_208d0981	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser_31bf3856ad364e35_6.1.7600.16385_none_b6699ff0162b88a0_duser.dll_a2bd2fa9	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_hr-hr_31db610f5ea8e8d8_comdlg32.dll.mui_ac8e62f4	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-852_31bf3856ad364e35_6.1.7600.16385_none_2add00d6b4e2da5c_c_852.nls_bb0fdbcc	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_019943d7782289a6_printui.exe.mui_5e66aade	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-authentication-authui_31bf3856ad364e35_6.1.7601.17514_none_6a1982860c076c38.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mssmbios.resources_31bf3856ad364e35_6.1.7600.16385_it-it_90a25fd49cec8308.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_058c51ca4837d7fe_basecsp.dll.mui_04bea7ac	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..ional-codepage-1254_31bf3856ad364e35_6.1.7600.16385_none_22d533776b0da1a5_c_1254.nls_7254a9cb	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ba650fd806606d37_sqlsodbc.chm_92fe0a89	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_de-de_bb31595d11a5d311_credui.dll.mui_34721171	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7b176a691d8ef141_mprdim.dll.mui_11b5ef08	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_08eb1c04e4e36155_dhcpcore6.dll.mui_27872349	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dbda601010b3d73c_hdwwiz.exe.mui_b4acc7bc	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_37c1dc5aeeb79d37_sppc.dll.mui_0a75786d	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_50eb7c559b1066a6_hdwwiz.cpl.mui_cdafedff	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2e771ede4247d84b.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f5d83b1064d90ccb.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c162de87050a6649_hid.dll.mui_cccd5ae0	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_dd4aec746ec16291_bootmgfw.efi.mui_a6e78cfa	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_it-it_d5c6fcd450b860a2_comdlg32.dll.mui_ac8e62f4	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-phagspa_31bf3856ad364e35_6.1.7600.16385_none_cec462f31334afc8.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..rics-storageadapter_31bf3856ad364e35_6.1.7600.16385_none_329b3f476f0cd674.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-t..rk-msimtf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_717f35e98abfe109.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_015df3e3bafadc7a_winload.exe.mui_3bc5b827	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_printui.exe_bb673fff	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c6211bdd913a2fd8_setupapi.dll.mui_bcc172a4	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b6bfad83ec5fabc6.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0e58d2a9d7ba751b_webservices.dll.mui_eecc809d	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_28cc097097c60a1c.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f9fbc139da800abc.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9dee017864e3d2d5_hhctrl.ocx.mui_632bdfc0	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_a6821d2940c2bcdc_dbgeng.dll_eefdd445	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bb92604e3d64e901_puiapi.dll.mui_e94aeb19	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b5c7352fec289a79_acledit.dll.mui_5f932ccb	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-hk_4b2efb22b62d4e89_comdlg32.dll.mui_ac8e62f4	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_061d873a494c09d5_wmpdui.dll.mui_92411657	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ef8490c876cbbf3a_certcli.dll.mui_1b6822cf	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..resources.resources_31bf3856ad364e35_6.1.7600.16385_de-de_526a9d2a1fa0367c.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b5fa959a738d6d74_auditpol.exe.mui_df4767d7	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..geadapter.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_103eb300532c9edb.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_33bb1a534004f6c6_ulib.dll.mui_bb7d4db5	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_de-de_21b960f797ba24d0.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasserver-repl.man_0cfe2e51	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e2e88a7682b25068_expand.exe.mui_3f54e013	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c9f12eb68eff5150_ndadmin.exe.mui_2e106c3e	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-t..rk-msimtf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_87573fa2b38dfb8b_msimtf.dll.mui_e40b8b25	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_sl-si_306a71c3cd4673d1.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c2436bebf07f5963.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-hbaapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_903ffeafc5a64100_hbaapi.mfl_4e36195e	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_361eafdb1f34fd8e_comdlg32.dll.mui_ac8e62f4	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_fed8c13f0d90a8cf.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_cd970b6106ea9e70_loadperf.dll.mui_f6faeae0	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f6ea0fa9e9820bd7_activeds.dll.mui_67414db4	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a_rasacd.sys_43640ee7	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5bab695d0065bbd0_newdev.dll.mui_914efc6c	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_78142c772a77958d_wmpdui.dll.mui_92411657	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4c5c5f0b3e948403_scecli.dll.mui_225fa220	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-webio.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_a403d5b489e5518b.manifest	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_47c3a7a7b5db2631_dnsapi.dll.mui_97465f8a	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2768	vssadmin.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2676	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1820	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2528	vssvc.exe
Token: SeRestorePrivilege	2528	vssvc.exe
Token: SeAuditPrivilege	2528	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2676	1820	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2676	1820	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2676	1820	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2676	1820	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2676	1820	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2676	1820	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2676	1820	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2676	1820	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	28
PID 2676 wrote to memory of 2716	2676	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	29
PID 2676 wrote to memory of 2716	2676	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	29
PID 2676 wrote to memory of 2716	2676	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	29
PID 2676 wrote to memory of 2716	2676	3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2768	2716	cmd.exe	31
PID 2716 wrote to memory of 2768	2716	cmd.exe	31
PID 2716 wrote to memory of 2768	2716	cmd.exe	31
PID 2716 wrote to memory of 2768	2716	cmd.exe	31

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe"
  2⤵
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:2768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c4b76a98ada61a19ad0eea20517351b

SHA1
9ce5634b86c7f9f8e87bccdeece8f4d8919e98d4

SHA256
195eeafed2a1137a1cdbe78963c8cf24938d6b4f799b73335de0283747da7822

SHA512
a14887701978f8e733e3aaf936763d6661b401673aa2e2281f3b6b4b4c75f8a3095514644e462a92bf9a604a7c151e3b9208cee14caab5906433960f5570319b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21750999bd7472490124782385e09c04

SHA1
9135ebf89b26dcd2e9cf88f3e6072b390d1c90f9

SHA256
52261270771ec94d9497f98b0aacc1f70ee675208065edcac774294fea2fe2e7

SHA512
a3a236d98e911a5eb8c17e639e8b1847e75b845a57a78062483d452d5270351f8d87039ed38a7dc4ef261167b282620495edaaada8f8577dbb6426cd70d36f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8F85.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8FA7.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Default\4r5882w-readme.txt

Filesize
3KB

MD5
bf52d32e0f42facac3cce43bd77ac61d

SHA1
d4fc1b86faf366d6cd341fabda66a70ec9a060bc

SHA256
1ca62ad40291c5db3b7b60f5d1fc301931a9bffd1fc77fb11defbcfb72c0847d

SHA512
ffc34a7aa48bcb1ed5c47e625f3e1a4759d3b5fc9b1d39a3655bda525807cf989c3f5f3bc0493331220e2060d5a92b4c7b1d485ae3dad231321f611c01422e00

Download Submit
\Users\Admin\AppData\Local\Temp\nsi2711.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
memory/2676-9-0x0000000002090000-0x0000000002159000-memory.dmp

Filesize
804KB

Download
memory/2676-493-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-13-0x0000000002620000-0x0000000002729000-memory.dmp

Filesize
1.0MB

Download
memory/2676-15-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2676-16-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2676-17-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2676-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-11-0x0000000002200000-0x000000000232D000-memory.dmp

Filesize
1.2MB

Download
memory/2676-14-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2676-508-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-12-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download
memory/2676-10-0x0000000002160000-0x00000000021FF000-memory.dmp

Filesize
636KB

Download
memory/2676-545-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-8-0x00000000001D0000-0x00000000001DA000-memory.dmp

Filesize
40KB

Download
memory/2676-7-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-610-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-611-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-684-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2676-696-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download