sodinokibi | 13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
Size

158KB
MD5

53550156f5250bc445aedad91fa9d665
SHA1

2fec5aca3bdaf419f12795491b70cd7f8fa8371f
SHA256

13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb
SHA512

34caca932ae9e63d5e3ed22369901eb4a3ca68ff9d3c1825c2d47db5530f54c203de7916d256a09bdaab85145a9d64a1ac22e2a957436cc2765747550701b054
SSDEEP

3072:X440HvCjLbi4eTMlwDCnuMMf4crzUxc0+NP:I46v0bnWJSezMc

Score

10^/10

sodinokibi defense_evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Default\1lgkv-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 1lgkv. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/43F09B535E512F0C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/43F09B535E512F0C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 0hVRZ3UPSWEWDswCuoMQ7B14AQaPlcGrTczCW5H7LL1hxkEVY+7aQTnke33ehWxM R9eofqeGPBt3lW/4UfymvzK1US+v2V7okNuXRL0Rp0kJMLO8tDA1sMurBIi0yKgr aZvHOoJGT9FClAMClAdBTjpWSwAad9YyG8tZi4eeHjTIKqUuUpg8PpVfd0WQcPLv wWCn5jvglQPJvl/BnpoY7dLYmvvICyrSRXryB1gKMFj2oCQbSkCc2QpM4N/yMAhQ mfev7OcpXH0WsfwBMYj5VAm/V3RYhyFV5zqVKUru7u7sAF/q497cpxXLMn+vqCs1 C9AxDD0m62l7RmMYiljEc/uf4M31PU2DLyCxDJq02/ch86WCyNDcrusEHrT+1tYN ZeszJShllmiKhwDgwZsthyEBbIG3kYhovoiMd2bt7twCw+7glF7L3BthyP30qio2 nn7LiglitakQE5kpP/jekJdApFJ5+zdkzx6A5aqZqS2HgawPWFFttzG+qXBavLrn hFISI16tQmdUTnrFcpvflywjMJvBgopF/2Wts8d6Jwf4KqXaVfaPX+CkIcaqVFdi IP63U5J8/PxI7aXPlQOmU/+YFu9/JqLv3bf7uBI4eoS3eMqXH/0iiqFLKu1WArrQ ih91AH5+3jhXfMgH4uNlBDq+HDILJuuZyJUwmmQIGmHB8BFLq+ER/nCepoxfC7qy h3xcRK686A4LqiE9iEgt1j6pRSmlxYA9P1S3lURNs3b9V+MV8y/7arId4972Kns8 J6T8PDwgYx9L1T7MImM5MdJWqJgsu3q6OKGydAhNcedGzNLdx0iUxf0vd6GTHlmA 5oIRCUPbSPW24xfWTpnkkt0szAmrHntQWidVHF9XzBVS142oaT/juhnao9gNUd7P ZYU5ih8KPF+iuYoLQSJTwTXkvUIBcQAmejslKPPFmKlm7P1CK2dqwc9ySpnUKQ4z lvkkjJsNFpj9R0coSTheagO19iXvLuIciVxoTFsEuXeOpC/7QBcMfUkM2IrxzUTI iqw/DxFQxcpme62glO0xXtVopzJDzNX8LBK41XeBCcJv5y0Wc9Ybek+Pj+5aic10 g6Qbe6nzQ8N1+naDMD8hEbOr79unMlEE1EKT7VGPTG4QqFe9zeSg4wtpYSzlAt3X aEZfYRpjaEoP8tF2aPmFYJW1n7eMddKt Extension name: 1lgkv ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/43F09B535E512F0C

http://decryptor.top/43F09B535E512F0C

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\X:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\Y:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\E:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\J:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\O:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\P:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\K:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\T:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\V:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\F:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\D:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\B:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\G:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\S:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\U:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\I:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\M:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\H:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\N:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\R:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\Z:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\A:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\L:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened (read-only)	\??\W:	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iuy09.bmp"	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_5abc71b3b20b3a94_comdlg32.dll.mui_ac8e62f4	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_6.1.7601.18972_none_09a44b6a3051f6fe.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_f212a9458fcfdbd5_perfd.dat_f1e3dfd2	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c40f51aeb9049490_sppc.dll.mui_0a75786d	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad_lodctr.exe_b02cefba	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_541d3a4db051d913_sdbinst.exe.mui_258ad624	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_603f82557031dca6_dui70.dll.mui_de5f27e2	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_6c066d50910ecf5a_switch.inf_4b9b5a3f	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_250c5db92cbbfe4b.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b68b0a67ec869d6b_memtest.exe.mui_77b8cbcc	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_it-it_436a76adb68a994b.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_it-it_01b197f04e4e8248_duser.dll.mui_3c369ac4	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_95998ca48a79e748_bootmgr.efi.mui_be5d0075	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-kokila_31bf3856ad364e35_6.1.7601.17514_none_4d4bb384a78cecc3_kokilabi.ttf_822b42fe	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-raavi_31bf3856ad364e35_6.1.7600.16385_none_a2d43ed8e3097243_raavib.ttf_325ee9c9	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_6.1.7601.17514_none_2b4a7558412a624a_nshwfp.dll_a8fa0a82	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_6.1.7601.17514_none_da3cb85562df73c9_memtest.exe_01d80391	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f97a7f2743de2ff5_ddraw.dll.mui_95b8c3ab	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_d4183db432a5f29d_msimsg.dll.mui_72e8994f	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a7ddb2029817a18e.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_6.1.7600.16385_none_27a7f7694b388c01_wship6.dll_db4127c3	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_058c51ca4837d7fe_scksp.dll.mui_05f14191	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_80e558338e88b98f.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4ededf901613f76b.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_f212a9458fcfdbd5_lodctr.exe.mui_4ac7d1a1	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sens-client_31bf3856ad364e35_6.1.7600.16385_none_5d37a06dd6d242cc_sensapi.dll_9e623aad	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_es-es_e55a1685a53ea786_mpssvc.dll.mui_4b194b5f	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imageres.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0717549385e2c80a_imageres.dll.mui_3e41dee6	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c26a086b301c0205.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_14424567ab0c4d42_mlang.dll.mui_2904864a	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-usermodensi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_deaa3f2f341fcff5.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dynamicvolumemanager_31bf3856ad364e35_6.1.7601.17514_none_3b28c7719cc8612d_volmgrx.sys_f02896c6	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c5a9614052e986a8.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-usermodensi_31bf3856ad364e35_6.1.7600.16385_none_d8abbed91585a944_nsi.dll_e72df756	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ed9a54ad162a8850_serwvdrv.dll.mui_6a9f4568	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_856144d7e24caf0a_mlang.dll.mui_2904864a	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..itmap-ms_sans_serif_31bf3856ad364e35_6.1.7600.16385_none_ac9f9e10add68c8b_ssef874.fon_594e8893	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mssign32-dll_31bf3856ad364e35_6.1.7600.16385_none_2628bf25f41e9a5c_mssign32.dll_441d133c	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4fcc12c061ad9631.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3033044d96cf553a_imagesp1.dll.mui_14e4c892	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cb31547d0a230c7b_loadperf.dll.mui_f6faeae0	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_57ee6a4218527f7e_dhcpcore.dll.mui_8b901fc3	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f6e1ec9fa2e0ba82_setupapi.dll.mui_bcc172a4	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_99076bac95fbcc5d.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_921f7aaac68bcb70.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9b553d0b8f9855ac_iscsiexe.dll.mui_7d81b1cc	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c27c626d1e4bdd06.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_997c59804d36f40c_webservices.dll.mui_eecc809d	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d02acaa3e17e4bae.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cdc890961bc0fbb5_crypt32.dll.mui_4268f86a	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3e80b31cc7dc75d0_authui.dll.mui_19b92789	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_17013cbdbd7efe45.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9e8c88ba3cdfd040.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_vgasyst.fon_aefdfa30	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-msvcp60_31bf3856ad364e35_6.1.7600.16385_none_4277eab412b31810_msvcp60.dll_d804e509	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.17514_none_0a43accb08f0eac5_ole32.dll_e9dcc2e3	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2f78a00e3a072173_iphlpapi.dll.mui_9531144c	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c8666cba19c26e1_mdminst.dll.mui_19a87063	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-unimodem-config_31bf3856ad364e35_6.1.7600.16385_none_50f69335385bc360_uicom.dll_d72e5b75	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_812af93ce5196f81.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-feclient_31bf3856ad364e35_6.1.7600.16385_none_beb0674eb8e86a51_feclient.dll_248fccac	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277_cng.sys_050526ad	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_it-it_225e9c962aa93521.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_bd28e772321016e1.manifest	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2572	vssadmin.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2692	vssvc.exe
Token: SeRestorePrivilege	2692	vssvc.exe
Token: SeAuditPrivilege	2692	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1724	2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe	28
PID 2916 wrote to memory of 1724	2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe	28
PID 2916 wrote to memory of 1724	2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe	28
PID 2916 wrote to memory of 1724	2916	53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2572	1724	cmd.exe	30
PID 1724 wrote to memory of 2572	1724	cmd.exe	30
PID 1724 wrote to memory of 2572	1724	cmd.exe	30
PID 1724 wrote to memory of 2572	1724	cmd.exe	30

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79c8118b234de1b1c2392baecfeeb6ae

SHA1
5169c8196aab0c33fbca52674e29038385d373eb

SHA256
b284db45e3b5ec75a8f766962b41b394d88a004290414b53af32185fec7a179d

SHA512
c862d23f68c3c03198f0caafb6569c11d97196404c95e4a31826020abaad18119a69c89da74baf2a701058d7f2b31a6cd50718699920502de1e2b2270d1568b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9CAF.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9CC1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Default\1lgkv-readme.txt

Filesize
6KB

MD5
8d82313a67d6ef04d8660e4ba921847a

SHA1
5d440c516e57906f3f544e7b212cfc2407b9a2b2

SHA256
2b499879d98675bc830e5f6854d28ef48f68899280373f5373d56ebf6eddc26d

SHA512
f0cbd5793b023cea0f83a9b09721d447e37137027350c6c4d8dd8115af8f0e8ffb1a07103c80c94f045e6ff3cd7b388661f73f9ece2e9aeb1d19e4e432797a0d

Download Submit
memory/2916-8-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2916-7-0x0000000000820000-0x000000000083F000-memory.dmp

Filesize
124KB

Download
memory/2916-6-0x00000000021B0000-0x00000000022DD000-memory.dmp

Filesize
1.2MB

Download
memory/2916-5-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-3-0x0000000002110000-0x00000000021AF000-memory.dmp

Filesize
636KB

Download
memory/2916-4-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2916-2-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2916-11-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2916-0-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2916-9-0x00000000025F0000-0x00000000026F9000-memory.dmp

Filesize
1.0MB

Download
memory/2916-10-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2916-1-0x0000000002040000-0x0000000002109000-memory.dmp

Filesize
804KB

Download