sodinokibi | 5fe8e804cc0e7d211019bf37dbb18e4a00af24be11cc9407fac6d648c01716fb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
Size

157KB
MD5

619bcc16546e3d7ddea8045fa88f65fc
SHA1

bab813d5a45552978bba9a413089222c3f225a6c
SHA256

5fe8e804cc0e7d211019bf37dbb18e4a00af24be11cc9407fac6d648c01716fb
SHA512

22997dc1a27b3ee620ab248336dd7a373d7a5217c30135a36943555e605ae7ea81fe55b5c0b596bc14748831144ae91b4272dd6a319cc3d69bea2fa7caccdded
SSDEEP

3072:Fi8Iy8EytSLbi4eTMlwDCnuZ3jmOaqGpeT3:U8IUykbnWJZ3jmOaqFT3

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Default\121q42l-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 121q42l extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/578D93FF9A00C149 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/578D93FF9A00C149 Page will ask you for the key and extension name: 121q42l. Your key code: dedGPfkRndvBohy3Z7W8sAVFkoLX/io+FrVlI+AKOkPRzq2mSTDhCWtqNcVYHeaN 3k8kgf9U6a1ABlRqwltPkxF35GJCPAv6HkkGA4xeJKtQoBfcQKkC4FNzUIwJ0AO0 /PhjkpraqMpyvnG53mp3XsAsqiX8Wf4/iyCMPnHw2OomdCEvIfknd24b2fOWsHjN gmyphIyPDXp7hc6kdVcxJ0fVmZVlAK20tGXx9wdVqBGMgml8XP+wSvqVTTNkX2D1 g4+v7ypwCVPEvK1357Ug8YqlKp89yuZjjRJRPrlPJnybacuvzBS+Xf0ECkDVn/9d YZVWODvaC2BRrf2VFyZ9q+nQz19Nra54oaai9wV6wQxsclgmMi/CkI8Mde+5NajP zifH7PSP84P6Gwwsch0OXPkzq/uyXvagRmaQsOt6BiNBnjwOxXnOS7ARvxSkl420 Khi0ox8AFuprux769a+pzQILP5OOBuR1Ftdf+DCL1VQE6AKs68uT00Z2ao1A2l3d ZNeYOdsRlPMZ5Z/hkM3SRIfAmTK1drnv7D1Ma3zb9lrMafN140Y1ttEFXHAYud+p ffiiHF8EDdRRtMnaBnEMpeSnOvpkUOEKREBB3KksD+vm1PmlIeeRfYFQyOdFqM5b VsVdzwKLy3PsbqMVT2v9zYMrTSXQgtqRmhd2f65bKSLuDGvf7noEdNBq6aVTqvuI lXxUlN/4eRkUXMcAPm10RZbsLpc3OPcQQ2vVEbuCxoynlMHBN7r9fOMvjKcchlzf gu/VD2X6M4x3GFud/MknYAE/lxWohWLwL4p8M+1rmkaTrCTtMub0S3ouwrhPUEgt oEM6jJ6jLTxWUw8rRYNsce+OJcW6VpMPxnacmm2Ra+4O5zi45QM6wea5xP2FoIEg Nc4lSFjrU7rnYrfdcb8ky9y63XBfWJQzv1dArTcUHl+xgmmmHDAA9g8k7ZheggGz csmv926iMSm97+I7nMePq4HxDXm75mKrNRbw3rzDEBo3PY72mh5gqfRzl86W7nS9 ae9dTydbZjE3n1uYoqq0zD/C7l8cymL9gn7cb5TAV9SGC8WY67r6alrUtdsakVIL NQZCYG34lrz9alLbkE7Nn84MKRD/fwsR7MVBjJ8Szt1sKTfX3+wTLfy5G4Q8iGRx e/Gp1XocbCphaqZGe7GvvG/GAJSPz8ZCFNbQjnWq

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/578D93FF9A00C149

http://decryptor.top/578D93FF9A00C149

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Renames multiple (155) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\X:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\A:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\I:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\K:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\M:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\T:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\U:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\V:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\Z:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\D:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\F:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\B:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\Q:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\R:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\S:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\W:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\E:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\G:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\J:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\O:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\L:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\H:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\P:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened (read-only)	\??\Y:	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4efuhj5n696.bmp"	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pt-pt_6f586ad4968d0a4b.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_10.0.19041.546_none_e397cce70c94bb9c.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ndis-minwin_31bf3856ad364e35_10.0.19041.84_none_50f89b6d5629756f.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_it-it_bddceaf325c3cfd0_rtm.dll.mui_55e4e990	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr.resources_31bf3856ad364e35_10.0.19041.1_es-es_1b9eaea5281dc1e4.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodepowerservice_31bf3856ad364e35_10.0.19041.1023_none_d2e23d980197bef4_umpo.dll_d1843b37	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_it-it_1bf36b0c23ae824c.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_10.0.19041.1_none_1e240d67c55a5719.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a82483f2ca370f3a_bootmgr.exe.mui_c434701f	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.19041.964_none_21f025fe4ae682b3_winipsec.dll_abfff1a2	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ar-sa_90a6dad6f86cae6b_msimsg.dll.mui_72e8994f	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.746_none_ebd9b2add93e89de_pppmenu.scp_74b84d65	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_ab83828872bfa667.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.19041.546_none_db8a38e9e99bc04d_wldap32.dll_09c99dc1	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ntasn1-dll_31bf3856ad364e35_10.0.19041.546_none_a281e1595804c734.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_10.0.19041.1202_none_86f1a64ecc40a477_bcryptprimitives.dll_5dcb347c	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.173_none_f837263e7fdd508f.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.19041.1_de-de_6006045d449d1cd6.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.19041.1_es-es_f20d80907f57aa9d_nsisvc.dll.mui_237a741f	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9064b8c1b47576c0_iscsisession.cdxml_9cd8900b	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.19041.1_none_99395f2e25df3f2b.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_21ce86839bea8f66.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_uk-ua_a0ca5953ccba1693_comctl32.dll.mui_0da4e682	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.i..utomation.proxystub_6595b64144ccf1df_1.0.19041.1_none_a6e297e0a15a1f88_sxsoaps.dll_7db29e61	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_es-es_2511db3abd9629f0_msimsg.dll.mui_72e8994f	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_cs-cz_b9bcb23617239319.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_de-de_d431d440f6bef2b0_rasautou.exe.mui_55686a97	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_fr-fr_79675db658605100_comctl32.dll.mui_0da4e682	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_sv-se_8e0ddc60c5dec4a0_comctl32.dll.mui_0da4e682	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_vgas1257.fon_a23f7007	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-version_31bf3856ad364e35_10.0.19041.1_none_caef5cb2f043426f.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_es-mx_cd63778c71e5e529_comctl32.dll.mui_0da4e682	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_fr-ca_665a4a2f6afc7e06.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-onecore-ras-base-vpn_31bf3856ad364e35_10.0.19041.1266_none_9123280a93582482_vpntoasticon.png_e607ca23	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.19041.1_de-de_f88fd8d1e0995d78.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.746_none_f62e5d000d9f4bd9_switch.inf_4b9b5a3f	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-drvinst_31bf3856ad364e35_10.0.19041.1_none_0b4eeb140948562c.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_10.0.19041.1110_none_56683e3b6f9cb252_partmgr.sys_fcac898c	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..gc-kspsvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f1e103d17e2d973d_ngcsvc.dll.mui_96312421	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_bg-bg_88616845ca1cafcb_comctl32.dll.mui_0da4e682	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_10.0.19041.546_none_a0a14858c07bcb00.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_10.0.19041.1266_none_153dc4c3b9f13a6f_driver.stl_8a4e6441	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.1_de-de_dc9d9f087e08e27c.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.19041.1_it-it_da88293649d0d609.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.1202_none_cc0c3d35675da3a1.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d2d_31bf3856ad364e35_10.0.19041.546_none_85962dc4bac043a9.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_a404249a5c38819f_themeservice.dll.mui_9e71f1ab	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.1_none_ce261fb74e2d8d8f.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1202_none_a391067a6b9b433c_appidtel.exe_b664fbc5	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d88727f57b0f135a_scardsvr.dll.mui_5f6fb64f	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_lv-lv_ab9bc1d129a747ed.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_vga737.fon_11d63f16	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_uk-ua_4f4fad6deb8a668a_msimsg.dll.mui_72e8994f	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profapi-onecore_31bf3856ad364e35_10.0.19041.1_none_bc0d9057164c1e84.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_e4acb32056072b0a.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-drv.resources_31bf3856ad364e35_10.0.19041.1_it-it_906025eeef4f8476_mpsdrv.sys.mui_b2aea3b6	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_es-es_a8bd371b7dd7b043.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_509c290d28f760ee_apphelp.dll.mui_59096153	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_pt-pt_c0ec67041f3e7ed5.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_th-th_9d3487b5c119fc22.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_it-it_621da0698f796e95.manifest	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ngc-ksp_31bf3856ad364e35_10.0.19041.1_none_217aa39bb332ab57_ngcksp.dll_a56a189a	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d88727f57b0f135a_scdeviceenum.dll.mui_815e7662	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_8f7ee59fb65a0495_efssvc.dll.mui_03cc4e41	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
2784	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2228	2784	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe	90
PID 2784 wrote to memory of 2228	2784	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe	90
PID 2784 wrote to memory of 2228	2784	619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\121q42l-readme.txt

Filesize
3KB

MD5
568dead0a841e1e945386680e715af62

SHA1
5eb34389e04422d47e0913f4442ba314dba88d9e

SHA256
7534be702eb4b531c979e5151a109966abe939f6db7e535af7a0e9031893996f

SHA512
9e33bc3468323d14372916f5637cc90f64cc0074d7ad8148e63d7a8668e43014b1d275dd208b62443b849c92baa580a7bcd694039235fbc724031b005ca3b61e

Download Submit