sodinokibi | df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919

Analysis

max time kernel
134s
max time network
142s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
Size

164KB
MD5

7419fb7e3354a8d3fed0213d888312ae
SHA1

bbfe9e30414da1a127c65ed6915e30131dd6db81
SHA256

df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919
SHA512

342d58371a58a1f3361dfaa51e27623d3a835782a196f0daa2349ecace963611ac2e839006be1db42ae6b4f591f591661ee062090ea8b2fd7c8a028fc1496072
SSDEEP

3072:oRud7cQgLbDkQjKiNLDIFjKbnSEagbje61A8U:o0qQe52GIFGHJ261BU

Score

10^/10

sodinokibi defense_evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\oj14vb0zi-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension oj14vb0zi. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/78B9E2B21B8B20E4 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/78B9E2B21B8B20E4 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: KBBG7J6T5fi9NFgEWazipLHZ9TkcYA6dGwo9chJvNNOrlnhTvcADOpx4aWn9IWOx MF5yBrTqE0m47oQGPRonoBeOncpoZ4P2AO1P5UK8DU4hP63qoXEUXVQga9bIcVXR VuA8XY4OmrGMKZlbAyJ4eCzBCtNa5qyNnIRf0rh9zwjVu7aX5ru9ORfRc0TFd23k kWk/0u7P2pp3g0N8GG+EoBE7XFlJwYhS8uWkxPHtujMwW2MQwSvkGtKQySMs3aNw 8YzfpS0QX4pNFpv8XUqFMjKZLof+/KbU0MtkkOFFdPqWmibXKzWOcwMNZaz+iaWi tTBkrLCHl1qhxx2l5IqhHO165TNrwpoXwTIFbuB11GHPdWyagirj6oO2A8N07DMI yCCm1jgGv5WAbBSm4IdkW+DeDazF5tg+kQZCXeFMAbTygRW5YnupvRqyUNxz5I3M uExwGIG7Fh919aTThY6RRP1UwZwPbP3lDNv8IlrOA5AuRDD1Po7925foQ80YJ50W im7L7XMkAkyimD9oL7uP+D0yI2H/Zrh2rYasKfg5P4USMlSIgmEczt27xmTs+L5A uZpjlnws/lJ6rTZIHXYJuPKSxn+W2Au3uVpAcnTj3C5d5oyBOgMSjut0zeLOS7Vo 9tmPDkr9df7NvWfa0G2UKxoAcNEkqZlOICdZ5J5wCpxvVG5jmounAiDzUZsya7Hy pCUXir7nrgSUZhsrtzP4gzVPSBIrgn8KFxkj21NrNOrzu4L1J/mPbnNpoVGoLD+x 8IUSUSKN2DDFZl+GY7YmgVQFuQv1mXV+z4HVcUcVM2LYeUK0W6Qn2wrq5oIrxIHS BzVFlhPfs2Dz6JO68Rk+RvIiujZbvKXlw7Yp8RE8vKCRMkJLdMKTvLfvdJBhRn2G 5Gvs2Y9m/GeWnd2RcEhEY4DjBN3Qz+3R1UM4lSvZiaQYx5eFKlZxyg0XAL9bY6xH 9t4CiE0kol/W7D+Ebk5xNwmIwqktqa8TtMPuSK6TbI1KFKdI4Yx35y8VxaI7u1Wm r0YM2U8YFzsPC0hsWMmXfJnT4bCbfcq15iWEE8Wjvtc+eJEBeiQyjf0N4V77EVVD 3cW0hfk9/4MTy4bMRVzlD0OjTG4sNZO8M4cjq941iac28DHJoqG7VvcEu77PHsWX 2e3qdX7IivV5C8TsRzPX/22UhHak7JIdyDc1Np1UAosSIq3t636TkJN49yhNVFyJ WD3JURl5P7VmQkSA8Npglw== Extension name: oj14vb0zi ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/78B9E2B21B8B20E4

http://decryptor.top/78B9E2B21B8B20E4

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\P:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\G:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\O:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\E:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\T:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\Z:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\B:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\M:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\U:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\Y:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\D:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\F:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\I:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\Q:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\R:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\S:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\W:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\A:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\J:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\K:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\L:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\N:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\V:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\X:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57l5979.bmp"	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\JoinEnable.vsw	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RevokeRepair.wmx	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RevokeStart.rtf	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StepMount.avi	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UndoCompress.kix	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MovePush.odt	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RestoreUndo.mp4	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ResumeMerge.css	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PublishProtect.tiff	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\GrantTrace.ADT	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PingBlock.rm	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ProtectSend.inf	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\oj14vb0zi-readme.txt	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ExitSwitch.jpe	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ReceiveConfirm.ogg	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StartTrace.mov	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RemoveInitialize.MTS	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File created	\??\c:\program files\oj14vb0zi-readme.txt	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DismountInitialize.vsdx	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ExitComplete.WTV	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnregisterClear.vstx	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UpdateBackup.mpe	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AddConnect.ram	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RedoEnable.aifc	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RequestDisconnect.pcx	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ExportWait.dwfx	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InstallMerge.png	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\JoinRead.au	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ReceiveImport.eprtx	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SuspendStep.dib	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\oj14vb0zi-readme.txt	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\oj14vb0zi-readme.txt	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File created	\??\c:\program files (x86)\oj14vb0zi-readme.txt	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConvertFromDeny.3g2	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DisconnectCompare.potm	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1edda9a99ffeed56.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c3a194a371438ae1.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b6bfad83ec5fabc6.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c9f12eb68eff5150_newdev.dll.mui_914efc6c	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_964af31d4c0ac434.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3f3bc9163ae8cff9_expand.exe.mui_3f54e013	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_afc46a483dba13d4.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aa60e56750ed0f15.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_he-il_6cbb737c4d8a4e44.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smallet.fon_f3d5df91	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-857_31bf3856ad364e35_6.1.7600.16385_none_2adc8eeeb4e35a81_c_857.nls_accf5ac9	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4fcc12c061ad9631.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ef3f3b3b9e7e8bff.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_it-it_9214614bc6c64f8a_cryptui.dll.mui_9728c1dd	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_061d873a494c09d5.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_af38ff0e0c7a9cb9_explorerframe.dll.mui_074caeb5	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c4612d3f03b3254c_ndptsp.tsp.mui_5bee9ce3	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9365f544be6e4e04.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277_sspicli.dll_bcec1809	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c686c1311f544cad.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-imageres.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c0d0c2c8f6537156.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..e-sakkalmajallabold_31bf3856ad364e35_6.1.7600.16385_none_48cbf868d7b65eee.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b79b28ecefa21fda.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_6.1.7601.17514_none_76234513809272a3.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2cd61650c375bd11.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0d2ee42c82e9fcb3_webservices.dll.mui_eecc809d	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bf2cff0b66713162_spp.dll.mui_42138158	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mssign32-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_14dcc6c966568f9e.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_44c69dc0653f7644.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_a2ffc87595d912be.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f756da735a1be231_webservices.dll.mui_eecc809d	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4ededf901613f76b_winbio.dll.mui_7a8d17bd	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9fd3daa29505fb3c.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ee48dd188f0650ee_dui70.dll.mui_de5f27e2	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e9108e6c063a7919_rpcepmap.dll.mui_349798e1	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-vssapi_31bf3856ad364e35_6.1.7601.17514_none_330ce3bf9861358f_eventcls.dll_09ce86ba	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sv-se_a3dab79bf7c211cf_comctl32.dll.mui_0da4e682	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_85775.fon_f144fe91	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mssign32-dll_31bf3856ad364e35_6.1.7600.16385_none_2628bf25f41e9a5c.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_it-it_dc658d0c024781ab.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_06a50238f37ce6dd.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-msvcrt_31bf3856ad364e35_6.1.7600.16385_none_d12b8c440039b31e_msvcrt.dll_ee71f3d5	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_uk-ua_732562c1b4a8a15c_comdlg32.dll.mui_ac8e62f4	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mprapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bcfcc41d8e6964d0.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4e23429b0fff2c9_tcpipcfg.dll.mui_a5479fc1	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dcb97024f9925cb8.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-uiribbon_31bf3856ad364e35_6.1.7601.17514_none_db578bdb5e3559c6_uiribbon.dll_8a707982	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_da-dk_a30ceec4cc4e21a8.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6e3ba8f78468edc8_pautoenr.dll.mui_9667d15f	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..iles-core.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b6b4d0ce04c0bca3_cscmig.dll.mui_7e59bd05	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_35802f0f452f59bb_dhcpcore.dll_8036fe08	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7438b7499bb92a94.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_uk-ua_1706c73dfc4b3026.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-imageres.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4d1e381cc0a068af_imageres.dll.mui_3e41dee6	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc_31bf3856ad364e35_6.1.7601.17514_none_59d75cdc494c95ea.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cdfd33b21b9a0a10_crypt32.dll.mui_4268f86a	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b98e60acbd094074.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3153a0d9a132d2c6_msxml6r.dll.mui_4516d602	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b12fe15175794c34.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-font-registrysettings_31bf3856ad364e35_6.1.7601.17514_none_fe2c02fcfc1cf640_muifontsetup.dll_47a24edd	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_3a5350f1e9bfcf28_bootmgr.efi.mui_be5d0075	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_e802953b7bce56ec_comdlg32.dll.mui_ac8e62f4	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..rastructure-ws2ifsl_31bf3856ad364e35_6.1.7600.16385_none_ab7b927be17eace8.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_da91c3e3638f49b4_odbcjet.chm_2a003207	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1728	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2988	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2848	vssvc.exe
Token: SeRestorePrivilege	2848	vssvc.exe
Token: SeAuditPrivilege	2848	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2056	2988	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe	28
PID 2988 wrote to memory of 2056	2988	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe	28
PID 2988 wrote to memory of 2056	2988	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe	28
PID 2988 wrote to memory of 2056	2988	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe	28
PID 2056 wrote to memory of 1728	2056	cmd.exe	30
PID 2056 wrote to memory of 1728	2056	cmd.exe	30
PID 2056 wrote to memory of 1728	2056	cmd.exe	30
PID 2056 wrote to memory of 1728	2056	cmd.exe	30

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab8307.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8329.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\oj14vb0zi-readme.txt

Filesize
6KB

MD5
f20e5e9d72c5024b14870f4c7f2ef436

SHA1
706b785e64e9f16d8dc466c69e3e5aeef2a77820

SHA256
1df1a3a7fcca1dc89deeb584982511be05a3b7e14eced9a5a35db736e06255f6

SHA512
4d8e210a8b7d40cf9614dafa5556f9e6b6df241f27b6d5170b10f287fbaa10552faea63e13060944ea921f630bbaf229d62a7fe85ad301bbd65b1a89559b53d1

Download Submit