sodinokibi | df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
Size

164KB
MD5

7419fb7e3354a8d3fed0213d888312ae
SHA1

bbfe9e30414da1a127c65ed6915e30131dd6db81
SHA256

df1b009ed5edf9d754dd6e1f8b4918c55260eb6d91d1c8bbcf909afa2e2c9919
SHA512

342d58371a58a1f3361dfaa51e27623d3a835782a196f0daa2349ecace963611ac2e839006be1db42ae6b4f591f591661ee062090ea8b2fd7c8a028fc1496072
SSDEEP

3072:oRud7cQgLbDkQjKiNLDIFjKbnSEagbje61A8U:o0qQe52GIFGHJ261BU

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\34f69-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 34f69. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F6A946E7E4664445 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F6A946E7E4664445 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: UjBSFFo3mY5cfRMQyp5ppt5GgBBfLIRxDqVgChf81ZOSh1ODcLMLtCuYk1+UWnJS FgjZAgJOgtcQZ5vT88zOn1L+76w4qvsC1zt2fuOPcl3LvB66dkaUiGfcFiAeM7zE wG/qrPhL1955LUPno12cy+ZGdvS4FE1islsv8oPlJlnNnzA5jLsG5CuPm46v05cS z+KoHS4dbqzDmdOsB4HUeJIkVfr1OY7r8K2QHOkctSAVVpZV9TcJfxFm/VGblh+4 5tqhXQSyP2CDhLWelxEkY/d9zBdaKQ/DoQHNcCty5XsW/WVZphQj7IeVsLFzNumx hNLXn8PrYo2tEr/Ip7AzOI7/mX3VmcB8LrrHr/czKB6CloAoFEzg5ftPtJHjhC8l hu2iXpeQHtAy5E4Z6l4pzY4ydo7+LObKJcPj9U9k4DWb0Hb0M52pElExddaThjYx OXxZI0BxNHzpPqADdmf3s+ABL31aMakMZNGLCHkNuDlLj4vmJRHMmFTam7WTNdaJ cyTir114gqkQv1isnujCXSIhmEYpTYQzF1+KonW3VIL0dr8zTjIArVDDw9rtox5d N5yzC8wbo4Bfe/3fk2yZ8lyhMvyEE7VkvtoUOCOvao3ci7UOLSuA76i8E4TtzwJh q4dqAHWZG2xTlVT1nl416skOHFLheR91E6BeCxNNq9FdBs3yb4Tao7jrTiFxbBWt PottjzmFlksGSbXCvqzvbMCsigEkg0sYgndEyEBOIi7GaYXw7s+lXpF6a8vryaKj Vn40Yio7ZW8hVtQYFlsvsm4jiCygN4y+J/Icfhl3MohfOx2pfXXA7BTIGUByvWWB 83v9iPk9KejDGsZEKV5PMrTMn5fZjAMwxz2ljrD+FDMOT9RUWDFRVXgnZfm+DNL9 jo1VUb0IoesyvFH0eBt4ji1tBuHvg6J5gUukIa0wB7aDhfLHQjbxzZX/vHdCx8rE HIHPWfsGStLgzhJ411DvLOnUrtTFHxm1hBJT/M9K4fcYWHOtds+mpiLvfbh/hm6P /IEcE67ocs17zYmWhri6GXZaWMjq1Npe4gk1zNQ0jBSzTMjzdx8r6WyH13lLiPcI db9xGzGtavGYV0W2py61z+Ho23Ms4IMvnXvbuAa0I7IijE4yzPJOloLGA/bznCRU beEm6vFv6JficZU1yqC72ZC8qyd5MVlwROHAz85xrCZvZvCNET3WXi0Z4c1wa46e YAIdF8ufgOwvAdQYHaw= Extension name: 34f69 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F6A946E7E4664445

http://decryptor.top/F6A946E7E4664445

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\O:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\Q:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\F:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\A:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\I:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\J:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\K:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\Z:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\S:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\D:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\B:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\E:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\R:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\U:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\W:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\N:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\T:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\G:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\M:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\X:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\Y:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\H:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\P:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened (read-only)	\??\V:	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viae6vb86d.bmp"	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\FormatRegister.html	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MergeConvert.reg	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MergePublish.ini	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\NewRevoke.tiff	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ResizeOptimize.potm	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RestartLimit.3g2	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\TraceWatch.mpp	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File created	\??\c:\program files\34f69-readme.txt	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UninstallUnblock.css	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnblockPublish.vstx	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AssertRestart.ADT	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CheckpointResize.xps	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\GrantMeasure.rle	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StartInitialize.php	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File created	\??\c:\program files (x86)\34f69-readme.txt	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ProtectSkip.js	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CompleteNew.txt	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RepairRegister.mp2v	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SearchTest.wav	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\WatchPublish.htm	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PublishRestart.m4v	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_30aa1615db0a20c2.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_de-de_157d8b1ac43d0595_comctl32.dll.mui_0da4e682	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-atlthunk_31bf3856ad364e35_10.0.19041.1_none_43d799d2707b5758.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.19041.1288_none_5961108733e967c9_lsaiso.exe_51c00eb7	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_ad9e9ef8adfd68d5.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_nb-no_862dd322fb07020b_comctl32.dll.mui_0da4e682	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.19041.546_none_11ab5f5f99fc8eda.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-duser_31bf3856ad364e35_10.0.19041.546_none_386df5495b49cc70.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi32full_31bf3856ad364e35_10.0.19041.1110_none_cab79e1fdc701903_gdi32full.dll_ffcb16f4	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6b692a0bf33edd02_lsasrv.dll.mui_d47f7e1c	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.19041.1_de-de_0b2bfd2dfb25cc08_partmgr.sys.mui_b800c491	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..r-library.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_b3f2501cfb88a63d.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.19041.1_es-es_c81525929a05b49e_clfs.sys.mui_1310ba12	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.19041.1_it-it_635a71dbe36ecef6_win32kbase.sys.mui_07d441e9	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-hardware-policy_31bf3856ad364e35_10.0.19041.1_none_b8115bbc4932577a.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.19041.1266_none_1a0aa046bfbc05b6.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fa84bcd97ed5458c.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi32_31bf3856ad364e35_10.0.19041.1202_none_d893813832e8a501.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_10.0.19041.546_none_bad936652ad03072.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_cs-cz_33d8c3da77d0026d.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_de-de_8398f19094835129_winresume.efi.mui_f412814e	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6cf41ed5d1ce056f.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_pt-br_785d60c10b52e5f3.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-basedependencies_31bf3856ad364e35_10.0.19041.546_none_e09b38c4879eb2b7.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntmarta_31bf3856ad364e35_10.0.19041.546_none_597fc8a7ee70e8c9.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_ro-ro_c00d07e45f7b48b1.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_dos737.fon_8de20802	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_es-es_fcde5a75fe44e11c.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_21126be33c76b858_nsisvc.dll.mui_237a741f	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.19041.1288_none_d7f32f1de5be2a2a.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b641f2883587d6aa_axinstui.exe.mui_aea34130	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptbase_31bf3856ad364e35_10.0.19041.546_none_435f1c790cc941ac.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1266_none_b2317523477fbd48.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_25d6f2766f7cf9c2_storagesense.adml_0fc60f43	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_6762f0cd5bf0e05a_firewallapi.dll.mui_43c7a05b	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-sechost_31bf3856ad364e35_10.0.19041.906_none_703c15786005c809.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-twinapi-appcore_31bf3856ad364e35_10.0.19041.746_none_9be9f1245111722d_twinapi.appcore.dll_8d6512dc	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_412ceba6e304397c.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_it-it_8099ce7794a5ae0d_user32.dll.mui_14652dbb	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..gon-tools.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_f5a6cd2c5f2cdd9c_wlrmdr.exe.mui_ee563c83	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ja-jp_9014eb97267a94f8.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_de-de_181aed41f51697e5.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_en-us_c10bc33ae3f4a3aa_trustedsignalcredprov.dll.mui_5edc427b	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wintrust-dll_31bf3856ad364e35_10.0.19041.1266_none_64740d4b4f423b2c_wintrust.dll_abec426a	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a5ff576d1c105e2b_memtest.exe.mui_77b8cbcc	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_el-gr_6c7fbc7e2aa0f999.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_ro-ro_7b81ce88dad4adc1_bootmgr.efi.mui_be5d0075	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.19041.1023_none_636449faa48a1497_bcrypt.dll_e2f091ac	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_10.0.19041.207_none_89ee19e7423ac211.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.964_lt-lt_ce47d201c53c798b_comctl32.dll.mui_0da4e682	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase-core_31bf3856ad364e35_10.0.19041.1_none_f22c316c97d7c109.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_bg-bg_ba921840a92e8615_comctl32.dll.mui_0da4e682	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_it-it_725f5b9788589dd0_netlogon.dll.mui_ecbeb9bd	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..cs-client-extension_31bf3856ad364e35_10.0.19041.1_none_3b544d0451866b3d.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.19041.1_it-it_e72f62f8f173d32f.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-efs-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_31a464aca9751670.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_zh-cn_7294ce476ec912f1.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.19041.1266_none_8e5f726ca832e39d_power.settings.idleresiliency.ppkg_de8e690f	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_sl-si_5e0f6855e557e908.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_de-de_d8897d7855c66c63_gpapi.dll.mui_ef0a9748	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_zh-tw_0c7481fb62437520.manifest	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvcext_31bf3856ad364e35_10.0.19041.1081_none_99079f18291a3688_profsvcext.dll_5740fcb8	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b103cf1329c78478_tcpipcfg.dll.mui_a5479fc1	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
1524	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 4748	1524	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe	94
PID 1524 wrote to memory of 4748	1524	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe	94
PID 1524 wrote to memory of 4748	1524	7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7419fb7e3354a8d3fed0213d888312ae_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\34f69-readme.txt

Filesize
6KB

MD5
f52d0a85294372b992407fadf1aa1e23

SHA1
bc7c5d23aad009346886c33bcd64bf5e86b85466

SHA256
4e2f06cf75ce079aa2f9f517eec6bd3042eedcae026fffa601563f86df895697

SHA512
dfc9b24b8274a1fa5a62f33a9b057d3daccf6aba5c3e1997fb9e1fdd60a7610704caf50cc29ab726b13006186f2a973a0e16ed984eba1bb07c81f78d5811cad9

Download Submit