sodinokibi | 5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
Size

164KB
MD5

890a58f200dfff23165df9e1b088e58f
SHA1

74e3d82f7ee81109e150dc41112cf95b3a4b5307
SHA256

5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
SHA512

2ee3636833cd9b02f5e311401817b15514845d4c12c1416d7e345845f8084775bf8c5f8f32822066b75a6b627a93138a0b27deb99c8bbb1f8d640132a2d8de0d
SSDEEP

3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\n2v10-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion n2v10. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C82A46F0B1B5FCF6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/C82A46F0B1B5FCF6 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Ux0z3qhVr+fsmnCWBksdM33deX+jywe/URz/Wlj3VMo3n7y8bTavq/0JkeN0EBg9 fWUDbOtYBgbRxuXnPAdCyeqhgW3G7k0Se0obLs7sSvqWnBBo7vTEnrsHBJhQVAzQ dYWsHquVdcVvpyGh8S5yQ/UfsQ+yV5utqSMkCUGi5UEQJ8ZhQm7S8SNDr9oDLTo8 3IdW9xWQU/Qwv9/59/B1OhY151ibmA4rqBtv+pgILhueFMjAntxXbqWPIMsVdXU6 DvGMsl0eQP/RZpRRXD701z+FxkKFuyV9+Vf1M+YDfUGX4KQcnkl30gI/Urc9YyJV 8YSTnJDqoGQnpTju2EyjiHAYvNHzVr3rNn/4rO/wXe+Sdc/LBSaR5zGCWXjqiugM 2ndeIX+QNkcdhCDCN5MccBZqj/kwOsIKp6PAa6oUhdr0/RkDTI598x20wNqYQ+fX Ip8MQvhQAzUp5A/+WlJ1QklZqT0aXeAowXCbl2mdWAuzYCWMz535+CLL9h+yMOxP DRSR+qeM0kAOo1jBaQ525vBl2nNVlvf1x+2WbRpBbtdmVa1bW2PpX8McxbQ5lgE/ b/pLfApmj64XbneHKa3GSgacTWWBSiuY6V6Iw4J91ezaID8PS4cVQhMkxXT6TxdF zvsvmQkZeAWqWOYzKvj5EQvyNWAKjXHbyptaccjbc5+FEktIPtc76SHKU7lxfYor l9s3IjUQ8HpBNe2gdAX9rQn5oORPtdyM7Y6AxCGEm+KSVVFZdDbEZ1q4j7dOIQ4E 1PPid61K8h8XT7AwLGF/6dD09oePAXe1UzVWwySetMCjHtUhhz9Soz8fPb5CfomA OHlPc5zeSQbQbMeasPaPrnsrWF3W264I+QMh4uxSgLp7n2/IU1excQIEJObZk+BV Zao0z0yYY7F0lGTYyPXLybDzMoKslo3Dhx8iGSF51SLZLyUBmHd+eh7TXKFOTpTi +zBInMxIs9HAEwEtGiFYLg3iLT8wmQgpPHv4gNAtyQVWFu+iJ/ryWIL9sPXkQ/SV CsQNLpum9RKiusOiJYmcL4aQwZPlAs7BvgyqKsYKMOH6KVjxlYMi5wJN0EU+6Mft 5zUewDFoD7dAPap7aAHpVlWfFM6zXbam/emvjcPFQkpX/2WQujOwUmVsXQvwYb/I JjTnxHciBmUqlpN48pCNSAN92dYs/K/E0LBWukgEdwOWwRKajZ3DBAinW7VlXmZn iso6WI6DBvRieFx6 Extension name: n2v10 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C82A46F0B1B5FCF6

http://decryptor.top/C82A46F0B1B5FCF6

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\L:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\M:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\W:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\G:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\Y:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\D:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\E:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\Q:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\B:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\U:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\F:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\K:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\T:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\A:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\O:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\P:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\R:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\S:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\H:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\J:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\X:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\Z:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\N:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened (read-only)	\??\V:	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdo.bmp"	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	\??\c:\program files\n2v10-readme.txt	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\JoinUnprotect.css	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\OpenGrant.dwg	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SetSplit.dxf	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnlockUninstall.DVR-MS	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File created	\??\c:\program files (x86)\n2v10-readme.txt	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InvokeSet.mpv2	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SplitConvertTo.pot	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UseMount.sql	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File created	\??\c:\program files\d60dff40.lock	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File created	\??\c:\program files (x86)\d60dff40.lock	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ApproveConvertTo.inf	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConvertGet.mp2v	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConvertUninstall.mpp	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\LockPing.ppsx	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\WriteRename.rtf	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AddRestore.TS	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\BlockSubmit.i64	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CheckpointEdit.aif	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EnableUnregister.kix	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\LimitExit.vstm	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MergeInstall.ttf	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-time-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_08f6da56337b289b.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_8e9e696a3f31534b_appidsvc.dll.mui_6717e231	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi32_31bf3856ad364e35_10.0.19041.1_none_0f6fb77fe8af11e6.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_it-it_bddceaf325c3cfd0_iprtrmgr.dll.mui_eb023b92	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.173_none_f837263e7fdd508f.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.19041.844_none_f5f48bc2c8c3f7a0_scdeviceenum.dll_01ce0fa9	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.19041.1266_none_8e5f726ca832e39d.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..onal-keyboard-kbdus_31bf3856ad364e35_10.0.19041.1_none_3ef7d405e850df76.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_pt-pt_37470850f46de265_bootmgfw.efi.mui_a6e78cfa	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-nirmalaui_regular_31bf3856ad364e35_10.0.19041.1_none_23b3cc627fe715d7.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_10.0.19041.1_it-it_7fa90776a8cf7d8b_mountmgr.sys.mui_71b54a25	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_it-it_bddceaf325c3cfd0_rtm.dll.mui_55e4e990	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_33634d5efb5cf151_umpo.dll.mui_cac12e54	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_sk-sk_4980bfc1af538369.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_sk-sk_912df698c3cfac6f_comctl32.dll.mui_0da4e682	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_10.0.19041.546_none_bad936652ad03072_winsta.dll_4e6f9a4e	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-windowsuiimmersive_31bf3856ad364e35_10.0.19041.1202_none_a690000a893f966b_windows.ui.immersive.dll_549e9b42	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_hr-hr_b4205a674b468594.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userpowermanagement_31bf3856ad364e35_10.0.19041.546_none_8b678fb390086be3.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.19041.1_none_df4e7b90a62a08e3.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a_wowreg32.exe_94fc2d06	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_2e2b77f499a256c2_wbiosrvc.dll.mui_d5b8b2b8	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_10.0.19041.546_none_db05a21561861236_ws2_32.dll_89b90cb6	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1_none_ef1691668a233417.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_04431f7682948070.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_10.0.19041.1_none_bb8f936a4d22f7a0.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.19041.1_de-de_b193c3d6386ad9e5_volmgrx.sys.mui_b0c205d7	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_22bf4d8487c0bfe8.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.19041.1_es-es_f5275ef67022cea8_webclnt.dll.mui_e8f04040	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_10.0.19041.1288_none_20903f2898bc8195_cdd.dll_01f58cd5	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_es-es_13d3fbad5525d4ca.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.19041.1266_none_e488d49c8a22d21e_winlogon.exe_ac37d0c5	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4fc41e05a1187ab0.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.19041.1288_none_dbd2bd89b002cded_bootvhd.dll_c136fd9e	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_da-dk_bb28382b78803539.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_ja-jp_fa31753930710f39.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_es-es_791f98a00d18017f_bootmgr.exe.mui_c434701f	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_sl-si_a5bc9f2cf9d4120e_comctl32.dll.mui_0da4e682	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d74bd5437b437cf1.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_24b659bf5f7a8d1f.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_e1c7c5c5782839e2_mofd.dll.mui_793ef98d	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ldap-client_31bf3856ad364e35_10.0.19041.546_none_db8a38e9e99bc04d.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.19041.1288_none_ea022bbb47fc9865.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..r-library.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b8b9693c8ab3775e.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_nb-no_b7dfa3b285f9e1a9.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.19041.1_de-de_93a80bdc471ad1dd_lsasrv.dll.mui_d47f7e1c	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.19041.572_none_104ce2457a4ea0ee_gpapi.dll_868dd225	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui-resourcesrs3_31bf3856ad364e35_10.0.19041.1_none_11f4e387011f6d3e.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-pdc-mw_31bf3856ad364e35_10.0.19041.1052_none_97ace0ce224e6958.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-etw-ese_31bf3856ad364e35_10.0.19041.1_none_8fa08a745a1a81a2_etweseproviderresources.dll_f21e8ea7	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_d05d0ca80efc5352.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6cf41ed5d1ce056f_samsrv.dll.mui_32250491	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..ertificates-utility_31bf3856ad364e35_10.0.19041.1_none_49436407fe6823f4.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_zh-cn_944f6cce6f6c4efc_bootmgr.efi.mui_be5d0075	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_en-us_313221c95b98e24b_mprdim.dll.mui_11b5ef08	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_uk-ua_a0ca5953ccba1693.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_33634d5efb5cf151.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntosext_31bf3856ad364e35_10.0.19041.1_none_89e4438cceba3f44_ntosext.sys_e9e096c6	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_nl-nl_32602d1a95f90be1.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_1484daa47b73afab_netlogon.dll.mui_ecbeb9bd	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_236c71f1966d00bc.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_uk-ua_4f4fad6deb8a668a.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_10.0.19041.662_none_3bbdfd78507f28c7.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_zh-cn_d64794aa85c0c266.manifest	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2236	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
2236	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1768	2236	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe	86
PID 2236 wrote to memory of 1768	2236	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe	86
PID 2236 wrote to memory of 1768	2236	890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\890a58f200dfff23165df9e1b088e58f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\n2v10-readme.txt

Filesize
6KB

MD5
f98335f6f4dc950d920a666199a70eee

SHA1
20d3fb5a7d94b76808cc9c491987b73374a7b221

SHA256
716f6281dc4a6735a38ecfcabdde2d4b3dc65c6eebba13219f0a26c6663207d4

SHA512
99ba3a4dc5ea11b14bb35f82bea734b991502e891fd5cbda7786aec5683f080c0eb6892a0d9acfedcd4b436e554a06bfd9f1f12cfef30045dd41bcb13308e413

Download Submit