sodinokibi | a801a78613cbf86186b524c19f7631a5e4571e94a63df867635602624643d362

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
Size

164KB
MD5

aad705e43f95a736d120d1a8cda30519
SHA1

be7106e9066e12276d0e1c3504eb5d46a6edb296
SHA256

a801a78613cbf86186b524c19f7631a5e4571e94a63df867635602624643d362
SHA512

455ce98a3e3c5c4be3a1c5fc0239467e0447049e218eb3175814246cedc042bebf4bf66bd90393f544d22e75975fadca17bceb7985af7c7591a8936be1c713f4
SSDEEP

1536:bs2B7p26CaItF5gNHhKWluLpWmRHICS4AH3o/qTneyW7ZZOBml2uBbKbxoVgAy6o:9fg0NBlu9CNTed7/kBazzFbULA90kY8

Score

10^/10

sodinokibi defense_evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\5maxx-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 5maxx. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C34287B7D7533DE9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/C34287B7D7533DE9 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: RS59kILB3WC87JmJQX6u6z9p+XNxZHK2eMMHvAkoaxQg94o9ukLntwN+pnHOmcA2 pjO12cjVk/SDLmxJ7UbBuLnlrbgziSwOPfhmEZMtiQeNo/UvktainKbDqNOgvG8b aZXnuuTQJXKGgnMnM48dfERoW0I9vk3pXiNo8gP646Zkfog/iHSpS716xFBlrEVh 1T69+030OmsWb2BALU17bMHTpaE9GuaDhcW4SOHxi+Ua+NWKuvGd4UD0/3782Jjg Kav0HgHJ+7sJr5ibvYzkYAzyO8KuvkRyLwrdYSNzSjMj4avrNot34caLtENshuor kiT7jIdFW4fZM/K5gQWYbXpv6AdJ5KpvZLtR5tayYPHZ4RHt1OrkAW9EiWLH4Unl ZH+Bk4XRyLfqCOwK2QaaydFMsBxgA430GVq8co9z3j6Fu7uTo4MuFuUjQl0bLQkc 9xHIzdkX9XZFSRcHTGv/o/s1BRhcGZKSnjEy0mNSOCwX15VMRzLF7mLEjt2FXF07 LvKiYe39/f/4sn5yJklrGjJplQNNtEACLZSlIUnq5BmG7+94p1G2d6zRfqfDvpe6 /XOUR9CE4JyNNEfOGKOaYwaWwzqMCNgprB8362jIvWFXX1My2NiZXjGzexuKr8Er rg16kP2G8l5Gb3btwJr0jUVVUC7bN8j59zB+yw/tUq3EBCaZx5Mk5cnYesoMJqkk Lbmnoc1bIfulZNwSHC63o2fBZy63JqWFBA6leHhw1tHTiDxZbLlchx/GiZwSpeIR F7dEkd/cZfC9xeSW2ssBo67rA7k3ipFzMuNOmdYX0bpxZDUQYJpcu+I3NLEdJ1H3 QUc67XIh1PrQrGlaJays5j6ftAnu4b/QV2OgxAQr/pardVLPdwqQIRPOpqPkukkV eNc9j2uc5p3Ydv5qp89mEUuF7SEucPEzbUrPhfNElq4op6CMl/M0AjRU3hn9eKPD 4U9uueBddouAgcJ9Pnmhj/EPgVx70YUb+u6/p8LIgah/L41fTMiGBOAd1zhRi+eZ bvpV23jfdCR0WlYrJdHFtw8cGW1BXYOSnyPuVc5EBZoYvkOwNf7lQIt04DpQ8wsb 2boaqMjRYJSeafRdP0VuqPTrXm3BFIjKvZfSMZkTxfDu09Ep64YOmBrozMM3Uv4t bqMbtvkQAMQKNCV5ZHxRRG+KlBcH7Pxzh1NNx5EbnyoXZ8uOUFA1PtmmQg0H7NB3 RPR0fQaD Extension name: 5maxx ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C34287B7D7533DE9

http://decryptor.top/C34287B7D7533DE9

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\R:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\W:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\Y:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\G:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\U:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\V:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\A:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\X:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\T:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\H:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\N:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\O:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\P:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\S:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\J:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\L:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\M:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\F:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\B:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\Z:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\D:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\E:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\I:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\Q:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\592lq86jjxz.bmp"	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\CheckpointTrace.wma	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\LimitFormat.dxf	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\5maxx-readme.txt	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\FindWait.mpeg	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\GetExpand.png	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\NewUpdate.au	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\5maxx-readme.txt	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\5maxx-readme.txt	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File created	\??\c:\program files\5maxx-readme.txt	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RepairOut.mpeg3	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UninstallRead.ppsm	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File created	\??\c:\program files (x86)\5maxx-readme.txt	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\NewSubmit.wmx	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_1e451fe096b5e5df_comctl32.dll.mui_0da4e682	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..truetype-couriernew_31bf3856ad364e35_6.1.7600.16385_none_32383eb7c6ebfd9b.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4a67789c4763c224_dui70.dll.mui_de5f27e2	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_3c1b29463bcb5626_mlang.dll.mui_2904864a	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smbminirdr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f23c87bc1e87243c.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_11ed75c93fd15e23_netmsg.dll.mui_ab0f7c73	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a8710044c87a79a8_dwmcore.dll.mui_ebf60d96	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_827616fb42a2a1fe.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..pwindowmanager-core_31bf3856ad364e35_6.1.7601.17514_none_ebc99983d3d18578_dwm.exe_04cf416e	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fb3664969865ace4_ddraw.dll.mui_95b8c3ab	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d03d19912f2e87b9_sqlsodbc.chm_92fe0a89	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d_printui.exe_bb673fff	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d43cf1197e7ce94f.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..uetype-malgungothic_31bf3856ad364e35_6.1.7600.16385_none_6144d01edfdac19c.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_de-de_0edef610009d2270_shell32.dll.mui_19f538b4	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-ldap-client_31bf3856ad364e35_6.1.7601.17514_none_f543b182b4adcce6.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d0b77acd0b184bdb.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_es-es_91ead78ec6b2bd15.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-consolehost.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c92bbd3b7c238f30.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2e054b96ee6339d3_wininit.exe.mui_997435f5	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webio.resources_31bf3856ad364e35_6.1.7601.17514_en-us_5d9f9e554f49baba.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0d2ee42c82e9fcb3_webservices.dll.mui_eecc809d	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a22051423878c3c6_provsvc.dll.mui_3a2926ae	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-htmlhelp-infotech_31bf3856ad364e35_6.1.7601.17514_none_f8ab56ff71fc562a_itss.dll_f5d929eb	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c7424fcfaec8d6b.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-fms_31bf3856ad364e35_6.1.7601.17514_none_a5f8bb0ccaefbe07_fms_metadata.xml_ad942f19	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ff72338b8528ca90.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_de-de_88976dfcb22dd55c_msxml6r.dll.mui_4516d602	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc_31bf3856ad364e35_6.1.7601.17514_none_59d75cdc494c95ea_userprofilewmiprovider.mof_b1cb7e72	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_02b53e1d98470ee8_erofflps.txt_649e76ed	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c10af1bed239c523_gpapi.dll.mui_ef0a9748	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2403bfdae4c06f52_activeds.dll.mui_67414db4	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-activexcompat_31bf3856ad364e35_8.0.7601.17514_none_6f29eb5391300db2.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a6c9ede9493e8861_scfilter.sys.mui_cebab716	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_de-de_76f65f8f4e44ee39_userenv.dll.mui_e516a7e7	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_es-es_616970d2c502550e.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-hbaapi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1d1f6af58faa3ce0_hbaapi.mfl_4e36195e	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d21cadf0731cc748.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_e802953b7bce56ec.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_de-de_227521a01b1e0f11_prflbmsg.dll.mui_4caa0054	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_6e30004a126a8db7_ntkrnlpa.exe_165c312a	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_99076bac95fbcc5d.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_6.1.7601.17514_none_7009184192f9f5e7_iphlpsvcmigplugin.dll_b4697821	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_c342610ed289dc75_perfd.dat_f1e3dfd2	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b0627c583e1792cf_shdocvw.dll.mui_9b8f26d5	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8f54bc532eadc7ab.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_de-de_84c970b54d5773ed_msdasc.chm_e6d620a3	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_sv-se_c75396a474adbc87.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a946f0dddb83d182_certenrollctrl.exe.mui_3b48c5a6	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f85aad48a0aa756a.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_e59f63655b441f61.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a8710044c87a79a8.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2ca0839b48a081c1_wmpdui.dll.mui_92411657	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c7424fcfaec8d6b_appidapi.dll.mui_b6af37bb	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dacce684029df516.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-vani_31bf3856ad364e35_6.1.7601.17514_none_5a885c9b0fafaf30_vani.ttf_cae9a052	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_90082f740162cae1.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_666db9f744c2fe32_oleaccrc.dll.mui_26339d25	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b68b0a67ec869d6b.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3e86bb279dec5a9f_dhcpcsvc.dll.mui_186571e1	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_35802f0f452f59bb_dhcpcore.dll_8036fe08	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.1.7601.17514_none_05ed313632ae9759_ndistrace.mof_39e216d3	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1180	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2392	vssvc.exe
Token: SeRestorePrivilege	2392	vssvc.exe
Token: SeAuditPrivilege	2392	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2808	2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2808	2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2808	2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe	30
PID 2356 wrote to memory of 2808	2356	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe	30
PID 2808 wrote to memory of 1180	2808	cmd.exe	32
PID 2808 wrote to memory of 1180	2808	cmd.exe	32
PID 2808 wrote to memory of 1180	2808	cmd.exe	32
PID 2808 wrote to memory of 1180	2808	cmd.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1180

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5maxx-readme.txt

Filesize
6KB

MD5
0f231a910624cc52593555be03473df7

SHA1
830fbb8eb2875faa6ccc1cab389d3045402876fc

SHA256
0d6f29d96e16f64f701c3d02ba9af5df447851fdde14a918aaf792b98a7bffbb

SHA512
cc99ef2f0f86dfe144c5b69c5303ea8d0b117cacb0e72e648c08c0c3d26482bca3aa488aa21bdb22014b60600cf6184aacd8a9a48a9482a27559349a4019706e

Download Submit
memory/2356-4-0x0000000002210000-0x000000000233D000-memory.dmp

Filesize
1.2MB

Download
memory/2356-10-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2356-3-0x0000000002170000-0x000000000220F000-memory.dmp

Filesize
636KB

Download
memory/2356-5-0x0000000000820000-0x000000000083F000-memory.dmp

Filesize
124KB

Download
memory/2356-6-0x0000000002670000-0x0000000002779000-memory.dmp

Filesize
1.0MB

Download
memory/2356-1-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/2356-11-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/2356-2-0x0000000000C60000-0x0000000000D29000-memory.dmp

Filesize
804KB

Download
memory/2356-9-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2356-8-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2356-7-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/2356-12-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/2356-14-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2356-0-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download