sodinokibi | a801a78613cbf86186b524c19f7631a5e4571e94a63df867635602624643d362

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
Size

164KB
MD5

aad705e43f95a736d120d1a8cda30519
SHA1

be7106e9066e12276d0e1c3504eb5d46a6edb296
SHA256

a801a78613cbf86186b524c19f7631a5e4571e94a63df867635602624643d362
SHA512

455ce98a3e3c5c4be3a1c5fc0239467e0447049e218eb3175814246cedc042bebf4bf66bd90393f544d22e75975fadca17bceb7985af7c7591a8936be1c713f4
SSDEEP

1536:bs2B7p26CaItF5gNHhKWluLpWmRHICS4AH3o/qTneyW7ZZOBml2uBbKbxoVgAy6o:9fg0NBlu9CNTed7/kBazzFbULA90kY8

Score

10^/10

sodinokibi ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\34583-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 34583. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9C7DCFE39887C281 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/9C7DCFE39887C281 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: JzWyOWeZncxCY3y53sLpLcGb2qbvlp0cUxYtlC2rkLMUsXibuS1yibCrEek64YCc saXk6s0LxcjR7gyi4j6pd/oBDO50RWBbHh0UZoqvI+R8TmfpUylCYFw2D6MiNcFS 2e+pjJCdbtd58P1+Kdg/zbaotH/a2xfMywhWqXTIQBzkI5ka/3msO3Iz3uof+auA 8/DiTWOXqmOyNsfcVWq3UwXKtH3F8ubabSU4EOSrJA07PNYR+ja2yKF0mMeodFy5 49xKgEfcjMWQcUShm8EjOGDZQa+ELtIN+rr1O6MANKWuuSUr4iaKzQ8v1PUKtTIJ ZHnOuPv6pRpTF41Eqa9qr2pNJFdXi3Y4X9stjslq8n5C3MLVQziWgp3fisWdesPh ucM137wEYb2Ndc7BFNlkQ0WMM08SbOTkaUGaf1qrgAM57eTXfjHJRnXIlxT5vj+M 7IrtPfvj54wUPOLMwqD82oFG5FgYEuJA+uOgxpoR42ziYvYFHqPzxIKgcICkvyZZ HpN7BP53Ky5P5fFAL7BUhHA5HHm37L6adW7MNfPx4E8Ryh60fDndVy7c+CoA+gCZ +b/Pto6PnSMG0DOnX43m7XLiGu2oWzADTEqvgo05B1yRpaw5jRNnvekOecUOS+kg Hcp73DyQCet0kkU4TEpsmuEuKNuv/Um9/5jlzYjHJxFKRCq2Iv0maU+QfMLNz9WQ Sv0XHpnh2k3B6jBnONeiQWaSCVja8IL17o19d6aJVSBop/Bm+I0BFFXMDwpq5Ws0 2h0RVaOWfeRwU9r0S5PPh44mxFnWEHYlHU11paeXJ/hfLwPc+fP3p+QWPXpZOdEh UKtjcq1mPDDCTAqXYLRKgbaHHDsa+BvCzTtLYBkIS4U7Fbcya80rM4VJ8uDoFG1b Y7bg/FXu1xDucxCKO/QhYp+x7tnxv0qUaDaTGhOLkKIR2dculd3J0np+wI991/9q HrMBBikQuVYPAq8KoQUm/URLw9KhXjR0zOlQ8JQSJFKZUwpIVPbNwlPsv/omKDaC zzT+c2D9qx7Zx0BFDNTaFsQkE5U5Rm1wiuXrKgvgMVbzsy0D3MWxPvZ/UAQZsTVX uIx697o3YsRz5TLnj9fL5cNClLcEbD9UQ5RiBF95EGYPZXX+juiqG6KysJgkF5Fj TsZCbODzCAKhSWfW8fcSMoeDMn3WcHzE01XjhKummRY01roNl8+rWRLMofRGqa2i Hq9t+frV4EQnN6G3 Extension name: 34583 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9C7DCFE39887C281

http://decryptor.top/9C7DCFE39887C281

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\M:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\N:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\B:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\G:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\K:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\T:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\S:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\U:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\D:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\F:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\H:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\O:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\Y:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\E:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\Q:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\R:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\A:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\Z:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\P:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\W:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\J:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\L:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\V:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened (read-only)	\??\X:	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ss9.bmp"	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	\??\c:\program files\34583-readme.txt	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConvertWait.wmv	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\GrantCompress.xltm	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File created	\??\c:\program files (x86)\34583-readme.txt	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\OptimizeSync.ppsm	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StopRestore.emf	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EnterLock.inf	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\OpenMeasure.tiff	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ResolveInitialize.pptx	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StopStep.jpeg	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnregisterConfirm.au	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ExitPush.mov	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ResetCheckpoint.vsd	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SplitBlock.jpe	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EditAdd.M2V	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SyncUnblock.cfg	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\TraceSave.tiff	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UninstallDismount.gif	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConvertUpdate.wmx	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DisableDebug.wax	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\FormatStart.au	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InstallBlock.TTS	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\LimitDeny.docx	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CompareSubmit.htm	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InitializeCompress.mp3	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RemoveConnect.avi	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RepairSplit.m4a	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ResolveRename.mhtml	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StepSkip.pptm	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_509c290d28f760ee_sdbinst.exe.mui_258ad624	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..istration.resources_31bf3856ad364e35_10.0.19041.1_it-it_2c2b0820313203ea_deviceregistration.dll.mui_5b79527a	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.19041.1_none_9a8a77811e17322b.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userpowermanagement_31bf3856ad364e35_10.0.19041.546_none_8b678fb390086be3.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.19041.546_none_b400f714c4b791cc_wshtcpip.dll_7ee2ca52	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_zh-cn_2ae797705a4ce9eb.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_tr-tr_4c97ad83ea05194d.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_d3af63f17d8b58b9.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0b2962a13e12f002_iscsicli.exe.mui_64c0a23c	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_tr-tr_650dd7439c5150ec_comctl32.dll.mui_0da4e682	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_sl-si_60a279d553aa108e.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_ro-ro_7b81ce88dad4adc1.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_zh-tw_88c9261aa201eecd_msimsg.dll.mui_72e8994f	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_it-it_09cd7363afc7ebfa_rasauto.dll.mui_12fa2c50	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1081_none_20871f311cebb1df_iprtprio.dll_5829c3c7	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bc35fcf50d32ba29_userdeviceregistration.ngc.dll.mui_d2c6ca95	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_822934dd6115f058.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_it-it_b0b29d8e18c561a2_userdeviceregistration.ngc.dll.mui_d2c6ca95	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_de-de_8398f19094835129_winresume.efi.mui_f412814e	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_10.0.19041.1_none_9d25a73a9fbf2e71.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_10.0.19041.1_es-es_a447346a0bd38af5.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_hvgafix.fon_bf27df1c	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1266_none_b2317523477fbd48_ksecdd.sys_dfd5d421	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-phone_31bf3856ad364e35_10.0.19041.1023_none_457e1b66652a9084_windows.ui.xaml.phone.dll_f3375243	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.19041.1_it-it_40c79c50b42ec552_partmgr.sys.mui_b800c491	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msvcrt_31bf3856ad364e35_10.0.19041.546_none_b9a3277332162a1f_msvcrt.dll_ee71f3d5	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_vgafixt.fon_de219118	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_569fa609dcfcdfd4.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..wmanager-compositor_31bf3856ad364e35_10.0.19041.1288_none_7a49f980f48daa96_dwmcore.dll.mun_ebf60d69	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_d3c00ed5ebe44239_scardsvr.dll.mui_5f6fb64f	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_de-de_4afe2f54db9cb4c3.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_en-us_f3ef054dca7ac088.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.19041.1151_none_d57e154a0a8460d3_winhttp.dll_6cd72d6e	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.19041.1_fr-fr_0867a4a1a6cb0176_winhttp.dll.mui_f661192f	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b988e3f5244c4507_wmiapres.dll.mui_c1b8803f	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_el-gr_766681d69ed6451d_comctl32.dll.mui_0da4e682	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.264_qps-ploc_5fe0c6cc0fbfcd94.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_es-es_1b5efa638ab6e61d_hidserv.dll.mui_561adfc8	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-csrsrv_31bf3856ad364e35_10.0.19041.1_none_7f78448944bb2844.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-eventlog-api_31bf3856ad364e35_10.0.19041.1_none_6c76b9f239087add.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntdll_31bf3856ad364e35_10.0.19041.207_none_36fc5f8a5adba8ab.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-c..r-library.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b8b9693c8ab3775e_credprov2fahelper.dll.mui_71e4ecb5	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b68b71ac47f7eb2c.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_it-it_0ede500636ac729d_netiougc.exe.mui_ad7a9e4d	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_uk-ua_00edb9ea93827738_comctl32.dll.mui_0da4e682	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_509c290d28f760ee_apphelp.dll.mui_59096153	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_984baa246cdd2b6c_bootmgr.efi.mui_be5d0075	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.19041.546_none_cefcfcd89d8d8a93_wuceffects.dll_0c15b7d5	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.1266_none_8f272afdd624490f.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_86d2322d49223ce5_vdsutil.dll.mui_0caf9b0e	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b04a9ba801ea7788.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.19041.964_none_2c44d0507f4744ae_winipsec.mof_abfff45a	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3_lpk.dll_ebdc1de9	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_10.0.19041.1_none_83216aadbc4b1d5d_shsvcs.dll_f8739230	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2d3b6ea159ff4dae_ncprov.dll.mui_40240de1	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c376a8b1d6cb8357_listsvc.dll.mui_27f0fc85	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_en-us_34c90260884a74ea_bootmgfw.efi.mui_a6e78cfa	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_it-it_b93490b34d8c4a73.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.19041.1_de-de_178b38cc24902dd5.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_ja-jp_41deac1044ed383f.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_es-es_a05534499914e28b.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_10.0.19041.1_none_978d210f59cd170e.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_af1113fd9cfe31c0_vds.exe.mui_2268d934	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_de-de_6b17c8d06620d760.manifest	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4544	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
4544	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 1432	4544	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe	90
PID 4544 wrote to memory of 1432	4544	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe	90
PID 4544 wrote to memory of 1432	4544	aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1432

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\34583-readme.txt

Filesize
6KB

MD5
d6c1f20dc0618c5b4d781b0d2dbc86ce

SHA1
871aea1b27a2ded05e4a1bfffe5e9ea87b732c1b

SHA256
c0cdfcc77f096014f634b4e9afc481a864fa21b66f2a7165e7ec380303fb663e

SHA512
fbaf96e30c18e26fd9d3b45fec2dd9123a15673e2b962409463c8bfa749b64bcf6a0e639c2452f2e88e6f0b35e5cf6dc299dd14e2ca371edeb1ed48a1585bc56

Download Submit