sodinokibi | 34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160

General

Target

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
Size

292KB
MD5

ccfde149220e87e97198c23fb8115d5a
SHA1

d514d08571ecd8cece8d704adc8d0c4fa87665ca
SHA256

34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160
SHA512

392a14c9a0c3a98c46e15b873919bdae13f5306a937fd8c869b2a2b435d236433a1eb78d6a953a1722d5b43cb69b4028459d6ea2387a904b4c0f2ec5bc36992e
SSDEEP

6144:qGZamLIoveyefyOrA80qE1lHJv3loPHVb6L:qEsomyef5k8k3Sby

Score

10^/10

sodinokibi 7 3 defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Family

sodinokibi

Botnet

7

Campaign

3

Decoy

sochi-okna23.ru

www.blavait.fr

kamin-somnium.de

geoweb.software

www.drbrianhweeks.com

kombi-dress.com

johnkoen.com

prodentalblue.com

transifer.fr

matteoruzzaofficial.com

jax-interim-and-projectmanagement.com

hawaiisteelbuilding.com

www.kausette.com

www.galaniuklaw.com

www.atma.nl

www.piestar.com

www.kerstliedjeszingen.nl

biodentify.ai

endlessrealms.net

condormobile.fr

Attributes

net
false
pid
7
prc
mysql.exe
ransom_oneliner
Image text
ransom_template
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}
sub
3

Extracted

Path

C:\Users\Default\j4xg27p-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got j4xg27p extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E7A5BF92BB389A48 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/E7A5BF92BB389A48 Page will ask you for the key, here it is: X+/OhohqssfsR9rQ2Bl79BeNIsCqBLGNePFsnkWG2Fhs7joAO+kqPrls7NFsoR7y rWNwfhTvfJH9twzwhtQKWvHDtLzXLetepxcQhFW4mFUVr7Tuiu/QIWmZr5vqrAdB bQAF1ygJNEOGKuWVMs/C9ICDrUJ33a92qObX3t1gSHDpKL+DHe97t3b49owthmsl xmZF/Mfw/aUCfxfHtu92KSqUwsTdA7p2SsgFzvU4XAFyfl7XrM+m0sxdSTqpRNE4 GV5yt/LoNGx1+Nan6HA/VmlGI+rxV40DAKoEP8Jjg+UYSd68FFsH230IWBBVK6uq t+tdd5nm+EWihzziHwJ0lRlfydogRWlx49e3jESuAnI0kOSel6rudEzwPEjbT5BK 6PyHEiUF0Zf3tYZbVKUPnt/sS0n943jGnJPQzaY0DXGncB+2NHAFb2fKc0u5mr2M GBy7+wm21JidKpVSt0xJ/D5YtRahfZhhRgf4mjpY0fiagG7wI4WCS0OPFvR8ZW0o JPzp1FyGiRVgiI3oaI3MBMVJrRAXjR9YbzuMw/bLBwHhyFa5soVPCwjikxO07af8 6c7XV2dlyzneNKTT6FXkkqiYZlqi50Vrr49lghy6py2Q0Dk0k+Kc4Yj5vITk3uOD uPdWyTrWrT7bEKGIbzGMN2e72mX5ia8RcnFDy375lzNnVbdabqmPd3SHCAgsOyvE EAg9ITOyh7o2wlyuUw3EDTVwrxnSlbYWkQ7xfvcegUWJC0x1mfKkWF/AvGo3E83s hq7P9MQXdFOg7xtpVD3Q+RFSrBniDxgWWIErSq80vxcUlIEfimQMuqGpk8m+ndF8 YMhd9b1vq8EyNbXzrdmhBURldRT5CU3sA0hWeyTcc1s8lPXSSdnrC9zM/kwZHNhA vEGT55HsFceHMEr188J7NsHpfegrsPKkFzSYZqf6pcNzIyWZgMataEwA11++eCKq srMr6t9roSSg5EEoT8XMAvhohFBxIqLgWK85T0QhPVi2nyvI9yzvDqGmAEjloBpP ucs8enLsUSnuTUhfJK27wQEhEfgutfX0Snq+SNfZcSIAc7/PlvfmB0BgpZrt60/V TvbqotK07EJ8p0aMOERj9L8UOCvCovxmtNl/jjiQHPIsKDV67Qg0cLVuXq/NmTUw uAIjBa6CDmH+m8hCK4FtKcFN2eXMdg==

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E7A5BF92BB389A48

http://decryptor.top/E7A5BF92BB389A48

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (202) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\M:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\O:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\R:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\Y:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\I:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\U:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\X:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\A:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\K:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\E:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\P:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\B:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\S:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\J:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\N:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\D:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\F:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\H:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\L:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\Q:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\V:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\W:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\G:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\T:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\Z:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a56m.bmp"	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_lt-lt_34c4065f51729de0_comctl32.dll.mui_0da4e682	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3b92880831ee8845.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7497a71c57e547ec.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6777afadccc8e29b_bootmgr.efi.mui_be5d0075	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smallft.fon_f426f380	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_cd970b6106ea9e70.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_17330d9420bf24e8_expand.exe_f43b24c8	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-efs-core-library_31bf3856ad364e35_6.1.7601.17514_none_58a94d70f5cca7eb.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-courier_31bf3856ad364e35_6.1.7600.16385_none_5283fef09ca6fa1a_couret.fon_79d1ee47	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_cba169dd0daf0482_winlogon.exe.mui_3280fc46	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8ba155016eda35d6.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-systemindexer_31bf3856ad364e35_6.1.7600.16385_none_319108f33cd99029.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_networking-mpssvc-svc_31bf3856ad364e35_6.1.7601.17514_none_f83a40e7de7c47da_firewallapi.mof_b78002ca	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_it-it_12c3c2213e4d32d4.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_it-it_12c3c2213e4d32d4_mlang.dll.mui_2904864a	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_08f5a3ad3ab2a987_iphlpapi.dll.mui_9531144c	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4d28555a2326604c.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-marlett_31bf3856ad364e35_6.1.7600.16385_none_aa49e9141901cae9_marlett.ttf_4c6c9093	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3ba1f5d34890f57b_infdefaultinstall.exe.mui_ea4c5b8c	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f7b09044d73c37a9_rpcrt4.dll.mui_9745823e	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a56cb41c8b19254a_wer.dll.mui_e68ddae7	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_vga866.fon_08f91131	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_698ac5bc9a8c1572_rasauto.dll.mui_12fa2c50	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_e6a0143facc12d95.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ef54932792fc58dd_pshed.dll.mui_d7f9a40f	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ro-ro_8fe226220f8cbade_msimsg.dll.mui_72e8994f	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_4a6381a588654ba6_dbghelp.dll_417263a2	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-imageres.resources_31bf3856ad364e35_6.1.7600.16385_de-de_755d19ed147c5d8a_imageres.dll.mui_3e41dee6	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-imageres_31bf3856ad364e35_6.1.7600.16385_none_dc93f95659399ba8_imageres.dll_44f44625	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-hbaapi_31bf3856ad364e35_6.1.7601.17514_none_b18e5ca4be201fbf_hbaapi.dll_4e36083f	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core-wbemcomn-dll_31bf3856ad364e35_6.1.7601.17514_none_6bf5ddbe6e32b8d7_wbemcomn.dll_e2337e3c	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_dffc8dc2836de4f0_mlang.dll.mui_2904864a	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_es-es_80f1f0a40b5d6999_iscsidsc.mfl_20ed5374	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e0c803777a7cc698.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018_perfi.dat_e3a35ecf	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_a3d5488f6ee5d330.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d_findnetprinters.dll_d9721533	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_de-de_f06f5fc570802050_winhttp.dll.mui_f661192f	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-gisha_31bf3856ad364e35_6.1.7600.16385_none_9cb7ddca79444d70.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-offlinefiles-core_31bf3856ad364e35_6.1.7601.17514_none_fc6e4e567286d457.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_6.1.7601.17514_none_90ba4080c9f2e648_wiatrace.dll_dfb4e972	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fa73897e84783674_kernel32.dll.mui_c29170cd	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_446a057940cb5482_vds.exe.mui_2268d934	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_fff3e41327434466_psbase.dll.mui_c28690ab	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f79b126d0518f4d5.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_41ae913e62031c5c.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_en-us_667ff2e88dc1b9c6_keyiso.dll.mui_4bbf12ff	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1caa2c287378295b_sxproxy.dll.mui_f9d8f818	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_752a818fe660eceb.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_de-de_bb31595d11a5d311.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8f54bc532eadc7ab.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a34eb21187cbf59e_advapi32.dll.mui_28c7718f	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0209edd5b064e8cb_sti_ci.dll.mui_f0a16278	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8f1e1b0781b835e8_odbcjet.chm_2a003207	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bc8810265da7f7a9_hidserv.dll.mui_561adfc8	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_de-de_402dac258d03220a.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_05ee2d61d58171a1_dwmcore.dll.mui_ebf60d96	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c8f55cfc24b6b58_rascfg.dll.mui_0b036e1f	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.1.7601.17514_none_35a3baeb53471267.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3e86bb279dec5a9f_dhcpcore.dll.mui_8b901fc3	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a32548cd17dc0d6e.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3153a0d9a132d2c6.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba0c82eccf526351_rascfg.dll.mui_0b036e1f	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasbase-rassstp-repl.man_f9e15598	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.execmd.exevssadmin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2276 vssadmin.exe

pid	process
2276	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

pid	process
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2784 vssvc.exe
Token: SeRestorePrivilege 2784 vssvc.exe
Token: SeAuditPrivilege 2784 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2784	vssvc.exe
Token: SeRestorePrivilege	2784	vssvc.exe
Token: SeAuditPrivilege	2784	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2104 wrote to memory of 2272	2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe	cmd.exe
PID 2104 wrote to memory of 2272	2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe	cmd.exe
PID 2104 wrote to memory of 2272	2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe	cmd.exe
PID 2104 wrote to memory of 2272	2104	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe	cmd.exe
PID 2272 wrote to memory of 2276	2272	cmd.exe	vssadmin.exe
PID 2272 wrote to memory of 2276	2272	cmd.exe	vssadmin.exe
PID 2272 wrote to memory of 2276	2272	cmd.exe	vssadmin.exe
PID 2272 wrote to memory of 2276	2272	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

1

T1006

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\j4xg27p-readme.txt

Filesize
3KB

MD5
f4178fb06e391837ed688df31e97139b

SHA1
b1ef9de1bcc3117e0ce787fa55ae3ef27e2098f9

SHA256
008abdf35e4055313902a46549b46543335dc7b6419f3625ac38c3730afb10f0

SHA512
95b0d043a0f824181122b68efb496fe8daef022dd02bc3c7177d43d5a0a0c50caaccc79b3dc4533f5877e975cddda3c393d3a5b8cb47143c2bd7f1342a1ead02

Download Submit
memory/2104-5-0x00000000021F0000-0x000000000228F000-memory.dmp

Filesize
636KB

Download
memory/2104-6-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2104-4-0x0000000002120000-0x00000000021E9000-memory.dmp

Filesize
804KB

Download
memory/2104-7-0x0000000002290000-0x00000000023BD000-memory.dmp

Filesize
1.2MB

Download
memory/2104-9-0x0000000002700000-0x0000000002809000-memory.dmp

Filesize
1.0MB

Download
memory/2104-10-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2104-3-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2104-1-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2104-8-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2104-11-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/2104-13-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2104-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2104-15-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2104-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2104-483-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2104-484-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads