sodinokibi | 34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160

General

Target

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
Size

292KB
MD5

ccfde149220e87e97198c23fb8115d5a
SHA1

d514d08571ecd8cece8d704adc8d0c4fa87665ca
SHA256

34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160
SHA512

392a14c9a0c3a98c46e15b873919bdae13f5306a937fd8c869b2a2b435d236433a1eb78d6a953a1722d5b43cb69b4028459d6ea2387a904b4c0f2ec5bc36992e
SSDEEP

6144:qGZamLIoveyefyOrA80qE1lHJv3loPHVb6L:qEsomyef5k8k3Sby

Score

10^/10

sodinokibi 7 3 discovery ransomware spyware stealer

Malware Config

Extracted

Family

sodinokibi

Botnet

7

Campaign

3

Decoy

sochi-okna23.ru

www.blavait.fr

kamin-somnium.de

geoweb.software

www.drbrianhweeks.com

kombi-dress.com

johnkoen.com

prodentalblue.com

transifer.fr

matteoruzzaofficial.com

jax-interim-and-projectmanagement.com

hawaiisteelbuilding.com

www.kausette.com

www.galaniuklaw.com

www.atma.nl

www.piestar.com

www.kerstliedjeszingen.nl

biodentify.ai

endlessrealms.net

condormobile.fr

Attributes

net
false
pid
7
prc
mysql.exe
ransom_oneliner
Image text
ransom_template
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}
sub
3

Extracted

Path

C:\Users\Default\21x75d7i3-readme.txt

Family

sodinokibi

Ransom Note

Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 21x75d7i3 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4CFECFDC36A9209F Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/4CFECFDC36A9209F Page will ask you for the key, here it is: +dIAUEyMbA5+bgfa3xnD1jk2eBPiKktuFEeiK3RE8ilXTvGYuX0P2Diizy2rVjkf kOQvgYrSjn75v2NXWW/SYZclgPCFvfnT2JNYPpZ120agi52BM5/dNPZIdNyzjSOm 0PF5HJZMYkewh8bT6ktZ66+dYkHsEEVwpg36yxtUeXT0XQYoYGxY0qMnH/Lld7K4 wlRMHpzsiq/rfiOVSp3vUhwCl92B0A25BqMaboAnwb+9rob95WEsGrfEi41eUDkI W26aEeI79Yv+CTutDytQJC9pxITKm8HKfCdu14BbsSZE7u5tEc1/TmmN3hlPfd35 ujWj74ek3YPzIqaUVsA2Yx8p6W2c649gDHkCKgcdGqKEqaTFuUq3zpxjq+zukp11 5ZP3uVCvLIV5XasvIlJHatJ7VuMPMldRRCFWqiSzmGAGjWNzoEvFIzxUG6AGpFeq gC/aQOeNnrPZgMMO1sleEOEZfipAaai+24+UGnP2YcVXuzzj8cpR5UGLlVgQEJKG KfPqawiShjhwVYqFa2kgXLv/EncM2PSIE6US6bK9DwdotfzSVj13iJeYB6eyPUuk 1Fb8W7P+KSBDGrZghcCLgqRhYQUorvCIRtxZDzEfLLxWHFTViEBUiIfc2/etqYat cs8O0Xx/oNtgO7QffcFHHWr7ueyf5T6gxDv+XAY1ZR5MFxONuWmZW7DHR1mCTNfV G5pEu3opzji+diS4BiyBHf9c4Zb1BlT3ymH21B7xdquz9/vD4cJPlihIXVztn8+7 Qs2efBx9+fbpj5RLwGYRwrXMmaYtYOR/X9ykecL+3S/9C374/te01+9sBn+We2bC qjEg5HkXkm6sGVZFcVSXoB0ppTGdIMwy2r5bPW/3vKBMxQLlH2kyANYYfpZ7a0WL 8UGE1Ze3h/tTSu6kDVEa62r0Auf92/VFx14aEh67Be/kJ8pXV7ZeOGlDEQOKz/Jd xEZAdfJ1fjn49Ow7ku2/UwRo4DrWZB1jjWaX54iQtq+WmuTop1gYVjnUvOltG3Xc jJlFXdGoqK/OzMjorr1JgabfzmoDx3or+exxwyxVaR3ShGVEYhU+S7jG6D0BMVqx ikctmxhkIa4snNbyyI0cSoCjIrGkFQdpH8ql4LzaiyrxevlWv8cq8zNNx8VPkFBp q7TQkDNkbT36pZTU/gHRbG+yi7ys051yxlR/bQ==

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4CFECFDC36A9209F

http://decryptor.top/4CFECFDC36A9209F

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Renames multiple (185) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\E:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\J:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\O:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\D:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\S:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\T:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\V:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\A:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\L:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\R:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\H:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\K:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\Q:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\X:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\Y:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\Z:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\N:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\F:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\B:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\P:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\U:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\G:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\I:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\M:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened (read-only)	\??\W:	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p9e6xn3o.bmp"	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.19041.1266_none_e488d49c8a22d21e_winlogon.exe_ac37d0c5	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.546_none_3f9a019e45575878_appidapi.dll_affa6810	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.19041.1_none_de146f6286602c80.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_it-it_bddceaf325c3cfd0_iprtrmgr.dll.mui_eb023b92	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog-api_31bf3856ad364e35_10.0.19041.1266_none_20f6d5a21a7b8890_wevtapi.dll_df064540	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore_31bf3856ad364e35_10.0.19041.1_none_bda4006aa194108d.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.19041.546_none_b400f714c4b791cc.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.19041.84_none_cc8b03b372325d69.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ui-resourceswin8rtm_31bf3856ad364e35_10.0.19041.1_none_40a3e631822403fd.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.1_es-es_8559d1e56d0ddfe6_dsregcmd.exe.mui_8ce2c638	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..ore-bootmanager-efi_31bf3856ad364e35_10.0.19041.1_none_3d71f65b3bbd6193.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_a556313cd729d07d_msaudite.dll_9eacd00a	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_de-de_7802ffd5f4f46f8b_listsvc.dll.mui_27f0fc85	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_fr-ca_c03f9b83b540a678_msimsg.dll.mui_72e8994f	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-pdc-mw_31bf3856ad364e35_10.0.19041.1_none_d8c3201e0c8a5167.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_he-il_b203a7874c9318ce.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsi.psd1_8e91985d	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_c8514oem.fon_9ff1fe45	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.19041.1266_none_41ea436edfbc2e32_fwpuclnt.dll_d0a74ee5	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_uk-ua_3d1792f0b5c2671e.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9776d7f5085fe75b_iscsidsc.dll.mui_6acb64a6	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-webauthn.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_013400b3a9b9796a.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_sv-se_f82a6602cfd53ee1_comctl32.dll.mui_0da4e682	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.19041.789_none_89924141786cea16_ucrtbase.dll_a00b9625	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msxml60_31bf3856ad364e35_10.0.19041.1081_none_07a08c6e805601ea.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_edd345b6c42269da_rasadhlp.dll_7438be63	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_03d9d86028f54c50_memtest.exe.mui_77b8cbcc	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_4e11037b7cb5a25c.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.964_lt-lt_9dbe884efe85d5ec_comctl32.dll.mui_0da4e682	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr.resources_31bf3856ad364e35_10.0.19041.1_es-es_1b9eaea5281dc1e4.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..onmanager.resources_31bf3856ad364e35_10.0.19041.1_en-us_b41cd326ea03d7cd.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_it-it_580bf62c3d55fd5e_comctl32.dll.mui_0da4e682	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_ko-kr_4b8e60a7bca7d650_bootmgr.exe.mui_c434701f	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_10.0.19041.1_none_619a46db072a678a.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_it-it_580bf62c3d55fd5e.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-sechost_31bf3856ad364e35_10.0.19041.906_none_703c15786005c809.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_8514oeme.fon_dbdae0a9	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tdi-driver_31bf3856ad364e35_10.0.19041.1_none_1cdf560fd553ffa5.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_10.0.19041.546_none_b72b37b884665d49_ntdsapi.dll_23e20303	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_de-de_7b16fe6b5fbc6858_dsreg.dll.mui_5d9efc7e	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c3dd8e4758ad0702_mofcomp.exe.mui_35badf56	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_ega40857.fon_5e965632	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_ba47d7f37d90af73_wuaueng.dll.mui_297f975d	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-volsnap_31bf3856ad364e35_10.0.19041.488_none_3cf9fb87005e2f89_volsnap.sys_d7206f48	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shell32_31bf3856ad364e35_10.0.19041.1_none_2c6ee2b3e5ba3635.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-atlthunk_31bf3856ad364e35_10.0.19041.546_none_6bdfd34f2fed1b54_atlthunk.dll_61ada5ff	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f94194299c1afcc8.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_ec1c7017ac88fbdd.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_es-mx_aaf424c17c6b93ee_comctl32.dll.mui_0da4e682	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_85s1256.fon_3e26940d	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_sk-sk_b39d4963b949fdaa.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_es-es_2c55246d83884e93_winresume.exe.mui_ff8b5358	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_2e2b77f499a256c2_wbiosrvc.dll.mui_d5b8b2b8	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_10.0.19041.1_es-es_4da8bcf07fccda29.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2d3b6ea159ff4dae_mofcomp.exe.mui_35badf56	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_cs-cz_1dee5804823a393a_comctl32.dll.mui_0da4e682	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-pshed_31bf3856ad364e35_10.0.19041.1_none_11e3f0d3cc72158f.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_d882497830128342.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_57cd46da8c032f2a.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasrtutils_31bf3856ad364e35_10.0.19041.1266_none_8c3011e8d40ca7c1.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_es-es_a8bd371b7dd7b043_comctl32.dll.mui_0da4e682	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_42d8e7001244e285.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip-driver_31bf3856ad364e35_10.0.19041.1288_none_4cc02c3b6c5e5630.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_10.0.19041.1_none_8f22fe3bc4f4994d.manifest	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5104 3608 WerFault.exe ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

pid	pid_target	process	target process
5104	3608	WerFault.exe	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

pid process

3608 ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
3608 ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

pid	process
3608	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
3608	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe

description	pid	process	target process
PID 3608 wrote to memory of 3772	3608	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe	cmd.exe
PID 3608 wrote to memory of 3772	3608	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe	cmd.exe
PID 3608 wrote to memory of 3772	3608	ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccfde149220e87e97198c23fb8115d5a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1804
  2⤵
  - Program crash
  PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3608 -ip 3608
1⤵
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\21x75d7i3-readme.txt

Filesize
3KB

MD5
b1ec8ff5c22167ecc795ace895a289d2

SHA1
e4f7a39e5da5c2ecb55ee9853b2c317d74623fbd

SHA256
def16714e59dd381de562b47ab514ad13d33688b599b9a4c9634ccf1610167d0

SHA512
22f1415e376a641cf1d17be5aa95ae25b90c08866109abb69112fd13ac269df7d24430d37287502a438a72aac03ce5625b20ec49f453c2972bc3547cc38686ad

Download Submit
memory/3608-1-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/3608-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-3-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/3608-5-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3608-4-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3608-420-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3608-423-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3608-424-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads