Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06-09-2024 19:03
Behavioral task: behavioral1
Sample: d04208e8499134779820f61c15d2ff37_JaffaCakes118.dll
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d04208e8499134779820f61c15d2ff37_JaffaCakes118.dll
Resource: win10v2004-20240802-en
General
Target: d04208e8499134779820f61c15d2ff37_JaffaCakes118.dll
Size: 161KB
MD5: d04208e8499134779820f61c15d2ff37
SHA1: 56770b21d974922a42c6dc80e433490d1aba8624
SHA256: d765650f9f566880df22f1dbabcd8da0dc81d6e10ffe3baee3166ac87ab12a91
SHA512: 4443dce1f06c9ab3843f50546f4d192e6cceeb483ec8d468574e6d555dc560e4abd7405d058e4d6f21601876f63c8146f167e6d25bd3e1a2c46d75bb4e416d70
SSDEEP: 3072:SrVv1LsjovMDkQjKiNLDIFjKbnSEYaQG8uVsR2q:SrRijAi2GIFGHYQ5yR
Malware Config
Extracted
Path: C:\Users\yhhyv-readme.txt
Family: sodinokibi
URLs:
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/04AB4409CB516FB4
http://decryptor.top/04AB4409CB516FB4
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Blocklisted process makes network request (7 IoCs)
flow  pid   Process
4     2692  rundll32.exe
5     2692  rundll32.exe
7     2692  rundll32.exe
8     2692  rundll32.exe
10    2692  rundll32.exe
11    2692  rundll32.exe
13    2692  rundll32.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by rundll32.exe for every drive letter except C:
\??\A:, \??\B:, \??\D:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Set value (str) by rundll32.exe: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5f12asruy37i.bmp"
Drops file in Program Files directory (49 IoCs)
File created by rundll32.exe (ransom note, 5 IoCs):
\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\yhhyv-readme.txt
\??\c:\program files (x86)\microsoft sql server compact edition\yhhyv-readme.txt
\??\c:\program files (x86)\yhhyv-readme.txt
\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\yhhyv-readme.txt
\??\c:\program files\yhhyv-readme.txt
File opened for modification by rundll32.exe (44 IoCs):
\??\c:\program files\ExportResume.vsdx
\??\c:\program files\ImportMeasure.cab
\??\c:\program files\ConvertUninstall.rmi
\??\c:\program files\ResetGroup.lnk
\??\c:\program files\ResolveSave.xltm
\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceer35EN.dll
\??\c:\program files\ClearExit.mid
\??\c:\program files\RegisterRename.easmx
\??\c:\program files\UnpublishReceive.svg
\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcese35.dll
\??\c:\program files\CheckpointOpen.iso
\??\c:\program files\CloseGroup.xps
\??\c:\program files\ConvertToRename.xla
\??\c:\program files\RestartShow.xlt
\??\c:\program files\SendEnter.cab
\??\c:\program files\UnprotectTrace.wmx
\??\c:\program files\GrantLimit.aifc
\??\c:\program files\RegisterUnpublish.mpg
\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceca35.dll
\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcecompact35.dll
\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceoledb35.dll
\??\c:\program files\AddExit.gif
\??\c:\program files\AssertSwitch.xsl
\??\c:\program files\ConvertToOpen.mpe
\??\c:\program files\JoinInvoke.gif
\??\c:\program files\LimitConvertFrom.ogg
\??\c:\program files\LockGrant.tiff
\??\c:\program files\ExpandRestart.wvx
\??\c:\program files\ExportLimit.xsl
\??\c:\program files\InstallMerge.i64
\??\c:\program files\RestartMerge.scf
\??\c:\program files\SendProtect.svgz
\??\c:\program files\SyncGet.WTV
\??\c:\program files\UnpublishResolve.wma
\??\c:\program files\PopConfirm.ini
\??\c:\program files\RepairGrant.m1v
\??\c:\program files\EnableReset.css
\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceme35.dll
\??\c:\program files\EnableStop.mp2v
\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceqp35.dll
\??\c:\program files\ConvertFromComplete.jfif
\??\c:\program files\RenameUnlock.vb
\??\c:\program files\SaveBlock.ADTS
\??\c:\program files\WriteExpand.wm
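The file list above shows two things a detection engineer can score per process without any signature for the sample itself: one file name (the ransom note) created in several unrelated directories, and one process writing to files of many unrelated types. The following is an added example, not part of the sandbox report or of any vendor tooling. It aggregates constructed file events per PID; the PID 2692 paths are copied from the list above, the PID 1500 events are an invented benign installer-like process, and the event format and thresholds are assumptions to tune against your own telemetry.

```python
"""Per-process file-activity heuristic for the ransom-note-plus-mass-write pattern.

Added example, not part of the sandbox report. Events are (pid, action, path)
tuples: the PID 2692 paths are copied from the report, PID 1500 is an invented
benign process, and the thresholds are assumptions.
"""
from collections import defaultdict
import ntpath

NOTE_DIR_THRESHOLD = 3  # same file name created in >= this many directories
EXT_THRESHOLD = 8       # >= this many distinct extensions modified by one PID

# constructed event stream
SAMPLE_EVENTS = [
    (2692, "modified", r"\??\c:\program files\ExportResume.vsdx"),
    (2692, "modified", r"\??\c:\program files\ImportMeasure.cab"),
    (2692, "modified", r"\??\c:\program files\ConvertUninstall.rmi"),
    (2692, "modified", r"\??\c:\program files\ResetGroup.lnk"),
    (2692, "modified", r"\??\c:\program files\ResolveSave.xltm"),
    (2692, "modified", r"\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceer35EN.dll"),
    (2692, "modified", r"\??\c:\program files\ClearExit.mid"),
    (2692, "modified", r"\??\c:\program files\RegisterRename.easmx"),
    (2692, "modified", r"\??\c:\program files\UnpublishReceive.svg"),
    (2692, "created", r"\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\yhhyv-readme.txt"),
    (2692, "created", r"\??\c:\program files (x86)\microsoft sql server compact edition\yhhyv-readme.txt"),
    (2692, "created", r"\??\c:\program files (x86)\yhhyv-readme.txt"),
    (2692, "created", r"\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\yhhyv-readme.txt"),
    (2692, "created", r"\??\c:\program files\yhhyv-readme.txt"),
    # invented benign process: an installer writing a few binaries and one readme into one directory
    (1500, "created", r"\??\c:\program files\ExampleApp\readme.txt"),
    (1500, "modified", r"\??\c:\program files\ExampleApp\app.dll"),
    (1500, "modified", r"\??\c:\program files\ExampleApp\helper.dll"),
    (1500, "modified", r"\??\c:\program files\ExampleApp\app.exe"),
]


def strip_nt_prefix(path: str) -> str:
    """Drop the \\??\\ object-manager prefix the sandbox records on every path."""
    return path[4:] if path.startswith("\\??\\") else path


def profile(events):
    """Aggregate per PID: created name -> set of directories, modified extensions, modified count."""
    created = defaultdict(lambda: defaultdict(set))
    modified_exts = defaultdict(set)
    modified_count = defaultdict(int)
    for pid, action, path in events:
        directory, name = ntpath.split(strip_nt_prefix(path))
        directory, name = directory.lower(), name.lower()
        if action == "created":
            created[pid][name].add(directory)
        elif action == "modified":
            modified_count[pid] += 1
            ext = ntpath.splitext(name)[1]
            if ext:
                modified_exts[pid].add(ext)
    return created, modified_exts, modified_count


def assess(events):
    """Return {pid: [reason, ...]} for PIDs whose file activity looks like encryption plus note dropping."""
    created, exts, counts = profile(events)
    findings = {}
    for pid in sorted(set(created) | set(exts)):
        reasons = []
        for name, dirs in created[pid].items():
            if len(dirs) >= NOTE_DIR_THRESHOLD:
                reasons.append(f"'{name}' dropped in {len(dirs)} directories")
        if len(exts[pid]) >= EXT_THRESHOLD:
            reasons.append(f"{counts[pid]} writes across {len(exts[pid])} file types")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in assess(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The two signals are deliberately kept separate: a legitimate installer can touch many file types in one directory, and a documentation tool can drop the same README in several, but a single process doing both across Program Files is the shape of what the list above records for PID 2692.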
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: rundll32.exe, cmd.exe, vssadmin.exe
Interacts with shadow copies (3 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid 2828 vssadmin.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid 2692 rundll32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege by pid 716 vssvc.exe

Suspicious use of WriteProcessMemory (15 IoCs)
PID 816 rundll32.exe wrote to memory of 2692 rundll32.exe (procid_target 31), 7 times
PID 2692 rundll32.exe wrote to memory of 2816 cmd.exe (procid_target 32), 4 times
PID 2816 cmd.exe wrote to memory of 2828 vssadmin.exe (procid_target 34), 4 times

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d04208e8499134779820f61c15d2ff37_JaffaCakes118.dll,#1
  PID: 816
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d04208e8499134779820f61c15d2ff37_JaffaCakes118.dll,#1
    PID: 2692
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      PID: 2816
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin.exe Delete Shadows /All /Quiet
        PID: 2828
        - System Location Discovery: System Language Discovery
        - Interacts with shadow copies

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 716
  - Suspicious use of AdjustPrivilegeToken
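The cmd.exe command line in the tree above chains three recovery-inhibition commands behind a single `/c`, so a rule that only looks at the first token of a process command line sees `cmd.exe` and nothing else. The following is an added example, not part of the sandbox report or of any vendor product: it splits a command line on cmd.exe's chaining operators, normalises the program token to its base name, and matches each sub-command against rules for the vssadmin and bcdedit invocations recorded here (ATT&CK T1490, Inhibit System Recovery). It goes one step beyond this sample by also covering the `wmic shadowcopy delete` form, which this sample does not use. The event list is constructed: the first command line is copied from the tree, the others are invented to show a benign case and a full-path variant; the event fields are an assumption about your process-creation telemetry.

```python
"""Flag recovery-inhibition command chains in process-creation events.

Added example, not part of the sandbox report. The first SAMPLE_EVENTS entry
is the cmd.exe command line from the report; the remaining events are
invented. Event field names are assumptions.
"""
import re

# (rule id, regex applied to one normalised sub-command, ATT&CK technique)
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"^vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), "T1490"),
    ("wmic_shadowcopy_delete",
     re.compile(r"^wmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I), "T1490"),
    ("bcdedit_recovery_disabled",
     re.compile(r"^bcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I), "T1490"),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"^bcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I), "T1490"),
]

# A leading `cmd.exe /c` or `/k`, quoted or bare, with or without a path.
CMD_WRAPPER = re.compile(r'^\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+', re.I)


def strip_cmd_wrapper(cmdline: str) -> str:
    """Remove a leading cmd.exe /c so the rules see the payload, not the launcher."""
    return CMD_WRAPPER.sub("", cmdline, count=1)


def split_chain(cmdline: str) -> list:
    """Split on &, &&, | and || outside double quotes, the way cmd.exe chains commands."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch in "&|" and not quoted:
            parts.append("".join(buf))
            buf = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:
                i += 1  # swallow the second character of && or ||
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def normalise(subcmd: str) -> str:
    """Reduce the program token to its base name so a full or quoted path cannot evade the rules."""
    m = re.match(r'^\s*(?:"([^"]+)"|(\S+))(.*)$', subcmd, re.S)
    if not m:
        return subcmd
    prog = (m.group(1) or m.group(2)).replace("/", "\\").rsplit("\\", 1)[-1]
    return prog + m.group(3)


def evaluate(cmdline: str) -> list:
    """Return one hit per matching rule and sub-command."""
    hits = []
    for sub in split_chain(strip_cmd_wrapper(cmdline)):
        sub = normalise(sub)
        for rule_id, pattern, technique in RULES:
            if pattern.search(sub):
                hits.append({"rule": rule_id, "technique": technique, "command": sub})
    return hits


SAMPLE_EVENTS = [
    # copied from the report: cmd.exe (PID 2816) spawned by the 32-bit rundll32.exe (PID 2692)
    {"pid": 2816, "ppid": 2692,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    # the vssadmin child as listed in the tree
    {"pid": 2828, "ppid": 2816, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    # invented benign admin activity: listing, not deleting
    {"pid": 4100, "ppid": 4000, "cmdline": "vssadmin.exe List Shadows"},
    # invented full-path variant that a naive prefix match would miss
    {"pid": 4101, "ppid": 4000, "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete'},
]


def scan(events: list) -> list:
    """(pid, rule id) for every hit across a batch of process-creation events."""
    return [(e["pid"], h["rule"]) for e in events for h in evaluate(e["cmdline"])]


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(pid, rule)
```

Note that the tree above records only the vssadmin.exe child, not the two bcdedit invocations, so a rule that triggers on the parent cmd.exe command line fires even when the chained children are not separately logged.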
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 6KB
MD5: 6963bfc1e7ae43a3948713b9ceb4d0ff
SHA1: 7800466380b18e6dadb5aa6bba36fddc5d457545
SHA256: d7c98cddd365d3ed7dd2cacb62cbdad0400a1f394b32bb98bf5c3cc8a5909e89
SHA512: ee4a8c0e8e960e35f8d14160e548d78dc844d5dff53f4d41076f04e4505775c8cd91e5402957faaf5765bfb8cf15fbf3ae192734096991f6e5c51148ae08fad8