sodinokibi | 6cff57ed233dd9083464ccc23c0a59df300c8a0aece0d3651e5c9e7984c937fd

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
Size

115KB
MD5

da50c8e2aeeecc39e8ae49cef8271733
SHA1

768d0597775446938114e0b5f1ad74b7c51b2a5b
SHA256

6cff57ed233dd9083464ccc23c0a59df300c8a0aece0d3651e5c9e7984c937fd
SHA512

adf77baf9095cd1be5a9a2639978e9b1150485d08c09d8146645930528e552bb1329467cc4e70901c17faee0b734b849d5ef83feb0da760ef7d636d75e1c4786
SSDEEP

3072:mlnXEXyk7yvh4NKm437uM0IItpaHV6B+:mtqyg34L8tpky+

Score

10^/10

sodinokibi credential_access discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\c3b71ms3o-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension c3b71ms3o. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1DDD5635137CE474 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/1DDD5635137CE474 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: NMgMQunswdYneyPDYvBYJlrGl9elsaeBsvBYPMQbTxdPrdWSRzrlbH/fTXcMMOl4 qyM1f9YXA1Fk4ZK3C2gWCmbXl1JNM1J5sp3NUQGP4jtuFVDHp3VXOv+KQPfx+MDC Hgm73/gszC18aiNV4l2indHqucKnKFb5S0JD+b16LBA5Z/LrHrco842/ZTUdc0hn G9GXXyFws3A2DySKUeBDPEe1ea7TBBVsQnx+L193GAiKwkVMVacQht7GYp/sz3hS DtcZRxwnwGGcqtT6djPxI8x6DhOnitECNp1M8ulZHiR4DPlIAtS0utCPgbtVb1ZN hdrSuWEqejQILRUHMa2LxZ+x6ThPRXOHiNguUWvXdNs/kqKmPdZgAhOeknmPn/a9 cO1PTVkPY+I7rUoxlf/vjUhedQPywE5+2RWtwFqaEAahoY/l7IeuCHL3RAbNVNuJ 0n7WCGxP7s1viHAtCcFNEjtF/bqKUNHGalddphQTLNsPZuouEze2O1y6vYRU/ucb KHhsDTvuB//BJpIYYU9tUEruM+CXFXvbzvt/eyN/mnSGdtGjGVk3fiab9hU+mBUl v26HEniVh5w6j2hwN/8G/igs2iLp4Kneogx2zo7J1tkINcyxr9DeifLEaNRmg56C FXh5yODqzg5gj7IsZ5Q725oFGhfvxF78jNkxQUpE7fqqcVU2wxxNkBWDH97B6gP6 tIp35PLuZ+aiBubTgspDNAQ+DbWFc3yPhF0Qw9z2PtPQaifLxEBtpASYrq9XwUHF qCl+byxbf+SMu+DdZcBfiiUcYcqS8amm+UH2NTcg4I4TmEI3jHF19/dmEV4kErNC 8yYujEdt+41OE8xGHLbGiGyJRXmaZ4yTPAAW3HDlkzKfbvk9Mt+BmXMliO/0wRfC QVgrvIiZGeY9m78j+uZGVMd007V34Onv2PJZ6sOlZAvotTbF+AZ2jT9bCkS2Hox8 jnoqa0vBHJ5Gp9Z2eN1IjZmkqdYJb8mnv5ftORLE/7XOE2bp2ulicMS2oJb/PYe1 YSwKBlkGyVCJJWjPQIOW4iHNOy/prI32WGBzTkqViIdYCTVcumUhRF9ZdWrssWxX k7brguyQVV8j+i3PjyYMYl4GXx9qVd9wvb9WE9TYPd7Rh53TRNCn0gt+ukSsUDtv 1yn0Ajoak8LgkNWJL5x1MT0mVqQcRyvWH+/3zziRJM/0axzEu4ffThMTo7T2fg8E CT6fMoh4YOh96/TN/vrXjazzuDpsi7TQ40evaDIItB+OxMV25nBFs5jYSomy3/Ta lI2oN9BS6YGNdzaUKcUdSD3Ujh5O9Njr1QdoT7TNg5VyirqhGjzVNIcN2Lsp83JG sGNKJ3Uvn/Q6qo4MIZmOGV7J2GdrgjwbkSkPTpVoDzN9o+Jr/dY9iKSmvRs= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1DDD5635137CE474

http://decryptor.cc/1DDD5635137CE474

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 2 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\c3b71ms3o-readme.txt	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7THSMUAouJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe"	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\favorites\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\onedrive\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\accountpictures\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\videos\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\system tools\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\contacts\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\documents\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\burn\burn1\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\recent\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\windows\sendto\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\winx\group3\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessibility\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\winx\group1\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\links\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\pictures\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\videos\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\libraries\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\music\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\accessories\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\winx\group2\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\accessibility\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\music\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\documents\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\burn\burn\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\default\appdata\local\microsoft\windows\winx\group1\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\administrative tools\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\maintenance\Desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\libraries\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\sendto\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\maintenance\Desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\saved games\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\desktop\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\accessories\system tools\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\burn\burn2\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\searches\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\pictures\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\public\downloads\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\pictures\camera roll\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\pictures\saved pictures\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\default\appdata\local\microsoft\windows\winx\group2\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\default\appdata\local\microsoft\windows\winx\group3\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\system tools\Desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\favorites\links\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\accessibility\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\local\microsoft\windows\application shortcuts\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\programdata\microsoft\windows\start menu\programs\windows powershell\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\accountpictures\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\system tools\Desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\K:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\N:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\E:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\G:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\H:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\M:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\F:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\T:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\X:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\Y:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\Z:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\B:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\I:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\U:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\O:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\R:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\S:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\D:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\W:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\J:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\L:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\P:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\Q:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened (read-only)	\??\V:	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\161505g1vf53.bmp"	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\DenyAssert.DVR	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DisconnectInitialize.jpe	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\GroupDismount.css	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SkipPop.wvx	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\NewComplete.vssx	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\NewPush.ttf	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\WatchAdd.dll	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ApproveStart.wmf	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CompressStep.potx	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MeasureLock.txt	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ProtectApprove.mp2v	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AddInitialize.vstx	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ApproveResolve.ps1xml	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RedoCompare.search-ms	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SkipDeny.asx	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CompleteTrace.M2TS	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConvertToResume.mpp	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File created	\??\c:\program files (x86)\c3b71ms3o-readme.txt	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CheckpointConvertTo.mp2	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CloseReceive.wps	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InvokeOut.ini	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MeasureConnect.dxf	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PingRead.dxf	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ReceiveDebug.pptx	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EditOptimize.m4a	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InitializeEnable.js	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InstallRequest.m4a	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PingAdd.dotx	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ResumeUnblock.gif	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnlockImport.emf	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File created	\??\c:\program files\c3b71ms3o-readme.txt	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ClearSubmit.bat	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CompressExport.vssm	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConvertToGroup.jpe	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ProtectConfirm.asp	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{0A799B41-511E-45BF-BCDF-84F5D891EC22}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1540	da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
Token: SeShutdownPrivilege	2632	explorer.exe
Token: SeCreatePagefilePrivilege	2632	explorer.exe
Token: SeShutdownPrivilege	2632	explorer.exe
Token: SeCreatePagefilePrivilege	2632	explorer.exe
Token: SeShutdownPrivilege	2632	explorer.exe
Token: SeCreatePagefilePrivilege	2632	explorer.exe
Token: SeShutdownPrivilege	2632	explorer.exe
Token: SeCreatePagefilePrivilege	2632	explorer.exe
Token: SeShutdownPrivilege	2632	explorer.exe
Token: SeCreatePagefilePrivilege	2632	explorer.exe
Token: SeShutdownPrivilege	2632	explorer.exe
Token: SeCreatePagefilePrivilege	2632	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe

C:\Users\Admin\AppData\Local\Temp\da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{811D10E7-63B6-4581-ADA9-2A2816DF1D43}.2.ver0x0000000000000001.db.c3b71ms3o

Filesize
1KB

MD5
e44c21afe8ec75c09908a2f3024bdf5a

SHA1
d6d6475dbb085683da63ca1b56e1da5b2a7d5cc7

SHA256
f7f94d9eb99b10f0ef85aa655b5643ea3fafc75ca040c3e32e28fecc62597b11

SHA512
9002215c72201e25c0ba46b41eba38c2b04f184504b300a3d5bab5213b29f0f3e437b1011681b3d578009f82856f589e910d421eebe9cec6edfa57372755a2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.c3b71ms3o

Filesize
623KB

MD5
9f43f7955c1acc1f6f57f0c7f93459de

SHA1
cc3883026018fd3c7989d157445003ee4ca01746

SHA256
2ec126bbc87884878511e8664bbe4ada295bce2440b6bc5864729c7fdd505b2e

SHA512
bc18b66fba1ca83dae3fd513dfa6a0d8646b9a9a37ed8e318dde3a1d5ea2b444487244eb4c2db97bb43a43e8e4a793301938dcd444e999e0a71eefd4166f6599

Download Submit
C:\ProgramData\c3b71ms3o-readme.txt

Filesize
6KB

MD5
3af1aab38745de75235f459d7fd10c04

SHA1
612481caa138a08c41619f5ff0e80ec7dec725c8

SHA256
c91919488beb18bc720eb50fd7f66aff504f2641ff2d542c456e332b81b8efbc

SHA512
ea3cd3ce9a83d43ef3f5dc079cb1df1b58e0c7c4922827f2dbbfa3faa20552c07fe1fb330abbab979e2523876926451fe1338d8ce519aa368efbd9db8c80df33

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads