sodinokibi | 08542ea965f7ac97c90635444860c5d35a8e8e81c7edf3ddbf6c1736a8c61b63

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
Size

157KB
MD5

e62c896825a6d186f34fb16b1f57490a
SHA1

3287ff1b9d6256bcd31567c97e90a9bc89cd4f2d
SHA256

08542ea965f7ac97c90635444860c5d35a8e8e81c7edf3ddbf6c1736a8c61b63
SHA512

1c8e60da15ce4dacfc4f4a8fe3c90c3f37034a1333198e834c6924a15b35afb215dbf77361d3547cc254c16e3c8d289df639d174f569d0389307906cc3c3e7ab
SSDEEP

1536:LWlo4vFAPi8hnuy8Ey7pAe3U7Pbi4eTMluxtXDCntTnICS4A33eKWKOgwoAN61Vj:Fi8Iy8EytSLbi4eTMlwDCnuZ3N9w0IE

Score

10^/10

sodinokibi defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Default\70aq3vd-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 70aq3vd. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8F6162888EE7A841 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8F6162888EE7A841 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 2nYmhUE0KX5AKkrR4mOOKWqg8qoqUAX4PttFqQS69ZfCirTPFO+ACH1s/MI6TiP9 THLuF+KHL6LuLvbkZXu0UboIPq1BcyuyrNISXIPkWY8ZfANk8Ah0EGWslnMPiDNi 5NdBu92XtwH7DX/Ui1RmhpHgcLsnH3VV0RBKjQpYBIueVo1DG1GP7dQ4PTyvn0yE yo2swDPkqnZ5RWQKCmmn6aM9noiyKwvA6nYnch1LDm+5OewW3CJKcRAPWJoBBO7z nqbTmAEiSX2Aw35GZZE1USdxy4VISfHNYlxibmlntERPj4UmiG3okFvBzYnE/M/V j3NHbuke0q30MvB2SRzPNrI92XKMfzMLyzBGJGqejZUYe5CgLoVpviEn9gnRxmga iiluOYV5bl13oniZ7MvDdn+Klw9EYp/9gKutg6/WB24ib6BUkVAlNkOHiQJVqX7S b3xNDY11/8oOsMzUP3IG6nd3szl5MxMvhjN3FAxCuhwQN3iQCdjHg9+a2Yin/SaS nvnPQTip7E1BD2VkeRU+JtKzP3eeI3K4jZtw8a/Rn51EIkpXq7tnhODfJ51qRWXK eEyfdBOO6R2x/SpOacQLRfO4xGwvnaCsj7pzZJZmB+KGV3vwGKLYutTK1CjlpQYB +NlAzQcAZISe3g2zVMYIwuaeI9qJ+w2oew+lqrlUlbnEDMJJuhdoDFkUEaFoXus5 6oXs2MJ8syHO8rB01FrJCB08PqSqz321Vn80KmaeUduxXuY+ZDLlMezXmi0xan6c VAqKY6RO1DfChkz/yV0VNe7WiKF09lBsljs42ASjdfnxRNDSBNez68CZ858VYOow R3g7M9qniM9ZVH/DpJAxOM3QrLcuIwKe8xLagMkb1OIOUJUxwnzAhRtBice1OWs4 u+8lt68lW2sifcqQa8PIln8BFM1k1Ovw2eP4cThOrS41FRcBsUYpxEYZG34/3okb nwu40IxdqKciY0TP9rKjTKGy5Z+pbtoygq3Dvzy39daUMxBG0lGQW4Lbptjg5HfG rXRQPEXAnJF5cwlJ91X4EPQYWp3GCSHPvW5nX5jfoNkVzphvWpIyMH3f0l87H3e0 w249TKbPSdV36iMQS8XRyrrNaO353PldLEbzxMNzGccWJFf3LCp1hXkETbvGG/Ai zd9+vRg8yHklulNLWJeu47Eu/BblYkGah2E= Extension name: 70aq3vd ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8F6162888EE7A841

http://decryptor.top/8F6162888EE7A841

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (188) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\N:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\S:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\A:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\O:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\B:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\P:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\M:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\H:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\Z:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\E:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\T:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\U:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\J:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\Q:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\V:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\Y:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\K:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\F:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\D:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\L:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\R:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\W:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\X:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\G:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e26872dtp.bmp"	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bb92604e3d64e901_compstui.dll.mui_0724407b	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_6.1.7601.17514_none_76234513809272a3.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6fc7f6bc4cb64c48.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-object-picker_31bf3856ad364e35_6.1.7600.16385_none_0f6c30b96de81257.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_af54807f7e43fe22_infdefaultinstall.exe.mui_ea4c5b8c	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-vani_31bf3856ad364e35_6.1.7601.17514_none_5a885c9b0fafaf30_vani.ttf_cae9a052	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7e8b0c18f5629386.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dba340d7365a2c01_slc.dll.mui_dc24f809	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f3874d6c7dfca9f_winresume.exe.mui_ff8b5358	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-s..ty-cng-keyisolation_31bf3856ad364e35_6.1.7600.16385_none_2a863865442ba065.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..sam-win2k.resources_31bf3856ad364e35_6.1.7600.16385_en-us_278079a6bd283e55.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-msidle_31bf3856ad364e35_6.1.7600.16385_none_cb5832fe03fa7bbb_msidle.dll_fb421a48	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_6.1.7601.17514_none_78875ce737927d27_security-spp-ppdlic.xrm-ms_399d0f6b	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_72e204af7ddd5d15_newdev.dll.mui_914efc6c	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ea0031961eb6e40c.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_29e72c19d41e6ceb.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e8dccb238c9862b1_netrasa.inf_loc_67293ca2	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_it-it_dc658d0c024781ab_scfilter.sys.mui_cebab716	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_291c6c0621fdacf4.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-hbaapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_32f774aeb8785762.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9e8c88ba3cdfd040_drvinst.exe.mui_e88f4c73	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24_newdev.dll_7eb7622f	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shacct.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_05b5021d1c212c08.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.1.7601.17514_none_f59e20ddece8f922.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c8666cba19c26e1_mdminst.dll.mui_19a87063	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_en-us_09d25d5db275f73d_wshelper.dll.mui_be261ecd	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_019943d7782289a6_compstui.dll.mui_0724407b	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_it-it_42a55ec43db85af9_auditpol.exe.mui_df4767d7	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_1cf0186e9791586f.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_en-us_64222f560083ded6_credui.dll.mui_34721171	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6084741c7167c84b.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shfolder_31bf3856ad364e35_6.1.7600.16385_none_eef3c430806831de_shfolder.dll_4d2402cf	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1ad7c40b95e77d03.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ad5d781cbe6250e8_apphelp.dll.mui_59096153	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_019943d7782289a6.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1ea841b1ccb1284f.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_caba3de2d9ce0d4b_netiougc.exe.mui_ad7a9e4d	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d70162d0d613541c_mprdim.dll.mui_11b5ef08	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_3439e058b9e16165.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2780f07f05867be_mfc42.dll.mui_66106d85	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ro-ro_28f060a37f09ef5c_mlang.dll.mui_2904864a	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_65c533f1c582e47c_prflbmsg.dll.mui_4caa0054	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_092d6b9141f16aca_winmgmt.exe_8f8eb7b1	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_11ed75c93fd15e23.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7002897809b71b0c.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9298f68b9fac5f26_dwmredir.dll.mui_08a6874d	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_svgafix.fon_52683949	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_24ff5a886963291e_mlang.dll.mui_2904864a	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-usermodensi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3bf2c930414db993_nsisvc.dll.mui_237a741f	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_6.1.7601.17514_none_fe9df6ad1b5f6e87_ci.dll_070fb998	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_de-de_3c9de3a8b639aa1c_mpssvc.dll.mui_4b194b5f	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_bg-bg_d05ef37bdb11d344.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_cbe692400513bd7e_expand.exe.mui_3f54e013	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasddm-repl.man_f70b2fe7	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_278d30f00dd1a156_sppsvc.exe.mui_40875a72	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a34eb21187cbf59e.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cef288146d0ec16c.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ba5be41f9553aeb3.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-sens-service.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a1c3034d4d83b9c6.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_de-de_299cd5b40ed6d155_winresume.exe.mui_ff8b5358	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1ad7c40b95e77d03_userenv.dll.mui_e516a7e7	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ty-protectedstorage_31bf3856ad364e35_6.1.7600.16385_none_a43e06414a0fcb4b.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_zh-hk_4068f777147d0327_mlang.dll.mui_2904864a	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_6.1.7601.17514_es-es_28e9f3de1adcee20.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1680	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1744	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2924	vssvc.exe
Token: SeRestorePrivilege	2924	vssvc.exe
Token: SeAuditPrivilege	2924	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1432	1744	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe	30
PID 1744 wrote to memory of 1432	1744	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe	30
PID 1744 wrote to memory of 1432	1744	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe	30
PID 1744 wrote to memory of 1432	1744	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe	30
PID 1432 wrote to memory of 1680	1432	cmd.exe	32
PID 1432 wrote to memory of 1680	1432	cmd.exe	32
PID 1432 wrote to memory of 1680	1432	cmd.exe	32
PID 1432 wrote to memory of 1680	1432	cmd.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\70aq3vd-readme.txt

Filesize
6KB

MD5
8d6a9bad438f5b92bec0d08a33363b01

SHA1
ef51ad996aea846bda2aeed696bacdd39e5c5017

SHA256
7cd1545bdcadf212aa7288bf479ce6d73b96bc6d1d1d6f572b0b9c5ab5645497

SHA512
da08b50898ce5dd7454b515497578329bf250f6c853969a270854307498a4ea92b75bbe3bf26ed747cea68081d42c5802dddc5480750eb1f70ef7dd17c0dcd70

Download Submit