sodinokibi | 08542ea965f7ac97c90635444860c5d35a8e8e81c7edf3ddbf6c1736a8c61b63

General

Target

e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
Size

157KB
MD5

e62c896825a6d186f34fb16b1f57490a
SHA1

3287ff1b9d6256bcd31567c97e90a9bc89cd4f2d
SHA256

08542ea965f7ac97c90635444860c5d35a8e8e81c7edf3ddbf6c1736a8c61b63
SHA512

1c8e60da15ce4dacfc4f4a8fe3c90c3f37034a1333198e834c6924a15b35afb215dbf77361d3547cc254c16e3c8d289df639d174f569d0389307906cc3c3e7ab
SSDEEP

1536:LWlo4vFAPi8hnuy8Ey7pAe3U7Pbi4eTMluxtXDCntTnICS4A33eKWKOgwoAN61Vj:Fi8Iy8EytSLbi4eTMlwDCnuZ3N9w0IE

Score

10^/10

sodinokibi discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Default\s35351-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion s35351. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3E9BE02DE900A378 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/3E9BE02DE900A378 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 978AC/e1b9pc7WPy3EkURkFVI5uadjW3ezxohg4lhyyVIBgQF1yI9gpnR3dVPKQ+ UvdvJ4CqS3JGgJLrSljZxfSlOjOYZc1eFp7WhNdyFTcWYEBwJxAjbioXDJXTtXhB JheS0OY8ZSdi+x/IHmhe/rDEH94dCdLI2+tv5gG+s9D/WFJ9lrIR9wT5fmhqg0Lw Mn5OSbWdj2ZLAhawgeV3hpUkhGpwHBOo0/55sRlqSB7480dJa6TqVWeNmsqdEtkz wCjXOh+m0ZOcBQ1lUQ1NcKvOE/RGx98S5YcTfz9pAIs1taNnQUbdpPmgdm57D49P 0HIwvJPBZTtHlU4FkHGIqVmQV0Cq8OXzxJQMnMKxDE0HQ/yvLLe/t+RIZhrYgR4e EZ24upIw+DyyOILRKjDvi84i9nrPrSo7Z+obRCTMbWGk42cBD2Ta6rk4pNwESNNE rp3fYQyaqhB35BKKXHp0MOuLLpPdkW04nm2jWUt2Raq26YSc2uIecRX0S2wFM8JA ngLNf/exQJwODofQ3932wqq1WxUTGecsjhBkltILoAccuOhNBTRnAxhu+/ujZNYD nYotLjQg0UPo3+y3qkTBOq+2udsKqJqWuJENLSVHmtjpabBLdOI1SbeZc9YJmgSA JvnRyboyslRGnGZKMOCEQUIW5NYZ+C/2bqBPqD5t2DG467umTnw6g9odjvNZ54tg q4lKEicKBTCXd/HG+K9us9xNe+GFBN5Q0C3kxmqsnvroin9stdZM9X+U9R/Jc88F 90LSxug/Vs5SuTESzKMFS8JAB8qFehb8xqCC7V5AvLCyAkcP6Lp22p+57Po+iomE WPU7xMe+t/1IfqaWwslUpsiLvxy/DQngdIS9X+0vVmb8EhjKdPujv+jCiiGDXBQp khyiojkEgYPoNXaXB3CaycDGiw15sS2OE8vNwiQbOjgC9NYQlFfwEVRvWlzCLCq/ B0gMet8LMQhkx1TpbavbObl5hB54xTiJOa3POYJPamvHMufC8kC5IhdbK373rhM5 bFwuSCUeo0KJOSvudyqqerhTC8PvaGf0JDdVjccLnFKf2fFDe+zIGcoclx0qjN3z ikC9vq59uK5QvJkXWDdfCsLK5ZIRMSYrBv/1MSqxLNo1O2jTdmESt9cljcMbSXFO JtvjLyNAp1+1Q25vTIGmgyYJcGFR2TbCK+ZtPO9xzi4= Extension name: s35351 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3E9BE02DE900A378

http://decryptor.top/3E9BE02DE900A378

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Renames multiple (162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\Q:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\V:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\A:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\R:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\M:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\S:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\U:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\X:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\I:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\L:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\T:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\Z:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\B:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\W:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\F:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\K:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\O:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\D:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\E:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\N:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\J:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\P:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\Y:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\G:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened (read-only)	\??\H:	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2i6324.bmp"	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ctui-resourceswin81_31bf3856ad364e35_10.0.19041.1_none_d1d99fdd2c96dd2d_windows.ui.xaml.resources.win81.dll_d426e245	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_10.0.19041.1_it-it_8206cb3c3a26ca88_webclnt.dll.mui_e8f04040	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-onecore-ras-base-vpn_31bf3856ad364e35_10.0.19041.1_none_d24e62087d8454d4.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.19041.1_de-de_22421b8ad284b186.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_uk-ua_e877902ae1363f99_comctl32.dll.mui_0da4e682	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1fa57d1cd896067c_rasautou.exe.mui_55686a97	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_ro-ro_05272d3c05a54a31_comctl32.dll.mui_0da4e682	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_it-it_b0b29d8e18c561a2_dsregtask.dll.mui_5e1b9353	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_afb9e74560b9f815_winlogon.exe.mui_3280fc46	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_pt-pt_79ad1526caedcc46.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ro-ro_a7fd6f88bbbece6f_comctl32.dll.mui_0da4e682	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.19041.1_none_9d1d02bbe396027f.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_en-us_a9b6dfbebdc913fa.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.19041.746_none_f62e5d000d9f4bd9_pppmenu.scp_74b84d65	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-m..pointmanager-minwin_31bf3856ad364e35_10.0.19041.1_none_864c9e3e6c9f9e12_mountmgr.sys_77371b26	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_it-it_725f5b9788589dd0.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msvcrt_31bf3856ad364e35_10.0.19041.546_none_b9a3277332162a1f.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nt-core-bootmanager_31bf3856ad364e35_10.0.19041.1_none_a1c3d9420e6939cc.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_10.0.19041.1202_none_d02feec5930a1e75.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.264_none_4298d4188a939fa9.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_cga80857.fon_2e82e0e8	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_es-es_a9823ca2bdf0059f_scdeviceenum.dll.mui_815e7662	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a_setupapi.dll_8d9de2e7	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_nb-no_cddb09fa0f832b11_comctl32.dll.mui_0da4e682	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_f80c2ec488f97398_clipsvc.dll.mui_18823613	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_aba5dc4fb44efa50_wudfhost.exe.mui_1fc689ff	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.964_lt-lt_9dbe884efe85d5ec.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_8514oem.fon_c20e1190	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_it-it_3661a8e887f4017f_certprop.dll.mui_602eaab4	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..onal-keyboard-kbdus_31bf3856ad364e35_10.0.19041.546_none_67000d82a7c2a372.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_nl-nl_32602d1a95f90be1_bootmgr.exe.mui_c434701f	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_en-us_c10bc33ae3f4a3aa.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_it-it_8099ce7794a5ae0d_user32.dll.mui_14652dbb	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.19041.1_it-it_bc383e9a8755fadf_wmpdui.dll.mui_92411657	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_ab83828872bfa667_gpsvc.dll.mui_0c160ac2	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.19041.1_de-de_a9c82e9ce75a1605_sppsvc.exe.mui_40875a72	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-inkcontrols_31bf3856ad364e35_10.0.19041.153_none_ac41106ac38a1fe3.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_it-it_3661a8e887f4017f_scfilter.sys.mui_cebab716	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d88727f57b0f135a_scfilter.sys.mui_cebab716	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_4e11037b7cb5a25c_dsregtask.dll.mui_5e1b9353	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-xmllite_31bf3856ad364e35_10.0.19041.546_none_6734c593021dd8ae_xmllite.dll_ce078c31	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.19041.1_it-it_e9b87811d4c3d14a.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_25a24f5a6fa3eb67_storagehealth.adml_00c6b7b3	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.19041.1151_none_9cf376ee9c2c46c1_gpsvc.dll_970be02b	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_uk-ua_4f4fad6deb8a668a_msimsg.dll.mui_72e8994f	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6db5c466b45bc552_sens.dll.mui_64739194	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_ro-ro_bd79f664f129212b_comctl32.dll.mui_0da4e682	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b04a9ba801ea7788_gpsvc.dll.mui_0c160ac2	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasrtutils_31bf3856ad364e35_10.0.19041.1266_none_8c3011e8d40ca7c1.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-netbt-minwin_31bf3856ad364e35_10.0.19041.1_none_a19d8ec5773d4c59.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_94d8a2f49b8df947_mofd.dll.mui_793ef98d	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_54a73aad2cc2f922_storagehealth.adml_00c6b7b3	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..opwindowmanager-api_31bf3856ad364e35_10.0.19041.746_none_be082f599ecc9fb9_dwmapi.dll_2f4f8b34	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_j8514sys.fon_cfb116c0	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.19041.1_es-es_52846179d65f136f_sppsvc.exe.mui_40875a72	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_pt-pt_c0ec67041f3e7ed5.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.19041.1151_none_49b7fb8af93e9473.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.19041.1151_none_49b7fb8af93e9473_clipsvc.dll_0a2c978a	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8954e205e48ee50a_volmgrx.sys.mui_b0c205d7	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.19041.1_none_6f15f13727f830cc.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.1_none_61114d49f90ff362.manifest	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

pid process

4644 e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
4644 e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

pid	process
4644	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
4644	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe

description	pid	process	target process
PID 4644 wrote to memory of 1184	4644	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe	cmd.exe
PID 4644 wrote to memory of 1184	4644	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe	cmd.exe
PID 4644 wrote to memory of 1184	4644	e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e62c896825a6d186f34fb16b1f57490a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\s35351-readme.txt

Filesize
6KB

MD5
1a19dd7aba25e94e7900706c0bce42ab

SHA1
4fec96a19ea621c3d51c9ffe0fe2e56229aad608

SHA256
d57d01c18d51bf38a2dc8c7b0ca4a375635312d70d126fccf9ebba88d2068f82

SHA512
03114c9ac82ec75e5bb7017fdba657cdd8aaa151d9095a5ee1833fc04d499788e1a470877457dcae47631bd163cd6fd800691542ae8f033e3f75f5227bd35c17

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads