Analysis
max time kernel
82s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
25-09-2024 20:23
Static task
static1
Behavioral task
behavioral1
Sample
f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
Target
f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll
Size
116KB
MD5
f6cb21f0df5dbb445d8c6692ffd3838a
SHA1
80cf9b5dda4c3c9e85c32b7b1fe06e7f7dff42c7
SHA256
f67864421d6271aa65d39cb68bb836d2838c681aedade4c77ca198d3e78c70fb
SHA512
1fb84fa9c7b8c3f19c8114a51cda62a1d1a3bd5f9d1182bb9a0dd1bcf9b1811c9deb9ce062a953c0fc72553150d136d8efe8866fcb5bafac98de2c2f34302d82
SSDEEP
1536:CPp8kFF4+utlznGEvCrUmUYwGOmpX2yaICS4Aa7AgIiF1NlwSJlzUki+p/34:8vnuGqfGOqVB6Fl17Lz/I
Malware Config
Extracted
Path
C:\Users\6q0p7xu1-readme.txt
Family
sodinokibi
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E8290E501CFFB1C6
http://decryptor.cc/E8290E501CFFB1C6
Both URLs lead to the same victim page: the path component E8290E501CFFB1C6 is the per-victim identifier carried in the note, reachable over Tor or through the decryptor.cc clearnet gateway. The note itself was extracted from the copy written to the C:\Users root; its filename prefix (6q0p7xu1) is the random per-infection identifier REvil also appends as the extension of encrypted files, so it will differ in every other run.
Signatures
Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe (PID 2728)
File opened (read-only) by rundll32.exe on 23 drive roots: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Every letter except C:, D: and F: is probed, and the probing happens in the encryption process (PID 2728), not in the 64-bit loader (PID 2140). Opening each root read-only is how the sample discovers attached and mapped volumes to encrypt; one process opening this many roots in a single burst is a useful behavioural indicator, with backup agents and AV scanners as the expected exclusions.
Drops file in Program Files directory 21 IoCs
Processes: rundll32.exe (PID 2728)
File created (ransom note, 4 locations):
\??\c:\program files\6q0p7xu1-readme.txt
\??\c:\program files (x86)\6q0p7xu1-readme.txt
\??\c:\program files (x86)\microsoft sql server compact edition\6q0p7xu1-readme.txt
\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\6q0p7xu1-readme.txt
File opened for modification (17 files):
\??\c:\program files\ResetGrant.rar
\??\c:\program files\ResolveTest.dib
\??\c:\program files\ExitRedo.aif
\??\c:\program files\ExpandProtect.vsd
\??\c:\program files\GrantAdd.csv
\??\c:\program files\RedoConvertFrom.js
\??\c:\program files\SyncOut.png
\??\c:\program files\ResumeReceive.fon
\??\c:\program files\SaveExit.i64
\??\c:\program files\SetReset.dwg
\??\c:\program files\ClearRestart.m1v
\??\c:\program files\GetMount.inf
\??\c:\program files\RepairStop.pub
\??\c:\program files\UpdateSplit.emz
\??\c:\program files\CompressSubmit.mpeg
\??\c:\program files\ConvertSwitch.aiff
\??\c:\program files\FindWatch.temp
The verb-noun files are pre-existing files in the sandbox image (the sample opened them, it did not create them). The pattern is what matters: every document in a directory is opened for modification, consistent with in-place encryption, and the same note is created in each directory visited, including the C:\Users root shown under Malware Config. For hunting, key a rule on the "-readme.txt" suffix rather than on the 6q0p7xu1 prefix, which changes per infection.
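The two file-system patterns above (one process probing many drive roots, the same random-prefixed readme dropped in several directories) can be turned into a behavioural check. The block below is an added example, not code from the sandbox report or from Triage; it runs over a constructed event list modelled on the report's rows. The FileEvent layout, both thresholds and the ransom-note filename regex are assumptions.

```python
"""Added example: behavioural check for the drive-probing and ransom-note-dropping
patterns in this report. Not part of the sandbox report; event layout, thresholds
and the note-name regex are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass


# Ransom note name seen in this report: <random extension>-readme.txt.
# The 5-10 alphanumeric prefix length is an assumption, not stated by the report.
NOTE_RE = re.compile(r"^[a-z0-9]{5,10}-readme\.txt$", re.IGNORECASE)
# NT-style drive root as the report prints it, e.g. \??\I:
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Za-z]):$")

# Thresholds (assumed; backup and AV tools will need exclusions).
MIN_DRIVE_ROOTS = 5   # distinct roots probed by one process
MIN_NOTE_DIRS = 3     # directories receiving the same note filename


@dataclass(frozen=True)
class FileEvent:
    description: str   # as in the report: "File opened (read-only)", "File created", ...
    path: str
    process: str
    pid: int


def analyse(events):
    """Return [(pid, files_opened_for_modification, [reasons])] for suspicious pids."""
    roots = defaultdict(set)                          # pid -> {drive letters}
    notes = defaultdict(lambda: defaultdict(set))     # pid -> note name -> {directories}
    modified = defaultdict(int)                       # pid -> count of in-place modifications
    for ev in events:
        m = DRIVE_ROOT_RE.match(ev.path)
        if m and ev.description.startswith("File opened"):
            roots[ev.pid].add(m.group(1).upper())
            continue
        directory, _, name = ev.path.rpartition("\\")
        if ev.description == "File created" and NOTE_RE.match(name):
            notes[ev.pid][name.lower()].add(directory.lower())
        elif ev.description == "File opened for modification":
            modified[ev.pid] += 1

    findings = []
    for pid in sorted(set(roots) | set(notes) | set(modified)):
        reasons = []
        if len(roots.get(pid, ())) >= MIN_DRIVE_ROOTS:
            reasons.append(f"probed {len(roots[pid])} drive roots")
        for name, dirs in notes.get(pid, {}).items():
            if len(dirs) >= MIN_NOTE_DIRS:
                reasons.append(f"dropped {name} in {len(dirs)} directories")
        if reasons:
            findings.append((pid, modified.get(pid, 0), reasons))
    return findings


def sample_events():
    """Constructed events modelled on the report's IoC rows for PID 2728, plus benign noise."""
    evs = [FileEvent("File opened (read-only)", f"\\??\\{c}:", "rundll32.exe", 2728)
           for c in "IPTXABGWMQSZHORLNUVYEJK"]
    for d in (r"\??\c:\program files",
              r"\??\c:\program files (x86)",
              r"\??\c:\program files (x86)\microsoft sql server compact edition",
              r"\??\c:\program files (x86)\microsoft sql server compact edition\v3.5"):
        evs.append(FileEvent("File created", d + r"\6q0p7xu1-readme.txt", "rundll32.exe", 2728))
    for f in ("ResetGrant.rar", "ResolveTest.dib", "ExitRedo.aif"):
        evs.append(FileEvent("File opened for modification", r"\??\c:\program files" + "\\" + f,
                             "rundll32.exe", 2728))
    # Benign controls: explorer reading one root, a user saving an ordinary readme.
    evs.append(FileEvent("File opened (read-only)", r"\??\D:", "explorer.exe", 1400))
    evs.append(FileEvent("File created", r"\??\c:\users\admin\readme.txt", "notepad.exe", 1500))
    return evs


if __name__ == "__main__":
    for pid, n_mod, reasons in analyse(sample_events()):
        print(f"pid {pid}: {n_mod} files opened for modification; " + "; ".join(reasons))
```

On the constructed input only PID 2728 is reported; explorer.exe touching a single root and a user-created readme.txt fall below the thresholds. Feeding real data means mapping your sandbox or EDR file-activity feed onto FileEvent; file-open events are not something Sysmon provides, so this check belongs on a source that records opens, not only creations.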
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: rundll32.exe (PID 2728)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by rundll32.exe
For this family the language check is a kill switch: the sample exits without encrypting when the system UI language or an installed keyboard layout falls in a built-in list of CIS locales. This run's locale was en-us (see resource tags), so execution continued.
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: rundll32.exe (PID 2728)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: rundll32.exe, vssvc.exe
Token enabled / pid / process
SeDebugPrivilege 2728 rundll32.exe
SeTakeOwnershipPrivilege 2728 rundll32.exe
SeBackupPrivilege 2908 vssvc.exe
SeRestorePrivilege 2908 vssvc.exe
SeAuditPrivilege 2908 vssvc.exe
The two rundll32.exe rows are the ones that matter: SeDebugPrivilege lets the process open and manipulate other processes regardless of owner, and SeTakeOwnershipPrivilege lets it take over files its token could not otherwise write. A process can only enable privileges its token already holds, and neither is present in a standard or UAC-filtered token, so these rows show the sample ran elevated in this sandbox. The vssvc.exe rows are the Volume Shadow Copy service's normal behaviour when a snapshot request arrives and are baseline, not an indicator.
Suspicious use of WriteProcessMemory 7 IoCs
Processes: rundll32.exe
PID 2140 (C:\Windows\system32\rundll32.exe) wrote to memory of PID 2728 (C:\Windows\SysWOW64\rundll32.exe): 7 writes.
Check the process tree before reading this as injection. The parent is the 64-bit rundll32.exe and the child is its 32-bit counterpart from SysWOW64, started with the identical command line, which is what the 64-bit rundll32.exe does when handed a 32-bit DLL. Writes from a parent into a child of the same image at process start are consistent with that hand-off rather than with code injection; an injection indicator would involve a target of a different image or writes well after the child started.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Ransomware families including REvil use this interface to enumerate and delete existing shadow copies so that encrypted files cannot be rolled back. The report records only that the COM interface was used (vssvc.exe, PID 2908, appears in the process tree and enabled SeBackupPrivilege and SeRestorePrivilege), not what was requested, so check for surviving shadow copies on an affected host before assuming local restore points are intact.
Processes
C:\Windows\system32\rundll32.exe (PID 2140)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2728, child of 2140)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll,#1
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\unsecapp.exe (PID 1208)
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe (PID 2908)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
The ",#1" suffix means the DLL is invoked through export ordinal 1 rather than a named function, a common choice for loaders that want no descriptive export names. unsecapp.exe -Embedding is the WMI asynchronous-callback host and vssvc.exe is the Volume Shadow Copy service; both are started by the system on demand, which is why they appear as separate roots rather than as children of the sample.
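The process tree and the AdjustPrivilegeToken rows are more telling read together, keyed by PID. The block below is an added example, not code from the report: process records are shaped like what Sysmon event 1 or Security event 4688 would provide, privilege records like Security event 4703, and all values are constructed from this report. The field names, the user-writable path markers and the baseline of services expected to hold backup/restore rights are assumptions.

```python
"""Added example: correlate rundll32 process-creation records with token privilege
adjustments by PID, using records constructed from this report. Field names, path
markers and the 'expected privilege holder' baseline are assumptions."""
import re

# rundll32.exe <dll>,<export>  where <export> is a name or an ordinal such as #1
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(#?\w+)', re.IGNORECASE)

# Path fragments a DLL run by rundll32 should not normally come from (assumed list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Privileges worth alerting on when a non-service process enables them.
SENSITIVE = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege"}
# Services that legitimately enable these while doing their job (assumed baseline).
EXPECTED_HOLDERS = {"vssvc.exe": {"SeBackupPrivilege", "SeRestorePrivilege", "SeAuditPrivilege"}}


def parse_rundll32(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def score_process(proc, priv_events):
    """Reasons this one process record looks suspicious (empty list if none)."""
    reasons = []
    image = proc["image"].lower()
    if image.endswith("\\rundll32.exe"):
        parsed = parse_rundll32(proc["cmdline"])
        if parsed:
            dll, export = parsed
            if any(marker in dll.lower() for marker in USER_WRITABLE):
                reasons.append(f"rundll32 loads DLL from user-writable path: {dll}")
            if export.startswith("#"):
                reasons.append(f"DLL entry called by ordinal {export}, not a named export")
    enabled = {p for e in priv_events if e["pid"] == proc["pid"] for p in e["privileges"]}
    name = image.rpartition("\\")[2]
    unexpected = (enabled & SENSITIVE) - EXPECTED_HOLDERS.get(name, set())
    if unexpected:
        reasons.append("enabled " + ", ".join(sorted(unexpected)))
    return reasons


def analyse(proc_events, priv_events):
    """Map pid -> reasons for every process that scores at least one reason."""
    by_pid = {p["pid"]: p for p in proc_events}
    findings = {}
    for p in proc_events:
        reasons = score_process(p, priv_events)
        parent = by_pid.get(p["ppid"])
        # 64-bit rundll32 in system32 re-launching its 32-bit copy in SysWOW64
        # for a 32-bit DLL: the parent/child pair this report shows.
        if (reasons and parent
                and parent["image"].lower().endswith("\\system32\\rundll32.exe")
                and p["image"].lower().endswith("\\syswow64\\rundll32.exe")):
            reasons.append(f"32-bit rundll32 re-launched by pid {parent['pid']}")
        if reasons:
            findings[p["pid"]] = reasons
    return findings


def sample_process_events():
    """Constructed from the report's process tree (plus one benign rundll32 control)."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll"
    return [
        {"pid": 2140, "ppid": 1100, "image": r"C:\Windows\system32\rundll32.exe",
         "cmdline": f"rundll32.exe {dll},#1"},
        {"pid": 2728, "ppid": 2140, "image": r"C:\Windows\SysWOW64\rundll32.exe",
         "cmdline": f"rundll32.exe {dll},#1"},
        {"pid": 1208, "ppid": 600, "image": r"C:\Windows\system32\wbem\unsecapp.exe",
         "cmdline": r"C:\Windows\system32\wbem\unsecapp.exe -Embedding"},
        {"pid": 2908, "ppid": 600, "image": r"C:\Windows\system32\vssvc.exe",
         "cmdline": r"C:\Windows\system32\vssvc.exe"},
        {"pid": 3300, "ppid": 1100, "image": r"C:\Windows\system32\rundll32.exe",
         "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
    ]


def sample_priv_events():
    """Constructed from the report's AdjustPrivilegeToken rows."""
    return [
        {"pid": 2728, "privileges": ["SeDebugPrivilege"]},
        {"pid": 2728, "privileges": ["SeTakeOwnershipPrivilege"]},
        {"pid": 2908, "privileges": ["SeBackupPrivilege", "SeRestorePrivilege", "SeAuditPrivilege"]},
    ]


if __name__ == "__main__":
    for pid, reasons in analyse(sample_process_events(), sample_priv_events()).items():
        print(pid, "->", "; ".join(reasons))
```

On the constructed records both rundll32.exe instances are flagged (Temp-resident DLL, ordinal export), PID 2728 additionally for the enabled debug and take-ownership rights and for being the WOW64 re-launch of PID 2140; vssvc.exe is not flagged because its backup/restore rights are in the baseline, and the control that runs a named export from shell32.dll scores nothing. Real 4703 events are noisy, so the correlation with the loader pattern, not the privilege event alone, is what should drive the alert.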
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
7KB
MD5
8514b2d578f5529e15f5fd4e13be73ca
SHA1
1fd93b3b254eb50a690cd28e79c7486efee3e4f3
SHA256
6991be92ffa7d7554fae679bb8219cb8a2f1421ad05d589a84dfe1160c9d6635
SHA512
4ea7784345ece47fe17541866ab3292d4476c97bcb0a8406558586c5f3c7ae2aeee33c19a014fb9336f8b34a6e90bb009aaff91cceaacc50e78ea293e4e4d502