Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2024 20:23
Static task: static1
Behavioral task: behavioral1
  Sample: f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll
Size: 116KB
MD5: f6cb21f0df5dbb445d8c6692ffd3838a
SHA1: 80cf9b5dda4c3c9e85c32b7b1fe06e7f7dff42c7
SHA256: f67864421d6271aa65d39cb68bb836d2838c681aedade4c77ca198d3e78c70fb
SHA512: 1fb84fa9c7b8c3f19c8114a51cda62a1d1a3bd5f9d1182bb9a0dd1bcf9b1811c9deb9ce062a953c0fc72553150d136d8efe8866fcb5bafac98de2c2f34302d82
SSDEEP: 1536:CPp8kFF4+utlznGEvCrUmUYwGOmpX2yaICS4Aa7AgIiF1NlwSJlzUki+p/34:8vnuGqfGOqVB6Fl17Lz/I
Malware Config
Extracted from: C:\Users\61rls155-readme.txt
Family: sodinokibi
Payment/decryptor URLs (both carry the same victim identifier, B6A3C96171C6CFD6):
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B6A3C96171C6CFD6
  http://decryptor.cc/B6A3C96171C6CFD6
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\E:  rundll32.exe
  File opened (read-only)  \??\L:  rundll32.exe
  File opened (read-only)  \??\N:  rundll32.exe
  File opened (read-only)  \??\O:  rundll32.exe
  File opened (read-only)  \??\Y:  rundll32.exe
  File opened (read-only)  \??\A:  rundll32.exe
  File opened (read-only)  \??\I:  rundll32.exe
  File opened (read-only)  \??\S:  rundll32.exe
  File opened (read-only)  \??\V:  rundll32.exe
  File opened (read-only)  \??\G:  rundll32.exe
  File opened (read-only)  \??\M:  rundll32.exe
  File opened (read-only)  \??\Q:  rundll32.exe
  File opened (read-only)  \??\T:  rundll32.exe
  File opened (read-only)  \??\U:  rundll32.exe
  File opened (read-only)  \??\R:  rundll32.exe
  File opened (read-only)  \??\W:  rundll32.exe
  File opened (read-only)  \??\X:  rundll32.exe
  File opened (read-only)  \??\B:  rundll32.exe
  File opened (read-only)  \??\H:  rundll32.exe
  File opened (read-only)  \??\J:  rundll32.exe
  File opened (read-only)  \??\K:  rundll32.exe
  File opened (read-only)  \??\P:  rundll32.exe
  File opened (read-only)  \??\Z:  rundll32.exe
Drops file in Program Files directory (27 IoCs)
  description  ioc  Process
  File opened for modification  \??\c:\program files\SelectRestore.3g2  rundll32.exe
  File opened for modification  \??\c:\program files\SetDisable.mht  rundll32.exe
  File opened for modification  \??\c:\program files\UnblockResolve.potm  rundll32.exe
  File opened for modification  \??\c:\program files\JoinExit.docm  rundll32.exe
  File opened for modification  \??\c:\program files\PingSuspend.jpeg  rundll32.exe
  File opened for modification  \??\c:\program files\SelectShow.ppsm  rundll32.exe
  File opened for modification  \??\c:\program files\ConvertFromAssert.mpeg  rundll32.exe
  File opened for modification  \??\c:\program files\UnprotectResolve.odt  rundll32.exe
  File opened for modification  \??\c:\program files\InitializePop.doc  rundll32.exe
  File opened for modification  \??\c:\program files\ResumeComplete.ppsm  rundll32.exe
  File opened for modification  \??\c:\program files\ConvertFromCheckpoint.eps  rundll32.exe
  File opened for modification  \??\c:\program files\LockEdit.avi  rundll32.exe
  File opened for modification  \??\c:\program files\ReadFormat.mp2  rundll32.exe
  File opened for modification  \??\c:\program files\StopBackup.ttf  rundll32.exe
  File opened for modification  \??\c:\program files\ExitSplit.midi  rundll32.exe
  File opened for modification  \??\c:\program files\UnblockStart.mid  rundll32.exe
  File opened for modification  \??\c:\program files\UpdateSubmit.vbs  rundll32.exe
  File opened for modification  \??\c:\program files\ConvertFromUnblock.cfg  rundll32.exe
  File opened for modification  \??\c:\program files\TestBlock.xlt  rundll32.exe
  File opened for modification  \??\c:\program files\UnprotectInitialize.ADT  rundll32.exe
  File created                  \??\c:\program files\61rls155-readme.txt  rundll32.exe
  File created                  \??\c:\program files (x86)\61rls155-readme.txt  rundll32.exe
  File opened for modification  \??\c:\program files\AssertSearch.vst  rundll32.exe
  File opened for modification  \??\c:\program files\FindMount.eprtx  rundll32.exe
  File opened for modification  \??\c:\program files\NewRename.xps  rundll32.exe
  File opened for modification  \??\c:\program files\ConvertRevoke.wav  rundll32.exe
  File opened for modification  \??\c:\program files\ExpandClose.docx  rundll32.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4424  rundll32.exe
  4424  rundll32.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                      pid   Process
  Token: SeDebugPrivilege          4424  rundll32.exe
  Token: SeTakeOwnershipPrivilege  4424  rundll32.exe
  Token: SeBackupPrivilege         940   vssvc.exe
  Token: SeRestorePrivilege        940   vssvc.exe
  Token: SeAuditPrivilege          940   vssvc.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 1428 wrote to memory of 4424  1428  rundll32.exe  82
  PID 1428 wrote to memory of 4424  1428  rundll32.exe  82
  PID 1428 wrote to memory of 4424  1428  rundll32.exe  82
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
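The signature tables above are flat "description ioc Process" rows, which makes them easy to turn into a small detection pass. The Python below is an added example written for this page, not code from the sandbox, from REvil, or from any detection product. Its sample rows are copied (as a subset) from the tables above plus one constructed benign row; the drive-count threshold and the ransom-note filename pattern are assumptions of the example, not facts the report states.

```python
# Added example: detection logic over the report's flattened IoC rows.
import re
from collections import defaultdict

# Constructed from the "description ioc Process" rows above (subset), plus one
# constructed benign row for explorer.exe that the logic should ignore.
IOC_LINES = [
    r"File opened (read-only) \??\E: rundll32.exe",
    r"File opened (read-only) \??\L: rundll32.exe",
    r"File opened (read-only) \??\N: rundll32.exe",
    r"File opened (read-only) \??\O: rundll32.exe",
    r"File opened (read-only) \??\Y: rundll32.exe",
    r"File opened (read-only) \??\A: rundll32.exe",
    r"File opened for modification \??\c:\program files\SelectRestore.3g2 rundll32.exe",
    r"File created \??\c:\program files\61rls155-readme.txt rundll32.exe",
    r"File created \??\c:\program files (x86)\61rls155-readme.txt rundll32.exe",
    r"File opened (read-only) \??\C: explorer.exe",
]

# Constructed from the "Token: <privilege> <pid> <process>" rows above.
TOKEN_LINES = [
    "Token: SeDebugPrivilege 4424 rundll32.exe",
    "Token: SeTakeOwnershipPrivilege 4424 rundll32.exe",
    "Token: SeBackupPrivilege 940 vssvc.exe",
    "Token: SeRestorePrivilege 940 vssvc.exe",
    "Token: SeAuditPrivilege 940 vssvc.exe",
]

# Row layout is "<description> <path, may contain spaces> <process>": the process
# is the final whitespace-free token, the path is everything in between.
IOC_RE = re.compile(
    r"^(File opened \(read-only\)|File opened for modification|File created)"
    r"\s+(\S.*?)\s+(\S+)$"
)
TOKEN_RE = re.compile(r"^Token:\s+(\S+)\s+(\d+)\s+(\S+)$")
# A bare volume root in NT object-path form, e.g. \??\E:
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Za-z]):$")
# Assumed generalisation of the note seen here (61rls155-readme.txt): a short
# alphanumeric id followed by "-readme.txt". Not something the report states.
NOTE_RE = re.compile(r"(?i)[\\/]([0-9a-z]{5,10})-readme\.txt$")


def parse_iocs(lines):
    """Return (description, path, process) tuples; rows that do not parse are dropped."""
    rows = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def drives_touched(events):
    """Distinct drive roots each process opened read-only, keyed by process name."""
    drives = defaultdict(set)
    for desc, path, proc in events:
        m = DRIVE_RE.match(path)
        if m and desc == "File opened (read-only)":
            drives[proc].add(m.group(1).upper())
    return drives


def ransom_notes(events):
    """(process, path) for every created file whose name matches NOTE_RE."""
    return [(proc, path) for desc, path, proc in events
            if desc == "File created" and NOTE_RE.search(path)]


def parse_tokens(lines):
    """Privileges enabled per (pid, process), from the AdjustPrivilegeToken rows."""
    privs = defaultdict(set)
    for line in lines:
        m = TOKEN_RE.match(line.strip())
        if m:
            priv, pid, proc = m.groups()
            privs[(int(pid), proc)].add(priv)
    return privs


def triage(ioc_lines, token_lines, drive_threshold=5):
    """Combine the report's observations into named findings.

    drive_threshold is an assumption of this example: a process probing at least
    that many distinct roots is treated as enumerating drives (this sample: 23).
    """
    events = parse_iocs(ioc_lines)
    drives = drives_touched(events)
    privs = parse_tokens(token_lines)
    return {
        "drive_enumeration": sorted(p for p, d in drives.items() if len(d) >= drive_threshold),
        "ransom_note_droppers": sorted({proc for proc, _ in ransom_notes(events)}),
        # SeDebugPrivilege together with SeTakeOwnershipPrivilege on one process
        # is the pairing the report shows for PID 4424.
        "debug_and_takeownership": sorted(
            f"{proc}:{pid}" for (pid, proc), s in privs.items()
            if {"SeDebugPrivilege", "SeTakeOwnershipPrivilege"} <= s),
        # The shadow-copy service enabling SeBackupPrivilege, as for PID 940.
        "vssvc_backup_privilege": any(
            proc == "vssvc.exe" and "SeBackupPrivilege" in s
            for (_, proc), s in privs.items()),
    }


if __name__ == "__main__":
    for name, value in triage(IOC_LINES, TOKEN_LINES).items():
        print(f"{name}: {value}")
```

On the rows above, only rundll32.exe crosses the drive threshold and only it drops the note; explorer.exe, with a single root, is ignored. The same parse feeds a full report dump if the rows are read from a file instead of the constructed list.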
Processes

The 64-bit rundll32.exe launched by the sandbox (PID 1428) re-executes the same command line through its 32-bit SysWOW64 counterpart (PID 4424), which is how rundll32 handles a 32-bit DLL; every file-system, registry and privilege signature is attributed to that child.

C:\Windows\system32\rundll32.exe  (PID 1428)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 4424, child of 1428)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll,#1
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe  (PID 3524)
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe  (PID 940)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 7KB
MD5: c4c42b166d9a57622e44d495ff17b8d2
SHA1: d0f67f09e0ae277b82c1257aa9a95de157ca6673
SHA256: 4bcfcd15dd3fa134e14ed53ce6b262e42a56577d874f915177f69cbe78d2d077
SHA512: 0a93331950ad1173cdf53c75e192a91f53eb8ae7750a4ceee6f82b76611ece6493c7f9e2c5904a9b8180e1d64acc84767c8a73d45e078d7df10a3ee96bf2976b