Analysis Overview
SHA256
faf94b3ba043e0d4b7463497b69690938f8ecaac9f65fb972b5b1f6bfb51eca8
Threat Level: Known bad
The file JaffaCakes118_faf94b3ba043e0d4b7463497b69690938f8ecaac9f65fb972b5b1f6bfb51eca8 was found to be: Known bad.
Malicious Activity Summary
Sodin,Sodinokibi,REvil
Sodinokibi family
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-22 01:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-22 01:35
Reported
2024-12-22 01:37
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pz4.bmp" | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2156 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2156 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2156 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2156 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe
"C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/2156-1-0x0000000000650000-0x0000000000750000-memory.dmp
memory/2156-3-0x0000000000400000-0x000000000048D000-memory.dmp
memory/2156-2-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2224-8-0x000007FEF58BE000-0x000007FEF58BF000-memory.dmp
memory/2224-9-0x000000001B530000-0x000000001B812000-memory.dmp
memory/2224-10-0x00000000027A0000-0x00000000027A8000-memory.dmp
memory/2224-11-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp
memory/2224-12-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp
memory/2224-13-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp
memory/2224-14-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp
memory/2224-15-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp
memory/2224-16-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp
C:\Users\umo6tpg08-readme.txt
| MD5 | a59586880f60be884ccd3e8e0a5d9cfd |
| SHA1 | 4c865740676663674b4b433a9dfdb61bb5f7ab0e |
| SHA256 | 5b35924ef701b732acba17e46291c9604c95492c55a28d36668ba3cd0d4e798e |
| SHA512 | a256c5ffc4dbf46f7d105d593fa1e3a834f27d239ebb64d07c2ed8d25aeb1eb7642d3c612083e7fabf9af23b2af3bb609c37f1f0d2fbb979a4f956e5aa0ac85a |
memory/2156-89-0x0000000000650000-0x0000000000750000-memory.dmp
memory/2156-90-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2156-91-0x0000000000400000-0x000000000048D000-memory.dmp
memory/2156-456-0x0000000000400000-0x000000000048D000-memory.dmp
memory/2156-461-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2156-460-0x0000000000400000-0x000000000048D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-22 01:35
Reported
2024-12-22 01:37
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
143s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\u434fyoq23.bmp" | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | N/A |
Drops file in Program Files directory
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4528 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4528 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe
"C:\Users\Admin\AppData\Local\Temp\fa7d2020776a080d2580c0cad013be84484cbaa8d927fedd51914bad567d3278.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4528 -ip 4528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 656
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4528-2-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4528-1-0x0000000000580000-0x0000000000680000-memory.dmp
memory/4528-3-0x0000000000400000-0x000000000048D000-memory.dmp
memory/3300-4-0x00007FF856083000-0x00007FF856085000-memory.dmp
memory/3300-14-0x000001FECB8F0000-0x000001FECB912000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klv3cf0f.2io.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3300-15-0x00007FF856080000-0x00007FF856B41000-memory.dmp
memory/3300-16-0x00007FF856080000-0x00007FF856B41000-memory.dmp
memory/3300-19-0x00007FF856080000-0x00007FF856B41000-memory.dmp
memory/4528-21-0x0000000000580000-0x0000000000680000-memory.dmp
memory/4528-22-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4528-23-0x0000000000400000-0x000000000048D000-memory.dmp
C:\Users\08125vk301-readme.txt
| MD5 | 80dc3919e37343a02477891f5170c571 |
| SHA1 | 98d73720eb9773a52ca09c9afedc7e062dde40f8 |
| SHA256 | 5ae833417040a94d7b2912ac498e18a469f0cc2c5933b6910e1188484180a990 |
| SHA512 | fb04ea3f18d2012b730a073f34fee2e44ebc7cb9233039488fa1f8c4209a0e17b29486717f65d139e7a71db726d5cf255d52bff009b7b28c991047332d0e98f2 |
memory/4528-96-0x0000000000400000-0x000000000048D000-memory.dmp
memory/4528-436-0x0000000000400000-0x000000000048D000-memory.dmp
memory/4528-441-0x0000000000400000-0x000000000048D000-memory.dmp
memory/4528-442-0x0000000000400000-0x000000000041F000-memory.dmp