Malware Analysis Report

2025-01-18 18:25

Sample ID 241224-r9cywszpar
Target JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a
SHA256 3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a
Tags
sodinokibi $2a$10$ipiw2kvz6.encqncwsh0doqxumqo.zrlyn0mvyoeggivyldglggmg 6769 credential_access discovery ransomware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a

Threat Level: Known bad

The file JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a was found to be: Known bad.

Malicious Activity Summary

Sodin,Sodinokibi,REvil

Sodinokibi family

Credentials from Password Stores: Windows Credential Manager

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-24 14:53

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-24 14:53

Reported

2024-12-24 14:55

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a.dll

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\regsvr32.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1ut768.bmp" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\RequestApprove.dxf C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\EnableRedo.vbe C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\ExitSwitch.ADT C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\ExpandRevoke.mp3 C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\NewJoin.crw C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\UpdateUndo.jpeg C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\AddCheckpoint.m1v C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\BackupResume.svg C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\MeasureComplete.midi C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\SuspendTrace.shtml C:\Windows\SysWOW64\regsvr32.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 4604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 4604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 4604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a.dll

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\pz370-readme.txt

MD5 d0a64ddbf3fd0fcae684af14143514b5
SHA1 4bba69767fe5418bb3a71b6c498d474502ce9c9a
SHA256 943924515c3d716f79ce451c0dd80e5b173b9d8c7e1c120a8234e57055849d42
SHA512 1be4fce152b01caf24fbdc406b215160d18c7950008131e36b72d9f5ae121442c4bc6b7ba241a4e0331e2a61fec89dbbe9211b5147c48a8ecb76cdffde94c90c

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-24 14:53

Reported

2024-12-24 14:55

Platform

win7-20241010-en

Max time kernel

120s

Max time network

138s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a.dll

Signatures

Sodin,Sodinokibi,REvil

ransomware sodinokibi

Sodinokibi family

sodinokibi

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\regsvr32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\regsvr32.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57u1rs.bmp" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\UpdateGrant.M2T C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\ConnectInvoke.m4a C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\LockDisconnect.aiff C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\RestoreRepair.js C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\SearchUpdate.wps C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\ShowPop.mp3 C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\CompleteRepair.odt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\FormatUndo.001 C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\PingRestart.vdx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\SubmitRead.WTV C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\LockConvert.mpg C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\RedoMeasure.png C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\TraceEnter.xlsm C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\CompressEnable.vstx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\DebugUpdate.au3 C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\EnableNew.easmx C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\ExportEnter.search-ms C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\JoinSkip.tif C:\Windows\SysWOW64\regsvr32.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\05281emiw-readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\05281emiw-readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\05281emiw-readme.txt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\CompressAdd.cr2 C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\PopRemove.mov C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\PushUnprotect.odt C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\RegisterStart.sql C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification \??\c:\program files\SplitJoin.pot C:\Windows\SysWOW64\regsvr32.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 1988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2904 wrote to memory of 1988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2904 wrote to memory of 1988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2904 wrote to memory of 1988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2904 wrote to memory of 1988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2904 wrote to memory of 1988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2904 wrote to memory of 1988 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a.dll

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\05281emiw-readme.txt

MD5 0e19cf0e63d82be2a76fe198e3c06b16
SHA1 2ae5e616315dbbd25e83debda2314da3e2e1cb90
SHA256 f32d92ce64f3a10d5eecea0e88661d327868a9355abf21737b92f908ad9a85ee
SHA512 11d8fa68742681ed5e3b1495501396c0228f5a497052b1686fe49c96fe57432425005f620e1f4825c517c6031e4fa8273175e09cec90961d80c36ada3cce1cc2