Analysis Overview
SHA256
3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a
Threat Level: Known bad
The file JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a was found to be: Known bad.
Malicious Activity Summary
Sodin,Sodinokibi,REvil
Sodinokibi family
Credentials from Password Stores: Windows Credential Manager
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-24 14:53
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-24 14:53
Reported
2024-12-24 14:55
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Credentials from Password Stores: Windows Credential Manager
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1ut768.bmp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\program files\RequestApprove.dxf | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\EnableRedo.vbe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\ExitSwitch.ADT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\ExpandRevoke.mp3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\NewJoin.crw | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\UpdateUndo.jpeg | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\AddCheckpoint.m1v | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\BackupResume.svg | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\MeasureComplete.midi | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\SuspendTrace.shtml | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2768 wrote to memory of 4604 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2768 wrote to memory of 4604 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2768 wrote to memory of 4604 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a.dll
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4604-0-0x0000000000400000-0x00000000004A7000-memory.dmp
memory/4604-1-0x0000000000404000-0x0000000000406000-memory.dmp
memory/4604-2-0x0000000000400000-0x00000000004A7000-memory.dmp
memory/4604-3-0x0000000000400000-0x00000000004A7000-memory.dmp
memory/4604-5-0x0000000000404000-0x0000000000406000-memory.dmp
memory/4604-6-0x0000000000400000-0x00000000004A7000-memory.dmp
memory/4604-62-0x0000000000400000-0x00000000004A7000-memory.dmp
C:\Users\Admin\pz370-readme.txt
| MD5 | d0a64ddbf3fd0fcae684af14143514b5 |
| SHA1 | 4bba69767fe5418bb3a71b6c498d474502ce9c9a |
| SHA256 | 943924515c3d716f79ce451c0dd80e5b173b9d8c7e1c120a8234e57055849d42 |
| SHA512 | 1be4fce152b01caf24fbdc406b215160d18c7950008131e36b72d9f5ae121442c4bc6b7ba241a4e0331e2a61fec89dbbe9211b5147c48a8ecb76cdffde94c90c |
memory/4604-433-0x0000000000400000-0x00000000004A7000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-24 14:53
Reported
2024-12-24 14:55
Platform
win7-20241010-en
Max time kernel
120s
Max time network
138s
Command Line
Signatures
Sodin,Sodinokibi,REvil
Sodinokibi family
Credentials from Password Stores: Windows Credential Manager
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57u1rs.bmp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\program files\UpdateGrant.M2T | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\ConnectInvoke.m4a | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\LockDisconnect.aiff | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\RestoreRepair.js | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\SearchUpdate.wps | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\ShowPop.mp3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\CompleteRepair.odt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\FormatUndo.001 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\PingRestart.vdx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\SubmitRead.WTV | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\LockConvert.mpg | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\RedoMeasure.png | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\TraceEnter.xlsm | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\CompressEnable.vstx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\DebugUpdate.au3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\EnableNew.easmx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\ExportEnter.search-ms | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\JoinSkip.tif | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\05281emiw-readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\05281emiw-readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\05281emiw-readme.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\CompressAdd.cr2 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\PopRemove.mov | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\PushUnprotect.odt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\RegisterStart.sql | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | \??\c:\program files\SplitJoin.pot | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2904 wrote to memory of 1988 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 1988 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 1988 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 1988 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 1988 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 1988 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2904 wrote to memory of 1988 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f50b89979ffff65668924c1b935cf655b8efc46d4c121ae8627a0474f1d9e0a.dll
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/1988-0-0x0000000000940000-0x00000000009E7000-memory.dmp
memory/1988-1-0x0000000000944000-0x0000000000946000-memory.dmp
memory/1988-2-0x0000000000940000-0x00000000009E7000-memory.dmp
memory/1988-4-0x0000000000944000-0x0000000000946000-memory.dmp
memory/1988-16-0x0000000000940000-0x00000000009E7000-memory.dmp
memory/1988-15-0x0000000000940000-0x00000000009E7000-memory.dmp
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\05281emiw-readme.txt
| MD5 | 0e19cf0e63d82be2a76fe198e3c06b16 |
| SHA1 | 2ae5e616315dbbd25e83debda2314da3e2e1cb90 |
| SHA256 | f32d92ce64f3a10d5eecea0e88661d327868a9355abf21737b92f908ad9a85ee |
| SHA512 | 11d8fa68742681ed5e3b1495501396c0228f5a497052b1686fe49c96fe57432425005f620e1f4825c517c6031e4fa8273175e09cec90961d80c36ada3cce1cc2 |
memory/1988-516-0x0000000000940000-0x00000000009E7000-memory.dmp