Overview

overview

10

Static

static

10

128d82b29a...18.exe

windows7-x64

10

128d82b29a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-05-2024 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe

  • Size

    158KB

  • MD5

    128d82b29a73c5ca4cbab8d745720e80

  • SHA1

    6c57602a0896cf725552aa8334a4faa53bc8e9ce

  • SHA256

    67dfdd2f62f976b1c265dfe2adb349163ec39e3087948120b1584b6cf71ac2c9

  • SHA512

    688158bc844459cc1f5ff5b0ee0ffb25014b11501e520c65860f36fb94e8b4457c940a7bb12383569e1664fc56c2b0a0fdea85ae88d71ab7acd894bdaafa1af5

  • SSDEEP

    3072:gnItsOCo4mHLbi4eTMlwDCnutNWXZXXWFeQU:WIyOCvUbnWJt8pnWFe

Score
10/10
sodinokibiransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\651gzbi7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 651gzbi7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7D18945AFB4DF26D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/7D18945AFB4DF26D Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: J4oHbsgmfML0L9U+AmW6GOGkG8UMIV+UIDrX6pJZ4eiKhyWpmKo5iQe8mZcvaQZY 2UD5h1wNN1F5JF/Bw9TZl5V1kd4ONGxjTJUwpLOmhz3DnGRr6pYvuqN+WFbt51FS VYDQrKiRLuWnHCuIYQoYwmMjFP1kjSrGiHRi5A7BkAninGuttbxICMVLGjNcdnBL /zs4nEA9TRllEN5skc7D6pxO9YBZynAskRk9p3yxVgpIE80SWkGkh502T4vgekMe aNIy9uu5Cai/qEnRrQR15rgNxoTZIQqvyv8J7s0fTS2hfk6o7M2bn4QpwxUL4HSY wO8k22smIYUdsRvOzFoBNK2xy0DlHset+i3HHEba0w+XyKZPWmAJyk/dNKy8MDug lPbZsSA6dXAO0mNwNkvU9tQJ9BfUVm/kDXz58pLqfVvTe/RVREDSY2AyEuEtFLpe CoigFQfsXKOoD+GJ/NQr/pFaa+M1nVtG09FiaqZtbHG54oeQjlI26Xif8qe8WQYy qmZjeFCjXXSh71sijcxQjCkSDb1XfpA/Oc8KZi1lVOU0htHfLhVWIq3y/T3ksNgW Xa6JhRSrYktFwhFE6JKlnNF5+244azYTmLqlW0B1jh3UU6f0aPW48WELJH3f+xoD k2cB1CUM2p0Sp2NEhZb4rIjpRukhE8Xci7TEvOnB4Y85r4HYtKCmGxepj5Vp4nSW v1q8W5NLcUKWszR+jmx6jzQHYyyfeH+D3VXgZefOSHddOd1gOhu6kNvhAY5U/V3A 5aSuTC0z4OcqOPMO+jEXOVrJIntsLhlq/Zj71iWdG1wR5jxg0NorAGm6zANW9vDs qfuwQOHyefCUMia9We+Q4Ya9R51pj+dw5xPkYF8DgDdtXNLpSDEAhH433SXlvp37 O2/+AHBtu/zKVq5BRCdoUEUwY+im3lG2fQdh7pnVRFcT0DuX3FbhtjP+fNrODkfV pagk8Aj2w2TPB+3hg1RiNoISxf9FBbtic3hABFWhrx6gcYbH9eLRGS+M0UBKEEWz +DTL1eTOvJj4rOBIUpr0tAL2MzjcDO7dOcVAVaRbd7uqWcytKsR0FiMCi7NsYjGr 7DbvtIP+ub/smdKGbLhAvyPpHeZi9wJPfsrAjSxn/gFET5UT9uWqBGkwH0Ysx4en YPSOVwYmA+bxQjC0HOtTfbKS6XcqzUmBPrvwNuWB Extension name: 651gzbi7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7D18945AFB4DF26D

http://decryptor.top/7D18945AFB4DF26D

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Renames multiple (162) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\128d82b29a73c5ca4cbab8d745720e80_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:3724

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\651gzbi7-readme.txt
      Filesize

      6KB

      MD5

      c107ede6dba2f5606715bdb1ae4e525b

      SHA1

      35e2e067e445a3b822c58516320e3afd922023bf

      SHA256

      46bf45e5aca2bdff05200c2ffaee2bb0e8054284e9796b029b4627125744f947

      SHA512

      78bd6c05dcd07b907d761cebaf919c12ffe6c847b2c6fb7781bb24acbd47f4cf8b2820d3f5d427c347efff6d0e48671ce965c3396ad4df05c416573267cc3b08

      Download Submit