Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/05/2024, 12:57

General

  • Target

    12d60944c52bcc294d5c55bc20860ec7_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    12d60944c52bcc294d5c55bc20860ec7

  • SHA1

    37563cca9ff0ed0f4f4bed5e831d845cae3597c0

  • SHA256

    2ca519d47ac0ab709cabe70a89504d134475d68be47081be4ccd758d371619a4

  • SHA512

    16a2d8b9a6d592c822131fa94b3160af6a6a7ddba06934dd60b6dab97f2bd9e9e4fd2338aa45e458b33e5a1f612bed36cd7a848f9bf5788e51f9f3636275270d

  • SSDEEP

    3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDOoOarvil:ffYWAw9fcUdmwIXo+M9VQHDZOAi

Score
10/10

Malware Config

Extracted

  • Path
    C:\Users\wy36fc-readme.txt
  • Family
    sodinokibi
  • Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension wy36fc. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6C3D83F5201C8948
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/6C3D83F5201C8948
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: M2SfOMxooP9jo5wH5MIfFnOGd9kzvMlhmav9lQHPc+Ieti8YSpLOh8213OjlO/71 NBY/SsSIYFA/F7RqrQPl0C1iOtl4JF8b4pe/2ekaYPhgXniJd9uE/ckBTCRqY//s YEiz88I6h7F1RCrxGwsvzEUgBZIJuXpx7CVTEYhRFeZ8fZytBvfg+MJ8Kn7o9tSv fdqM9trAy9e2Bedg5zMcPRct9cfCbPSTS79gopqOhSx0bvasahzLPyXv98Q2IROM rvrV7w3Spc+3Q7CnnojVpDFW3DoOMKjC8aDklRfxTbqmCGIe7HiBT3z0pfHuNPWj qHZx8jUNTeZwSvv57pWdRpdLAtTkTRzG017NbtMw3uogTd0HJEqATackhS5jW+8L c8y929kj6eoPgApKbF9DET3LheOHHPNmJTZkKwkONms2mzu95tHsSpjZP/kwoKRc q8or7u4+IOcb+4rgHpKsxjpSzEKd9YrpTJMJFeMeuajDYifpI+zSZNOdCqcRLJmT PrQ1/+Im6uNNyQrWGwr3nTWYnrmyC3XJorSyG4I7RaQn8LWJqzhdPrtAkbQf7Ah0 WJ/+HMgoAKrSumoGHNmoqupJSO1Er4bfjEKNjIYfzDkKsyG2ZrcXp4+q2K67/MSK RY3x/4FFE1blbiUp79Y2bnhroIZhmZ20VOa6bIvn49L4TD6HUioYI2MB74u98zv8 FNkoguvSSAfhB1BNlypQFatIwSCGaCIzs9+9oc0mgubpbb4n/ZLcPyWT+/nBXKND RxWj+kRAQccmRW17X9yBQqTTJO21lJJwmhOLsT+5kG8Pu3t1Bv4YupB60rnhdc9U PQYmJlEWjL1GYSKKOtSQr1QovfMMkvYXXXWDnAh60fCgMMCNssRxVPPu541nAsK8 TkVCpq2isYZOexYdWWFZglqfUz0c7D/4zqlVsUhfIEjWK5VE2NcX3E9FjpLOaIrU ZEKshDpRGnzYFdsgxDzx9e2DCys0HpvQStkZqsnhmHv+Ym0rVbehkajBfArRnMD0 amq6wUGO5zQ5XpStXbIBzNfSawasXJUAZ1qjiwVi7u3qQjbN/i1mgQprZvuuHD9T 10inhKTXYCSX9uHE4K/Yq2Kys1t3VzB/XGOHKhsjBQ8KURbX8Fq7/bXiklpltlAO ciX/mGO6XcMLmtVxMWOFb/AUEnDAT7efo8X6U9aMo7i30mO/JAKVCAYEB8n0tL42 j4ha4nHiwR3gANR4
Extension name: wy36fc

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6C3D83F5201C8948

http://decryptor.top/6C3D83F5201C8948

Signatures

  • Sodin, Sodinokibi, REvil
    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives (3 TTPs, 25 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (25 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\12d60944c52bcc294d5c55bc20860ec7_JaffaCakes118.exe (PID 2612, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\12d60944c52bcc294d5c55bc20860ec7_JaffaCakes118.exe"
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory

    • Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1652, depth 2)
      Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (The -e argument is base64-encoded UTF-16LE; it decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which deletes every volume shadow copy via WMI, the behaviour behind the "Uses Volume Shadow Copy service COM API" signature above.)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

  • C:\Windows\system32\wbem\unsecapp.exe (PID 2344, depth 1)
    Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

  • C:\Windows\system32\vssvc.exe (PID 2588, depth 1)
    Command line: C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken

Downloads

  • C:\Users\wy36fc-readme.txt
    Filesize: 6KB
    MD5: 9d58178d262691dce073c2b5ab69f83e
    SHA1: 42ddffcbd664d7e4ac8ba5b3f6814bf212de0a87
    SHA256: 437266cf6633b042b55ac2762ef70da2bbe3dbcafaeffd519f52c233c3f12fb1
    SHA512: df5bf351e6dcb6568aff512234b30cdd4d2009633ef9ad2dd2ef905a03744d5b5c9e78fa7f8a19b44a7f5c96b77284c6461d06325205e4394254adecb46426a1

  • memory/1652-4-0x000007FEF604E000-0x000007FEF604F000-memory.dmp (Filesize: 4KB)
  • memory/1652-5-0x000000001B710000-0x000000001B9F2000-memory.dmp (Filesize: 2.9MB)
  • memory/1652-6-0x0000000001E80000-0x0000000001E88000-memory.dmp (Filesize: 32KB)
  • memory/1652-7-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp (Filesize: 9.6MB)
  • memory/1652-8-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp (Filesize: 9.6MB)
  • memory/1652-9-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp (Filesize: 9.6MB)
  • memory/1652-10-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp (Filesize: 9.6MB)
  • memory/1652-11-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp (Filesize: 9.6MB)
  • memory/1652-12-0x000007FEF5D90000-0x000007FEF672D000-memory.dmp (Filesize: 9.6MB)