Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

19e7e57a76...18.dll

windows7-x64

10

19e7e57a76...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    06/05/2024, 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19e7e57a7622586a96b10cc489303d0e_JaffaCakes118.dll

  • Size

    164KB

  • MD5

    19e7e57a7622586a96b10cc489303d0e

  • SHA1

    09e751d3f6078b21a534a319af248e03d82decdd

  • SHA256

    c25b0b627ea052c67ef549e1040e5a33779f8661172c2df6420de1d2b228f7b7

  • SHA512

    d059f5ba4cf37389a6d12701d7d37e4ec1815367a7c9822ff22a287ec3dcb99a669d8b48bea0948948d4235f86c0808ce8d0a01bbd9bc1914056c5e9874f7554

  • SSDEEP

    3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfp/TIdPVBf:veoUeZR2TRCWQFfhTId

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Users\34as0d2y-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 34as0d2y. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B52086FF733C4617 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B52086FF733C4617 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: B4zpnf3KTbAxuHsSuQ0Kkdtl1nNqEa3jlCtC+oRzVfrqQGUtrycpao7rWwG4kMNQ C8hiG8783yirCkMMv6RuBeuws7ssK6vgO+Y6VOX8MEwmHQSLQTGR1Yk5akxQxTSn /UqOhLgyajQ0rHrXWtJPR7PNaU1bq6sE1Lx5Nhn6RYUNKZlapwXPKCsbj1e7epxa zuGcXLwaaZydEq1uWBqIUCrc0IrUdK/Xg/jkmOnjvR67AhSQNGr3rKG5F8YBUF3A uRYB8KzYn69WttUWFYl6jrMzvU1atVyBgq5cilc4/eqh65AukgREzoH2WIhvyLjF T58A57f4G50jDHIS+ZS0I29/rsjbJMMJda/y5VFdLIU8GBqp7ER7e7s0hPfId1nV Zlchr4Myb5Mfv2j8RQyCKG3Fjr7k8gkmgZq3kItBfppKUASzm82bI911ey0dNkXz lbkotgb+cIGPLbz9yRbjrThZtZKtolTGIu0MgYMSIeYAHcElgjhGJWf0A9L9TDoh y+BkyWpV1CUsmkagT1chmf2C48GTY9yWL/jhyL+JdZV3huUwoKeaE6n9CGwMnCC+ +LxVNy5Iqu4fDV2rD0vC/vYSXzg9P5qb1+HIS3SzfXOkG5Wmv2CVShls+ya81w1H /h1FtsZhg7Jpuua5/mdyrxn1s2O9e1McJ7iokfXn0XpJN+EusmYiVe6RzzMswZKL 5LC2/jrAigbRvnKum8wh4BCS0UUDMD2o03FwOK5Gx4edkTUcuiWaZ8UEEnXioCpk CmWl2UNYEruonvkZUmP7WHHtSlkgSQ0d28W2aDc7DjdW3QDBM7hRpHKIIBZarKhp 5TV8LktV9Oqe/RkMgY9vDOMQx2vPpKNsyKwE4OZil3oytcMy9/r1o4Qfq3RwXo2A EhPoF4XPECRTEzMwkdRkpDW+V7eRoYNTajnBygNrr2F+YIQmPpNQRNjh9nIOKWlF cfECYsf7boCi6n3X2c1bjik8Z+PNPB2kvIb/XSgfIayfo3ulf8TdsM1FJxJgODTI xYncni6vMovZPMtOS8gN9IafXQzDlGwk1T9+viq4V3tSl91xbHgwa69GHPN1bTfa 9uAZpn1RPKEVR3G714YSrWcRbDLLPC2ojIxqigL3mihIx1PI6vogroY86emLgUfM 941dnzNA8LU6RA/ZCYzhuC6RQgD1YtD7n1/NGDMA7D1VM78ngLMmcgvc2xS1CxkY Go/Dy0S9C17iSQq/84QR3Q== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B52086FF733C4617

http://decryptor.cc/B52086FF733C4617

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\19e7e57a7622586a96b10cc489303d0e_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\19e7e57a7622586a96b10cc489303d0e_JaffaCakes118.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2220
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2624
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2456

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\34as0d2y-readme.txt
      Filesize

      6KB

      MD5

      79ef12f508f4e396a4174248c69fe196

      SHA1

      3fa90e82de1ae332059fae6ce4e1df2e4813d01c

      SHA256

      1696a68117401365320c554f5ea27268762046f6afca2a47d01aefa4747adc3e

      SHA512

      b9cd3579534cb8408cc920f8045ad0888ed8d8336843003e65e33ff71bad2ed4f13952aab453cbf3e949fd032b152d1975087818c389fb885654bbbc9146ed66

      Download Submit

    • memory/2220-4-0x000007FEF5D4E000-0x000007FEF5D4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2220-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2220-7-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-6-0x0000000002340000-0x0000000002348000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2220-8-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-9-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-10-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-11-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-12-0x000007FEF5A90000-0x000007FEF642D000-memory.dmp

      Filesize

      9.6MB

      Download