Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-05-2024 23:56

General

  • Target

    275148bda4cdfce06afc24b35ff9dc21_JaffaCakes118.exe

  • Size

    168KB

  • MD5

    275148bda4cdfce06afc24b35ff9dc21

  • SHA1

    1a158b97cd5cbf70ac34ac53b88689451f16713c

  • SHA256

    637b1a6dccd40e8ae16b78addd3f4f7a3d816210ea67a9f1c7d6efbfc58c66da

  • SHA512

    ef6cd57d3c2a5e9b7c2e7b607b463c6b79e9287375cc228ce526ec53b04830795f58d6ba183964606c7033a8b93a2a6d56bf2806bf487b94b4fca84ff17c2c3d

  • SSDEEP

    3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NaXXQbU8IYz:lw02sJPi7O93NLbLIYz

Score
10/10

Malware Config

Extracted

Path

C:\Users\8y7b3gzaa-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Clasquin. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 8y7b3gzaa. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/85D72FCA1995DD96
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/85D72FCA1995DD96
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: (base64 key blob omitted)
Extension name: 8y7b3gzaa
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/85D72FCA1995DD96

http://decryptor.top/85D72FCA1995DD96

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\275148bda4cdfce06afc24b35ff9dc21_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\275148bda4cdfce06afc24b35ff9dc21_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} - i.e. the shadow copy deletion flagged under "Uses Volume Shadow Copy service COM API")
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3052
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2604
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2644

    Downloads

    • C:\Users\8y7b3gzaa-readme.txt

      Filesize

      6KB

      MD5

      0d1fb12f296f649f6dd0cd007998b92d

      SHA1

      8ca6a6dfbdb848c0c6629c6f59346a57d3faf1e6

      SHA256

      10bbab2a69098861f855e7a98cabfcdd5882aae1e5911c380b11bad7e87a8ac2

      SHA512

      876b8643f974b8bef22e541bc4300129b7db169b13bbb3a684df42133d8694ffd468515b062beed5a897e75f753b78726aca956ab2821eae4d3bf85ca54c9ddf

    • memory/3052-4-0x000007FEF593E000-0x000007FEF593F000-memory.dmp

      Filesize

      4KB

    • memory/3052-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

      Filesize

      2.9MB

    • memory/3052-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

      Filesize

      32KB

    • memory/3052-7-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

      Filesize

      9.6MB

    • memory/3052-8-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

      Filesize

      9.6MB

    • memory/3052-9-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

      Filesize

      9.6MB