Overview

overview

10

Static

static

10

275148bda4...18.exe

windows7-x64

10

275148bda4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 23:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    275148bda4cdfce06afc24b35ff9dc21_JaffaCakes118.exe

  • Size

    168KB

  • MD5

    275148bda4cdfce06afc24b35ff9dc21

  • SHA1

    1a158b97cd5cbf70ac34ac53b88689451f16713c

  • SHA256

    637b1a6dccd40e8ae16b78addd3f4f7a3d816210ea67a9f1c7d6efbfc58c66da

  • SHA512

    ef6cd57d3c2a5e9b7c2e7b607b463c6b79e9287375cc228ce526ec53b04830795f58d6ba183964606c7033a8b93a2a6d56bf2806bf487b94b4fca84ff17c2c3d

  • SSDEEP

    3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NaXXQbU8IYz:lw02sJPi7O93NLbLIYz

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Recovery\9963l-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Clasquin. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 9963l. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5D13F2E580B1B29A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/5D13F2E580B1B29A Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: bpeEsx6qjT02oxFpuV7Gu6pOEuNDOCGIysmZrEEskI7Ig2HFoyJxVBZk4RZdsD8r AJCvDSOQKSih0YI6xkCPfksYCGM9ncAjYCpylMsmbui1iv0rXrUjctwkMJIjFKsC NRG7dDWtcfvJKwrgSLDNq6sITF5jbVLwYh5DtJ9D5hhLqyOiOh07GbC1ob9LV7iV zvA0V6rNQfdkTXpKTz5XbsJ04R4qyDjufcKi32vTbNFJUbJ4LnAE5OTeHgQ+rVGt HnhfjGAsDCAZM8cX9w5tB8VbLvjfJPU8QG/3QEPgF1jq7llgy+w1/SCm+GDxR8pO ZwbLwxtRdUjXI4BUB9KTPMF3o6QTJapGJVN4Qf3RXEFQT3a8UBO54nHIs8vvCTlr gjSKim0G/9qSH9wuNek4f250qqJeoNdSBfohqc2lEjgDFP/FoTO33nlyliy21//j 56b2QctSx9yrsEJTXgA3C/X6Qqldnwz5/0B4lYjnXLcfUz0KdJvbywnNlf6g7Nzd /d/ErQtLYpDMgDMa4rAEowhH+zlrY1nMnYIeHr6HEvTqxNzqwKQ3xF6nhgPAQvt7 yJCoL6pLDDJY7RpRxLWi6WKznQbpKuANqAcath7oXmg4B3fN+dG4HTTqYnKugS9p yYxyPiqniYUjsv+EX6Nmav1OGNVwKPmsp9p9f96WB5H9A///41BauNb0mgJHAOu/ Bfb1ukEJHMYhU7/VjcjNRkGiK2NJ1CtnIs/zVrX8vb3B0/+K13RwboVae5KFGkHR 6TRsCsvTPIxcqoZQ/7XSqfDzvwabmho4LRoHxb6SM9MkHfsG+0TtXfn1eAsVuuW1 76u/3sUQQ8ZmzP9u8NiDQf4OiIUTxTjy8WDDVsDm4rETrfWcxKGhgTUZEwi2mwm8 NYUqRjbZMma25WtU8xfuYKjFA2Cg4mj/SRBfXB6PwK715LXchW2ICg7Yf/dTFeAl SfwM2wPzPxBQ3JxNo/qvH/Ns+XIYXM2vy+RK0Cb18m5fbIeC/+3/MNEc3mHomvS9 VH3rkeS+2l2YJjaNjH9Zj2Ks8j6RCSFTkjf4J6YUQMLOY8HPh9HyplatE0ZXmL3B EmtumMjFr0duTVos13SLh/RklIedHGaZx59KJYiWSi27jfRcM4eFKRjkvwiB2wX/ /F6W/QNg0DUMUG+644s5TzQGj51B/rddGSZ65PMMdWxVOdGfLov0ued7VmPSzWlt TeJUL+0ZfOQa/rPmGqpjYg== Extension name: 9963l ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5D13F2E580B1B29A

http://decryptor.top/5D13F2E580B1B29A

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 29 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\275148bda4cdfce06afc24b35ff9dc21_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\275148bda4cdfce06afc24b35ff9dc21_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:228
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:856
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:896
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3396

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\9963l-readme.txt
        Filesize

        6KB

        MD5

        8551570f941f83cf98fd618a385de69b

        SHA1

        55a04a18f369038b409b4f74a44d769037a9b2cf

        SHA256

        7ba98930aea82a9a2357eed92b7672334513756b9073fa70f65aefd671f6a47e

        SHA512

        d933a80d68213c779eb4557e3fa17e16c2c40b720d4ff30b2c478247c3946597895dd889f0deadc7a28b5bd01595409766e307951b8481140a743dbb0795c8b8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ce0xyoi2.cdq.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/228-0-0x00007FFC8C9B3000-0x00007FFC8C9B5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/228-10-0x00000165BBBC0000-0x00000165BBBE2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/228-11-0x00007FFC8C9B0000-0x00007FFC8D471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/228-12-0x00007FFC8C9B0000-0x00007FFC8D471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/228-13-0x00007FFC8C9B0000-0x00007FFC8D471000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/228-16-0x00007FFC8C9B0000-0x00007FFC8D471000-memory.dmp

        Filesize

        10.8MB

        Download