Overview

overview

10

Static

static

10

2c448be318...18.exe

windows7-x64

10

2c448be318...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    09-05-2024 23:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c448be318e53757eeb78e1a1ec2245a_JaffaCakes118.exe

  • Size

    161KB

  • MD5

    2c448be318e53757eeb78e1a1ec2245a

  • SHA1

    072d3c8b6bb946acfe17656071faec4bac7c8b46

  • SHA256

    c5b521000c1d318921b58f7b5db3a067d28e6badd304ea9085831af8985b9fec

  • SHA512

    bf6614f3ac3556b3d049bc4192e49680025758174bb2c0873fe5967f8bc3e29f82ae2046876f1502c3db7adf51775ff7b2c34ad9c9cdea4e7a16d23f6f4e7f91

  • SSDEEP

    3072:oRud7cQgLbDkQjKiNLDIFjKbnSEg//b5Y7H:o0qQe52GIFGH8bK

Score
10/10
sodinokibidefense_evasionexecutionimpactransomware

Malware Config

Extracted

Path

C:\Recovery\079fs2468k-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 079fs2468k. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/62E52E1E68834A71 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/62E52E1E68834A71 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 0Are/k4BiwCG/6ihymgpLnLchUIF2I49E6hxgl8ePz1xbFFWhJmvlBIsHtb6MtQm zd2N4bxaQPBJtMrBF8ZdzoHFz1g/Nqcsp/VDW5ulpGLuNYq3zGBOnHrrZqA581iG kdbI9A4xAzHt6CW2zLfu4CIHJ1wGUJtacYaPW3bMrhbYHl+XC96vXN2GikFqQQVP V2bdQx11pEsoLoDUr0sYTVoh2te51uh5jcpkp4YHnvMn7t1285TraoruN5VZrh2f BMGYVI6LQs1mbxfP0jd8ocaR/4KOc37IgZLEIPJLsBN+VNowsJd3IvzGMhGpUPZW dbmiIXiZs9UdmDRw/8Pd5VbJQFrmDE64jKkldgR09RgK8LXydgBRa9GSJTZ2tw7K Lw0mQwsW1iU5sLdRwkcn5oE6gTZO9IF2biozvgtmEkuKnQB+3kRIT8P4Xi/CPt3d GbHhbeSMF6nXLougntdlz+c9Fo6k77l8AMeo0jE6PLyb+21ch3t1Ziuv1xDbe+6z E87SKDmVyZEj36KDzCmgKd3JWRyMqfvu8UWt25RVhLfZVe3P28hejbzU77azpE7e 8cXm73CEFiZMGWBu67IjQye6r/5FIdVYVPmTZxly8Sg4oYo/pO9KuSX8gtWHK6xw Kh/CNBgvnjd3nWVH2BiTZVnCLAbFpqNHQQGhEkKL8xDvhi/j96scNh3gou7EiVPU d8TTroHufK7eqAiMuiTCARcQS1fgE96441MvI7ae+Xgbxdmrs7XnydGd4xfV7H2D JaPI/ZtuwjciEig7Dhle2Z20lp7mOxsXhSOr5mZezlVRP3fvgfCYDuXPIQrJsgx0 Yx0mPOtByYO81PKEfiwBjhTWAxw2lTzxz5mAN7jR/161BLIvvD7BG3rpi38Wh6MO InlYnXwlMsRDHTIjEJzWauD0V/0ZvXY9v07fblwtVzI9teI1OWMorBHKwbjem9SO KoXBFJYDx41W+EA/AUQlL1AEiMARo6vxMiot/9Aua8EKnpKiKvJv/wfArMq2vAGt szcqYrplpsb+iC+X7V3HblKpODpVGvwxLJShCgm3+wGaNo1skryyd1LMFwsRh2Nq t8X95Ro4UJ21uJqfe7XOFy7d85AJr7VQUJdfa7bq5XbN+3ro37CBD9j17onldXeD 3ODxXT68FOB6iOiuQRv892okq9vY7nQ0X0JZVdLlddnH9JaorLk19+kVS8ehc7t/ mza3n7Wun5Ae+X5qDSlytKfV Extension name: 079fs2468k ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/62E52E1E68834A71

http://decryptor.top/62E52E1E68834A71

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c448be318e53757eeb78e1a1ec2245a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2c448be318e53757eeb78e1a1ec2245a_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2648
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1260

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\079fs2468k-readme.txt
    Filesize

    6KB

    MD5

    0884e9bda108c1a7128dd33d24e0e46c

    SHA1

    d7533ffed05fa86606b6d656a56f0b5a32fe534a

    SHA256

    b2c541ffa840632482de04147c46332e82091bdf327649f7e746623683bde3a8

    SHA512

    4a82076586e5fb855d077e9980ee596f410793cec0969415368517f0690c055f83cd4d56e8a99eac9c3225f4e8274a7e5aa4b0896aca2577da54f83815eed8a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabA141.tmp
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarA163.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit