Overview

overview

10

Static

static

10

3875e73189...18.dll

windows7-x64

1

3875e73189...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/05/2024, 05:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3875e731897235291834fe7eae0279d0_JaffaCakes118.dll

  • Size

    164KB

  • MD5

    3875e731897235291834fe7eae0279d0

  • SHA1

    37b3d4a1fb5779826b82bb34f913a5e3c3c245d2

  • SHA256

    98127ecf793399daae7b15595978f9d8e39f3ba89551f0379f28f4fd1984ec22

  • SHA512

    9422bf401fc05f7afac0442a1e5271487e538cc41c03ec18bd9db9e9926ddf97649d89be75539182ff7f95b925cab742278c04e5066d858867cdedd8832ef669

  • SSDEEP

    3072:gdh/MHQzMozq4ndm8jX5IXzs+M9VQHDO3d0h:gdh/EGMgpdmwIXo+M9VQHDedE

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Users\1x6x731os-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 1x6x731os. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/411388CE9536B8E9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/411388CE9536B8E9 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: rj0JgtfhbaAQMUL/T63Dqua1nrbRTmTEcmojSgBiOsH9ERA1jkklpSEvJ76I7QgG nagpnmjJN6KrQawqoTCw3G9sZ5yHXp/yILFqo3F0D6FNYWp3Yc1xu2na3I7MHL9k UbuoNWEiLhcrRshpt4HRsBiiOMdgF8BNotkVSaXcWk4w5qE+dBzgd4MwIphFgMuC XQuTY34s+z4tt4M/o/U96GAl4nMkS7DHgBbSEx3tGOxqgoziSxtz71kMHAFzqJYQ C1fvehE+GqgCSWMsLQosEPONLo1n0YMIw/21vDjtnZV6yPhpTSuQTG+EFhaV0lME 0VOQXUtM+iR/snd0dB41bCry1ulKdfyFGt8TeuViee1xSRLwUR2CLNwCSI+JI3Mx ZH+61FTwZGDJuDFxjzi6M0nZL2SYsLrgr7lcAs0tiLrqEMcyjKeT98sMHf/uTRmM X1sYRagDRcUovA2MctCA7G7vJrjtKwcJhfQzMXcqVSmkSs1qL2+v11x5Mp9i/h9o fhsFnO54/nn1weeah09PczrBw+yPlHM/Ct+7E3Yjf+inZujLytE9BlypYHjxfS4e hLN9/Op4pvZ+ZTTTVLcNi+sg3uPRTAxnPAE9fzny5kr+9sCIhwUykR8PTUabfiOC nD7Cbv+bXYxGvON2n970KGCqau2BNPYeD4Kla8kQmihq3Na7WN03+USZZRql58ei //1EZsWr/6XgO6DiXCDXbIeKy1S+lqsUfDfGO1xKKaBDEOaROhFdmlOT8hkvYVad XcNyct25znka3R0hBpn2sFgV2KfNoU+whEHIly3cpb/TtmW8/OFVLrZC70KF1KXw xlUgpne5PQm0WZ7XhQLIClSKTExBqYMgc1oiD/ljLUEWoo7Pnj+KO0d5LmobMGd6 TKdPvJoipFlODJYa5klB7Z2Z1jYiA2Mo6az1PWkv5QkQegNqtyRXDPCCucgMrasi 3HaO1SJKMgamfGErsURX0CmYMawKUNxAZfHuBoyAp9kIgovcEecPxX0KAGLOh5vX 0UrmwZAfxJCnsv5Odb7L0I7LOeI7zWgEq05BahgxTLJvLb+0p9CoXyqZJ1UIV7Qh nksFmCFVkGqtd2l1hoKg+pJKOVrvAciAZUKPKUGBd4zps82KieBcpgz73PI6NraL n28nHC6lzzyOboVp1HKxRFhgUFmxLWd+hh/T70Raj1zQRe5jhdoHm/uGcvgII158 LUuSGTjBZwtz2fQSQvri6cXs3AUVE4Dj Extension name: 1x6x731os ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/411388CE9536B8E9

http://decryptor.top/411388CE9536B8E9

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 29 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3875e731897235291834fe7eae0279d0_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3875e731897235291834fe7eae0279d0_JaffaCakes118.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3708
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2416

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\1x6x731os-readme.txt
      Filesize

      6KB

      MD5

      f2bb6a36887844ccb8292c8fa2508e52

      SHA1

      72de97d4c7cac4334295ec8c5e2900840780720b

      SHA256

      e94ea6dda9a3c2ccc626c88040ab4cb2ee753560c3144da9a23c477328faed8e

      SHA512

      23c85647e28d46a135bfb7beaf50db0737d879dbd96b5566040861ef61286794ef34668a2231f80f0ff66018b54b946a2c11e40fd1cbfb5f26570a8cd33c73a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xsivnqqy.mw3.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2128-0-0x00007FF830D03000-0x00007FF830D05000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2128-6-0x000001B03C500000-0x000001B03C522000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2128-11-0x00007FF830D00000-0x00007FF8317C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2128-12-0x00007FF830D00000-0x00007FF8317C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2128-15-0x00007FF830D00000-0x00007FF8317C1000-memory.dmp

      Filesize

      10.8MB

      Download