Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
13-05-2024 10:16
General
-
Target
3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe
-
Size
373KB
-
MD5
3efdc5484d5d58b90bdbc48ba7598446
-
SHA1
24e23dd6e76f1aa0bd66c92ce2ecfa8c47b831ca
-
SHA256
4447dee4424f298d64e15a4ba543090afe27afc9b839cb186ce4ddad3ca6e6b7
-
SHA512
c84ceb205550e473251583aaf7364677a7955daba96183289e4d68a42ad7b41ac176dbb7be37361ec0a0958bd6b5d89dbd726de4b4c23dd4f16ffbb197554fb3
-
SSDEEP
6144:t7eVKANEgjw8TOnLOZEvsMAcgsphgjxgQQ:RWKAGgjgKOAcixgQQ
Malware Config
Extracted
sodinokibi
17
11
texanscan.org
g2mediainc.com
avis.mantova.it
cac2040.com
zumrutkuyutemel.com
livelai.com
floweringsun.org
jandhpest.com
agora-collectivites.com
mikegoodfellow.co.uk
letterscan.de
voice2biz.com
biodentify.ai
csaballoons.com
angeleyezstripclub.com
innovationgames-brabant.nl
oraweb.net
transifer.fr
alattekniksipil.com
ruggestar.ch
-
net
true
-
pid
17
-
prc
mysql.exe
-
ransom_oneliner
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. For futher steps {EXT}-readme.txt that is located in every encrypted folder
-
ransom_template
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}
-
sub
11
Extracted
C:\Users\Default\4r5882w-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7581C0BB6C2082A0
http://decryptor.top/7581C0BB6C2082A0
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (206) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3efdc5484d5d58b90bdbc48ba7598446_JaffaCakes118.exe"2⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD50c4b76a98ada61a19ad0eea20517351b
SHA19ce5634b86c7f9f8e87bccdeece8f4d8919e98d4
SHA256195eeafed2a1137a1cdbe78963c8cf24938d6b4f799b73335de0283747da7822
SHA512a14887701978f8e733e3aaf936763d6661b401673aa2e2281f3b6b4b4c75f8a3095514644e462a92bf9a604a7c151e3b9208cee14caab5906433960f5570319b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD521750999bd7472490124782385e09c04
SHA19135ebf89b26dcd2e9cf88f3e6072b390d1c90f9
SHA25652261270771ec94d9497f98b0aacc1f70ee675208065edcac774294fea2fe2e7
SHA512a3a236d98e911a5eb8c17e639e8b1847e75b845a57a78062483d452d5270351f8d87039ed38a7dc4ef261167b282620495edaaada8f8577dbb6426cd70d36f25
-
C:\Users\Admin\AppData\Local\Temp\Cab8F85.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\Tar8FA7.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Default\4r5882w-readme.txtFilesize
3KB
MD5bf52d32e0f42facac3cce43bd77ac61d
SHA1d4fc1b86faf366d6cd341fabda66a70ec9a060bc
SHA2561ca62ad40291c5db3b7b60f5d1fc301931a9bffd1fc77fb11defbcfb72c0847d
SHA512ffc34a7aa48bcb1ed5c47e625f3e1a4759d3b5fc9b1d39a3655bda525807cf989c3f5f3bc0493331220e2060d5a92b4c7b1d485ae3dad231321f611c01422e00
-
\Users\Admin\AppData\Local\Temp\nsi2711.tmp\System.dllFilesize
11KB
MD5fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
memory/2676-9-0x0000000002090000-0x0000000002159000-memory.dmpFilesize
804KB
-
memory/2676-493-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2676-13-0x0000000002620000-0x0000000002729000-memory.dmpFilesize
1.0MB
-
memory/2676-15-0x0000000000220000-0x0000000000226000-memory.dmpFilesize
24KB
-
memory/2676-16-0x0000000000220000-0x0000000000226000-memory.dmpFilesize
24KB
-
memory/2676-17-0x0000000000220000-0x0000000000226000-memory.dmpFilesize
24KB
-
memory/2676-19-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2676-20-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2676-11-0x0000000002200000-0x000000000232D000-memory.dmpFilesize
1.2MB
-
memory/2676-14-0x0000000000220000-0x0000000000226000-memory.dmpFilesize
24KB
-
memory/2676-508-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2676-12-0x0000000000380000-0x000000000039F000-memory.dmpFilesize
124KB
-
memory/2676-10-0x0000000002160000-0x00000000021FF000-memory.dmpFilesize
636KB
-
memory/2676-545-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2676-8-0x00000000001D0000-0x00000000001DA000-memory.dmpFilesize
40KB
-
memory/2676-7-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2676-610-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2676-611-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2676-684-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/2676-696-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB