Analysis

  • max time kernel
    139s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-05-2024 02:45

General

  • Target

    443a3653113457b08fa41ce46eb3b677_JaffaCakes118.exe

  • Size

    207KB

  • MD5

    443a3653113457b08fa41ce46eb3b677

  • SHA1

    c6ebcf8ed468511153c741d8d58fad07beab7048

  • SHA256

    486a7dd8a65128960ef6c89c4143f0edbf7fab0f8f07045328ad6675cd1d870f

  • SHA512

    bd7ca0759441b3168d78039962f76f5fd61fb9ef985d328f58dbe56b73a949004182fe9dcd1103766198498b4349e7160e8f875d12a40dce81926484bd31bfc4

  • SSDEEP

    3072:sr85CIyy2RjLTuVyu7CJDgoMT3QG9BEJfMt0HzLFrb30BRtBZZg+i2v:k9ny2RsQJ8zgG9jt0HJ0BXScv

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

3134

Decoy

mank.de

work2live.de

triggi.de

innote.fi

iwelt.de

mdacares.com

celularity.com

wychowanieprzedszkolne.pl

bildungsunderlebnis.haus

urmasiimariiuniri.ro

devlaur.com

philippedebroca.com

kaminscy.com

boompinoy.com

webcodingstudio.com

onlybacklink.com

victoriousfestival.co.uk

levdittliv.se

rosavalamedahr.com

DupontSellsHomes.com

Attributes
  • net

    true

  • pid

    19

  • prc

    visio

    ocautoupds

    synctime

    dbeng50

    infopath

    tbirdconfig

    oracle

    winword

    firefox

    dbsnmp

    mydesktopservice

    msaccess

    xfssvccon

    sqbcoreservice

    mydesktopqos

    sql

    onenote

    outlook

    ocomm

    steam

    excel

    ocssd

    thebat

    agntsvc

    powerpnt

    thunderbird

    mspub

    isqlplussvc

    encsvc

    wordpad

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3134

  • svc

    vss

    sophos

    mepocs

    veeam

    sql

    backup

    svc$

    memtas

Extracted

Path

C:\Users\q9ox0053h-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension q9ox0053h. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B751597EA850569A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B751597EA850569A Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: mfX3tjwlXq72ZorF8I9Vj3YIlUBlP5iiT14ilSLspGSZpEtAViVW/FnR/ljKFp6X 0rRzMFa4J9RpWRafCdWoIn+1fOrvrr5w4Gu8PPi+Mq1XXyKoUt57fYux703wYSuF M1yLSTm2zglxuFVASM3bpiiga5AaNsI0ctaLI6yMjzaRcs2qHsofal+GXxZD7yk4 USrpoBUbCgMnBUSAJESc8IoWms4f9rK0Oxy70whKABsqIrU0wbvlOiWHi+P8zScq VUdGnsnwpFDH0xRtuHKeXpG5a9dwzpgHZfZ06jALVZmMrE0ZLVZEpW1qGHN+Vgy/ Bds2E5DDkbZVzWL/vRZAjt2kEpIDeK9eCTgKD81jP+4R08ZOeqyU2zv7rMlcI/GW CyJGH4uiKSeylL7R7igijUKpF6z2dR3igFjuMWNa404dV3BIJQWSwvcfBhB0n+wX kXQhNVeFV2bP4c8bq2LajFDgCRXmI9T38aQhYqfK9SQvWqnfcX4uDFhXVi94LJPb VhaqnTDaM0Po//r0uG/wIdVzBOCmJL3f4uCFKpngSiImyQNLMzSOlcH2/Lo8v1cw mhAs/hs+MPf6NteG3hrGqjcdzyiTl1gZgag3mNppzniU/N6gUnCHQj+YTYtLrUiL 98cw9ZXRSzeXHWYgG1hI1KmfnDVGsPLCzW0JYwiqNeraS5iuDzWX6YiXCz3hTz4b Kk9FLUmmUgzD137b8IP3I5y5z7gJ9d9wl6xmq+uPM5ww/sdoXHZ0iHof4O9RBNNi IOIEVOq12s3yjX814rdHe2sk6Yd4gyisZT4bwWUtsNgJ23+0c6TZgfs7Rmmq8g+X Zs6hqC6MnTZ54QohaRUGpUVYm60B3Zhgvze92dyUbphIFHtAzLdy6XGoNIYV3A7c +vi6K97ZfRoQ5l4e6QQDJ/vUmXMstV23jzc7lEky3wW7ALXLblgPf21wOHfJ0Zvo Z18p3essSFBe/Foh84UoXGm1Kqx9HSN8bJjp9dz/nU5S+h9x/D6uxCuIXXUWHtSy 1hFD/17vi1+saDO+dm3KjbqCkaTmRxHrHfa7iba7P848LvVlR3i4dyQ40d68tidu kqy59TrNo1V5qU6SW0wFeAZYxwe13BoMUJIXITow4ryTnaik0ELXZ2eFPEdGdFcK SL0EZq1MRrTeXvJnzvCH0t9fNcMGdG8wNaVF5jEp9keR4Mn7zJPTanQ8KdR2NPq5 kGVqVMKq8mOdUSoNmrj9ayno ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B751597EA850569A

http://decryptor.cc/B751597EA850569A

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\443a3653113457b08fa41ce46eb3b677_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\443a3653113457b08fa41ce46eb3b677_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\3582-490\443a3653113457b08fa41ce46eb3b677_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\443a3653113457b08fa41ce46eb3b677_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1920
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2748
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:340

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

      Filesize

      547KB

      MD5

      cf6c595d3e5e9667667af096762fd9c4

      SHA1

      9bb44da8d7f6457099cb56e4f7d1026963dce7ce

      SHA256

      593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

      SHA512

      ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\TarFEB1.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\q9ox0053h-readme.txt

      Filesize

      6KB

      MD5

      e8092c6ef203a78ef2c62879c04e0393

      SHA1

      c48e898930629b8b9f97e5540b13630dc8f536a3

      SHA256

      3f7355dc0b11e435f62d138753217792b1582170fedd51541edb1a149b3a7aeb

      SHA512

      d888e3b45843b2a83a4fb3f73945f58937a7b89d1da482ac1ec95bec8d3335b84341a300a373d4b2b655532766edc921c24a02600d5f480377ad915dbf4a7c55

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      192KB

      MD5

      db9ccb53a476325304b9bb4ab585a0d6

      SHA1

      cf7ca9d80734db7d256f81113f9fe5264c1bf765

      SHA256

      01c395aa3a1bb32978a795912a1ff665b7844267addbab9d929b23ad2b10f896

      SHA512

      4e701b4740ef4efa46525568f82cbd2e88656c9748b09b783a1f570fd4dd6a66ea0122953c1418bae3c5a8a9dcc1679900b7b1c2c50821beb60e098128847c38

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

      Filesize

      252KB

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \Users\Admin\AppData\Local\Temp\3582-490\443a3653113457b08fa41ce46eb3b677_JaffaCakes118.exe

      Filesize

      166KB

      MD5

      43e9093ffc8dd69985a9ae65b26f5551

      SHA1

      7b268ff84e824ddcd8b7df3cf9993be012489d01

      SHA256

      42c28feb23c992a350673d63413bf11bc816d00a079462ab524934219d46430d

      SHA512

      118d879750d0456f5b2e31818815ef9465fb40eac24f4784236c626d2a2e753b5a85ec5b2c66a755b10855c9caaf77bd85b6b3d1fc7003fb029cb703ead9037c

    • memory/1920-90-0x000000001B6A0000-0x000000001B982000-memory.dmp

      Filesize

      2.9MB

    • memory/1920-91-0x0000000001E70000-0x0000000001E78000-memory.dmp

      Filesize

      32KB

    • memory/1936-527-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1936-529-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB