Overview

overview

10

Static

static

10

456f237fec...18.dll

windows7-x64

1

456f237fec...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 08:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    456f237fece3615ed4eaf4b7cd4bf75c_JaffaCakes118.dll

  • Size

    164KB

  • MD5

    456f237fece3615ed4eaf4b7cd4bf75c

  • SHA1

    8348f8350ff9a0d4a95ac46ea51f434dbff19404

  • SHA256

    3bbebbba9d302fc277c1107fd05218cf92087bfa5246509cab6e1fc6eab12012

  • SHA512

    febb0ac4e67423c6a83d21b124a04a64e7323fba6626d7963bfb1dcb7c0dd1084788c3e9efebcd4bda908bc6b96ad2ee52b9c8ada56d5fec2235774a0350bd29

  • SSDEEP

    3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfqboC0K:veoUeZR2TRCWQFfYoDK

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Users\8uv1o99bn4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 8uv1o99bn4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/18762A4030310B8D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/18762A4030310B8D Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ne3WIZPl8pp/GzSzh3cPqsI8AvSFcd4Q5VKIgI7AxjvxWDtlyTACTJdg7zOZh1kh +gPIVn/cESyyN1EGafMlz8RwTNGRWgHBf9YJWjw+zoLd/1+jc7cHizzaiR6V1ODT wU9+PurESt75ifeQKjfkLBfOgmL/naZghG3RlZw+kVWe4mds0uuLLMQq2Nd3hKaZ ZVrMuC0cqlcIgGYHUphFQS/eFs6rHlC0T5F5s1TsVP8XVjV2cMErwKW5Nb4bPz5U mPFirCkI8BBT7RufymaUNi6LKBoXLzl7OPYEzuzHRKAWbCdDl75MGMjVMXHvx2O7 DDz2dEzpenzryvVy2H2YqGS39f4LFMWvWFAxzFILGv1gQe8f68MqX1HumOnAuE9Z R0F4eBYoEj0BWsCoNl9yZ+K1Zv2oECoLZQXBlN66SYWr6hVN3puKomIu6FKIlfZ5 1XAaAjZ/CE4ap5mLxMBWTQMhB+rD9bEYSIqeRRF/aAzOvB7QeCbfmc/Nag4Tx7NK jH0lwVUPnQ7vDQwmBc/a6XIO5M6eVqZFLtZX+ZOd6uPCaODQ9yaiFGmRg4YZ9Ygu 7dpGP1qVx7A6dCq6WUTP9ZKsvfu2LVFBM+RZOd4yzC8cNgEE7kq0Omtn9iKTvHYu RShVwF2C6N1809ebuOXJFwcFcLOyYsdIAwi15Hp72GXtLrBuC6HxjQIi+r9YHPoo 4kor6+j1GQGkG+S50AHnE8tqpg0CvnLamP2RbZMGTbJU/eywPSltXJfkQy8Sxc58 8XElXDU6oHaLuDxGnrtKBNMnIDQznhe4LJ4IzMZxSKjQn/66xRmdrhG4Oh0C1HQl okFyB6we2F2ax4JdnSLPWftiLVYyipIwoQB+9nuPisMY2abBeOOOgmkGsky/3aBm x3rWAQY2C4VRwTEN+hzVgUO/tzp3V+KJEuSIAykvhuq4qHtFC4CCahxLrBo1gVZ0 gvynPy9b3i5W64oxia5a96xt6+QRrWjEvhuyO/mOPq5zPxJ3FvQ6NjVsA9PjsmSQ +O1FmpzvsZ87y3WgAeiiawic0XSDduvfO/wR7JxN+j3GzYRv+i6aWt53umXgLk8x p+yWcJybbUryYZYKcztikLrMj70sJj6AP+gslFSQihAIRxpOuCJxlvhkxza3qeZ9 3LUDJqR2lJSBxXAodJpfniDXE95qW1gfAvC4H0I3cc5aIioSxbBDNrWJMxs1LRaN Nrw6eatsTEG1txZedqk6Fh/+38VuPdxZnko= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/18762A4030310B8D

http://decryptor.cc/18762A4030310B8D

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 39 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\456f237fece3615ed4eaf4b7cd4bf75c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\456f237fece3615ed4eaf4b7cd4bf75c_JaffaCakes118.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1360
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:904

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\8uv1o99bn4-readme.txt
      Filesize

      6KB

      MD5

      29436725bbf10da729dfc4fe3ab17f81

      SHA1

      c3c750fb3e3df1865f0fd694f13dee44b1481d26

      SHA256

      dbe416ce600d218e02d101de75288b2fe8437c627e7b546722b381aa0ec6352f

      SHA512

      ade1b21c2d545e78500f434755d0f05c4435ea050b6df701b4d6e9523bddb9ac2963f8bc5f72cdf5ff9130f86fcf4712765ba3e5d748dfda6217b7f44f57ff53

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zq4s33pj.ejz.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1632-0-0x00007FFAF0643000-0x00007FFAF0645000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1632-10-0x00000212A7710000-0x00000212A7732000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1632-11-0x00007FFAF0640000-0x00007FFAF1101000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1632-12-0x00007FFAF0640000-0x00007FFAF1101000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1632-15-0x00007FFAF0640000-0x00007FFAF1101000-memory.dmp

      Filesize

      10.8MB

      Download