Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

53550156f5...18.exe

windows7-x64

10

53550156f5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/05/2024, 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe

  • Size

    158KB

  • MD5

    53550156f5250bc445aedad91fa9d665

  • SHA1

    2fec5aca3bdaf419f12795491b70cd7f8fa8371f

  • SHA256

    13857b32be96e622e1416dab5bac7a65042f5cc5ab8b094ddc7421838d2f2adb

  • SHA512

    34caca932ae9e63d5e3ed22369901eb4a3ca68ff9d3c1825c2d47db5530f54c203de7916d256a09bdaab85145a9d64a1ac22e2a957436cc2765747550701b054

  • SSDEEP

    3072:X440HvCjLbi4eTMlwDCnuMMf4crzUxc0+NP:I46v0bnWJSezMc

Score
10/10
sodinokibiransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Default\t9g764ttz4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion t9g764ttz4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/29ABF3FBD67AFD64 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/29ABF3FBD67AFD64 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: hLhBLLDh7ai+bZ/dvf31yWelo4oE422/fZqFUBWzpiszRTQeg1x2bVsJXX03juKI IeAKTitnZvxYm+gOW6WOVE8fnsU/ycSE5dGNJhjBoc2Ln6v/VkqC9XEBj6yFp/rb yxEbme3LFiVdTtToJtX7599GRlA7MlajmSsdFpgbd5DF3XM5UA2QN8Raf6FT0utz Ina0vovIE4r2voveV5Wc1W0OqxPUfW2mVXo6eTbQaGWJcH/p18++nU7xyJLq8RO/ omUp3RYtVohbfLk4hHRjVDDmEjAHxey4qwQo0hXf4vuQVdqpaLUvJam0d/CmmIpJ w7CJYj2jddu8CN19bLMq77q/I9aPvzfIElLHEiKrWN7LLlQ/zvTe57G6CB/AQVy9 XJpKpEjgq3VXgG/dujyMyppEOYjwfMnnxEpsi+qn4k+FKvTEw/0U5X8Pn0cDXvHq 2yOv7jOVa4s26gOiP40sqsQr0tBCx6RsXoYkCqwoFC/eYxqRDK5bpGIMzDglXSKk nPTFYRKXSIdBVZWvfdwrQhJDPldP/p+WP0yUFIP2Vc79QUUxSJLIBmWA3fgCYVs0 Qbi8XNsYmNM5QMUdvZwD7/td7c997UVo117JvFJQ3jl6Y8Jd7kQsUZvVpOjt5P+B W+v7B5JWtauqOwvVJhOd7CBTw8uFtfTSynXliDUHeWGdDXSF1NQEFhzvC2BrnrWc T6XOnopYB6yIi4xyp6iFWdRrlnAHXHKwIgSMgRTlwJ63VUwsf5Xbu3DUfvKUG/NL fNl8a5I6GZgK5E5xyaaP5fusU4uDkTDC+Md9cgf+FeX7CrebyWv8y37gKc9twpug cQcnxa1wxezRj1EpsKsw+s+ujLcFJRigapZW63bAFIEt/+RjxoKXAlqQXfVq2Na+ IsghJAvgWIlRjsaUWqi5TBfph6d88Ax21xo6R8iB/P99SSKwZ37PdiIPzek3RYBc 8L9f99vRo+cM5T+UuCdZAyX1W6M/q3W1z3kESkhaTYnXC+0p2SvNedd2uOZb0wPL 5nYRl4ruhmaoQutneAi7sAHD8+XEhBioP8bpNLAGljvEi6iDql8isal7Hep/Y1XL pkBje8y55uNQTfhVJHj770qsE/FkS61riTyA4dgdP6eiLr97g8wgJl2NMl3Xvbw+ acdtKR2T/PYiQmNlTItNUuqOHpyIkmIMuZYVxOsw Extension name: t9g764ttz4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/29ABF3FBD67AFD64

http://decryptor.top/29ABF3FBD67AFD64

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Renames multiple (197) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\53550156f5250bc445aedad91fa9d665_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:1976

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Default\t9g764ttz4-readme.txt
      Filesize

      6KB

      MD5

      d4a331cc1c292fcdb57a331aa5a0ef4e

      SHA1

      33c854c71c68c92a62ad29df55476d499a28c4df

      SHA256

      a8d04b72bcebe34410dfde80bd74c775e68ed4b618c71bfa423b0819f60d7afd

      SHA512

      c21ce5bffb4fba73ae1dcf57ea237c9bc92371a114ad13b355e5fffdffbb21cf509760908ac62c1b3d94789ee32d1beabd86fe4203e92075edf6cf89c5200eac

      Download Submit