Analysis

  • max time kernel
    129s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/05/2024, 01:28

General

  • Target

    619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe

  • Size

    157KB

  • MD5

    619bcc16546e3d7ddea8045fa88f65fc

  • SHA1

    bab813d5a45552978bba9a413089222c3f225a6c

  • SHA256

    5fe8e804cc0e7d211019bf37dbb18e4a00af24be11cc9407fac6d648c01716fb

  • SHA512

    22997dc1a27b3ee620ab248336dd7a373d7a5217c30135a36943555e605ae7ea81fe55b5c0b596bc14748831144ae91b4272dd6a319cc3d69bea2fa7caccdded

  • SSDEEP

    3072:Fi8Iy8EytSLbi4eTMlwDCnuZ3jmOaqGpeT3:U8IUykbnWJZ3jmOaqFT3

Malware Config

Extracted

Path

C:\Users\Default\zg1l099-readme.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got zg1l099 extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2F15BDB62D29967B

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/2F15BDB62D29967B

Page will ask you for the key and extension name: zg1l099.

Your key code:
Q8+TJ4w35bz7ikW/EwuVHBPfHiWkzej1groA+WJia2FEnbCWk3+30gS2vaq/jBa3
HuXWVKPQA4M918uabvpLPOAIB6+lWHBi+HmM9R4PQpqPO107bD1pIk1PCopSOZbY
m5R9+UNzvHiWX+ia8nycNhRax8mh0bVKuJCN7oIvKndrZI/JrmHtHYaHx+3WhbMb
YoaVTkSttGFp/A+MW4gnBIWnEu1HeH6Tdrj3JbJDfa1KknsugquyjJpKGVSszms8
oI9hptbOSirDb+DCDRiB5f6QZywISuG7tWzVi5izZp8+Mj2ogP2qIrgLuj7iSxTV
pLw6xfPc63Dmf+WhAstnhC3te35ntLJlWtNKoG/xuRxjS7S0lbqOUFmRYeBr2HhX
aSdwWOrhpvszNhqeRPwx4MryBSbd0YDH/13ZWyGv0fcjCdaJ/VRSGs2QrOBhK7oZ
/1jX2J8fpLg6Ptu3RR2dz4/hyu+XAgccZ5HGi6n1OhUN0ZGkepfESGFPe26/0n4+
scFYLvH7mWm04yau/ly3nb8JZlEmSy0oB+5tXJIN3YDb4T8UHMbzXMB68tbge3Vg
ntkNR6Z2bbqzfdrbA1AB/ebnNr1XKy91tYUhPIYU5qfux9Es2kYkF/NJJVwtDOUr
PrfPSRbDyN2TLMWiRZ/xBQTjZ4TALEdGq614ABeTf7ix4urMblegkZQz4hYnJnt+
OYAj4IFrrQTFytXgs6MaAuD2o+j14zMcZtTi0ardAF+84PSbj/FNFx5xiakTIzDQ
DWJx54C55eWXzUevnhKFAWqNPoqq8vH/m8j/6KZCI22SFTdlfWA+8CNI7t6JAqm8
QJUPKDc3uGKYq7QnyYs+PGjnoo0HrgV6r8UTWbeiXo4WcYT58FTJn9wGOt9y6B0Q
7/VPTHYW8ROWkakpXJ7iZFD5lyhJC4CYSnPQpXOCv7iZYN04t1/7HewAmmmyncjZ
MUdC2huy0QLAcrxwTAhr7rY0+tS6DvS/X5B4Y4mufFr9qkBRUesJQHMXG2eWxrel
1ngMrXQAiimaVj9N5hWV0vcgyiXHkeHVf7G6eDe2UGvNw6fqJI+OgHbA84yIiQyf
oB4saA3kTeL37XOmTLtcIglhKV19XB8un+HOsYWWKXRVlJJCPqoXFUWOMZa3ow5p
XJTGKMR0qbrOAPwnW15j854cytyFWMF/
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2F15BDB62D29967B

http://decryptor.top/2F15BDB62D29967B

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (184) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2908
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1376

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Default\zg1l099-readme.txt

    Filesize

    3KB

    MD5

    132dea9d526617f5e040528cbc6cc5fe

    SHA1

    ca94bef2221b6e531d53e648a81ebaed80f80a87

    SHA256

    2fddfc8bedfd281e902eee253e60108df9c921f5c3a682eeff7d77a7a83408cc

    SHA512

    699e1af0280bb4c688250a7bed73865f2b441e09b9c4396a319ef9ea230ed09d11e215059bcb77a41d6a3f384244d9f2ddaf53dcfc6d785812a19bceb8e00068