Overview

overview

10

Static

static

10

785ba6895d...18.dll

windows7-x64

10

785ba6895d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    27-05-2024 07:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    785ba6895dfb23837bba5ef9c84d5c74_JaffaCakes118.dll

  • Size

    114KB

  • MD5

    785ba6895dfb23837bba5ef9c84d5c74

  • SHA1

    b78c9d56ffd8775b566daccff497dc2672af8cee

  • SHA256

    e8ef7dc54bd782122e3ce1c1ea14c8325dfcd3f6a255d5526c6e2e7624e0f091

  • SHA512

    7d5969afd121f8e9fdad129addfd84485744d9b013e2f8d16a7d5df95a864cab818810617b9c09733699df5732aca0f65275b1f0d4fea24439275e189b30f799

  • SSDEEP

    1536:6Q2auIslFGhFtuAp75WeNMYLoRGp+K6fHICS4AdfG6NlNmraBXZtT:3sI/hqsMYLoRK7bfxl4rI

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Recovery\wyj10-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension wyj10. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B68B416ED737BF2D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B68B416ED737BF2D Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 0MW9k7Vw1GI/5Mk8WL3AXbDuynfPHc8xGc6a1u+VezbwYWv5Nr6lupPD/87PO4ML R163hHG3VzjE34kaDlssJuGGx92WOHkIGJ297mT2rHvbL+2YzhUmcJiV5Uf/eXBV gO+fjaZ2mVG3WR6Ue6+oehIsOqBQEWMrSw3wBjaTaxdtH1dzwRCIFgMTDew/mUfa 0VEQ95q5nESvWIM4XDX1QJUwDlfRkfvQa41YXFN8jNt4Zp3LujvYw5Ikd7zmO7M4 BWS91eHDTuiXMuKmajnoaDo3Cayp/RhjnEaAQl9opmSpKU3hbdjrhEpWm85lZFES AEc6UIOI9hIRu+IwB9l8h+oqCBnFddS2MdYAny48/yGkVbL/WMGr1Q6p3/5K6/nx k3ow+WfmaYyF0EbYyop8Ch4giyjWah15cqCcuhBwWnkKHiGIVTj7x9zMazI3gO6M Siv3wmYrMzeUtPMBAiqoabs4uI/SPPtEo8dZggKpc2N25DEcUQpwyJsVDmnYs2Bs okqa0QOnNk+YEI9DYaUK9QwUqyrAYIXeH8ymIgDSLtC4PgqcG8gudWaV7Y3SUU7i iaWZlV/I0G3z9nCiR1YCfmx8w/KbMW6CboQHq+aOcEX7JXoLRdSDfKtlGwI3TVPX NxDfVwsXGIXFzOFuctkF0GFTKrVLrIzmDE+WS0V1G/mzm3z3E7poZneufLGuy8od KjTSgejsDMyGQHmX8vew8AqpePcMtdLPsEOcTsI6JWNGqkM9H+7Q+tgqrGOG69CU Lb9tJzWCapJC/EjnApBLdh61uc+H05IxV5inoXOknzYAXHk1dEPG2hnatmTDB61W SPK1eN+A47VGMTGcx0zPXgpia4bb19dNSIDormEClldSpD5h9D9M7ydmLgWpgev9 EAmidymwRRI2324+LSmcJUfUlijdVWtMePvlkupK1MlqbiKq5Sdrp88+dcjj/PDI 6QaPnoRa+lYQCdTwBndc0tbwyeX8ppDXie9w43DH1mAbki6PC2vPfcLSSKXaWnVC czN85QrjwCkEHxc4vy00xAlI1/tafQ/+rwQoIVIu8JVPG1RstLUWxHuCx/jA78Qg jBumrK3S2bm1i4OvpqsHQOwRGEwQf6aS+9EfaStDi0A+x0wsR6EJSfdEIFJJpLJc offMocwAtM7D/ynfp5sBv6ugxEZ+7a2cxgRJzjw75q5Ke/SNFr1bzpO2BLRmQQNW gbZrM8UBadUSgXnnW9JwU2R4dlyhVfpvj60cAdYL/jQG/OB4z/O6XgzyKf93uNGZ +EvKRj7sAT8sBsVVlHuK/hCUe+XI4cfiT5Noqzw6cziToSgzArE1xFc3JD7OoQOU d07056zuJwCJVhnbL1bB/qYcf/bajrtCXsJfVwpQ Extension name: wyj10 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B68B416ED737BF2D

http://decryptor.cc/B68B416ED737BF2D

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\785ba6895dfb23837bba5ef9c84d5c74_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\785ba6895dfb23837bba5ef9c84d5c74_JaffaCakes118.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2736
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:2308

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\wyj10-readme.txt
        Filesize

        6KB

        MD5

        b5a9d867a3c956ea7cba5ffa1f12898b

        SHA1

        576ce891fe971944eaae856a005cb46fc34744f6

        SHA256

        be4602cba139575753c069e4dde671a7a58d0d196a130f7ff371c24fd827ebb9

        SHA512

        ea5e43a55a3958dc383848f6bf6b39d4c80acc57a9072f1f67605d7004438b42addf88aebe787f9e704e1024a26996a1e252c1ca6770aa56d5eb4850ebab20d8

        Download Submit

      • memory/2636-4-0x000007FEF63CE000-0x000007FEF63CF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2636-5-0x000000001B760000-0x000000001BA42000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2636-6-0x0000000001C70000-0x0000000001C78000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2636-7-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2636-8-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2636-9-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2636-10-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2636-11-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

        Filesize

        9.6MB

        Download