Overview

overview

10

Static

static

10

993f7a8655...18.exe

windows7-x64

10

993f7a8655...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05-06-2024 21:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    993f7a8655043289c7ef2c74e5d59a6a_JaffaCakes118.exe

  • Size

    166KB

  • MD5

    993f7a8655043289c7ef2c74e5d59a6a

  • SHA1

    51c7653cb3efafbf946d4a853847082ca9f783df

  • SHA256

    3338eb73de83e9ab501debbfb28902504af42b7c43490591679267aa59150d51

  • SHA512

    d5630a096067272d2057d244d601bdfb74c62319b2e3e4dbcc3a7a669001abe343be360f74b759bb70e9da37397f562aba6195124d1afe893557903a0555896b

  • SSDEEP

    3072:LLFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QnFJ05hNl:PJ0BXScFy2RsQJ8zgFJI

Score
10/10
sodinokibipersistenceransomware

Malware Config

Extracted

Path

C:\Recovery\How to decrypt 875dl-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 875dl. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/02B52B35A55CFD9B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/02B52B35A55CFD9B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: t2c9SoHe5SgqFHrClMbD6xAiqN9n9p0/bPheZvIHs227ttwAS6K5oTpXDgfu5W+m qcjB7KNLeBuGD//Jb3T90lEMJCpxTBsxrC18Bm4JgRaoCfTzFqmB69IiLtoMilJh SbQlYW4u7/vPZZ/PmMqFBUgF2AxWZ7TT7Pu49RxVOzdEeFFYgzXMmN/JN8v6UHsH NLVRut+0vAZuE3QWzn9+leEb2um3qULg/TyjYjWRDu5MnIezix7U5pwwRJwJBWyr aCyprKoDiD61iJQ7yQnu8Klp/7bE2IpoY0vbpzvhFmo53uQ/8Z7J0LDX7bP5LVgz psbA4M4LSdOdTDBp30d2xRd411J02B4QMe2WzcO14VTyNfF8Qtd16Vqh8QXZrrIR 905D91WqtqEeLfviBFDH1MlqYTEEKbn7AXrIwZ9bsEdh/JjggdAJmAMb8WTlhnph nD58VVG9AIAVLODxZ9tmR0nphhI7QRphZvke81P4Tqsxgke/ntETeNk+/Pe6P9zg 7yQPJW8tN423zfDESF79jeTqmGZQ4twdjOHg2VyxaHFHOWuU3h7uIDC5ny2vMzBj AZkj0uAyP7GOYKmOWklcr3HiSBoKkz17Q++HvEIbrvm7sWCzTRyvRQCFy+C84NGQ WBxGmKBc4WBbEDn3Cbq+e2s7JHhYpAC8Hcqc30f3nYCdGpl3ZZgCuhwkMbE+EoFE MJmatzv4nG6V8eteA1kXC81pJjl6XldaUsLyEnmzMOfvZLLPoLuIkE1rX5cJyzZO JIRm2GKUUr5SoWbLHzSzlrjcAtHlCFoq5SWK152EM1kXj4O/7JsEw+ZQ67HVDaWE uFlEUny87n8iN+XfK8ZRWO2tH4zPYydh01YC+hN0asYyI5xL+ZVKyZpGVGdnTS/O FVkIJNfyhSMxNCQ8KvBw1dTVJJA9Fi6NupQJ40vIDcvnx3y9GI/untSaUl7t7Lf4 8aiDfO5xbNyKgEl7PbmiYksEFt8wLdpH5Ug/aKiPs8UCSSs59zVbxoFeEcTS7VJm pVndoNCdrCsyOlxPb7CztP+0X4Y3Cmc68uJQytDV0TFzDhx69MoL4xpOjJnkdDRu Anf7QqJj927NFIHs5IY2jLnWDmEjEVcgQnETF6b+RIcMjoZq3vG5WufmOnzXgT2k HT70WioAH3WyhEHKjconXNeIo8VSmCrjttMWHo351sk8d8mIGfKh7d2r5od9dVna 9oJjCWa6A12d/ssFg+9JqLUgzjDfgoLJL5XREtN5ONE/QnhR3p30OegNchwrdPlR bQBCWRlT8IuY5/o8Juu5oVlJeLEdqdnXZtQIhZutmr/ADSKNdAC+7yQmni9SvWGv ej1zuo83Vpj3RUzfi3wi76jWPF9ht/bNJkZxbM0q Extension name: 875dl ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/02B52B35A55CFD9B

http://decryptor.cc/02B52B35A55CFD9B

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\993f7a8655043289c7ef2c74e5d59a6a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\993f7a8655043289c7ef2c74e5d59a6a_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:804
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3040
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:2756
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:2452

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Recovery\How to decrypt 875dl-readme.txt
          Filesize

          6KB

          MD5

          ae546f6ec88a54ae49104e8b65449756

          SHA1

          a60c2c98b060cce4f73a6026f2bff5ffa263b061

          SHA256

          509d2a60e44ae7c51cacaf457723b6f9aa32ad1df9ca74c01433431e82e4648c

          SHA512

          7d20e2b8ffe87803fe967ac99dc1b7d195897c9d889b9d5c2b9a74c36d55f84c6d2c12a06e76fc6605cd732bafe6c91473573810b539cf82b7c1cc445a27625a

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TarCD64.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\Windows\System32\catroot2\dberr.txt
          Filesize

          193KB

          MD5

          c03302fe68dd4410aafd42db2148f639

          SHA1

          833ed33fa2a63f8189e47410455f977b9284db7b

          SHA256

          4e69250a1cfa1bb8f9c80362c6253c2cc9cb32a87648ebd1826546491512837c

          SHA512

          c0daf156b44844f34ea93abf2b9fdc9a46dca0ac684eef61c499e41c012d40068e32a645cfa227af772d724b2a2a5c0c3a1198faae97e3dc60f81b43a87e8fab

          Download Submit

        • memory/804-8-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/804-9-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/804-10-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/804-11-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/804-12-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/804-7-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/804-4-0x000007FEF597E000-0x000007FEF597F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/804-6-0x0000000002810000-0x0000000002818000-memory.dmp

          Filesize

          32KB

          Download

        • memory/804-5-0x000000001B550000-0x000000001B832000-memory.dmp

          Filesize

          2.9MB

          Download