Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11/06/2024, 16:25
General
-
Target
9ecca170d0515fb14c8b78302b8053e7_JaffaCakes118.exe
-
Size
166KB
-
MD5
9ecca170d0515fb14c8b78302b8053e7
-
SHA1
2b498759c83f05beda20adc991be476934ea0fa8
-
SHA256
ec0c653d5e10fec936dae340bf97c88f153cc0cdf7079632a38a19c876f3c4fe
-
SHA512
fa433c9712a8a247825d85c950f9754ec83dbf82fa5f86a2b637727362f22fcdc68cd59bb3845e1d6020d7ce5133a1916b5af0b1ed716bd6d3a696353d2df8bb
-
SSDEEP
3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qt6tCIm:ZJ0BXScFy2RsQJ8zgQ
Malware Config
Extracted
C:\Recovery\How to decrypt w92y2gmfr2-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8B78766B5F9AF0DA
http://decryptor.cc/8B78766B5F9AF0DA
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ecca170d0515fb14c8b78302b8053e7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9ecca170d0515fb14c8b78302b8053e7_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD59f07dc9075e71c5056bdf082d04cf93f
SHA18f8c6cd7f4c577d67b6acdfcc6deef1722ac38ad
SHA256f33f6806665fc093847425fd25f8c4ab068bcfb53efe304822bfb122150025ff
SHA51267c21bab123559fa2fed4655f50ffd7a537f1ff2954bf971c952c3d1669aa121764fdf0515d1e2a91f1533647414574a5d608855c04f5043ae34215ba4f52ffd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB