Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 00:20

General

  • Target

    ac3317e314bcdfba26c875d00e3bee70_JaffaCakes118.dll

  • Size

    164KB

  • MD5

    ac3317e314bcdfba26c875d00e3bee70

  • SHA1

    46679779e7de6cbc72b8c58cc64065edd191f226

  • SHA256

    db583e09ea90ded0a3c534b0c71000fd2db204ddb6ade2431faa6c2e5adc4343

  • SHA512

    f3f241370c733cbaf9667d1dc00a8480c8fe67a49118fef757a9bcb4602654db53efa454f03a2108fd49a60cd1be0ff902d535fd6132edc0f061ff42d39f2f97

  • SSDEEP

    3072:FWeI5JXJRGpUhFiWjmfb+HP+rnRfUhdT9sT4JtL8B:FWe29/GuzjmfCHWtUhO4/LO

Score
10/10

Malware Config

Extracted

Path

C:\Users\914tn4n40-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 914tn4n40.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/48F9C7B955B3B5D8

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/48F9C7B955B3B5D8

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key: mkF2PWRASehjDEcxkupgOWDiHqo2U7smnbW/j+qFY4vwlQ4jB1T+vwiImKxZJjeh Zg0OTRxhJ0RmCzxC6T4H2nymA7/5JYdTszA3vFVtNITimDT3V4Wo7Qp57wjDlET0 jJvBI/e8yMWWajZuTAlPYBr99Fc75PcDQj9s3nW6onDrjMTvAOLqGYgDeHAVOLGP 3cCyQH/MMyEylPDcPdNul9DacKyGVVNRocb55bgdR8jZUKOyi3ncy5XjFAi+Ty2O 0teGRZ3DzjNaoWYD1kGLRlLNLtCQVTtV+p/6ISc0p9FKHGTwjf92hltFyL5HIgfR JDX1qKRjdkqptLErnYBVSPPfun/ZmQeHCcH/al44ThBljXpVBH4E0D/0SVQFz0Rh lA9BSA2nK2Md8GrxM5yS2rLWIMtyMMFy7z84VIjHqj6tUKqd6sLabsiV4/aVAMO+ KJUdqFDfHECzHlO0x9F2mMTTv9sJIJmAU6o7SBlHj1a6Ty5i2VEXiFZsEPQNjayG xtSvIxfuJZC0NVYNJ3+SPKHAeRRzB8uEERcAXsBz5x6gr5i4/NevFCaQBVHg/c0I vM8QrVHz4wahc0tA+MX1yJAzRDqsKHTKZN2PweUemn7aIdy5yH1zZl53HOY+1yOE H4MM1IFO3HrXRBPWtVkMqpJtlSJh0Krjde/543nLeE/UrjRLxzI/knEb9sk6o5cC 1STrJlG4klubYkYr/h0imAnZmm1eql9I31ancMAgazv9KozRi9a0bN2ebrKWbUBY QlSXmABWsgknNhX4cKbcdIn6c0pykfrbiVu5+Luu+IrwnBDAoB7bsq5V/Ghp9i1j q9TXp9MZSpVhqzzxXTnHCzUvzR5z7M18snrP/xHSLatvAgL2jaSia2fZFUU0wfit 4446TKS71EgrZ3mmSQ85+YNAJ/ABCxjjbOe86/pqjamyoBf/IMu2RF7b2+l37mk/ e1fuPTbM0XEYXZkCs/bwRGl4TT8pvY0t9E/Avt8OGy7+2jHLMu6pAOJtlUXKdJIa 8FXLRzyP/5TH5qq9o8Ek8vcCGbMm2dluPQHKR6qlScrFxxwHx47YQBgt4HFPGB7/ k6MptCbTJ/r+plBufq/j6/l+YfZoMCxmD9WWbpoXMG9CNXI0wH7QlKf/kxSu6iNa pLdSwQd8NBtLbEN3aQ6rlpcAN74RcKurTNF2XPnd74LC8pI441AYK+ynEFw3UWLa EnLMNXQyY1ZPr75VW1hBPNPp

Extension name: 914tn4n40

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/48F9C7B955B3B5D8

http://decryptor.top/48F9C7B955B3B5D8

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac3317e314bcdfba26c875d00e3bee70_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac3317e314bcdfba26c875d00e3bee70_JaffaCakes118.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1884
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2340
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2800

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\914tn4n40-readme.txt

      Filesize

      6KB

      MD5

      94c5046958644f24ac909c5a3a98dd25

      SHA1

      5043b85b4d465ca1c14b0807572bbbe17fc279ad

      SHA256

      4a92acd053cd8e724b54fe35bbb34e01ba036118adc42441be505d1724bd8aa8

      SHA512

      1e23d093fd4a5304f29a63a7f3016e05c0da37e207cda4b61adfcc42ce96b0f1ebc7ddd4454235b7a3a61c163e5e46bff5cb02f1b71ebd23c8ffc5734b084e5a

    • memory/1884-4-0x000007FEF56EE000-0x000007FEF56EF000-memory.dmp

      Filesize

      4KB

    • memory/1884-7-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

    • memory/1884-6-0x0000000002620000-0x0000000002628000-memory.dmp

      Filesize

      32KB

    • memory/1884-5-0x000000001B620000-0x000000001B902000-memory.dmp

      Filesize

      2.9MB

    • memory/1884-8-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

    • memory/1884-9-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

    • memory/1884-10-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

    • memory/1884-11-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB

    • memory/1884-12-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

      Filesize

      9.6MB