Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-06-2024 00:20

General

  • Target

    ac3317e314bcdfba26c875d00e3bee70_JaffaCakes118.dll

  • Size

    164KB

  • MD5

    ac3317e314bcdfba26c875d00e3bee70

  • SHA1

    46679779e7de6cbc72b8c58cc64065edd191f226

  • SHA256

    db583e09ea90ded0a3c534b0c71000fd2db204ddb6ade2431faa6c2e5adc4343

  • SHA512

    f3f241370c733cbaf9667d1dc00a8480c8fe67a49118fef757a9bcb4602654db53efa454f03a2108fd49a60cd1be0ff902d535fd6132edc0f061ff42d39f2f97

  • SSDEEP

    3072:FWeI5JXJRGpUhFiWjmfb+HP+rnRfUhdT9sT4JtL8B:FWe29/GuzjmfCHWtUhO4/LO

Score
10/10

Malware Config

Extracted

Path

C:\Users\003o5in6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 003o5in6.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/37F30DC96C41006E

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/37F30DC96C41006E

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

oPqlyxUTR0H6qXS8ke/h1SNAqTRDnOo/SPZKC8Rdnf8p6uX5zYnyRhRcIx8SD51g
xomqonVe3oM85rWtIXi1WoO/BZBltECK7I+a014taJsYN3gvXG/RxWS2B32gwpS9
3eolgaIq+uTxuen1+L6lkPedfaRKTKqt3Jq7XtDR3W3bEfX0eEFAHVi9DT2eF+D7
Hixh+mL/keEn5X3vuBuKs78EFqixiZCiw115vhq4D2PcGWkDEwzCrOcVubrQfIL1
ojNkgvc4fuRJxTLdzjw4HVmTKrwLR7b5hM58YBZmim0dNhdPDigecKBFgwmW5hRB
2IbP1HPku8IkrRUC6RR/y2ab8kQuXJwwA4qMDnVikH6bf2M8yAJep9aR2IXJ65pu
fb6zRLx0R9Bqk9O4pYOrCQrCNJd4//A7lj2vHbe8p/cFyJ+FLZbflt9LiJaI7FFp
VuQFrDmqRtqk3Wh/fFLsBPDVFSRIzC9NWHVfz5Z44TBg85u1hp66qj3K87BRuTs5
PhbBUeeqCOp6iDqpWGQGH/XIJB460G3l01LOfguqFqdEO/M7amst44it6rin43e3
y4NqED3+WnAvNhrULtJug+TV7N7hURihgOFSmWmnzI2bxPRFOq59G5pK5C45SuK9
mmMrU0bmQ47YVHU3wPRnqHjVrj1/o6Oq5+bWr++oQuPxkOgEdH8X2GOWpk0YtJWu
yU4WXi3EQFy/IdHIN/GfAjLnavylJydvj59ZPGHtzrQEmuUmIPkJQrV36GAo1WPl
+/vQqGcfl+Cf4fl7riQ7zs5V5r8wuvXfhKPbP8KRV4eHQgDvF1M6Ckt47enKn5G2
khEjAHkOOtJpWwYw4F6pHFU5WUMPuRJgfjgLpi+qK4CaetiDsvXvaaC4N1xgyJvD
573zflyjTh1MuDOsYFmdVrxxQ9SyGH/8McDf0+3mUe3ON7k3T6w8CkRcmifaFR14
DxHDzdAbrWI6xSlrQ5VVR+3FlKzXz7Z0X19Eewx56chP9eUwNgfoGHBoS0jWvWxo
dLrN725j/CG4mlsqlqBbg0HmxARr2LJ2dUTlZqtm9rpZMeHxaxczvAXOqMw8mP4A
oAbtGpswSYVpJBO5BwnVZqivEGxvXtD+qeCddD1zyD7hKRDbG5/ZMMP4SPzT5Q5r
cYnkheF2L5VTFtyBX0CB2hjbgqxRHk69jsEo4tgeTKJ9d0hnqOcTMvJvA8WGPj41
UAYzmRUhq1wWBzD9ywW2I6d1R83IVQ==

Extension name: 003o5in6

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/37F30DC96C41006E

http://decryptor.top/37F30DC96C41006E

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. In this run it is reached through WMI rather than called directly: the base64-encoded PowerShell command in the process tree decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, which deletes every shadow copy so the encrypted files cannot be rolled back. The vssvc.exe and unsecapp.exe (the WMI asynchronous-callback sink) instances listed under Processes are the service-side activity that call produces, not separately dropped components.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac3317e314bcdfba26c875d00e3bee70_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac3317e314bcdfba26c875d00e3bee70_JaffaCakes118.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4972
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:544
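The PowerShell command at depth 3 of the tree above is base64 of UTF-16LE text and decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}: the sample wipes all volume shadow copies, which is what pulls vssvc.exe and the WMI callback sink unsecapp.exe into the tree. The 64-bit rundll32.exe at depth 1 hands off to the SysWOW64 copy because the DLL is 32-bit. The Python below is an added example, not part of this report and not code from the sample: it decodes -EncodedCommand blobs the way a detection pipeline must (UTF-16LE, not ASCII) and runs a small rule over process-creation records rebuilt from this tree plus one constructed benign launch, flagging only the process whose effective command line deletes shadow copies and reporting its rundll32 ancestry. The dict field layout, the benign event and its PID 9999 are assumptions; vssadmin and wmic spellings of the same action are included so the rule is not tied to this one sample.

```python
"""Decode PowerShell -EncodedCommand blobs and flag shadow-copy deletion.

Added example: not part of the sandbox report and not code from the
Sodinokibi/REvil sample. EVENTS is rebuilt from the report's process tree
(same PIDs, images and command lines; the tree does not show the parents of
unsecapp.exe and vssvc.exe, so those are recorded as unknown) plus one
constructed benign PowerShell launch. The field names are an assumed
Sysmon-like layout, not a real log schema.
"""
import base64
import re
from typing import Optional

# powershell.exe takes the script as base64 of its UTF-16LE bytes behind
# -EncodedCommand or a short form; decoding as ASCII/UTF-8 would give
# NUL-interleaved text. The blob may be quoted on the command line.
_ENC_FLAG = re.compile(
    r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+[\"']?([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# The WMI deletion seen in this report plus the two other common spellings
# of the same action, so the rule is not tied to a single tool.
_SHADOW_DELETE = re.compile(
    r"win32_shadowcopy[\s\S]*?\.delete\s*\("
    r"|vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)

_SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\ac3317e314bcdfba26c875d00e3bee70_JaffaCakes118.dll")
_ENCODED = ("RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3"
            "AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8A"
            "LgBEAGUAbABlAHQAZQAoACkAOwB9AA==")
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    {"pid": 4440, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {_SAMPLE_DLL},#1"},
    # The 64-bit rundll32 re-launches the SysWOW64 one: the DLL is 32-bit.
    {"pid": 1328, "ppid": 4440, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {_SAMPLE_DLL},#1"},
    {"pid": 2152, "ppid": 1328, "image": _PS,
     "cmdline": f"powershell -e {_ENCODED}"},
    {"pid": 4972, "ppid": None, "image": r"C:\Windows\system32\wbem\unsecapp.exe",
     "cmdline": r"C:\Windows\system32\wbem\unsecapp.exe -Embedding"},
    {"pid": 544, "ppid": None, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    # Constructed benign launch with a made-up PID: "Get-Date" encoded the
    # same way, to show that an encoded command on its own is not the signal.
    {"pid": 9999, "ppid": None, "image": _PS,
     "cmdline": "powershell -enc RwBlAHQALQBEAGEAdABlAA=="},
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext script behind 'powershell -e <base64>', else None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _ancestry(pid, by_pid):
    """Image names from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_shadow_copy_deletion(events):
    """One finding per process whose effective command deletes shadow copies.

    The effective command is the decoded script for -EncodedCommand launches
    and the raw command line otherwise; each finding carries the pid, that
    command, whether it was encoded, and the parent chain (LOLBin ancestry).
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        decoded = decode_encoded_command(e["cmdline"])
        effective = decoded if decoded is not None else e["cmdline"]
        if _SHADOW_DELETE.search(effective):
            findings.append({"pid": e["pid"], "command": effective,
                             "encoded": decoded is not None,
                             "ancestry": _ancestry(e["pid"], by_pid)})
    return findings


if __name__ == "__main__":
    for f in find_shadow_copy_deletion(EVENTS):
        print(f["pid"], " -> ".join(f["ancestry"]), f["command"])
```

Run stand-alone it reports only PID 2152 with the chain rundll32.exe -> rundll32.exe -> powershell.exe and the decoded WMI deletion; the benign encoded Get-Date launch decodes cleanly but is not flagged, which is the point of matching on the decoded command rather than on the presence of -e.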

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\003o5in6-readme.txt

    Filesize

    6KB

    MD5

    85f0400c815c55e85ed4343605dd4e40

    SHA1

    17b1444f0efab089ab151ecaccd2a32a03c1236a

    SHA256

    9be975b7cc454dc76daa3f68acbf77fb938d34011a14d70d25273caf274a69ec

    SHA512

    8a1b06fd162f870d591dc4ab71203167d0ae57e967827ad04995785b416a28c6404ee8a7626029aaf8dede6f3aee9dbd5294b66c8e11ee9ce3d08486dec8d0b5

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckyop4qn.xro.ps1

    PowerShell writes a __PSScriptPolicyTest_*.ps1 file to Temp at startup to probe whether an application-control policy blocks scripts; this one is a by-product of the powershell.exe launch in the process tree, not a file dropped by the sample.

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2152-0-0x00007FFCCA613000-0x00007FFCCA615000-memory.dmp

    Filesize

    8KB

  • memory/2152-6-0x000002F65D870000-0x000002F65D892000-memory.dmp

    Filesize

    136KB

  • memory/2152-11-0x00007FFCCA610000-0x00007FFCCB0D1000-memory.dmp

    Filesize

    10.8MB

  • memory/2152-12-0x00007FFCCA610000-0x00007FFCCB0D1000-memory.dmp

    Filesize

    10.8MB

  • memory/2152-15-0x00007FFCCA610000-0x00007FFCCB0D1000-memory.dmp

    Filesize

    10.8MB