Overview

overview

10

Static

static

10

b0d6817c4b...18.dll

windows7-x64

10

b0d6817c4b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    16-06-2024 00:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0d6817c4bcd8df8703a0aa8d2ba08e3_JaffaCakes118.dll

  • Size

    114KB

  • MD5

    b0d6817c4bcd8df8703a0aa8d2ba08e3

  • SHA1

    29c4c5e9c180c4c1241b69dd72ebdf5234628cbc

  • SHA256

    f4f27a8d8607db742cdc40a1bffe2384f2a3bdeaa4f10c86d0e339f746a00036

  • SHA512

    cbe7efb0bded61d4745783e482fcb4332d238855d175f3d15775ab3f8faa25151898611d46a44c38cd1b5b374eee6b892dd1feb03021031041cb444b0e55f69b

  • SSDEEP

    1536:6Q2auIslFGhFtuAp75WeNMYLoRGp+K6fHICS4Ad1vdhC9fhHNPMf:3sI/hqsMYLoRK7b1TafHW

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\Users\3hl1vetq7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3hl1vetq7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EB42678C7DF80537 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/EB42678C7DF80537 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: gfssW5jIQLR9DMTHeY8kazH6nyGfVeOg+o58D/D9aNT4X+0XG86wNeOTnqpr4mtv HOfSCDNUOWDmywoPyBm8/jy9t2LQNUjCfY3Wjaronqj3IpzEC7GvB/USColiFp8o Cnk1wH6CTAWUQcVw5ivw8jEBGA5oj3SmAwfxdMthXOeMNOLqyHvlVRZwG8nhCJu1 YcgdQwsRa/MPXYM+impsu4OHmW03vpH6DKCBITvp7PlO3O16OOpgtmqlt7BcFb7W GlEgVeLnuboOLO1LrJGmSx7JGnCSGHon+U5F9qqgjRbFIuMVDwqGoiDBAxRJmEMG uf4b9jKkOigXJBky77KS7LxLwgZmYdFwJaUyqvomKwQHClm7iDsPl2V8GJFpBQHt 5Lw2FgJV5b8TnzqKDi1JPiuY1Fm517o4JJ2iWHG6dAMMkyEITXVUH5q8NA/rCAav HhJd+BwtTRdMIiakasW/EL4/e+gY1NsR947shjv3yzl2FkUYBrmC3iJSii2f2p09 OHgwYQpDb7mocvykT0AHnpwOq8OvlA+kEmgLd77gSWxyD1ySDYXy4xyrN1Sjmy/S HrjdLU4BPnOC3I5hh2B5QOwJUkbmzVwVcwsF6ZXM33DxxWLrBEg9kOL6TVzpm/gh hrys97rTSpwVzKxuCjhvOkSFnwyOm+FTfjAJbK+HEv6ELxmlhf9Q68g/1w3PNsx/ /fTozar1SdhB/RXH8Psc8T36m+xPN0bffgfZ5UAXlkj2M/8U+OEDB1G+EvUbMidS h/fUoS0uBJXtEqzgCah8VWpwxs1k6uaKOrBNw6TOg6f3ZTr33HPyb1kDE64hujVH ua4236A0xLYGNAuebDmDjCC0slTxqkn8H9mVKtrvIDt3scCPQMavVRU8QPGJU6e2 3Wy1b/G7Elw8LREhCkRznho4gkIRQ1tr5v62zdC3gKF0mui2GoykmwesK07+BeJd taJh6JMmuKIQvbBspf+bWpHPgip11jn5dPc0CZq4uS+5qjoYI1+/wHz1MuAp6Huw IxKiSvIIR++E5BKqc9nOQKVaeuuq3Wvo48Sm9GR2vGHShhDo4wz1J0HBmz/PgFic 9ErFaarHNh3zEgq3xXtuxWRlI7NFAJHLGv9JM2eyq8vZwqjWCAKJgICd9Oz0OE3r vocw+nxnp9PB2LFYfCe/E+Qj+8/Ma38fFihLLm/jpY925yd5htiX+i5zKmDIYjbu LdW3VEUZyUrhvQqLzhXsJ76UIXVGW7wA6NEJbqICglEiPXe33eewflxP2RMK8jqg ns8d+ebUCbjTIMw0VJsotkzmacuq12Z5C/550Ich/PiYx9kPBVlfFKLR3swKcCWk wPFYML0BdfqA4Vz+mtKYM4gjqX+HVWwQrFvw1YUo6HNeFre4p6I= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EB42678C7DF80537

http://decryptor.cc/EB42678C7DF80537

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 27 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0d6817c4bcd8df8703a0aa8d2ba08e3_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0d6817c4bcd8df8703a0aa8d2ba08e3_JaffaCakes118.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1788
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2364
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2716

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\3hl1vetq7-readme.txt
      Filesize

      6KB

      MD5

      ab3a0e933621ca33373ee473e7569156

      SHA1

      e72fcdc9cab52998f57e443f3c941b19635cbf3b

      SHA256

      fe4f7e2749b388de2b1356a02358f4a9e20ec9d93444a80e0fc013c5816aa895

      SHA512

      ecfd7df3fefb835a98caec9cc9de6035d5314f6eb95272a1865bb034f0334bbd63bef52e5820c0ca39c19127dc78c4ca4e18107c2374a031e2f4ad19139c08b0

      Download Submit

    • memory/1788-4-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1788-5-0x000000001B570000-0x000000001B852000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1788-6-0x0000000002340000-0x0000000002348000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1788-7-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1788-9-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1788-8-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1788-10-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1788-11-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download