Resubmissions

16-06-2024 14:39

240616-r1f9ys1dpj 10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-06-2024 14:39

General

  • Target
    b4070a6d33fd166e115bd0cb2268b7ca_JaffaCakes118.exe
  • Size
    166KB
  • MD5
    b4070a6d33fd166e115bd0cb2268b7ca
  • SHA1
    9f8510cee0c696b3c986c619b012acd19db9a7e7
  • SHA256
    4dd6435f7a4bf6b1ce2e3479230e6d1f9b8730000d3c261ceb3457407bffb701
  • SHA512
    3137b62656a2aee8b65f6dd0e4c79818044bc973f99af878875a3e0fc1a3ab97cea8cd8eaf68377c86840ae680f285893d485c3f521304be0d99751b3a7498dc
  • SSDEEP
    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QvOYiEyYFarnufJIIn:ZJ0BXScFy2RsQJ8zgZyYFaifx

Score
10/10

Malware Config

Extracted

  • Path
    C:\Users\89d581-readme.txt
  • Family
    sodinokibi
  • Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 89d581. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9F483F61986A4589 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/9F483F61986A4589 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: u5BksepoxlftycIzkbtPR6B05/llmPKwjzdJ8uPjKM/0nCb2JnNU8LnH7CyQBPT0 hCR6YBosP+cC/PCX95NPxlonpjRMKzZhMHeaDgc2Qn7qhd3/MLKE7YmD/Fe+Xr2k rdqWnQGqkGrSvSbfMMXE390RbWL8H3slP2545aMqOLviOD15sMAu8ARnkM44pWWI VxZZM+9TnTsFDSGJUluu/9s7ti8ABXNEPE67rsVFqAM4SjXDlMM55s1HOxwh3DkG lLOjXNEvna92vrD8TDvjMRy5/q+bP+SxBeI8eutxNiWiSV/Mz6qHhxO7508xC/z7 xsjc4c/NQP5pbw3A1SEQrQRkrxPpXnzCVWpkwpWhCPnMVyNMBb27gu6EXbEKVgVz YPpt9CrX+K7xO1mw9TqIWc/zvtjatT9X4FvWdR+cs5eS/oaLeP5BnRg3Q/QiDZKP kBntBg1V3PWoBIE84zjQ1JmwxAmtAFTxSPEuBTBYr7EXPd+ruI0fB8Plj+TMcUZn bxKYx/Mml0/oXKgBVtlZJ9DSCFRItWFzsXTcUFzncG/dOWvMxnZ1CSqaORg8JsVq pUi4hqkayoYfaQNx/nNG5Zw8I1VyjuCOWZLI7e5TBIHQd/77m1lXPCv8PhIfI4e+ pTLHmhYRCOzIeyUryg01u1fYyzFcDlbDssh5wpJRW6Pj/Whcg+6Zbozb+rCl95Y/ gK9RPKHBmTiL3euKTNT2fatZzpsE7xU/S4gcvXZd+XfO4EYosDVquifpaq76c/sT 02//P2wEDxKcNK5eoIybohzAgYSfL28Py4b/KRhFKPp7ZTqtQSgSve/JBfC5XAgH FfBVtFZHvg7qEXDS14dy8f/GtYpvYj2aDFNO7IWd09E25zlJQOt0Qb5uuBezetLQ rzwSKEDAP3ebvyrRhNLlpH0lejtNjZY3fCSvdS45xPZC2Hec+YIlNqhNo3XDuvqa HynZfcwjWCzTobfVXYV3htVbAnJIGvzXaGKFl4W54j5YdzFj2z+m0wEEJjZ33PZp 4j+bpzJ0WKrhUTPlSWI0Vty9lUb5IiPaQn3dVgNY6zz9n7TrCaS1CN1BayPn17z0 LPGF+p5967I0tmQhYVoTybq3MxGaOzypj1PFsxPAk9I5JVyXVjT61sbfFmgMue/k 1rF+qzFz9Kkdr17Z0j6iSDvOkuM0SZ/7uyQKLjE4GTOMRrGW7vjC9lGAyqsloXQ9 WFu/VWY6da7HpbG/5f9Sr2/gpLsSJAgw8PFxogCtSl9WEQSt7jTLwvyfrGwOhAXb LA8RTK32KN0gtU/OEZaUBTUNfyWakZROdNNhDHwBll1nE26QfWcehUCMUh4pzyW0 C5BUmDE+NaVwGDrEjWgUGB034TXQlKfHRYw6UWEJ Extension name: 89d581 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9F483F61986A4589

http://decryptor.cc/9F483F61986A4589

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4070a6d33fd166e115bd0cb2268b7ca_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b4070a6d33fd166e115bd0cb2268b7ca_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2008
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2720
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2800

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\89d581-readme.txt
    Filesize: 6KB
    MD5: c9bf428b700479c4ffda86d5ddb64d79
    SHA1: a72be2e0ba35d27e52313e1b0240dfe1f5a79caf
    SHA256: 1fbe4bce4ba3992b376837f59c725917b2f4361652bf9be48cd7f24bf2447232
    SHA512: 227d4bcd01376824db7f87ff9718eb5aa4a9222541a7ab2b0142bc78741390ca533bba1cce58157b98421de62d41a05d5315a5201828d38e984afd8b7c3e1810
  • memory/2008-4-0x000007FEF5A6E000-0x000007FEF5A6F000-memory.dmp
    Filesize: 4KB
  • memory/2008-5-0x000000001B640000-0x000000001B922000-memory.dmp
    Filesize: 2.9MB
  • memory/2008-6-0x0000000001FB0000-0x0000000001FB8000-memory.dmp
    Filesize: 32KB
  • memory/2008-7-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp
    Filesize: 9.6MB
  • memory/2008-9-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp
    Filesize: 9.6MB
  • memory/2008-8-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp
    Filesize: 9.6MB
  • memory/2008-10-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp
    Filesize: 9.6MB
  • memory/2008-11-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp
    Filesize: 9.6MB