seon | 5b60c68944368c9b21e4333f3f289152f15e69ce2a4ff387fb7a0005cb990bfb

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe
Size

78KB
MD5

2dbea739ec5c54b1a3bcebcd138d50be
SHA1

8983c117646ced45f438e7b5e862e3a4c725edca
SHA256

5b60c68944368c9b21e4333f3f289152f15e69ce2a4ff387fb7a0005cb990bfb
SHA512

0027b04b3f7fa337e7956ac226fd34c7344d0c7a2a32ae58fe730870b7e812a098a3fe713d5fdcf0d797254d4497d3e2511ed09227d308fa671231c0f0f047e4
SSDEEP

1536:JtUknV9M6+ygXCNoNGtmFWZPhV8owtnMQPo9NSw249gdhwA2jeddm0cW:VCygXkoNGtmQZ5wbAzSm9gdhj2aI0cW

Score

10^/10

seon ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/xAKLXWQm http://goldeny4vs3nyoht.onion/xAKLXWQm 3. Enter your personal decryption code there: xAKLXWQmvBPZzm9mSH3XhGpGLvM4Hue9Vb5gB1bfVh2ievk2hZxvM1pJdNWQiaxwWnwuWea4qge2TjkhHASQXAW3MA7vEoyS

URLs

http://golden5a4eqranh7.onion/xAKLXWQm

http://goldeny4vs3nyoht.onion/xAKLXWQm

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Renames multiple (244) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2380	lodctr.exe

Loads dropped DLL 1 IoCs

pid	Process
2792	2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2380	2792	2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2380	2792	2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2380	2792	2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2380	2792	2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Roaming\{e0919c98-4d31-43ff-bf35-0a346b201389}\lodctr.exe
  "C:\Users\Admin\AppData\Roaming\{e0919c98-4d31-43ff-bf35-0a346b201389}\lodctr.exe"
  2⤵
  - Executes dropped EXE
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
accca8dfcbe8608af99222b2685e7685

SHA1
543735cfe6ebc8c5cfbfd53c08a29b0830acbe09

SHA256
64e37021244d98765b7c7bd546f82865bf18e61781dc8875674914594b675353

SHA512
0704d82f2ade9819bcb3b7405a64b9efcb014b9a0219b206f21e763b31ac240c6c42193e7f3260f42a4297c0a8990452a36b78e8836d8a3d5681f9e0da1e8045

Download Submit
\Users\Admin\AppData\Roaming\{e0919c98-4d31-43ff-bf35-0a346b201389}\lodctr.exe

Filesize
78KB

MD5
33e757aedd9ac018c9ad24b5e11afb4b

SHA1
1e95baad8570127fd09cc01eb10b7d2841ef9317

SHA256
ccd7a33594b393bf6afaac05047c2633a02fe5324ebbc81a25127fdea0952415

SHA512
6785db518d3c2bc141227395b6fce68dbbf79fd8e746800ceafd0585b914ecde510076c5f1abb5fe434192bd9b3269c29821846c200fa82a3c4fa3bd6ef09995

Download Submit
memory/2380-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2380-17-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2380-20-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2380-515-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2380-514-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2792-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2792-1-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2792-2-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2792-15-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2792-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download