seon | 5b60c68944368c9b21e4333f3f289152f15e69ce2a4ff387fb7a0005cb990bfb

Analysis

max time kernel
94s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240708-en
resource tags

arch:x64arch:x86image:win10v2004-20240708-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe
Size

78KB
MD5

2dbea739ec5c54b1a3bcebcd138d50be
SHA1

8983c117646ced45f438e7b5e862e3a4c725edca
SHA256

5b60c68944368c9b21e4333f3f289152f15e69ce2a4ff387fb7a0005cb990bfb
SHA512

0027b04b3f7fa337e7956ac226fd34c7344d0c7a2a32ae58fe730870b7e812a098a3fe713d5fdcf0d797254d4497d3e2511ed09227d308fa671231c0f0f047e4
SSDEEP

1536:JtUknV9M6+ygXCNoNGtmFWZPhV8owtnMQPo9NSw249gdhwA2jeddm0cW:VCygXkoNGtmQZ5wbAzSm9gdhj2aI0cW

Score

10^/10

seon ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/pf3zApGB http://goldeny4vs3nyoht.onion/pf3zApGB 3. Enter your personal decryption code there: pf3zApGBMkE5mYoHAKp5wkXVMuNZbzpU28ZSwxPSNsUrmi1ktmcau9VmhPb7F5KeAHSw3a4bcUosmv2yQSMbDxsyeCTph2c1

URLs

http://golden5a4eqranh7.onion/pf3zApGB

http://goldeny4vs3nyoht.onion/pf3zApGB

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Renames multiple (885) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
940	GameBarPresenceWriter.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 940	1388	2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe	82
PID 1388 wrote to memory of 940	1388	2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe	82
PID 1388 wrote to memory of 940	1388	2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2dbea739ec5c54b1a3bcebcd138d50be_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Roaming\{08d4fa83-f22a-4c97-a9bc-7898e87eafe9}\GameBarPresenceWriter.exe
  "C:\Users\Admin\AppData\Roaming\{08d4fa83-f22a-4c97-a9bc-7898e87eafe9}\GameBarPresenceWriter.exe"
  2⤵
  - Executes dropped EXE
  PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{08d4fa83-f22a-4c97-a9bc-7898e87eafe9}\GameBarPresenceWriter.exe

Filesize
78KB

MD5
fe431146775461bbb823c54dae5bee09

SHA1
7f2c2be3fd644e75cbaa8a5f7e8152314a5f8278

SHA256
675b2dce3a34ed9ee3794c9e590b5491b12bb90e828115b9eadf7bf98cf8d9bb

SHA512
c4fef9bb184e250dbe17d27d1ec74bc00eb638e3d83a9568d931531258d29ff3b610914641901687c8573e09f82ec817c1e360d69d85ba9644f3b07a05b7c559

Download Submit
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
4d982d0651c96b6d17b136970f4da3b0

SHA1
e20fa3343c3ae1c2c8d89538a434514d8fd80af6

SHA256
aaca607aebe8c46e6d2367d1a4127a5014143d590f30bcc5a2dd053ce8f40fff

SHA512
b28c311d6f8366850225826261236b683b52ade6ba07cf39a60afee01708e3a95eada93aeaca8479ecb7a1bb737a4e38b67c3a7d704074d84b7ee646b5dd4e04

Download Submit
memory/940-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/940-17-0x00000000005B0000-0x00000000005C1000-memory.dmp

Filesize
68KB

Download
memory/940-1793-0x00000000005B0000-0x00000000005C1000-memory.dmp

Filesize
68KB

Download
memory/940-1795-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1388-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1388-1-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/1388-2-0x00000000008D0000-0x00000000008E1000-memory.dmp

Filesize
68KB

Download
memory/1388-14-0x00000000008D0000-0x00000000008E1000-memory.dmp

Filesize
68KB

Download
memory/1388-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download