Analysis

  • max time kernel
    118s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240705-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    26-07-2024 19:23

General

  • Target

    7562724773496ecb41bfb251d4e80ac9_JaffaCakes118.dll

  • Size

    238KB

  • MD5

    7562724773496ecb41bfb251d4e80ac9

  • SHA1

    7c0eb4553c962153b63bd56df108cf607c31fdd7

  • SHA256

    304925750c2c72dfce65780bc6b2383b3d9129683efdeb9fd9eb45441d6ff234

  • SHA512

    30a345b02e7d08382443df8b987253b9c4fd9e029dd070605190bcf66a26bf9b8e835d373048c8847af1678b9d35375b35ac491605344db774cfabd41ba529f3

  • SSDEEP

    6144:52nRR7hBiHDzNQKCQiNs8YvMfmznqKa3UxnJvLE2BOWOqANTwmOD:IUviNssOzn+3ITE2vqkf

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$RO.LCr6jdP9VjRAMxCJY3ejtqThl60/x5fKwpmZd.2YvkbcNCIITS

Campaign

6825

Decoy

rocketccw.com

nhadatcanho247.com

xn--thucmctc-13a1357egba.com

mylolis.com

phantastyk.com

haremnick.com

vibethink.net

manutouchmassage.com

patrickfoundation.net

jenniferandersonwriter.com

deoudedorpskernnoordwijk.nl

gporf.fr

cleliaekiko.online

handi-jack-llc.com

bunburyfreightservices.com.au

lenreactiv-shop.ru

fatfreezingmachines.com

rerekatu.com

otsu-bon.com

arteservicefabbro.com

Attributes
  • net

    false

  • pid

    $2a$10$RO.LCr6jdP9VjRAMxCJY3ejtqThl60/x5fKwpmZd.2YvkbcNCIITS

  • prc

    ocomm

    thunderbird

    tbirdconfig

    encsvc

    isqlplussvc

    agntsvc

    mydesktopservice

    wordpad

    winword

    visio

    dbeng50

    onenote

    sqbcoreservice

    firefox

    oracle

    mydesktopqos

    outlook

    ocautoupds

    infopath

    dbsnmp

    mspub

    ocssd

    powerpnt

    xfssvccon

    thebat

    msaccess

    synctime

    sql

    excel

    steam

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== ----------------------------------------------------------------------------------------- !!! DANGER !!! 
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    6825

  • svc

    sophos

    mepocs

    backup

    veeam

    svc$

    vss

    sql

    memtas
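The prc and svc lists are the sample's kill lists: processes to terminate and services to stop so that mail stores, databases and backup agents release their file handles before encryption starts, and so that protection and recovery (sophos, veeam, backup, vss) are already off when the note is dropped. The block below is an added example, not code from the sandbox or the malware: a detector that replays this config against a handful of constructed, SIEM-normalised events (System log 7036 service-state changes and Sysmon Event ID 5 process terminations, with invented timestamps) and alerts on a burst of kill-list matches inside a short window. Case-insensitive substring matching is an assumption about how the sample applies its lists; the literal svc$ entry is kept exactly as it appears in the config.

```python
import ntpath
from datetime import datetime, timedelta

# Kill lists copied from this sample's extracted config: prc = process names
# (no .exe), svc = service-name fragments. "svc$" is kept literally.
PRC = {"ocomm", "thunderbird", "tbirdconfig", "encsvc", "isqlplussvc", "agntsvc",
       "mydesktopservice", "wordpad", "winword", "visio", "dbeng50", "onenote",
       "sqbcoreservice", "firefox", "oracle", "mydesktopqos", "outlook",
       "ocautoupds", "infopath", "dbsnmp", "mspub", "ocssd", "powerpnt",
       "xfssvccon", "thebat", "msaccess", "synctime", "sql", "excel", "steam"}
SVC = {"sophos", "mepocs", "backup", "veeam", "svc$", "vss", "sql", "memtas"}

# Constructed, SIEM-normalised events (not from the report): System log 7036
# service-state changes and Sysmon Event ID 5 process terminations.
EVENTS = [
    {"ts": "2024-07-26T19:24:01", "id": 7036, "service": "Veeam Backup Service", "state": "stopped"},
    {"ts": "2024-07-26T19:24:01", "id": 7036, "service": "SQL Server (MSSQLSERVER)", "state": "stopped"},
    {"ts": "2024-07-26T19:24:02", "id": 7036, "service": "Sophos Anti-Virus", "state": "stopped"},
    {"ts": "2024-07-26T19:24:02", "id": 5, "image": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE"},
    {"ts": "2024-07-26T19:24:02", "id": 5, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"ts": "2024-07-26T19:24:03", "id": 7036, "service": "VSS", "state": "running"},  # vssvc.exe starting, not a stop
    {"ts": "2024-07-26T21:00:00", "id": 7036, "service": "Windows Update", "state": "stopped"},  # benign control
]


def match_event(ev):
    """Return ("svc"|"prc", [matching fragments], name) or None.
    Assumption: the sample compares case-insensitively by substring."""
    if ev["id"] == 7036 and ev["state"] == "stopped":
        name = ev["service"].lower()
        frags = sorted(s for s in SVC if s in name)
        return ("svc", frags, ev["service"]) if frags else None
    if ev["id"] == 5:
        base = ntpath.basename(ev["image"]).lower()
        if base.endswith(".exe"):
            base = base[:-4]
        frags = sorted(p for p in PRC if p in base)
        return ("prc", frags, base) if frags else None
    return None


def burst_alert(events, window_s=30, min_hits=3):
    """First window_s-second window holding >= min_hits kill-list matches.
    One stopped service is noise; several within seconds is pre-encryption."""
    matched = []
    for ev in events:
        m = match_event(ev)
        if m:
            matched.append((datetime.fromisoformat(ev["ts"]), m))
    matched.sort(key=lambda x: x[0])
    for i, (t0, _) in enumerate(matched):
        group = [m for t, m in matched[i:] if t - t0 <= timedelta(seconds=window_s)]
        if len(group) >= min_hits:
            return {"start": t0.isoformat(), "matches": group}
    return None
```

The threshold matters more than the lists: backup and sql fragments match plenty of legitimate service restarts during patching, so alert on the cluster (five matches in two seconds here), not on any single hit, and tune window_s and min_hits against a week of your own 7036 volume before deploying.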

Extracted

Path

C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\7zkh4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7zkh4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/279D4423218DDEEF 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/279D4423218DDEEF Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: xjqjonNZ4j1ObCKHWP0/x4tcavcLGvLaELp72iFBTMZMV/4HaSm6IWa6fQ2qO1q6 MbBo/K88a9IdN78Gh6dXHSuRVozJRX34GTi/rRsFzTot4fu4EWjApe2Mw3aikxqG GCBKuY/KzSGuVsAJBN8Ryl9b+vNbTjTdBXx7dkSkCmAsK1OG48G7xquycqwmApfz K892oqbEcaeOZncXagD4Ag6pMo16ZT7PzoT1dt0teAhDvbIus28MKTWw89iSK/UF WWxSWthQPjd/2IL26Z7/btLL8G5LW3hucGHJRzR9Px2k2TZglRqBevsDFSkWDuKw 6lzdEG9hpQRgTJTxKUOROWpEOMuxHD4rujf5Qr+J8OuktCfqqk0jlZgSkPaRsZzm Mxj593Or1YIw0zJ+uQ4ErtZRRQ+UcVfZi0Vvv2vjxSPjvj4nDLmxs64p7psceBbk vtcKpi7t8pSaexdXVC2s192bxcb2tbBw+ODnTYNQ1v22b8Ky7wiLee/xuq2plywP 80ORgYykU5OBfp/GOvPNDsgHX2e+PwifGjNlMsOS4B1PXkSNf17I95KKUNBQ4UTC mVOOQyZHIxI8qyciFEBTVRNApayJBipvfcZqQlQmwyJpHkqY0+1oILo0lSthdSxU q4tuIQOUw8wMOpXjX/OOvVIj+plyeLzdhYTfC2VIsazWHDY3fwwFMwaYECUKEkGR dZTBkyw/0pc88P9cB8u2A0KrEih4Lx30/hs4H/JpzeqKqbDQ+aqltGDMfAG6Ag0C GgTno9OIoYzc8IfBKvhb7HrsAubZQAsUHaoS79MhTMJdgbF4Vco0qdOUzofO2z4s XkN8grjDMxMFyJCrIfRvl8e7n5oNlHadE59S3b93Ru8gfSIqlnv9rYzV9bfXvWfJ MeQ3/B+hlHY2ilBnWwG2x1Anhgi1gFIvHawGIqXwxw6lirvDM7Jyukr1D8Em4B3z qLkW3l19mBeAZGrZ+zh2HxCcS/g3T+QoUKaTcBxn0TDoK+gqxl2McIW1IceGKcZH o8fmmRyeVkhJpij0AZNxwE11GKsM4UXxNC9WMBOAfseC1Svw/1uCnRAUHNI7qrdI YjaDM1sD4ICLuqh3WRXD6482rgxqiEJRPJnDejBN4o5QhirFiVeZ+pFclZVaivzS KnBmpDMPV4n1irLBlAhFFJwT8pqdf4AN9hxFROkzUI9aZgEXlgWzVkGxiJqbZfyR Mxqt09Y5c27NDnmkExTi7RhrVFKig4N6fAEyQysUYWk/vDfmrD/RA52GlbpA+5oO LEpBsWeTvIFLgrOYo2TmmOKFW/tu/7HpYiuKmlx4RovwCGD5yu3sPNg0ngKJxhcx sI+RN5hQ/MxHAWO/5bS6xoxpkNBVubMsPZ+rScRr =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! 
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/279D4423218DDEEF

http://decoder.re/279D4423218DDEEF
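The dropped note at C:\Recovery\...\7zkh4-readme.txt is the ransom_template above with {EXT}, {UID} and {KEY} substituted, so triage can run the other way: pull the extension, victim UID, per-victim key blob and both payment URLs back out of any note found on a host, and match note file names against the {EXT}-readme.txt pattern from ransom_oneliner. The block below is an added example, not part of the sandbox report; it embeds a constructed, abridged copy of the template (the placeholder-bearing sentences only, wording unchanged), the real extension, UID and URLs from this run, and a truncated copy of the key blob.

```python
import re

# Constructed abridgement of the page's ransom_template: the placeholder-
# bearing sentences only, in their original order and wording.
TEMPLATE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are "
    "encrypted, and currently unavailable. You can check it: all files on "
    "your system has extension {EXT}. [+] How to get access on website? [+] "
    "b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "b) Open our secondary website: http://decoder.re/{UID} "
    "When you open our website, put the following data in the input form: "
    "Key: {KEY} =========Attention!!!========= Also your private data was "
    "downloaded."
)

# Values the sandbox extracted for this run; the key blob is truncated to its
# first two 64-character groups (the real one runs to over 1,400 characters).
EXT = "7zkh4"
UID = "279D4423218DDEEF"
KEY = ("xjqjonNZ4j1ObCKHWP0/x4tcavcLGvLaELp72iFBTMZMV/4HaSm6IWa6fQ2qO1q6 "
       "MbBo/K88a9IdN78Gh6dXHSuRVozJRX34GTi/rRsFzTot4fu4EWjApe2Mw3aikxqG")


def fill_template(template, ext, uid, key):
    """Render a note the way the sample does: literal placeholder substitution."""
    return template.replace("{EXT}", ext).replace("{UID}", uid).replace("{KEY}", key)


NOTE_RE = re.compile(
    r"has extension (?P<ext>[0-9a-z]{3,10})\."                        # per-victim extension
    r".*?(?P<onion>http://[a-z2-7]{56}\.onion/(?P<uid>[0-9A-F]{16}))"  # v3 onion + victim UID
    r".*?(?P<clearnet>http://decoder\.re/(?P=uid))"                    # clearnet mirror, same UID
    r".*?Key: (?P<key>[A-Za-z0-9+/= ]+?) =+Attention",                 # key blob up to the banner
    re.S,
)


def parse_note(note):
    """Pull EXT, UID, both URLs and the key blob out of a dropped REvil note."""
    m = NOTE_RE.search(note)
    if not m:
        return None
    d = m.groupdict()
    d["key"] = d["key"].strip()
    d["note_name"] = f"{d['ext']}-readme.txt"   # the ransom_oneliner pattern
    return d


NOTE_PATH_RE = re.compile(r"(?:^|[\\/])([0-9a-z]{3,10})-readme\.txt$", re.I)


def find_notes(paths):
    """Filter file paths for '<ext>-readme.txt' drops; a plain readme.txt is ignored."""
    return [p for p in paths if NOTE_PATH_RE.search(p)]
```

Round-tripping the template through fill_template and parse_note is a useful sanity check when a new build changes the note wording: if the regex stops matching the rendered template, the hunt over real notes will miss too. The UID and extension are per-victim values, so they belong in the incident record, not in shared IOC feeds; the onion and decoder.re hosts are the shareable indicators.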

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7562724773496ecb41bfb251d4e80ac9_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\7562724773496ecb41bfb251d4e80ac9_JaffaCakes118.dll
      2⤵
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2628
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2640
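The tree above is the whole infection path: the 64-bit regsvr32 is handed a DLL sitting in the user's Temp directory, re-launches the SysWOW64 copy because the DLL is 32-bit, and that child (PID 3004) does the work the signatures list (drive enumeration, wallpaper change, writes under Program Files), with vssvc.exe started alongside it, consistent with the "Uses Volume Shadow Copy service COM API" signature. The block below is an added example, not from the sandbox: a hunt over constructed Sysmon Event ID 1 records (images, PIDs and command lines copied from this report; parent PIDs, ordering and the benign control row with PID 4100 are invented) that flags regsvr32 registering a DLL from a user-writable path and records whether vssvc.exe appeared afterwards. The x64-to-SysWOW64 relaunch is ordinary Windows behaviour, so the child is deliberately not counted as a second finding.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 (process create) records. Images, PIDs and
# command lines are the ones in this report's process tree; parent PIDs, the
# ordering and the benign control row (pid 4100) are invented for the example.
PROC_EVENTS = [
    {"pid": 2756, "ppid": 1200, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7562724773496ecb41bfb251d4e80ac9_JaffaCakes118.dll"},
    {"pid": 3004, "ppid": 2756, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r"/s C:\Users\Admin\AppData\Local\Temp\7562724773496ecb41bfb251d4e80ac9_JaffaCakes118.dll"},
    {"pid": 2628, "ppid": 600, "image": r"C:\Windows\system32\wbem\unsecapp.exe",
     "cmd": r"C:\Windows\system32\wbem\unsecapp.exe -Embedding"},
    {"pid": 2640, "ppid": 600, "image": r"C:\Windows\system32\vssvc.exe",
     "cmd": r"C:\Windows\system32\vssvc.exe"},
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmd": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
]

# Locations an unprivileged user can write to; a COM server registered from
# one of these is the signal, not regsvr32 itself.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop)\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.I,
)
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)


def dll_from_cmdline(cmd):
    """Return the DLL argument of a regsvr32 command line, quoted or not."""
    m = DLL_ARG.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def flag_regsvr32(events):
    """Flag regsvr32 registering a DLL from a user-writable path.

    The 64-bit regsvr32 re-launches the SysWOW64 copy whenever the DLL is
    32-bit, so a regsvr32 child of regsvr32 is skipped; the DLL location on
    the parent is what matters. Each finding also records whether vssvc.exe
    was created later in the stream, the shadow-copy activity this run shows."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for i, e in enumerate(events):
        if ntpath.basename(e["image"]).lower() != "regsvr32.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent and ntpath.basename(parent["image"]).lower() == "regsvr32.exe":
            continue
        dll = dll_from_cmdline(e["cmd"])
        if not dll or not USER_WRITABLE.search(dll):
            continue
        findings.append({
            "pid": e["pid"],
            "dll": dll,
            "silent": "/s" in e["cmd"].lower().split(),
            "followed_by_vssvc": any(
                ntpath.basename(x["image"]).lower() == "vssvc.exe" for x in events[i + 1:]
            ),
        })
    return findings
```

The /s flag is worth keeping in the finding: installers register COM servers silently too, so it is not an indicator on its own, but combined with a Temp-directory DLL and a vssvc.exe start it is the shape of this report. Expect the control row (vendor DLL under Program Files) to stay quiet.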

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\7zkh4-readme.txt

    Filesize

    7KB

    MD5

    12b231b55618d86995115d1a0a8bc1db

    SHA1

    bc0f8779f390a891b768ce1c89dacca80c23385f

    SHA256

    2f913187306779dff87a025216ac25c06ec8f4b71ba71976c6e7f5160cab9eaf

    SHA512

    f89baf69301395d52b18f3b5da0927ee0cade11f1b610dcfd4643019e8b6c14bd1fdfa33d227b7f847c0b568543e3290a6844ba473747407619843e16a96d20a

  • memory/3004-0-0x0000000000408000-0x000000000040A000-memory.dmp

    Filesize

    8KB

  • memory/3004-1-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/3004-489-0x0000000000408000-0x000000000040A000-memory.dmp

    Filesize

    8KB

  • memory/3004-502-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

  • memory/3004-503-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB