Analysis

  • max time kernel
    134s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-07-2024 19:23

General

  • Target

    7562724773496ecb41bfb251d4e80ac9_JaffaCakes118.dll

  • Size

    238KB

  • MD5

    7562724773496ecb41bfb251d4e80ac9

  • SHA1

    7c0eb4553c962153b63bd56df108cf607c31fdd7

  • SHA256

    304925750c2c72dfce65780bc6b2383b3d9129683efdeb9fd9eb45441d6ff234

  • SHA512

    30a345b02e7d08382443df8b987253b9c4fd9e029dd070605190bcf66a26bf9b8e835d373048c8847af1678b9d35375b35ac491605344db774cfabd41ba529f3

  • SSDEEP

    6144:52nRR7hBiHDzNQKCQiNs8YvMfmznqKa3UxnJvLE2BOWOqANTwmOD:IUviNssOzn+3ITE2vqkf

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$RO.LCr6jdP9VjRAMxCJY3ejtqThl60/x5fKwpmZd.2YvkbcNCIITS

Campaign

6825

Decoy

rocketccw.com

nhadatcanho247.com

xn--thucmctc-13a1357egba.com

mylolis.com

phantastyk.com

haremnick.com

vibethink.net

manutouchmassage.com

patrickfoundation.net

jenniferandersonwriter.com

deoudedorpskernnoordwijk.nl

gporf.fr

cleliaekiko.online

handi-jack-llc.com

bunburyfreightservices.com.au

lenreactiv-shop.ru

fatfreezingmachines.com

rerekatu.com

otsu-bon.com

arteservicefabbro.com

Attributes

  • net

    false

  • pid

    $2a$10$RO.LCr6jdP9VjRAMxCJY3ejtqThl60/x5fKwpmZd.2YvkbcNCIITS

  • prc

    ocomm

    thunderbird

    tbirdconfig

    encsvc

    isqlplussvc

    agntsvc

    mydesktopservice

    wordpad

    winword

    visio

    dbeng50

    onenote

    sqbcoreservice

    firefox

    oracle

    mydesktopqos

    outlook

    ocautoupds

    infopath

    dbsnmp

    mspub

    ocssd

    powerpnt

    xfssvccon

    thebat

    msaccess

    synctime

    sql

    excel

    steam

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decoder.re/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    =========Attention!!!=========
    Also your private data was downloaded. We will publish it in case you will not get in touch with us asap.
    ==============================
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    6825

  • svc

    sophos

    mepocs

    backup

    veeam

    svc$

    vss

    sql

    memtas

Extracted

Path

C:\Users\Admin\s8y85509p-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension s8y85509p. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2499497BAA213718
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decoder.re/2499497BAA213718
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: zNxWoZxodMpiZcjNeTPcBbzvbZfeWJt3+XWW2KHNl197c3xdEcb1TlWnpdiNUDLu uDzAQSnWPZ8bYVWBnj9MFWKiCVbtvlziVwfx7uQZnu9V4uJ5dfhpstOEKJszrJyU OwBMv8jOEb4l28C2aRFQ81kQ64CgnE8DpEvFMIgSYmSa+AARBY+ESmOjiR/Gf+sj xd8rAg6TCVlyO33upd+tD2z0IWP2t33qdfOlrhtERsemf9IBOEX9nlcMhyMYXDLc vizIv9k2aUMle/OkIIsOAOkUI7KBfCFeqdiKockpwJxfRLOI+sA95mKiyUPRCAM8 a5ir8wl4nF9rhFzvHd7+6AZpfKPoXHuZs4zdCU5LU6+TkkrDCaTjaa5W+jcpJuq7 u53XgzTPOKGSvl4dvZkuuL8uRq9ATxwoDWOzTOYqJmel59/ubTgObCQPpQe7+ydT cKHNVHuvN7//zQzULhucgA+Be8gffZ845OA8p6sWiLyE6QJG9kVOw3pgwJsn197G BfMCEkhOCXcFWcya7xrZKVFU9QjDlyvJtf+4m0jxo7zwtvY7TSnBK/s2WtBWwb1F ZDouYR5QCdV8+O5JIhFN/01zVv6RhQJLUDfHcTH6vFf7mpADjorCyppSyjxlWQ1W z0VCnv+aBd0W7aZxAHevsO6PCfvgBq5BdRuk1+I5jVhdEVjubjNe7vS+1HPKekam 8AJqZgEx4Qxmrdzp3DH088smgWPmMVC/qwF5NZK0+9pQ/gWr+F2wRqTsZJa1Cxjn 9dylE1/93tyl/WdaYH+/DutYyMbiEO3mzV4JwzKtrsW3kfXt/oSMpKKYUqv9q6eT ivRDb3GBYH6wIqtSgqc+wjCemUDuOcVAITQBV0sL6H31ZDVx6EBaDIiW53qqMVIw 5zNIcf2Nq/rHSukoS5GC87IBUB0as7BfBhNwNQCgxmoNNrV06JgDkv5MwNsNamAc c8qPdR1qRthGL3lZV21iDf4jadL78QbRy3dSaUPB2N73+49d8SzrDgWdSJeBX5ID 4xOCVjJiOl/DH4XWujDIq5/YvO4mmRGdmrZmFtXXdIgT1dzeEbGMJbNoRGTMiJE8 hb/M2VqdEAblGBldZNdeHzRTUCWJgrXhWva0S87GoiC4OKGoMwQ3XTm0zDYV6x0v +IDSoJvQn2knNcXgFb0PuJTqhAiQqWO1JcT72Fx4l3isEavv3PSBBXdjLOyA/uV9 ojb7GSJ8dUJG289G8irp032Wdcbi17Hl5LsW7zd2gE8fjMU7A4xAR9J6OwHUNBi9 CpgtdpshzbqxPSS7/9Rm2w1C6V6LNKD0eUJi1VrVBPxqGcfZPcw9kGeSbfkazGGI a51NL4iZ0TgvYuuRXNnqAMuEh4yDnIpxGREHA2EzH73lAriysQUyPUXv3qk= =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! 
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2499497BAA213718

http://decoder.re/2499497BAA213718

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7562724773496ecb41bfb251d4e80ac9_JaffaCakes118.dll
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\7562724773496ecb41bfb251d4e80ac9_JaffaCakes118.dll
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2416
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:1672
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:4656

Downloads

    • C:\Users\Admin\s8y85509p-readme.txt

      Filesize

      7KB

      MD5

      5bdb59d912023375563a4780d4650410

      SHA1

      a7f73fdddaa0a82fed7e60aba347de5855089115

      SHA256

      3393f4161de976e2144f9e60fa968a820ead155b13d6728b3e5d06f4cb0e8276

      SHA512

      bade9a7ba2b4086e6b1bf773c2553a09cf974d4eae6c8b5e6f84695c37389d6e8d843e04e062b1531596d509fa58deafac7fe0f5a05e2a9aa4a56be304d5e4ca

    • memory/2416-0-0x0000000000408000-0x000000000040A000-memory.dmp

      Filesize

      8KB

    • memory/2416-1-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/2416-108-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/2416-467-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/2416-468-0x0000000000408000-0x000000000040A000-memory.dmp

      Filesize

      8KB

    • memory/2416-473-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB