Resubmissions

07-08-2024 18:16

240807-wwjlqs1hjm 10

07-08-2024 18:14

240807-wvf48a1grn 10

28-05-2024 08:02

240528-jxc45abh5s 10

Analysis

  • max time kernel
    65s
  • max time network
    55s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    07-08-2024 18:14

General

  • Target

    7c421ca94c441a4b74d364f952f8739c_JaffaCakes118.dll

  • Size

    166KB

  • MD5

    7c421ca94c441a4b74d364f952f8739c

  • SHA1

    e5de78ae8db1aa78e00c1fa1eb5687cd1519843c

  • SHA256

    7afc7a311740da58cb0b7d6c43e28b1ddb6fce9c67614e74902e552b330287b0

  • SHA512

    0eb45486ab306562c267eba5eae7f1b8d6d551b83603d136865c2e1c7c90abb0067effc4a358649846dc89ef37ad9ff266922223f318a631d3f457792f1df4d2

  • SSDEEP

    3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3QDhqtUczTajkz+XHUU:NJ0BXScFyfC3Hd4ygV6oPHU

Malware Config

Extracted

Path

C:\Users\nn1hpz4i-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension nn1hpz4i. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E566B346953727E2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/E566B346953727E2 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: yj0sKpQ5wvBr0/pOB1Nn3AliNy+0Yi4lWglGf3+LAmiCxapuoemcFLJtKTx9a3Zv ny0Rmrw942HSZIC913WHfcZRY8Zk02cnvGmwgJUmqQKntTHSFc9jnmdqKbuMtszV k5P2Fw8OmUUdD9oiqjQ7QnmiNZlU1ISXUfhiUR54qe4TyAk7FBbj7gNL6wPVgKIV NPYj/Jq2RUsgx0VJnZWYKEBxnilf+jcxvJIdpCvidvRkqmh6izVFDacTX81YtLvq iMPvePgAMGDoRNMyVj7FXzvf3c5rEp009hOzErOK628bnMBbHZdDT/LDpLGzJMBp UP97RytPePDdlRJc+2TZ5hAOlLRayqWeXDgWrBt/X/gKGaEfC+OIy2pqgvcFuxXZ pt3AljkbJ5jtcA/168E8By9bBOFXdZDBV+Cvl26L29nCJJVX3ggKvYihAmC/UTao tgHCk72iuYDvyPsy5s+megtaaaM9lGY00nKoMptX/6DUQxkZDRBUNPB71H5hU4MQ WtE9GOQZN7P9DbsqYvcf/T97JiD93CQFNIikBVfCOmeoQyPDNmF0mHlCnNcfRil8 dlIk6Q0UN6z7Rm9Z0jhOF957RCbr4C12W20F1pOa7GSuB950AU9eeWLdoSCDfWM4 K/7Rd9LSMEoo18mqVXdUrItLUngco5rDYpP4aTkllcQPDHunqKS6ihlwu1Q2kowP B5LWRTSikhPKwndrZJkJHT80uwYUjgeCNCM0dv2HHrnpD0ISeU3nFMf6Y3QlSObV Mb6YYdEi36rNotDUOVpNtKHqgqnyuROQ2/WMDUVaooe4cN4Qg/3A+HbC+Ev8BEF3 gZg0cg9mrRCNxwot3lLgNGf+4aDUyWE7E5CMLZ4UEwmFMZA754wDd8MunECdQe7z lR2Sj2polACaA/BNYA3zTCmmXPOeKhzscOqYG41F9/1o8p/PpBetQEos+sRD+RHs HX2IYFC/oEDhUhnLp5oSBapxsQnJQfg8AppT04FY5N6TFbnmgH9a3l0Db/Pm4oGM lOeJ43oVHl3GYMLVpV3UM3brXFGY/qdE78mwTEs1gwOO0yDp2OG59Pdk8hynUIef EjqjE5DlijG55KScTGodTMNRlQjXUjidjjwfHqocG/n2TS99cF2Jsf7rEEog3x1g x9QGyij3d6UXwUWNYdBRLSASrpqSRZBVp2q82FAMxjcelPItWExEDcIHFm4Dav+V zUKE4GzOXJm+DF+WnlwIBpA0BkXe6BAAP8DXth+FJ4NM7HCGntswA5exoxwCtQWK KlAD5cctkFbiV+LDUKESdp1ZDjNMSInVeu7jZMACxqaDnjnJoTeNpfpANRZEKW7n k5jq/W8COUz2AYXWlhDDhXWD/nIxIDH05v5Nt3lhJgTAJ/u4M1WGT/42 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E566B346953727E2

http://decryptor.cc/E566B346953727E2

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 30 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c421ca94c441a4b74d364f952f8739c_JaffaCakes118.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c421ca94c441a4b74d364f952f8739c_JaffaCakes118.dll,#1
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2884
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:3228
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:1496
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    • Suspicious use of WriteProcessMemory
    PID:5356
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5444
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1848 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd905745-5462-4c63-8e8b-75631c9afcc7} 5444 "\\.\pipe\gecko-crash-server-pipe.5444" gpu
        PID:5608
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2332 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89017deb-7331-4699-83d3-9d5be2ecbf88} 5444 "\\.\pipe\gecko-crash-server-pipe.5444" socket
        • Checks processor information in registry
        PID:5668
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3288 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec0fb333-de96-43d7-a5e8-596653194aab} 5444 "\\.\pipe\gecko-crash-server-pipe.5444" tab
        PID:6016
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3532 -childID 2 -isForBrowser -prefsHandle 3524 -prefMapHandle 3520 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {067155e7-3f24-482b-8f09-1fd77e90b8e9} 5444 "\\.\pipe\gecko-crash-server-pipe.5444" tab
        PID:4080
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1608 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4524 -prefMapHandle 4520 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac0f1fa4-e7e1-44e6-8bb8-cfacaf61591d} 5444 "\\.\pipe\gecko-crash-server-pipe.5444" utility
        • Checks processor information in registry
        PID:2760
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5324 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f70032d4-818d-4ada-8208-0daa9b1e8729} 5444 "\\.\pipe\gecko-crash-server-pipe.5444" tab
        PID:2084
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -childID 4 -isForBrowser -prefsHandle 5480 -prefMapHandle 5484 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e9541fd-05e5-4e06-881a-a68a4e6ff831} 5444 "\\.\pipe\gecko-crash-server-pipe.5444" tab
        PID:2184
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5664 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b2f3790-14fe-4c98-a9b0-e6e4542b8f47} 5444 "\\.\pipe\gecko-crash-server-pipe.5444" tab
        PID:2016
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1512

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 18KB
    MD5: 7374a48dbb22600ec8cd353e084507a0
    SHA1: 3198c6161fb70c2a3537a0acbd8733605d2d0202
    SHA256: d2afd515e652b91b31b02822e229e003fad3b67883b1801c781999cd6b1e976d
    SHA512: 44ba623ee286e954e4f3f7508caad791b22db7ed2c4ee607704a901a687e542b60b2bb998cf6858d3966bacd3c5b52709531d2fceac16647abba8270c4728e30

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rpokmht5.qvy.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 6KB
    MD5: 73e65616500f4457bfd4ee4455218388
    SHA1: 978b6a52229a8abcdd605f717634bd6a038f4e54
    SHA256: 6d58e8b644b2260c8c2383200cd97736a1ef8060faffd13f9997a0c68a1e8723
    SHA512: 886e1ec8069c5be21587576e4e1c932b64f5e2cad92675b96063b4977ed8ddc1ba4d837f4470d5ee04d81ffc4c30efdc068f556bd169362543f267c041b0b1cd

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 5KB
    MD5: 5d42ccf647e1bff6b6e41db9f220af7e
    SHA1: ef16fcf617498dad6d68f310783b135d1da4a848
    SHA256: 3e8aa594b1d47743ee5075b5cf5490aa83477384366e18ff7ae6bd674fb94d56
    SHA512: dc0a9cfbad5e7cd6a1977a5cfa6724301eaa451670bb3a597671cc628bdbb713560dd222359a3f52e9a3200e4496f64113bfd625b07c26b2b81598a0d297b088

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 6KB
    MD5: 612a3adff39efa0c42f4309ab8f7ebd2
    SHA1: e47ef6c1e0566e0d80a8bb45d6b7b44e24daabbb
    SHA256: 95760adcb7828fd597e5f8dcb676381957efc3225b9cb25c169d200b762ef620
    SHA512: d21f3db84665e436257abf0fa897d22c4d016e022fd3493b3aef573bd53457af4ae21067d9f0e9961cf9297bcfb05f610a4c2e597da457165f0967a7630c53f0

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\0230ff37-3fa4-4a58-b171-f28ca9891827
    Filesize: 671B
    MD5: 933694e1562e043eb43896c434a331c4
    SHA1: 3b35db7be2a0c3462384487b092650f7b1c7bf0c
    SHA256: 88c0019c871f3c6a2a3dab687d41b7370d71ad64c294ad303a2fb88ff26e77a5
    SHA512: 1b4976c6200a943600b9c33c5d8d1f9313feaf9b9051ae565902824484691ecfc3300b87a706b97b983f5e10d003d18eea50cebc0aff165155ae4c04ee1a6ee9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\278a99b4-ab5f-4541-8f1b-11a26fb3fa28
    Filesize: 982B
    MD5: e15510b24ef504e7ebffa8ce71f7154a
    SHA1: 4fe7ea3b480205abadc88dcfe87706af69141a10
    SHA256: 1ce668148f79e32bfa4a6ad99284614b1c7569a398e6b79c225afcab3e762dac
    SHA512: f19000d09dc0d356fd99e9a95ed7283893136164b4b0fdf19aae79d20b3c5d8727dc4eeaa60fe384b1d3f366d7a91daeb8a21338903ac599abf4d2e6acf4b68b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\98b6cb31-ea92-4549-8ed0-c42273933347
    Filesize: 26KB
    MD5: ad43e8070e0ed10ae7afaf48ddfbb9da
    SHA1: 4c304159035a6b6a57ac06e89b87cfcfbf09a090
    SHA256: 0c3c61eb9743073e915de038d23bec40e5c03235377148327e76b177b1daca87
    SHA512: 90eadb7c69ef8a7544c4fe8ff052985a3fd260f78f895858235481c836799e796f02d952643fcc7984db43786b3b506a005f8a92bd1fd752910cb643a7f186f9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js
    Filesize: 10KB
    MD5: e425cd3b32425ace57d00646ba733fb5
    SHA1: 268db713d4db7890eddad923a3573ffcbec2ee92
    SHA256: e08663dbe9d468007478749ea1b8f38b13835c6502f7b86c1f3ffa636b4cd295
    SHA512: 1a898ace31fd80accd3524a9f0f7dae9c28f13b7f3b5723f9c54303f24f5dd8423315abe12cb0be7e8be604be09e8634e24cd45d7931dd62ca3e8db7fd5b69e7

  • C:\Users\nn1hpz4i-readme.txt
    Filesize: 6KB
    MD5: ccb8798c52f41e8085567e5b2de2acfb
    SHA1: 30ac2b595a752f79c183ea3e4b99c70d1d30684f
    SHA256: d2017fc22455424f395e4a142fd0673212d6433a8161ae07ab70d6972eecf995
    SHA512: 9dfa6f50971fbd157d6827903ea1eeb576542869e87038529cec865fc9dee619674ec1879edb4f9aa4b0eb50e83bf11e5469d516468e9b6b108b086a260004db

  • memory/2884-11-0x00007FF944ED0000-0x00007FF945992000-memory.dmp
    Filesize: 10.8MB

  • memory/2884-12-0x00007FF944ED0000-0x00007FF945992000-memory.dmp
    Filesize: 10.8MB

  • memory/2884-15-0x00007FF944ED0000-0x00007FF945992000-memory.dmp
    Filesize: 10.8MB

  • memory/2884-9-0x000001E359E50000-0x000001E359E72000-memory.dmp
    Filesize: 136KB

  • memory/2884-0-0x00007FF944ED3000-0x00007FF944ED5000-memory.dmp
    Filesize: 8KB

  • memory/2884-10-0x00007FF944ED0000-0x00007FF945992000-memory.dmp
    Filesize: 10.8MB