Overview

overview

10

Static

static

10

c1fcb12f4b...18.exe

windows7-x64

10

c1fcb12f4b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    26-08-2024 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1fcb12f4bd35ee741098773f58cb31a_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    c1fcb12f4bd35ee741098773f58cb31a

  • SHA1

    894be87aa90dd634125497f8b8b5e784be1c385f

  • SHA256

    8790c52ea21760fde53f3e8003cd23f896c8c7b12ccdf212a615eece41aa5b97

  • SHA512

    b67a51c7780d72c5957d4379f6887c10337017979dbd847fa49ceff9100450b2e010974051873dc3675502d249ad4189f7a4f7d89953d297493b5017b4af7ca8

  • SSDEEP

    1536:bs2B7p26CaItF5gNHhKWluLpWmRHICS4AH3o/qTneyW7ZZOBml2uBbKbxoVgAy6B:9fg0NBlu9CNTed7/kBazzFbULREgMT

Score
10/10
sodinokibidefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Extracted

Path

C:\Recovery\how to decrypt h3lp55538-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension h3lp55538. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/408C73ED4C715AAE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/408C73ED4C715AAE Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: s7qVukksxq0VBWfWJkyenb3mVzEM4pHeY6lvct1iLcFAuPciDpk+X0crtsL6gkUO SKQ1/fp/m6H/uMI7/1qZpCieRbb4GEABvgLrIVTMt6hb05dPSbAyEnBTOZvosT3T aOA1YWi/1SWdUum0O03rEm+y+XLt4d3BffeekMVOALH6SKZpYwjIRYIukFl3/bEt CybjpCQBXy2RQ1cKT9k3DJbD9HJKM3jJXIpsZU8qg+i6Vvuq3wy8ImyM4Mpq//Bx 4zfXwM6YPH4dBiqvtAdR5t9HF8X8PDvnQNyrGx0i/9SGBqouKSL+KJ8Q5VVw24Sw +PkcilPguhWg+QHmCJrEtsVEelBUTd0xlaLVEfdrDmeW1SYl7KwLMX+9yILOUXAR C3avbfYsirxV3vIQJ1MVxwwNekHhwRLjv1+5R+KARpPCDjZrL94kEREEVU3yV+Mx zOUWa0i3mD8LavxpSvxVYbeGz83yfAM7xW9tnzLTZ/7L2HjNgXa4q9ADTibA7HD2 G+TcEtKV2J5WitxwA6va8bY3JI96i7rjSLUupuW2kuWncAwl09bI/Dbfrm96tKyy 6i0Pm3b5H5KLs3+z8sJcUcJ2LCQk+o2HtwbvAhlMebyG+gvykO2F+MfU87cC3eKh 1xPlvyL46m3G9k1YEGXXaffY2oa/+nUVKiiczzyuFKrrldCEQ6zp8llSXTN4zRgw TSeF7Oh7XU0jOd1gARr5B4Sq3wxifR45foqGKWGEzMfbXm+wf66D77hZjZPXjeLC dx38/CcFgl5yEnmARh4iV0WOPCQkiqGCp9RGcN8J/+9tK/c8LOrDrfRrYZpzMnFI Pne7FJ/kTsORBTOPWRSSe1PWI4K5C1L6pY9yf4eHtqborj3HRs9b32yY5tAmsLwU 1aNH9Lg/1XXPZ4qVCwLKMqTzezuri0EO5L65zmeQasypcBnx8DJU+DArhoTan4MK EhRuXHoY68XBGZiYB6uR46psit1EOssUDjgzfd64tmm3ogHKXinV+g+8jveUmQ/9 JZV+9Fr8m5T/LjDxQYBEmImcuuRij0GlF4X0oV9icZHEvcqM5b4IGoEdZscX7hb0 mGRtdKSP/DFS4x/OFMx+wJEh2uBRbjd0/oMRXSwtmgXvCGHHtsx8OybJgu5vEXLG R6kClBRRbE3Y655cJEuqIEuyEGziX9GdgIGdbr7tDWgV0oRhGw/ZALDFzUHpfnpQ OfCeGoOz+PHeOAJGayf05NYe Extension name: h3lp55538 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/408C73ED4C715AAE

http://decryptor.top/408C73ED4C715AAE

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1fcb12f4bd35ee741098773f58cb31a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c1fcb12f4bd35ee741098773f58cb31a_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:1520
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2148
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1232

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\how to decrypt h3lp55538-readme.txt
      Filesize

      6KB

      MD5

      238012dd97234c4c30614792c9ef0883

      SHA1

      36ad812ecda4d73fe3c3e5111566500ded4286e7

      SHA256

      8844998d6883e7e04e28b6555e9da26e389f777e371cd724f5683f5d7f4ea60b

      SHA512

      b8da3a5a6ff3cba5fbf6933ad3130066b0585731b46882e7f981949a52960302687e1bff318416d022190838db073efa633b5ecf6937741a205c648fea959e54

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab9668.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar969A.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      191KB

      MD5

      32b38b405356e5b5b0bcee10b2093cbd

      SHA1

      a59bd68f29b6f2a3041fddd0350acbd6caaee99e

      SHA256

      12254f0636ec860f84fa15160a66c9a2b5b42fd25e1f491ca927ba4e2aaa17e2

      SHA512

      ee3b2497cad0ee12db3f20efb2306a78740dc7fe91bc760d9143f1b20fa12757ce3118bc5e4ac9995c9c0043b8756ee502e93be358f74990bb16239fdb819810

      Download Submit