Overview

overview

10

Static

static

10

c9c6939cb4...18.exe

windows7-x64

10

c9c6939cb4...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29-08-2024 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    c9c6939cb45bfd22d3b57537839a11ee

  • SHA1

    9ed92175bc2fa9d0e501f9215723a3cf2515b2b0

  • SHA256

    4478337abc2ec1030756e991d7d4633ad1c99574cba2ee34428cbd67f1e50f18

  • SHA512

    ca8ae5c7a96b580aa1b130b543fc82764d09028c0a8ed8ad0a0bb7b0fa891d8f3bdd307868dfb39625af3bbc5818f2d23747d5cc73859df4ecb0443eb4f23dd2

  • SSDEEP

    1536:FYVLroT4ciMeW75jVZF+pWGRjICS4At+GbvF0qcX8opz25maL3SUtNDWyPwop6in:FHixaVZFiOCDJtOicNDWEzZtaobOsB

Score
10/10
sodinokibidiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\Recovery\mfmlw_Wannadie.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension mfmlw. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7EBEC4F643D8397C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/7EBEC4F643D8397C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ugVGUq5UdVKSP9LjAHQ7k5fVMgFyeXeuxFVXTIRhEu1vRW6BFLLGgNV/dc9gMiCF /du7X/JxmRKcHRzsGojTU+dXyIJ3eQJKEcBKA+c6LWWB7oVvGlk94JlqVErK2+k4 U0NbMj5I3WxsTeSKb1RfecMx647Kj/Rp56SWKUVVDRX62rnGJNAL2JqkJ9pKCRjR skOVBMtQUhCd7lrJQFMlA5rSmz9RGLmQDwnm4sWBNM8+wLtY0C1JgBdUkNdlOrSb 1HghL79a1LP5eLZjBtW5Uqb8kIpjokT/dE1JGD64cnxvGOtDIU/c76vY3+r+kFAJ ARZOrUzCXwbcm24xmw25gZy27F3NxrhoqG2NS5oCq6GDVEd53eYBf1v5WntfBTnp DdgO6qkkwEkiPwAqVJLjJjzlsyG16duu9Jyl1dNlHgtzr/ocHWh/G0PiOhV0mYQk T0bG1g2Sxd62t3AUYohgOcUg0n4iDrZw9/TnsY6A0iRuhfliLKqAoXgGANWXMhl7 Z5PSB6gIAdzFfRRB79+3QggUfyp3gsVbOg0BdOp7zR7qibSpGRKNWsFUK+4V4pG5 nOLIJMNLODbbUDpzuD3w81hdMb+Gm3Jf6YLQIZxEGs3oVOqETpBiG54ZGSXGpQjg dxTl+pE9Meua9xQKK1ABJo6WfndqKiMZadbX13r9g7uzw7sExesLai9CfDGIyJYj xJAOqfnEgAhIhbHlvb0W7VvlEw3vJaQZK8Scovv7Mf5S3XjX3cYVNOxwYEm6PDbg ngVGvUuzz0QRM7a60wfUlimfU8FFLKQLrSY+CXb0mszm9ZcjbfIrpi3vY2YNEXSB wMW1LcUkV+C+K3YGyAe9ZL0I4K4xFVmq8l4SHA54njnWXi4ppf9tNEQcDYx7/bF7 /+xDBI9Uy+gW3YzsBTk0VZLF9iSfIU0K2dJlWTmRrvbv+x9Ru1uhWUvTT6F49y5t j+oIWyx2HTocfE9GC3E+4UGD4j2yl0dwNiNuJGxLbiyIp9c6Iw5HC1wCXNbPyBe7 1y3iwfabtEY0UBUF6a9FYyl49e00YC+4twlYXlIRFZJo3SIz1t1/BjDyF8Zk8eXG rf82+gG5vR+JOBU+Wl7e+nAJ20Z9LE9xVFO7U9NkOhDvCxy/PEGgLksEQEKWLu/N /GIxfSPaKjpNSX5G889AkxOLQiFoHiROSwC3+nHgr9ByXjQp+HcLu/uJJJztumY6 WTFVdXV8MzWtSQ== Extension name: mfmlw ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7EBEC4F643D8397C

http://decryptor.top/7EBEC4F643D8397C

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2616
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2504

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\mfmlw_Wannadie.txt
      Filesize

      6KB

      MD5

      282a656d69ba7db533a09b2cffabd6a7

      SHA1

      9844d6f3019167be297b9a4d5ae6dec530513f45

      SHA256

      57280615ae8fb5c9aca4f30b454c0c2109ce55d2e51dd0a3b4bc4dde7466d863

      SHA512

      17a94756a12bc2ae953ccc251f56873b846943b9bc84b2c26f02fac81e90684271933b8464ecf45da71e23d407fcec9909ab1108df0bf8f6bf8c38729de306be

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab1A56.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar1A78.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Windows\System32\catroot2\dberr.txt
      Filesize

      191KB

      MD5

      06c46943106c3f7600d5e6d0f6830a2d

      SHA1

      1461451a805c1098524d8f6d425d99677de2edb5

      SHA256

      928739f9dc5b94311dada30a4010504bb6a30a8f3940662330437cef95c6bf46

      SHA512

      aa2e497c36c6b6089a34bf4c8cb073a1aecda488c6193f499a0fc437406a4fcf0d00a078c76ff2a763889395535c7e17e49fcbdb0c91732a8a24253731360b88

      Download Submit

    • memory/2656-6-0x0000000002290000-0x0000000002298000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2656-10-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2656-9-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2656-11-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2656-12-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2656-8-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2656-4-0x000007FEF662E000-0x000007FEF662F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2656-7-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2656-5-0x000000001B5A0000-0x000000001B882000-memory.dmp

      Filesize

      2.9MB

      Download