Analysis

  • max time kernel
    134s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/09/2024, 09:21

General

  • Target

    cf36089d8aada316b4188e74ae11dc58_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    cf36089d8aada316b4188e74ae11dc58

  • SHA1

    89270cd7f54b8d386b2a952ff71a934588035da7

  • SHA256

    a27a783e16fda91874b4885fd874c0018b82dec16061d15d8c701b61541d9d86

  • SHA512

    ac6ac6a919cd18b4d0fa7af95b69d180bef5b5aba65a93752bf637465082c00bf74239c5aa41396ed6df2a0a6215ba86d71e1bacd5a05dbd1c89b9a7f458a9c3

  • SSDEEP

    1536:FYVLroT4ciMeW75jVZF+pWGRjICS4At+GbvF0qcX8opz25maL3SUtNDWyPwop6iM:FHixaVZFiOCDJtOicNDWEzZDVrNgB

Malware Config

Extracted

Path

C:\Recovery\how to decrypt x460y8q9z-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension x460y8q9z.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FF05FAD77271711F

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/FF05FAD77271711F

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key:

K8egcESDQiTHhXu16ResImK9PPwwmJ4mDPC17J17BbErrEmuzSMhigUlhF2XO6VT
Olx1bTQAHV0vafF0GbePgzJ3eIin9E4Lq/javxsz1o8qGiNWcKbmccrLlpvmekNS
90w/Xf8xA7bI95YqS/6FEU/4UdhKbBCZMD6BGDplxUcKOkXM1gzhqwngZ2NcnNAj
TCywbriDC+/+5Qly5blUKOjzMndWcmfOkJ5u4UN43Est4DjCMvxx0iIHLGOdJE84
nJVU6O03Lcs/vxD5rkV7dLqo/DfoHz+8ztRBLKCGVIXSCMawTleQuhQA30ZKGEVP
StnIqcqhcj4TK8I6XQIp+bJ64DPHAGZBhYDmAb5bsFk5fscFIg9jLHf+JfZ01+uL
5TrRHQs9xzviHECW8svhrtQM006GbiLzzSg1U+AzKrJD/FFLJOeYgki8niw24Cdl
mlH+kLndiG44m5TZ87uhf7mHcHKylfWL0OX+RD+ELSjWNvU9QpORvJJ2AxsveuQX
zGNchaU3aN6hjyl6FfeW5L4RhPmPtmD2uGxdF+Ca/ARa1LGAgmzYsh2eqYh3sE+l
6PZ96LVz3EG5JDgmiLJCiji0AbJZWtoqRDINLMV7orNOFxccm4XjTGDjfDH84IvK
6ScEqiQ/82yS9/5q0pl1J8UU0l5d8aGL/QGTlrBfSOllNGeDlCFfP5Jbw2wrXhUd
JLYiy4RW09pMGNW/KiljW2510ioRNTESUiyxntQbw77dTL2m/QwiiGf65hxb5Q2b
fBEfxJ82WedSWI3PPGzh6z9RhyK7szJ5fW3vSb8hkqnbpqYLhuPIuMwXTI566riH
lTAf0y1XCPin1/bwSKsnaLP/7dT4D4EMqnZOm9nsdKuuy/m8dZ1BksRYYoSqzw0m
/YLlD7WbiVSi8ETPw7J0vfc3ks8oeWv3BjfmDu00UMr7OSZMHFDB0zLSXl742TQd
4x/5OUz9bLRl1eSKWCM0ciB2OL0H+Vs0efg2ur/UfkkNp4SEcR3UHCZbeYmpp0np
TU8wMZsUZe/Hm9nHkbHsycqucU7qpC/J5wFPisHVKKcvs9j8Hr7CN4sDnjiltYH+
FgmRT3rWMjjWudVPVpoAfq5bV2LB8bTU8rWE5qpXb5uqcX5ORsOGHR5pcwi7nOup
lUukf0LNAPNi4vIxGCBrOfYgxIOdZGbHHTm35p70DeHhM66pCAR2w/FqRPC9bBiD
A4jNN5wk3Tyey5v3UNE3uewN

Extension name: x460y8q9z

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FF05FAD77271711F

http://decryptor.top/FF05FAD77271711F

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 29 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf36089d8aada316b4188e74ae11dc58_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cf36089d8aada316b4188e74ae11dc58_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1600
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2544

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Recovery\how to decrypt x460y8q9z-readme.txt

      Filesize

      6KB

      MD5

      7ebaf6526ee903b2d106697486d2046f

      SHA1

      ae35df61fbc33a4311daf5b75b26701f04199006

      SHA256

      1b189b7948b0643467f1ebafa04c9920515d2c21c8561246c2ae703eae7ac577

      SHA512

      25c4edad5f5bd8a0da3bd9317918ed084c31a75fdf4be85319a078bddeb39ff4bb4e96c1d7eab2b01cfd412afdc08ef11cd918ec19180adaf54bd1b19b199a09

    • C:\Users\Admin\AppData\Local\Temp\Cab7BB7.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar7BCA.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      191KB

      MD5

      3e87eba63db525ab9ea5648157110db6

      SHA1

      84f8339132e34a03f4f809559c927b81afbd7c0f

      SHA256

      691521d12463ef3e4cbb4af59e8a773e2145bd4f4a873f776657a917d978ce6f

      SHA512

      338b6d9d7750e3f95a7da9d3043668c26882208fe6db71f9c5025be412f4b108d0be1c6e3361cd2c631744566655475a062cbb3ca14b2188a1c70ff5c0e011a1

    • memory/2784-4-0x000007FEF64EE000-0x000007FEF64EF000-memory.dmp

      Filesize

      4KB

    • memory/2784-5-0x000000001B630000-0x000000001B912000-memory.dmp

      Filesize

      2.9MB

    • memory/2784-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

      Filesize

      32KB

    • memory/2784-7-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB

    • memory/2784-8-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB

    • memory/2784-9-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB

    • memory/2784-10-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB