Analysis

  • max time kernel
    134s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-09-2024 17:40

General

  • Target

    d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe

  • Size

    179KB

  • MD5

    d0190f94e6d05104977c53b55dbc2911

  • SHA1

    c0ff002b0e26b180a741c3cefff15190df7746cc

  • SHA256

    f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69

  • SHA512

    d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868

  • SSDEEP

    3072:LNKQ4JTBg0Q8F63VETed7/kBazzFbULpC15RM:LNn4FQS63VE6F/M4qE15

Malware Config

Extracted

Path

C:\Users\9jc5qld80-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 9jc5qld80.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1757521EA40659C9

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/1757521EA40659C9

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key:
zdHPXbdB8l4Qdu1QaoXDCFEbWJWtfCCE6VNx2jwxwjvyg9bgG7OM2EvjCFj2RJxN Is254dkumEwtChzOjNfAQLEHDDw3GFFVcJ1hqsZLCVLzro9xt825MC79lIEE3mBZ KFBmRjkm1Hi5fcGMQgj4Ky9p2XZ1TzfKQifoOomYPU7v6NdFyvkT+MxqFo1oNo+v 8yzqeMxd1+rX4t540IUsaN4Peb9pAvwaiDy0zdEXh1kw9FPQc5n7ce3dN+3ekEbd NCOnPtodvbS7HReCUn+7P6G0TXhPqndRXxNR4RXv7b7N1SKqMw9VrMYl3cNOhIFK IS/D8owsKSfYX1SJ+1XhXhlXEeWQ1Vh/DlZZefbf4rROIpnEu78PRlJnjXT3rdbY CGWsELMeKJJrfRMhAt4wJ7w7BaA0+cqCO59kKqcNJ7ztG0ZBpOauwGKAfeaw969q hc6gZqfN5oxFkEsMOEHo6GPbfwFgErh9LabTM9YlHh4+AuwwQbDvRip0Pm0NGkz9 2SJUAxtGHOkHEgGq3WXgSfRceWFM+PRGHp/88CzMvzTnGyeYW2sf1ge6Aec9VMhe Z3qiFY6FjTG3GMPVFDwfmC5hirCZHy/wzFOcMFGifiVMmD2WYdZJ85QXrjm8arXT hZCDdnKdCUHGEtymOF390BBIgmy+cNOC5fjgewwP1fmldp1kWpLpctXXibTnLWqv B9N5D5m8yS7mnLYWSTZfP6cuDPS06ASgNdMQYBaA6Hlh+sx8V6tAXitKD7dQGSri vYIbWYVMocZuzbE9e3kgf+x6HM9CVT17AsV4KBG7gEsS0cSOcIg0dUhbo+UTIfbq UCeyDOUrFjHi0okdsTvGJwwk1UaMtyu6hBM+BH4cuEnG7eXwu7qtampkCyrA5KJq uN/y5+S9heUIcPhsSlW2EDP079bvIrL1D4bhfJboyGhnlrTsW2g7bhN8kUZV/zE3 QG/P+LKbqXUx/8BeA4RVRBjw41J6YV92q7WzSBjbNWjU26anxMT5poAnQOo9Vteh 7MgadZDN80yD7oHXrW5A8ohO5CqHfeUGCQptbVh5ozGinpd1kNHldXArQZMAYjhO cr4jQkLdv8+ICQPr2C4gBrDdePsWRL/4gjqcm1/1h7V/TpYtrXpPuSvY5mB2zaib NNLLaP6GIc/xM4PiHJFlEaGyEahL96R9XdabGDtch/waIWrbZ2ONnB5qg6cyegGc lumHMAtjig1nXjdhzn0=

Extension name: 9jc5qld80

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1757521EA40659C9

http://decryptor.top/1757521EA40659C9

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2964
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:1920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:872

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\9jc5qld80-readme.txt

    Filesize

    6KB

    MD5

    ab0b422ffbd4fade9c4ca2f0fc561df4

    SHA1

    af046852cde685c9d597c5011b0c7e23aff0d376

    SHA256

    4016631ee1fcc5cd1f80f583c3c01395205d4a5aaeeea1a7b6289028910c429f

    SHA512

    9094800df7f15b427abe53f9393042df18546e0c9a6f78f13fda1ab3838f0ae94c9428e7fd1d1dc8ff51411b8a03dd31717edaddc37beab65c0d5fa73dcca462