Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-09-2024 17:40

General

  • Target

    d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe

  • Size

    179KB

  • MD5

    d0190f94e6d05104977c53b55dbc2911

  • SHA1

    c0ff002b0e26b180a741c3cefff15190df7746cc

  • SHA256

    f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69

  • SHA512

    d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868

  • SSDEEP

    3072:LNKQ4JTBg0Q8F63VETed7/kBazzFbULpC15RM:LNn4FQS63VE6F/M4qE15

Malware Config

Extracted

Path

C:\Users\7m7n045-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7m7n045. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/557D3C3EC7AB7055 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/557D3C3EC7AB7055 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: dA7pdvKB7426yxzvojf3NOgs/72fzWmvRPGm4fy0PDnuvo9Cx69uWtHdrojiJf7V Dj1tG0aDo+pjlaRrNiISnDLHHXHgvw7oWh3Adn0CIRSCk9YcP/Brru+h+0xmPy48 IzYWZz5WUKZZQSOLNCKyNM/2RXIkoluB8IjmThjwhuOpU3GlhkPe4IrenoWrqT9S kI7kJESWH3BqDWnxfpWvkyUpGUZlV/kD7MJHedoqNa2QpoqP8sCDRamto0L3KRN1 GHoWNFAPjfLKoF4f/oktlGAFUJS2DcS5BqQjc12sVSdOJqdj83cmZDRG/eaBFe6+ /eVlSfcK4dovSX9gAvFmqlJnuD/bJVJy2mmABrk6phStKRo6OhsVkB7WlVypMZqb Ii5RyNt2akW5Zv9hWVJ8fcm3/JD+XhXj560Q/Lz2+WTsXcl1XLi5AwGjz7mEz0++ dXGuDpkE2N8eOVCRA6n5ifRcQDQVMbaLa+2sMsWC6N4pMqFFcVB8ZNzTzCaupaSK l9KFXJrgHl4J9my2gR5Asv0YGkJhAG8rr26kUABl80aAj0sUh1SQlIFEQfrnMpP5 /N5BZPhxKtlabyw0oJQsx3uTvptW4yVz6or1OUh0ziKpne1lU7VXjI/IdRu2XEfz V+RFDQjQuew6tUGaQSap25QiVEUzsgt4LcZhPThpdMKeIrZlVSvbv7vOGKRgpITv WmpG4PDQZnLpQCpW7eZv4rX07dtmgfNeIxohGzcadUfjI3bFuDcZj+BKWtrKIC8b P0GZfWqjXcNf68IwMaEca/Fjnpjj2xncnqOxN7iHONsv70T7nmS3WKPwFAk3aDWr tFPKHYR8kn815f3L/0qRvaml+cVXKAn5ZsNKLXv8Y7dXaPAsT0agRogaT3AtkWgh Dsw69xVnOQjDUTiHKgnLHWvVyZWTPKXs0hgqIO+DtVJ77KSTvY7ynmIGhWekCZ83 4IeNV/fbSshUU3xG4J7nS9HD6/6yGehdXRcBXIQzx2a8MAYCSnBLPv//FSanwCMO K+O6Lw6huEUS7Zqp03wBUSySN+NCRFa8Nmq6tLET1zLmvmoeMCYPfPNuftV9VtAZ PQVMn7vaPdTXHJL0uG27UiTmx1Xu0Ffz+4GB91dYyuJN4BYdlcHJ+L2yuBB586RO +hYXcqGdQqzNNVULF1YUIVqNcdadv8sUz60eKDCMPSUvqt9SwGj4aViVl2V2XiQk SfTcNM5Vuv2tq8wA7Su/Vg== Extension name: 7m7n045 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/557D3C3EC7AB7055

http://decryptor.top/557D3C3EC7AB7055

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 27 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0190f94e6d05104977c53b55dbc2911_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3552
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1508
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8
      1⤵
        PID:4160

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\7m7n045-readme.txt

    Filesize

    6KB

    MD5

    e2b0be8292e176f123e908d509a600f9

    SHA1

    8e726f8a76e54a409c15a9d0d6ede1fede442e52

    SHA256

    e5d0b044e0504848674acf2484fa90744a52b6d3f528eeb532853bd5bc31a8e7

    SHA512

    3fc8da1f1c2d929814de0ee9a2e08ccd6e8d5a54c81bba2ea67e57c69e09305e8d155470cd6605ca2def7522810ed3cb7d1ce0662d2829c91ce18b6915745da6