Overview

overview

10

Static

static

10

d04208e849...18.dll

windows7-x64

10

d04208e849...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-09-2024 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d04208e8499134779820f61c15d2ff37_JaffaCakes118.dll

  • Size

    161KB

  • MD5

    d04208e8499134779820f61c15d2ff37

  • SHA1

    56770b21d974922a42c6dc80e433490d1aba8624

  • SHA256

    d765650f9f566880df22f1dbabcd8da0dc81d6e10ffe3baee3166ac87ab12a91

  • SHA512

    4443dce1f06c9ab3843f50546f4d192e6cceeb483ec8d468574e6d555dc560e4abd7405d058e4d6f21601876f63c8146f167e6d25bd3e1a2c46d75bb4e416d70

  • SSDEEP

    3072:SrVv1LsjovMDkQjKiNLDIFjKbnSEYaQG8uVsR2q:SrRijAi2GIFGHYQ5yR

Score
10/10
sodinokibidefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Extracted

Path

C:\Users\yhhyv-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion yhhyv. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/04AB4409CB516FB4 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/04AB4409CB516FB4 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: hKJa6CjUgjXi9DGunwWJNpbT74AX0ZNm+08gIab/lbaGnTXv2qpTuLiHenCI64j2 73ZLujLkzSfgRhzxhy80eWB9ARvuoC5o+YRYckqnap9xz5nXtlMjmHY/Cldix1qv Fm3BpW+nFzLtIRth+ozIAUheFmQl7/NYSoQznq8NSWa3IMGsf17ZOfg+AldF33jr AFocGAYS5mHXLx9QqQLPzJfBE6Vwn5K7eQmSFeWLeAZB3zJ7/yetwhrIifBeaYMD 0AZyuQYVlhAGZF2e2JtiOQvU8qTLiBEKfHMFUojB96/QDD+yOWtmb434ExkbE+Fj jqenbyS0eRfRlO2LRLIWCCNGMY0rwgYzNaXP6atP0Tygn5P3BOW59i17YUzO27c7 6SrG+0tcaanlm8qpRtDONQ5x20oiTxxhVz9axuSIRKGHOne6Fv9ra7GfayR6t7rn R0etXQIZZlxfivWEPEMGWy5woGO23jyd464rRyLvOHuUaqLctDq18/B5aaWrSolp GAaVr7Lg6+5b2P0vUO9acAclRCNpeQIFoqHNV2NXq4+fz2FUeJGll/ehuQP0Z0ga OD5M4eNnjed3hWWw8w1IQz2hr5YE57EcXqID8cRhzJTtpTuqphlcLt1vTTgFbfLm aJN3f3m1nn8S8sFuQmQLzmwG2Kqif+/V152BfeXyWIihEaNbqU0sqHmooSglOi1t tv5Id45Ao2BbBJ/pFEjPlLzTeQsZKedJlIslF5VzsI2l3MlrhlEcqhyIpKj1ICHt ZYKnbrjR6dG6w9PXdevXCx04M8GiRpLdxKVBwnr0wIVuzhKAu057JkdywrJsa7RN SJAoJMOwc4SPur80mjLadif4uIeGA3dB8TCs5EKaUIdgBZfI0h38L/jHVd89lFM2 gFP2FmjpQoVvgWDaqn/vgiaEctIzI/F8wLCm5YeQvHQQVB/DyrGOYz/KpxubwOI9 eqHjayKeKTY+fsReVeXAnMxoOteo3VkSHn1Cz/CfDDGX5KV2yHdtKHTkR9UBkrXj 1OUU3zerjEYv/ZhvdSocuuHL+S0mJ0GSloEBQ1d54FcVWETd7H9q2/D03HigArTI hIv1bnts5J1paUXB8wHFpt0ff9LIUug3CtlGOP9uSajNlPNLBsZ/t23kGADyNClT l3efkZCEIkB2zvFzNL6NeD3ckp43ZVX9XN+w6Cx4mnIIYX5Netwl14qOkGfu4V0Q HTI4SamH Extension name: yhhyv ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/04AB4409CB516FB4

http://decryptor.top/04AB4409CB516FB4

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Blocklisted process makes network request 7 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 49 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d04208e8499134779820f61c15d2ff37_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d04208e8499134779820f61c15d2ff37_JaffaCakes118.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\yhhyv-readme.txt
    Filesize

    6KB

    MD5

    6963bfc1e7ae43a3948713b9ceb4d0ff

    SHA1

    7800466380b18e6dadb5aa6bba36fddc5d457545

    SHA256

    d7c98cddd365d3ed7dd2cacb62cbdad0400a1f394b32bb98bf5c3cc8a5909e89

    SHA512

    ee4a8c0e8e960e35f8d14160e548d78dc844d5dff53f4d41076f04e4505775c8cd91e5402957faaf5765bfb8cf15fbf3ae192734096991f6e5c51148ae08fad8

    Download Submit