Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-09-2024 07:57

General

  • Target

    d170f2684721d33eb1b1db2cca1a764e_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    d170f2684721d33eb1b1db2cca1a764e

  • SHA1

    ace765223486af94ef2e8b2c531cb56b8afa3321

  • SHA256

    399a27b146613d522ca9430ba24215a193a64f816304e4f51615250d98c3294b

  • SHA512

    2ba8d350a0f39d406da4eb27a47e7736d2d83b0387553b98ef7865568aa04127641015141f329dc4a83d0880439d3e7b7b7376fd4801a9fdfa226faeb6f5bf65

  • SSDEEP

    3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDOmi22:ffYWAw9fcUdmwIXo+M9VQHD77

Malware Config

Extracted

Path

C:\Users\v2dl9lpf-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion v2dl9lpf.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D1F35214F317A6E7

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/D1F35214F317A6E7

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key: Oq5QLNqCyP7uR9nQLpHvSqh5fdXtoszmuvQR39k9DouIpC9372J3ifBJ5Ast8Cqe yk/yNgMpRWFXUykijhqr0xPXRRh+w+BbU1SO9hjGOH2MqTKKJK0865BtDarQAQhq 20zJNlNd08riIkRF+VgF4k9nC9/I3LCZrfGIf/FXFKJDtYe7vYbOSAdjQvOxvShS 8XC3kpeGcigAl1Hg6Bkpo0KQjOtEmGV9MdVTMfqHUu2p5EO22wbtqAOAWmhwh3w2 dkg7JKa1IOEo/RS9ZlCliV4kfXqPg6Ev2v2qx2y40iRqY+m33Lxq/m3F2qeyd/UH oW2XTK/6mTebXfHwe9q1SJLYKcFIbs9hpm+I9ZF2An+ONjGRH7TD66iaazopAxEa d/dAv3cvFSqstBwgsDiqNoD8OBZzQ1fcgdWL+5tWFd/IGj22IC8ZlmkDVhwI5HOb 9CVMQjnOiKInS0IykFOnNQa4ffX7oBAb67Cbd+I5IDiGKTNy7oq/08ntzWo7XUbW ikl9dsAWTJYP9fGb02kd8+cq0Q1CwC/gzhI2WtjHIZcIB5V2L2wGHC7tROw8Y4LO Vo9DdcoLhMuD04etw97wGwt8aS/+fe79XrAtBaj7jeQPx+Io74560w/pjEvfzZXu OK0Q5+X0mly8TI6IB9hzit0+gTxdgrA5YFwwBNYMi28qDX93YiTz56n4/zW5EnaF YDaXyIIiiNQegfQdHLXyjtmfRqlTTPwkO2NmYUqUQe8JAlVoQhQV6VkOBULhgkDR Zn0SqwnHUR7c4OOYJidXRb2J2/JwslgsIFCdSNaQTGxsJfoG9RwZiGDfV7abTt6A DyjQYJKwEcRbiT8mI9MKCka4ogspd/ApXZomfPA9Qhqp2LV0baGNe/4CpWFGonMz kQsbbr3HBlpSDIR/2DRyUyHA7FfanGaW6NmEbX2LO707AjmxYY2bjF9ZDg2smXWT kAnm1y9vDfipvGvvCE0Lf3z4JufY/pjC42vLinlJLB5UqBcqjSKR3crvp+fzUpwA zNxILRLoHvU1lzsBbieh/I6R6spjdjPF0OKTbXRV2Q5jkq11w5Vyt046YDj212po cKpQhfr8GKRQ7rfuUjUiKtOgTVZtLQcuE8yZdz76RNivFDD/WKSTP6rBT86g75gf Ef/hA2IpzNvU1d5hLhMyKuibvgyDac+z9A4/DUX+wndFMtWLOO+cNrk74Re77Y9+ oL5AtHODE1dk+U2kYRHuxuFurbw=

Extension name: v2dl9lpf

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D1F35214F317A6E7

http://decryptor.top/D1F35214F317A6E7

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 25 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d170f2684721d33eb1b1db2cca1a764e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d170f2684721d33eb1b1db2cca1a764e_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1172
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2792
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4068

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ydmnng0.erz.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\v2dl9lpf-readme.txt

      Filesize

      6KB

      MD5

      d51cccb807a931a0be8054c0d01bd0e8

      SHA1

      a5757885c46883d1c0a0e74d7a909bf94aafe8cb

      SHA256

      7f969f3ecac4de57691060986d4caeede246283db3014337da01de2de99dc66f

      SHA512

      5562bebad987fced7b427c345b54fc44f918a85a9f5382bfeabd6c08f51022abc4fe8d83de0bd07c865f543a5d69b0db09a8afc31bde7cf6b60891c73c13df48

    • memory/1172-0-0x00007FFB995C3000-0x00007FFB995C5000-memory.dmp

      Filesize

      8KB

    • memory/1172-1-0x00000148E11B0000-0x00000148E11D2000-memory.dmp

      Filesize

      136KB

    • memory/1172-11-0x00007FFB995C0000-0x00007FFB9A081000-memory.dmp

      Filesize

      10.8MB

    • memory/1172-12-0x00007FFB995C0000-0x00007FFB9A081000-memory.dmp

      Filesize

      10.8MB

    • memory/1172-15-0x00007FFB995C0000-0x00007FFB9A081000-memory.dmp

      Filesize

      10.8MB