Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    08-09-2024 16:55

General

  • Target

    d4d5c9676a7b13bdf43d1b8feceeb072_JaffaCakes118.exe

  • Size

    698KB

  • MD5

    d4d5c9676a7b13bdf43d1b8feceeb072

  • SHA1

    dffb8f4a7a903422461db695a955096c52a77994

  • SHA256

    fc224d7b3b799d4d280821570b5abbb8ae876584223e9338f6eaeec1a0e522c1

  • SHA512

    9868ec2ebd8d5f0027cbb704a9096bc8d211c1c26cf2aa1f43262c4f7fd5225d3342392c2921c4611b6db98439c42dbe7ac69ac0e3eec64cffbf8507ce83e9a4

  • SSDEEP

    12288:Vj5QBGxzmsepfA1WswUZyNLKPwSMUMcNyPdScygB0G83zAO+QQMCb246F:4BlsepfAcswUZyNqGMrgBs3zF5Q7b24U

Malware Config

Extracted

Family

sodinokibi

Botnet

14

Campaign

1045

Decoy

slotspinner.com

queertube.net

metallbau-hartmann.eu

kristianboennelykke.dk

global-migrate.com

keyboardjournal.com

webforsites.com

kafkacare.com

orchardbrickwork.com

strauchs-wanderlust.info

gaearoyals.com

satoblog.org

thenalpa.com

rino-gmbh.com

humanviruses.org

fridakids.com

dinecorp.com

elex.is

gsconcretecoatings.com

tetameble.pl

Attributes
  • net

    true

  • pid

    14

  • prc

    outlook

    agntsvc

    sqbcoreservice

    winword

    thunderbird

    mydesktopqos

    isqlplussvc

    synctime

    tbirdconfig

    mydesktopservice

    ocomm

    dbeng50

    visio

    steam

    firefox

    xfssvccon

    msaccess

    dbsnmp

    onenote

    sql

    mspub

    ocautoupds

    powerpnt

    encsvc

    oracle

    ocssd

    infopath

    thebat

    wordpa

    excel

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1045

  • svc

    sophos

    svc$

    mepocs

    veeam

    backup

    memtas

    sql

    vss

Extracted

Path

C:\Users\c7hg0t2xxs-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension c7hg0t2xxs. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5AB09E77CE12EBE4 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/5AB09E77CE12EBE4 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: /bB1YVgmBO162fk+1b9XQffFZiLb6tmq7ytePFZ1DEwZDMTONeWUXLKsewoYMXwO E3EOGR1GcC7A5m2O5KzYDndKyVAtdt/uMuLmccjohIPzMBh4vAdQ9wEPVBqoEN6B a3KK7mDWAqZVG413UxUBHn6wO6g1lEo+q8Vc1okWV1qe+7uN1/URpkStZvGJYzh2 L1DCR7Y8WR2ua33Id4Ru0907psTJuNcVxYlOuX+rPOyObf0efE4T5V0laMVl7WJH WRPns2/9Dss358P9TJe9N4p8MwtDCJbrXo1IOMjznlyXNfKQTv9xlmEUG2yB0hmR acgMzA+dKJEmCp6Ia4FQLOG0+HtfII21UdyUFRoRMFil74E8Jkt5XQemQEA5WVUU J4HT/K/R+dSBh2DdY0c4m4fNxYL6QvivrS62LFZoXcDafpGl6qLkCHskWcKZmYqQ uCEcVGcDu6nQn3AKFbrfp18NNElihxgEnmbblEwvGr9llc6TzyQiVd03Iyl1logf /Fws3ALAtHtvqGx5j6UfplXj582JVgb0r4UKt+8l+cOdZ9xp00dSQ20PHWbSOD60 4CfC2P6MjtRVbbzZD74noXSJOe1CeqFtDT+IuOPzl/UY9WOLLM5fsJohptxVlkUj ZLa/b8yGWAYyd7HPtiwfnpC4Qx7pMFoxlsz1tPicnFjXmDeJFPsB0K7R8v7K2w/s YDs6neH54yJE/ntsFmQAOD5miOlplRbQwuMSdp1HzymDbtwKBC6lf+479MkURcez pAmV8Kz/UNZ7tdhL+QEB98JASUEAcvl3w05KkipHo85KbMOaQSawEV+rlgaDODQk D2qTBlnQIw/mzox0X3P7LCgFq9yyL5yzJcWHwRaHUGrBZx6I368pRaGehSZpaBZF 0P6qw7FaDYnr3GiWChq+5rOwMaySQGiHWXEfuc2cWvmvsf/KVkZJefVpGtxWi/s3 2+FuTQOtegtkxei2xLqiTNlhHvcyGYT9Fk4glcSIBeLuVh5E8VPv7MNlkpkuUrse y1rtS6bC44qhXsg7OVusIjNlA6nHamRCabp6KKNBs+2O8ei0UIobXesMszvqS69K p0exzSQ/jb4b5QXagNZoR0Ypxl/Gk4X9+TGUfFZP4C+ATqXp8KZBng7T0qNwEqDn atw7fro8Jdqrkq6i+RNkE/qqQb0qXDUh5xZazhYdxPMwhHST2qoc/oBESC0yyyBB 1scd4xdud7PLXxxboJrvUy12GYE= Extension name: c7hg0t2xxs ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5AB09E77CE12EBE4

http://decryptor.top/5AB09E77CE12EBE4

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4d5c9676a7b13bdf43d1b8feceeb072_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d4d5c9676a7b13bdf43d1b8feceeb072_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\d4d5c9676a7b13bdf43d1b8feceeb072_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d4d5c9676a7b13bdf43d1b8feceeb072_JaffaCakes118.exe
      2⤵
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2952
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2688
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab8D73.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar8D85.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\c7hg0t2xxs-readme.txt

      Filesize

      6KB

      MD5

      2af28ec060d1d34eca9620984233f038

      SHA1

      7e6bfe6362b3a1e09e1b69cb1e83bb5df1fd9e68

      SHA256

      96aa4b4611287d0baa3c6baadadd0e5c843cebb52aadb974927860ccede4fd8a

      SHA512

      ae9b445ecb9122cf90473a5050a2001bcc5a5545b085755351f69ccee7ef0db7b69df60ab6221ce9eefee6e00d4a5937338d96a3f8db5793d37dabfbb0952942

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      191KB

      MD5

      04bd5e900b4fc746bf4e62085b310026

      SHA1

      20d0206e365147a396b48359535c405221e5767f

      SHA256

      a7dac0e892fdd1a5cb440a84383e2c61e96b0aa868f962e53082d8ea334328f1

      SHA512

      81e9ad9be737afe265513b681cc996ee061208eab026616dfb219f3e7f095805eee313071fcd7d0ab55967dc8c4548df80d7be29b8a01b7fd977417e864e2de9

    • memory/1636-12-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/1636-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/1636-5-0x00000000003B0000-0x00000000003E7000-memory.dmp

      Filesize

      220KB

    • memory/1636-7-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/1636-8-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/1636-9-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/1636-10-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/1636-3-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/1636-0-0x00000000003B0000-0x00000000003E7000-memory.dmp

      Filesize

      220KB

    • memory/1636-13-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/1636-14-0x00000000003B0000-0x00000000003E7000-memory.dmp

      Filesize

      220KB

    • memory/1636-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/1636-4-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/1636-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/1636-2-0x00000000002A0000-0x00000000002A1000-memory.dmp

      Filesize

      4KB

    • memory/2616-15-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2616-449-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2616-455-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2616-448-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2616-446-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2616-445-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2616-519-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2616-520-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB