Overview

overview

10

Static

static

3

d4d5c9676a...18.exe

windows7-x64

10

d4d5c9676a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2024 16:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4d5c9676a7b13bdf43d1b8feceeb072_JaffaCakes118.exe

  • Size

    698KB

  • MD5

    d4d5c9676a7b13bdf43d1b8feceeb072

  • SHA1

    dffb8f4a7a903422461db695a955096c52a77994

  • SHA256

    fc224d7b3b799d4d280821570b5abbb8ae876584223e9338f6eaeec1a0e522c1

  • SHA512

    9868ec2ebd8d5f0027cbb704a9096bc8d211c1c26cf2aa1f43262c4f7fd5225d3342392c2921c4611b6db98439c42dbe7ac69ac0e3eec64cffbf8507ce83e9a4

  • SSDEEP

    12288:Vj5QBGxzmsepfA1WswUZyNLKPwSMUMcNyPdScygB0G83zAO+QQMCb246F:4BlsepfAcswUZyNqGMrgBs3zF5Q7b24U

Score
10/10
sodinokibi141045discoveryransomwarespywarestealer

Malware Config

Extracted

Family

sodinokibi

Botnet

14

Campaign

1045

Decoy

slotspinner.com

queertube.net

metallbau-hartmann.eu

kristianboennelykke.dk

global-migrate.com

keyboardjournal.com

webforsites.com

kafkacare.com

orchardbrickwork.com

strauchs-wanderlust.info

gaearoyals.com

satoblog.org

thenalpa.com

rino-gmbh.com

humanviruses.org

fridakids.com

dinecorp.com

elex.is

gsconcretecoatings.com

tetameble.pl
Attributes
  • net

    true

  • pid

    14

  • prc

    outlook

    agntsvc

    sqbcoreservice

    winword

    thunderbird

    mydesktopqos

    isqlplussvc

    synctime

    tbirdconfig

    mydesktopservice

    ocomm

    dbeng50

    visio

    steam

    firefox

    xfssvccon

    msaccess

    dbsnmp

    onenote

    sql

    mspub

    ocautoupds

    powerpnt

    encsvc

    oracle

    ocssd

    infopath

    thebat

    wordpa

    excel

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1045

  • svc

    sophos

    svc$

    mepocs

    veeam

    backup

    memtas

    sql

    vss

Extracted

Path

C:\Users\71vpqptb4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 71vpqptb4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A5671EB3F1DD60FC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A5671EB3F1DD60FC Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: SvyIjHLUSRMkAnCfiJ6z9oSV6qa+bIL/8jOOb7k7V/SnyFXfcv2PKjuiI+zsPkEU m7LcMa/wM2/RS3chOIHQKlK5UrCqGN8ME3aFNSbiOzgTJH4vMhe7W5Bdf16naMdo dVUflh2HkQscgX/LS/daX+Z6JDSRFKHDpV3xQbxPY4gq1Xcs9TV+H82/HqhLtKSz TWaPkDN+xEBxvhqM+aPtHmIgLdyMY3QdU0nimfe7JWab4WoIhEkywV+3Ci3bMtrl KyuJbZ3lGQMfHK2IEDq0UXfMSRNHv2KReIIvMP/tIOCVbjw/HTSLfdyHcx00DbTV TEE3Gx2wL+VCyL+5MjFA+zz5hYd/0jDmnhXrICCWSWw96LW+R9AryuxLhykACPmP zPZw7bWmsi6gVbJXlpee8B6aSyVo++f9Ta+0rYSwC/e3UPC5ZhVej9emkJr8f6i4 QtPMd3iL7R2Dwqq+MizMQmvelFfoTa/dCkHvO0lbRquifdonKYEtmQMvU4emMG74 fgkH9Rd+gxxT2/92wHCdT/T/eTViFXqlmPd6dwWd+lcr3cAbkAqu3MZ8i3rmknvp 5cqciGU867TUj4afnuX/wFQ0lFY8tgxjjzCmHsrMjRHEMB6Xayhcb6haz2eTjOid m8Vv7LDH8ehpX+55dAejwAddBVmV87uTR7vKc2lErrfqdG6Ey/gUuwCtEnq5hnWs DMevOzBlaSOoKdYiFqtk+R7X8tUX7K+36GPz4nGqg4DLVhEjNx9UTI/mCoqRQai0 yiuMY/mF9sE4DxYMuWKRMmImoaQresahqUlPMapCkJiqEB1zu/+f6vAV53gOIgxF DxnHMZNFA7uhHWPo51Zz6F9mo0fAf711F0PkyS6VXzhimkgTZD64eRSbyfaVUA80 mV41oeeRS/lii5YzGb69+ER1f+KYXubzlUguO/bRx96D1dQEzzqsH+yePzifkXap I5hUmHkhUlYMI9hY0Dtc1GTRQ/WMiFWohhgfrdmWP6sA/qRN+MAaAIez1jEfEMus Czq1T1FYoXP6uDZ7DTo8ZjCW02wr88g0ptH8gzI+FVhtYNYZ4aiBQ/iJKOq2zuyL u2eVr84y80/l2omldjo16MkpXdyp67aBhlMO9n3dUqQ+e6cWuvKkeH7ginAGbd0T G41ITDvvmQGq755rUwlnIYelDjQfh30trtWvO8Q+BDffxWUeX3AWJXKZuQjndM3h SGK8YSwH/UXm56VYggnDRphGwAiRXSSv Extension name: 71vpqptb4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A5671EB3F1DD60FC

http://decryptor.top/A5671EB3F1DD60FC

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4d5c9676a7b13bdf43d1b8feceeb072_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d4d5c9676a7b13bdf43d1b8feceeb072_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Users\Admin\AppData\Local\Temp\d4d5c9676a7b13bdf43d1b8feceeb072_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\d4d5c9676a7b13bdf43d1b8feceeb072_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4328
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2752
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\71vpqptb4-readme.txt
      Filesize

      6KB

      MD5

      c373d428e77b88b122cbb3bf1ff1756b

      SHA1

      4119df6a0c4e72b36750cfa92e0db61d220237f6

      SHA256

      75836e27ee16eaa4d6f29fb6f4f6aed0d7376cc17e85870091fe9e624d0d7742

      SHA512

      f6b53574c248774fae69901b31e7563d0ef8954ecd7ea76de0ceb26f2a9dbf955b77187429890de8a30ce578355d5fec08690bb3d6025701146ce77497ed6768

      Download Submit

    • memory/3624-10-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-3-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-12-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-4-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-5-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-6-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-7-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-8-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-13-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-0-0x00000000022A0000-0x00000000022D7000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3624-11-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-2-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-9-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-14-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3624-15-0x00000000022A0000-0x00000000022D7000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3624-1-0x0000000002B30000-0x0000000002B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4328-16-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4328-438-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4328-441-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4328-443-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4328-444-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4328-447-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download