Overview

overview

10

Static

static

10

da50c8e2ae...18.exe

windows7-x64

10

da50c8e2ae...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-09-2024 12:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe

  • Size

    115KB

  • MD5

    da50c8e2aeeecc39e8ae49cef8271733

  • SHA1

    768d0597775446938114e0b5f1ad74b7c51b2a5b

  • SHA256

    6cff57ed233dd9083464ccc23c0a59df300c8a0aece0d3651e5c9e7984c937fd

  • SHA512

    adf77baf9095cd1be5a9a2639978e9b1150485d08c09d8146645930528e552bb1329467cc4e70901c17faee0b734b849d5ef83feb0da760ef7d636d75e1c4786

  • SSDEEP

    3072:mlnXEXyk7yvh4NKm437uM0IItpaHV6B+:mtqyg34L8tpky+

Score
10/10
sodinokibicredential_accessdiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files (x86)\5356k-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 5356k. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D39E69C9F5762EE6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D39E69C9F5762EE6 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Tdig2XOZtGYeSF8C9YW4srVdwv/su1qsx+/roGXU7z6q1WfzGvcidX4KPcGjxEk+ JILxNugiDvWYLkzY7B4ckySEqFiTLnzk2AM3POVRGvsnxA//WEcctwz9l2ByJUK/ QUuVLibWB2XRSngOYxKvSKVGWD4qxz5cz5BNKqn71PB5NDM0HYwdAZUpzAckYY3H 81tK/Oz0b8k/nYQDY4r4fA2MkkPjYBMmVn8SqJuIBlzf4TupVOtCi18BeAto2D9r R4vDjNRr549gHLLACSG9fKY1HJWA0jtdxOR9V1s+NVKBPPc0b4iRZQyU3r4l1uMK znnBznH/Xyi2AFdBOxMU70YTd5Mut3Z9V4RH1zLZRQVCr998FzXxaI4QD983cyCg dvwlKsCFBZwU0bLpHDbDJ7HQOB6BQorusNIMwIGUNamM7Jb7xXm9fSyRAJBxWkoS iqAHWXJNVKMLCfbCDP2Nq72Xu1r6jeq+fUMcwS0KOOmu1dm2atskwnkwQzDAam01 49f8fGu73NGsOcqTvDuhXyV9R6KxRQH1/VZuznCr3U4a65K+M/YEhWsVsQKvUikP QWIwktqrX2xFTCUka5Z4IkFr4L2zh6+PuMntr98OeHBNL9DfwysQUijrXBpekhJd MteBZqOXmPY7n6l2cDeweMtdSDvEVBFzJn9MRYWeaGS6prItraYVLYs+9uTnIOkt bF0CF4yDsxTUubCMTM1kIgaW8V7LML22OEX5MZdD/fzVX2GnLTrceoAs8UrQY3Pc EJCA2UqL2nBjVhAFdSl7EZ/nxaqXke+bOayniUdpybObfIOuXDHbcxrnF0KlKdeI wa26+YNx6ZFljQdcbXnZGbLaWcAI/NdT3m7Y0XH/pF0kJrGWeN/ZusUiL4FowoFp 4ti0HRGYSNhUm9rym5ref84rvE9owIbLEQIVoJLvC0QjJ0G3sF28h0l9y1a0ToxU +O9l3ZjDPwrp3xeaeePVtcnn9lvOgocv0V8uYvpRR6nUQv+Y5x9FJylc6+eEhyEg FbOQZzWxsZVHm3VfOBVvA2COhF2VX7PVG7VfDJF/hZMKKziKGoepmCzulDe8YXtG +2bTGhIEl0R4uqhquRoHudySNUCGQc4ndbLJ+DxwmQgxpdt2LX6J9HMST0RlwW8/ 0tKX/wHazHXMxeYxgZO4Ff/Ws9T1e6b/DX16ipPC0Qosu6df2+8ukvIEaONSZrTF kpSoQqpdJQw6UW66PDztl0NK1MIYWdbM9zuz1JA7Ci3ESxV+fJUs5kRFbtH8WGtI yBt5gnZHZbsOK4E8+ToqKOvvdflM9Dm4SaI3oxLorXUOqR3iobHKl57z0nAkXH72 yVMtqtwvFa7danzMTLippttvvE7Doh5oNwL9xua0 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D39E69C9F5762EE6

http://decryptor.cc/D39E69C9F5762EE6

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 27 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\da50c8e2aeeecc39e8ae49cef8271733_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\5356k-readme.txt
    Filesize

    6KB

    MD5

    09ae8ac847ada30a67ed7c6e791484c8

    SHA1

    bf10e00f27301af03a7372e4ac58fcfd543b1e1d

    SHA256

    7ebeca33a961c457a616103daef5cf8df42a75579aa9b070b9201291c1cd48d5

    SHA512

    fc61c6ef34f284c31720532a7505a4950952b69cec4f47cd17f9cd0ca58c44b68a0b2ead3ada0bf4779c0141e46d5199203fbbfb53562aa36f134a23c2955b4a

    Download Submit