Overview

overview

10

Static

static

3

e82686fa55...18.exe

windows7-x64

10

e82686fa55...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-09-2024 02:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e82686fa553545a9b3ffc1225f0bc5fa_JaffaCakes118.exe

  • Size

    313KB

  • MD5

    e82686fa553545a9b3ffc1225f0bc5fa

  • SHA1

    9bfc63f18069b03e4cbbc3248d71d70cd2d0e80e

  • SHA256

    5dde3386e0ce769bfd1880175168a71931d1ffb881b5050760c19f46a318efc9

  • SHA512

    8d483e01cc6940e5f45543dd1ed39e4e8aa930370ec4b4eff5dcaa029f2ca5067f041c4e3a16310dc8f7e5be94a7296c11da828e228a59ea1c6435af1fef698e

  • SSDEEP

    6144:GRMb3yPooZC0aVJmV0haDF9HUPGSllA8D9:GRO3yPozaDFRUuSz

Score
10/10
sodinokibi27215defense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Family

sodinokibi

Botnet

27

Campaign

215

Decoy

5thactors.com

matthieupetel.fr

opt4cdi.com

catchup-mag.com

nykfdyrehospital.dk

luvbec.com

billscars.net

sbit.ag

neonodi.be

poems-for-the-soul.ch

lashandbrowenvy.com

amyandzac.com

schlagbohrmaschinetests.com

bcabattoirs.org

agrifarm.dk

ox-home.com

gatlinburgcottage.com

sycamoregreenapts.com

nepressurecleaning.com

awaisghauri.com
Attributes
  • net

    true

  • pid

    27

  • prc

    winword.exe

    sqlservr.exe

    msaccess.exe

    sqbcoreservice.exe

    wordpad.exe

    encsvc.exe

    isqlplussvc.exe

    steam.exe

    excel.exe

    ocssd.exe

    sqlwriter.exe

    powerpnt.exe

    firefoxconfig.exe

    oracle.exe

    outlook.exe

    sqlbrowser.exe

    onenote.exe

    tbirdconfig.exe

    synctime.exe

    msftesql.exe

    visio.exe

    thunderbird.exe

    mysqld.exe

    dbsnmp.exe

    thebat.exe

    ocomm.exe

    agntsvc.exe

    mysqld_nt.exe

    mspub.exe

    mydesktopservice.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    215

Extracted

Path

C:\Users\3561ia61-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 3561ia61. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9DD72A4AD166151F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/9DD72A4AD166151F Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: lw8I5POqiObyWxFcevAjNlMbOWI9eojTYvxxoY1oFt7IcNf9Vtecz431SlFM3QWA /14oPC9b7liuvS6N6LmHOwwbxRj9v6am+N7N0qswzEeqhkWpunmUclA0wsSNvFpm q/VkEBx84cYWq2ZJzSz2hYM9nA5ttL6Jg7JygvjxYNKocR2RBNbmxw3TPeF87UER 7eIh/hyprJGOUoljOoYQBxozfdD+BJWpMRYTsNB+pc/tf927+WPtan0TROCvQWYi 9bqbJ4Xy6BV9x1uYs1Je/cjp30z4EI3fE631MgOepjMEiJt11O/Ft0jx2yRYTzLD XQ46FOqfE4T4QTzN3XmjOzsd0lYhhfHGxKNT5dio4mmIpBJC5FDOV0TwcNODFDYg MvpAy7JRbfjJMeb9sdZfZSs0goEv6Ha4df0iShZW+TsIs+JFTzHN+xiwcbqvt0XL ARd3LAMusHjIuC6Z2FHuCN3pFZ62U/NDvdudSD1RBo4tH1/+p3K47dYDreaoKR2h eBot15+cF7gx1+uwhVqYm/06MFqoSR5ET6D26t0s2nbwi4P6VctT9y7aBJz2ei3E zkYyiaxXPQleFgWpwcXr/6ylw5WZ5aWJAaU1rtqLvP5aE4OPVyQ+IGfdzYaeMc2S y1sbQNJ+zg+ZB6EaQXA9ZGG/mYE24fQ6mLuN/G51GjmIEIMLIHMSNfwLYgWCEJ65 NcJ5w2+cGRfCETDDaVV5XBG0Rcw4G3VZqvRpFQD7/HdMEQErUzHDjBOYG41wzZmc Pj68jdb0cQQWp1mYS9tvSV/f5HJvAZLmRY4uPQ3BDpdS3wzUl1Zz57ruv7lEq4hU L/L2r4N78kPXav22LtmT7e+XqeOes3oze2txu2ku8UPI1w4FlAAoIE8pNKizgbca HSO7fKxshKa4DWm6Ws+pxX3gd7wgFkUEmd7GYPwAfSzQBOvfyJu8bZvEM/+BK9Tf 6rHbQfI/kyQRO3TZunLgsm0fEUyl5CQkz9elVNyazS82kSXPbEaqxD8WzgSciPpF B5mObQO2ycbCKKt1ujv4o2b8YGWNweqAUxJRPF5ches+ppbiTnbLQXEPi9x0Yhnd rdjwiG8hWlID1k63PVYMbFsBnFfkgwOPiMymHyWYN4Syd9SeqTEqmyzWNyeoGjE4 e7hpR5k+2YCGyVDkRYV9CPCuzQBIGP8GCjfxp5NmDGdm2whovnN0FgwsvF6JQtp/ 5mltmD+ck6i+ZsgThzw= Extension name: 3561ia61 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9DD72A4AD166151F

http://decryptor.top/9DD72A4AD166151F

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\e82686fa553545a9b3ffc1225f0bc5fa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e82686fa553545a9b3ffc1225f0bc5fa_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2080
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\3561ia61-readme.txt
    Filesize

    6KB

    MD5

    a38ab796e67c8926b19507a3565bea2a

    SHA1

    5e6cba4dbf0e60490f34a7f04fdea4f99080c354

    SHA256

    090e600e563c8f3f382031a36f9a4bc37c50db9d64cf783db01d85ab0af1fb1a

    SHA512

    e8877cfcbc06d43cb3ba282eb777c1a6fa8b24e7ac800da2db85a8f2773c4f7b13c42aa59efd6008336c4274c2e0584e98d2db3a7d1e32f4fed27a713d7584ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabD53C.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarD55E.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • memory/2448-496-0x0000000000400000-0x000000000054C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2448-504-0x0000000000400000-0x000000000054C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2448-5-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2448-493-0x0000000000400000-0x000000000054C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2448-495-0x0000000000400000-0x000000000054C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2448-1-0x0000000000690000-0x0000000000790000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2448-499-0x0000000000400000-0x000000000054C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2448-4-0x0000000000400000-0x000000000054C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2448-505-0x0000000000400000-0x000000000054C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2448-507-0x0000000000400000-0x000000000054C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2448-3-0x0000000000690000-0x0000000000790000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2448-2-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2448-560-0x0000000000400000-0x000000000054C000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2448-561-0x0000000000400000-0x000000000054C000-memory.dmp

    Filesize

    1.3MB

    Download