Overview

overview

10

Static

static

10

ee2ffb5c60...18.exe

windows7-x64

10

ee2ffb5c60...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee2ffb5c60f9963a1551871a392ed0d0_JaffaCakes118.exe

  • Size

    160KB

  • MD5

    ee2ffb5c60f9963a1551871a392ed0d0

  • SHA1

    97ac4115665ee440bdf4f6f171337cc4bc3e07d3

  • SHA256

    b6e27e49d83f82f0feaa1b41d7b8906b9237e08968bb2cd5ae6f4f97b4c9f5c8

  • SHA512

    0eed7a60c0322f19bff85489a972f1a15cacf43391d2f497f0a161bdda0c42ac4e86fe4468ee396079db90414e2aa39c8c6758fabca4d856fe935c88c0f10133

  • SSDEEP

    3072:Kt38mD9P3ILbi4eTMlwDCnumJ+2JzmJTfmWL:KdNBPAbnWJmcfmWL

Score
10/10
sodinokibidefense_evasiondiscoveryexecutionimpactransomware

Malware Config

Extracted

Path

C:\Users\h0f28a66k-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion h0f28a66k. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1596C868AA21A8DA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/1596C868AA21A8DA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ptPbijaeFGqk9WXRpxAjZeP6t5xH9wa2J8dVMb6u1rZxVlvZSUWCLcrI4+hhiWWs FTWYP6LxUDPkBPGyEq8+qoPJ1oqwg8o8Q2I4nGLZre0fboQMXSEHlGcAWui8GlPu JyGCWXlpV+377Uvqm+G7mK/6pM4Otuu32Uu2uaHxosvWeYR88/iehFEPCJpyjPP8 MozpgPaQD8RkxWWhOTy0SREw4ErBC3RJSeqKhsXC5paMIR41VdiqR+Gz522sN/Da OzYki8cJeydhoZHW53/AaBFXp7/Rulm7WsY3OnD1zTqozAf11KYJoSFdWIDmcy2C c3xXdwtuNOBqvwChPRGLOmTjwJ4FEZ1fcq3EtNyG7HG7TBpaKi6zTZAQgjG4GOBb +mP/Vy66k09M3ipdVXuBvVafKqbbS++TCH6Zsjsu66RxBbosvBZzwUB/NjvKGGJ5 AHiUOvZVK+hkaAldGLLf2ku7ys7tCGMjHnGwu77s779SItQrPl2ADO19WUxR5AoA e/TJP23BzLfrJt+dnw7U0L1i/W4r0MsS2JRFbTtD3zrZCMyaTyN1LMkb7GeYBIRI jJrAvnTcDLaj4wp4MX3hMVd8NJLNWTo7EhwbuU2AWg3YRU962XrL62Jca6OrVuNF Q41v5/6kDqAd6QkPCDXb2J4uE1wUV4Ub3RlAbHwjmPDTG2QDQ27so1VXLZnSZzwF D6OCkmBRWjieMZsrf3ilbgQG9FPfIroJE7v3ofvULqHa+dUM2gsPoPSBi2QhFpzz 6YUlxVlOBztYz9Xj4sr9vkEj3oNjAbuf793XZFI1GapMc0xqdgDMkOxPTiW8jzoy d47LhdQwCnvPaYuEyJQLPChE5AXzyvxA9sjent274oXt+sH9VQir1XcONiK4JBbg p9bFNgtm33yHxtFUuaTsnW2p0QkwzewTkSxhDJsbyiP6cfQVeAU/gcmzvkf2ZYpG 6m3DZeaer8cFijPkf74ZoXhP9tF054YHJatRr76AGwOtCYs5QdUansYKfzVoOdAp jmXObFcVZ2VZrPwd/mI9PBVtcPX4ExQG+Y5HIGQ+9V3hae91lBfRmZF20IvvyouJ uY/5WyIRRinV4seMHYY5QzQC4BF55bTlfjypGo1TQiQhR04c6YaLYH94DsF9Dl+W bWN0UAhrFc2NiSjdOCsgiV6FhTwAGuhtH07HN3pu3bK2pSglruTQDDM9cXWDvUvv OgzVBhd4X3yndcXxRNk= Extension name: h0f28a66k ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1596C868AA21A8DA

http://decryptor.top/1596C868AA21A8DA

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee2ffb5c60f9963a1551871a392ed0d0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee2ffb5c60f9963a1551871a392ed0d0_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2856
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1420

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabFA96.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\h0f28a66k-readme.txt
    Filesize

    6KB

    MD5

    b3972a38d38ec975ce2f17c638288c41

    SHA1

    3e09881520466a4ff911733df259f4deff513d55

    SHA256

    1428232297cb2b1296c1bd32b252d20e9debfa791e4e7e8ec94be00a882a01cf

    SHA512

    9ec4dbb18b41738c9dcf9b57a94ea90176d8b3a4a17d130c7592bac8fcea3e7e136be511b5b06f95b0d2cf58e4265c5e003704bc12a44881f849bd268cad4ab7

    Download Submit