Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 20:23

General

  • Target

    f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll

  • Size

    116KB

  • MD5

    f6cb21f0df5dbb445d8c6692ffd3838a

  • SHA1

    80cf9b5dda4c3c9e85c32b7b1fe06e7f7dff42c7

  • SHA256

    f67864421d6271aa65d39cb68bb836d2838c681aedade4c77ca198d3e78c70fb

  • SHA512

    1fb84fa9c7b8c3f19c8114a51cda62a1d1a3bd5f9d1182bb9a0dd1bcf9b1811c9deb9ce062a953c0fc72553150d136d8efe8866fcb5bafac98de2c2f34302d82

  • SSDEEP

    1536:CPp8kFF4+utlznGEvCrUmUYwGOmpX2yaICS4Aa7AgIiF1NlwSJlzUki+p/34:8vnuGqfGOqVB6Fl17Lz/I

Malware Config

Extracted

Path

C:\Users\61rls155-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. sml.com ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 61rls155. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B6A3C96171C6CFD6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B6A3C96171C6CFD6 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 7kNpuxzEjumDAV+NYOb2DgCqFSbg2W38/Zdn8EqDLRYSu7b4dZgn3CWXKerZLY2S kwgV5jE4B8iHlpCBaDE+s928IgWUijw/ZU0jssz16BLl09ftRVmDB2TK4XAxi/Em D+AIKBmLoLprD4cTbzYlHf7gvCZfJ9a9aLfSytEoC19ebMJSOknhUJnit8pTbIZY jUtjwyhPWUjgDBQkNg2SojgyWLkcOCCuGm55Y7EJMCk3HJaWErGgEknU8zA79F0w KG0rQvgdfwHsGRp+J3vPK4E/uzomm/gsMJHQ43ZBhFZqgAMCQnvM0iWJWJC9eLib 8DeuYUIJ0lGx7mMyZM+/W6yE6f2Cx403oItbjUSIXReQpp/Ok+99y+4N9HBb4GEQ sMSQI1xK9Ts42DixpDz5s4IJc72QVznydTP3Ux+GM43YBnQ/itzhcGor0NISy2ef LL4gT5Ogn3bAul7hWRFhHyR/Jk5j7XRNOR84B/EZiVp0/aMY2ml9a4BWbvpfTmCD eDBs6Su4yO/geF2W6Znk/oPRFERSUVtmlnyMdnTpiH5agI+FmMU9LV8NpYaghtVv VyIIH9Xq1hn4shB8aE+RReTVsIVOtZbTWZF0t3dUpMINE2mF54VyzYAupINsbjNJ qKnbpge94jkwcUD9EPqADJZlnBoAaQiHxljgNIoKpnNa60NMluzsJgSG2Ujb02h/ EkoF2peOJTyR6Fk6DUJvL6FATrM5aBP1kob3oTYO9S8qyAVkpoS1hMWx6+i4at9o 1xWQBQcn7EIawPtS6uvRzfuC+NY3pX+16bng1nIcQ7s6bYn8bH0bX24oyKudJQWQ YU8BaxJw7Sn3EMb9vSRPlXC18jn7v3NGDq4idCcGnqDCZa5JubFgM8VWP5j5zo6p G0Y7NWlsE6dz7v4F8XKYiN+S8FLH780lIiLTW9+s36YIQUqwU5aKB2cZK5eBYuWs yY6jr+gIGeVlVd5RM4ohEHp4vISHYX+UmNgqhonzQYDDDPuhogBQxNw6tZoRewph NUS74fW9bG5QpENl/u9r71+kub9Te45LveKI+2zr4W60wDKTiBi84RO8fmsPNNRr zbrYZXkPmqTszAyYrBvpqslCAnEppI6xzS+1unlhYCXGCailnvwbmCvhwPgakMAz 2XmVKq58E7P3XJoNGAMLodDtprzlb7J7N4ygsxHPmzk/0xhOKTPm+qU0Lf9cQehT kegj9P1HZ51Mp81YrtPhNHzPiNo+QmEX38tujdl1BE/H0ljx4qOb3egOE+jVsUbV K+FDJ7YjR3JTiEYqVEw1C9PxJ+tVc+0zvnJrRJSM1vcFCI225EGK3QNBIuBcVdgH RViemd7iJWwTHD1olFTproNRXqTwGNW9Xxjg358kUiF0JYoqm5n3gFtM ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! !!!WARING!!! also, if you do not contact us, we will start to contact your partners, notifying them about the leak and hacking
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B6A3C96171C6CFD6

http://decryptor.cc/B6A3C96171C6CFD6

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 27 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6cb21f0df5dbb445d8c6692ffd3838a_JaffaCakes118.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4424
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3524
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:940

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\61rls155-readme.txt

      Filesize

      7KB

      MD5

      c4c42b166d9a57622e44d495ff17b8d2

      SHA1

      d0f67f09e0ae277b82c1257aa9a95de157ca6673

      SHA256

      4bcfcd15dd3fa134e14ed53ce6b262e42a56577d874f915177f69cbe78d2d077

      SHA512

      0a93331950ad1173cdf53c75e192a91f53eb8ae7750a4ceee6f82b76611ece6493c7f9e2c5904a9b8180e1d64acc84767c8a73d45e078d7df10a3ee96bf2976b