Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 06:28

General

  • Target

    JaffaCakes118_7c6fc2ad6eab5a3b5fce9f19f4863840680d2710447c0acfdbc338ecadf88837.exe

  • Size

    1.6MB

  • MD5

    3f5808852f9a24162404b4fcff319a3f

  • SHA1

    36b17224dc6008e7967cd55fcb3e673b4182f8dc

  • SHA256

    7c6fc2ad6eab5a3b5fce9f19f4863840680d2710447c0acfdbc338ecadf88837

  • SHA512

    4e2563fef4e21de42ce192901198cc3bc9ccb95f9b6dcdeed49ba33c1c975b9a95e91aecd100b9bb9d53d9b6a7dbfebc9bb4b67923c5383c290fca8395d4e3f0

  • SSDEEP

    24576:yIUuDpLjyfIY1RUqIIttF7T4KVvojxqk0+/2IaU/VsGRRkKKQBsxG0RkpXA:yIUuDdjJInttFh2wALTFBEgA

Malware Config

Extracted

Path

C:\Users\Default\vk8j9i-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion vk8j9i. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6A50A7E162ED6530 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/6A50A7E162ED6530 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: zOjidxjXEYz6wfWgcrz/f6yirAI6XDburzgVKVZ/iHEIVQMncMVv7kS7a/taz+zO UH9z1EzLpju2fOG4T9hvXbWLxbxWO3klvEysp7lLpSedyu7aNbLj80X7nKZ3qeU9 iKW6jO29yMk9P5FxGl5N5JPfbxw5WUW7xCH+Kbzr3BbecTVjyv5thRRTtYkQ8X3c I/set3+rpbw/KWgEQL7clVrkK0LgBIVhHkJnm6fMNf5+zhnbFdImIN7QM/tQA6WB qpPmAdcsTOOJVwsr/Crbi+mN38//+v9uN8ExooUlnClT75MeQwrc0fO1g+pYVuQ4 p6bu5uJhzY3+ToyH2w8uDSHWWmKTNpYhGZ0Uh79Dt3fS2oEJtSgnK3u1nQkhQkBm aoAVken5WpxTwvXOtSkYloi+U9W1GNcuBI1hnNPc1X+bO23xBCbaxsho5I2bvz5U rHNIBRH5ZVmZX//y+SVMSNsutYWcDTkIDxx2kXRQq/AmEoDeMnABHGC+8MXaLwtZ bEWFPnaAdMsXBB4Ks8Ab0LPe/mF9VTUIQKpaiIilVwniy3V4Iw/ELjXN8NVIyp/5 TWeijuw0c8flIcwe5zfd4OYkn3XL4l7zou9FimovaCwW0KbVcxWm5HIFwN8R7nCK PjxeGKh7Ywmhf9PBkVrSbb3U7/VH/VZHrTXW7NIGzE4cYYlnQQ9+cbhLfDGxkwiR BO9GioOw6tG5FfdwnyEpbbM6NreQQcr/UjKYRMk202l9ZgbV2ynR17qNwNhS7OcF HxHf3za80oittRvUXCQtzjNLyhpDaH0JASppwHIdX+PxWAJn2I+iHOc4h4TW0FO9 LnRkIBOw4Sc1rJK25DPOlBM1MPeyDGqMFRpd9hwSr03acKPEFNxkZYpJd/bxOLLb ATggDWjijxoonSuMb+/XPI+U+O/KUrD0BqED8GZJGOagk+/bDkirIlcaqaVY9kii vIaATijsozE6jUdUrBEDXZCKcnI1AW7YXKgPQZQRGj1O0WzOUW9Q6OLD32wavvX7 JjSeOS9F5xzVadpOefcUGA+jv4CLgQDQvDhhwt4bLr4xgK38jX+2JU40MWpJevI3 gZUO/PT8DXEgbHh4FtDtMwtUjAgvzvlWjsfqvNTJSyAJizyayin4nyWeTChmpf39 /R5BWz5yRHV04rdX43rtOYFPkSiTkeYbqzAE4JSEJ9c= Extension name: vk8j9i ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6A50A7E162ED6530

http://decryptor.top/6A50A7E162ED6530

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Renames multiple (148) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c6fc2ad6eab5a3b5fce9f19f4863840680d2710447c0acfdbc338ecadf88837.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c6fc2ad6eab5a3b5fce9f19f4863840680d2710447c0acfdbc338ecadf88837.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Default\vk8j9i-readme.txt

    Filesize

    6KB

    MD5

    130b63034f7208d5e8ac55d66295c6af

    SHA1

    44185d2f3918955672285c5a53a34d95fb56184a

    SHA256

    958b67faa2f6699ad58002cd874ee88ddf4fb1176faa2af27febdd545124c0f3

    SHA512

    71ccde5b0be8c1ec685348b2f5d30a916b3626b15026f7b4d16c5fb2077ebdebaefdcb2c132d8367042f6771ebd0b6295bcfad78a4ad703d32e588e62a208017