Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 11:05

General

  • Target

    JaffaCakes118_6c1245be0cacd3a2c296aeac93bd3a95debfe1497fd23f91d6a2179bf8e1a32a.exe

  • Size

    561KB

  • MD5

    ea5d24b9bdfb7ea892b4ff16bc2c9d42

  • SHA1

    40717d8266cf429ddc7df3a29248ef3bc8678a44

  • SHA256

    6c1245be0cacd3a2c296aeac93bd3a95debfe1497fd23f91d6a2179bf8e1a32a

  • SHA512

    fef1c194135b4341da580de14d66d1cfb5b0207f5c57aa8bedb5f2f677c1dc913fb450a89de424d093da8a60c422af4aa4f189a95aa825e6e7c84e28b859f547

  • SSDEEP

    12288:PIUykkZ3UdvReTV6dtXyLkzjF+4AYdvReTV6dtXyLkzjF+4AWLkzjF+4Ay:PIUWOZcLkzjF+4XZcLkzjF+4LLkzjF+s

Malware Config

Extracted

Path

C:\Users\Default\7ssxt7l5ts-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7ssxt7l5ts. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0F9383DA77A7063A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/0F9383DA77A7063A Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 2+eiLF8DmJ5y8LH5Dl1F0uszW15+RKd+uThtWM6vMdVi0KGLRYyuyspkmi3Gju79 wziajhkuD+7AJbXSs4fdONGf/jHPSmEvMvFHFnxUUzuapIY7o0WT9MH00gDYjO60 NmEy/fWYJpxqRDvjhBB5SdErNFpqdV03lcjwBnCe9rm5Q2QvfDSIgQFLkcEx4iLH K1bMQgyJZDwQHwBnSmgM5BXgWxFhG7kuHQPugBWKQ5rWQjVywq78wcKV6Xo+DZnJ xoW2BvYx/eog5lFWBkl9O9uVql4CwUM7H7uu/CeZaC8H4CsoOynS75d7YICs3tKS 8+nawDhMLiCUuO18S23HYH0NZhKN4UNS/U8o8poAXVt8Ny5lZ2m85o90ode3AVQp rm2YY28i6Hup5NmJup5mU/WBb2gfJAvW6lb3oJIcgBGwQNsTkqMIhEbqyH8JxYPa HxtQX7zmKDn+qWes9IaNSJ5CzMnYCyiy7sRdDfipc0SCgM3etWeIOnXfZv+GZWXY 3RNG9cZGDd7jdeBf9N6x010UibdBJPIaV6ewWba7juWOmh285XtjMfHGa8skSj56 WQy1DqFJ034t+ecL9PQWEm5acN1hCEjAfVmbu1TJ0vaJ3EOMMLVwCoy/nTfLulxZ H+DExbAe7KYI3N0hZKkLC2uk+hYBzom4QHGNa5oNOFGB6PN3zz6/yBSl9lqeaM63 boxslRMfubfHCruSm8Lk+1iHRuNGviHvCtjq4tMfF31iyF7W+3FLPHfwfF4x68t9 RAXvlJk89vHs8LQAxuukmLAf6aDxpI7A9Z95VVi6rTmUYwkDaciAlQx1dEkfw6GN XdgHK03cvhZFSB/CWkB03eKSwZqZm8lGwn0IsH2Wzd1oeDOSXzHcAadB2s7uwszX P83ko7x6nRn0rqu+tc5o0Has/kSMp8OzUx1sFCyhZrrtYK0rhmYLriO4KW6tkbol nMF6r7Zxr+n7Pq480uHE5oKDhs9uSzyPDMMo27h0Bt4xjxvqohyJoWmAHTZw02Fw blgA5oSGxvk7zZkIHinzcPB7Jx7XUJ5yQrRRSB7aLP1SpLnNGPqCJAQtH1eQzUa0 jZQi10MQJlBC+WYtVx7ecy4pZK6C+7lzFQydPDdNdf9HFX7tGl3CwblyIU58y1c4 2enqI2oj2rqfwRBftEKNjj0PbITyrlyS73LbRZZBj6k= Extension name: 7ssxt7l5ts ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0F9383DA77A7063A

http://decryptor.top/0F9383DA77A7063A

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi family
  • Renames multiple (172) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c1245be0cacd3a2c296aeac93bd3a95debfe1497fd23f91d6a2179bf8e1a32a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c1245be0cacd3a2c296aeac93bd3a95debfe1497fd23f91d6a2179bf8e1a32a.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Default\7ssxt7l5ts-readme.txt

    Filesize

    6KB

    MD5

    ae6efdb81deeac69a219825c97552c8f

    SHA1

    ce633abae12495889dc3cae277e69309958c42ec

    SHA256

    6c9219f03d8b9b4ee21ea5bb7368df4fca9f2cba90f9bcb480f7ca8c87636488

    SHA512

    6ee93d172d286519da8b4b7b9610d908b7760cb8c358e3a7e65a5e20c27b20f1cae27305bd2d07c6b6b09f5b3cffc5d281f1a811df9b3cd58329b707cf4944ae