Overview

overview

10

Static

static

1

JaffaCakes...19.exe

windows7-x64

3

JaffaCakes...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_22ced8b16c6dc02cb7556a95112a3cd070983f455688039e0a65a88d1053d319.exe

  • Size

    787KB

  • MD5

    b3193c102b6c328b8fea5889da929d5a

  • SHA1

    ff87d1921436f849a95d9b0d9f7956e82e400882

  • SHA256

    22ced8b16c6dc02cb7556a95112a3cd070983f455688039e0a65a88d1053d319

  • SHA512

    1471931bec9a8ff2c0fb1b15841af639519e99e33d59bad7eb46edd57ed05204371329e448185b81824e473dd3358862e8626176b69f7ae32251c61dffd25592

  • SSDEEP

    24576:lXRd5ZZ0WeqLkzjF+4LZ0WelLkzjF+4MLkzjF+4jZ9:JRd5ZZ0WeqLkzjF5Z0WelLkzjFCLkzjn

Score
10/10
sodinokibidiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Default\0uvcq6984-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 0uvcq6984. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/91E500EC13E99128 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/91E500EC13E99128 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: wGohlV4m6drRZ8lMYJFFR3xVbptRJwaQHamM5QD8vTdfGehEg/0Th8F9jb+HdkzU oRksUvg6oAZzVq8cyu2rld293043jjgKoWO7MyhM+y8HxwOJgE5vKeXhsX+mtu7i AwT2kbKhnpgxo9ZwMkfh3euq3wC0nLtm89MDO+WaqDOsNA6fd1frizHJx3H3V4j+ 41efsXJatUe+DZBv05ARv6/ZRGff9c9LNDEpd6fI/uhiIVplRRRFG49OWWHY3i01 KiLGd/CveW7vNcnKzvBWsGztreKiRQN1aubUNqsrKcr14nkgB24xBdpjlFWQhG42 kYaLJEYca9D7fYKbo1HHiNv9gkeNyOrz8y8WSXrHBAweDd7/EwU8eVvrUIMCBTUw SksGSqUHz1zlb/Wb/rxsGHACg1TCyOhhifrwcmN5Yw0YQBnsjT9DXbX78/wv0r7A frsu31+8YclsIBRsb9fqfX81lzrRDToRDFTNjuM0CuBjroIFX6NpYn1dYoQijwhy 4b1viiWVlgrltEHenXGpqzBCC0GdZktqb7qg0mILWsZaM9hwC7pOjMaKpuNZYgVJ 1MRIEMrWEFaC2zrootJGKQWCZTlJvadct+NUDYLS2jMykI26UbxxJGK2kDa8MKkF k1k6ko2We/Mdb+f/lHn7Ml8L9Km9JH/ljJPOcaE7Wav60gUSg2ZR/EZZbDDlbyTt NX7FWCspzkAKakOMjigHDu2p4A7DtOdFE82r8/PQNf/td6T3fAq/Vx7R5am9FJFS SkTGYnpklv1fbhO9+kP5UcrsQj4R2lfYHBcjSfqN3uLylGre91UlzPFNkb0GcZ6U wFsIB7y5VXOuXIif/qRHfcWA1pbtw1efnMG0sEttfRXgcii0qV+ODFoG7tEYYTw/ LTG/2EwIk5wDetaVkasJNsrURd/4AMzPJRE0j8ka4Iwp5xl2khjhVOxiAFdLoecf aaGw8zi2KN0zv0/OUHHhEvV8Zs7rEeNFmCr/bB8GabtoPx5+w/jeImtDgta642u/ fR+PERboIIIsMChp2WkoHI9wYTeSesYjXcxdVSZOguBppqT8hjuGxSREDATpNISQ AFK4mLabFPZxVldOv6gw89d6x6/Eeg8nM14eLUMoIy/0lBQIXdaOEkTkvBnz+FOF 7Cp6O4CzxtHS8H9aDZOm7KF4qOc737xixWhydTJTon4= Extension name: 0uvcq6984 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/91E500EC13E99128

http://decryptor.top/91E500EC13E99128

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi family
    sodinokibi
  • Renames multiple (149) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22ced8b16c6dc02cb7556a95112a3cd070983f455688039e0a65a88d1053d319.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22ced8b16c6dc02cb7556a95112a3cd070983f455688039e0a65a88d1053d319.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4056
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1064
      2⤵
      • Program crash
      PID:4932
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 968 -ip 968
    1⤵
      PID:4784

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Default\0uvcq6984-readme.txt
      Filesize

      6KB

      MD5

      852c154106cca22fcb4e222341c56df3

      SHA1

      5178693ad566f3013a749b7edd61702410ddbf97

      SHA256

      6da1dfdecb44b93bdece45bb8e5f204b0a8843d53fe3778f09e9ec122056bc71

      SHA512

      bd200f2b05e1bcfee42c0c401503ce86d2d82cf6535c6b87ff59b82af7854f0ec0c0585808c58634ed1ddb954ddccc11272dd7b7b408c2989f5b429bd96426be

      Download Submit

    • memory/968-0-0x0000000000401000-0x000000000040B000-memory.dmp

      Filesize

      40KB

      Download