Overview

overview

10

Static

static

10

JaffaCakes...a8.exe

windows7-x64

10

JaffaCakes...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-12-2024 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_c1bd164d64f45a036ef5fa99bef568119d5b4e90bfe9dcc8b89a4019cce61da8.exe

  • Size

    2.0MB

  • MD5

    9628bd785e93046d488fac58f8eff877

  • SHA1

    906f09b48ef0190db2af394c712d8e4fbe6e6ea0

  • SHA256

    c1bd164d64f45a036ef5fa99bef568119d5b4e90bfe9dcc8b89a4019cce61da8

  • SHA512

    56867952350c277aecbd0c4a9d47700d082a8fd4cbad7e260c0bb4cf49a98d36720e16bcd6098043254c48f060e1a37ba594770b1a7a1246d5047b007414c5cf

  • SSDEEP

    49152:2IUWUa9oVgzjFNZ0Weda9oVgzjF5LkzjFF:OWleL

Score
10/10
sodinokibidiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Default\2013g94-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 2013g94. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6C7EFFF2385B9BF4 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/6C7EFFF2385B9BF4 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: G4qaDgo69NnyBjivSea4XXEHIKZZMahJ168EIMGPsagkWA7gjvdtdAzJ1Kg8Gd7t y1GF5kzvO4Lb3j/ogyVJ/giOpp2IPjvG9885bobUN7bvD406uQhsK6Zz7KIV+yvO ryQb6VJKvoVQszqMheIpVgsXdU0GlVQShgiv1b5m7qVQLJodDjijt6fdzJ1J6TiM BHak3qu9BN5ol7PKdOFAmGiyB2UncLJfCn/lIEvWMob5wKJ6HiaI3OY4UI+ZlDTN F6hjFj/Hu3RBC/BVDPi2A/GcSE2aHYYTcdP6J3T+GYCrVJwQWcwHwA83qr+8oUTL 5Sdpw4jwTWWG7g6tfwmKhb3BvM1xODknydZf82oDvXBNL3jDHp9ZHvQPMXctQ9DV qbMDjRvP7sU3snWF8H/SGrg4N43k/oEhVTjhFMmhflRZL7//8V3S6YHUnza+GVAj 0qXFQzHbeW8+sWCo9KhgrtgXvM6OeSiNed/CjZZOjS5+gFlQGYX9QiTwy7sv06+/ MqetA07o2078x54I/Jac9CanAicDPjhkRCli1xFnZz8geu7eC9NiRCdU+1R2oYFp 9H8YuczvsTSZCwemThMcxsu0780LDlygpa8xY2zzW85oUTCZ5vSWfbSHImIimg4Y 7VR9qVhtki+mXXZRlKSP4oiiADYGALfK2RkxSDZJNK0d+Tf3Few/sdW7QDmWF/Dj s7wS4UbUJCiDCmR5jchdbKrcnaeQlpyKFJTj+MQFboFAaycaBPDqbPY3pThW83rs 3ilK7zF8QuRlarg62qGNnmUst1c4eCjJ0pxTOyNBZfRyP1lIp37I6VHq+v7bRs5U 2cy2tI3A0nRzvFiKcZIEDsr7TgXN4Hjn4GpOU0Gslp2eRyLONZigSfACFTtBr5lw +kMmvFxQzkUnLVEQzQU1heVUQthdvuHqDYw8IxW2Qqae62YVatj08DwY1ar1clsb qu+ESfgROpLOgzWaZGGw9qyrNuJjClvCgwnaaCoupBJT/hGyd0Ov7SES7CNu1GwK 81IfJqJgraFT4ezuZ/ouHFnnHE6FJy1dAWTfajk4ii4aTyJDQ7IHKwmVojiUxnSh C63kPS1toVHpJyB5aP839xJMz0rkl6AWoT4JoFtst//czjKvlNxh7PyItWI2INwv MUHTDIhTKhLE58JQ1Wwv9+3bM3tTZTUZQkiTfk4nDHo= Extension name: 2013g94 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6C7EFFF2385B9BF4

http://decryptor.top/6C7EFFF2385B9BF4

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi family
    sodinokibi
  • Renames multiple (157) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1bd164d64f45a036ef5fa99bef568119d5b4e90bfe9dcc8b89a4019cce61da8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1bd164d64f45a036ef5fa99bef568119d5b4e90bfe9dcc8b89a4019cce61da8.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Default\2013g94-readme.txt
    Filesize

    6KB

    MD5

    a56d09f19b2988f0b509aec2a6b359af

    SHA1

    6fa878bca6fcfc35f6e30f55c4329bbc1f6ad445

    SHA256

    17975d2df21276fcc7b32e811cd6a7e44b19d835e6b762866a9420256c6625a3

    SHA512

    3f54e640f1e06382e619c285f85f59ff3164a1c9e5129efecde8aa6009231a7a233e65f2727cdbbb3c81394dbff7caf67e7055fda92e3e81562bdce6b801cb0f

    Download Submit