Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 17:10

General

  • Target

    aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    aad705e43f95a736d120d1a8cda30519

  • SHA1

    be7106e9066e12276d0e1c3504eb5d46a6edb296

  • SHA256

    a801a78613cbf86186b524c19f7631a5e4571e94a63df867635602624643d362

  • SHA512

    455ce98a3e3c5c4be3a1c5fc0239467e0447049e218eb3175814246cedc042bebf4bf66bd90393f544d22e75975fadca17bceb7985af7c7591a8936be1c713f4

  • SSDEEP

    1536:bs2B7p26CaItF5gNHhKWluLpWmRHICS4AH3o/qTneyW7ZZOBml2uBbKbxoVgAy6o:9fg0NBlu9CNTed7/kBazzFbULA90kY8

Malware Config

Extracted

Path

C:\Users\34583-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 34583. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9C7DCFE39887C281 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/9C7DCFE39887C281 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: JzWyOWeZncxCY3y53sLpLcGb2qbvlp0cUxYtlC2rkLMUsXibuS1yibCrEek64YCc saXk6s0LxcjR7gyi4j6pd/oBDO50RWBbHh0UZoqvI+R8TmfpUylCYFw2D6MiNcFS 2e+pjJCdbtd58P1+Kdg/zbaotH/a2xfMywhWqXTIQBzkI5ka/3msO3Iz3uof+auA 8/DiTWOXqmOyNsfcVWq3UwXKtH3F8ubabSU4EOSrJA07PNYR+ja2yKF0mMeodFy5 49xKgEfcjMWQcUShm8EjOGDZQa+ELtIN+rr1O6MANKWuuSUr4iaKzQ8v1PUKtTIJ ZHnOuPv6pRpTF41Eqa9qr2pNJFdXi3Y4X9stjslq8n5C3MLVQziWgp3fisWdesPh ucM137wEYb2Ndc7BFNlkQ0WMM08SbOTkaUGaf1qrgAM57eTXfjHJRnXIlxT5vj+M 7IrtPfvj54wUPOLMwqD82oFG5FgYEuJA+uOgxpoR42ziYvYFHqPzxIKgcICkvyZZ HpN7BP53Ky5P5fFAL7BUhHA5HHm37L6adW7MNfPx4E8Ryh60fDndVy7c+CoA+gCZ +b/Pto6PnSMG0DOnX43m7XLiGu2oWzADTEqvgo05B1yRpaw5jRNnvekOecUOS+kg Hcp73DyQCet0kkU4TEpsmuEuKNuv/Um9/5jlzYjHJxFKRCq2Iv0maU+QfMLNz9WQ Sv0XHpnh2k3B6jBnONeiQWaSCVja8IL17o19d6aJVSBop/Bm+I0BFFXMDwpq5Ws0 2h0RVaOWfeRwU9r0S5PPh44mxFnWEHYlHU11paeXJ/hfLwPc+fP3p+QWPXpZOdEh UKtjcq1mPDDCTAqXYLRKgbaHHDsa+BvCzTtLYBkIS4U7Fbcya80rM4VJ8uDoFG1b Y7bg/FXu1xDucxCKO/QhYp+x7tnxv0qUaDaTGhOLkKIR2dculd3J0np+wI991/9q HrMBBikQuVYPAq8KoQUm/URLw9KhXjR0zOlQ8JQSJFKZUwpIVPbNwlPsv/omKDaC zzT+c2D9qx7Zx0BFDNTaFsQkE5U5Rm1wiuXrKgvgMVbzsy0D3MWxPvZ/UAQZsTVX uIx697o3YsRz5TLnj9fL5cNClLcEbD9UQ5RiBF95EGYPZXX+juiqG6KysJgkF5Fj TsZCbODzCAKhSWfW8fcSMoeDMn3WcHzE01XjhKummRY01roNl8+rWRLMofRGqa2i Hq9t+frV4EQnN6G3 Extension name: 34583 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9C7DCFE39887C281

http://decryptor.top/9C7DCFE39887C281

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 29 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\aad705e43f95a736d120d1a8cda30519_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:1432
    • C:\Windows\system32\wbem\unsecapp.exe
      C:\Windows\system32\wbem\unsecapp.exe -Embedding
      1⤵
        PID:972

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    Modify Registry (1) T1112
  • Credential Access
    Unsecured Credentials (1) T1552
    Credentials In Files (1) T1552.001
  • Discovery
    Query Registry (2) T1012
    System Information Discovery (3) T1082
    Peripheral Device Discovery (1) T1120
  • Collection
    Data from Local System (1) T1005
  • Impact
    Defacement (1) T1491


Downloads

  • C:\Users\34583-readme.txt

    Filesize

    6KB

    MD5

    d6c1f20dc0618c5b4d781b0d2dbc86ce

    SHA1

    871aea1b27a2ded05e4a1bfffe5e9ea87b732c1b

    SHA256

    c0cdfcc77f096014f634b4e9afc481a864fa21b66f2a7165e7ec380303fb663e

    SHA512

    fbaf96e30c18e26fd9d3b45fec2dd9123a15673e2b962409463c8bfa749b64bcf6a0e639c2452f2e88e6f0b35e5cf6dc299dd14e2ca371edeb1ed48a1585bc56