General

  • Target

    8d7eaf2d466b138f7d3a12d17a1e3126_JaffaCakes118

  • Size

    166KB

  • Sample

    240602-km899agd6t

  • MD5

    8d7eaf2d466b138f7d3a12d17a1e3126

  • SHA1

    f75aee8361cfff77fdd045c32769e385d3e8f5df

  • SHA256

    64f3d2db7a782fef79f46763d4ee2f83de2d656ba5813e3b3d873c17dae3ca2e

  • SHA512

    eb28b302f0a858e636aca5a37897102af085cda436f15ead69761edcaa9275d6372ce1cf1164a45bebaeb68b8022202e0290d8cd0ef1b195f518fada6d2ce18b

  • SSDEEP

    3072:EJMawtnGqtWoKeZC62aoNUSnc6udZxnXa1:+w9vteQJYUocFdZF

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$pXMSB7o4y7CqHM8G9kEHFO6N.RAMZtIF7BamSSn0o6NpdVYHM96RO

Campaign

255

Decoy

lubetkinmediacompanies.com

andersongilmour.co.uk

hkr-reise.de

cortec-neuro.com

abogados-en-alicante.es

satyayoga.de

osterberg.fi

penco.ie

sloverse.com

wolf-glas-und-kunst.de

stopilhan.com

vermoote.de

skiltogprint.no

sairaku.net

restaurantesszimmer.de

qlog.de

miraclediet.fun

makeitcount.at

ouryoungminds.wordpress.com

mirkoreisser.de

Attributes
  • net

    true

  • pid

    $2a$10$pXMSB7o4y7CqHM8G9kEHFO6N.RAMZtIF7BamSSn0o6NpdVYHM96RO

  • prc

    excel

    mysqld

    synctime

    powerpnt

    mysqld_opt

    thunderbird

    wordpad

    msftesql

    tbirdconfig

    sqbcoreservice

    infopath

    mydesktopservice

    steam

    visio

    isqlplussvc

    sqlbrowser

    oracle

    ocomm

    mydesktopqos

    thebat64

    ocautoupds

    dbeng50

    agntsvc

    mysqld_nt

    mspub

    outlook

    sqlwriter

    encsvc

    thebat

    onenote

    xfssvccon

    firefoxconfig

    sqlservr

    msaccess

    winword

    ocssd

    sqlagent

    dbsnmp

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    255

  • svc

    sql

    backup

    memtas

    veeam

    vss

    svc$

    mepocs

    sophos

Extracted

Path

C:\Users\u82yk1-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion u82yk1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2502FDC5F027FAF1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/2502FDC5F027FAF1 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 7j8E10IhTiC6moPO4nOMZGeeKIfWyDO0lfiL756QqZy4PxfU5odWTYgIUxGeVQVN BC5rqeHkAkHk7k4whcyeBLJ/LsM95t10NABv/iOEeN8/mhFZN7IfeyjB/UB2FRW6 Q0XZojlBThZju7VSNQGoMx9GnbMKx++P2OjiuM5FbnmtnQoSexQG5Ir4whwMEv/v oAeuWxcjLA7dJOE/qTvAmMLQlbuLoSnwxR32g4aMAciT6CHS7VJ0oomVq6n6nyt5 zIBt1Lw2cge1KtIi3bdEfhnwtubEYLl4BQgmDI2dHsTZL/k2jNS9zXMXOzI9gzhg MlJFVhZJoFk+uQCOgIfQOM1aMspBblQiQeiLw53EdZc7oSpodeJkQJZlVN1dFi7H A03NbldOFDYN63JbVESvqkYNN6YDWA7d9xFzB4VV2CP0jcYG8EtTYo0TZ2e3UszG OHYjFn3eswWzzsJacw52mmSdvLJpWXQyZwK8moty0JKQL0aIQ5neuKRWE1GvwtkG 0ysegIsZnRMNdlIGwJN2opPK014t3yZgsSyA3ZDIK4V1Gap3tRD4n9YvaWQdokvL u3eJmZLxw39xUZ8qGWtileREGJIFIZOtYj1I0Eo6kytvtu+ZM7qHvw+TEQ8WJslW YfJiax9HKcihvbi7xCw4GenyM+J3Rfwwm/GEvz0mYUXO6i4oGIw7Kfnl35eedWgc 8873SLCIZOzIX1UvAYzrtL3Apdy9iSzDqELdtMCIjN23vPV0DXX6Dhmux/5pOOpz jnR6GcSJzlRTmlAyMD3g+0eIGS8qE//pFEs7VKMT1kh5unA8/uxgqcGqxx2S3HGm LmiAYDK0YJEyduMiyx4/LeTFBshdzLL7SnaReGiJ1YY0AUi0ClCZ4seqjmODPrac ENdS2AhSawkU4t/xeABP4g3gL3nSFcQT2aADz6HJyptEldOkECPwVRjKZAhFVSID 89iRI1DjiwRwymWeD0XAjJLjynugguSSSztJpAX41gYs8GoWoDkz60i3GJ1KSFtn DZ0gidj0vYvvAKlD8VKjvPotMam+Y4QJxuX7WYvUw8nXlA04RGmWVydmTDHXd/YJ Yw5G+QyYHyZj05u0DONlSyEUBuAXasgCzNtWqhLleks2XlhVMWMnZlgDgfbjRIeA IPk5xqTXad2cpcrnEuR/W+f52p/gmbU/o1icjQCLphL/mHq9h9NYm7SAzCl1oB3R pNWgVaadgwTK1/kNVkjqub/AaRC6+U2vkKizVb/J2RTP0Bx6rRkIpKEIGRB6EHig UvrTjhXULDXx3CNKVZr8RTFBHK8dP5jL/loOUKPRoltsKMPUNzXclbXtcsj6FjJb VCFptvV8SDtkc1FlzGl2U0cfpR1Cdg9zb7h99NRD Extension name: u82yk1 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2502FDC5F027FAF1

http://decryptor.cc/2502FDC5F027FAF1

Extracted

Path

C:\Users\2a1d2c-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 2a1d2c. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3757EB65624F59B7 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/3757EB65624F59B7 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: JH5p/u3TOwIYME768rT48pQcRqDDeL9uEgJPMv0QOpaOXvPN/igIGuNPC9PV8GwW BGFvr+HGLkqhwZ0xRPHNJlopvO35aPOMS9msmNvQlnrBwE7MuoigWE6iy5Uc77qi l7iz77aEMhMiFvtSeYkj4E9RodTzj3MnrFy63iai51Q3qfVGdyTR83y4xvl85znf ztai3h0DIZOxW/uOYkIMH4drrfEBLL4zNqIQQ3uyQEkMmiF5xBweMfOKHmNuHc/t Pb8lUYJrQd3AT2+X7svcThO9bxjjk4h2N1rQYgO40wGt2AWbq0m4A8G9ixzsdyfK FozYHZp/POdzMWJSFgvNSC1fBgxH85/bkdvheViaqOfhN51NZxzF7SUptu7WQKl4 Fzqhm5HpcOkIQqANGeQuk+2D1hfBi3FJvXpz6qNzA1LRo5ZqfisZoYGEhcIFCS0y kTvOWkYJG3SaNgRlSmKEzvZ/GGIcl2vAqTUvbfhYVBFlZt1H+k/OodnFflcKMNtT /6lquXy5NVfEZkd9gZMHgFWRVPSig3HcXd3tAeOwzo9f13/wC/gR6HDh4TYRUNbd vMne9/I3hwR3idWDBz0CBfL3hyFkC+KZGdxShc3iH2/Jxbo2M1zxjP1JhaFRzriM nmro9SBSAS3Eih72kug3rFEAxCwgXYrTWbq/x/jdvNND1op/AxbFvjdPC+Eiy0FE msHPZiUpLSsaSuVWkmMkVZAMnKskVcEW+e21WUM/ctDoI/XE0umEtHTQw3Cosyvu thNQh88X6IbCpvrNkywoy/w4eZHGJZA3Ikr9rauaZugl7+t64fM9FFB0XYGRctip YVbgmNm9iwwy1cw9YjD7C3pzdfH5WaWAgHml82pfaA/k/X6GJeMsBVO1DSggPVtK zYITQ10DB6yQwmUlZJBi25yFGyPQG+XYl8AKM5O3zPBM62qN/vekqy1ZftBTUvFy DcFga8WbFXa/F/0M2LHcrB7jKxLK5NqL06iyOKcViCOEayU/yHB4BqK1Q+ud85bZ I/rYAG84NvPd4km99/1x7Oewk/yv1MNPFTBtttCGXYWfnnWKZt6tEWRq+M62xc/r PXKg07Rr126GAy9yuEtQynC9l+eclVzU7jVMAH2KtIVDuYg7ckJnbFGnLWA7pPWh dxIIYuWBWWbubRv0+bL5Sb1IgOHi00GIxrbY2xxPgywmq2B8i0OldeTLsAXWAJZG V8PlMRZ/och4Z1WwAWBnszRr+HQzvApAXq8/JfXBKza+aq5wZ8j6KJ5cjApOcXrA RJiJ1c7Rk4DlbCKVh7dNT5dUnPUjuTJfOHmZj1DpIuteW+Uwd98zMGzr6qZvIJI4 fzcQSSZewqHRr2c6osamLwKvNpt3xccvPuKT6CSU70ol7+b+ Extension name: 2a1d2c ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3757EB65624F59B7

http://decryptor.cc/3757EB65624F59B7
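The Attributes block and the two Extracted notes above are two views of the same configuration: `ransom_template` carries the `{EXT}`, `{UID}` and `{KEY}` placeholders, and each dropped `{EXT}-readme.txt` is that template filled for one victim. The following Python is an added example, not code from the report or the sandbox. It copies the `prc` and `svc` lists, the note name pattern and the placeholder-bearing fragments of the template from the report (the template is abridged, with `...` marking omitted text), renders a note the way the extracted ones are rendered, and applies the `prc`/`svc` lists to process and service names. The matching rules used by `should_kill()` and `should_stop()` (stem comparison, substring match) are assumptions made for illustration, as is the stand-in key value.

```python
"""Work with the Sodinokibi/REvil configuration fields listed in this report.

Added example, not code from the report or the sandbox. PRC, SVC, the note
name pattern and the template fragments are copied from the Attributes
section above; the template is abridged ("..." marks omitted text). The
matching rules used by should_kill() and should_stop() are assumptions.
"""
import re

# `prc`: process image names the config lists (copied from the report).
PRC = {
    "excel", "mysqld", "synctime", "powerpnt", "mysqld_opt", "thunderbird",
    "wordpad", "msftesql", "tbirdconfig", "sqbcoreservice", "infopath",
    "mydesktopservice", "steam", "visio", "isqlplussvc", "sqlbrowser", "oracle",
    "ocomm", "mydesktopqos", "thebat64", "ocautoupds", "dbeng50", "agntsvc",
    "mysqld_nt", "mspub", "outlook", "sqlwriter", "encsvc", "thebat", "onenote",
    "xfssvccon", "firefoxconfig", "sqlservr", "msaccess", "winword", "ocssd",
    "sqlagent", "dbsnmp",
}
# `svc`: service name fragments (copied from the report).
SVC = ["sql", "backup", "memtas", "veeam", "vss", "svc$", "mepocs", "sophos"]

# Note file name, from ransom_oneliner ("Find {EXT}-readme.txt").
NOTE_NAME = "{EXT}-readme.txt"

# Abridged ransom_template; only the fragments carrying placeholders are kept.
TEMPLATE = (
    "---=== Welcome. Again. ===--- ... all files on you computer has expansion {EXT}. ... "
    "b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "2) If TOR blocked in your country, try to use VPN! ... "
    "b) Open our secondary website: http://decryptor.cc/{UID} Warning: ... "
    "Key: {KEY} Extension name: {EXT} ..."
)
PLACEHOLDERS = ("{EXT}", "{UID}", "{KEY}")


def render_note(template: str, ext: str, uid: str, key: str) -> str:
    """Fill the template as the two extracted notes above are filled.

    str.replace is used instead of str.format on purpose: the template is
    attacker-controlled text and must never be evaluated as a format string.
    """
    out = template
    for placeholder, value in zip(PLACEHOLDERS, (ext, uid, key)):
        out = out.replace(placeholder, value)
    return out


def note_path(ext: str, directory: str = "C:\\Users") -> str:
    """Path of the dropped note, e.g. the C:\\Users\\u82yk1-readme.txt entry above."""
    return directory.rstrip("\\") + "\\" + NOTE_NAME.replace("{EXT}", ext)


def extract_urls(note: str) -> list[str]:
    """URLs in a rendered note; the per-victim ones end in the UID."""
    return re.findall(r"https?://\S+", note)


def should_kill(image: str) -> bool:
    """True if a process image is on the `prc` list.

    Assumption: compare the lower-cased file stem with ".exe" removed.
    """
    stem = re.split(r"[\\/]", image)[-1].lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    return stem in PRC


def should_stop(service: str) -> bool:
    """True if a service name contains any `svc` fragment.

    Assumption: case-insensitive substring match, so "veeam" also covers
    names such as VeeamBackupSvc.
    """
    name = service.lower()
    return any(fragment in name for fragment in SVC)


if __name__ == "__main__":
    # The two victim IDs and extensions seen in this report; the key is a stand-in.
    for ext, uid in (("u82yk1", "2502FDC5F027FAF1"), ("2a1d2c", "3757EB65624F59B7")):
        note = render_note(TEMPLATE, ext, uid, "<KEY>")
        print(note_path(ext), [u for u in extract_urls(note) if uid in u])
```

Run stand-alone, the script prints the two note paths from this report together with the onion and decryptor.cc URLs that carry each victim's UID, which is how the URLs sections above were derived from the notes. The `prc`/`svc` helpers are the part worth keeping for triage: anything on those lists that is running on a host is what the sample tries to terminate before encryption, so matches in process telemetry around the time of the note drop are the processes to check for partial damage.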

Targets

    • Target

      8d7eaf2d466b138f7d3a12d17a1e3126_JaffaCakes118

    • Size

      166KB

    • MD5

      8d7eaf2d466b138f7d3a12d17a1e3126

    • SHA1

      f75aee8361cfff77fdd045c32769e385d3e8f5df

    • SHA256

      64f3d2db7a782fef79f46763d4ee2f83de2d656ba5813e3b3d873c17dae3ca2e

    • SHA512

      eb28b302f0a858e636aca5a37897102af085cda436f15ead69761edcaa9275d6372ce1cf1164a45bebaeb68b8022202e0290d8cd0ef1b195f518fada6d2ce18b

    • SSDEEP

      3072:EJMawtnGqtWoKeZC62aoNUSnc6udZxnXa1:+w9vteQJYUocFdZF

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (3)

  • T1553 Subvert Trust Controls (1)

  • T1553.004 Install Root Certificate (1)

Discovery

  • T1012 Query Registry (1)

  • T1120 Peripheral Device Discovery (1)

  • T1082 System Information Discovery (1)

Impact

  • T1491 Defacement (1)
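The signature list above (Run key added, desktop.ini and ransom note dropped, file dropped in System32, wallpaper set via registry) maps onto the matrix entries T1547.001 and T1491 and is the behaviour set a detection engineer would want to catch on a host rather than in a sandbox. The following Python is an added example, not from the report: it classifies endpoint events in the shape of Sysmon records (EventID 13 RegistryEvent SetValue with `TargetObject`/`Details`, EventID 11 FileCreate with `TargetFilename`). The field names are Sysmon's; the sample events, paths and SID are constructed for the demonstration. The note file name pattern is derived from the two notes on this page (`u82yk1-readme.txt`, `2a1d2c-readme.txt`); the 5 to 10 character bound on the extension is an assumption, not something the report states.

```python
"""Flag, in endpoint telemetry, the host behaviours this report attributes to the sample.

Added example, not from the report. The events are constructed in the shape of
Sysmon records (EventID 13 RegistryEvent SetValue, EventID 11 FileCreate): the
field names are Sysmon's, the paths and values are invented for the demo.
Technique IDs are the ones in the ATT&CK matrix above.
"""
import re

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
WALLPAPER = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
# From the two notes above (u82yk1-readme.txt, 2a1d2c-readme.txt); the 5-10
# character bound on the extension is an assumption, not taken from the report.
NOTE_FILE = re.compile(r"[\\/][0-9a-z]{5,10}-readme\.txt$", re.I)
DESKTOP_INI = re.compile(r"[\\/]desktop\.ini$", re.I)
SYSTEM32 = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.I)


def classify(event: dict) -> list[str]:
    """Behaviours from the signature list above that a single event matches."""
    tags: list[str] = []
    if event["EventID"] == 13:
        target = event["TargetObject"]
        if RUN_KEY.search(target):
            tags.append("T1547.001 Run key added")
        if WALLPAPER.search(target):
            tags.append("T1491 wallpaper set via registry")
    elif event["EventID"] == 11:
        path = event["TargetFilename"]
        if NOTE_FILE.search(path):
            tags.append("ransom note dropped")
        if DESKTOP_INI.search(path):
            tags.append("desktop.ini dropped")
        if SYSTEM32.match(path):
            tags.append("file dropped in System32")
    return tags


def triage(events: list[dict]) -> dict[str, list[int]]:
    """Map each behaviour tag to the indices of the events that matched it."""
    hits: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for tag in classify(ev):
            hits.setdefault(tag, []).append(i)
    return hits


def is_suspect(hits: dict[str, list[int]]) -> bool:
    """Run-key and wallpaper writes are routine on their own (installers, user
    settings), so require a note drop plus at least one of them."""
    return "ransom note dropped" in hits and any(
        tag.startswith(("T1547.001", "T1491")) for tag in hits
    )


# Constructed sample telemetry (not real captures).
SAMPLE = r"C:\Users\victim\AppData\Local\Temp\sample.exe"
EVENTS = [
    {"EventID": 13, "Image": SAMPLE, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": SAMPLE},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Users\u82yk1-readme.txt"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Users\victim\Documents\desktop.ini"},
    {"EventID": 13, "Image": SAMPLE, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Users\victim\AppData\Local\Temp\wallpaper.bmp"},
    # Benign: a plain readme.txt has no random extension prefix.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\readme.txt"},
]

if __name__ == "__main__":
    hits = triage(EVENTS)
    for tag, idx in hits.items():
        print(f"{tag}: events {idx}")
    print("suspect:", is_suspect(hits))
```

The correlation in `is_suspect()` is the point: a Run key write or a wallpaper change alone fires constantly in a fleet, while a `<short random string>-readme.txt` appearing in a user directory is rare, so the note drop is the anchor and the registry writes are the corroboration. In production the same logic would additionally pivot on the `Image` field so that all events from the writing process are pulled into one case.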
