General

  • Target

    a055246b0e804eb3a1dda52937f556ef_JaffaCakes118

  • Size

    166KB

  • Sample

    240612-mknlwa1elb

  • MD5

    a055246b0e804eb3a1dda52937f556ef

  • SHA1

    6807425e1252f1154664fc8072dde03558ed35fe

  • SHA256

    a29f63484f53d2cf832b2bc70d6b66378b87b86221f885d0f43166503d631ef3

  • SHA512

    18b2308905d95dff7a2a3e2cd3559325d6e3cfdeb45c48e3fd6df0fdbaee27ea3e191cc344505ad2e32f4136de6c8d2b2bbbac121486002707f1a617e2a49a95

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Q/5iK9kPV/0:ZJ0BXScFy2RsQJ8zg/o9

Malware Config

Extracted

Family

sodinokibi

Botnet (REvil pid value: the affiliate identifier, repeated under Attributes as pid)

$2a$10$EWjSpd.R6SAti4bgJBSw9er8oKv3V7/QblFqIXtPzaY2HzBNCquva

Campaign (REvil sub value, repeated under Attributes as sub)

3178

Decoy (REvil dmn list: domains the sample beacons to when net is true; these are mostly legitimate third-party sites, so alert on traffic to them but do not treat their owners as attacker infrastructure)

tinyagency.com

oldschoolfun.net

anthonystreetrimming.com

botanicinnovations.com

thefixhut.com

polymedia.dk

reddysbakery.com

kindersitze-vergleich.de

theapifactory.com

partnertaxi.sk

deschl.net

gw2guilds.org

smartypractice.com

restaurantesszimmer.de

vitavia.lt

advizewealth.com

edelman.jp

fibrofolliculoma.info

zweerscreatives.nl

almosthomedogrescue.dog

Attributes

  • net (beacon to the Decoy domains enabled)

    true

  • pid (affiliate identifier; same value as Botnet above)

    $2a$10$EWjSpd.R6SAti4bgJBSw9er8oKv3V7/QblFqIXtPzaY2HzBNCquva

  • prc (processes terminated before encryption; entries are name fragments matched as substrings, so "sql" also covers sqlservr, sqlwriter and similar)

    winword

    excel

    visio

    oracle

    isqlplussvc

    firefox

    dbeng50

    mspub

    xfssvccon

    encsvc

    dbsnmp

    thebat

    mydesktopservice

    sql

    steam

    wordpad

    infopath

    agntsvc

    synctime

    outlook

    ocautoupds

    onenote

    sqbcoreservice

    ocomm

    tbirdconfig

    thunderbird

    msaccess

    powerpnt

    ocssd

    mydesktopqos

  • ransom_oneliner (text rendered onto the desktop wallpaper; {EXT} is the per-host file extension)

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template (note body; {EXT}, {UID} and {KEY} are filled per victim, as in the extracted notes below)

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
       a) Download and install TOR browser from this site: https://torproject.org/
       b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
       a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
       b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub (campaign identifier; same value as Campaign above)

    3178

  • svc (services stopped before encryption, matched as name fragments the same way as prc)

    memtas

    mepocs

    backup

    sophos

    sql

    svc$

    vss

    veeam

Extracted

Path

C:\Users\8m50n8o412-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 8m50n8o412. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F9BAD188ABA94200
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.cc/F9BAD188ABA94200
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: lh2mtYU15b66Ld01YUClaNgNouQikUEQK0zlDH5fP10u/0/BPwhnfDWjBt5eoj6A WWbybSrio/VHVzZAaR6LCwrzL7vN6jxZPlJ/igzZGPR53i+kHSUcijJDV9PMYy2W CG0dp+vdpr+cJywWXxPwTeiaM4WXwSZh5bxpJysdFHOLg3EMw3HexmI5ck1sEtie 1bn9Yv8uELglaP3UL1QiP3F2J4XJu5pz1jjT89ipUuXfzYF7K1J3KzGA72IyPTe3 LcTSXJlIUMi6tgqohUtOidL30fyWdhZQXDmvThFKHVl9+0ul2r0E930Lj5QyYwBg s9pcyzvGMNzokc9L8qfQaPELo08K+PkOPB9gv9uwOw+nSnyZxFTuDarJ9D7ouzzg FoHXroCCAZULIX9r1yKiRKaOaukRn+LsH+vKspuDmkRzdlo/+DtYn+kSeDynI3sx ayVAK0tryUuxRVIsHh/bwRJzLx3rGGD5WZqjoExmZSiWq88W5NV6vNpwS2qW47TZ LfM7uOku15uFscnVrdPK+88YzUqh90/6HekO/rVgcH4Jn1zh3KwymAJVg5W+9x3Y DyoLLQZUMuiTD58sf6tV9CyuPo/JJJMcccOl2UOxBDRfsp9fCe4hT4/OUPH6aCat HWMv0N9BDK5gaWxmzNhzsIGCe+ZijJa+T2sMjYljzBijKc8Dc45ItNC71s35/5DV 0ClA4ZVYGTWmIQHeZH0xnCueTYalBJS2MnTzPRMMi/M5ODV7yrIcSifmSRAX7c1X vo1iMzSpJLyl0aUYXcQ0nIstvODnGl2VvfDi9LOTd0rFOCGVOT+v6jFZaTvijmMV pTIOwctuYuVu2ndtr8/fDyrHYqlCU/sUsFpTmtWt3eRr9UskuRP52wbokc6OHcH6 J1lIuHbVTT8/RqQYdLchnCFI8tgbs3UMJGvp5SE++a/tfMHiAgu/KbGqEjsZmlUw MHBeufQwrHZIjzBv7wS/UkeksaBMfCh5MTArJB7K82UEqBFYXcniSHR8fbexjy8O rEpzSOJQDUonn6/V079UdiS4iutjgubocm+p73iiSaKKhZD5+GEERdL/w1k32GDi qC+TE2qkCRADcKR1+TroYOYwJ/EerEMPhxUN29vuUYIBL4kfET7+C8ZXmpgyWo1T UIvcuMgWN8dh8Z2Mhms99hCty7q4LwUjTPEJ2FNDe6+/O9JkkSQkfrx5wzwXKhwH 9PZT2x15aNTshoAACaxkin8vvT+K5+n9QD3TJnqbamjSsKYCZj3GDJjKiaEpPaGo ORICVuy9UA0UocwBYgywOtME3ZWcl4GNmScBmcBHEjMQfdIkapyAzqi/LuTA8SKt GcbJsXzOZYYQGqMf0DRbMQebmDi9+ALnCTATYkWl9QYT/STUU0bmUg==
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F9BAD188ABA94200

http://decryptor.cc/F9BAD188ABA94200

Extracted

Path

C:\Users\h81rf8i99c-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension h81rf8i99c. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E8B8A0C30378DFF8
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.cc/E8B8A0C30378DFF8
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key: wx9vNJ/bPIoKyk1wCRNwf7zwXGe6L/x+LVx3m/KdRvQSTu1eIUuedDtHN3AjR6GK +Qd6MzzUn/rvNYCpxkARYrM0zbnPVPmM/DPYmokYcjsICq1iIOhboDj1Gx06cL6w YLHEqz8LkXVNSuV3FrO2BwuADTOAt/Qfiar9pCRwADqlpJ1xa6UDkz6tREPtpol1 qF3bc8KIIsDH+SaXwH641XOPk3qcT2dUvYjjCX8/N/sxJwXHLpcXiDVAyE6XYlef 6MwKFL5qwLwfg9TJEQNbGcqN6W7fLG5Ka3AKerlryyr9fw+wMnzE+ZiD5gk7y5/W T5vlocKIaQ91YT5wY4kvC0zWF6E96u3nWCh04aabLs4UhN8dp2nDvy3oQV789d4O qh0A5ewAjOz+CC2dtjdX1d/ogGc1HzIiNeUgXzLPl9+y5rX45v5kNyb74fI3Vze1 PxLy233toUAe9wsGc5nxUtFKZINNq8EFaYcN0LwVEwASc2SadCUJL2M72SgGURaX pUjYhES9Y+dTvWcXbTraDNwsyrMrIGXxdL5VtLYmPHvq8ueZ7vR4VeFGI3PTgXov nk9SsgkKHrvmVihSvqKfH4uZr+MlG2WLZBuEAEmAUReh8vXK2opzCqfQtgaZtSO6 MvmXtzfovmfFKcwHIDt8QU/QJmsLtr3AgblYO1PlUKHw7RU0z3hDc2fUmOnIi0D8 waBaH6RaE8NdfhBwinXuBJB29M9VwWZy7HwTpOweobs5GLINJJk56i3MCAvTwyjj ZGwXvofdkTVE+RuT3KaChC2vg+QhhtBorhLp6xOaAuCaTU/rJcS8Oh1099nVMHJc URrMvRw54Q4ttt5ArLIHmrwLXUnz27aa9rAn6s6ZcpTtUX7au81HUv1AVPauqMWJ KSpgjppsJtqJZlA0J7NmpCsUJnBnVwXffYNrC20tuHkxQ9LTmPts5+gtRgK5+wOq PbNDauFxs/zgJ6q1wxWrdlZvawDbvuXA1l5o83jk4WECtFQyu4yKdsPWBhz5sHWb B2qAyidTM3BmOTwTEB0b9PaqObQDrwkp8WgGrX1c2Y6Mdu2YGxSGK1xdeW4uiOyu gXSAkQF1QKytABRqtrEVCcVM+BhacJZkD+l+QIiQpYQaDZbWpVOrDY50+ZKOfXPl RN4dKOCHr5t/lM6bJ1uz11f9ZO3PWxWSP0K9Ss9ptAoRdmy4iNBAMztbzrS2z6Re RveR0WkfX+SVF/lrWo7f94VZfgKIFI3bDm55XHPjN3seasGhKe4fPchYrE5LItuC zDJcAgUqm/LABg30bEaroWIf90sqPwpBbkT3cbHw0bY987k+wf2QFBKN2k8UoRdf 2RLWyu/27hOdao5soNkUSij4jq5X3qD9k2McUOIKKD7lagd6l3b3c9FQRzBLxg==
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E8B8A0C30378DFF8

http://decryptor.cc/E8B8A0C30378DFF8
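
The ransom_template carries three placeholders ({EXT}, {UID}, {KEY}) and the two extracted notes show them filled in per host (8m50n8o412 / F9BAD188ABA94200 and h81rf8i99c / E8B8A0C30378DFF8). The Python below is an added example, not code from this report or from the sandbox: it renders a note from an abridged copy of the template and parses a note back into the victim-specific fields, which is what an incident responder needs when sweeping *-readme.txt files across an estate to pair each host with its extension and victim ID. The .onion host, decryptor.cc and the wording are taken from the page; the key bytes fed to the demo are constructed, and the round-trip checks (matching victim ID in both URLs, valid base64) are this example's own.

```python
import base64
import re

# Abridged copy of the ransom_template attribute from this report: only the
# sentences that carry the victim-specific placeholders are kept, verbatim.
TEMPLATE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your system has "
    "extension {EXT}. [+] How to get access on website? [+] You have two ways: "
    "1) [Recommended] Using a TOR browser! b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "2) If TOR blocked in your country, try to use VPN! b) Open our secondary "
    "website: http://decryptor.cc/{UID} When you open our website, put the "
    "following data in the input form: Key: {KEY} "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!! DONT try to change files by yourself"
)
ONION_HOST = "aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion"
BANNER = "---=== Welcome. Again. ===---"


def note_filename(ext):
    """Name of the dropped note: the ransom_oneliner says '{EXT}-readme.txt' and
    the extracted paths on this page (8m50n8o412-readme.txt, ...) confirm it."""
    return f"{ext}-readme.txt"


def render_note(ext, uid, key_bytes, template=TEMPLATE):
    """Fill the template as the sample does. The extracted notes show the key
    as base64 broken into space-separated 64-character groups, reproduced here."""
    b64 = base64.b64encode(key_bytes).decode("ascii")
    groups = " ".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return template.replace("{EXT}", ext).replace("{UID}", uid).replace("{KEY}", groups)


_EXT_RE = re.compile(r"has extension ([0-9a-z]+)\.")
_ONION_RE = re.compile(r"http://" + re.escape(ONION_HOST) + r"/([0-9A-F]+)")
_CLEAR_RE = re.compile(r"http://decryptor\.cc/([0-9A-F]+)")
# Key blob: base64 groups (any whitespace between them) up to the dashed rule.
_KEY_RE = re.compile(r"Key:\s*([A-Za-z0-9+/=\s]+?)\s*-{20,}")


def parse_note(text):
    """Recover ext, victim ID and key blob from a note written by this template.
    Returns None when the text is not such a note, when the two URLs disagree
    on the victim ID (a hand-edited or forged note), or when the key is not
    valid base64."""
    if BANNER not in text:
        return None
    ext, onion, clear, key = (r.search(text) for r in (_EXT_RE, _ONION_RE, _CLEAR_RE, _KEY_RE))
    if not (ext and onion and clear and key):
        return None
    if onion.group(1) != clear.group(1):
        return None
    try:
        key_bytes = base64.b64decode(re.sub(r"\s+", "", key.group(1)), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return {
        "ext": ext.group(1),
        "uid": onion.group(1),
        "key": key_bytes,
        "note_name": note_filename(ext.group(1)),
    }


if __name__ == "__main__":
    # Constructed key material; the real notes above carry about 1 KB of base64.
    demo_key = bytes(range(256)) * 4
    note = render_note("8m50n8o412", "F9BAD188ABA94200", demo_key)
    fields = parse_note(note)
    print(fields["note_name"], fields["uid"], len(fields["key"]), "key bytes")
```

Because the key regex accepts any whitespace between groups, notes read from disk (where the groups sit on separate lines) and the single-line rendering used here parse identically. The victim ID cross-check is cheap insurance: a note whose two URLs disagree is not something this template produces.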

Targets

    • Target

      a055246b0e804eb3a1dda52937f556ef_JaffaCakes118 (166KB; hashes as listed under General)

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry
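
The signatures above (Run key persistence, wallpaper change) and the prc/svc kill lists in the config translate directly into host-telemetry rules. The Python below is an added example, not code from this report or from the sandbox: it runs three such rules over constructed Sysmon-style events (EventID 13 registry value set, EventID 5 process terminated) and System log 7036 service stops. The process and service fragments are the prc and svc lists from this page and the registry locations are the standard Run key and Wallpaper value; the host paths, the Run value name "SysHelper", the timestamps and the thresholds are constructed. One simplification is labelled in the code: real 7036 events carry the service display name, and the constructed events assume it has already been resolved to the SCM service name.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Kill lists copied from the prc and svc attributes of this report.
PRC = {"winword", "excel", "visio", "oracle", "isqlplussvc", "firefox", "dbeng50",
       "mspub", "xfssvccon", "encsvc", "dbsnmp", "thebat", "mydesktopservice", "sql",
       "steam", "wordpad", "infopath", "agntsvc", "synctime", "outlook", "ocautoupds",
       "onenote", "sqbcoreservice", "ocomm", "tbirdconfig", "thunderbird", "msaccess",
       "powerpnt", "ocssd", "mydesktopqos"}
SVC = {"memtas", "mepocs", "backup", "sophos", "sql", "svc$", "vss", "veeam"}

# Registry locations behind the "Adds Run key" and "Sets desktop wallpaper" hits.
RUN_KEY = "\\currentversion\\run\\"
WALLPAPER_VALUE = "\\control panel\\desktop\\wallpaper"

# Constructed telemetry (not from the report), one JSON object per line.
# id 13 = registry value set, id 5 = process terminated, id 7036 = service
# state change with the SCM service name assumed already resolved.
SAMPLE_LOG = r"""
{"ts": "2024-06-12T10:00:01", "id": 13, "image": "C:\\Users\\victim\\a055246b.exe", "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper"}
{"ts": "2024-06-12T10:00:02", "id": 13, "image": "C:\\Users\\victim\\a055246b.exe", "target": "HKU\\S-1-5-21-1\\Control Panel\\Desktop\\Wallpaper"}
{"ts": "2024-06-12T10:00:03", "id": 13, "image": "C:\\Windows\\explorer.exe", "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"}
{"ts": "2024-06-12T10:00:05", "id": 7036, "service": "VSS"}
{"ts": "2024-06-12T10:00:06", "id": 7036, "service": "VeeamBackupSvc"}
{"ts": "2024-06-12T10:00:07", "id": 7036, "service": "MSSQLSERVER"}
{"ts": "2024-06-12T10:00:08", "id": 7036, "service": "Spooler"}
{"ts": "2024-06-12T10:00:10", "id": 5, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"ts": "2024-06-12T10:00:11", "id": 5, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"ts": "2024-06-12T10:00:12", "id": 5, "image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"}
{"ts": "2024-06-12T10:00:13", "id": 5, "image": "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"}
{"ts": "2024-06-12T10:00:14", "id": 5, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"ts": "2024-06-12T10:00:15", "id": 5, "image": "C:\\Windows\\System32\\notepad.exe"}
"""


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _matches(name, needles):
    """The config entries are name fragments ('sql' covers sqlservr, sqlwriter,
    MSSQLSERVER, ...), so compare as case-insensitive substrings."""
    name = name.lower()
    return any(n in name for n in needles)


def _burst(times, window_s, threshold):
    """True if any window of window_s seconds contains >= threshold timestamps."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > timedelta(seconds=window_s):
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect(events, window_s=60, kill_threshold=5, stop_threshold=3):
    """Return (rule, detail) alerts for the three behaviours this config implies."""
    reg = defaultdict(set)
    kills, stops = [], []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 13:
            target = ev["target"].lower()
            if RUN_KEY in target:
                reg[ev["image"]].add("run")
            elif target.endswith(WALLPAPER_VALUE):
                reg[ev["image"]].add("wallpaper")
        elif ev["id"] == 5 and _matches(ev["image"].rsplit("\\", 1)[-1], PRC):
            kills.append(ts)
        elif ev["id"] == 7036 and _matches(ev["service"], SVC):
            stops.append(ts)
    alerts = []
    for image, seen in reg.items():
        # Persistence plus defacement from one image (T1547.001 + T1491); a Run
        # key on its own is far too common to alert on.
        if seen >= {"run", "wallpaper"}:
            alerts.append(("run_key_and_wallpaper", image))
    if _burst(kills, window_s, kill_threshold):
        alerts.append(("prc_kill_burst", f"{len(kills)} matching terminations"))
    if _burst(stops, window_s, stop_threshold):
        alerts.append(("svc_stop_burst", f"{len(stops)} matching service stops"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(rule, "->", detail)
```

The burst rules deliberately count only names on the sample's own lists, so ordinary logoffs (which also terminate outlook and excel) need a tight window and a threshold before they fire; tune window_s and the thresholds to the environment rather than treating the constructed values as defaults.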

MITRE ATT&CK Matrix (ATT&CK v13; the number after each technique is the count of signature hits)

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 3
  • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1

Discovery
  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1

Impact
  • Defacement (T1491): 1
