General

  • Target

    ab8f4c4066dd0eaa61d6a1e32d0312d9_JaffaCakes118

  • Size

    166KB

  • Sample

    240614-1dv92a1ajn

  • MD5

    ab8f4c4066dd0eaa61d6a1e32d0312d9

  • SHA1

    d649f611ede50ab27e1856e17c0555158113fab4

  • SHA256

    d72293344521c9740801788c0155ce0ad33e89cda85776554a88f73aa9ae200a

  • SHA512

    dd1901a904c40a81922880f2a34c622d8dc0558ecea3a6f3520d87b26172cd784a0e3953d34948a9fe6b7ff46115be6fddd086655b4e76dea536dd8fcd0f5ace

  • SSDEEP

    3072:MJMawtnGqtWoKeZ9fh1CgnNto6jfP0rTNIBSV:Ww9vteqJggn7oUfPku

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$oUdKsLOfGrvKf5iBJc.5j.xySAfweqjJz5B2WK2v4dJFOQZItmOH.

Campaign

3754

Decoy

durganews.com

waynela.com

strategicstatements.com

dirittosanitario.biz

dramagickcom.wordpress.com

edgewoodestates.org

the-virtualizer.com

bee4win.com

platformier.com

berlin-bamboo-bikes.org

zervicethai.co.th

body-armour.online

stampagrafica.es

geisterradler.de

ikads.org

zimmerei-fl.de

bbsmobler.se

turkcaparbariatrics.com

besttechie.com

parkstreetauto.net

Attributes

  • net

    true

  • pid

    $2a$10$oUdKsLOfGrvKf5iBJc.5j.xySAfweqjJz5B2WK2v4dJFOQZItmOH.

  • prc

    mydesktopservice

    xfssvccon

    encsvc

    outlook

    mydesktopqos

    powerpnt

    ocautoupds

    isqlplussvc

    sqbcoreservice

    sql

    steam

    dbeng50

    ocomm

    msaccess

    thebat

    wordpad

    excel

    thunderbird

    oracle

    winword

    mspub

    onenote

    tbirdconfig

    infopath

    dbsnmp

    ocssd

    firefox

    agntsvc

    visio

    synctime

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3754

  • svc

    veeam

    sql

    backup

    vss

    mepocs

    sophos

    memtas

    svc$

Extracted

Path

C:\Users\b0729a-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension b0729a. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/037DF09FE86CC872 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/037DF09FE86CC872 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 93jkpLXjKDNvR69Km9vFdXwfOlokEjOlifQCInB+YUc7Ax16qkb/kwHvCylO9zUs gS70qq8rDiSjO3FIKJm7VXKzbAm/nOnnN0ErIpvOH2Dy8ojsJROJbiVXO/aNJQ88 TYVBfUxlDkczHx+FmH0DRX5n9Q+kN9NaNL8y2ypmnL7oLWVB9+nrB8W507WqL4lS RfGo8avyocL0SZyQOonO88KxDDCLiEXj11N2lYh4GmKByZW07pbqMMl5TzL8Mbno hd+NS7yBtGxwV0HDIV8HdOf3n7JPd568iAOBhVwv2HNLAQ2j3nJ2FRHQi5TzKwve qITAXUZRalb9StqorPhdZ3PpGncZuTtkd3zhycp/3V4ylpEmQKY4uiSX3LCh6lky EOJFQ8BzMFjlSPdB1otq+7vhghX4U75Bf6mQRe39oR+3CjAWdF04kUJPqHEW+h4v 8LkA7Irl6DbXcf4afnN/Aqa7KBbCtnDWmpRdnteHKsQlNueCh43zhBbZ69DEfWP1 CmBHaqyoYLuwQhROAySj3FU3kwhPUCZ+op4g8oUJVTTUmIgeN+vCUMsB8g8M3Afr V5GWik2d9RlnWRztBYNcTkpUdtt2WV16xjMjtPxxMPhbj2HvpXNoAOYdMd/qqFhv pRTKQGpvjXDb6tmBV2/yerpMWgpX/Lj51bjr0WJGj0m4wdHGab53iJVPG4y6w0vt r+NjvJ8Uj/gc6mpbBbMuT0AnyOGxRyVwPtJRg0+xYVJ/8v82vXC3zP1QSCVU6Nfo o5YylNz+aJujxNU1g6HRbvHlhw3rliaFC6w8pumKMWZ+qwAome5NJUcIXRcAr7Rm pmpvO11q9g3RLPMYi2W7MJsFjmWsbC0g+nmhMzhCIop5Xs1hp/aiMm8mY4Nh8c/I dBURIsG0FNslBAKLxWwMm5FOsSAwwXieuHWOmsXLZXgXZkIjdGl8xPQe9zmQPJQj IFsB/oXWWiJQG3IHUye4+x4Y+mfUMPmj8SFnloq6O3cq6zyvIYoi6OqOI46ilcLs aiN0XtaBBXGSFP9U3yazNj/iIREVL2Ti0Wr2nTAJ7mPmtwh8/Z6ihQnitMKynPDb u/WXs5tx6KNMLQi8Avn9n8JKdvwacyfCZJgkItH+rOGz7CVEKGcR4Y8VkZQ3sicI yTAh+7GJlLaIB0pD6IXjbCKCOFkSIGnqpRWV9gpVQuVPy4jfgTs+MQpekngHR3HI i+Qfrtna/0ELzVJhdsJG37mkQRe/2SNdjnN2TWb8qIgVJmBME2CpFbwgRdWtu3p0 8uQ+gc1a3nA4WEcdkXCNpJrdOEBMd27vhv4DyrzNN0F47XzG+gl116/uw5HC4ZRd /euOXxk+0GDcHq8YmCm2YN0pcr38a58AEPYcRZhH7sk= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/037DF09FE86CC872

http://decryptor.cc/037DF09FE86CC872

Extracted

Path

C:\Users\k8g31t-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension k8g31t. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/04A8BF3770A9366F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/04A8BF3770A9366F Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: HvUZPoed+5xsXGP0dWj5rQpo17e2/9bRe7WjzI5GvsgYg36rD3rQQPQgHOsgAL7M BGycqzeX1bYhlBb43+vXA2ykOZF2Q9Y3fr+DQr9BcqIQ+BG6tyQrzVlk3NBdPBCD SN9sKlJOqNA/gN/N4bvXmIG9opNIqXPE7vQ9E2yoy0vyeH4kjTOv8DksxaxPnRze tfe7/bDlOlVLaaqthUg5rMXSqTapssFp6/996FbAWTxe7CmqwwBUdH5xjlvuLZMy E5md61xIJt0+W5vjVN7Pu1lsvqphM68PIjpgrjLyDS2FJkdVBKjdpQAYi5xen1DE WOTsLQaWd2+bn94hEHBEnMAt2M0O5eTyTxstyXexTGRwCLTvFaa2HzHIEtnha+PC 0jlcbLucKrJ+iYIom2b8a3ajPrg2gIv2l2tCkVkFOOT4ChQw2HVvJivHuhFkNt7+ g9YqTPFQpop9YAkwxjIiDgm2IiuLa4rkteJ71KDWuwP9iiAWV75Gn7DlJkYv47Mf sHfNspEG0Uv3+GnHKEiKp1UUP4XUmSdF8yLCOneFXmb4IRLwOze0Lt8akMNwfK7O oj+XgHQV0qj5LqXSDofBSWXXnKWLUrE53+iHQmxZc5lRnLtJHlupi3hmsBDtrRz2 opOa4Eyk/il7B9V9nBhcTEe3ddNMfF5K3WpWLlkY+peTAYWiqgLKRIqT2S7XdL89 XAUphmKu6IUR5K1787UaUQ2pucGzsY8c/BSozShO+VkUqn67C7Ke2SW6lthUu+0i CHOtW1pnKlvJo5fUGosPZ6k0cCZB6FYwDD10R5XgS0PNAbvAsSr2573vRXh47UMm GCy9Mj0W9lZLUHoIruuZKtyvIt5+XK3A83eGJ5cUg72ZnYwjRne4xfGvcgfvKlqe prGaCH6rkIF63xPn7xNFH7vn8EEddrvjPFzzm8LUI4lgOpLjdQwuPEBqQH5lf2XD nJwoEoGG0RDac+ZAdHFbVMXgUokQz/YYhyKIsMyeu+VxWHxL/AEr5pgIXd8kLEo8 oAvPwA+IALa1umcQZmiFhZyM6oDXhjKBhNeUWfI9oRONDIv5GnRACTK+0nhTlO1L sRedg6WljUZ1rrXwJq9/6yhRIiqsGg/aDcxoQCwC/33zGCIKPQccJM2wQ8gS7Pr6 NTLD7OUqQuWQQcwXP+MqjI1VpYHXUgwzffnGpKMYgs4OdSd8ej/keFbNvQ4tYc02 l4Rv4ur7XhBhdh7x+tKYXH2FD1WlU4N6eD+vnNz0B/I7ElA9jcfvTSzKhSaxIeq2 JDJ9M4mOyYlVxaVsRJOrhRdN4IRczNX24IlKkgTCJlY5fm3eVDfpZfNywsQrJNBU cs9MHVx18QRI+8R568Fq6VpBQpWVnBxKDwdpdThK0xmi4fvXUIs= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/04A8BF3770A9366F

http://decryptor.cc/04A8BF3770A9366F

Targets

    • Target

      ab8f4c4066dd0eaa61d6a1e32d0312d9_JaffaCakes118

    • Size

      166KB

    • MD5

      ab8f4c4066dd0eaa61d6a1e32d0312d9

    • SHA1

      d649f611ede50ab27e1856e17c0555158113fab4

    • SHA256

      d72293344521c9740801788c0155ce0ad33e89cda85776554a88f73aa9ae200a

    • SHA512

      dd1901a904c40a81922880f2a34c622d8dc0558ecea3a6f3520d87b26172cd784a0e3953d34948a9fe6b7ff46115be6fddd086655b4e76dea536dd8fcd0f5ace

    • SSDEEP

      3072:MJMawtnGqtWoKeZ9fh1CgnNto6jfP0rTNIBSV:Ww9vteqJggn7oUfPku

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v13

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Tasks