General

  • Target

    b0d6817c4bcd8df8703a0aa8d2ba08e3_JaffaCakes118

  • Size

    114KB

  • Sample

    240616-ahevqsvcml

  • MD5

    b0d6817c4bcd8df8703a0aa8d2ba08e3

  • SHA1

    29c4c5e9c180c4c1241b69dd72ebdf5234628cbc

  • SHA256

    f4f27a8d8607db742cdc40a1bffe2384f2a3bdeaa4f10c86d0e339f746a00036

  • SHA512

    cbe7efb0bded61d4745783e482fcb4332d238855d175f3d15775ab3f8faa25151898611d46a44c38cd1b5b374eee6b892dd1feb03021031041cb444b0e55f69b

  • SSDEEP

    1536:6Q2auIslFGhFtuAp75WeNMYLoRGp+K6fHICS4Ad1vdhC9fhHNPMf:3sI/hqsMYLoRK7b1TafHW

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$XouPvR6yKXC/5C3QiX/qmOEBNPb/lqDGZaMrgZoWuJlrShL/HgTRm

Campaign

3571

Decoy


Attributes

  • net

    true

  • pid

    $2a$10$XouPvR6yKXC/5C3QiX/qmOEBNPb/lqDGZaMrgZoWuJlrShL/HgTRm

  • prc

    outlook

    isqlplussvc

    mydesktopqos

    firefox

    encsvc

    synctime

    ocautoupds

    msaccess

    oracle

    dbeng50

    tbirdconfig

    dbsnmp

    thunderbird

    thebat

    steam

    xfssvccon

    agntsvc

    infopath

    wordpad

    winword

    sql

    mydesktopservice

    powerpnt

    ocssd

    onenote

    visio

    mspub

    sqbcoreservice

    ocomm

    excel

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3571

  • svc

    vss

    sql

    memtas

    veeam

    mepocs

    backup

    svc$

    sophos

Extracted

Path

C:\Users\3hl1vetq7-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3hl1vetq7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EB42678C7DF80537 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/EB42678C7DF80537 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: gfssW5jIQLR9DMTHeY8kazH6nyGfVeOg+o58D/D9aNT4X+0XG86wNeOTnqpr4mtv HOfSCDNUOWDmywoPyBm8/jy9t2LQNUjCfY3Wjaronqj3IpzEC7GvB/USColiFp8o Cnk1wH6CTAWUQcVw5ivw8jEBGA5oj3SmAwfxdMthXOeMNOLqyHvlVRZwG8nhCJu1 YcgdQwsRa/MPXYM+impsu4OHmW03vpH6DKCBITvp7PlO3O16OOpgtmqlt7BcFb7W GlEgVeLnuboOLO1LrJGmSx7JGnCSGHon+U5F9qqgjRbFIuMVDwqGoiDBAxRJmEMG uf4b9jKkOigXJBky77KS7LxLwgZmYdFwJaUyqvomKwQHClm7iDsPl2V8GJFpBQHt 5Lw2FgJV5b8TnzqKDi1JPiuY1Fm517o4JJ2iWHG6dAMMkyEITXVUH5q8NA/rCAav HhJd+BwtTRdMIiakasW/EL4/e+gY1NsR947shjv3yzl2FkUYBrmC3iJSii2f2p09 OHgwYQpDb7mocvykT0AHnpwOq8OvlA+kEmgLd77gSWxyD1ySDYXy4xyrN1Sjmy/S HrjdLU4BPnOC3I5hh2B5QOwJUkbmzVwVcwsF6ZXM33DxxWLrBEg9kOL6TVzpm/gh hrys97rTSpwVzKxuCjhvOkSFnwyOm+FTfjAJbK+HEv6ELxmlhf9Q68g/1w3PNsx/ /fTozar1SdhB/RXH8Psc8T36m+xPN0bffgfZ5UAXlkj2M/8U+OEDB1G+EvUbMidS h/fUoS0uBJXtEqzgCah8VWpwxs1k6uaKOrBNw6TOg6f3ZTr33HPyb1kDE64hujVH ua4236A0xLYGNAuebDmDjCC0slTxqkn8H9mVKtrvIDt3scCPQMavVRU8QPGJU6e2 3Wy1b/G7Elw8LREhCkRznho4gkIRQ1tr5v62zdC3gKF0mui2GoykmwesK07+BeJd taJh6JMmuKIQvbBspf+bWpHPgip11jn5dPc0CZq4uS+5qjoYI1+/wHz1MuAp6Huw IxKiSvIIR++E5BKqc9nOQKVaeuuq3Wvo48Sm9GR2vGHShhDo4wz1J0HBmz/PgFic 9ErFaarHNh3zEgq3xXtuxWRlI7NFAJHLGv9JM2eyq8vZwqjWCAKJgICd9Oz0OE3r vocw+nxnp9PB2LFYfCe/E+Qj+8/Ma38fFihLLm/jpY925yd5htiX+i5zKmDIYjbu LdW3VEUZyUrhvQqLzhXsJ76UIXVGW7wA6NEJbqICglEiPXe33eewflxP2RMK8jqg ns8d+ebUCbjTIMw0VJsotkzmacuq12Z5C/550Ich/PiYx9kPBVlfFKLR3swKcCWk wPFYML0BdfqA4Vz+mtKYM4gjqX+HVWwQrFvw1YUo6HNeFre4p6I= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EB42678C7DF80537

http://decryptor.cc/EB42678C7DF80537

Extracted

Path

C:\Users\333k96-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 333k96. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2A923E9CE5B93D00 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/2A923E9CE5B93D00 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: CZmimPsrMFpDsHPz7Eq+eU3q/M2XniojJiaykdSeYRNIpXB+RKJWxHyP4cxxzyBr Np5MUeIp9cgKLk5FrFCdgT5MABiaRti1mJagCQE2WUFr25wYnqdS7jiLAVG+fOhP 965jgz+NO7EmdWNX2DALxmzc+8GN4n4BjTT1v5E7rJFWAsmhKkgktksJhDslHGrf BMvbDaLIDU3FBLxluy0wQt6Uz82VEFf0C7uKimx++qbfjTlkfa4ng4epqxA2IrH2 hzJQUVSV25NTbh4e8gWhhpPlJaDht5oaLNMvp7fzzuhg1U7BcsdmpvOe6eRkuuDo ymp090LmMp6PIl7KmC5Gj+x+bYs7lZwdbzVzqx/o2X0zge4iNGZZmwlREwwot0at vFMyONnjFvS0k/JMxJmyhFm6byqW+fSqbmJXi+wuXC4h9yHrNG/88wG86ZfGKTXv X2XEkB1B3O4GR4aMc4m8LsMmzQnPHFydSWcarTYY7Cnz/aoqtG0axs+wVNr67Y3T X+MbEhjq0+qNEnL3Y/EvIsD4cubt2BUgrjSWQ+91V0pbVwIRQNqRuiFkxPVI6RK7 nzmgYB3stWXEIzzZKbj7Y6V/ALm0nyTcVwNUuCCdKQw7jSbcUF8dGqVdoaArUe5q auqLtBzj6FcwhgBYzQ9gsvsbeQAfwhNRN2dRfnO4JZBSblmC+z6uU6iHLG86hd8I mmMVvQFkFuNocF3u78rp+D9ZLMf5HrCL9V4kUqJnIBJvFhpcrjsWvoHHBuePdb7Z 8TvMdAGdSaiF3s7DmLt056Qd/Q8cTXbMj/gsxZ2bQcJ4dYLOybfp/wkEaem8ZxVn 3TFzATKB+Z+rtyVUkwVJUtw56kFirHzEFfxVr6EKEnE7mRjFk3sjtOKd2BkAPb6H A8fvgv5riVkuUh4BWcyNObird8qxQDRj7cs9g59bxD32CmIpKs4d07V/2WCHr4Ik dyJFgNqd466+/pM+XgIbVVaeyOh+iPuwGUo4zZO1T3lWN9Y8K+IL+bdLAVBjRpBK IG5pIE2FR6fePMZU2wDWwBuoIHNblN5Bdd8u7IB8HvU4JHckR1yeKBjcU9VTCCos M0inhBnHDD1BI7FqgDowk9DlX6l87UKSsVQt1U7feAq7ANQqxKJ942QUR3vh7TXP SWJ1bgBAmtQTHrDZ1O2/5Jqw8+ZVpclVZKFWiu0MY5YOcYBSuqACLY2ZvtF4g7b3 sDF+UClr+8DGQd9MT2fRBhGICt8xoGATZKJ7kpAINoxhf0DJVy4EGyqMelqdVOfe 3+ajN5l8Hup5xHBBQH+Qm9jF5JuF93GyyMclAvoiCM+ARmr3xKLHiNsoBmcsj9f+ vvYJBqjKars/T2tKPbM91ywMUk2mtoFR/FlYfJgpTz/MlVoYZfQ= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2A923E9CE5B93D00

http://decryptor.cc/2A923E9CE5B93D00

Targets

    • Target

      b0d6817c4bcd8df8703a0aa8d2ba08e3_JaffaCakes118

    • Size

      114KB

    • MD5

      b0d6817c4bcd8df8703a0aa8d2ba08e3

    • SHA1

      29c4c5e9c180c4c1241b69dd72ebdf5234628cbc

    • SHA256

      f4f27a8d8607db742cdc40a1bffe2384f2a3bdeaa4f10c86d0e339f746a00036

    • SHA512

      cbe7efb0bded61d4745783e482fcb4332d238855d175f3d15775ab3f8faa25151898611d46a44c38cd1b5b374eee6b892dd1feb03021031041cb444b0e55f69b

    • SSDEEP

      1536:6Q2auIslFGhFtuAp75WeNMYLoRGp+K6fHICS4Ad1vdhC9fhHNPMf:3sI/hqsMYLoRK7b1TafHW

    Score

    10/10

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v13

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Tasks