General

  • Target

    a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e

  • Size

    157KB

  • Sample

    220124-btgn5shef8

  • MD5

    cc9c544f73038237dbf2dae6e5495fd4

  • SHA1

    8145c598cd55255bdb426e33d703bc7a325bb509

  • SHA256

    a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e

  • SHA512

    7678fd20db791aaed53c7353657af7281e47bf7aa0bc3e4999b8b58742a7fe81ab790db1e377fa71028ca1a5938f92e1d579a37a26e0b869c187c78bc7a8df7e

Malware Config

Extracted

Family

sodinokibi

Botnet

20

Campaign

45

C2

jalkapuu.net

cincinnatiphotocompany.org

malevannye.ru

inewsstar.com

arearugcleaningnyc.com

purepreprod4.com

kiraribeaute-nani.com

ygallerysalonsoho.com:443

andreaskildegaard.dk

miscbo.it

glende-pflanzenparadies.de

goodherbalhealth.com

fluzfluzrewards.com

wallflowersandrakes.com

keuken-prijs.nl

11.in.ua

selected-minds.de

mindfuelers.com

skinkeeper.li

hekecrm.com

Attributes

  • net

    true

  • pid

    20

  • prc

    sqlservr.exe

    mysql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    45

Extracted

Path

C:\Program Files\ssf707bc5-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ssf707bc5. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B37CF639EC5642FE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B37CF639EC5642FE Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: qEaIm5terFRmfu13Icrrlu4RHNqk504jsdsszSWT7VVO4hf7fxez15ca65ZBipKg zrrxf01aq/ilPPWHDriD3nD4CAJPWRUlTahpwpFWGdPgWo5uWjeo9DQjycTwrM0J IBxOYKJVh6qIii5t4SRW0njEuiu+bUuNJ/FELGLJTabptW6vVQzfVVw3yxvMItyI 0OhFCgakkWHheRz/+lQPBVmXYsMGXeaId8iL1NwS0jaoFle9pTCc2Ol0NY1Ks6ML Lf4G7wITZRBj0uLAjC1lLS0QE1tP55NuNzulxI8v/XBDXi+1fxBEBP2KadV7Adsp v0Nv5ZhPrcYLrVi0fUVNAU1yo2Kno94JEljFT1n++UyRFjufRofzJO6zG2tzNL3+ uoeBEfv0WfTAzVBNpWThcrYbSeY0TCjq5jY7ZboUitzlgC5O2B6NV3h3sXkV4JJ/ Dbyt938ZAkGA6rRazlt6nvLazjv+eVzdcGjeL2+xQa7s0jxwjw7Ux+mlNOIgnWpt Rz9Mrrflh/ETI7Mp69A6R5z6KbyUj0Vj2qnBWTAEqKiMzK7ZXoDj0doSwVII9VYq XdjVQOv7MNm/r0XZbzio+QYuYd0Mfqm1wd5FFjRu0eaf4ckJbwKDTNzv6VgRs73y 8+MaxaEi95543vTsg850X4v3Xn27KfHEUmWOtHpvCtc9bSXlu2R6pYouFOIQ8zoo gPKz9OpRorcVjM12ZwdPTxNefCg/u16d1jm0pNVXbl0bweCQWilICiDz/gDPijn8 ZUTG43B/dk3Mnz8pVjKdjaFQbbNy7pwP7aWJaAECZnvR7byjqQLapafNUgxdgJnU d8icW9fXIvjSvs5PFJmPOwvDkQTA58SrJpKdp1+xwouiN93tvWNYN+a3V4omfLtb vj3M2oR4ZspbU1PX1AwktJcAr0EE9Ng6Y/OWyaB9H5OBxdK1osSxaO/Y0FZxvwrb tbn3thhoI/+QMDHdYzyH7DjlOLsRnmTW3lEAUoF0maoFgZtPhCd++JaE3U+4LF5L 2ojriKijQi5zAtblArH6PsRV/1k2+zLVbTVvflGn62HBOquPEeUyizB7QAH6J1xA B0loVWZ5pMGo2/bvWzlmIh5g Extension name: ssf707bc5 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B37CF639EC5642FE

http://decryptor.top/B37CF639EC5642FE

Extracted

Path

C:\odt\h04u1-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion h04u1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/68EBC3C33802385F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/68EBC3C33802385F Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: h86OcHS5lBa5oXc9JwxVN1b7G+jBf7ExRN2s54wJl04R+d0ckU5BfSf3XXbVKZGV 1xFejh4AqA9LrXDngcss8PuOAkgvDYCv30xH9UIvltLxiKjFfVhPoMMpmubxj2aM 5aunxk/D+VDjv5PuSfzP/kxl9Ftdv/nGOYFESV9lJJ6DNaGHtuUwV/cgAcDK/Lws vz74AdW1gXMHrekxFy4LapalNcwycOUupN7xOkbGykcE4xBccdJyFYLmRfsvsCAp jIEli4NVijbAla5KAdowBWYjDhRLgnFCYf5bwT/y1VWy2NH+dhczAEu5e+RGZA37 ikzXvMUSHN9wiA3jDfPERonAV9Wsb9yiX42BJANHpk0BUyOya0sjroSqVttkSKwS IIykJyA6ZFE3NyPDMz1vNfkNiej5TaYCCShIoe8qPcR+eMyvfxXxXqRneWz8L5SA m1DW8as/GajUnfROYnFYqc3SDq7YPNvreFyIIXQ4E+r1lBTP3e/sktfMbL6KZmZi mbvPMmzxNrR3rp+wn6nglvCLl6Eukue9rJvdJ1hrVxlg0ZZDXC93DTf6D89BZ/r3 RdRl3mevrb0JgegV0UH2Pd+rAluh7h90/YdZWXUboYteUnEWGWObUOgNgU1lEuFR 3+vgUpy9NaUyR7g0hbChVqYmrb07+PjF81NoO3kM4vbJJtUGcf5o8f7gZQ7xczZZ Q9PStnoU5nFwSFGQkrFSO6O1US3qjsS5gKPoxqRQgBm1NrabSbsrX5HF5tdswzEh J7K7e1u9Ok4tWjIqE9fjBm8qQutOS5an9uHsjxbKM2Yxljyl+f7kd4/u7RxX1lPp lp2WJWZLzc2jYcBN5rwWKN5gXBuIRvn43GH2t5aArlnAKDkd+1Ulztp8992/HHvy dnLSamNwSwakopt2lM5Rgnst3ScAjBxvG1tIrAfBev8E7Mo1+294XJmMGEkJP6fo 5m9Y3XgsdHxNZm5IX4fyYc22KWpCfnvjc6pi4J71Fj1Sukc3q9BQCVlUuRSIY4BZ MXmRp4FLbXq8bCRtAmhntWb/0665c221fuwUDx4EV3N4tn7RV0/6slGF48eiWyZx MsjBKS5VYCprYQ== Extension name: h04u1 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/68EBC3C33802385F

http://decryptor.top/68EBC3C33802385F

Targets

    • Target

      a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e

    • Size

      157KB

    • MD5

      cc9c544f73038237dbf2dae6e5495fd4

    • SHA1

      8145c598cd55255bdb426e33d703bc7a325bb509

    • SHA256

      a2fbf151010d614ac772d2232e94faf278f2ad9f650197987a0e2a4df2cc892e

    • SHA512

      7678fd20db791aaed53c7353657af7281e47bf7aa0bc3e4999b8b58742a7fe81ab790db1e377fa71028ca1a5938f92e1d579a37a26e0b869c187c78bc7a8df7e

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks