General

  • Target

    0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118

  • Size

    164KB

  • Sample

    240502-mc95xagh57

  • MD5

    0e3a73d5941bbe2e577bbf9910e422da

  • SHA1

    9a82c12a54cdf85063ebfe9eb97444f49aa68f51

  • SHA256

    8efde1792c83d66d2bf46cdfc695bb5f70edeefd951b70c403960ebcf2ca712c

  • SHA512

    7780e7b1aee337c2d9440ac6f9997cad698cf633118872edd3daa565a8de5330350f2a61cb0b35889e518871c840075f68b39e9c92624783bc7cbb8f88a49ecd

  • SSDEEP

    3072:WGYFrOdhfkQv9jrAprhFmyvEjQDKaUznxQacKt1Cilb:QadFkMGhFjED39b

Malware Config

Extracted

Family

sodinokibi

Botnet

28

Campaign

1893

Decoy

[decoy domain list omitted]

Attributes

  • net

    true

  • pid

    28

  • prc

    msaccess

    isqlplussvc

    visio

    firefox

    dbeng50

    dbsnmp

    mydesktopservice

    ocomm

    wordpa

    sqbcoreservice

    agntsvc

    mspub

    infopath

    tbirdconfig

    excel

    thunderbird

    steam

    sql$

    ocssd

    xfssvccon

    oracle

    ocautoupds

    encsvc

    powerpnt

    winword

    onenote

    mydesktopqos

    thebat

    synctime

    veeam

  • ransom_oneliner

    Sir, its just a business. Just read and follow all instructions and you get your data back. Find {EXT}-readme.txt and follow instructions

  • ransom_template

    ---=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}.
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
       a) Download and install TOR browser from this site: https://torproject.org/
       b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
       a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
       b) Open our secondary website: http://decryptor.top/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:

    Key: {KEY}

    Extension name: {EXT}

    --------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    1893

  • svc

    veeam

    memtas

    vss

    backup

    sql

    mepocs

    svc$

    altaro

    sophos

Extracted

Path

C:\Recovery\b198b300-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension b198b300.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/721F9F5999A7D493

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/721F9F5999A7D493

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key: [base64 key blob omitted]

Extension name: b198b300

--------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/721F9F5999A7D493

http://decryptor.top/721F9F5999A7D493

Extracted

Path

C:\Recovery\019t694e-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 019t694e.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2313D28C11E016D6

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/2313D28C11E016D6

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key: [base64 key blob omitted]

Extension name: 019t694e

--------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2313D28C11E016D6

http://decryptor.top/2313D28C11E016D6

Targets

    • Target

      0e3a73d5941bbe2e577bbf9910e422da_JaffaCakes118


    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • T1547 Boot or Logon Autostart Execution (1)
    • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (1)
    • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion
  • T1112 Modify Registry (3)
  • T1553 Subvert Trust Controls (1)
    • T1553.004 Install Root Certificate (1)

Discovery
  • T1012 Query Registry (1)
  • T1120 Peripheral Device Discovery (1)
  • T1082 System Information Discovery (1)

Impact
  • T1491 Defacement (1)

Tasks