General

  • Target

    12d60944c52bcc294d5c55bc20860ec7_JaffaCakes118

  • Size

    164KB

  • Sample

    240504-p679hsef4t

  • MD5

    12d60944c52bcc294d5c55bc20860ec7

  • SHA1

    37563cca9ff0ed0f4f4bed5e831d845cae3597c0

  • SHA256

    2ca519d47ac0ab709cabe70a89504d134475d68be47081be4ccd758d371619a4

  • SHA512

    16a2d8b9a6d592c822131fa94b3160af6a6a7ddba06934dd60b6dab97f2bd9e9e4fd2338aa45e458b33e5a1f612bed36cd7a848f9bf5788e51f9f3636275270d

  • SSDEEP

    3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDOoOarvil:ffYWAw9fcUdmwIXo+M9VQHDZOAi

Malware Config

Extracted

Family

sodinokibi

Botnet

16

Campaign

1390

Decoy

innovationgames-brabant.nl

ravage-webzine.nl

auberives-sur-vareze.fr

leatherjees.com

patriotcleaning.net

toranjtuition.org

charlottelhanna.com

wasnederland.nl

bridalcave.com

bodymindchallenger.com

moira-cristescu.com

ced-elec.com

hutchstyle.co.uk

chainofhopeeurope.eu

bilius.dk

skyboundnutrition.co.uk

watchsale.biz

banukumbak.com

ingresosextras.online

jefersonalessandro.com

Attributes

  • net

    false

  • pid

    16

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1390

Extracted

Path

C:\Users\wy36fc-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension wy36fc. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6C3D83F5201C8948 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/6C3D83F5201C8948 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: M2SfOMxooP9jo5wH5MIfFnOGd9kzvMlhmav9lQHPc+Ieti8YSpLOh8213OjlO/71 NBY/SsSIYFA/F7RqrQPl0C1iOtl4JF8b4pe/2ekaYPhgXniJd9uE/ckBTCRqY//s YEiz88I6h7F1RCrxGwsvzEUgBZIJuXpx7CVTEYhRFeZ8fZytBvfg+MJ8Kn7o9tSv fdqM9trAy9e2Bedg5zMcPRct9cfCbPSTS79gopqOhSx0bvasahzLPyXv98Q2IROM rvrV7w3Spc+3Q7CnnojVpDFW3DoOMKjC8aDklRfxTbqmCGIe7HiBT3z0pfHuNPWj qHZx8jUNTeZwSvv57pWdRpdLAtTkTRzG017NbtMw3uogTd0HJEqATackhS5jW+8L c8y929kj6eoPgApKbF9DET3LheOHHPNmJTZkKwkONms2mzu95tHsSpjZP/kwoKRc q8or7u4+IOcb+4rgHpKsxjpSzEKd9YrpTJMJFeMeuajDYifpI+zSZNOdCqcRLJmT PrQ1/+Im6uNNyQrWGwr3nTWYnrmyC3XJorSyG4I7RaQn8LWJqzhdPrtAkbQf7Ah0 WJ/+HMgoAKrSumoGHNmoqupJSO1Er4bfjEKNjIYfzDkKsyG2ZrcXp4+q2K67/MSK RY3x/4FFE1blbiUp79Y2bnhroIZhmZ20VOa6bIvn49L4TD6HUioYI2MB74u98zv8 FNkoguvSSAfhB1BNlypQFatIwSCGaCIzs9+9oc0mgubpbb4n/ZLcPyWT+/nBXKND RxWj+kRAQccmRW17X9yBQqTTJO21lJJwmhOLsT+5kG8Pu3t1Bv4YupB60rnhdc9U PQYmJlEWjL1GYSKKOtSQr1QovfMMkvYXXXWDnAh60fCgMMCNssRxVPPu541nAsK8 TkVCpq2isYZOexYdWWFZglqfUz0c7D/4zqlVsUhfIEjWK5VE2NcX3E9FjpLOaIrU ZEKshDpRGnzYFdsgxDzx9e2DCys0HpvQStkZqsnhmHv+Ym0rVbehkajBfArRnMD0 amq6wUGO5zQ5XpStXbIBzNfSawasXJUAZ1qjiwVi7u3qQjbN/i1mgQprZvuuHD9T 10inhKTXYCSX9uHE4K/Yq2Kys1t3VzB/XGOHKhsjBQ8KURbX8Fq7/bXiklpltlAO ciX/mGO6XcMLmtVxMWOFb/AUEnDAT7efo8X6U9aMo7i30mO/JAKVCAYEB8n0tL42 j4ha4nHiwR3gANR4 Extension name: wy36fc ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6C3D83F5201C8948

http://decryptor.top/6C3D83F5201C8948

Extracted

Path

C:\Recovery\t4jbvr9-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension t4jbvr9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EC0EE6A17F515D06 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/EC0EE6A17F515D06 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Ojf8P+MGCqSwpgKM75P7hvHlwU3U7Gj0g22qOXu2eZaxzDiqzdt51wXoHMQKv6NL uIWwYnchEKWZj1VflcICjKuK2/wFE2W7gXPw4la+aEZhAnvME0AA1FZSn/fCKK3W /pTDGPx/mr7BXGCIKXZILRM91IcThoq4ESI0qh/HC+1caslIZ4Qnq9IAC3DOBy8t r2+cu+i38O3UZIW8ZyBTREh96GmYIpb/kZB3cC3j/yk0j2fZaww+n+fCtEol+jqL srhAJJ7iWUA+3IEmPv1qG1RvxDxzFlOsWZhaXuvHUhZ7+ltHNDoBkKVtmp6UNkEx gV5lWswED9LPdKLiKymNHnKM4vTuD9rQtMi9osKn36PmCT/YbVQveNZB0WGUyVvv twcNaQ10+ldMegiNNtUOfQOzKXEBpRkaexXG3s6TcVjz2arrqHer5Jq31IFCORl3 YplgokL3M7ohE3/QEBXDEcL6Oh22o53i9VIMVGsVaVgW8ZZhmgVtQex0VZ+ZUFrR U560zLNnDqbZvBLhZEB1JR3pk3mbmsemkB/dNOOwHx8PtILpkSyKBU4035P0G9ab rauTQycO4MNagTEmeVOJF7oVQEbN4eFBKGY+KYbtrpaxw4uyR1oxw3NLCf1QRRHM Bi6fY81WKzuFboTp3duf6Cc6US8FicuXvt6beHbDglKiMMSh2cOumB7TWpw7AE/h nqQWm6JAGF+6xwelYhbf5R/KXnh1ZdZUQMpPTYkyZjfoyMazfBJvXUYIh/PZvVLx T/3NgUz2eQshepnCfyAj971NNA5UiYuqE89qBiks5CUAdgm9gW2VXvUIztInik/M 0Xbjg9Xj076mxwpOBaDVuuyaVeWANIXLT3SYqLX8+QdxmEeIYNl8Mqdlv7E3/it9 fjJFhOHQLYSei0R9A5cfXCQvFLNLz4YdzetL7vROwPh8AtZW/Q+8F5GK4mQ0q5DQ RmlxW9LokwUrlW1m91vEd/3aUmCdF96mU1qm2vSvZFZng9mWthga1gufx8MZf+w3 AseuLTY72GonLD22dsiAqqoju/iWr2TF4yMmQs9hQQAnoVFCRmLuSdgJ22XE1qcE PYU71xNqCu40r2blfRJvWY+tcmSZGQ6vukwzIeIsjWv2OVkE1KYyeZTiZWzDZ63u rjiTcDKLTf6Z/2XKbmSY7b5rr/XaCZqx8I0P0FXbAtxBQ5nCi4/GsKBkcmpmy10c qub0oU6shDS6o7c/YxuYSFaYPPU= Extension name: t4jbvr9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EC0EE6A17F515D06

http://decryptor.top/EC0EE6A17F515D06

Targets

    • Target

      12d60944c52bcc294d5c55bc20860ec7_JaffaCakes118

    • Size

      164KB

    • MD5

      12d60944c52bcc294d5c55bc20860ec7

    • SHA1

      37563cca9ff0ed0f4f4bed5e831d845cae3597c0

    • SHA256

      2ca519d47ac0ab709cabe70a89504d134475d68be47081be4ccd758d371619a4

    • SHA512

      16a2d8b9a6d592c822131fa94b3160af6a6a7ddba06934dd60b6dab97f2bd9e9e4fd2338aa45e458b33e5a1f612bed36cd7a848f9bf5788e51f9f3636275270d

    • SSDEEP

      3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDOoOarvil:ffYWAw9fcUdmwIXo+M9VQHDZOAi

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks