General

  • Target

    13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118

  • Size

    166KB

  • Sample

    240504-sxkzeahg7y

  • MD5

    13577e7b34a4c62a7a0944121ff84c70

  • SHA1

    06f3daf23dd391ad7e8b8aef613f58cb9baadc11

  • SHA256

    3a6a69d72b533a2e5051973c85a7be5d25f661df01111e17e439126241c9ea39

  • SHA512

    2fcf381f1424336701de4fe631f015eccf8b65ac58909401efb1986f80672571713b0b818b26f2cadb44de8d4e5918ce3865346c42546b8e94286be595879bd1

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3Qfexg3759um6C6lg:ZJ0BXScFy2RsQJ8zgWxI759fbSg

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$LTffjwuikHdiYVH0VwTAiuNuHxk9.THaPtgh1LG0849cmtW1ETCny

Campaign

3458

Decoy


Attributes
  • net

    true

  • pid

    $2a$10$LTffjwuikHdiYVH0VwTAiuNuHxk9.THaPtgh1LG0849cmtW1ETCny

  • prc

    powerpnt

    ocomm

    outlook

    steam

    infopath

    msaccess

    dbsnmp

    agntsvc

    ocssd

    mydesktopqos

    synctime

    thunderbird

    wordpad

    firefox

    winword

    ocautoupds

    onenote

    sqbcoreservice

    sql

    visio

    thebat

    tbirdconfig

    mydesktopservice

    excel

    encsvc

    dbeng50

    xfssvccon

    isqlplussvc

    mspub

    oracle

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3458

  • svc

    mepocs

    memtas

    vss

    svc$

    sql

    backup

    sophos

    veeam

Extracted

Path

C:\Users\7zr2x39k-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7zr2x39k. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/24088A9F2C6B4CB1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/24088A9F2C6B4CB1 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: QtHynPNlIgvozIkmNpTa6fVqf1sJu+22+T10TW8IasIcl0u7q9l+YLXHXutFBa3I PjZBQLchTYC6abfIoGP8aZd9Ibw6jh+fRLQx5hhEQpJc7O0mszcwri5+VtjmEHs+ MMNdsyWnQwmMI/nvPAVX02Ssql2eZ42jwiarUQrzd70XoFEEAaTLi//8rdpPD2vU kNDBv4Fqr6GLUGR+PuwoVHbY6lAgNUeIQQLlaatIik86RajSVaAThXEJ21eQQRNY k4+Qaq6xe1hl0Y4cgyz+BJtjDOtFEL2PJKAnVs4TteKKFnZj+k1rPwV2x0FVrmmx BfjhwJgBez+Z+6Ozs8XpcPHjKN/xIL/l0U13tPyIMNlhWODqO2KfA7AJTDql53Lz f4C4E+P1lmRrDPgeIs3Tn0mc0Bgax+h7BtLL5jBH9o3A7T+vQDNEqzvru7oNXH8D +tqZ9yV9Zmi+LX5XCv2KSKS7dQQ//wkUYIgqIR9nYno/rFvoGXRDZBYOONDpY/aJ xqEwSwM057Jf7BZw48Rv5O4MOXLkUtMzcGqUGx2gWV6sUkDb91l7qJ+zsC5FTtYz TxqK17DClUGILVylqnFcN2lLpwU3SuVqEmZCsE3/ErsWb0zLcqB8p4s1MVDNKjLm 2iwXGH7BRV9/BeryQPrj6nsanT1MPlx2fPnkL+yXQ+PZVs1QboLP8JBtyv4FaGj6 o57dgcTBT1Ev4XOlIEwJaur3Jm79AJgnAlXcAxh7I16Tltb9EPXTTRuMn3fogMBA YGK2FgHx/vSAXnJ2tY579aqDZNj4O0Y/uJoXAgGgWnFO56GpkHwWwYUb2uWumDUj xqBRKKAa8ES/efYVqDWi/D1qyUH7lGmnx9fh8UglKFpqrXVlCgT1+mw3CAwU/VvG TQp0ckrd2zoZ5AqtU4+qfCSXsxp2D9DA3pyUVf36GstgwKqyMqlOWAbxKyaJklm8 IaRAJYTeL4wITAbyH3dAWCFvE3uAKKRMrCrMMyChtMx5i+3sslKQg0ZDzqFx522H s4khkCKxZQaLTh2Uj/ry+NVCW1Yrh03NG3TuvCQ2a8ct2rWD5H8G/2/UBUQAxsdm Cvezw6mhQaOg3AkFwNy1K6RgtUOquczLCZzwG9hsqIn9eJ33AMzLw2I3Z0+3E6NM wZ4RgLWQoydj9p3jyNgJJwSIoVH7zJulmsRRM6Hj3779/Hsp8UeCRFRE4Y7Yp2wn hxxNJJtvW0mG7GOHS9i3YRQeDrluQ75LVXEWCy88q2vJeUtzT0UkxkxjVPm41M+i NUMkZC5fPEpxn1D5KYMt3xmzRgygjukjFCjF44dgMqvtml2tlVTw7pTGIzlaxhhX ST5cggHkDB9tJKCxRQnKA2XTxulHgUC4GWND34B5vBdXLKIS Extension name: 7zr2x39k ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! 
!!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/24088A9F2C6B4CB1

http://decryptor.cc/24088A9F2C6B4CB1

Extracted

Path

C:\Users\8ueb7mez-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 8ueb7mez. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EB9BC747A366F9C6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/EB9BC747A366F9C6 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 8wMk5E6/vp4/R048IhaXftqAUvLFpusku+bM/9kowSa6rFwO7WJojOJvMnyiplfW SpDRHSAeHQrXtEqEVnn7bKFgEjeJ9mfQ0tfvnbwBnPuIk6yb8t2Za8m7qcilo35j ZCokfnqFfJEDaaepipNAvUjoqs8UtXiLSEwnbBErTVI6l7frEYQeCCe8dURzTdLP NyUXFLsZJRjhFd1JXLAU+Q3rlQlJpQyZSlVbM1p3RogBbLXibjYkGmrP3pn6FXhQ BaoWQ0tIC3H1YIXRF7QanbQ4+30eu31LkuWBhFRK4hb9IXTKeaB8MCc9ycu1gI8s 8lE/1uyZHjcGDKpPPwUmsvdFDqf4j1nRMIjn4Fk7++T16X1GRUPktH3tOTe0tik2 mWqNt7HkYsax584tiwKeMRK9RX4tlwlN86h5BEKQR7fZX4HtJ4PKgEOgg73UJ6gU yMUr8MCq9yavKvRjx+VXGfeq184AL7kSsRrzFHc5+lpHrZjGwIwxi1RO1SuGM0nZ g+2vaT4PycwI7fp4UKlBrS/be9M9WQkFHQg83+sOQBNiLiaJoW7AZgrGHgkfKw5L 9R2clW7SiBE6cJu9LHvnBgLXip5KrbmcrAXKaFqpPrI4+NO3NEMcmVMe4PpkPIe/ C0RCdlLCcOOlJCemaXDaReS12QzbsMOg7StFF49IwR8HCu4BbkQ/1+/Vi8wYjB4w 0fGQDY7iIMpdkrWDSIpuRRs1traabJK9QvGsCxdcbNin3IVCVCinqLhG1cUQuISW QfgnBpNaUfS8z1aoake5KT9YqVbmWsC5pjNEYtOX9sYfpdwIoPPmYnz5tTcb2xWq 2yQglJGZm5vN4HF/6RlEHMF2T0LSWPV6YxdcnVc1YDLPQlsDJn+d2LrTQj1oTsIs K8GeyOrsbUN/kacperAMxmzOOK9YmxbG0+HV7iLqIPNavrc5s1BK83k6nDnsi0sj JgjH3i8kd8fOKtZQ1UnOtChoXT6NyG16AUIOfR4XQVyYqntVXQnOE/pxA5MLi7BY oF4GE5cCb13DdssPwL6C5dWy5KgihktpVdZ7LAUQJ2z0eVkdAg8anQZXgOVWM03m 11UmPV6OI879AieM6GxWuTMkRLpbt7mr87fmlz1lB7AHQ+dhAsJ0qjst8zz0faKP 5ZNjqmS2kdI2k1OHnd4VhFy73Ib1ILGqG0yDmG3+NX5+VnM8mIN8zaDucI5mXce4 xZlO0EOj/yETRDasII8ZGmwThNNxZQRNhcYxlnlL3gMOor0SCC+nQix9ssalKAQe d1afgabhEVbZjTwBxzgCpFeZgO50uSSOelrbx8csuPz8qCt2+nU3i429+AtzBJjN t4K1iIKdF+KrTuzhuBN58oGfJboIFV6FXtCwyZCqvvrstb1Zk1J4NsIJ Extension name: 8ueb7mez ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. 
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EB9BC747A366F9C6

http://decryptor.cc/EB9BC747A366F9C6

Targets

    • Target

      13577e7b34a4c62a7a0944121ff84c70_JaffaCakes118


    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 3

  • Subvert Trust Controls (T1553): 1

  • Install Root Certificate (T1553.004): 1

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 1

Impact

  • Defacement (T1491): 1

Tasks