General

  • Target

    1a578c9055a1451622017cd253d238f2_JaffaCakes118

  • Size

    161KB

  • Sample

    240506-cyz7qaha87

  • MD5

    1a578c9055a1451622017cd253d238f2

  • SHA1

    a1b72de550c0012a1c556697ce1d371440fcbc2b

  • SHA256

    337fe8b50b6db4e741246ca76f27a8dd4e505cceebf9a9577be2d03dd5c5810a

  • SHA512

    f095c5d8e2ec70ce38de23be00c9dc364b24d85506d205832d225c33fb1cae2b8555cc1b52f055d7b69df7ee42c96d9d80699033cecbc06e4fe65334af720d29

  • SSDEEP

    1536:7mseS0rh3UharM4WHMnEA0tepkq8e7Pbi4eTMluxtXDCntTnICS4ADEq5tsMzYqV:tsM4oA0tCHLbi4eTMlwDCnuSq7OR

Malware Config

Extracted

  • Family

    sodinokibi

  • Botnet

    37

  • Campaign

    346

  • Decoy

    subquercy.fr

    dreamvoiceclub.org

    jglconsultancy.com

    awaisghauri.com

    supercarhire.co.uk

    karmeliterviertel.com

    dennisverschuur.com

    hospitalitytrainingsolutions.co.uk

    bonitabeachassociation.com

    xn--80abehgab4ak0ddz.xn--p1ai

    ntinasfiloxenia.gr

    ziliak.com

    hotjapaneselesbian.com

    wineandgo.hu

    reputation-medical.online

    ncn.nl

    the5thquestion.com

    chatterchatterchatter.com

    rvside.com

    christianscholz.de

Attributes

  • net

    true

  • pid

    37

  • prc

    agntsvc.exe

    tbirdconfig.exe

    infopath.exe

    mydesktopqos.exe

    msaccess.exe

    powerpnt.exe

    onenote.exe

    mysqld_opt.exe

    sqlagent.exe

    isqlplussvc.exe

    sqlservr.exe

    thunderbird.exe

    dbsnmp.exe

    sqlwriter.exe

    synctime.exe

    wordpad.exe

    visio.exe

    thebat64.exe

    dbeng50.exe

    mysqld_nt.exe

    mspub.exe

    excel.exe

    winword.exe

    encsvc.exe

    steam.exe

    sqbcoreservice.exe

    mydesktopservice.exe

    ocssd.exe

    thebat.exe

    oracle.exe

    sqlbrowser.exe

    xfssvccon.exe

    outlook.exe

    msftesql.exe

    ocomm.exe

    ocautoupds.exe

    firefoxconfig.exe

    mysqld.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    346

Extracted

Path

C:\Users\2zs2s5r-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 2zs2s5r. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4968BBA9040DFE66 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/4968BBA9040DFE66 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ZI30EKP8+hBmXgnSUjyzVwEkVmcJgqT9tKBsGid9TQGDMesnPfYDFWOZBjaZH2eO J1RzMx6B8mHahateGpwhu1gBjZ6G9DajLs3pxYT73SM0/qEpCTD7Bjv/nzF3kUDo fb1b5favrnu1V/0jdkCQmlJTUV+Kh4IFpvrk+iXf582erl95k1QdJ1ChacWCNicX O+UwV+eXzuUbqvmDbrH/hU41v+31ToxwKYghzCSx6IeKH96NPQhqtqDRQGET/o8B pnZv0+EtNEmf6rUvyGJAe8UeP+PIzpqAqLMUCupXCLVOOcQzQx6mFk2pRb9OVn5M HGh8XifihAOURKWjgEic96V2n4aXmD7X1k4JlyPZva/IOWMygfVGTFVobF11HPXG bZ8VmeaB5wKL7wLgl6Ah+FIlwjzD7Wdt2oqGZwrAISevESrxirXM1OgcOFRMt8Nu yLIFo7MxlgxdWOG7kz2vEMHw7HVbYHb6wWE6hI1UcBggsuzIRxIYcUMq46PkjJYx K/qmLCM2GIA3Ak7YsMXHg9q0RNmWWKV71JN522qOFK5td76J2YtfxYRJ+t+Wb0MO eaeXNZJO/BT8u6O7+ic3gWYlX3KMIL6yKCg8Y3K/Z3TBpc7mxa2OfaLy+gR76eXy nISwy8fE8WF58AFieEvgxELxDKsDNNbj790Q2KbevNA9p00hHoY0l4Nkc5xWX1A1 wyvgbrv1ozUpl1ch6X+5WxuwMCHDWJdQsdHbwFme8KUdu5dw4OGZYVM95NzlV3Sj hD88kHgAReB+XqDVKZDKgtYoDWAM4Mm+nHmSHWM0uiAgt5sPuIp9GZOY2u6/fi0f kdCJ1xeqN2ha0uxMKcw856gc5wz5KaLn5IOPJ06CPhK8/t7+nfdVzX82RHLRPX5x hayPonF3cRdYvupTgjyjHgsOKXN4YGadWWbJ2vmLZN4FgR1xutm+bTG1odHxUMcX gxgN/3V0TjZAuTlW4kj8K8N/mAPjTnk494V4ItInhPWW5KfeWeXrIuj1QKjt0LdQ DmETe9e21yHPB+6ImdNevBUT9BJ07v+TTAtkRIsoJKE5CCqi4vhlH25nUIkNm6b2 UxNaccHC67akcCBjGWUMOmCsMUgDJrcT1hdGh3n2uMKszEkgml97BsK414aLeSdJ Rqt3ZlzoNDSoXAR/7T9vAytFoTnhpn5IaM3GJFKuPEPT09C5tFCPYO2O1lKRaQ2t 5MVOT3UIJnmIvlT7 Extension name: 2zs2s5r ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4968BBA9040DFE66

http://decryptor.top/4968BBA9040DFE66

Extracted

Path

C:\Users\sdyp4c4f-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion sdyp4c4f. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EA0AA6A76DB1E7CC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/EA0AA6A76DB1E7CC Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: HQa419ozY+85LZcPmEAIkT5Y60vilgYYV3ghNmA504+FpSuS9WJW8vOz57JLnWIU pg+earXKHrJoBQIeUIzxdTmSKubYKeTxhsKDiP4yADqT4Okqch7Evj9J963h5ayj brCamuG5Y98caIMpY8V/gZfKYiZBfiDMw7iDcxyl1bFSSJXLpyDnQyH2zaYX9m/Q SnczV84Qk8QqNt3cQViSawFU6KKkgeBFViDFmZcd70sPp/ppd7RXyym31nntRgVT aNebQGk7jTLaeVf2gq5nJ6c6m3H3esh67DdxX4074nPOMOgYBgktPxRoWbvJY7T/ lgcjO3vqSzJJEdkJkL4RupcMgNvaZwALi3icymS1SVw5rGiO4GmqedFvlkpBNvBB NJKAotnME2qdEaaSv/kia1IPMuzAP9dPEXYJOcB89BOwt58RQS8NVdSHtIY/710j 3iEVtAvQb6VKW7LHvNP8eoKj7Po4YeM3Ry5I0F6pEfcOW3vcCyREwZvUauebqxZK pKGF8pa5nq0FoJ2bNYapMmy+SyrCTCxQIPMh9XxDyWtezVyVQvee1EIhIyHQ/iKI 10BydTE1Q2ZN8I6SmZUIKKxLjOw5EOpctRo63WzBThJ34q9wnGltA2vzTzqoqbce +q+19GqHLLOp0V9HvEeLk+V1YceiZan1Fvx7slKHQ7oyyDTctrYRJkIccSdUJYqF W1iC0XmNcYEXuxkryoUsQNCHw7uKeW3pd9zmQetHRsqUlpNpS8OTeL+b2Y1cHSSS E27f/IHY+RziJ1mxDi0EHqg6WIfaGksEOXxFihm1cPs+t0kUcjh4ooiPtJbxP3nD 4r/qMx/9Y09494ytp9h5j50gpdP7pmOc9Vdydyj3NX/jKcud1VWwix+P7x58PiZT tcZahoz7RQwkTzTAdYR7KGO70Yl4rEbZ/Wc6WOkcbfU7W6fXLLL1dzlUAgY4hjJS +zxletVkJYVMTPol4GOM6nfxaKD4wXjbmrqI7zkruZClgN1ljFOIsMoVbp/Yn7Bc qdZQJX7ic5FNb9clrkDY99UsfzWZMM7CuHij604E9TTCIZQBiCdG/u65UR5ZmXAW CE9eeULxSP1/TP/KQDg2ficGPgzitM399oPWJZmrB+qLCAiv38VoOAu2/M+PFJvi kFBav9vcPeDP89a69a2F7dBB8lRiXpOIe/WWtcpIztO4PTlury/Ind38vmKPGYE6 pIDg3cgDwevILsYEXPFBqWXl2FQ= Extension name: sdyp4c4f ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EA0AA6A76DB1E7CC

http://decryptor.top/EA0AA6A76DB1E7CC

Targets

    • Target

      1a578c9055a1451622017cd253d238f2_JaffaCakes118


    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic           Technique                            ID          Count
Execution        Windows Management Instrumentation   T1047       1
Defense Evasion  Indicator Removal                    T1070       2
Defense Evasion  File Deletion                        T1070.004   2
Defense Evasion  Modify Registry                      T1112       1
Discovery        Query Registry                       T1012       2
Discovery        System Information Discovery         T1082       3
Discovery        Peripheral Device Discovery          T1120       1
Impact           Inhibit System Recovery              T1490       2
Impact           Defacement                           T1491       1

Tasks