General

  • Target

    2d5012a0dcdb72409842b4606ec0ac48_JaffaCakes118

  • Size

    166KB

  • Sample

    240510-eyzmasag3x

  • MD5

    2d5012a0dcdb72409842b4606ec0ac48

  • SHA1

    c6044b3b1d6b65be9fbec84846efa25cd8c30242

  • SHA256

    7aaf4b2e40306cbb65edd0aed85a61ef4bbe538837684f48eafefebbdb871c11

  • SHA512

    3f837cee85d9136cbbfce1cb13fd855d10893b8d898123930c46b99ebb4ed4a5c2d0a4f653e403b1f5f0b26601f330ac1d9c95766dc7e1483e393ee1919eb64b

  • SSDEEP

    3072:MJMawtnGqtWoKeZ9fh1CgnNto6jfRWQwOy8CwvD:Ww9vteqJggn7oUfRWoyBwv

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$572YwOLYUZKq/e0bYj8GBOEG3EG.Ppb4g1/Mi/Tr55m7vXARD4eJq

Campaign

110

Decoy

deprobatehelp.com

bockamp.com

mountaintoptinyhomes.com

stefanpasch.me

dinslips.se

4net.guru

schutting-info.nl

gw2guilds.org

exenberger.at

jasonbaileystudio.com

friendsandbrgrs.com

biortaggivaldelsa.com

pier40forall.org

sanaia.com

n1-headache.com

precisionbevel.com

foryourhealth.live

crosspointefellowship.church

morawe-krueger.de

americafirstcommittee.org

Attributes

  • net

    true

  • pid

    $2a$10$572YwOLYUZKq/e0bYj8GBOEG3EG.Ppb4g1/Mi/Tr55m7vXARD4eJq

  • prc

    steam

    sqlbrowser

    thebat

    firefoxconfig

    agntsvc

    mydesktopqos

    winword

    mydesktopservice

    tbirdconfig

    infopath

    synctime

    isqlplussvc

    visio

    powerpnt

    thunderbird

    wordpad

    oracle

    mysqld

    dbeng50

    mspub

    sqbcoreservice

    onenote

    encsvc

    ocomm

    msaccess

    msftesql

    xfssvccon

    ocssd

    thebat64

    sqlagent

    mysqld_opt

    mysqld_nt

    dbsnmp

    outlook

    sqlservr

    sqlwriter

    ocautoupds

    excel

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    110

  • svc

    memtas

    svc$

    sophos

    veeam

    sql

    mepocs

    backup

    vss
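
The prc and svc lists above are the process image names and service-name fragments that Sodinokibi stops before encrypting, so that files held open by database engines, backup agents, mail clients and Office are no longer locked. Several of them terminating within a minute is the precursor worth alerting on. The Python below is an added example, not code from the sandbox or the report: it turns the two lists into a burst detector and runs it over a constructed, normalized event sample (the shape of Sysmon event 5 "process terminated" and System log 7036 "service entered the stopped state"), not real telemetry. The match semantics are this script's assumption, read off the lists themselves: svc entries such as "sql" and "backup" are fragments and are matched as case-insensitive substrings of the service name, while prc entries such as "winword" are whole image base names without ".exe".

```python
"""Hunt for the service/process shutdown burst that precedes Sodinokibi encryption.

Added example, not part of the sandbox report. Runs over a constructed event
sample; the svc and prc lists are copied from the extracted configuration.
"""
from datetime import datetime, timedelta

SVC = ["memtas", "svc$", "sophos", "veeam", "sql", "mepocs", "backup", "vss"]
PRC = [
    "steam", "sqlbrowser", "thebat", "firefoxconfig", "agntsvc", "mydesktopqos",
    "winword", "mydesktopservice", "tbirdconfig", "infopath", "synctime",
    "isqlplussvc", "visio", "powerpnt", "thunderbird", "wordpad", "oracle",
    "mysqld", "dbeng50", "mspub", "sqbcoreservice", "onenote", "encsvc", "ocomm",
    "msaccess", "msftesql", "xfssvccon", "ocssd", "thebat64", "sqlagent",
    "mysqld_opt", "mysqld_nt", "dbsnmp", "outlook", "sqlservr", "sqlwriter",
    "ocautoupds", "excel",
]


def svc_match(service_name):
    """Return the svc entry that a service name hits, or None.

    The entries are fragments ('sql', 'backup', 'vss'), so this is a
    case-insensitive substring test (assumption about the match semantics)."""
    name = service_name.lower()
    return next((frag for frag in SVC if frag in name), None)


def prc_match(image_path):
    """Return the prc entry that a process image hits, or None.

    The entries are image base names without '.exe' ('winword', 'sqlservr'),
    so compare the lower-cased file name with its extension removed."""
    base = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return base if base in PRC else None


# Constructed sample. "name" is the service name (not the display name),
# "image" the full path of the terminated process. Two routine events
# surround a three-second burst of config-listed shutdowns.
SAMPLE_EVENTS = [
    {"ts": "2024-05-10T14:03:01", "kind": "service_stop", "name": "Spooler"},
    {"ts": "2024-05-10T14:10:05", "kind": "service_stop", "name": "VSS"},
    {"ts": "2024-05-10T14:10:05", "kind": "service_stop", "name": "MSSQLSERVER"},
    {"ts": "2024-05-10T14:10:06", "kind": "service_stop", "name": "VeeamBackupSvc"},
    {"ts": "2024-05-10T14:10:07", "kind": "process_terminated",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"ts": "2024-05-10T14:10:07", "kind": "process_terminated",
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": "2024-05-10T14:10:08", "kind": "process_terminated",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
    {"ts": "2024-05-10T16:45:00", "kind": "service_stop", "name": "wuauserv"},
]


def config_hits(events):
    """Return (timestamp, kind, observed name, matched entry) for every event
    that hits the svc or prc list, in event order."""
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "service_stop":
            matched, observed = svc_match(ev["name"]), ev["name"]
        elif ev["kind"] == "process_terminated":
            matched, observed = prc_match(ev["image"]), ev["image"]
        else:
            continue
        if matched:
            hits.append((ts, ev["kind"], observed, matched))
    return hits


def burst_alerts(events, window_seconds=60, min_distinct=3):
    """Alert when at least min_distinct different config entries are hit
    inside a sliding window. One service stop is routine; a backup, database
    and Office shutdown together inside a minute is the pre-encryption step.
    Returns [(window start, sorted matched entries)]."""
    hits = sorted(config_hits(events), key=lambda h: h[0])
    window = timedelta(seconds=window_seconds)
    alerts = {}
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        distinct = {h[3] for h in hits[start:end + 1]}
        if len(distinct) >= min_distinct:
            alerts[hits[start][0]] = sorted(distinct)  # widen the same window
    return sorted(alerts.items())


if __name__ == "__main__":
    for start, entries in burst_alerts(SAMPLE_EVENTS):
        print(f"{start.isoformat()} config-listed shutdowns within 60s: {', '.join(entries)}")
```

To use this on a real host, export the System log (event 7036, map the display name back to the service name) and Sysmon event 5, normalize them into the same record shape, and feed them to burst_alerts; the window and threshold are starting points, not tuned values.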

Extracted

Path

C:\Recovery\98cewz97v5-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 98cewz97v5. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/322748F3E378EF88 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/322748F3E378EF88 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: +Y0DFsETFsJOLMPLpBP6sgANjeSVr4xeHLdh737DnrNhDs2WXhKH2cUr5kFxmHo3 ymxdAguT6dJpz6M7QOEJvFmUGwXBkdbO+JGuuH2jP4EO5giOTIFRn2c2pQyGdlQw cVeiiAqv2eOaW4v33qVMLwaWNfV5YFDG8El8HpBBH0t2yucTBrEsyknuLnZuGd8O /fG25t8h8znLwvclK6RivuceDt4e/DAjs7w2/nwLXAO1gHA51NUDh4UT82J+rL+v x0t9OpYwVJGgt0/5IdTwkhxWJ4eS44BU8husxqpxZ2GP5ynvZVjRJje04poqXU8x vVsQOXt5Ze3SfF+AZTe84A3hsS4uGHSIcwiX7IIW6dhqJyedjeu7wH3ugJ/6z5rR 46j6oRgNAv3InwR0Z4M+I+t5zJmuHo3TZZUbCarSNGb7Iw6HMwwbCdPY11DQ6FZj X1+XwtQ5ylgU7Fc1pENwVPmrYIvpvhka+Gie4UKYPHRK83U6mhppVmpDJR12IQ+j Tc52Dy5BT+GgP+3t90BDEP4KAemKDpCRn38epuFdL6xLi6WNbDkKryXht2gUtbTF tdSeW9C/8cJn1bTumDqZ2rBnqt+5CiM7M4kGeJYSd5+W2MjfIC5kZCBWgtvDDwxA SwayuL8isaQVYRnfirW22/+rFsBS5ElSinf1M3wP+zlDayCly71OJwNZk7dAUAlW T60sLGeOM7mvjOKg7NGjcG6+iptMg8hku86r1mUtnnc8QN7rcDxtvzgUP5vjKuJJ wy2DfCgxM1X+pC81Y2Y1xZOy4WDYNqQFvV6xpsUpn1uaquB6+xbfx+NF4YJIoGBS LWLF/PSkkTa5EY2uueBWASFhYvswSYvLUc5TshlIixHau5C7qwZ9jw67NB+EjIVB 79irL7QklH+Pf8+1TQ+tJJP4Dfjvb+Wwrl0n43pQkoGXMgxpG1yutKts3kmTTrLW xVDO24/7bMcufn7+FqKOmcMWVP8qGoPkpLDxmSOpPxmFdVK03+XwsRuaaLNg/Osq 4G6JOt0yo3hRMF9y2lk8AfmIhMuCwKBlT+qCAoKK7FpkWVB7fVWga8udmwnkMCsJ wNbGylnxS01bcDxOUQvbzi1p7cNdnn4lA2gSULGYrYvarwAsfEVduONyLaUyXNhL jPGOz/OvI7QYWekdXMQtbhUuLJnJCgT4GmqLFdXjXzd51GFmIXR/AKzphjaTyYva /JGkFf75i84dAOSQHuJS3mQkZzB9pLATEGv2Wz12gGQk+ppurH7F7OAmHw/i/wjO 4AQArfD6WvEJz9vifWirqMT3zKMslWsL0pudQEvdkUMIIMY0KN8FrcPq4ztKPTwC 3PGUlDWZlg1CreeAqXaWSnJIxMGo+L9s22AkJ9IOdTmP9CVq0Gw= Extension name: 98cewz97v5 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. 
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/322748F3E378EF88

http://decryptor.cc/322748F3E378EF88

Extracted

Path

C:\Recovery\ra00n-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ra00n. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EE30A8064FA7386E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/EE30A8064FA7386E Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: NmV/AbxAPv88s8XsZYWfWZzosLeLaKFyoy7OK/UE/UlBrh3gKdtxZqxFI8Y0vg/D WNB8uyS3edGfwcDUPJhE4P78j9C7/B2ZzyvtAsDofE2agA2Py9grq1VRYgF/1ODq NDBK3cAy1NZxLmjzzhaNOVx8R6mO9BxUkikWpVqiWpb1Pue3i48yydA3rkSFHf88 i+1TdYdJ/mzTZcen/1Kl499/4fXjMmJf8lzWgnaKu0n5aMK0WcqCPcOjYYR3EiQY N2qjk4N2IkqHe5ilIVo25bHBWsdtJyC5DwGHT1+bsifMogRGuFHpYsyDOdEj6RJF wpZL+z0XpNzKWU3CteidU6Vy6yg+AmkPycdkMQZCiMMd7orfe/h7OK9EfxGCYGkI RYRZVwALDE7vUBeTv+IWnyhSi73rCjRbw562Do5D8saXQVHq1mGVqOksHa1cAH/v 8il72ZQxUZwsbQ9pUytri0L58Yw/ByHTNvmAXTBYdurlnWs8R9b3y+29pkeG2I5Y B7HEjN0CaV0Mem5Z7v+lFqd7J3ThxGa4Ds7RfKuOKNrgSlUAKFb1Qq1YKtzmGiHi c1Rludw/QeMHpyGXJBF2SaXxWFFPGrfn/8iOS6HORwiSy05gB86+jXW0JTT8ecAk +OM4Jbyl08rVc3S1ABkIvAWGrmNEf6fuBnKVUe8fchIxqadLauFiYYZ+EKeeBXAa Wphcg71Ywo+zbmEwE2QKUqHXHhSGFuxa8Zo2bhcFX34rBpym9BmGr3kmwI9jd632 gSkFqecgwEkBeeAR5UL2i5AfUuNOk2x10Rv/iMtgyoLEhJ2vRIhScKPWAuR8UjNQ rwP1ZLZHNUobc9vQ3dZC3m9KqDQVLnXrSzwsU4fPeQUkh4DtoMGOIHm8oFhm8aNx iTJgUJgepCAPLYujL2VqP0u7Ff99fSQ9wlyuR/CwBNn1KH+kGSpvGYLweke0AWXd eFhdFkuH8AS6g4r9NETkE40VariXK1m/6qyLqyaPAR46rDHWWENHDVlCchzkCdlY la5bRLKXzrr6tGgHqPna2pjrz8TGuRthjEm8CZmRNuu6/6609PWstgcwnGu44jE5 d9nPbYoDQATSricvoxZaO7KElrrQwxDGSfHnrLALMDmtGj1hEbhhqIBZYebTJ41b d1ZnedAKr2h2coCtNz9G0MRlJTEtE1Hg26afU/9B87fRR60ZhM/sDu7OSAveLDPL YlwfHlCyxj1pa0lnUf1+KFjee5s7CjPpMxVU/c58+bLNuoqxv29FrKUC1xY139wT /04prxP2nKlxrfRtHaIxQHsmd27M8lRX12P1yG7hfdNN4V0G6tRthfq/V+DIAg9P OC6kY2fV86JGhckJmBPYq2SAEIQPs29FBCfLhybcqGU86g== Extension name: ra00n ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EE30A8064FA7386E

http://decryptor.cc/EE30A8064FA7386E
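
The ransom_template attribute carries three placeholders, {EXT}, {UID} and {KEY}, and the two notes recovered from C:\Recovery fill them with different values (98cewz97v5 / 322748F3E378EF88 and ra00n / EE30A8064FA7386E) while pointing at the same onion host. The Python below is an added example, not code from the sandbox or the report: it compiles the template into a regex in which each placeholder becomes a named group on first use and a backreference afterwards, so a *-readme.txt found on a host can be attributed to this configuration and its per-victim extension, UID, key blob and payment URLs pulled out as indicators. The template and both notes are cut down to the lines that carry the fields and the keys are truncated to a few of their wrapped lines; the character classes for the fields are this script's assumptions.

```python
"""Parse recovered Sodinokibi/REvil ransom notes against the extracted template.

Added example, not part of the sandbox report. The template and notes below
are shortened copies of the ones in the report; the keys are truncated.
"""
import base64
import re

# Assumed field shapes: EXT is the random lower-case alphanumeric extension,
# UID the upper-case hex victim id, KEY a base64 blob wrapped over lines.
FIELDS = {
    "EXT": r"[0-9a-z]+",
    "UID": r"[0-9A-F]+",
    "KEY": r"[A-Za-z0-9+/=\s]+?",
}

RANSOM_TEMPLATE = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.
[+] How to get access on website? [+]
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
b) Open our secondary website: http://decryptor.cc/{UID}
When you open our website, put the following data in the input form:
Key: {KEY}
Extension name: {EXT}
"""

# C:\Recovery\98cewz97v5-readme.txt, shortened; key truncated to three wrapped lines.
NOTE_1 = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 98cewz97v5.
[+] How to get access on website? [+]
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/322748F3E378EF88
b) Open our secondary website: http://decryptor.cc/322748F3E378EF88
When you open our website, put the following data in the input form:
Key: +Y0DFsETFsJOLMPLpBP6sgANjeSVr4xeHLdh737DnrNhDs2WXhKH2cUr5kFxmHo3
ymxdAguT6dJpz6M7QOEJvFmUGwXBkdbO+JGuuH2jP4EO5giOTIFRn2c2pQyGdlQw
3PGUlDWZlg1CreeAqXaWSnJIxMGo+L9s22AkJ9IOdTmP9CVq0Gw=
Extension name: 98cewz97v5
"""

# C:\Recovery\ra00n-readme.txt, shortened; key truncated to two wrapped lines.
NOTE_2 = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ra00n.
[+] How to get access on website? [+]
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EE30A8064FA7386E
b) Open our secondary website: http://decryptor.cc/EE30A8064FA7386E
When you open our website, put the following data in the input form:
Key: NmV/AbxAPv88s8XsZYWfWZzosLeLaKFyoy7OK/UE/UlBrh3gKdtxZqxFI8Y0vg/D
OC6kY2fV86JGhckJmBPYq2SAEIQPs29FBCfLhybcqGU86g==
Extension name: ra00n
"""


def template_to_regex(template):
    """Compile the template: whitespace is matched loosely, and each {FIELD}
    becomes a named group on its first use and a backreference afterwards,
    so a note whose two {EXT} copies disagree does not match."""
    pattern = r"\s+".join(re.escape(tok) for tok in template.split())
    for name, cls in FIELDS.items():
        token = re.escape("{" + name + "}")
        pattern = pattern.replace(token, f"(?P<{name}>{cls})", 1)
        pattern = pattern.replace(token, f"(?P={name})")
    return re.compile(pattern)


def parse_note(note, template=RANSOM_TEMPLATE):
    """Attribute a note to the template and extract its indicators.

    Returns {"EXT", "UID", "KEY", "URLS"} or None when the note does not come
    from this template (or its key blob is not base64)."""
    m = template_to_regex(template).search(note.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["KEY"] = "".join(fields["KEY"].split())  # unwrap the base64 lines
    try:
        base64.b64decode(fields["KEY"], validate=True)
    except ValueError:
        return None
    # Only the victim-specific URLs count as indicators; the torproject.org
    # download link in a full note is dropped by requiring the UID in the URL.
    fields["URLS"] = [u for u in re.findall(r"https?://\S+", note) if fields["UID"] in u]
    return fields


if __name__ == "__main__":
    for path, note in (("C:\\Recovery\\98cewz97v5-readme.txt", NOTE_1),
                       ("C:\\Recovery\\ra00n-readme.txt", NOTE_2)):
        print(path, parse_note(note))
```

Against the full-length template from the report the same function works unchanged, since the wrapped key and the long boilerplate are handled by the loose whitespace join; a note that matches neither this template nor its UID-bearing URLs should be treated as a different family or a different affiliate build rather than forced into this configuration.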

Targets

    • Target

      2d5012a0dcdb72409842b4606ec0ac48_JaffaCakes118

    • Size

      166KB

    • MD5

      2d5012a0dcdb72409842b4606ec0ac48

    • SHA1

      c6044b3b1d6b65be9fbec84846efa25cd8c30242

    • SHA256

      7aaf4b2e40306cbb65edd0aed85a61ef4bbe538837684f48eafefebbdb871c11

    • SHA512

      3f837cee85d9136cbbfce1cb13fd855d10893b8d898123930c46b99ebb4ed4a5c2d0a4f653e403b1f5f0b26601f330ac1d9c95766dc7e1483e393ee1919eb64b

    • SSDEEP

      3072:MJMawtnGqtWoKeZ9fh1CgnNto6jfRWQwOy8CwvD:Ww9vteqJggn7oUfRWoyBwv

    Score

    10/10

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • Query Registry: T1012 (1)

  • Peripheral Device Discovery: T1120 (1)

  • System Information Discovery: T1082 (1)

Tasks