General

  • Target

    355e7899e9b1c032865ce0e2b98a257a_JaffaCakes118

  • Size

    204KB

  • Sample

    240511-tbyttahb72

  • MD5

    355e7899e9b1c032865ce0e2b98a257a

  • SHA1

    cb96abf6a6172feb9e95fb08981a44332cd06ea5

  • SHA256

    a207ef339a7b12a825bd9f5fc6349e6c1ec130dbcb48d663d0d1fc91a534aa0d

  • SHA512

    18bb8f91153fcac63881e189f0e40301f49b21018b66b6b560e80fd8b843c27610bf59bfbfb804cea98b07a32f4bc7cf31c562589307ba6f938531addc9e9d21

  • SSDEEP

    3072:sr85C3oFiWjmfb+HP+rnRfUqW1Am5T+8WCdHwJK3Bc:k934jmfCHWtUP1Am5T+LCNwE3G

Malware Config (extracted)

Family

sodinokibi

Botnet (config key pid, the affiliate ID)

19

Campaign (config key sub)

35

Decoy domains (config key dmn). When net is true the sample POSTs an encrypted beacon to a random path on these hosts after encryption. They are unrelated or compromised legitimate sites, not attacker-controlled infrastructure, so blocking or hunting on them has to be weighed against the collateral damage.

latableacrepes-meaux.fr

deziplan.ru

citydogslife.com

karmeliterviertel.com

mundo-pieces-auto.fr

sveneulberg.de

avisioninthedesert.com

pureelements.nl

aidanpublishing.co.uk

gavelmasters.com

biblica.com

baita.ac

innovationgames-brabant.nl

production-stills.co.uk

xn--ziinoapte-6ld.ro

reygroup.pt

apogeeconseils.fr

kristianboennelykke.dk

andrealuchesi.it

efficiencyconsulting.es

Attributes
  • net (when true, send a post-encryption beacon to the decoy domains)

    true

  • pid (affiliate ID; shown as Botnet above)

    19

  • prc (processes terminated before encryption so that open database, mail and Office files are not locked against the encryptor)

    winword

    encsvc

    steam

    tbirdconfig

    oracle

    sqbcoreservice

    mydesktopservice

    mspub

    ocautoupds

    wordpad

    ocssd

    firefoxconfig

    mysqld

    thebat

    excel

    isqlplussvc

    thunderbird

    mysqld_opt

    outlook

    visio

    onenote

    synctime

    agntsvc

    thebat64

    sqlservr

    dbsnmp

    msftesql

    mysqld_nt

    ocomm

    infopath

    sqlagent

    sqlbrowser

    powerpnt

    dbeng50

    mydesktopqos

    msaccess

    xfssvccon

    sqlwriter

  • ransom_oneliner (the short form shown on the replaced desktop wallpaper; {EXT} is the per-run extension, so the dropped note is always named <ext>-readme.txt)

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.top/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub (sub-affiliate or campaign ID; shown as Campaign above)

    35

  • svc (services stopped before encryption; the entries read as substrings, so "sql" and "backup" cover every service whose name contains them)

    vss

    veeam

    svc$

    memtas

    backup

    sql

    sophos

    mepocs
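To make the prc and svc lists concrete, the Python below (added here; it is neither the report's nor the malware's code) applies them to a constructed process inventory, a constructed service list, and constructed Sysmon-style process-termination events, and flags the burst of kills that precedes encryption. The exact-match rule for processes and the substring rule for services are inferred from the shape of the lists (separate sqlagent/sqlbrowser/sqlservr entries versus a bare "sql"), not from disassembly, so treat both as assumptions.

```python
import ntpath
from collections import defaultdict

# prc and svc values copied from the extracted config above.
PRC = [
    "winword", "encsvc", "steam", "tbirdconfig", "oracle", "sqbcoreservice",
    "mydesktopservice", "mspub", "ocautoupds", "wordpad", "ocssd", "firefoxconfig",
    "mysqld", "thebat", "excel", "isqlplussvc", "thunderbird", "mysqld_opt",
    "outlook", "visio", "onenote", "synctime", "agntsvc", "thebat64", "sqlservr",
    "dbsnmp", "msftesql", "mysqld_nt", "ocomm", "infopath", "sqlagent", "sqlbrowser",
    "powerpnt", "dbeng50", "mydesktopqos", "msaccess", "xfssvccon", "sqlwriter",
]
SVC = ["vss", "veeam", "svc$", "memtas", "backup", "sql", "sophos", "mepocs"]


def _image_stem(image):
    """Basename without extension, lower-cased: OUTLOOK.EXE -> outlook."""
    return ntpath.splitext(ntpath.basename(image))[0].lower()


def processes_to_kill(running, prc=PRC):
    """Processes the config would terminate: exact, case-insensitive match on the
    image name without its extension (assumption, see lead-in)."""
    targets = {p.lower() for p in prc}
    return sorted((p for p in running if _image_stem(p) in targets), key=str.lower)


def services_to_stop(services, svc=SVC):
    """Services the config would stop: case-insensitive substring match (assumption),
    which is why 'sql' also reaches SQLWriter and 'backup' reaches any in-house backup agent."""
    needles = [s.lower() for s in svc]
    return sorted((s for s in services if any(n in s.lower() for n in needles)), key=str.lower)


def termination_bursts(events, prc=PRC, window=10.0, threshold=3):
    """events: (seconds, host, image) from process-termination telemetry such as
    Sysmon Event ID 5. Returns hosts on which at least `threshold` listed processes
    ended within `window` seconds: the pre-encryption kill sweep, not a user closing Outlook."""
    targets = {p.lower() for p in prc}
    per_host = defaultdict(list)
    for ts, host, image in events:
        if _image_stem(image) in targets:
            per_host[host].append(ts)
    hits = set()
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(host)
                break
    return hits


# Constructed inventory and telemetry for a quick run.
RUNNING = ["OUTLOOK.EXE", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
           "mysqld.exe", "notepad.exe", "SophosClean.exe", "excel.exe"]
SERVICES = ["MSSQLSERVER", "SQLWriter", "VeeamBackupSvc", "VSS", "Spooler",
            "SAVService", "Sophos MCS Agent"]
EVENTS = [
    (0.0, "WS-A", "outlook.exe"), (0.4, "WS-A", "excel.exe"), (0.9, "WS-A", "notepad.exe"),
    (1.2, "WS-A", "sqlservr.exe"),                              # three listed kills in 1.2 s
    (0.0, "WS-B", "outlook.exe"), (95.0, "WS-B", "excel.exe"),  # ordinary user activity
]

if __name__ == "__main__":
    print("kill:", processes_to_kill(RUNNING))
    print("stop:", services_to_stop(SERVICES))
    print("burst hosts:", termination_bursts(EVENTS))
```

The substring rule is the operationally important one: any service whose display or key name contains "sql" or "backup" is stopped, so a custom backup agent named with either word is not protected by its unusual name.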

Extracted

Path

C:\Users\8zpm7q9169-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 8zpm7q9169. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2C13A27D21BA5AEF 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/2C13A27D21BA5AEF Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 8Q+gJbPKQid258inKMP65fQxjSLAfC9hs8Hq7okle3iG/mzboSfRC3nz6r1Y84U1 0f37sXnxy3hAq3MoyV0zTJLB6oNOYRjHBFh3tEiYe7xst9EvlbHPmOUsG6h2ev54 KAUStI8rQXd/QjQde0qTvJ9ebFdPbbPM2DQJ5pgdhTmJT1Imo0mGyND6eSZc897x 6CNlxXbP6qiXAmPyqrVakGVsXAstX4LjUQRhOttYTQHhsxViE8YJuQpDlc190Prw tJnE1/yUAtMWEWswKGcPGMJQtlFhA5amWWxUivSFdlaXI6nh2ATP+PFQ3nvoFwoi ZJGypiTDhG1cpz5WfwqyXpmEmUmR3DcEAwGZbuRh7GQRvw+Bmk86xma1HkeSb7dF YVLMD4BjKYOAwMShDojktKnelif38YkW01wVBOOyJFclhIEIb85Y9igCXm/I8jit 8PMyIkIf28w+ZSJY0uRC4AiS/g1fVW4fRXXLmlYPs/Ar2xlf1nBkwruzQTLguGK6 unAfP6z6z4sKeIFOfDIGDmfA+DSkd/ASOloZePMi/+zTQ1EigMmV6CN8OwqnGGwb 0xdpR9rKpDpnEpFZiXz3Wdz1gRdyXs7Zf9a1qWT3CB30IemYUXt7O2cqogWOimYs +HHAix3egQXeCdrmFSahIbdsA2I1p2oZI9PuvAPB9gcqYrYKgEAidoHiePpU8Sk+ B5sxv4YXYywgz8/Min5oP8DNN8Wa7qtK9hhat53npw2P4EE4wOIN06CUewRlTUJS sw9UXohyhQLBaE/O5LRO1jGrdExHRnsUppJ6/y2ZEHPAzERjrGuCp2/Rjtf+MQgP hn/2kTLyxdgE2touDpt/BYZjQazn4lm9J2I2qFjw2qqvuQG2SdiEA2OBeNkMrA79 dEr1hJyDpzENApZw9QDW8S68/LT+W65ifFsuiQkWZka9HL9n3QudBQevUfrssQLn JkV6z+uYaisykx33Y3R7cRd43u4jP1t7ojBZBm4okDGUnqchbDf4NemhVkdILKk0 BK8TBKzWFlRMTqJ8tlO6Ahm0xCI5bXxqTWhpMmi8E0SRcZLwvzwDmhjM6OjmgfTu QOnNITXcJbfB2fp4UazMcZGHuxa1TCE3OHbmz+TSg7W/JHFOGd3M78MdGwUfKHZb txUmym5p0sN9vpHpBzyGvr3JgM6YKMildljL9u/ccdW+DE52Lw1jEbgCs1R0c4ak /ZV8gRl6Mo9BdlGg1GIicA== Extension name: 8zpm7q9169 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2C13A27D21BA5AEF

http://decryptor.top/2C13A27D21BA5AEF

Extracted (second note: a different extension and victim ID from the first, so the payload ran at least twice in this detonation. Both values are generated fresh per run, so neither is a stable indicator; hunt on the note name pattern *-readme.txt and the two hosts in the URLs instead.)

Path

C:\Users\j9gm95x-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion j9gm95x. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4718CCCC021282C7 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/4718CCCC021282C7 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: GIkzBLcIJIOESXN3P3rD407q+OgyKnf1FjTwqOj9/gycQRovgMca/eekmTA77Xoy qeM4doYQBnNVO/VSVl9AqfnZ/z+eiWuRVd/UYAnbIb5ZIknla4D4fjpkNjsPJp4V 5eE3Amk+8SRONihzTipjdOmbIhjNjSoNGTtn/jK1QqFz2j91Gk1EGv86DNWgK7H6 K56daTS1jrJbyZzKADEeB4PeN5lFsoKlW8UfMKJrb4WFrRja/me2dlJda4OzDxF4 tKIetVtQj//3Lpdt12eXmjwUT2vY7V5DqSroMjIlYmg8l0zZHfJTEIaQP0NnPd4G TCcJ7oezedWrCnnm8YoGLbwpZYMxr0vngGTwRIsBjg8oPBEcDsK/wrPPrHqFUxoY hdeUtea3FH/2xpeZjio6/M7QzOsZ2rxZuaPZP1tfizz7XPNX5eYbNw3PQm7x+BvO EeHJc2iMHWTdE1w4yGbnoiVeE7dtlx7ddNhqmrqhekak5PfzI0QjonElUHoorTTq VJLOo88KvNPsq9o1J8R+zPqQQBt3j0/B444ThBvqg/wYIagkTaLReWWHYKsmxbKd 03hBW5+e8dMFQMQKWOUa7KzAreZWId5lxF0e/4/zdhnilaGfBP+C9t4Qf+ucK1p3 xQAUOBaGJthoQvd0IdvN7F7x9VcMeX/s7aEa0OFeejVF2XdeJqPZT1hUrh4xTRxD SlnunuueIEThEatV4faM+IvOQ2qPGj1XyoigJKBSoNdTTM4/UWSXMXYsFFWEj60X urZMNAk1Ljae+ywtkTEtV+PeUgCdlSnCkSnUWXzSjQnyjz0VJfaJJTPIzqnoz5h1 fP2ZrjJpG61z/xPOv04zi5YVhyb560KHi/BSgJim9gbLs6QUP3hSO5GZcgeFeSfz +8Nz/ZZlop5oFakw1f0FpnfykvrAP5oDxy0Ht1DrV5G2yiuQ8Q7vjONtpFO8sSm4 6Xa4QBot5gGYIXZGmUYWtqJMlG+J/bVlbHNCjqueZ/bHU8sWTxGKrUoLBx4iFXX2 EKAb/iBYjtyq2WoTOBriXzEpdD9KtnPYNwAp3HtB345Gt5AXDpfku+Nctu/b+bYi VuxLuG8Gi3mlhzU55UeAkE0MeesCQalcvAmdj5PyiXZt4gqU6en2ZtmDYViqvw+K HUzOsco/vRbDvUUbzues0PcBOOFlHwvs12zYKkuUzwsD5a5PQ9zmnQbsITQ3LUnm AoP2t+PufpW2PWL3WIhf8g== Extension name: j9gm95x ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4718CCCC021282C7

http://decryptor.top/4718CCCC021282C7

Targets

    • Target

      355e7899e9b1c032865ce0e2b98a257a_JaffaCakes118

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it prepends its own code to other Windows executables so that running an infected program executes Neshta first, and it hijacks the .exe file association so that it is invoked ahead of every program launch (the "Modifies system executable filetype association" signature below). Seen together with the Sodinokibi detection, the usual explanation is that this 204KB REvil binary was itself infected by Neshta on a host that already carried the infector; the ransomware is the payload Neshta unpacks and runs, consistent with the "Executes dropped EXE" signature.

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi/Revil sample

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence: REvil skips hosts whose locale or keyboard layout belongs to CIS countries, so a detonation VM configured that way shows no encryption at all.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      Maps to T1546.001 below. For Neshta this is a rewritten default value under HKCR\exefile\shell\open\command; check and restore that value during cleanup, otherwise the infector is re-executed with every program launch.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials. In a ransomware detonation this signature is usually the encryption sweep walking the browser profile directories rather than credential theft, so treat it as a weak indicator on its own.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive, so that they can be encrypted as well.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      The replaced wallpaper (carrying the ransom_oneliner text) is the T1491 Defacement entry below.
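Added here as a worked check (not the report's or the malware's code): the "Modifies system executable filetype association" signature above and T1546.001 below correspond, for Neshta, to a rewritten default value under exefile\shell\open\command. The Python parses a .reg export (a constructed one is embedded) and reports any exefile verb command that is not the stock `"%1" %*`, naming the program that has been put in front of every executable. The svchost.com value in the sample export is modelled on the documented Neshta artefact, not on anything this report shows.

```python
import re

# Stock default value of HKCR\exefile\shell\open\command on Windows.
EXPECTED_EXE_COMMAND = '"%1" %*'

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_DEFAULT_VALUE = re.compile(r'^@="(.*)"$')
_EXEFILE_VERB = re.compile(r"\\exefile\\shell\\[^\\]+\\command$", re.I)


def _unescape(reg_string):
    """.reg string values escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r"\1", reg_string)


def exefile_hijacks(reg_dump):
    """Scan a .reg export for exefile verb commands that are not the stock value.
    Returns (key, command, interposed_program) per finding. Values stored as
    hex(2) (REG_EXPAND_SZ) are not decoded here and would need a second pass."""
    findings = []
    current = None
    for raw in reg_dump.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _DEFAULT_VALUE.match(line)
        if not (m and current and _EXEFILE_VERB.search(current)):
            continue
        command = _unescape(m.group(1))
        if command != EXPECTED_EXE_COMMAND:
            # Whatever precedes the "%1" placeholder runs before every .exe on the host.
            interposed = command.split('"%1"', 1)[0].strip()
            findings.append((current, command, interposed))
    return findings


# Constructed export: a hijacked open command, a clean runas command and an
# unrelated file type. The svchost.com value is modelled on the Neshta artefact.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\svchost.com \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

if __name__ == "__main__":
    for key, command, program in exefile_hijacks(SAMPLE_REG):
        print(f"{key}\n  command : {command}\n  runs    : {program}")
```

On a live host the same value is read with `reg query HKCR\exefile\shell\open\command /ve`; `reg export HKCR\exefile exefile.reg` produces a UTF-16 file, so open it with encoding "utf-16" before handing the text to this function.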

MITRE ATT&CK Matrix (ATT&CK v13; the number in parentheses is how many signatures above mapped to each technique)

Persistence
  • T1546 Event Triggered Execution (1)
  • T1546.001 Change Default File Association (1)

Privilege Escalation
  • T1546 Event Triggered Execution (1)
  • T1546.001 Change Default File Association (1)

Defense Evasion
  • T1112 Modify Registry (3)
  • T1553 Subvert Trust Controls (1)
  • T1553.004 Install Root Certificate (1)

Credential Access
  • T1552 Unsecured Credentials (1)
  • T1552.001 Credentials In Files (1)

Discovery
  • T1012 Query Registry (2)
  • T1082 System Information Discovery (3)
  • T1120 Peripheral Device Discovery (1)

Collection
  • T1005 Data from Local System (1)

Impact
  • T1491 Defacement (1)

Two of these mappings deserve a second look before they go into a report: T1553.004 Install Root Certificate has no signature behind it in the list above, and T1552.001 Credentials In Files rests only on the browser-profile read, which for ransomware is most likely the encryption sweep. Confirm both against the registry and file events.
