General

  • Target

    366809d2d9ed25f5cc201660542fa9db_JaffaCakes118

  • Size

    166KB

  • Sample

    240511-y8j45sfg6y

  • MD5

    366809d2d9ed25f5cc201660542fa9db

  • SHA1

    9ee1d0ed426c36a0cd5df47d954ca39c892ede35

  • SHA256

    f860a3c27f44b98d953d05da28a474945b308a1b83d83ae7e6d4c20d1c06b30b

  • SHA512

    04cc3fe1b01b760c8f7f28ecfbb704989252346768656c11fa28878e0738ffcea50c4d023290f8cf61d9e944b3a4312275b34ede0dc8a39c67eb316c40d54592

  • SSDEEP

    3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3QlGLMlPso:NJ0BXScFyfC3Hd4ygMS0

Malware Config

Extracted

Family

sodinokibi

Botnet (config field pid, the affiliate identifier)

$2a$10$Kux3Skw.N6myiH75OVCb4ubqk6aVez11hFcuSuO6ezijQTRtviwde

Campaign

3434

Decoy (config field dmn: domains the sample sends HTTP POST traffic to when net is true; these are typically compromised legitimate sites, so treat them as indicators of activity rather than attacker-controlled C2)

centrospgolega.com

plantag.de

julis-lsa.de

slimani.net

modamilyon.com

sagadc.com

crediacces.com

ihr-news.jp

creamery201.com

samnewbyjax.com

ecopro-kanto.com

ulyssemarketing.com

sporthamper.com

collaborativeclassroom.org

myteamgenius.com

expandet.dk

x-ray.ca

blumenhof-wegleitner.at

igorbarbosa.com

officehymy.com

Attributes
  • net (send statistics to the dmn domains over HTTP)

    true

  • pid (affiliate identifier; same value as the Botnet field above)

    $2a$10$Kux3Skw.N6myiH75OVCb4ubqk6aVez11hFcuSuO6ezijQTRtviwde

  • prc (process image names terminated before encryption so that open database, mail and Office files can be encrypted)

    visio

    wordpad

    onenote

    infopath

    sqbcoreservice

    msaccess

    mspub

    sql

    oracle

    thunderbird

    outlook

    excel

    dbsnmp

    ocssd

    ocomm

    dbeng50

    winword

    tbirdconfig

    powerpnt

    mydesktopqos

    ocautoupds

    steam

    firefox

    xfssvccon

    encsvc

    thebat

    synctime

    isqlplussvc

    mydesktopservice

    agntsvc

  • ransom_oneliner (short message rendered on the replaced desktop wallpaper)

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template (note body; {EXT}, {UID} and {KEY} are filled in per victim, as in the two extracted notes below)

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub (campaign / sub-affiliate identifier; same value as the Campaign field above)

    3434

  • svc (services stopped before encryption: backup, endpoint protection and database services)

    sophos

    memtas

    sql

    vss

    backup

    svc$

    mepocs

    veeam

Extracted

Path

C:\Users\vxc5y43-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension vxc5y43. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/488A02A80B01158F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/488A02A80B01158F Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: PtqhptXa30P52Ly6InmGp1Mu5ONx2+SqYJjudLFIpMJ3IRCHOnjdAdhyl5TK8M9K 2BR3WnZi59+zlmSotrsm5+VWo4zv+j9fh010+Ap09Hq6qowBwpUVkQs3VHYDa7qL MWb55+szPOXUq4ZWpFlid31xsVCVNbTQySdTUp7I1XODZzb4C6MHku221NVXQKI1 lcJejm5zbWmPV262PkOkG0Uza58iCbay58vcI09Kxids7cXpKGf38yruq+tK40GT 9Z5ijbrW6tvUWW+VJP3cr9c+J2sXI14f+q6qlZ6FTqNASusssHNSIcv9vD7h2BH8 CEnMjXxsYiKegV5qMU7nU2oAT3U5khKLRb28bMPUVcDqhxJr6b+EbFQB2l9d6Ufc sVlndGqm+9+aMXYY1x4ZQrvp8srCVRLN7MmX/JFxKNxnj5j/jp5hrYne+K5FEKHv tyjGTHMa5N7F36J2Bkbhw+88ewI4tTqAuj9W4NkYc+Fy5NAAhfTkFlwubI74oVR+ VblISEqB7o1ddqm/WppQXntqK8QSUCTAJS5ftke46zEWu50lY4VCX4qnp/E3/XUP BpLmiRyI4YsqXkhvkIOb9lfNXzg3Q/43GSnFNO+2R1dkJwJh1FbfxT2b0USEMxSa ipJxYkJW9p2zBIS44HYfIM4HuHyvTIKoXzrHVfJHLSsMgfkeefG7OcwnhL8nUWdQ ItSWP+nkfWrDabeLPHYolQWis2gDknAebJ+T+WX5bupPxpyccN1kbthXUtZPF89u f2U+g6ujAaKNOrzBxWMq6LcbMjmgRkG7cXYPjNnEvLbvY7TDqoXvGtDpDjVWcoLr Yt3CaKGzsHEW9uBSUECc/gveZzOQ9ak6BvIK6SX+fNHY0j30kqO1k0usU3JFbPIa bkxIbnWpov6OujL5iMm3TAIcELN1xEJwfGyaOEp29VkmHlWViEm0OvJIiWpxGC84 eoB73o0I/879QA5qqy98ToxsVUUKUotCCx7DLO5h9lmdGSJldp2nNi/qFpHUSLCt OKg051zLV0I/BZBd81YMB4+ye+8jAVc7j7smfmG689aQZNTqhTcVHq237yoMofiJ AlbPIOOLjz60oHQW5Ty7tb2vPnyzSrjF02n9cttp3TyOpaHc8XZ7/mUR1PRbDQO4 t2g2Chic1KSgWFaaSqejYsVnNILyDZwSZK6NJ1WVE26OeJy0kOlXV4eSn7pCLREV DzQWOMjROuTSITnZTSu9E3jotWn+VLsCWwid4ML99f0rgCRHOeMdLcOtx6vkVQUa rLJotVFhiGPtX+TH/INs1mABYPgRl0e7AqpNiiQ+q2mKhHZ2k/eOaFDGVMA1LOHw uJYW/6KfqPLS5zNEgVeG0Jb8CB7Xv7lcBWb316uuPVKYDA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/488A02A80B01158F

http://decryptor.cc/488A02A80B01158F

Extracted

Path

C:\Users\d4q8h-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension d4q8h. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3822E06E9D7CAEBA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/3822E06E9D7CAEBA Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: b0Qh5hwgs0n9wh5VEYpnn0dJfe7B5hZ4U/N6PJMKXKlDeINRM/Lnm7P/wgevb2Xs 2BT+BU2g5nquK4+UPT7wuWPow3weoeT04ALJRN7vzn5RRyECIsVlakdP5UX56uiF iw8bxIk5IaHHvjGulpcTrPLEx5Dh5f04xWuk09uGBGiTl26nsz/CLUNbotQ/LKx6 pIo/RLw/tXpQtwBMdX1vqufNboVnUBVod+07EXcb5o3dWd0HgWw26V4GYzjmANoR FgvlmuX3Pjtptj6u+pkMpj8U0SdjfXSUh8gFplJSjuPFHA53Ow4ujSyZIvJLH0Nu hmX2MuhhnzqH6ZONGNjG+j/GT4wMuWTCJ1b+SOeXPVZEZifE78Lrz0NXWjqCOfY8 SWqHV5eJ7WbXZ9wI6a08Uu6rGOLC5sux3PINeNZ3Xp0Shha4mUdizpkvjt6GxBhX FJP0XsdjuSNYtBQbJLdsbA0IlfA4OpfdgKYtuR214N5gXeavHnfmolJhvgx0qmAe 0MHLAc96OGUvrh9K1v7sOOX5tuBSLTgio8B/h8tmhAeefHKhlCYgLaeB/JZCSN91 UJfjNFq9T8vFfjR9Ury4DOtxl9WqJFVOIPkHwO8W6Pu524oPuGojn0mc+WWLX8An yIzluuH+s4VR81fYm7Q3vcTf2Q9vswtAA9wSJt8mEO2Exfurm4WGt+BtVL1y0HfT 6sCUsrrO3AFCNL1hcHAeLTtbXj7JhM28MlTveJ9N3aFet3jwKG5mIyb+AiXnXAoN ArfTFMER8NXHCgJNYxyij1qlLsPej7LFHpzN6S3//nDrjDkBYOBwK2RVcCBBA1LX asKOQBSQTwC1X+NkQh91+QiifVRQMxDmrvoyhPFm5byF9eY9UY3cNXUW8wLrF4y+ M7/nvxvFhamqyOe3EBpmG6QQn0umkB+iRoVbccppK5BuN6wk9c/cnrcVLki4G6Da J6xAHh/TA/xMHYax+24MD1+KV45gOW7rSNZE3ieyGIL13GUXAL0PDI1T/QWikxKL J5qrvIa9dFj35ytBJbh+gt6aMuyHHIlbOmo5yE8KvEJcdZflU/d87+FCZntmY8Nn RcgF5WQmSj6ejVeGJFG6tM3Wj1yKdxAM/kEfqvSb+UcUv10YC/BgScxQXfTbWf9Q ohUKf0hqwzdM7P2+TIyVaceByp9lW9ons/zzRAoUdId3EprzxWZUACmnHmaL6pHB OXpAWeksmBJxD8O5+buea5CSDNfzS+y/8mQUR/C4nK6L0DfUe1CFb+5fXBkk/mZy BlMDSkz6Bt3jXgbJgqh7ksCBp4GodH2Ug1MGn9CTbG61+A9s/GgaQt4ruh2WzbHE WuZe8KY/NlUZjvtqxgexZwf2L0ajKsJH++sGQ1FNWfj3ZdRL ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3822E06E9D7CAEBA

http://decryptor.cc/3822E06E9D7CAEBA
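The two extracted notes above are instances of the ransom_template from the config with {EXT}, {UID} and {KEY} filled in. The script below is an added triage example for this page, not part of the sandbox report and not the malware's own code. Given the text of a dropped readme it pulls out the per-victim extension, the 16-hex-digit victim UID shared by the .onion and decryptor.cc URLs, the URLs themselves and the base64 key blob, and checks that the note's filename follows the {EXT}-readme.txt naming seen in the ransom_oneliner and the note paths. The sample note it runs on is constructed to mirror the report's notes; its key blob is synthetic, not a real victim key.

```python
"""Triage helper for Sodinokibi/REvil ransom notes.

Added example for this page; not part of the sandbox report or the malware.
The sample note built by build_sample_note() is constructed to match the
report's note layout; the key blob is synthetic.
"""
import base64
import re
from dataclasses import dataclass
from typing import List

# "all files on your system has extension vxc5y43." -> vxc5y43
EXT_RE = re.compile(r"has extension\s+([A-Za-z0-9]+)\b")
# Both portal URLs end in the same 16-hex-digit victim UID.
URL_RE = re.compile(r"(https?://[^\s/]+/([0-9A-Fa-f]{16}))\b")
# The key blob sits between "Key:" and the long dashed separator; the note
# wraps it into 64-character chunks, so whitespace is stripped before decoding.
KEY_RE = re.compile(r"Key:\s*(.+?)\s*-{20,}", re.DOTALL)

# Naming seen in the ransom_oneliner and the extracted note paths.
NOTE_NAME_TEMPLATE = "{EXT}-readme.txt"


@dataclass
class RevilNoteIOCs:
    extension: str
    uid: str
    urls: List[str]
    key_b64: str
    key_len: int


def parse_revil_note(text: str) -> RevilNoteIOCs:
    m = EXT_RE.search(text)
    if not m:
        raise ValueError("no file extension found; not a REvil-style note?")
    extension = m.group(1)

    found = URL_RE.findall(text)
    if not found:
        raise ValueError("no portal URL with a 16-hex victim UID found")
    uids = {uid.upper() for _, uid in found}
    if len(uids) != 1:
        # A note whose .onion and clearnet URLs disagree has been tampered with
        # or belongs to a different family; do not report a UID for it.
        raise ValueError(f"inconsistent victim UIDs in note: {sorted(uids)}")

    km = KEY_RE.search(text)
    if not km:
        raise ValueError("no key blob found")
    key_b64 = "".join(km.group(1).split())
    key_raw = base64.b64decode(key_b64, validate=True)  # raises on non-base64 junk

    return RevilNoteIOCs(extension, uids.pop(), [u for u, _ in found], key_b64, len(key_raw))


def expected_note_name(extension: str) -> str:
    return NOTE_NAME_TEMPLATE.replace("{EXT}", extension)


def note_path_matches(path: str, extension: str) -> bool:
    """True if a path such as C:\\Users\\vxc5y43-readme.txt follows the naming template."""
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return basename == expected_note_name(extension)


def build_sample_note(extension: str, uid: str, key_bytes: bytes) -> str:
    """Constructed note in the report's layout (synthetic key, shortened body)."""
    key_b64 = base64.b64encode(key_bytes).decode()
    wrapped = " ".join(key_b64[i:i + 64] for i in range(0, len(key_b64), 64))
    return (
        "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
        "and currently unavailable. You can check it: all files on your system has "
        f"extension {extension}. By the way, everything is possible to recover (restore), "
        "but you need to follow our instructions. [+] How to get access on website? [+] "
        "1) [Recommended] Using a TOR browser! a) Download and install TOR browser from "
        "this site: https://torproject.org/ b) Open our website: "
        f"http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{uid} "
        "2) If TOR blocked in your country, try to use VPN! b) Open our secondary website: "
        f"http://decryptor.cc/{uid} When you open our website, put the following data in "
        f"the input form: Key: {wrapped} " + "-" * 89 +
        " !!! DANGER !!! DONT try to change files by yourself ..."
    )


if __name__ == "__main__":
    note = build_sample_note("vxc5y43", "488A02A80B01158F", bytes(range(256)) * 2)
    iocs = parse_revil_note(note)
    print("extension:", iocs.extension, "uid:", iocs.uid, "key bytes:", iocs.key_len)
    for url in iocs.urls:
        print("portal:", url)
    print("note name ok:", note_path_matches(r"C:\Users\vxc5y43-readme.txt", iocs.extension))
```

Run it against a real readme by reading the file and passing its contents to parse_revil_note(); the UID is what ties a host to a victim entry on the portal, so it is the value to record per host alongside the extension, and the two URLs are the only network indicators the note itself yields.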

Targets

    • Target

      366809d2d9ed25f5cc201660542fa9db_JaffaCakes118

    • Size

      166KB

    • MD5

      366809d2d9ed25f5cc201660542fa9db

    • SHA1

      9ee1d0ed426c36a0cd5df47d954ca39c892ede35

    • SHA256

      f860a3c27f44b98d953d05da28a474945b308a1b83d83ae7e6d4c20d1c06b30b

    • SHA512

      04cc3fe1b01b760c8f7f28ecfbb704989252346768656c11fa28878e0738ffcea50c4d023290f8cf61d9e944b3a4312275b34ede0dc8a39c67eb316c40d54592

    • SSDEEP

      3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3QlGLMlPso:NJ0BXScFyfC3Hd4ygMS0

    Score
    10/10
    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic      Technique                      ID      Count
Discovery   Query Registry                 T1012   1
Discovery   Peripheral Device Discovery    T1120   1
Discovery   System Information Discovery   T1082   1

Tasks