General

  • Target

    42a2e208bc7721348699212bc5cf50e5_JaffaCakes118

  • Size

    222KB

  • Sample

    240514-xs5v8sbf3v

  • MD5

    42a2e208bc7721348699212bc5cf50e5

  • SHA1

    15934add1f6f10bc50daa707bf8d02bb62edbdf7

  • SHA256

    d186adf9bf8ae0b9759a2836f94597d6832f076bd03de9886181be53183d25de

  • SHA512

    2549f5273ea6120dc18a97c1f59324e6e5696b15bf7f56a5c22c4d1c461fd6da200272aa58529b42a8e2ce6e8c8b1298030b38298bed9194b26882be8cb8cebb

  • SSDEEP

    3072:sr85CIyyTsnAdu5tjgn/RRKwkwvMT3QE4f07YouoFhiLFrb30BRtBZZg+i2T:k9nyTsnXToKJw4gEWpoFuJ0BXScT

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$SlLR2WWgiOxrDQLqdHYA/Or5zeu.wNuMGc5rN/HHrIObc1EkKCIZa

Campaign

3181

Decoy

    [list of 20 decoy domains omitted]

Attributes

  • net

    true

  • pid

    $2a$10$SlLR2WWgiOxrDQLqdHYA/Or5zeu.wNuMGc5rN/HHrIObc1EkKCIZa

  • prc

    agntsvc

    wordpad

    onenote

    mydesktopqos

    mydesktopservice

    thunderbird

    winword

    excel

    visio

    isqlplussvc

    dbeng50

    encsvc

    steam

    mspub

    firefox

    outlook

    dbsnmp

    ocautoupds

    xfssvccon

    tbirdconfig

    msaccess

    ocomm

    sqbcoreservice

    sql

    ocssd

    oracle

    infopath

    synctime

    thebat

    powerpnt

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    3181

  • svc

    svc$

    backup

    vss

    sophos

    memtas

    sql

    mepocs

    veeam

Extracted

Path

C:\Users\69r5t5847-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 69r5t5847. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0E049F2593381959
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/0E049F2593381959
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: WagjeJS1focIfZecMPkqi0yz+a30S6HEHF55ez6iWPhuOxa5Xhk6JeFoDqbHYrj4 ksV4e6UR5m3rDv0vNJU1VHbGke+zrWJNi7U6KoVotuDbe3ORjrfDkhOJGWeXQrcZ o8hNI45q+serV/KGTUoHItEhBCLau/S+x7524rxSWzUBW/a2vKtsFdtcGAm9/4Xu N7FpAbZU9hOY0h+fCrxuAz0ttQ0Z4jxn0QAnnaq6bxE3G9zo+/LS3wx5sVwPNnNs Co0+uXM6saQ85i9NTzuE8O7bA/M+7UIqaplRlT94M1uHeCLnEpKUcMRGxXGmJuc9 k+NMiiQozg230AOE48sELhe76wql6VQcl2oZ0Vp0FI7Ma2muZwqo6lB3Xlncaowt oTcoraiFVNK1ippx08qZtbUl8Uv5Zm4o9YLuqeivHbOWd5t6yPpblmrSN6OjPCET 2SFn5W8s9d4szmQlqhwtxNVz3ef7H6rvyCRbVCSuL+fqotKGzBCzz0siZW58wsKB 9e1/2yVzVo9IU54zdz/4d8HF6wDhfgzs3X2jnXNLt4YLNC3u2Ah78cEb0FZGh4PN HQGWY8SKd8MIIY9PZVklh584B2zH01VBpsTxqz8EwGR8lygYffylFCvyR8mTfa9M BxHlAzv52QwvDUcYQ7MDxTI1ZsS10E+b1cYiyXTCViOwkBmZc+Xf3kap9PHEPP3w LiTQYFh3tle56/0+epJY46/mFAuVJhPzBGkzKi1w+oP5npcFvGDWHfh8iQ4f+oaO C6F4wNRlw6MggJEiSnO4kMRKB3OWvKx24sgJVlmZlIAi5gD4wioxmCt2kW/bGQkL o7BJcoCs/wQQnaxv5+lC6RTGodk9HKaqiTPq1K1Uq7hGOsNMvjRv57Hoi0/eJuqK OqmETtNn6xrk0x8fbRsih4FrEzbH9XIMuBn3ysVeEhXpi7i2BAc5cT0ZUGHtdaP9 qfm7fCbRigEueeW71Plt7BnW2S4H8Aem/U8Z6/NUCJxT0uvXKtN+4fLmcyIZVZi2 bzI6YOmR4NW0Yn/+nMYbxk5Es84XbsXaj90vYSGOPS3ncWuylxfu5BofgqHNpfqb Tp6gby3FlT2uvRinzimkKAVkMf25uvBVyQ4vVZ/lPTBN9xW/sQZjtvq4aIzL1DYi 6wL9i7HIL0EIk9eYVls1cbc+W8ohRuFDOoOMWkYWIfEEFFdAPhPnZiJN/Xd+eXMl GNMOoPGra17Gef7p5C5PYTRvcejfKM7Ojyxm0lCY4+walswlNwEk5UyqKDKFOgxy w5gq630//pJ2eZxIbZOfCQ/xwKzeBNGb+i5zHnJEXQ5suEHscRyyn8NrDaz/MIpb MZi7WJEKCmg9X4YbViyqj7xOR3ycG3Wg81e+ekMI54oaHaKfaVE= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0E049F2593381959

http://decryptor.cc/0E049F2593381959

Extracted

Path

C:\Users\324r52k7-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 324r52k7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/082B4BBB7D859F3D
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/082B4BBB7D859F3D
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: jxHYy0qdR51909MTKFUXvf0xpB5WBg7BZqkGbtHD8r/0r2IFWhqVPm1e9MBgu6BC pz2JKf45Rw6tvtzsGyKQ99ooKdZvHfdNiDtH4NSjpy+oPYc6EoTx5ActWvlVsfcE 9vnFQCiCxkOD/r9NVZL85wrI48MhgeIIioHix2Hbbu5lbynuqDHmnyO36BaMJiGr DCzDaQlal4fNi+zUId9V1FIE4vq3gGrbhPl00FTN5viAr0TohcdXyYZVTrqmJeva e1nw2x2X88gY0YqkXLJfg3txgJ0k04lgQe2UVOAiNgqWmj8i0Jpg/z8iIAtcmuoE Ntt6mrEkqJnrszGPoSxABBg3jZKh6bjhN22+PGJy6vCedHkcqdln5/RlU6pr91H2 9YsHURA4Ne7f7d2sS0MUlulq8Guxa/r7WSekSTo91yZebrNlWaz0QLtUKkNvzmxu febUs5tADz1QW4uN25mN48pxpTFaAKffwSdju3lsHbluVz3w0AlYSrf0rYzePhRT ch2OqxfLZxu+t3DGEj/e/nf3gunzcIHKrrHt96QqyrepECOqF8c3E68yQG01pgmO oPug7oW3UsaZEj01NdCxdVM3Lr1PxCxlx3AaNURMlj5pycVDPRaoYwU7imIrOHnb 71PwW2IawyJfo6+sLOw2yLY4opEllSuEQ0Xcz47Mkw/dFRFkyhsIhPMO+VUNzEXh /eF1fxE5JBlfqYTqvZL9IyUJAvIzo/GsJZ+E1tcGAq+lKaTx3pWQsrZJ/xOzZhW/ ib/XJXcR5BJ5w8rCowcBqDoQ68vfJCG+uY3tSe7lS0xde6WW1mJIRssuBT7oNDfX E+qT+AiC072F+gByXUgTv1MRIAohr9DahlWbikOsC2+tWZ4htWlxczikh205DK+w pg/CA7jUH2655mMfm8JfcRiuGMocMvalp+qeFgLuYhd5Xl1DgPE0DF+gixk305bK 4+wQ2fF6dJrd6fBAdxSJqRLniA6N+lql65cXsvofUN4XDnkVR47yCCq9yGBd3eRB awM3u6b3dw5cNlbjPiQXSHaWfujbiTS8DsvrV9iL781GbYvXtSGG/Qf1wyUzP/ce NC3EeixuII+CkuadNK2DQgH1iDOjh6VKPpKaTwb+AfxVX87Q6eIv7Hy/ZLWEwLRw vuz2y9Ym/ZuC0/OmIe5/OpUMgR55fVa5LgtuEuHsoNG/Guq4W0a7xBXGjBBQubfs k6rsVGjmWsnMhNnIB4z3U1ugxHa3NIsFhLjXEIxGqMAWqwpk2i8mE9a47mCHwSo6 ck4zArJ7jv9IVe4x24zQuR7x7STnV8VmelrLDctr9gS7AmwqlgA1Wa3nJrLmNnPl iD9zgGGfR8P0QVQk7ZmmqbVcWMQRcTywNgXAfogw2QSs6nbME80HP031 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/082B4BBB7D859F3D

http://decryptor.cc/082B4BBB7D859F3D

Targets

    • Target

      42a2e208bc7721348699212bc5cf50e5_JaffaCakes118

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family is a file infector: it writes itself into other executable files to spread and cause damage.

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Event Triggered Execution, T1546 (1)
    Change Default File Association, T1546.001 (1)
    Boot or Logon Autostart Execution, T1547 (1)
    Registry Run Keys / Startup Folder, T1547.001 (1)

  • Privilege Escalation

    Event Triggered Execution, T1546 (1)
    Change Default File Association, T1546.001 (1)
    Boot or Logon Autostart Execution, T1547 (1)
    Registry Run Keys / Startup Folder, T1547.001 (1)

  • Defense Evasion

    Modify Registry, T1112 (4)
    Subvert Trust Controls, T1553 (1)
    Install Root Certificate, T1553.004 (1)

  • Credential Access

    Unsecured Credentials, T1552 (1)
    Credentials In Files, T1552.001 (1)

  • Discovery

    Query Registry, T1012 (2)
    System Information Discovery, T1082 (3)
    Peripheral Device Discovery, T1120 (1)

  • Collection

    Data from Local System, T1005 (1)

  • Impact

    Defacement, T1491 (1)

Tasks