General

  • Target

    443a3653113457b08fa41ce46eb3b677_JaffaCakes118

  • Size

    207KB

  • Sample

    240515-c81agadh88

  • MD5

    443a3653113457b08fa41ce46eb3b677

  • SHA1

    c6ebcf8ed468511153c741d8d58fad07beab7048

  • SHA256

    486a7dd8a65128960ef6c89c4143f0edbf7fab0f8f07045328ad6675cd1d870f

  • SHA512

    bd7ca0759441b3168d78039962f76f5fd61fb9ef985d328f58dbe56b73a949004182fe9dcd1103766198498b4349e7160e8f875d12a40dce81926484bd31bfc4

  • SSDEEP

    3072:sr85CIyy2RjLTuVyu7CJDgoMT3QG9BEJfMt0HzLFrb30BRtBZZg+i2v:k9ny2RsQJ8zgG9jt0HJ0BXScv

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

3134

Decoy

mank.de

work2live.de

triggi.de

innote.fi

iwelt.de

mdacares.com

celularity.com

wychowanieprzedszkolne.pl

bildungsunderlebnis.haus

urmasiimariiuniri.ro

devlaur.com

philippedebroca.com

kaminscy.com

boompinoy.com

webcodingstudio.com

onlybacklink.com

victoriousfestival.co.uk

levdittliv.se

rosavalamedahr.com

DupontSellsHomes.com

Attributes

  • net

    true

  • pid

    19

  • prc

    visio

    ocautoupds

    synctime

    dbeng50

    infopath

    tbirdconfig

    oracle

    winword

    firefox

    dbsnmp

    mydesktopservice

    msaccess

    xfssvccon

    sqbcoreservice

    mydesktopqos

    sql

    onenote

    outlook

    ocomm

    steam

    excel

    ocssd

    thebat

    agntsvc

    powerpnt

    thunderbird

    mspub

    isqlplussvc

    encsvc

    wordpad

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3134

  • svc

    vss

    sophos

    mepocs

    veeam

    sql

    backup

    svc$

    memtas

Extracted

Path

C:\Users\q9ox0053h-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension q9ox0053h. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B751597EA850569A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B751597EA850569A Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: mfX3tjwlXq72ZorF8I9Vj3YIlUBlP5iiT14ilSLspGSZpEtAViVW/FnR/ljKFp6X 0rRzMFa4J9RpWRafCdWoIn+1fOrvrr5w4Gu8PPi+Mq1XXyKoUt57fYux703wYSuF M1yLSTm2zglxuFVASM3bpiiga5AaNsI0ctaLI6yMjzaRcs2qHsofal+GXxZD7yk4 USrpoBUbCgMnBUSAJESc8IoWms4f9rK0Oxy70whKABsqIrU0wbvlOiWHi+P8zScq VUdGnsnwpFDH0xRtuHKeXpG5a9dwzpgHZfZ06jALVZmMrE0ZLVZEpW1qGHN+Vgy/ Bds2E5DDkbZVzWL/vRZAjt2kEpIDeK9eCTgKD81jP+4R08ZOeqyU2zv7rMlcI/GW CyJGH4uiKSeylL7R7igijUKpF6z2dR3igFjuMWNa404dV3BIJQWSwvcfBhB0n+wX kXQhNVeFV2bP4c8bq2LajFDgCRXmI9T38aQhYqfK9SQvWqnfcX4uDFhXVi94LJPb VhaqnTDaM0Po//r0uG/wIdVzBOCmJL3f4uCFKpngSiImyQNLMzSOlcH2/Lo8v1cw mhAs/hs+MPf6NteG3hrGqjcdzyiTl1gZgag3mNppzniU/N6gUnCHQj+YTYtLrUiL 98cw9ZXRSzeXHWYgG1hI1KmfnDVGsPLCzW0JYwiqNeraS5iuDzWX6YiXCz3hTz4b Kk9FLUmmUgzD137b8IP3I5y5z7gJ9d9wl6xmq+uPM5ww/sdoXHZ0iHof4O9RBNNi IOIEVOq12s3yjX814rdHe2sk6Yd4gyisZT4bwWUtsNgJ23+0c6TZgfs7Rmmq8g+X Zs6hqC6MnTZ54QohaRUGpUVYm60B3Zhgvze92dyUbphIFHtAzLdy6XGoNIYV3A7c +vi6K97ZfRoQ5l4e6QQDJ/vUmXMstV23jzc7lEky3wW7ALXLblgPf21wOHfJ0Zvo Z18p3essSFBe/Foh84UoXGm1Kqx9HSN8bJjp9dz/nU5S+h9x/D6uxCuIXXUWHtSy 1hFD/17vi1+saDO+dm3KjbqCkaTmRxHrHfa7iba7P848LvVlR3i4dyQ40d68tidu kqy59TrNo1V5qU6SW0wFeAZYxwe13BoMUJIXITow4ryTnaik0ELXZ2eFPEdGdFcK SL0EZq1MRrTeXvJnzvCH0t9fNcMGdG8wNaVF5jEp9keR4Mn7zJPTanQ8KdR2NPq5 kGVqVMKq8mOdUSoNmrj9ayno ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B751597EA850569A

http://decryptor.cc/B751597EA850569A

Extracted

Path

C:\Recovery\1d28m93q-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 1d28m93q. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/922332A1456CFA86 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/922332A1456CFA86 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ZceL4ire24gWjrdNwMf+ACHTOOc5eVBf+eveplkUD+4/+jg325V4dRjOBSyfMjrA rRP46NKBF8caPeNMkwlegG9bQVlkxhJx5WOIkgXorpPgabnqBXhxTNI7rpNhCK6l vNqPu7NJhIo5WZ/HJq0dYX7/IAhsxf9lBUkh+9rrRrEGPQCZ+t0LQkbmsdHtzbKV 5DDepSomG4tf5oGoUPEOZwpS3pWtW8zT+fn+PTPwha2cWsT/In9Bthw+qPdvcXQu I2xorSrTMTIB//fPLeF2h6+3aQvFR2YvUV21F7600cyd0d6xSgfPrmJmhQKP4GiC 4Gn9bE26C1OHEeI3Y+kPDFHDLMfVU6w9N6teQ7KsTuh4EE0Ilqz6bLHOXF3NOLH+ IfxpEuNtOTz4XqGBdxZmnaeS3l9270hObcJB+7LKu34UONsfxNfLxcVqmylb3mTD a68iKQe6K8CY0cWRsCBslbD20cPcQwH1N750miHtEmezmE/81AKH+B1tUN85ERFr c/jZEQaN9N6LvvpJLxaeDPrXiptwRFFRo0B7JbfVBeHbCyi6YT1/p+bgDe5kQZsJ ZqY0v50UET0yYpbZNhwLuiDggIzsY/AkCe2bgqY0trlukE+uKExuAuEZAbZqUGuB 9TCslR7NAn3N+FW4Weh4sfzBJGzqQ93lEqJdHatlyyenQxYQ2jekTWblauLHTshm ZE2QBBBGGtegN8LCh8fQdMz7KdpEf7t6VIZo63Nrof4hPNlwOnDXsgSR838KyNdW rDk2/kTZ0Va5cXHMJwTjS3zkHTl4fa8QvXuU/70dXnusclM9gfoA8MWDRFQDHOiz XpzTUWutoLZv6o9H5GLSp1GT7JyzJXPdkNDYx06cVp1HS4BPwXpQgNZOmGf6rot5 XDvPG+pPFZMuvQ51k0o6xfB1f1xUUaHR5rn8Lpl4oI3s36u8cJwxF2XvL2qhzddb nMlANJtRJL33DmPnShEikTCTAat++D96Nux5mYC0UJ935+ZqaEGVQEfn3aRHUG3W qxyjiRE+eUtgozDehLYW22B5IWsHkSNII0uQ4baANzBRCACtH3g86TmPeDly8ooq tREBOk3a0tcLggn9X+pWi9zMph269hPBNhh3r/UEM1vmrl8cEVES8dB2N378Cpa8 WnWL+jOESWLnG/gMDfxTWHkh5MJVLkrrY8Uwoou3MEM9AUNf1Fus71H8Nr10hW1v ezDdb3FGch15Uj4ssiTMukIkCogjRA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/922332A1456CFA86

http://decryptor.cc/922332A1456CFA86

Targets

    • Target

      443a3653113457b08fa41ce46eb3b677_JaffaCakes118

    • Size

      207KB

    • MD5

      443a3653113457b08fa41ce46eb3b677

    • SHA1

      c6ebcf8ed468511153c741d8d58fad07beab7048

    • SHA256

      486a7dd8a65128960ef6c89c4143f0edbf7fab0f8f07045328ad6675cd1d870f

    • SHA512

      bd7ca0759441b3168d78039962f76f5fd61fb9ef985d328f58dbe56b73a949004182fe9dcd1103766198498b4349e7160e8f875d12a40dce81926484bd31bfc4

    • SSDEEP

      3072:sr85CIyy2RjLTuVyu7CJDgoMT3QG9BEJfMt0HzLFrb30BRtBZZg+i2v:k9ny2RsQJ8zgG9jt0HJ0BXScv

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

Tactic                 Technique                              ID           Count
Persistence            Event Triggered Execution              T1546        1
Persistence            Change Default File Association        T1546.001    1
Persistence            Boot or Logon Autostart Execution      T1547        1
Persistence            Registry Run Keys / Startup Folder     T1547.001    1
Privilege Escalation   Event Triggered Execution              T1546        1
Privilege Escalation   Change Default File Association        T1546.001    1
Privilege Escalation   Boot or Logon Autostart Execution      T1547        1
Privilege Escalation   Registry Run Keys / Startup Folder     T1547.001    1
Defense Evasion        Modify Registry                        T1112        4
Defense Evasion        Subvert Trust Controls                 T1553        1
Defense Evasion        Install Root Certificate               T1553.004    1
Credential Access      Unsecured Credentials                  T1552        1
Credential Access      Credentials In Files                   T1552.001    1
Discovery              Query Registry                         T1012        2
Discovery              System Information Discovery           T1082        3
Discovery              Peripheral Device Discovery            T1120        1
Collection             Data from Local System                 T1005        1
Impact                 Defacement                             T1491        1

Tasks