General

  • Target

    5200743e7e5ca0ffa5fae8b9b15a4f06_JaffaCakes118

  • Size

    180KB

  • Sample

    240517-3b3bnsgd5v

  • MD5

    5200743e7e5ca0ffa5fae8b9b15a4f06

  • SHA1

    492cc1dd555bd88bf469b15d952405bed86c24fb

  • SHA256

    a8309e454d9177a8fe2c84c79925fa800282f9fde2413f219dbf60fc77dd37a1

  • SHA512

    dd834e3bf4cda789175ef55ce4752ba263cbccc120182c3d5a64eb738d3908a71774f8beb6c28d102a248691060d3e536baf04ee769fb733c9f8e44829bb9d50

  • SSDEEP

    3072:MVQfC8Kz+L/LxAV7Y9doh7O79siUs/NaNm/vzuNlOXq:DBKzoTx8si7O93NnvzElOa

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

312

Decoy

activeterroristwarningcompany.com

letterscan.de

jmmartinezilustrador.com

web865.com

thenalpa.com

hepishopping.com

donau-guides.eu

bajova.sk

rino-gmbh.com

bluelakevision.com

thegrinningmanmusical.com

tzn.nu

thesilkroadny.com

photographycreativity.co.uk

atelierkomon.com

basindentistry.com

belofloripa.be

rechtenplicht.be

hawaiisteelbuilding.com

oncarrot.com

Attributes

  • net

    true

  • pid

    19

  • prc

    msftesql

    steam

    powerpnt

    wordpad

    dbsnmp

    infopath

    sqlagent

    oracle

    tbirdconfig

    sqlservr

    outlook

    thunderbird

    excel

    sqbcoreservice

    thebat64

    thebat

    xfssvccon

    mysqld

    winword

    sqlwriter

    visio

    ocssd

    mysqld_opt

    synctime

    sqlbrowser

    mydesktopservice

    firefoxconfig

    msaccess

    mysqld_nt

    ocautoupds

    mydesktopqos

    encsvc

    veeam

    agntsvc

    mspub

    onenote

    isqlplussvc

    ocomm

    dbeng50

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    312

  • svc

    veeam

    mepocs

    sophos

    backup

    sql

    memtas

    vss

    svc$

Extracted

Path

C:\Users\017iq-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 017iq. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4EA32C7CA419822F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/4EA32C7CA419822F Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: LPLq1sZytuaxO3otpcXiOfL90QRRWs8deMuEN6zQfKRFX135pF6draLuPgP+CbSI eRFN/VVPED3E4CByadhP5IFBwO3Djq0uU8U549RvGhZfqNLHC5iWXMOWfPwe9Rlw Ztdz/b6nKCyEp1BCFCYb3wSEVyYBcEYvyVcZwhRfnBpomPN1p32Ww8wbWLvqQXC+ tIEIRxwcYMN2wqW8UcVxCYNjZdwvVvBeM6YJpSszcSWNBMUNXUULr2eUpN/5EIlH TTczM4GaRuMp0rQFHF63Qw48dkhdOEoJKKqH95fbgUtzSh3BiGLz125dAY0PDz1M QQ8Q5v7e0kUt3IcsThuflKymzRQaTJ6H+3ep0N43dwS16OdtEEjp4FfbFDNd32WB OZLntqw29j4NTkhdbENZpSchiVRHX1NOO9XWgROaiSGiN1MG1Bu/lh8s4Jh0CLkX nedxJAbojJ5SFmvaXQbLhnCLHlSIK6qOcgejPamMHFmu0ALW53xGJ6JiBtz5hwRa nPzaPaU3S+LJ2H1PGOi5s+TQ22bPnmf/FGJmXrQ2XybkKx+YPwknyBnmMQFRkKIq hjvNJFeLQ6ONEOQ23EF4xQwgSzI/ABNDPA4pmsxbl66oUUJB+JlHu2O2HW+ybIwT Vu6Kk7qxma+ycLJ2QgWqKneju4J2xXk6sP1XrXEwhV1M3qeHSykKhDdO8VkgoRfy Af1EcQExlgdgi7QoNR/c5rIuAtBTFAwtP0Gjt1ThzwVzWJZh4zkkmuzx/WUb1XhX y7vr93eoYoNzdxr2XDMXq7UCT6gX0uWkld3Uom5rGhKX2gKjxOLz8oT58D2b8uxS KEKqhr8aQN52WmeyRNWBCXRAOdjoxeshyRzros8W9z0V7ZNJY19YJEa6p0/blQRC SBr5r6IkeY6IHBZwK8B5//UqpDSLSn43gcRL/AIS/Be3xE0ZY1DZE2M7c2C4PdP0 +UCUUnBcuuiDWI/r2qZqVzV2ckm0Vu6C0k6B+WJF/HyQ1LO/Nka7YaKc9tsnYMl+ xd2HZVuKghxMR+HS2kQrX4OXWsSy5c4aVeLw2bHiq4a554WL2oeR0szRJTCE4rOh Jx8ZoQA9fKe1F4krdDTk6YBDiOfDxjx7S9+JNwvG57ycJdkeMZqDNYmenQ4fTGRC hD8x08t5P0k0jBuuafvVeL60qYwKSa43VV8uPodfVkkkuasPumrXJrx512mAYvHf JwtA0r99fw8= Extension name: 017iq ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4EA32C7CA419822F

http://decryptor.top/4EA32C7CA419822F

Extracted

Path

C:\Users\20o6uvshu-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 20o6uvshu. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/907E6A6BB2C7447B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/907E6A6BB2C7447B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: tGGOuK2+Dqe+dPOWurQeRL3oeaGGd9V2iRYPjdGGLx16rtqJ0lPsL6ua/+ceoqHR RajfyKdvUHV7S7VKKwZSJ9QmLCa6qHMJKdVXoGxI9AuEAGQPLgLPh9nSGBNW2fSu luUsDoVf05uLk1JSUQJm1fQBDSyDdSCFdPcWQGMwzRoIAPfN/CisN3y0MFoezU7O 4m4/WXHAT2TaMfwta/963Qhp8r1ZLZ4fbjIBXoEG+r1NtWIwrFUw8uVP+oVWn9Pm 6bj7MeuEnMEMfJnpW7ZiodHU8odA3FhNhxn5SpwZb+90TNCmKAmXo324kGsFqYde OqHTpslEMtbFzU9cs9mTv6NcgOMqLw+QTEz0qwiof3c3ZH4xcHxU8/8xU/8rFI2I FREI99Ln/NQvPWsjg1/kdacYQnW5HXFBUXk8bg5K9P99WbIT+E83GpycSJTGctQ4 gj658UzEYgaAX8xNt+0KLSSviZMNp32mQqMkaI1f+6CIzuf2ZVmj4Dwu0pZCFHs8 83oDlmX7HL9Y5rROs6jYzohZ/viX/+Gou9SWUjkClHyh9PR9RHlvxoPeZ0BuFfuD VqMuJG2ckrKKmh+Dty0D4VdL1C40glvv7MBqMnfe6HRELekuxtraEV9MSO7D8178 +qB8pv6emcJL89kAmFUmtYRFM3Fv0ZNgH8Mdy4Hpf7D1SNk8fJBiG0DKoERU4L0b wx9+pZK9pAWkhxIhA3dpuDEMwluRvhnJynXcRjrThQx1V5EmBufzdP27M/AtYrXI 9okNL9xiW0PfBRjoCrm/4R/4W9osbevPnuvGkuXbpKNz8RzfyBIeTzFwf6SzDF9s GLGipIdwze+Y2OXPcUnCfWn4Qhws4aGiaj7BhK9UR970vHbiPlvvoG3Y5cnMfP35 FY97cQul7SgKGPxw3i8RMotav09tNwZaioIdhtpgIDKBQ5VR9L8UJVJ8QV+f60bq 6B3P4NclVg3JeM26UzmKdWdOst31tLIvdHkglDADAYHnue+IvG8Vuo6tqcDyi+RS EBAPah9iYc7mzgny/CMd2JCHxUu8eSlCSZ2375ScRp601dN6AcT2i+Zdp4bK5lvz ivVWDxaNOaXwf4uaEty1GhEisv8ShrC2+H1C3MpOBo+oUauag/PqvwUXAkvTwXPi XiStxXiYSDxV7YYoIY1KIBQB3n3n9LA2N4vzjKPOspYexCc0qgAam8IKAk1cAee1 6iyKZODQLqGdTVZ8er76hz3usbUFyQ== Extension name: 20o6uvshu ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/907E6A6BB2C7447B

http://decryptor.top/907E6A6BB2C7447B

Targets

    • Target

      5200743e7e5ca0ffa5fae8b9b15a4f06_JaffaCakes118

    • Size

      180KB

    • MD5

      5200743e7e5ca0ffa5fae8b9b15a4f06

    • SHA1

      492cc1dd555bd88bf469b15d952405bed86c24fb

    • SHA256

      a8309e454d9177a8fe2c84c79925fa800282f9fde2413f219dbf60fc77dd37a1

    • SHA512

      dd834e3bf4cda789175ef55ce4752ba263cbccc120182c3d5a64eb738d3908a71774f8beb6c28d102a248691060d3e536baf04ee769fb733c9f8e44829bb9d50

    • SSDEEP

      3072:MVQfC8Kz+L/LxAV7Y9doh7O79siUs/NaNm/vzuNlOXq:DBKzoTx8si7O93NnvzElOa

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              ID          Count
  Persistence           Boot or Logon Autostart Execution      T1547       1
  Persistence           Registry Run Keys / Startup Folder     T1547.001   1
  Privilege Escalation  Boot or Logon Autostart Execution      T1547       1
  Privilege Escalation  Registry Run Keys / Startup Folder     T1547.001   1
  Defense Evasion       Modify Registry                        T1112       3
  Defense Evasion       Subvert Trust Controls                 T1553       1
  Defense Evasion       Install Root Certificate               T1553.004   1
  Discovery             Query Registry                         T1012       1
  Discovery             Peripheral Device Discovery            T1120       1
  Discovery             System Information Discovery           T1082       1
  Impact                Defacement                             T1491       1

Tasks