General

  • Target

    586c80559a50dc4a431d36caaf3c2694_JaffaCakes118

  • Size

    116KB

  • Sample

    240519-ef5etshb31

  • MD5

    586c80559a50dc4a431d36caaf3c2694

  • SHA1

    f59dc0c154de3f02804f643047db9beb2f3a579a

  • SHA256

    83002399482a30115e37cea0222fdb265cc6d57101ca7ce4591374acd6b8a371

  • SHA512

    b79e1a4a28011ab62d8a86c8ceaa3d8dc8959b76fbe7744e9290e8c9d89dc8afaaf3e59a9b80c12885301fcfbc2b4045c65562470e3fde06cf7ed7e9c860594d

  • SSDEEP

    1536:CPp8kFF4+utlznGEvCrUmUYwGOmpX2yaICS4Aa7AimHm3VXxF7I2Gc40oTtK:8vnuGqfGOqVBiXg2Gc9

Malware Config

Extracted

  • Family

    sodinokibi

  • Botnet

    $2a$10$fQWl8g9iqu3WXq2Z9hV8/OxYhXd2cd2kOkObREREE9qFi87XyizHW

  • Campaign

    5414

  • Decoy

    (20 decoy domains in the extracted config; list omitted)

Attributes

  • net

    true

  • pid

    $2a$10$fQWl8g9iqu3WXq2Z9hV8/OxYhXd2cd2kOkObREREE9qFi87XyizHW

  • prc

    agntsvc

    ocssd

    ocautoupds

    isqlplussvc

    steam

    wordpad

    infopath

    visio

    excel

    mspub

    msaccess

    thunderbird

    dbeng50

    encsvc

    thebat

    sqbcoreservice

    tbirdconfig

    ocomm

    oracle

    winword

    powerpnt

    dbsnmp

    firefox

    outlook

    xfssvccon

    sql

    synctime

    mydesktopqos

    onenote

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    5414

  • svc

    memtas

    sql

    veeam

    vss

    sophos

    backup

    svc$

    mepocs

Extracted

  • Path

    C:\Users\sh5e4mk2-readme.txt

  • Family

    sodinokibi

  • Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension sh5e4mk2. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F44709FECFF195DF 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F44709FECFF195DF Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: tEX5h+jLdUyQKAbEJ/05nOxZ7FIKkYs9SYX6QNSHiD0ihPXSnEPRRnqkNd2qMaLR VBJJDU8k7m8gTE3iCPgnJ/nX8QAT5xUwI2Txid+SIubyT3uVk8cyqRW8Oi1oevPb Qb/WXqFee2sWhhkqQe+xSnIH4x30GmBF+tQqt2u0bYhCnv2jQpzqrHcC5R5BGoLy rXHZK8FJ4bxhwOXrziqjoehZAmlBAicJUddgHKS6GQN6evc1e4RHvzmIXSTYtSqJ s5j/JMwFmX1Hp0pNWQCjo/8+1KlWZ/96z0dGa+JbH4DJeG2ylyKKBwrD8JY92T9b fTRhwogL7PDONZcS3cfRuZ1rqgqkMFA2aMeKI09Y+OaO0+1bRpegAQ1zjp2MYFUo fVsTdqXCzqKTLl9EKHoOHTJy4xg/Liwpet0+RIwRMYkJI0fzP2O6oEIkql/TGTpo pQvCykpzkaidb3ErWmj3UG3NRJ4ePAaLif6zhJcnQBdhXWdemGt+fLlSzuML3UtX EVODGXbw5YQv3MkpsPXPyQwTwRLYgIcQrn7KOUazZhJGtSvpOHF/emXWznUI8Eq5 NTpds3d2/4qUd95yfhFmP+lzizCftN5ytqThTjI+oSk1xKzDBgU676hbxjGDIxgi Il8vVzm14LZ5wjhrLH67DaVFedRZlfkWYHsZ1KwQxbxByCfas2KxihAmRmSszxYF lWZB0Z+VNE7BLNMWBwQ3MbWuNuave55FDPG/un7V7Cn6kNkFFYIQHrs62u2ecFpL 2uvDk2rWjLGI4kaZ64osWLSMP2eOtWpfiNTRJk8cgYQdF37IVoxXonPFSv3Tkl4i aSFrMRGu3eEHiYcVb5pG5Lgmfw/DoxTpJXEbqL18H5xCHqEGdHBFgC9oGpkvNbUt NnEivX83I8OX596GsxvBFOD9LRATCnMHnZNC0SRbXzSM/gh69AfdwKyyv2EkHJlV LZSQP3bSqKihKgKV0kjFMzKMYLXgWzjUdciCGU/FJstVFlIGOEPQoCj2tKGty/OB 8wyNhzpr9tCgdgf/JyggWGgZ9rg8oGjvMJE85aexrVEzLykZxnKPFIA4k9QCsKWT mcD+XdrWrkvOB+sBuNtHPs/wxZR6GJVkoWbRxf1stnnBK4TqAMHm+Yv4wpAT/uan wceFAAQqqSoCTeQ+tv1B5q/paYTWNQLrxgprTOSmw++2EpgfANOhxvfB6TJupRco lyptKzDbS6ydDN2YzHV7bzrkeSfv1s1eYBt8RWztt0VdOI2WBzF/FjK6D+09Y84d JnCZ+2OqtrfXP68a7BCJ9QZothAy2ws/N8trQ1lvf9Yjk4BKlDDV82w9ekIW5cJb FZkOaTJ/a3we4xpKmfsPHMGe33VZL0WUOP8AYEw7JMD38L3l ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F44709FECFF195DF

    http://decryptor.cc/F44709FECFF195DF

Extracted

  • Path

    C:\Users\xl7n62b2-readme.txt

  • Family

    sodinokibi

  • Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension xl7n62b2. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7C6E1CD560A3B683 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/7C6E1CD560A3B683 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: O5rd2D0LlF9EYFacbg9NLrfjEpVCZleGUPpAfziqVtUrMiXqxejNtTdxx1NOrGJN mXENNiwFcy0+b2zAkFeafUYeYh0ajpU3kJuZRaXH6/Bp9EvJsXSR7RLrrbul0OfS 4MdhceuocM/w0wHsFKpIZ89j1OCK5Judw0itwYzrRLzjxt9j0syL+xd0GVf/kSJh oGRdi8ofA7FXsrBdtSX6ffKzyGMlWq2mG0z5HMvPHNTv7MeMzASxjdCSmDLhBQ0x uQexA2Vp7wBmOKzAcO+56xMXO2wsQAh0awFjjKIf6iAksnF6CE0+i4xlmqzGStXj 4HFRzixZj3M8YIFjVqijUFuNpaFwNbVJuqGKtTAQcxG44e4PSJ4vbk3iYbg48PeX hEP2W+d1KmIJdw00i4D+bwtQwvU+X9l7zlVTQ7zAMxQA5dUPpAlO9MP1Ij1pQgHy fMmpGmL9tzfU2Bin0rC9SMYZfpq032fiuxp1JAb/bIFakK6flCKyBg3oXw+KJ2G9 uvzwtn3ha9MvnCV49WbQuxtGkhfkYb+5KZAF1GP2Lu6zzioA7+CYcakXCinfjucb wxxOG+x3qwRulo5YsVvNVAJWU7lAOvFyKAHScmuOiBtIspJtJG1L5hiRrpwXjbaL 45EAbVaSGtVSx1Cnu01IsLnWOZO3Fzl4Ly8Js7zM0SHpR1hmNfUSUTHyIdETDUUD HI8nrjo3eNxM/UZ3KmOLQEMbRhwCJHMQcbtr8hm5/LzcoXEO4M5mdf0qq6+5EeWU IuxYNcKh3Akm6i7cdEly+XkR1oqy1CSx9tadatHvRV3JELQXwdbWyIZi4/pm4B+z VjEdGsuE+XTXSEels037d6+fa+STQhnYnvulM2a0layCf87kwWxHU+HBavzCNIyI pLPbYoi2SmnlthhceMjVDFObTyEEFc4sU9Egelma1Bzcxq6mQy9UM+3uy+8WotZv clzMHCfr2ve6DJZ11pu8WygXlkti5g4H3OlXGC6o/JP3SHd5thsy5Wt3yI9Gizlu 7WCXPjDkfFtbsTLXcTGaUBFSEVWen1npkX1Up0IUz/izujvbhCX5Gr4nUWKWqUo1 gAvYWYXDV834k0TooHnk1BnJfvIYABlJeor7PXgvsureOMep+l/JAXWgZ7++dTJh SfeSUistBBQEDZVAFoMdog9yiEhN6VFvcfOlLJqRXHhS25ss31SopQB9qZ/+mcad qCH1F3cuvMamOqnsojOSlajQHdjxSD4xk5EFqjkbfOuPgfsICPtx/a1ZGYtFm0aM Y4PObY/NI4kN+5xTqop614KmWN2xryXfaalFt1BMmxoWA6lU+/sqMRlJPMMGs/Id S1hVh52KcyEf6bFgjUByDqvlT7VzF7oAjwrkwNLU6OIeFb396GHl1kd0 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7C6E1CD560A3B683

    http://decryptor.cc/7C6E1CD560A3B683

Targets

    • Target

      586c80559a50dc4a431d36caaf3c2694_JaffaCakes118

    • Score

      10/10

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery

    Query Registry (T1012): 1

    Peripheral Device Discovery (T1120): 1

    System Information Discovery (T1082): 1