sodinokibi | 619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118

General

Target

619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118
Size

157KB
MD5

619bcc16546e3d7ddea8045fa88f65fc
SHA1

bab813d5a45552978bba9a413089222c3f225a6c
SHA256

5fe8e804cc0e7d211019bf37dbb18e4a00af24be11cc9407fac6d648c01716fb
SHA512

22997dc1a27b3ee620ab248336dd7a373d7a5217c30135a36943555e605ae7ea81fe55b5c0b596bc14748831144ae91b4272dd6a319cc3d69bea2fa7caccdded
SSDEEP

3072:Fi8Iy8EytSLbi4eTMlwDCnuZ3jmOaqGpeT3:U8IUykbnWJZ3jmOaqFT3

Score

10^/10

8 10 sodinokibi

Malware Config

Extracted

Family

sodinokibi

Botnet

8

Campaign

10

Decoy

fbmagazine.ru

palmenhaus-erfurt.de

jacquesgarcianoto.com

vapiano.fr

pureelements.nl

efficiencyconsulting.es

schroederschoembs.com

wallflowersandrakes.com

irizar.com

kiraribeaute-nani.com

ketomealprep.academy

imaginekithomes.co.nz

andermattswisswatches.ch

imagine-entertainment.com

rhino-turf.com

the-beauty-guides.com

adedesign.com

phukienbepthanhdat.com

smartworkplaza.com

chatterchatterchatter.com

Attributes

net
true
pid
8
prc
mysql.exe
ransom_oneliner
Your computer have been infected! Read the {EXT}-readme.txt file for more information.
ransom_template
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key and extension name: {EXT}. Your key code: {KEY}
sub
10

Signatures

Sodinokibi family
sodinokibi

Sodinokibi/Revil sample 1 IoCs

resource	yara_rule
sample	family_sodinokobi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118

Files

619bcc16546e3d7ddea8045fa88f65fc_JaffaCakes118
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 62KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.grrr
Size: 50KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 38KB - Virtual size: 38KB

.rdata Size: 62KB - Virtual size: 61KB

.data Size: 4KB - Virtual size: 4KB

.grrr Size: 50KB - Virtual size: 50KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 38KB - Virtual size: 38KB

.rdata
Size: 62KB - Virtual size: 61KB

.data
Size: 4KB - Virtual size: 4KB

.grrr
Size: 50KB - Virtual size: 50KB

.reloc
Size: 1KB - Virtual size: 1KB