General

  • Target: 63ae6ca6853552716571555546833d99_JaffaCakes118
  • Size: 166KB
  • Sample: 240521-r733ashf39
  • MD5: 63ae6ca6853552716571555546833d99
  • SHA1: 09e37e98a74ec8edb36b22a4eb51dbed4390544a
  • SHA256: 9d3a482d9441876096e0cee429fedf7b9f7e1c6a50b3e4b2009884019627d879
  • SHA512: 087baf5fbf764f480f384cbdee878d3dfb8b3880f378b4597d5e292f392341e5da196ee2232a441c6268b7760afffdde293f35f536ee55cff4992b4b45238f86
  • SSDEEP: 1536:EOYMGzUt2Z+tRvSKGNkR87Kk9VWvDtwVQKeDZz0TDsTR6wss+oJ27b5EIBNUup7E:EJMawtnGqtWoKeZC62aoNUSncZUw+S3

Malware Config

Extracted

  • Family: sodinokibi
  • Botnet: $2a$10$QV..IaQ6B9QV724W3myufeRDO8uuVgVqGSa6eDWdTrsJ1a32XBdh.
  • Campaign: 4402

Decoy


Attributes

  • net: true
  • pid: $2a$10$QV..IaQ6B9QV724W3myufeRDO8uuVgVqGSa6eDWdTrsJ1a32XBdh.
  • prc: firefox, sql, outlook, ocomm, dbeng50, ocautoupds, mydesktopservice, sqbcoreservice, steam, thebat, isqlplussvc, oracle, onenote, mydesktopqos, tbirdconfig, visio, msaccess, excel, synctime, xfssvccon, thunderbird, wordpad, dbsnmp, powerpnt, infopath, mspub, agntsvc, winword, ocssd, encsvc
  • ransom_oneliner: Soon you may lose your files FOREVER Find: "readme-{EXT}-NOW.txt" in folders or on your desktop! YOU HAVE A FEW DAYS OR A FILE WILL BE LOST FOREVER !!!
  • ransom_template: Your files are locked due to a vulnerability in your system by "{EXT}" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/{UID} If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} After going to the site, enter the following code: {KEY}
  • sub: 4402
  • svc: svc$, mepocs, memtas, backup, sql, veeam, vss, sophos

Extracted

  • Path: C:\Users\readme-j008b4a42n-NOW.txt
  • Ransom Note:
Your files are locked due to a vulnerability in your system by "j008b4a42n" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/71639715C427C907 If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! 
After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/71639715C427C907 After going to the site, enter the following code:
  • URLs: http://decryptor.cc/71639715C427C907, http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/71639715C427C907

Extracted

  • Path: C:\Users\readme-o331102-NOW.txt
  • Ransom Note:
Your files are locked due to a vulnerability in your system by "o331102" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/F16494BF17DAA819 If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! 
After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F16494BF17DAA819 After going to the site, enter the following code:
  • URLs: http://decryptor.cc/F16494BF17DAA819, http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F16494BF17DAA819

Targets

  • Target: 63ae6ca6853552716571555546833d99_JaffaCakes118


  • Score: 10/10
  • Adds Run key to start application
  • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in System32 directory
  • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Boot or Logon Autostart Execution (1): T1547
  • Registry Run Keys / Startup Folder (1): T1547.001

Privilege Escalation
  • Boot or Logon Autostart Execution (1): T1547
  • Registry Run Keys / Startup Folder (1): T1547.001

Defense Evasion
  • Modify Registry (3): T1112
  • Subvert Trust Controls (1): T1553
  • Install Root Certificate (1): T1553.004

Discovery
  • Query Registry (1): T1012
  • Peripheral Device Discovery (1): T1120
  • System Information Discovery (1): T1082

Impact
  • Defacement (1): T1491
