sodinokibi | 63ae6ca6853552716571555546833d99_JaffaCakes118

General

Target

63ae6ca6853552716571555546833d99_JaffaCakes118
Size

166KB
MD5

63ae6ca6853552716571555546833d99
SHA1

09e37e98a74ec8edb36b22a4eb51dbed4390544a
SHA256

9d3a482d9441876096e0cee429fedf7b9f7e1c6a50b3e4b2009884019627d879
SHA512

087baf5fbf764f480f384cbdee878d3dfb8b3880f378b4597d5e292f392341e5da196ee2232a441c6268b7760afffdde293f35f536ee55cff4992b4b45238f86
SSDEEP

1536:EOYMGzUt2Z+tRvSKGNkR87Kk9VWvDtwVQKeDZz0TDsTR6wss+oJ27b5EIBNUup7E:EJMawtnGqtWoKeZC62aoNUSncZUw+S3

Score

10^/10

$2a$10$qv..iaq6b9qv724w3myuferdo8uuvgvqgsa6edwdtrsj1a32xbdh.4402 sodinokibi

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$QV..IaQ6B9QV724W3myufeRDO8uuVgVqGSa6eDWdTrsJ1a32XBdh.

Campaign

4402

Decoy

employeesurveys.com

izzi360.com

centromarysalud.com

coding-machine.com

schutting-info.nl

ceid.info.tr

eglectonk.online

tulsawaterheaterinstallation.com

rumahminangberdaya.com

buroludo.nl

labobit.it

steampluscarpetandfloors.com

andersongilmour.co.uk

satyayoga.de

sotsioloogia.ee

oceanastudios.com

cactusthebrand.com

danielblum.info

cursoporcelanatoliquido.online

stefanpasch.me

Attributes

net
true
pid
$2a$10$QV..IaQ6B9QV724W3myufeRDO8uuVgVqGSa6eDWdTrsJ1a32XBdh.
prc
firefox
sql
outlook
ocomm
dbeng50
ocautoupds
mydesktopservice
sqbcoreservice
steam
thebat
isqlplussvc
oracle
onenote
mydesktopqos
tbirdconfig
visio
msaccess
excel
synctime
xfssvccon
thunderbird
wordpad
dbsnmp
powerpnt
infopath
mspub
agntsvc
winword
ocssd
encsvc
ransom_oneliner
Soon you may lose your files FOREVER Find: "readme-{EXT}-NOW.txt" in folders or on your desktop! YOU HAVE A FEW DAYS OR A FILE WILL BE LOST FOREVER !!!
ransom_template
Your files are locked due to a vulnerability in your system by "{EXT}" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/{UID} If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} After going to the site, enter the following code: {KEY}
sub
4402
svc
svc$
mepocs
memtas
backup
sql
veeam
vss
sophos

Signatures

Sodinokibi family
sodinokibi

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
63ae6ca6853552716571555546833d99_JaffaCakes118

Files

63ae6ca6853552716571555546833d99_JaffaCakes118
.exe windows:5 windows x86 arch:x86

7ecacfc6f1d64067e0047425ad885408

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrlenW
SetErrorMode

Sections

.text
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.iyaw
Size: 50KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

7ecacfc6f1d64067e0047425ad885408

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Sections

.text Size: 95KB - Virtual size: 94KB

.rdata Size: 11KB - Virtual size: 10KB

.data Size: 7KB - Virtual size: 8KB

.iyaw Size: 50KB - Virtual size: 50KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 95KB - Virtual size: 94KB

.rdata
Size: 11KB - Virtual size: 10KB

.data
Size: 7KB - Virtual size: 8KB

.iyaw
Size: 50KB - Virtual size: 50KB

.reloc
Size: 2KB - Virtual size: 1KB