General

  • Target

    6844bdb8fc61ede9a4ad6122721c8c71_JaffaCakes118

  • Size

    166KB

  • Sample

    240522-xjj76scf8y

  • MD5

    6844bdb8fc61ede9a4ad6122721c8c71

  • SHA1

    19f0c1511b39be9951a2e9180721748cb3ccd389

  • SHA256

    926a003f4877c7a6388cf753dd4c392902fb1fe9c1ce17151446e8056b55b0d1

  • SHA512

    6f1a36e723a2d280458beabd77b7377796bfaf8059019b0160af1ecce190adbed8e991e5f8016a5c2ed92d26f6b6132149f1412a5c3216e6b7a8756b2c8c88e6

  • SSDEEP

    3072:1LFrb30BRtBZZg+i2ayy2RjLTuVyu7CJDgoMT3QuDHQdCer:ZJ0BXScFy2RsQJ8zguDHP

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$5KaQAyoiS3CGUdrH8D6rAumvxBhzJQHXxeNGOzzwHleZRUD4sZCXq

Campaign

3181

Decoy

euro-trend.pl

gopackapp.com

paradicepacks.com

stemenstilte.nl

humanityplus.org

thaysa.com

milltimber.aberdeen.sch.uk

bouldercafe-wuppertal.de

ledmes.ru

tetinfo.in

homecomingstudio.com

charlesreger.com

plotlinecreative.com

alvinschwartz.wordpress.com

fibrofolliculoma.info

stormwall.se

aurum-juweliere.de

ikads.org

stefanpasch.me

id-vet.com

Attributes

  • net

    true

  • pid

    $2a$10$5KaQAyoiS3CGUdrH8D6rAumvxBhzJQHXxeNGOzzwHleZRUD4sZCXq

  • prc

    winword

    firefox

    ocssd

    thunderbird

    infopath

    agntsvc

    encsvc

    dbeng50

    visio

    mydesktopqos

    msaccess

    mydesktopservice

    excel

    sqbcoreservice

    xfssvccon

    synctime

    steam

    onenote

    dbsnmp

    isqlplussvc

    tbirdconfig

    outlook

    ocomm

    sql

    thebat

    ocautoupds

    mspub

    oracle

    wordpad

    powerpnt

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3181

  • svc

    mepocs

    backup

    vss

    sophos

    svc$

    veeam

    sql

    memtas
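
In the Sodinokibi/REvil configuration format, prc holds process names and svc holds service name fragments that the malware terminates before encryption, so that files held open by Office, mail, database and backup software can be encrypted and backup or security services do not get in the way. Several of these processes and services dying on one host within a few seconds is therefore a usable detection. The block below is an added example and not part of the sandbox report or of the malware: it matches normalized service-stop and process-termination records against the two lists copied from this config and raises one alert per burst of distinct hits inside a short window. Two assumptions are made explicit in the code: names are compared as case-insensitive substrings (the report does not say how the malware compares them, so the broader form is used for hunting), and the event records are constructed for the demo rather than taken from the run.

```python
from datetime import datetime, timedelta

# prc and svc values copied from this sample's extracted Sodinokibi config.
PRC_KILL_LIST = [
    "winword", "firefox", "ocssd", "thunderbird", "infopath", "agntsvc", "encsvc",
    "dbeng50", "visio", "mydesktopqos", "msaccess", "mydesktopservice", "excel",
    "sqbcoreservice", "xfssvccon", "synctime", "steam", "onenote", "dbsnmp",
    "isqlplussvc", "tbirdconfig", "outlook", "ocomm", "sql", "thebat", "ocautoupds",
    "mspub", "oracle", "wordpad", "powerpnt",
]
SVC_KILL_LIST = ["mepocs", "backup", "vss", "sophos", "svc$", "veeam", "sql", "memtas"]

# Which list applies to which normalized event kind.
KILL_LISTS = {"service_stopped": SVC_KILL_LIST, "process_terminated": PRC_KILL_LIST}


def on_kill_list(name, kill_list):
    """Case-insensitive substring match of an observed process/service name against a list.
    Assumption for this demo: the report does not state whether the malware compares names
    exactly or by substring, so the broader substring form is used for hunting."""
    lowered = name.lower()
    return any(entry in lowered for entry in kill_list)


def detect_kill_list_burst(events, window_seconds=30, min_hits=3):
    """Return one alert per cluster of >= min_hits distinct kill-list names whose stop or
    terminate events fall within window_seconds of each other.

    events: iterable of (iso_timestamp, kind, name) with kind a key of KILL_LISTS."""
    hits = sorted(
        (datetime.fromisoformat(ts), name)
        for ts, kind, name in events
        if kind in KILL_LISTS and on_kill_list(name, KILL_LISTS[kind])
    )
    window = timedelta(seconds=window_seconds)
    alerts, start = [], 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:  # slide the window forward
            start += 1
        names = sorted({name for _, name in hits[start:end + 1]})
        if len(names) >= min_hits:
            alerts.append({"first": hits[start][0].isoformat(),
                           "last": hits[end][0].isoformat(),
                           "names": names})
            start = end + 1  # consume this cluster so it is reported once
    return alerts


# Constructed, already-normalized host telemetry (timestamp, kind, name); not from the sandbox run.
SAMPLE_EVENTS = [
    ("2024-05-22T08:00:00", "service_stopped", "MSSQLSERVER"),     # routine single stop, hours earlier
    ("2024-05-22T09:30:00", "service_stopped", "Spooler"),         # on neither list
    ("2024-05-22T10:01:03", "service_stopped", "VSS"),
    ("2024-05-22T10:01:03", "service_stopped", "VeeamBackupSvc"),
    ("2024-05-22T10:01:04", "service_stopped", "MSSQLSERVER"),
    ("2024-05-22T10:01:04", "process_terminated", "sqlservr.exe"),
    ("2024-05-22T10:01:05", "process_terminated", "OUTLOOK.EXE"),
    ("2024-05-22T10:01:05", "process_terminated", "excel.exe"),
    ("2024-05-22T10:01:06", "process_terminated", "explorer.exe"),  # not on the prc list
]

if __name__ == "__main__":
    for alert in detect_kill_list_burst(SAMPLE_EVENTS):
        print(alert)
```

With the defaults the constructed telemetry yields two alerts (three services at 10:01:03-04, then three processes at 10:01:04-05) while the isolated MSSQLSERVER stop at 08:00 is ignored; raising min_hits to 6 collapses the burst into a single alert covering all six names. The substring match on short entries such as sql is deliberately broad, so in production the window and threshold, not the list, are what keep noise down.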

Extracted

Path

C:\Users\udhysn-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension udhysn. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3DE8D5A4C0868953 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/3DE8D5A4C0868953 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: F5Wtk2+NKg8iL3FG7s4691zjYIm8inQhfx0Mgz8+sIEbyZtS1On7TPoyG9Kj+8kN Ze8be//8LjRvzUZcAfOW6kZC715vZvUSpnWsUXQELIYzJXITEvGFl1uSBwaGzvz5 HXpjX4BluTXPuplXayL9/5VuVucDzxcxx9nTB8Fbc/xtVFhZUIcfE5fAjO83GNDA qdCioPYc5ucyMltFvG8/d9g1t8VuJUH0dmVCxKMv8kW8GtICZRfe0qHolPlj0b/F CA/NWbY2b+8E7kKjBIS7oJZKTbJkvZsqnDW4fvMp7asflKp+pCSkbwyf612AHj2Q /sRMbaLP7KxG2ddqSgaifYBmb7//9LBRbd1PLVnnJ8fh7hzUZUfL2O+/XKCsCQmo X/NcgvvWyKOEsw2XCQ+VFY2pvZnZssUoYSHgQPeex6IXLiiRS5zchCuM6EBvNBrz +pAGNG0rNTVLAd7vuIOCQjwABGsKDHRBmut/WX/wqxPCtGhRkh2pNLHg07E4z63s VootE5vhQjf56VEzmb/AviPt1Pmk62rayXzSNti/r2E38dO3HukU0jmSxajazUSR YHEHvxO7U61c8/yqpQN8GFpy29ROSOd5RYijxEnoqzM21bDeL5hxpRjPM+pf70zY xnz3ZliGeKyz3/CgmMWPDSpKlDNDxg5N4mliNyEujwE47Mf2sroSlKVtAaTepupx 8vVc+TBqHEFAUzXUGKkA8Rje4dbWdO7SyYuCrrd+osdjTZ7PIjL/H/Shzfypz1u0 vdf6pVl5FwXvoT7LwVXEdHaLOSCZRh0k3CwVyuqhOkkhEblhw38oybNZ/ciedjxY ypT35txqhTgCkL1CORDZw2MmKkQF6R492eOvCs3I+ioMneCniCTcvGEeUmgmxz6O pLtGY8JXy2lJ2C57/c5+lHvEaPEWGuhi16RZ2eBWfhMkTELwj0tPxfz+sLgTnFtM 5kAtwZayUYJBing6YfuLvu2vo7AiHNsv7IodSdG2vP2/8velu3/Baozi2YIiNqvk DL6NCej4rj2k9JQHqnS5PTOhQAXTaQ44jNKs1gYsNxgOjhpJ+JdDO15KL6d8+HxW 7/jr2JcBDM0Cr0eFEwYT3JaztPkJAgvEMUjYNaLKFG50lLF7siDceNG71ASbQ67a vYErjg8vi499pisth9KzE6m1z5fMIJcjcu8Clow1yyLE872c6o9xUZzyZQ75+NHH H98wFPF8LmGmrn08LCG0MwNzOkwdhWAZ7FIyt7eiq0Nem6Rz9iYZRCTp8Oq4LkGh /l3uYza4QJCszGt2H1H8Hq+M0sKL/VY7g8ND1aEYX+bD1EOAWOeYekdReFIuDOfb IJig5hvd2JNbBpVQgulMshYCbhJ8nCL5ldLODnUEnHs= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3DE8D5A4C0868953

http://decryptor.cc/3DE8D5A4C0868953

Extracted

Path

C:\Users\qt6p17-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension qt6p17. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D795CAAFADA2BEB2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D795CAAFADA2BEB2 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: K8Sf4solvicGr5EC9+HpJ0YlZhW8PhNrx4eZd1JQQapzcer2aqtytz/z+7epMXR5 G5bIOLudJZCmhILxvQlMeu5TtCxTWzdo41UINyYcRU8b6HQJzvfasr5aAlLlkCR4 O36/fD0plodFaNfaF7gVmrfeZDI2yP/aHuUGGlqZyYCAi9Z0wutjJkeNTxFnJfWP zzC3C0V2bdRccYNghLsXfmUdVSUQOkUG3DjIx/r/AKVSE56iSni/T+xyNjYOrAsv qbVcF8n9w7Jlq18L+wRcUnxAxGFRe9WNJuctvdxPA+uDy0z8JRe1psw0y4hKIdR7 lSBQF6ollY9dgn5uu6S21YNUaHjYOSBTMsju5VgYWz2BxpnYi7eUO2Tmx5Vs0w+R l8gnfuGG5F9QXJmmqCTyVg/AE+bKaDJph9G1lTedsbgBONUSerap+HpMj4wjT7CA 4KerUdmmr8JZvqLoxyMcPrqSnutrp8iC3EsLNn804i7sb9DC6qUpOAKoXf7W9Ny7 0eCwkt04mjmYVxQEvrBv1VB4WRj1O22XLcT+7yh7fHiZcS+gF9O7ott6csXKS2Hq /436DUWSJFH7eZd3ozVW1v5q0GSGV/eSzClPjJm4zdb9AXcYSdG49U1Ukld+mmTh FW86gbXeABI3RQT3hO26JEy7mFtlMnoMLXXjDmJWR1Oqed/KhX7JyE7xg4K2IAyb hrnJIxvpLV+duC4UsP52QpGbGh0NUekmzwQ3noLuSyoP4Yhf5RM7UqwDQXhiU7R3 bSRwvASElJruIxwG/nrokeD2mPmSHFmLM5pS7N9YNXNGfxOfTs/abEKcC+2YWDb+ IDcQ5RIO2EWdyB5moceCZCeEO1zeg/n02GPJjyhv7eJGLThhTsfdLObpl5OaXDW4 CiLSiEyGslNU/47PNFlbriQqhqLxS7LSdfBZJl7rqRkKCrO6DRcVYHN2t1j4UbhJ +X1Wy9RRdOlSLKSxF8zhjyYb+aT01NWd/Cvfl4+q9HCNBAoaBErvjvaYiTy/AYuJ uiziWuiL+ErwiUmwUi6Xpm3P48uYp+IMi1oey7emQ3fJ6HA0Gzpiw6H0pmQ4eI5D BU2MNzL2L0FE4lWaTTuayGDCsIwyXr2rx+GsKswMB03SvrF/41jGBmiEgf583lF/ wp4kocW5aL7I25ViUvl9c1TU5S2hzKkWhbYdjUxbQwczfoPsCHCBfy3oXwD6GaxP FwAWROfXQmvS3oFVNAfSrTwIE0G72s74yNB6oT2V9bOw1/+e+zvA+VhnAp1WhtaD Udx9odX709Z7tlmGsdwqb1Li67xJYURQYm4vGzmgmX9VO6lDCGnaIXFBp/NZvbAy 969Xqey3bGtZ9Tj7NYv01RMj6cHYLGEj/tLehsoc4LSnYtSJAag= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D795CAAFADA2BEB2

http://decryptor.cc/D795CAAFADA2BEB2

Targets

    • Target

      6844bdb8fc61ede9a4ad6122721c8c71_JaffaCakes118

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (3)

  • T1553 Subvert Trust Controls (1)

  • T1553.004 Install Root Certificate (1)

Discovery

  • T1012 Query Registry (1)

  • T1120 Peripheral Device Discovery (1)

  • T1082 System Information Discovery (1)

Command and Control

  • T1102 Web Service (1)

Impact

  • T1491 Defacement (1)
