General

  • Target

    b6fcb19eb3bcbf3eaf16c7bf3f134d61_JaffaCakes118

  • Size

    165KB

  • Sample

    240617-f7xdza1akj

  • MD5

    b6fcb19eb3bcbf3eaf16c7bf3f134d61

  • SHA1

    6211ba0a1160b344c1740654b636a8fdd775fbd8

  • SHA256

    58cf92a67428816faa2f2ff2778ecfd8b129deb94b1a2ef1cbb3c13f665ffdac

  • SHA512

    8f6ed156e2d55dabc35a6012f5bbc8ce0bc031c7430e814d21f0d6d8d2ccf53e6ae4408c604359e2e4a37ca830d9a61efdf9422e9f4f3183c7c466b00d2bd020

  • SSDEEP

    3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NadXHX0Fq:lw02sJPi7O93NwHX0Fq

Malware Config

Extracted

Family

sodinokibi

Botnet

37

Campaign

1719

Decoy

powershell.su

wordpress.idium.no

osn.ro

brighthillgroup.com

rokthetalk.com

finsahome.co.uk

lovetzuchia.com

towelroot.co

latteswithleslie.com

terraflair.de

aoyama.ac

uci-france.fr

tzn.nu

sealgrinderpt.com

frameshift.it

mslp.org

eafx.pro

adabible.org

domaine-des-pothiers.com

ijsselbeton.nl

Attributes

  • net

    true

  • pid

    37

  • prc

    encsvc

    excel

    tbirdconfig

    ocssd

    msaccess

    wordpa

    steam

    powerpnt

    visio

    isqlplussvc

    mydesktopqos

    sqbcoreservice

    thebat

    sql

    mspub

    outlook

    infopath

    dbsnmp

    oracle

    ocomm

    mydesktopservice

    synctime

    thunderbird

    vss

    winword

    agntsvc

    xfssvccon

    firefox

    ocautoupds

    onenote

  • ransom_oneliner

    All of your files are encrypted! Find how to decrypt {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1719

  • svc

    svc$

    sophos

    vss

    veeam

    backup

    mepocs

    memtas

    sql
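
The prc and svc lists above are the names the sample checks when it terminates processes and stops services before encrypting, so a defender's first question is which of their own workloads would be hit. The script below is an added example, not code from the sample, the sandbox or this report. It assumes the entries are matched as case-insensitive substrings of the image or service name; the report does not state the matching rule, but fragments such as `sql`, `wordpa` and `svc$` only make sense under substring matching. The process and service snapshots are constructed for the example.

```python
"""Impact check: which running processes/services a config like the one above targets."""

# prc and svc lists copied from the extracted config above.
PRC = [
    "encsvc", "excel", "tbirdconfig", "ocssd", "msaccess", "wordpa", "steam",
    "powerpnt", "visio", "isqlplussvc", "mydesktopqos", "sqbcoreservice",
    "thebat", "sql", "mspub", "outlook", "infopath", "dbsnmp", "oracle",
    "ocomm", "mydesktopservice", "synctime", "thunderbird", "vss", "winword",
    "agntsvc", "xfssvccon", "firefox", "ocautoupds", "onenote",
]
SVC = ["svc$", "sophos", "vss", "veeam", "backup", "mepocs", "memtas", "sql"]

# Constructed snapshot of a host (not taken from the report).
RUNNING_PROCESSES = [
    "svchost.exe", "lsass.exe", "explorer.exe", "sqlservr.exe", "VSSVC.exe",
    "OUTLOOK.EXE", "wordpad.exe", "chrome.exe", "firefox.exe", "steamwebhelper.exe",
]
RUNNING_SERVICES = [
    "Spooler", "wuauserv", "MSSQLSERVER", "SQLWriter", "VSS",
    "VeeamBackupSvc", "Sophos Endpoint Defense Service", "wbengine",
]


def matching_fragments(name, fragments):
    """Fragments that occur in `name`; assumption: case-insensitive substring match."""
    lname = name.lower()
    return [f for f in fragments if f in lname]


def processes_to_kill(image_names):
    """Map each process image the prc list would match to the fragment(s) responsible."""
    hits = {}
    for image in image_names:
        stem = image.lower().removesuffix(".exe")  # compare the image name without .exe
        frags = matching_fragments(stem, PRC)
        if frags:
            hits[image] = frags
    return hits


def services_to_stop(service_names):
    """Map each service the svc list would match to the fragment(s) responsible."""
    hits = {}
    for svc in service_names:
        frags = matching_fragments(svc, SVC)
        if frags:
            hits[svc] = frags
    return hits


if __name__ == "__main__":
    for image, frags in processes_to_kill(RUNNING_PROCESSES).items():
        print(f"kill  {image:<22} via prc {frags}")
    for svc, frags in services_to_stop(RUNNING_SERVICES).items():
        print(f"stop  {svc:<32} via svc {frags}")
```

Note that the fragment `wordpa` catches wordpad.exe and `steam` catches the Steam helper process, while `svchost.exe` and `lsass.exe` survive because none of the fragments occur in their names; the same substring logic is what makes `backup` and `veeam` both fire on a single Veeam service.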

Extracted

Path

C:\Recovery\How to decrypt sa5n92qybx-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension sa5n92qybx. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5E8DE5371A38494D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/5E8DE5371A38494D Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: +agFUEyAMzoZ8Sc1/Nr2P0I9EX2DHf+zMWlnj7VMC+gMLXLsvdjfIDOnbtyOMf5O hgLJxhUKiVAhGLeHQM5ilpzxKec0565L8E2b9FCwVSP5vHZhOMe1HBvOsode5kt8 PGS6KQSqBIWBUqNuT+xc/hGpsnZPcrw7CODcg1gpvf7jeskXPZT3YgWTtzeXgXeN nPwFZ29xKxI12Dy6cDZ6YPuCxjNSJCDtPl9eeOneogg5qx80qZbHtCsTXjE7IoRC W+db6wVsxGYenll1CoSkTVT8q3zTLQqip76zpZCD4tF4aTniQBATuME+UZ1C/dK+ st8Tt2o1SmA/9SOJN2Ijm8TVBWZTaFVYWy/UwfktYz5pwdVihOAswSNhos7bo5W0 yJtC7MnnY2931BELyI6+GUgclmtIG0v/6dX0q/mE8jyvGr8QOq/z2IcsbGkSEqq4 NOm36byRKBmXZeCa8bbVL7WoF+6WDc9t4DBtVONfUckpDMYs9Si6zW8qEe9wHQDM mUSz+4bhzaVuFpF2sOFr8Fz8GElE7T9FI3m+/F8C067xC0f1nPKr38AFdAd4TBcA UbPwGYBt1GWXX8LTap9zBdl9GHQFW+Cn5Me5+EI/gsDhJJElSOq4YW5LqgrvBoWe ni1P3EUhwm4qQNTXNtyLZmNCotg7lKLbqQMHG6vzVnnCp/jT8B75qBmpzJqxrJfe QOpMoYII7B6LKuhgFPjYmqQ+1/nvFzrzHecRT58OUr1gqkZHEffuDHep1DytbNyB /F8QJppO4yBDDSAf6bqGthh7uTrST1wyk8ecsH2qs96V12OcqM19sGgpA1JRtkZP xJ+JX9qMLr+AnhcxqnkTIHzbxTpthkZPkAcmAgWu2LVHr0n4V1A4y3gRQ4F4VV/u 2Eua+/AYP9AlKpn/oRHsN3CbQe42rx+N8cx2KZFeLMY2b45aGVotQOsP612Znjbv 9Q3ebRNNhiYGtF+g3AA3YAWjYlotM3oEs/FM8e/8cXqasivhiBdrn20jXRGXIYGb 5B4PEZIZP7+8n/RP0DsQz0tGUGtN+H87Q1dTOjTEAuJ1NFaQfr9cxYvcYEq9lEVp y06fM1RuZ5obtX2nGlQPq9lyRb99h2R7uDQNX3UT4My3ptXTAh1So9X3VKqzyG+b sY2A1wV7m3ZBxBAv09xk863p+dXsZaBcPwbAHTngaG5aeIW4r1lnYTeJu5SnpJAM 3KWU6mzomRlP+bt0mO/ROyVsSJE= Extension name: sa5n92qybx ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5E8DE5371A38494D

http://decryptor.top/5E8DE5371A38494D

Extracted

Path

C:\Users\How to decrypt 0b11bm229-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 0b11bm229. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DE648EE015A5A3AA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/DE648EE015A5A3AA Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: eHszxbVt5PLZMN/Ip0kTCgJnS0y9zsXydR//LQT45BNhhfxtl0RdHZ1VFxn2lX6u rlEwfo7nK8MIHp269WRKnfP+motRvO7vtJpPJRfEWq4zRDgUgexH/z5VzjW5lqMV X4LgxyVbqRgRMYScLYZsX/PHzub5EmUA15Y9zSdeEg+4TXSUUMR76e8GK3ru5ciq qC8B0ER0P0ybFp7L62GQShky1z9ut4cn/skzEqx/75tlbyGB7d+AAyUdGdOU9RYf DlO1lS2M+OfvGGx8O+6S1I38IC9zR8S3IFTXOzlSYHLzeukFA1P9Pdo9v/5MF0Ms K3Rdt4+ggTSnrVkk1hTPp+Yvt+qC448fStAAArSybbiFO2nyijB7s9KyE6mfDoWM 3lIMzG8I72Pn0GtwrPNtjD00UwihOLeIhb/8P+4KH0DLK0ivOKN2SChzGe60dXXP 6Cd/iGhVJli83pteEcMvuNKej9YPkcalcLF5zgGUkiLu2mYSSE8BZEkitshiVJcr 816ViPL8TyK32MXllAYovqIGfT9vJGn/Ru+zmcaJJ6tzrxnuDwE5WKkvZfR6Ku+P 8YhOtxdgIRMamQh4rJGIbKVG18jQvDi08H3QVaq3qyHtN/EWN+cJNXma9HwfGuIy kMa+upbMO3416ndQT9pmbd0eu+APzQL6oQpOxRCpCRSbs9TKR/mOskoW3vQk9J60 zvscxkSuBXP6ehMCcsoCVRjhWWkXmf6uAqI2kCxXxBUzVCTf0MZRGWm5kB1vXM6T OHVSpnzbqsAggJmQVVoA0hWPbSoU0Clgzzpp5pC79+3RZ0b+ZwYh7RFxPj19w6mO 9gx/zb7HcdjEEiDcOC/rsufXIvHXq7eMr5A4mxNF6IWIG0EPdSTkacfaswHHq1VI QMfYIDPO125bg7AtBxZF0V6Ba9BHjzyBnM96CaBKbNdVcUaa7WY2fXpjxzHlmsiU ArCLYd4PlV+w2H/brS/niO9vBJGKSTJrJSfWPWsHgZgaI2rBO51jL4FKoexMXGMc LnhCIki3EXm5etjsBn3uF5snd5ce7BDP12JpggO+J5+lTAekvHK0VzaHt5yMcA9j NPpqs66j2AdE0OHuOm19VnVXljcWY7feX1C9NLv468uoopa5e63/747DOH7E0RxG qyqO8PmwFqUX5Z58UJc65mxN/MMh26mIZ8nZV4W1iBnJPm4oZT5GmyANUYPIlTG3 OTK5AP4mXvreodDns8AWfYMlVtAm8H1s Extension name: 0b11bm229 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DE648EE015A5A3AA

http://decryptor.top/DE648EE015A5A3AA
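
The two notes above are the config's ransom_template with `{EXT}`, `{UID}` and `{KEY}` filled in, which is why both share the same onion host and differ only in the per-victim UID, extension and key. The script below is an added example, not code from the sample, the sandbox or this report. It renders a note from an abridged copy of the template (elisions marked `[...]`, key a constructed placeholder) and then parses the fields back out, the way an IR triage script would harvest the onion URL, UID, extension and key from notes found on disk.

```python
"""Render a Sodinokibi-style ransom note from its template and parse the IOCs back out."""
import re

# Abridged copy of the ransom_template from the extracted config above; "[...]" marks
# text left out for brevity. The placeholders are the ones the template uses.
TEMPLATE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your computer has "
    "extension {EXT}. [...] b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "2) If TOR blocked in your country, try to use VPN! [...] "
    "b) Open our secondary website: http://decryptor.top/{UID} [...] "
    "When you open our website, put the following data in the input form: "
    "Key: {KEY} Extension name: {EXT} "
    "----------------------------------------------------------------------------------------- "
    "!!! DANGER !!! DONT try to change files by yourself [...]"
)

# v3 onion host (56 base32 chars) followed by the 16-hex-digit victim UID.
ONION_RE = re.compile(r"http://(?P<host>[a-z2-7]{56}\.onion)/(?P<uid>[0-9A-F]{16})")
CLEARNET_RE = re.compile(r"http://decryptor\.top/(?P<uid>[0-9A-F]{16})")
# The key is base64 that the note wraps across lines; the extension is the random
# lowercase-alphanumeric suffix appended to encrypted files.
KEY_RE = re.compile(
    r"Key:\s*(?P<key>[A-Za-z0-9+/=\s]+?)\s*Extension name:\s*(?P<ext>[0-9a-z]+)"
)


def render_note(ext, uid, key, template=TEMPLATE):
    """Fill the template the way the sample does: plain placeholder substitution."""
    return template.replace("{EXT}", ext).replace("{UID}", uid).replace("{KEY}", key)


def parse_note(text):
    """Extract URLs, UID, extension and key from a note; None if it is not one."""
    onion = ONION_RE.search(text)
    kv = KEY_RE.search(text)
    if not (onion and kv):
        return None
    clear = CLEARNET_RE.search(text)
    if clear and clear["uid"] != onion["uid"]:
        raise ValueError("onion and clearnet URLs carry different UIDs")
    return {
        "onion_url": onion.group(0),
        "clearnet_url": clear.group(0) if clear else None,
        "uid": onion["uid"],
        "ext": kv["ext"],
        "key": "".join(kv["key"].split()),  # undo the line wrapping of the key
    }


def network_iocs(notes):
    """Distinct URLs across a set of notes, for blocklists and proxy-log hunting."""
    urls = set()
    for text in notes:
        parsed = parse_note(text)
        if parsed:
            urls.add(parsed["onion_url"])
            if parsed["clearnet_url"]:
                urls.add(parsed["clearnet_url"])
    return sorted(urls)


if __name__ == "__main__":
    # The UIDs and extensions are the ones in the two extracted notes; the key is a
    # constructed placeholder, not the sample's.
    sample_notes = [
        render_note("sa5n92qybx", "5E8DE5371A38494D", "QUJDREVG Rw=="),
        render_note("0b11bm229", "DE648EE015A5A3AA", "SElKS0xN Tg=="),
    ]
    for n in sample_notes:
        print(parse_note(n))
    print(network_iocs(sample_notes))
```

The parser deliberately refuses a note whose onion and clearnet UIDs disagree, since a mismatch means the text was edited or two notes were concatenated; a genuine note carries the same UID in both URLs, as the extracted notes above do.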

Targets

    • Target

      b6fcb19eb3bcbf3eaf16c7bf3f134d61_JaffaCakes118

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15
