General

  • Target

    ccfde149220e87e97198c23fb8115d5a_JaffaCakes118

  • Size

    292KB

  • Sample

    240831-rzwcgsycnk

  • MD5

    ccfde149220e87e97198c23fb8115d5a

  • SHA1

    d514d08571ecd8cece8d704adc8d0c4fa87665ca

  • SHA256

    34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160

  • SHA512

    392a14c9a0c3a98c46e15b873919bdae13f5306a937fd8c869b2a2b435d236433a1eb78d6a953a1722d5b43cb69b4028459d6ea2387a904b4c0f2ec5bc36992e

  • SSDEEP

    6144:qGZamLIoveyefyOrA80qE1lHJv3loPHVb6L:qEsomyef5k8k3Sby

Malware Config

Extracted

Family

sodinokibi

Botnet

7

Campaign

3

Decoy

sochi-okna23.ru

www.blavait.fr

kamin-somnium.de

geoweb.software

www.drbrianhweeks.com

kombi-dress.com

johnkoen.com

prodentalblue.com

transifer.fr

matteoruzzaofficial.com

jax-interim-and-projectmanagement.com

hawaiisteelbuilding.com

www.kausette.com

www.galaniuklaw.com

www.atma.nl

www.piestar.com

www.kerstliedjeszingen.nl

biodentify.ai

endlessrealms.net

condormobile.fr

Attributes

  • net (whether the sample reports to the domain list above)

    false

  • pid (affiliate ID, shown above as Botnet)

    7

  • prc (processes terminated before encryption)

    mysql.exe

  • ransom_oneliner

    Image text

  • ransom_template ({EXT}, {UID} and {KEY} are filled in per victim; compare the dropped notes below)

    Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got {EXT} extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/{UID} Page will ask you for the key, here it is: {KEY}

  • sub (campaign ID, shown above as Campaign)

    3

Extracted

Path

C:\Users\Default\j4xg27p-readme.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got j4xg27p extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E7A5BF92BB389A48 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/E7A5BF92BB389A48 Page will ask you for the key, here it is: X+/OhohqssfsR9rQ2Bl79BeNIsCqBLGNePFsnkWG2Fhs7joAO+kqPrls7NFsoR7y rWNwfhTvfJH9twzwhtQKWvHDtLzXLetepxcQhFW4mFUVr7Tuiu/QIWmZr5vqrAdB bQAF1ygJNEOGKuWVMs/C9ICDrUJ33a92qObX3t1gSHDpKL+DHe97t3b49owthmsl xmZF/Mfw/aUCfxfHtu92KSqUwsTdA7p2SsgFzvU4XAFyfl7XrM+m0sxdSTqpRNE4 GV5yt/LoNGx1+Nan6HA/VmlGI+rxV40DAKoEP8Jjg+UYSd68FFsH230IWBBVK6uq t+tdd5nm+EWihzziHwJ0lRlfydogRWlx49e3jESuAnI0kOSel6rudEzwPEjbT5BK 6PyHEiUF0Zf3tYZbVKUPnt/sS0n943jGnJPQzaY0DXGncB+2NHAFb2fKc0u5mr2M GBy7+wm21JidKpVSt0xJ/D5YtRahfZhhRgf4mjpY0fiagG7wI4WCS0OPFvR8ZW0o JPzp1FyGiRVgiI3oaI3MBMVJrRAXjR9YbzuMw/bLBwHhyFa5soVPCwjikxO07af8 6c7XV2dlyzneNKTT6FXkkqiYZlqi50Vrr49lghy6py2Q0Dk0k+Kc4Yj5vITk3uOD uPdWyTrWrT7bEKGIbzGMN2e72mX5ia8RcnFDy375lzNnVbdabqmPd3SHCAgsOyvE EAg9ITOyh7o2wlyuUw3EDTVwrxnSlbYWkQ7xfvcegUWJC0x1mfKkWF/AvGo3E83s hq7P9MQXdFOg7xtpVD3Q+RFSrBniDxgWWIErSq80vxcUlIEfimQMuqGpk8m+ndF8 YMhd9b1vq8EyNbXzrdmhBURldRT5CU3sA0hWeyTcc1s8lPXSSdnrC9zM/kwZHNhA vEGT55HsFceHMEr188J7NsHpfegrsPKkFzSYZqf6pcNzIyWZgMataEwA11++eCKq srMr6t9roSSg5EEoT8XMAvhohFBxIqLgWK85T0QhPVi2nyvI9yzvDqGmAEjloBpP ucs8enLsUSnuTUhfJK27wQEhEfgutfX0Snq+SNfZcSIAc7/PlvfmB0BgpZrt60/V TvbqotK07EJ8p0aMOERj9L8UOCvCovxmtNl/jjiQHPIsKDV67Qg0cLVuXq/NmTUw uAIjBa6CDmH+m8hCK4FtKcFN2eXMdg==
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E7A5BF92BB389A48

http://decryptor.top/E7A5BF92BB389A48

Extracted

Path

C:\Users\Default\21x75d7i3-readme.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got 21x75d7i3 extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4CFECFDC36A9209F Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/4CFECFDC36A9209F Page will ask you for the key, here it is: +dIAUEyMbA5+bgfa3xnD1jk2eBPiKktuFEeiK3RE8ilXTvGYuX0P2Diizy2rVjkf kOQvgYrSjn75v2NXWW/SYZclgPCFvfnT2JNYPpZ120agi52BM5/dNPZIdNyzjSOm 0PF5HJZMYkewh8bT6ktZ66+dYkHsEEVwpg36yxtUeXT0XQYoYGxY0qMnH/Lld7K4 wlRMHpzsiq/rfiOVSp3vUhwCl92B0A25BqMaboAnwb+9rob95WEsGrfEi41eUDkI W26aEeI79Yv+CTutDytQJC9pxITKm8HKfCdu14BbsSZE7u5tEc1/TmmN3hlPfd35 ujWj74ek3YPzIqaUVsA2Yx8p6W2c649gDHkCKgcdGqKEqaTFuUq3zpxjq+zukp11 5ZP3uVCvLIV5XasvIlJHatJ7VuMPMldRRCFWqiSzmGAGjWNzoEvFIzxUG6AGpFeq gC/aQOeNnrPZgMMO1sleEOEZfipAaai+24+UGnP2YcVXuzzj8cpR5UGLlVgQEJKG KfPqawiShjhwVYqFa2kgXLv/EncM2PSIE6US6bK9DwdotfzSVj13iJeYB6eyPUuk 1Fb8W7P+KSBDGrZghcCLgqRhYQUorvCIRtxZDzEfLLxWHFTViEBUiIfc2/etqYat cs8O0Xx/oNtgO7QffcFHHWr7ueyf5T6gxDv+XAY1ZR5MFxONuWmZW7DHR1mCTNfV G5pEu3opzji+diS4BiyBHf9c4Zb1BlT3ymH21B7xdquz9/vD4cJPlihIXVztn8+7 Qs2efBx9+fbpj5RLwGYRwrXMmaYtYOR/X9ykecL+3S/9C374/te01+9sBn+We2bC qjEg5HkXkm6sGVZFcVSXoB0ppTGdIMwy2r5bPW/3vKBMxQLlH2kyANYYfpZ7a0WL 8UGE1Ze3h/tTSu6kDVEa62r0Auf92/VFx14aEh67Be/kJ8pXV7ZeOGlDEQOKz/Jd xEZAdfJ1fjn49Ow7ku2/UwRo4DrWZB1jjWaX54iQtq+WmuTop1gYVjnUvOltG3Xc jJlFXdGoqK/OzMjorr1JgabfzmoDx3or+exxwyxVaR3ShGVEYhU+S7jG6D0BMVqx ikctmxhkIa4snNbyyI0cSoCjIrGkFQdpH8ql4LzaiyrxevlWv8cq8zNNx8VPkFBp q7TQkDNkbT36pZTU/gHRbG+yi7ys051yxlR/bQ==
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4CFECFDC36A9209F

http://decryptor.top/4CFECFDC36A9209F
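
The two readme files above are the config's ransom_template with {EXT}, {UID} and {KEY} filled in. The following is an added example, not part of this report and not REvil's own code: it compiles that template into a regex and uses it to pull the per-victim extension, victim ID, key and URLs out of a dropped note, and to reject a note whose two URLs carry different victim IDs. The sample note is the first readme above; the only assumption is its line wrapping, restored where the flattened report text shows spaces.

```python
import re

# Note template recovered from this sample's config (copied from the report
# above; {EXT}, {UID} and {KEY} are the family's own placeholders).
TEMPLATE = (
    "Hello dear friend! Your files are encrypted, and, as result you can't use it. "
    "You must visit our page to get instructions about decryption process. "
    "All encrypted files have got {EXT} extension. "
    "Instructions into the TOR network ----------------------------- "
    "Install TOR browser from https://torproject.org/ Visit the following link: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
    "Instructions into WWW (The following link can not be in work state, "
    "if true, use TOR above): ----------------------------- "
    "Visit the following link: http://decryptor.top/{UID} "
    "Page will ask you for the key, here it is: {KEY}"
)

# Shape of each placeholder: short lower-case extension, 16-hex-digit victim ID,
# base64 blob that is line-wrapped in the dropped file.
PLACEHOLDERS = {
    "EXT": r"(?P<ext>[0-9a-z]+)",
    "UID": r"(?P<uid>[0-9A-F]{16})",
    "KEY": r"(?P<key>[A-Za-z0-9+/=\s]+)",
}

def _literal(text: str) -> str:
    """Escape a fixed fragment; any whitespace run in the note matches a space here."""
    body = r"\s+".join(re.escape(tok) for tok in text.split())
    if not body:
        return r"\s+" if text else ""
    lead = r"\s+" if text[0].isspace() else ""
    tail = r"\s+" if text[-1].isspace() else ""
    return lead + body + tail

def template_to_regex(template: str) -> re.Pattern:
    """First occurrence of a placeholder becomes a named group; later ones become
    backreferences, so a note whose two URLs disagree is rejected, not half-parsed."""
    out, seen = [], set()
    for i, part in enumerate(re.split(r"\{(EXT|UID|KEY)\}", template)):
        if i % 2 == 0:                      # literal text between placeholders
            out.append(_literal(part))
        elif part in seen:
            out.append(rf"(?P={part.lower()})")
        else:
            seen.add(part)
            out.append(PLACEHOLDERS[part])
    return re.compile("".join(out) + r"\s*")

NOTE_RE = template_to_regex(TEMPLATE)

def parse_note(note: str) -> dict:
    """Pull the per-victim IOCs out of a dropped readme; raise on a mismatch."""
    m = NOTE_RE.fullmatch(note.strip())
    if m is None:
        raise ValueError("text does not match the Sodinokibi note template")
    ext, uid = m.group("ext"), m.group("uid")
    return {
        "ext": ext,
        "uid": uid,
        "key": "".join(m.group("key").split()),   # undo the line wrapping
        "readme_name": f"{ext}-readme.txt",        # naming seen in the paths above
        "urls": sorted(u for u in re.findall(r"https?://\S+", note) if u.endswith(uid)),
    }

# First note dropped by this sample (C:\Users\Default\j4xg27p-readme.txt), copied
# from the report above. Line breaks are assumed where the flattened report text
# shows spaces; the key is kept wrapped as dropped.
SAMPLE_NOTE = """Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got j4xg27p extension.
Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E7A5BF92BB389A48
Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/E7A5BF92BB389A48
Page will ask you for the key, here it is:
X+/OhohqssfsR9rQ2Bl79BeNIsCqBLGNePFsnkWG2Fhs7joAO+kqPrls7NFsoR7y
rWNwfhTvfJH9twzwhtQKWvHDtLzXLetepxcQhFW4mFUVr7Tuiu/QIWmZr5vqrAdB
bQAF1ygJNEOGKuWVMs/C9ICDrUJ33a92qObX3t1gSHDpKL+DHe97t3b49owthmsl
xmZF/Mfw/aUCfxfHtu92KSqUwsTdA7p2SsgFzvU4XAFyfl7XrM+m0sxdSTqpRNE4
GV5yt/LoNGx1+Nan6HA/VmlGI+rxV40DAKoEP8Jjg+UYSd68FFsH230IWBBVK6uq
t+tdd5nm+EWihzziHwJ0lRlfydogRWlx49e3jESuAnI0kOSel6rudEzwPEjbT5BK
6PyHEiUF0Zf3tYZbVKUPnt/sS0n943jGnJPQzaY0DXGncB+2NHAFb2fKc0u5mr2M
GBy7+wm21JidKpVSt0xJ/D5YtRahfZhhRgf4mjpY0fiagG7wI4WCS0OPFvR8ZW0o
JPzp1FyGiRVgiI3oaI3MBMVJrRAXjR9YbzuMw/bLBwHhyFa5soVPCwjikxO07af8
6c7XV2dlyzneNKTT6FXkkqiYZlqi50Vrr49lghy6py2Q0Dk0k+Kc4Yj5vITk3uOD
uPdWyTrWrT7bEKGIbzGMN2e72mX5ia8RcnFDy375lzNnVbdabqmPd3SHCAgsOyvE
EAg9ITOyh7o2wlyuUw3EDTVwrxnSlbYWkQ7xfvcegUWJC0x1mfKkWF/AvGo3E83s
hq7P9MQXdFOg7xtpVD3Q+RFSrBniDxgWWIErSq80vxcUlIEfimQMuqGpk8m+ndF8
YMhd9b1vq8EyNbXzrdmhBURldRT5CU3sA0hWeyTcc1s8lPXSSdnrC9zM/kwZHNhA
vEGT55HsFceHMEr188J7NsHpfegrsPKkFzSYZqf6pcNzIyWZgMataEwA11++eCKq
srMr6t9roSSg5EEoT8XMAvhohFBxIqLgWK85T0QhPVi2nyvI9yzvDqGmAEjloBpP
ucs8enLsUSnuTUhfJK27wQEhEfgutfX0Snq+SNfZcSIAc7/PlvfmB0BgpZrt60/V
TvbqotK07EJ8p0aMOERj9L8UOCvCovxmtNl/jjiQHPIsKDV67Qg0cLVuXq/NmTUw
uAIjBa6CDmH+m8hCK4FtKcFN2eXMdg==
"""
```

Running parse_note over both notes in this report gives different values for ext, uid and key (j4xg27p / E7A5BF92BB389A48 versus 21x75d7i3 / 4CFECFDC36A9209F), so those are per-run values and not sample-wide indicators; the stable indicators are the .onion host, decryptor.top and the `<ext>-readme.txt` naming, which the parser reports alongside them.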

Targets

    • Target

      ccfde149220e87e97198c23fb8115d5a_JaffaCakes118

    • Size

      292KB

    • MD5

      ccfde149220e87e97198c23fb8115d5a

    • SHA1

      d514d08571ecd8cece8d704adc8d0c4fa87665ca

    • SHA256

      34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160

    • SHA512

      392a14c9a0c3a98c46e15b873919bdae13f5306a937fd8c869b2a2b435d236433a1eb78d6a953a1722d5b43cb69b4028459d6ea2387a904b4c0f2ec5bc36992e

    • SSDEEP

      6144:qGZamLIoveyefyOrA80qE1lHJv3loPHVb6L:qEsomyef5k8k3Sby

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Deletes shadow copies

      Deleting Volume Shadow Copies removes the local restore points a victim could recover files from, inhibiting system recovery.

    • Renames multiple (202) files with added filename extension

      Bulk renaming with a new extension (here the extensions named in the dropped notes) indicates files are being encrypted across the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Reads user/profile data of web browsers

      Stored browser data can include saved credentials and is a common target of infostealers.

    • Enumerates connected drives

      Attempts to read the root path of drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15