General

  • Target

    d170f2684721d33eb1b1db2cca1a764e_JaffaCakes118

  • Size

    164KB

  • Sample

    240907-jtcn7atdjh

  • MD5

    d170f2684721d33eb1b1db2cca1a764e

  • SHA1

    ace765223486af94ef2e8b2c531cb56b8afa3321

  • SHA256

    399a27b146613d522ca9430ba24215a193a64f816304e4f51615250d98c3294b

  • SHA512

    2ba8d350a0f39d406da4eb27a47e7736d2d83b0387553b98ef7865568aa04127641015141f329dc4a83d0880439d3e7b7b7376fd4801a9fdfa226faeb6f5bf65

  • SSDEEP

    3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDOmi22:ffYWAw9fcUdmwIXo+M9VQHD77

Malware Config

Extracted

Family

sodinokibi

Botnet

34

Campaign

254

Decoy

carsten.sparen-it.de

o90.dk

nvisionsigns.com

cssp-mediation.org

putzen-reinigen.com

gatlinburgcottage.com

finnergo.eu

fla.se

purepreprod4.com

khtrx.com

cuadc.org

prodentalblue.com

modamarfil.com

bellesiniacademy.org

pansionatblago.ru

sololibrerie.it

skyscanner.ro

mazzaropi.com.br

metriplica.academy

larchwoodmarketing.com

Attributes

  • net

    true

  • pid

    34

  • prc

    agntsvc

    excel

    mydesktopqos

    powerpnt

    thebat

    sqlbrowser

    sqlservr

    synctime

    sqlagent

    outlook

    mysqld_opt

    msftesql

    tbirdconfig

    infopath

    ocomm

    steam

    mydesktopservice

    isqlplussvc

    firefoxconfig

    encsvc

    visio

    mspub

    thunderbird

    dbsnmp

    dbeng50

    winword

    msaccess

    onenote

    sqlwriter

    wordpad

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    254

  • svc

    svc$

    memtas

    vss

    sophos

    mepocs

    sql

    backup

    veeam

Extracted

Path

C:\Users\2klvn5o-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 2klvn5o. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/33004BB5F5171963 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/33004BB5F5171963 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: izsnE4Njnfz812G5uUfMl1p7MDHjQFSIADdiYj9GmGq7qQbUvghCU+KKgqztbZqo yHV6hDPgscn08hUrIazjM4OgRDy++CJRux+iL2k9O9Xv7n7rUcK91EwyK9RXk3dq igP2be2BMp1h3SpjfdEtGMBCfbP+nD7NXEo5xo88N0L8RDQzibnG/w87Dcby1cxn 0PUyGksUthfwPdB2aS38IG5q2eZ8BE2MWY2hlaYxlQN/IO8XQDy+zTq5WdVlDgvx KYrGH+rMi57HMxFpX5L2NLCVVUbPTtn+mLmkkB/+c8TeJ4c5wtZTILtNu1ojeeRb uy6VtDFA5RfeZw9/DxWQ6BV5hWnQ+lUE8tkt0wIrYAOArHYbQ/rDPJpIj66/33kS VXDy5k0orhOhAvgS1YlSeUhs6Gk9ta0NzfbFrnnk2Cx3SUmu4qwQdV15bgV0DBYY PwH79Xq+r+T8sSQXwqbhM76uOh7wTl0Iig3zl2XchP9FKkcaMo9j3sk/qBPBwWI+ wm8b+xtNSC+UEVGbg7+VOyGxF6YZA5hAblxxPS0HzHRAK7968yJpGcHIlRrIpyvO u5qx3zzlehA/f3ocMfkbZj98VxTOzJychZR4Lzg3VXNIAtf8wayPLh1Hu2pb3mUi C/HPhT28H7eNbKJyi25zEFyCIdPEcFzTn5PySqyl7fM+n2eWq1dd/OFTNG3w13f/ ONGOaTwWOYPQHAP7r5g4rPf9rHa9bMeUVdFGy4cZgSC75AvHDNdZcp0q5KTYF4nE 1hyl9xOL9+HDwCtUoGIaEJbL/Ayy+pZfeEzAn22bAzBBwQl/dnJ+ZkHZY8Y3FPd6 EHr2wh0lEJQcRHhIltWMFuSek6mm7Nf0J3HEo4hzKWxP+C9WDSNFSDlpOgOQwYa3 SJYPJi6qsqyrVlGU8HgfqYWTKxIFXFzCMYtpmk54MBK2xXTcoeG+LI/h084vMksj ja3c0TcyPIrTDqveHWN1ghwnAooIBfoLwmVvW0bttPNuFUc6f2lCSQxKBoDS8f8x G8+X58oljSnXGvqNStHS3jmcTVeUnZB5dMg24SJwKlJe1nG/aONj/Mjt3XQMO9LR JS7Wud/mXcII5caNf4yfy8bu0FAuqJ9wZPIzyEVoYsEQe5IyjSSOn6oMjEzHyVq7 4XWoqdYfOtE27zXQCzm6tx9d9XvzzA8Yq9OOEl7Xbw+qJlBKS0oeNfItGCdceMZr BujKhg+Z+5QT7NmW Extension name: 2klvn5o ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/33004BB5F5171963

http://decryptor.top/33004BB5F5171963

Extracted

Path

C:\Users\v2dl9lpf-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion v2dl9lpf. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D1F35214F317A6E7 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/D1F35214F317A6E7 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Oq5QLNqCyP7uR9nQLpHvSqh5fdXtoszmuvQR39k9DouIpC9372J3ifBJ5Ast8Cqe yk/yNgMpRWFXUykijhqr0xPXRRh+w+BbU1SO9hjGOH2MqTKKJK0865BtDarQAQhq 20zJNlNd08riIkRF+VgF4k9nC9/I3LCZrfGIf/FXFKJDtYe7vYbOSAdjQvOxvShS 8XC3kpeGcigAl1Hg6Bkpo0KQjOtEmGV9MdVTMfqHUu2p5EO22wbtqAOAWmhwh3w2 dkg7JKa1IOEo/RS9ZlCliV4kfXqPg6Ev2v2qx2y40iRqY+m33Lxq/m3F2qeyd/UH oW2XTK/6mTebXfHwe9q1SJLYKcFIbs9hpm+I9ZF2An+ONjGRH7TD66iaazopAxEa d/dAv3cvFSqstBwgsDiqNoD8OBZzQ1fcgdWL+5tWFd/IGj22IC8ZlmkDVhwI5HOb 9CVMQjnOiKInS0IykFOnNQa4ffX7oBAb67Cbd+I5IDiGKTNy7oq/08ntzWo7XUbW ikl9dsAWTJYP9fGb02kd8+cq0Q1CwC/gzhI2WtjHIZcIB5V2L2wGHC7tROw8Y4LO Vo9DdcoLhMuD04etw97wGwt8aS/+fe79XrAtBaj7jeQPx+Io74560w/pjEvfzZXu OK0Q5+X0mly8TI6IB9hzit0+gTxdgrA5YFwwBNYMi28qDX93YiTz56n4/zW5EnaF YDaXyIIiiNQegfQdHLXyjtmfRqlTTPwkO2NmYUqUQe8JAlVoQhQV6VkOBULhgkDR Zn0SqwnHUR7c4OOYJidXRb2J2/JwslgsIFCdSNaQTGxsJfoG9RwZiGDfV7abTt6A DyjQYJKwEcRbiT8mI9MKCka4ogspd/ApXZomfPA9Qhqp2LV0baGNe/4CpWFGonMz kQsbbr3HBlpSDIR/2DRyUyHA7FfanGaW6NmEbX2LO707AjmxYY2bjF9ZDg2smXWT kAnm1y9vDfipvGvvCE0Lf3z4JufY/pjC42vLinlJLB5UqBcqjSKR3crvp+fzUpwA zNxILRLoHvU1lzsBbieh/I6R6spjdjPF0OKTbXRV2Q5jkq11w5Vyt046YDj212po cKpQhfr8GKRQ7rfuUjUiKtOgTVZtLQcuE8yZdz76RNivFDD/WKSTP6rBT86g75gf Ef/hA2IpzNvU1d5hLhMyKuibvgyDac+z9A4/DUX+wndFMtWLOO+cNrk74Re77Y9+ oL5AtHODE1dk+U2kYRHuxuFurbw= Extension name: v2dl9lpf ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D1F35214F317A6E7

http://decryptor.top/D1F35214F317A6E7

Targets

    • Target

      d170f2684721d33eb1b1db2cca1a764e_JaffaCakes118

    • Size

      164KB

    • MD5

      d170f2684721d33eb1b1db2cca1a764e

    • SHA1

      ace765223486af94ef2e8b2c531cb56b8afa3321

    • SHA256

      399a27b146613d522ca9430ba24215a193a64f816304e4f51615250d98c3294b

    • SHA512

      2ba8d350a0f39d406da4eb27a47e7736d2d83b0387553b98ef7865568aa04127641015141f329dc4a83d0880439d3e7b7b7376fd4801a9fdfa226faeb6f5bf65

    • SSDEEP

      3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDOmi22:ffYWAw9fcUdmwIXo+M9VQHD77

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks