General

  • Target

    d3e026324b81c755f9058d7a42e96c75_JaffaCakes118

  • Size

    165KB

  • Sample

    240908-jmdb5sthqr

  • MD5

    d3e026324b81c755f9058d7a42e96c75

  • SHA1

    35d30a689c4b826e43d9255574fa09965c0a6ba7

  • SHA256

    f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3

  • SHA512

    e9eb060168da1db8dafac357835ffc2272dc3fdbae31c77d810c188299657c824255cc1f337ac25420c57ebe821a838f4e92e5fdf7778a4a6692e777305b3913

  • SSDEEP

    3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/Na/CUtnBr8rl2a:lw02sJPi7O93NSnBkl

Malware Config

Extracted

Family

sodinokibi

Botnet

48

Campaign

2036

Decoy

arearugcleaningnyc.com

jacquesgarcianoto.com

dogsunlimitedguide.com

gurutechnologies.net

pajagus.fr

belinda.af

bundan.com

go.labibini.ch

professionetata.com

bcabattoirs.org

descargandoprogramas.com

piestar.com

neolaiamedispa.com

bellesiniacademy.org

cotton-avenue.co.il

boloria.de

loysonbryan.com

vedsegaard.dk

encounter-p.net

thestudio.academy

Attributes

  • net

    false

  • pid

    48

  • prc

    onenote

    infopath

    sql

    ocssd

    visio

    ocautoupds

    mspub

    thebat

    isqlplussvc

    synctime

    outlook

    excel

    firefox

    steam

    powerpnt

    dbsnmp

    mydesktopqos

    msaccess

    encsvc

    agntsvc

    winword

    tbirdconfig

    mydesktopservice

    xfssvccon

    sqbcoreservice

    oracle

    wordpa

    dbeng50

    thunderbird

    ocomm

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2036

  • svc

    veeam

    sql

    memtas

    vss

    sophos

    svc$

    mepocs

    backup
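The prc and svc attributes above are the sample's pre-encryption kill lists, and since net is false and the domain list is reported as decoys, they are the host-side behaviour a defender can actually observe. The following is an added example (not code from the sandbox or from the malware) that models which processes and services this config would hit on a host and turns that into a burst detection. The entries are short tokens (sql, wordpa, svc$, backup) rather than full names, so the example assumes case-insensitive substring matching against the image name without .exe and against the service name; that matching rule, the host snapshot and the event timeline are all this example's constructions.

```python
"""Impact model for the prc (process) and svc (service) lists of this config.

Added example, not code from the sandbox or the malware. Substring matching
of the tokens is this example's assumption, not something the report states.
"""
from bisect import bisect_right

# Values copied from the prc and svc attributes of the extracted config.
PRC = ["onenote", "infopath", "sql", "ocssd", "visio", "ocautoupds", "mspub", "thebat",
       "isqlplussvc", "synctime", "outlook", "excel", "firefox", "steam", "powerpnt",
       "dbsnmp", "mydesktopqos", "msaccess", "encsvc", "agntsvc", "winword", "tbirdconfig",
       "mydesktopservice", "xfssvccon", "sqbcoreservice", "oracle", "wordpa", "dbeng50",
       "thunderbird", "ocomm"]
SVC = ["veeam", "sql", "memtas", "vss", "sophos", "svc$", "mepocs", "backup"]


def norm_process(image: str) -> str:
    """Lower-case image name without its .exe suffix (OUTLOOK.EXE -> outlook)."""
    name = image.lower()
    return name[:-4] if name.endswith(".exe") else name


def token_hits(name: str, tokens) -> list:
    """All config tokens that occur inside `name` (already lower-cased)."""
    return [t for t in tokens if t in name]


def processes_hit(running, prc=PRC) -> dict:
    """Map each running image the sample would terminate to the tokens that matched."""
    out = {}
    for image in running:
        hits = token_hits(norm_process(image), prc)
        if hits:
            out[image] = hits
    return out


def services_hit(services, svc=SVC) -> dict:
    """Same for service names; the svc tokens target backup, VSS and AV services."""
    out = {}
    for name in services:
        hits = token_hits(name.lower(), svc)
        if hits:
            out[name] = hits
    return out


def burst_alert(events, window=60, min_hits=4) -> bool:
    """Example heuristic: True when >= min_hits kill-list hits land within `window` seconds.

    events: iterable of (timestamp_seconds, kind, name) with kind in
    {"process_exit", "service_stop"}, the shape an EDR timeline would give you.
    """
    hits = []
    for ts, kind, name in events:
        if kind == "process_exit" and token_hits(norm_process(name), PRC):
            hits.append(ts)
        elif kind == "service_stop" and token_hits(name.lower(), SVC):
            hits.append(ts)
    hits.sort()
    for i, start in enumerate(hits):
        # bisect_right gives the first hit outside the window opened at `start`.
        if bisect_right(hits, start + window) - i >= min_hits:
            return True
    return False


# Constructed host snapshot (not from the report).
RUNNING = ["explorer.exe", "sqlservr.exe", "sqlwriter.exe", "OUTLOOK.EXE", "wordpad.exe",
           "firefox.exe", "chrome.exe", "lsass.exe", "VeeamAgent.exe"]
SERVICES = ["VeeamBackupSvc", "MSSQLSERVER", "SQLWriter", "VSS", "Sophos MCS Client",
            "WinDefend", "Spooler", "wuauserv"]

# Constructed timelines: an ordinary workday versus the seconds before encryption starts.
BENIGN_EVENTS = [(0, "process_exit", "OUTLOOK.EXE"), (3000, "process_exit", "firefox.exe"),
                 (7200, "service_stop", "Spooler")]
ATTACK_EVENTS = [(100, "process_exit", "sqlservr.exe"), (101, "process_exit", "sqlwriter.exe"),
                 (102, "service_stop", "VeeamBackupSvc"), (103, "service_stop", "VSS"),
                 (104, "process_exit", "OUTLOOK.EXE"), (105, "process_exit", "explorer.exe")]

if __name__ == "__main__":
    print(processes_hit(RUNNING))
    print(services_hit(SERVICES))
    print(burst_alert(BENIGN_EVENTS), burst_alert(ATTACK_EVENTS))
```

Note that a single token such as sql covers sqlservr.exe, sqlwriter.exe and MSSQLSERVER at once, and VeeamBackupSvc is hit twice (veeam and backup); the burst rule deliberately ignores isolated hits, since users close Outlook and Firefox all day, and fires only when several backup, database and Office targets disappear within the same minute.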

Extracted

Path

C:\Users\fme92-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension fme92. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F04BCE0F12281737 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F04BCE0F12281737 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: f963x1EimsibPhLjGacvKOx8xAkCGQzhVNOYDaiosZlwAUJsIDuIjU1okvkbqfaP c278D2AEG04yS4WrSdEAf9gONANMsj9ThBgtYr7yiB0dx+de04+k0VqkvttO8UsQ VW6fRHv0IOya9oWLE97vrkDkrzaeaWC7M6gV6YZWpnLuJRsdJqU2EEXHTwGacvRE ZwGnjiOryqdyg5aaDXVc5Uq08VDxBSEp+CUsYIR6X3XgKg/FhkR8MUBGnYC+RkvS LsOd9dml9DbzvShPvz8jDI0FRCO7i9IrXgvvDZVCuXJuhV+WlAFBjarQwHPgV+VJ GpW1zuaUUBFFNRx7NWEqzQ/Fp8ILo3u1nW3v/4PD04KT0eBCdfALQhMck51Xrm8h 6Zr2EjWvauq9qIIfsi8iABD/xmCsI51Shuqzt4lBbpBTzVLQy88+C7DG4TBnWUrz PROs9E+XvLMzvEdj/Lc+p400VKLFqW1sr4G9/fhxGv322quH+89PXMqtLm1XkAq1 ulm4BpiwY7VTZO2weKGTlHXRvLNSoaYLJ+v2LptNFSIj5oQGRu/Z4J+ZMt4sdrVY OIYNbfSqNHu2uAqLxBvyWN8IRLY97Gc0juJbkTyWFkuPi9MFAEYFqimHmr9TP/wO dWIkJYd5FOm2AAPTcpMLBtfh0ADczaisWooi5PTnUa88lAvvi6YE3TqPVXKGdElS +iK5E5NkbvgKf7hpULQ9D6ZkODOGzCxj8vOOnDqU+D819FBJBGNaPIjDZz1ufEym FYzTUp7P7IP22qRz6E0Q0/fsjG9HcM3+4FsWIZTnW4WccjCt4HhRqN3adCcQrZsh RSePIqOuGm9FNgWd9wfqVq9ctWPUth8cjpawKeCANlFYoakqShZC1A106DVCu5hL RD9GcYJ9e61qlkNPwa/sALM5+EgoYa7WvF8DYDX86N8M/bwh/04iFIvUYRD5+h/Q NB2jdGNFq0bt6A+6I/Ioh+fi4jHik0Rk7UZtb7nr3tHbvyj1QmIK+yUk/sq6zqre ljPW49WbYghZlFYlNcVWl9EuflLChCO28cj2IuhDRh2XzLQJ0kG/Qgr7qg6AkCBy j57DXXEHdmCGuJwex6vNsoLzEq0UmYHGnJxVjhaBpvB/EMk2qPUbmnwpwPe+jJKV Q1bZYnWxbBsqlU67qhb2Kw3uHj6K+tvo/6EYGFE3pd4b9zLmygKQTpCiQAyjRK88 5SeQnhVTuwYgyA== Extension name: fme92 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F04BCE0F12281737

http://decryptor.top/F04BCE0F12281737

Extracted

Path

C:\Users\v2264g4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension v2264g4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A064A2D02E6C7F51 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A064A2D02E6C7F51 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Xfwt/du9tm4sw5/1XlCi8i7p0XDMrFBNHZjmBSTPi/IzsfXpA9JwpS/QJXiz/QhY i00Gamx7udAIMdwpy50QWrZOPK72xBQb8zd1Ja8b1Fij0N0pk6uOyrbwOFnVS72u g1MITnWpsLvlhP0IhBKnV9LlHFoRAVWJeKDMJRHszdBFChIr5NaC2sV+yVMMu2qb MdVUN3l7zygLfEXKT+Q7GD+GKuybNt+M2zud+V8eWAEvujZ8mF5I53bjQ0W7D+pJ ouOlsUfhpaMwfp4fELJ912giuUQPJfYDTs+EQqXKDiRCn9AVu4TC4Qo34OLwb86r 7jHiRYKOKRPZJ9k7cUGXHnA2rvTdSz/5DfqkmEJK7fPTnwx5FtPLFnYAPPWm3fBh xlWtZSPlzs3NDdineBY0cQqHMRxGnwi+oUFFNFpDyo2z1yBRc7+1dUGvB3nqDoIu wmqrIIoFWW8F9X2mMWpkoqt8B3h2u3BrRqvG5OqvR8VkHVkcLQ/SN8G950WhM3C8 t6nZNqJKcNK3E56ZGgOOxE2KI1mFkuq+yruRUJZCL8GgUNAvICPtMPSNmKrjZTwd A+G+3cKAxP4a7jtBZmCa2PVEvq65MQxr2/lMxIhzi91kvAl7ipfcyQhWmbul8Iix i9OFPBlZ7QsJHTtAY9uFffG2vWUebk+BuO6MbbT3S/p8bfjEUuWte2x2IFGZ4OuU m6BM3QBCkTfScmM4NcV92hlJ/coiNzGTZkew7qbNpRSfpM1rR7sZeQtEZi46dSi8 IDSR70ACZZt9jveZaJ7fFX/StHIdZJ6bwSoRUGMf+1yiOac/14UIUjNPu+gDeYUo Z77KGw8BnF1nqoJ0JO2iluuNqhuyikEfjxnIdVkieF6N2FhGyfVx70qJ3KTqruOA 0bokfBG63Agvio0QKA/pqTqKGPglbc5nHtpVHQbMCAMuPswSbP0vaXJ1AWMOBMLr 7RsgaTDObk7P6Wa9kmZSbLkt2UllKufRe9iv2PamnrImKzDIxJQDTHDe80WZbTP4 BBkSmmpIuraIyJ8JlhbhGYCxpjRAk/TKsOm52Yo0803HkmPyMOhnOyqvzAyesh9w o9p+7UYrDImXSq8pRpyE6au8duuVLTJaVV5e+GjYDd+kRrOOSk5gI+NaWtF/fr1A RB/lB5n1a3upl+G70FVtxR0XBf7xoLBEtHoNZNRtPVDBSv493IZi1Bdt9d7sFGl9 krCPh/Hh1WYpwn7sMiEFiREWZL4= Extension name: v2264g4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A064A2D02E6C7F51

http://decryptor.top/A064A2D02E6C7F51
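The two extracted notes are the ransom_template above with {EXT}, {UID} and {KEY} filled in, and the victim id in the onion and clearnet URLs is the same value. The following is an added example (not code from the sandbox or from the malware) that inverts that substitution on a dropped note, so a responder can pull the extension, the victim id and the key blob, and rebuild the URLs, without visiting the attacker's site. The sample note in the block is a constructed, shortened copy of the first note (real extension fme92 and id F04BCE0F12281737, constructed key); the regular expression and the result field names are this example's own.

```python
"""Ransom-note triage for the REvil/Sodinokibi notes shown in this report.

Added example, not code from the sandbox or the malware. The note text used
below is a constructed excerpt with a constructed key blob.
"""
import base64
import re

ONION_BASE = "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/"
CLEARNET_BASE = "http://decryptor.top/"

# Fields of the template, matched in the order they appear in the note.
NOTE_RE = re.compile(
    r"has extension (?P<ext>[0-9a-z]+)\."
    r".*?" + re.escape(ONION_BASE) + r"(?P<uid>[0-9A-F]{16})\b"
    r".*?Key:\s*(?P<key>[A-Za-z0-9+/=\s]+?)\s*Extension name:\s*(?P<ext2>[0-9a-z]+)",
    re.S,
)


def note_filename(ext: str) -> str:
    """Name of the note dropped beside encrypted files ({EXT}-readme.txt)."""
    return f"{ext}-readme.txt"


def fill_template(template: str, ext: str, uid: str, key: str) -> str:
    """The substitution the malware performs on ransom_template at runtime."""
    return template.replace("{EXT}", ext).replace("{UID}", uid).replace("{KEY}", key)


def looks_like_sodinokibi_note(text: str) -> bool:
    """Cheap family check before parsing, so look-alike notes are not mis-parsed."""
    return NOTE_RE.search(text) is not None


def parse_note(text: str) -> dict:
    """Recover ext, uid and the key blob from a dropped note; raises on a non-matching note."""
    m = NOTE_RE.search(text)
    if m is None:
        raise ValueError("text does not match the Sodinokibi note template")
    ext, ext2, uid = m["ext"], m["ext2"], m["uid"]
    if ext != ext2:
        raise ValueError(f"extension mismatch in note: {ext!r} vs {ext2!r}")
    # The note wraps the key at 64 columns; undo that before decoding.
    key = base64.b64decode(re.sub(r"\s+", "", m["key"]), validate=True)
    clearnet = CLEARNET_BASE + uid
    return {
        "ext": ext,
        "uid": uid,
        "key_len": len(key),
        "onion_url": ONION_BASE + uid,
        "clearnet_url": clearnet,
        # Both URLs must carry the same victim id; a mismatch means a tampered or mixed note.
        "urls_consistent": clearnet in text,
        "expected_filename": note_filename(ext),
    }


# Constructed key blob (96 bytes, base64, wrapped at 64 columns like the real notes).
_KEY_B64 = base64.b64encode(bytes(range(96))).decode()
CONSTRUCTED_KEY = " ".join(_KEY_B64[i:i + 64] for i in range(0, len(_KEY_B64), 64))

# Constructed excerpt of the ransom_template, keeping only the sentences the parser needs.
TEMPLATE_EXCERPT = (
    "---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on your computer has "
    "extension {EXT}. [+] How to get access on website? [+] b) Open our website: "
    + ONION_BASE + "{UID} 2) If TOR blocked in your country, try to use VPN! "
    "b) Open our secondary website: " + CLEARNET_BASE + "{UID} When you open our "
    "website, put the following data in the input form: Key: {KEY} Extension name: "
    "{EXT} !!! DANGER !!! DONT try to change files by yourself"
)

SAMPLE_NOTE = fill_template(TEMPLATE_EXCERPT, "fme92", "F04BCE0F12281737", CONSTRUCTED_KEY)

if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
```

Run against the full first note on this page the same parser yields ext fme92, uid F04BCE0F12281737 and expected filename fme92-readme.txt, which agrees with the extracted path C:\Users\fme92-readme.txt; the second note yields v2264g4 and A064A2D02E6C7F51. The base64 decode with validate=True is the check worth keeping: a note whose key blob no longer decodes cleanly has been edited or truncated in transit and should not be used to identify the victim.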

Targets

    • Target

      d3e026324b81c755f9058d7a42e96c75_JaffaCakes118

    • Size

      165KB

    • MD5

      d3e026324b81c755f9058d7a42e96c75

    • SHA1

      35d30a689c4b826e43d9255574fa09965c0a6ba7

    • SHA256

      f7c922293637486c307b6d1f05da1eb686a330c527981e0b0f079602e9cfd3d3

    • SHA512

      e9eb060168da1db8dafac357835ffc2272dc3fdbae31c77d810c188299657c824255cc1f337ac25420c57ebe821a838f4e92e5fdf7778a4a6692e777305b3913

    • SSDEEP

      3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/Na/CUtnBr8rl2a:lw02sJPi7O93NSnBkl

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks