Resubmissions

18-09-2024 11:32

240918-nnmz7azakp 10

15-09-2024 12:50

240915-p21c4svflm 10

15-09-2024 12:44

240915-pysh4atflf 10

15-09-2024 12:04

240915-n83ldatdpl 10

General

  • Target

    e2708d3c57b562b01da42f9e7549781f_JaffaCakes118

  • Size

    165KB

  • Sample

    240915-n83ldatdpl

  • MD5

    e2708d3c57b562b01da42f9e7549781f

  • SHA1

    3d82951dbfab5629187b26ecb7388b7a05597f67

  • SHA256

    d976a41f366fb1e3a0a5d15878d84e24704949973d9e0ccead9a779dee03ef0f

  • SHA512

    c483968f981e64021025bf4f42424df3cfb88a55bd4cb7f2aa904515eccb85e239c3d44812b28d5b617b6b8476dcc3f4258465a211ae6e6725adbf1850234619

  • SSDEEP

    3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NaxohzDKMlt:lw02sJPi7O93N3FHlt

Malware Config

Extracted

Family

sodinokibi

Botnet

48

Campaign

2047

Decoy


Attributes

  • net

    false

  • pid

    48

  • prc

    excel

    outlook

    powerpnt

    dbsnmp

    synctime

    mydesktopqos

    dbeng50

    winword

    mspub

    xfssvccon

    wordpa

    encsvc

    isqlplussvc

    msaccess

    thunderbird

    sql

    thebat

    tbirdconfig

    ocssd

    oracle

    infopath

    steam

    visio

    ocomm

    mydesktopservice

    sqbcoreservice

    ocautoupds

    onenote

    firefox

    agntsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2047

  • svc

    memtas

    sophos

    vss

    svc$

    mepocs

    backup

    veeam

    sql

Extracted

Path

C:\Users\s7k82s16-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension s7k82s16. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D761E04F4E92FC72 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/D761E04F4E92FC72 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 6iV3MEj0WMEDH2Ef419MB7nLo1O+G89Wdx6FgIvunDdGxSJ+pnt030vqGYjrqb0n 3KvVpy4Yl9xEFytrR2DjCjy2aju+PGDrbJg6URVNd1hO4DwBBOfgSdm/dpPwvuWp FN4/TsH1WG0NXTHjFkGQpl1gnGbFxIi6cfnfD2ZOL5SW3D//JIyutJ3CLJENHDKb szr0rPGqYCc6+mqZaWPQ5PONI72qjYKAeK1srMreZqTwIQHR3ESbBkUN0IUWu0h8 IoNYlTHntSJo39ZoES58piTO6Duaob9XidQNLzsVu8Id8A73duWPCqzY9vQegMYB pchfVUB3IM8uXOS8GsR9xURv8+t1a5RoDkBewODBJcNkZO/YKxPygkyL5wjavHJh dQc+mEkA8i2aWFpktsckpsXCxCWrtg0kAqY2+xxUKpgXvTCoYm/2UrPnQ31izZ5u J9KOjVS22psuctunBEN8UcaCurD0HJD/M//l4Eo+UHy3u8d1l7QhPvPyw8BoFmNT sQCp4sxVNL9FeSyU7Tidg99nDQmlHo5XfDQYv0QjEekYNUXS2yH8/cVX4VR/OLz0 mgZM4Ds2L8T+/Rzw44lyAyfTREjBQSfF1ltvKawmKX2QCv/9H2l9HAQLD5LwFEIL 18woFja8Q2IivvGxJJ3lSuyUndztHBG7ae17YQKpnXqJa0nV/tOooJcmssAx4yf4 CJVYKYpTm7IAJ5m/2UntCKqYox/lLqe2E9ILyAGKc6MKrf33e5kUkJWRr1X8rFKk y4SGIccXwh1S/SjBBs8AVoVkRC+wq7CyIVisY0EmfG8XPGolyzburo6Y7VQY9n4H fa2akFEej9+OuZ+w86iYV2xQIhEb7Kl31fmc0B+d4FdEGWMToemWsL0NCHh60gj2 W8x9LxAjhhs2ycVH4yiHtmLCzbrrg9sDqNwfjfMuwpinUkzPwuEii8wumC8EGMC+ PUD/OzepvqGWKGCuUFY3QnCx4tf/u3wFQOl/5cd3d0H0U9xyv3WEHmFTCCt0AGy3 AJ7IxicKMbzdeYRj/d0PhY3zyUBm0gVHAYzALMxfzAOQuvOQUo7FzVYSx2W3Ejh1 4PBgahbMMZwdp/KR5vMEDc7G9yNuwFUJ3w88STiAOq2QJf9iPKu+egu0eR4fyo+c N2FDATNcMPNmt2dVD/5HBy/XX7Pqv2Tv+1qGVKmYJW2rT43TUCpzRM6neiF859aR nDFMQf3nVWlsem/HhOnpVw== Extension name: s7k82s16 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D761E04F4E92FC72

http://decryptor.top/D761E04F4E92FC72

Extracted

Path

C:\Users\7q34gu5t-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 7q34gu5t. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FFE4F6EDD585EA0D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/FFE4F6EDD585EA0D Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: avbAV2JzqlDM9E7fVE7ktK4TAv6pFqHGC7aNF9rt5QkZudJ6j6gpUtp4sGjQFhO6 NyjZx8GCeg07cKQVKzvEieyRloYjV1rPB6iJFoshXG+iVR4BqaFYkYUOUvMmypus ptGpvdo0QNp0W9CzZ6QQWbDKsaKz7bD1ydilkwCdjn4eEKjxUTal61s+4r+6k8mQ WonMZd53GVczjZriNZjGjweIA6yijAiz5FniSFoGRwF26tfKv4j/PlwoMzBeIkfy JE4ztDS4HiNzU1Jn+rpVyg3yPEnt4IcLnHRGIcufK2XsWqAc1TtKgSBudDGTghIp nYXqI8mo4H8y1Y7d3fkozqlAyGeElwEqv1NWqVZJvM7G1sSDxboRvVOKNsCSInen V64fy3cMBJpmGxke8Og3tBqoCTIR2nWYRPfEX7/qbEFrJeiAfJGWyxITlhJpmFsX WxOcehbyFa23B0dLlMeTFdKpoLh7/VZGyg1NE3KTKCAGqy98Bxjumns77qEDvWGm CbT19yaf75RQ0wbUtGNsfCJVmyWX1v6nR54q6n7Y60s6VO27pN+3kA09p+Z3K5yP iTKH5lzchBjhC4+s6wvQ+Kk5RuLBBiv4+jfM2V7L8gpiFXyRnlB33AjVXd/MrFI8 N4pqQcL0lhJ87hS+btJuRas2com8qDB/NbfQRIVEs8No/VBfu349cHtm6X8eEVAG zBnNh6Hpwx6HV0P84AmaRR+i2S0lk5xRYJgdTZsUw88+ilECq32pRRxxyGdLPWn0 zuc+z/cNvmkvZzXrm0q62YFSAlT6oolAiE7tr74cT//PYNYEAlNtTIRw5SIAAYec no22P+mK5ZMtX6ZqUXVX+dgudzCY/nXOn9LG4/3MHuMn1Wu24e97cVenWKpoM7lc Qn7F3mu47+3o4dQJjSuL2wGRygtl1I2GRpcGln6bchDgYWEyH7CdLfqFgItWGmht 2hlfT51vxLEu/OkuKkhivKKuIoV9IHlxhj9Vh382aXZ6225Wf8bOSveip3IXZPHe nGMlckRxg4hT4YFwSR8g0PmUs6pxjetI4YMCmNeYzj6CHOyD0txPVeTBvA9eQE+R iyqkddo8LyWHE6kkFR2g79OMsKfTyMRjsZyZPzUNY6cic4RukO/E6L+4YGGhnsLj p5Jp6E7MUOWiBvBGPDffdjkPSpdvBkfpaKMuJ9SFyJMcA+poWP1dSf/ZFVEkalaM 3zj+RwIApV8PUg8LdKDWl/k0EVcTNg== Extension name: 7q34gu5t ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FFE4F6EDD585EA0D

http://decryptor.top/FFE4F6EDD585EA0D

Targets

    • Target

      e2708d3c57b562b01da42f9e7549781f_JaffaCakes118

    • Size

      165KB

    • MD5

      e2708d3c57b562b01da42f9e7549781f

    • SHA1

      3d82951dbfab5629187b26ecb7388b7a05597f67

    • SHA256

      d976a41f366fb1e3a0a5d15878d84e24704949973d9e0ccead9a779dee03ef0f

    • SHA512

      c483968f981e64021025bf4f42424df3cfb88a55bd4cb7f2aa904515eccb85e239c3d44812b28d5b617b6b8476dcc3f4258465a211ae6e6725adbf1850234619

    • SSDEEP

      3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NaxohzDKMlt:lw02sJPi7O93N3FHlt

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks