General

  • Target

    JaffaCakes118_28cfcdbe185abf8176d62b11287495989424bac090b573ecc319162f814fc523

  • Size

    70KB

  • Sample

    241221-2gmyha1rhw

  • MD5

    fc443f1397d0e85b707030fda0ffd368

  • SHA1

    fe97b3847240993bfef3cbe3a6917f858068c04e

  • SHA256

    28cfcdbe185abf8176d62b11287495989424bac090b573ecc319162f814fc523

  • SHA512

    4d3014848f90c10db591b2f54a769fcdd3bdfcb181d6108eb0184eb4ee2b7274cd49c080d27ba2fcacda8a49a646f5c7459617560556959784754464057dd068

  • SSDEEP

    1536:tXdpFkbR6wUPjTkOxGWaTqxv++nUkAXvzSPe0+WMp92pq0hHk:3pF+ub4OxGFELUrAa

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$gMHdtu094GE7DD46JvCH6.bPoHnpKjInjjdxBtPaRwAEY6gOWGKYG

Campaign

3721

Decoy

quemargrasa.net

wraithco.com

dubnew.com

zweerscreatives.nl

eaglemeetstiger.de

highimpactoutdoors.net

vesinhnha.com.vn

rocketccw.com

div-vertriebsforschung.de

rieed.de

ulyssemarketing.com

jbbjw.com

moveonnews.com

em-gmbh.ch

deepsouthclothingcompany.com

2ekeus.nl

vdberg-autoimport.nl

deschl.net

teknoz.net

micahkoleoso.de

Attributes

  • net

    true

  • pid

    $2a$10$gMHdtu094GE7DD46JvCH6.bPoHnpKjInjjdxBtPaRwAEY6gOWGKYG

  • prc

    firefox

    agntsvc

    tbirdconfig

    ocomm

    visio

    oracle

    outlook

    winword

    isqlplussvc

    mydesktopservice

    steam

    thunderbird

    ocautoupds

    synctime

    infopath

    thebat

    onenote

    excel

    encsvc

    mspub

    dbeng50

    sql

    sqbcoreservice

    xfssvccon

    msaccess

    powerpnt

    ocssd

    wordpad

    dbsnmp

    mydesktopqos

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3721

  • svc

    vss

    veeam

    sophos

    mepocs

    svc$

    backup

    sql

    memtas

Extracted

Path

C:\Users\39241-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 39241. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F98A1D2AB659188B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/F98A1D2AB659188B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: zI4UaZLJnPN0LTtSR+PcOAu58njQ4YF6iPq/Y6yHzJu7nzTPupmOgfLNjOfKQFYP kRiYTRfiCoS2Pcz8GRhYArovjHRxHrlvw1QVK4aA2drcrWa43GHxDg6TIi/5DpUl E/c4n5DuMVwVcbpPdI37nJ+7wO9QREaKN5U+5nxseodihrAYbANGiWmc8EaUGoUo 8blxH/UJtaKBTNHdeuVGmfykJ8t0GL1sg5hoFRBwVnG3PmnGw87pRvWJBzKayE2V CBHFEcUQwDExOSKJ2JVCTe2HNxGNQ41p2rO9L+pMQdft4v786CekXUg5wsi2VYBV P3lX6aAf05IOlOFsBwtPhK+nQI9lnPJhQo26HHQ8TK5XKGMqfup9DaOyrAYE5D2K rPestknKIktzjWqkhV1UX22t/ejBThDIv2Htc88HkbZMoUW0VGYqYgJHgL++0BhB wspaH09Ef1HshjAcmCiYn8fa8t+72BZoFbnx6G7SIlwNKsBrCCS4Ao31XKMnX48m cD0KtTpayT/ujuVzSoM9Sm+sCPXvNKI7L7C1N6jvmYHL4bNubqdMOKExP0QfFsrb TziwQ3rXrLYtD2bklvIvw1ZGyTzBjtO1i/WGHr2a7sA31SQm3f4CAnClchY5KhLg EwGdGzoPeERDNbvpgkTFfxIqdYX3SzbyNT5kvzWPse2J7B/VSvRpQyXuseN7vq9j G0lPnO7R9s8lWcCJgtm6/YJrk4m6flZwzqHuMZxPwwrsMv1ZONCft1gHj5XCU85X iOXyKCd46XcWLMqtceJaWZQUKyiXa7jEYx/xPRurjr9toV7BKWsI4WGmf3ULB0Lr ctyMFMlugvfoHUmQ8cjFSWtGbfsov+qC9aU0I5q8JAfIP4kqlyxpVToDq8mMbK4T npfGbf5phr4RHYl/RRlqotdNgJyLr9joNBKsKUMJmeUEJLkV4GtWxfq270X1AoBe eSaRCmfBzanw1asM0LCxLm9hN0vK6bkRFcL2gz2MWaEgviA6MNEeY2vB1h6ASyE2 IdFoxFZFg98sZwKCOOVUuoEcR5DEZFeDgMoyQb8ZsVkp6e+RFSGJf3j8PaQCggLw 3mkhi6kzlcqTcMnT0l3TEHw0ZZXvoDEqvRL7+c/2+E/CbgVC7o/eCp5XQOirp/FS 9py6it+HgNPjThD8m8JIDaLJ9IfN4AwajrvKO3CcSWSnIhtYREWarseaW9FKnJvA WNB7Oj9hIAQ0TU8f7tLqKfeoPIr5qOAKblKkR05iopf/P+OMZirNpV5IGv3JcZRG LLyMN2lRbKW+Mrm3qovGYU5bcqUzDRB0Qs0uXWqjr3qqceNhEDwkpcr7RpErhVdQ RhXNyQflJmSbfa30kFJHLJH/eaO71yo3zkGPz9rR ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F98A1D2AB659188B

http://decoder.re/F98A1D2AB659188B

Extracted

Path

C:\Users\ov4ed-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ov4ed. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/57D32A2674287429 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/57D32A2674287429 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Jtf76pnLsH8K+8JS9kMLouDGRNqkKU+jv68729KKmJyLXc2C4V+N26t7VixMmIw/ i15R9emq00Xsf7JPF9lLZT+fdrLR13IcwcErzK58hOUwfwaDugxH/7b/cAHD708B JnTfAkogPG/kjE9WFRpe9qOSGSOs4AlpckZpyrefMEsR71/3AFAHv0wh5fUbUWWa n10QhYYmgB/+j/5C8MrYf/xyTpBgzAoHsh2hvafevZ01FeKOfayxMiKLzh1pZReK bJy/HzeaRopiyouRVHHVUzximL8aJ8ARk5Ojoz3117SW19uQYL2vaCR5Ch+RvLSI 6IxAMc8Uye5aP92KwwwbV9vpY0z27vGk58junqzFViR/BKBhQ3ZpCvmfPUpWD8cT OM4gAB4FcQNm5b8PnI5oZx5hJXCyIrsv3HraaydLQvL5dJfEOooolAPQgl8K+M1r HHGF7hBR9d1sAA+4Y8P/3jygplpOp+OBjUW8e8gz0pUfAYKvKievDHYQsc6rL242 jW+zQKrJWd1w+VfDXf5gcSEHs1gKWCCFxMCiG44fGhuPomE4P7JouXm+pA5FustJ E55QqjBRy806g/catuUGjOi00d7vZw3Vcgwpsn1YVq7wVIAEmBWsxbdJzVNSVEYW RhkWd7Ceh3Qc1tvyeIIv8DXhBCICIxa45ia3/VrqqBtHLb8k+qlcFaMHTEX72YF/ F6qhrh/UredpKUAuBpdgr0vFOjooF4ZkY2J4VwBxIFgc1/pLtAplj3O4oRIs48ad uUg7TxVYu1MyzYyAEIsxInZWL1BUx2KK466qOCfOnY4hOSQN71/Rld5/KyJo3aXm sO+DLwFDclks2zxtkegdWctgu/nGMtqaEB75ffNRNepRt32CZ7ov12ui4BQcxQir C9DSOa7IC42fATCikpv+7fAw2Ewr6l/u0fP7RbRCtghbuF1LCDTpBL0d0v9QhM77 hY1pxBHaZ6SqztHRgeNQfOSbjcgTBBKKecmJHLxqjR6q/fsJtg4w+ek5an7TTvnV lgTMSQVuAT45/VNKAatL8dEjnKTzHOO/fTb9N9+nVvtrx4amXMwxzJI7KIBqNUp8 9/8WOsKR9a0dgMa3okGk3A5G9KhLbW0tA/7xrETVoGfouNYtH1/3Ep/RRgXA8rpr EXvur4v3/OJzUsjFvvKa/M2VgB3JMshEkYim82KoVwigLq71Q8UtuZBt42PQp3AJ Ejq3e/lptY3XBl5fg6yegDeCb7Pi69xsGd9rIoJoxhqXX4nynKTzHFyECFV9Brs9 lQ8cBZB4TTbtloCSXDkTj9X30bxmIt4zwnw4vw9tmWpJTPKh1Kxo33vWRhab84lp arCNlzUQQUMlJO1SN7a/fQjXl+lzPTaK7Av9JkfN4Wa+5nnK ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/57D32A2674287429

http://decoder.re/57D32A2674287429

Extracted

Path

C:\Users\s102e1i-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension s102e1i. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30CE13B6D81D3151 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/30CE13B6D81D3151 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 4KBTjkDOU6gIdkUbmij5ivGOw2TEwFKWGScTYuzC9OKlqNZ80iKG4i309ndEkvwC Imcn1PMukSQNVZz1DfvMrfEYq/LlYPzR0AaUQc867BiTq48kCi2CONADvmtaSX3S OggaUoTukZrMWio+Lj68eldfas/DI9owRJGtu83zUA/plAaySOI7nKUX1iVwn8g0 eHTBcAdZ9+wRGikVIMGMeEj6YBZKKkvj88GbZrFhgYvpFwFan8S07C5pVZunT3De N01Mn1gSHle4MNgvHo3uF6h6MWnM8BXzrHJLHpqcF2cy82ZDoOWMZ621Ebj/ZU9+ SOnq82LQsPI3NvvPUdrysYtPd8u7ycbNPaghb3Zp4TQU6ngr74foT2RXQjYY652q /BDfxX2P3jR3DJgGom+7gGuESOIfg0EqHvdoKerqL30Vk+OUw9XXfVEs1PZNybwF aEngR6TKyyNm3pH3ZGi4eVMsnc1kAV7JnKeChsNZbNRIkjKuYzdsIGESeuRL34qd E6ig6SGy0J8LiLiXL5LZqalRO9R6RWtEXd/lbvC3JfklrbxKH10vGNL3xAb/cZXK Grrm1srG1eWvXVGKXefyrhepD22pLipQho8aO1Zb1+oHYxvDcXWZ0G8Kdu3tX0qC /A5dj+mKKDNEj0I73V5erAZed7DokP+9tdE0kG5lgBQfzogzQ2N/VFJvA0+OX226 fdheJu90UlFvogXtjR9C8y+dsWwj3EEiNsyaHnEVX1mmYDU++BszBV9iCGg2kq9L Mfn+aJ/y26qdXrbb+uKCYMn52T4wvWIGe/iUIdRVyidNchtGIWWOeLdwqLZDiIu0 Bj9NAmcu4+asH0zGGUWG/lbwRg+G2aFVHxPl+/7+pd7AadsUk1BRH5XFUz4p8HgF wFoFEJor8zu4ZpVXsbRxXBFGhJao2m7Bo7mY2CG6RZ4yH84iEzuO1s4bul6+A3yf iZXwvMVZJXHKfer2BDU3p64w1B5RaO17uWNqVdbhZHwHLTBVUhZZ7MzyEXKFtlyw /CoV3j753pM45P/dWnakejiNIzFSyaMoaNyJYmoqt44pXjHq8Sj+df6dnBw6+OxJ CL7IOdPOqq+hPEwUXTxqaG5jzQO7MNM2TGEOz1AYEoTAd3Z/FcD1FsvYlbvsDj4h lqZS2it4mHWWRVylzMC5Q/LGFOJ/Yl4FJ0i9bAy+bJQSp1hFNF5JxxxkPh35wKn+ iVLbaAFIAB0NUBsabfzXi5j0k9n/ikl6H9xi36xqvFJQd5VHntb1l97tnOi9FGl+ Qjl0MhzTT06KQIKn7rOFMArd1BhGFxhWAit7yE4hZWBc3ilnYlCvqHG2TEnL4hZF 9E9nZRJqLt/ouYZFoAZFIKbo766OUIqXpJFHuIaPlXVU4w== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/30CE13B6D81D3151

http://decoder.re/30CE13B6D81D3151

Extracted

Path

C:\Users\dlqoj-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension dlqoj. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/425D415C9C564E5B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/425D415C9C564E5B Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: B2yOYOtQsl0YaHKfUHR1SkIyY6tbpwtzx/dG2uGQ5I47zkysk6UKn+b38gcNWGG6 hrr+CeqjvLGFGJpeh4CCgMj3M4uuKn6pDzjfLZlLUIlhilrn/ArReU+HPhQQa3yW 8b7Q23+sYmJXM4n6FOfAUCeb2cmkHWe3NQIauV797PNCjqV6Qi4JqOabdCHwnN64 cpRxUmsYUXCOAvQ7ZISLwp5LVNCHP8x7a5v6yXm3Om1Nd25X5k6Bid7wKf5SvuBe hwF4n9bLPqkYXGUe3kkFdnFfhW9/IC/7GfwEzYitaBwgBzgj2Xv1uKAZwHjfL8IJ ekWyG23FMBggyiFVMcO89riWKz6oEr5k1rgpWevVm3zr85/9nv/MPzFwIGd1aNKG VohC0nrba3mA3b72NyPwVweFA6W32xnUQ8+nobuKN1OaREYPbTAHelD859rr02X3 wjF2idxluQYrRPwEED3y0pfdBwb9AhzzNM7zKa3fEf/PN+pMJIdV94JX3mhdhlyg bcm2F7aMVB1BrRqQ0Gvr/iZbCMJGKm7gWRTJs+skucW6ZKSZOWizYgolMR+uz7Yc GOW1yjm9h8HZIwMcU8ls8UKUn4/4N3SCkrimOLDDdL4pXnN1pYWwa5M5VeeYA83Y nrNNip5w2v5Tp8dBmd9aEwgV7GAxjlllBxuG8Qxnt7W+bQKV1gEOv9R6D4opUa96 S4M0AJNMfusNs4YdQl9g6RGu+2I25N2dZCTw0pHfrKbbLn1lVyqYQKQ0jLTG01gC qNV+T2dU/fYzQXgiVFVaVRfD5kZFaOUmJy6TwLPCS7m0mbIgMB6oVJCgZYsUrCLh CPbfrnQ2cy6vb7V/Gk+K1nchAeltA/YjjyYFoInm/pgQbg+Om39T5o1sd+rxxcTs 8RxTtRbaZd91qOQxmaZyblhQpdGcTvCG7T9n9Mze3PceM5wJT2cIadHwTBsrqbCW 9i77E2oNMhCYTtZJQnaWY589hCq2Qhz3qw936TC+xnZShYsSNP5i4uF0Ml29DZS1 O8fPSqey/rYEsw5Ckxb9CJWr661+LnEeo461COIVAY6eYH2X6JL6EUQYGX5Q0El3 aAgF2p/8exy7iXC8mabfISPyPwBVGWnOmV8MzumfbkvxKIuofSZW4WzbSfwtoZb6 L/Lx6/daSgbf9jQ8Pik6mQr/FD+cjOoVIYWE8xhuTB9zVusYWAKwuRZKnCmPwAcD f3iLRjpQD/aPasgGonPrt51eaLpZnnLITNLaeO+MxTOjoeFvdOZ3Di/g/QaBwqTg PdGpV3//y1l7S0HeiM//WNNJTNKho+hTm9mLUX7E2JGKJWyifO7QxNnJWvvMOUG7 kJDpIhl7YiwwIXDgCAZBQadFj7tl13ZcTDqVC4TV0IkzkIqj ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/425D415C9C564E5B

http://decoder.re/425D415C9C564E5B

Targets

    • Target

      6c5ddbe058da35b2731fe10234520a6bb78604f860ed4188a1bd07e62fe4ec11.exe

    • Size

      116KB

    • MD5

      c647b2da83ef8e1a790d1e0e25898780

    • SHA1

      02871c02e581ad345f1c438b6c8c730cf2d2f534

    • SHA256

      6c5ddbe058da35b2731fe10234520a6bb78604f860ed4188a1bd07e62fe4ec11

    • SHA512

      f169ebc4ffbb3d0cf8f526e0cde89706b4521086ccb0f7653cd881b595aae2727891e8ea3eb6bace263d704b0ef9a0151094c03b7c1800cb5d4e54eaaf3453e7

    • SSDEEP

      1536:/Ilhrm++mJ0eYjT7LUrACph77pS2i/ICS4Anv++nUSAXvzSPe0+WMpi1NjJiBty:bfcrh7tJFLUdAj11Ji

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      run_revil.bat

    • Size

      120B

    • MD5

      0d0877a920cc13d77e89e72fd098d238

    • SHA1

      3af65d1f0ff34ce90c289b1201a489575dd225e4

    • SHA256

      41e9c846ad4099da47e7baa5ebfd51bc53a10716cd00130d843bb33e53440120

    • SHA512

      b189fc8d21678926b7d79cdeb0ec44a63519cd7a7c85ce659b78ff7d2f526e2e92a2b308cf791c331cdc5cd5ed1d0fb482996a9587c3ee8c3741307dd9b4b572

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks