General

  • Target

    JaffaCakes118_ea13726399250935413444d0b7ed952064e970de7dc0cdca4fac7e0997245013

  • Size

    1.4MB

  • Sample

    241224-1f183ayjdp

  • MD5

    3dbd0686d98164f0c48c38a1ef529637

  • SHA1

    2ce3be2dbb48a9a192419086884f0236bfbffb2f

  • SHA256

    ea13726399250935413444d0b7ed952064e970de7dc0cdca4fac7e0997245013

  • SHA512

    aed27cfe4e7e68a8f9de60907059f24d07f7f011bba717bb3b17e52adbef3fae5df8b1dc92288240db77f72adc92382b9e28dbc707b3e37e2f981bbdbf705f82

  • SSDEEP

    24576:QVnq97HbnzYGNgT1y8NELsMtMJpn6l13twdVuom9ytFmWydxYflCrvuY6Gd:QVsv5NgBy8KxM69wdK4Hy/YflU

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

29

Decoy


Attributes

  • net

    true

  • pid

    19

  • prc

    mysql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    29

Extracted

Path

C:\Users\Default\98p1n9-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 98p1n9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/49866294956E6488 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/49866294956E6488 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: FBjmrMwUieaxtFqooQx31LBoNMMA7IHvcZrtfQRbyWyOyDwTwuvHDBDyFcl6yCYY Kr0FjpPfOVbd7w60d6lW+AEVPq7SDHneWdroKPVazHRDjAUduzskxraZhVBYaoSh cIN1HScvIai3NH3E3WkVQEkjj9QEez41X5f8tE2l0gEijNSkQu5L8WYEVYNbdIN5 rK9+McZFUxRm4ZEa/oUQ66RrKw6W2VPKaqPyvfg4tZY1asSpJeRnP4/GngLUBEhr eyUgpuH6928NqPTkdRqeB1rLmCa8fTRMUcIxMB8Tvro0S3n5MVJd/hmknRg72Yuo /7MNgkeiNEEpucCMGfeMQNmxFRggvoEezDcf3OAXykknBjZUFFIcg4+COE35joHo V7p64YkTbIgUA47Po3YCbDaa+Aae8psfX9/YpBWOIT/V9QPH3Wn5yCMCavSdMxUz XAqG3M8aK9evka9yLdTJuZHq2SGvz0RAB4Xn6KXwSy0UQfZQ18UMxA9xDmS+wQ9q mY7Hlk3xpzZ1Z1VyWTfOu16kcxG21lwGx1X6hECZfKUbYPy+fPPxrGvDyxmMog3y C6AH3ic4a3z0ugivEuw1tMnBbegXUWvJhtKv8ph29FTMbdSoUx2Ap3aJVZKNN0Bx zt1sL3P4159CXBMmJOYS5qX94pNO3h34MA3KrthuJlNRLwTWMVRdTm1hHCLUCV0I nVDtu6HbWObS5w08y22dT0aXGgGPnCH3eU8bOtX00Ti6m8LLTG6c/OZGK7TDvCux eG0sIWAAYTEygwV00Zb4FqvY1n06Pw10vTM6an9BKE6y9q0100vHIpi93722SmW6 Oy4nZyBHpRQG7IvyQa19wac8xLV/KPE3hQOZrLft+x7BUkqw2AY8J4CmurXsjhli KH19mK95Ay+OmkDf+jXki/N9ko61Z5KBNIR5iGWJkLyBY9T/gnELzmzGhCrTo2Ix CbhC0yyAsfEninrFYMRWtQlDbS3ee45HXeb+cSlirNjfOIZs4j3U/8OW3VUxx1US n4FjnSnjIzJN3HIrhmPjBjCWa92I8Ns1y0YDaGzgqgNsEPVdLSEpfSWvJAxU+t+E rVxEmcrfl2o2TSocuy6p9FF0BYyni2JnVYiu+NSlnp4j0fW2qq3IjVjIQVRAZ8em Tvq2jH0fVQrnTgci4LpxPVBc1u3y0Dst1Cs= Extension name: 98p1n9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/49866294956E6488

http://decryptor.top/49866294956E6488

Extracted

Path

C:\Users\Default\8yo0ez39o6-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 8yo0ez39o6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCB155FB051425BE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/BCB155FB051425BE Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: N4sTPMx9AGdu3/NOYjaFj2hdWIlsGJUEYurui6ZeTCXghjOLB2766ElfAJDWLbSE tnfABSuKgPdvtzf3Xj41rEeZ2RvhjsBT2qM61WZn1CK+Iox6nud+jw3+ZppHcAUk TOLeP3ZBst/6EJPbKnz/4W5L2QYgIbqQSf++TRfcMF1jeEbfoJzCZrhh6R4Njyvs IedGVHEVrAUE4+i7DUUZdLJ1IQDF9+fATDjhizKqCjk7pth42Z348kubu891pKsW IrwE7ffQcBS4vgRZOA2RjYVQkzntGQtENBnCX+vcyJRvvOnbYWMOLT6VL1B7wYj4 aNrg+LRL3fHOhhKYeX5FdWIScnh+0b6LTdgNa1kBaFCisY+RZ94g3S52VFUPgxOK fXeFyn2bhB1v76httciogYi4q+ZvzjteQj0NKHh99s4qDsP4DHo0BUgU3KLOanY6 2/dGCzF6np4hynj0ROFgZh5xA+9F0XPpzxc35KyYQ2iezGgwplfVeb4ojhSuFnJM VIZN+/goST+Uu8E71QrALUwMU1mQwh/K3yO4Xlq8TQmNXctAJsQ3kKM35x1nQIIm OoVk6SP0S4MDCItS1sL/ku+R+0JpfZJPKKRcKTcPICtB2Ptrmj+R8xw6g8vaw/Uw xEERM9Xktxq+oKqs6VOVmoxqUP8h1OJL5tM7Q2vZlq1EC4pQQN/rkzcTvMRi/Xxi BZoi2iT/4stfBJPIRxYYHDONkh9KyVtjW3pzsjTIXtNkA4pdSv7y0/V2mCnEl+rZ yRZ60xEHSGuJs7tjdc6HNQdO6lDBrymnb13F0wZWqLySDIwpm2s166T+bQc+0uJ/ LhxA8nlgYrnJuBWVgojgoTKAWdCDaaD4k3gHgYJW0yQhcdrovvCuVXikdtqKk4RO c8iyzVG6SkChKWHSePZZxGNmHxB6S2pLO29k/6VIpi4Tumb/+FQCX+N+ipIm6wbN /e2saQYb1fM0OUjl+ltfg5WE1kUQMw/C36TnIOr1tubT6MhWSbsTuEocCs0epcjx L4j7lStukiwVERLunQ4JrvkHs27j8wKKMWBSVZvg/nuBk5AybW0N0SI9MOgjIGlh GO6lgGi4MWYhqDediU8FdrO6lH5uv3nV2O6ZXKtNuWghfXDLtDdiqiiQ8ynnbQsM ZX1SqRqnSpQqVZEr+X5qdFlJsjEmvNBh6Ar8xWwY0kY= Extension name: 8yo0ez39o6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BCB155FB051425BE

http://decryptor.top/BCB155FB051425BE

Targets

    • Target

      745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f

    • Size

      1.9MB

    • MD5

      6f0f0f10532bcc6abaf04afd99811e4b

    • SHA1

      97f2891294853ccf9693d487f4fe11eea0dcb9d7

    • SHA256

      745da563270a1280bf3672f59bfc61bec18f2e87f9a3c86b15bab756a297125f

    • SHA512

      41a80f301a47e39c5eda4e444418143a8b320c1876970c2d9054c4d2c6f584e944f2a6bf1fd61c9c2a028a746eaa7b85c907a91aabb3a726e3693d96f90e90c2

    • SSDEEP

      49152:DIUWGS3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S:bWGS3S3S3S3S3S3S3S3S3S3S3S3S3S3m

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Sodinokibi family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (213) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
