General

  • Target

    JaffaCakes118_b18bbd27b10bf27d6c626a1d721dbb83f8901c9083092adda80b2628ecff2e32

  • Size

    74KB

  • Sample

    241224-ws3v7stmhr

  • MD5

    08c456f9210b5ac3fda0c5f30969cc59

  • SHA1

    f4ddaacf312d6a7278b73099569f489e2da2e37c

  • SHA256

    b18bbd27b10bf27d6c626a1d721dbb83f8901c9083092adda80b2628ecff2e32

  • SHA512

    7380ad9598419f18bf5effe7880975648e2a495af9e9347cf91da2de120d8158cb97e044274e8532325f6d69e5c003dd2c1f19a235c4d5414b74ea51da3eef7f

  • SSDEEP

    1536:mx/JPaiFKVR4PsHXvK7MYmrBa8JTIKL3qeWVTJec1DiVb:YqCsi7Mvk8JTn3qFTfRiZ

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$wsDKYj/FlqR3lZ6H4K2Qmenp6QLHkWTltAhlc0fUr6S4AfxkJrEhy

Campaign

7029

Decoy

cuspdental.com

humanityplus.org

sportsmassoren.com

adoptioperheet.fi

kafu.ch

innote.fi

polychromelabs.com

milanonotai.it

logopaedie-blomberg.de

theletter.company

conexa4papers.trade

tampaallen.com

patrickfoundation.net

visiativ-industry.fr

idemblogs.com

copystar.co.uk

paulisdogshop.de

atozdistribution.co.uk

sinal.org

purposeadvisorsolutions.com

Attributes
  • net

    true

  • pid

    $2a$12$wsDKYj/FlqR3lZ6H4K2Qmenp6QLHkWTltAhlc0fUr6S4AfxkJrEhy

  • prc

    oracle

    synctime

    mspub

    sql

    outlook

    sqbcoreservice

    thebat

    agntsvc

    isqlplussvc

    mydesktopservice

    tbirdconfig

    ocomm

    visio

    powerpnt

    dbsnmp

    encsvc

    onenote

    firefox

    excel

    ocautoupds

    mydesktopqos

    wordpad

    steam

    ocssd

    winword

    xfssvccon

    dbeng50

    thunderbird

    msaccess

    infopath

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7029

  • svc

    mepocs

    vss

    sql

    sophos

    svc$

    veeam

    backup

    memtas

Extracted

Path

C:\Users\67ny35-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 67ny35. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9457AD543F88C7FA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/9457AD543F88C7FA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: YQqLX24hNoLL7QezIi9twVse6/Vk8QuKwvC+mOQgbvUQr9+hdJFLGNGimAPxp1Hx hq2FN1i2q/Qx0qdGgupL3iF1GDTYmYn8tUX1CX3EGeY8qYACKbA/1fLhE++pSwDL qtatV+76XVpiBAZKj1X20xJ3HgWx1lR+DQCD5DMYrnPtExhVWaTAde2Z0aIeZV7T E5Ujm7YTgWs5zajTGJnd2eqsSA97IfRhHi9qxH/K34YMBrvbufSLui0wqwRiUD+b bNLFVAwxKWyLyRPB9VfQ0z3L4x9uTkJ2FtSm5EQxvbSa39lNHRxoyQz4BnX2OE8l eRSsUj7l+pCtSJaFykMheitBKnoNHlx9cz5C7WUrgLNYAqug3tFPTgIZ4jzZvGMO mixCd7D01CYdrG8er2gzX9erAiSLoULQ0TnMNFU8uE8K/pKedeZPunN3jtkSaoUk 5OkORU5nYTeuD1T9c7bnz2JrL4t3r9MqsOCh9Eh5GbetCrYbNExYTQdqJD8yogMl P8GwqlRiDOz6aZ+UfFkGRfAw5WHIJUxxL3VVC5b68W9b3Xrvp4VmF3FPY1RifVoh 3apxf/tDkUfSC/nFtwHyfAlyNAnIgS/kDeMGm9Z3iGTtJLuZfykYHDRgmPqOOrbp 4C/8QrJKP5NvI7Z3sMYWtfQOK6hQqAnfWw+qjQWKcp/IemZjOiUejOyZKujTcC3A WY3iqan+n8kT8LrGLMHNAnt20ObKkhDXzjsx7ZkvhCs3mQ+vSQtoVUCJReE5xQlU VOwAk03s01uniMaR+pGzm629O9BixafMAD45tqBdttCeU8ABi5IDSARJ5sxP7bZh eFeY6te/gQ3gunCdcY2YDiYcj+UnMlOC6qeUD4/wsvIqP7xpWOzzYZ64pTSToZL4 5iOVwpDQjbW5xI9gucXBUes3qIfS12iMyGRZL5Iql6DumMU2QeU7VHmcBmVrUgUE 9rTUkNF0+9+r5CrXtaQbem/MCxM0atraULgi6V6Dwz6tbGos3OZqQHoaMfcXOq8q dWDcGpeqtJLswrfZ1zqnUSIPG1N8aCtxeewinVloUJKDrWYOF2/6ryP+UPGYSsg1 DLN8nunatX+OrxTvou7yNbI6ugDVqdaTNBJVLHutdgjKDuMl4FwkwIZILsIBshYO G9z9QdBSMm67RQ+YmvxVyl+KK157QjU9JNJsvEjsffHKm09AfuGsQP3LnepliAFD sJnZYz5sZoysh5IkQJ8SxaKptNPlIdCNLpW6pziYOZE7HA0wEZ6OqgELVf+RY3Df XiImncik1TrDDndw1K3Qky0cApyMTuBdVvb8eJrQwvVE75JY66HZPwpvaPFPM7MR 3kiDUWrTZwTYESune3FnHcmuATw/9A== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9457AD543F88C7FA

http://decoder.re/9457AD543F88C7FA

Extracted

Path

C:\Users\2u7c3r0-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2u7c3r0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E7DFEBBCC1557AD 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/9E7DFEBBCC1557AD Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 1/s06aDCkhMj1pRuAAlBGt782qsoE6pClapbXHMnAoEwLcNjU+CEFRkH9dbE1B/Y GYlQgEwgwgxwi1pcZh0nAyT6u1Kj65F5ebC+tU2jHRFwxIZ8PMpZWA7XQLeI3MK9 AClO7x068j3cCcysTrDXfp/9mNc1SVQamPKFapx9LOH4wrDTju89V2OmQopcgDQ6 ZWaR9NLor8G9uo+GbKNpnKj09Z1ST0TUiX71oqgvpDtm8F3FUlxKNB2bwYPFLMF6 wPGIng4VSx9ZP/6KFeeI7lsfLqhexPeLvbZ5yhg5LcJLgcDAd38ip4odeHBv84A+ pM04yCA7NuWSJNTI+PX6I+wAGWPJGO1Ht1wM1MHKlqKpv8FDgaPn4ksktM7iH44I DRXOD04n9hA12YVY0JcDFuBz6U/pHJvFdRe4fzNoTTk/qSMAW9ipB8SUTb1rs1oR 59acP3KW3kyzqWJ63CQJ3NB4/BxmKgk5Ct2LSNllJFkmOFWbC7SFjlze8beUNlHW ED4HMSvJ841VX9AV2KmhdiWONnvHMWXPsmXnc7UrPuzu8qTethr4feRO/fIII1ro QfY2DqaxwJOCKCpoNweu/SyoVCabea0OZVv0DOhIe/wlEcCYg+JOg6D5mlghYAhi 9o48qDeRL20LbpEcpUH/COUliFNhrsER8o+pcWbAC6ng09AiJbXLQ11PqfhnxQ+2 OwHm5VZBPvSP8NTEiEklBibhkYM5Eq/M53w9KkQZaq+YCWtzkasUyGTOCsfdM3yD 1nQAMT1oc9A0/nRlmvw/zqHC/gRtlUOfpFEKmT59L9PCK/yAzGtp9m6o4xukTGZI +e9GOev5iJTdqG3eq3Blo9Jheq/Oy4oVWLKLkbDqO44CDmlqgY7v+AOlPzMkTfL6 XIQxC4KV5KSjjzAEj+RL1zjQCP7i8c0yMxFHbGP/f6i0slkQ8Pwqu+kGwyVWnZr8 Ef9dKb+1z2rYfJCfvR5KeNU7VCkZU1AihjJdMSq/YxKp7R419jtlmNTGodMVUnKQ OouheUScYBJNC4hYWDb9Y7haQeCUrIEXe+I+tgK0fDdwQgtEAdXZzl8p82O1wA4i Z0KrvO2Hc32RJv2cg3TEFB+R3zvDAWDJC2BptBdA5w0IPjVKviiHKwfKvWPr9lmu 4SsQyZILJzg6j8mcWvQxx+Hqz+YkNwrBhpxYwcnzrRuMoKSvtC/79pVxemrhH9J2 N/aqbTyR+JSWaQnSfTHOtaQkLzFzKIwr/5hEc35kmxsZfFF1LTKsIBYuRaA5xkxB J1MlLm3y72wdg2ogAUBjB5U3ssXyLJmhnrMY9+6QzUhMG3w/ifo4AGzkyp7T2rD8 KfZYxfsJ/7iYUWNnvaZX5QuVsC4X90XlQ3iNO7g6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9E7DFEBBCC1557AD

http://decoder.re/9E7DFEBBCC1557AD

Targets

MITRE ATT&CK Enterprise v15

Tasks