Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
01-12-2021 19:37
Static task
static1
Behavioral task
behavioral1
Sample
jbs.bin.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
jbs.bin.exe
Resource
win10-en-20211104
General
-
Target
jbs.bin.exe
-
Size
117KB
-
MD5
95d182fca1dd8c8a1720f6db73e0503a
-
SHA1
d12eb17840ba81df2f540da61503b4ef1c885a6a
-
SHA256
d64724eed9210b51eca7fb9f50fab6e968fba50b598fe3879e298bec4d831ff3
-
SHA512
581d69e8d7d22f8ee9542ca6620a9c2b7d441a7db411cbb57b1d76d240874bb7bcc059f4dc512870989cad066001ba44f12f6b3c04fd524965ea95c90f3f6e65
Malware Config
Extracted
C:\7mk2sc63-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/60FC63E6348339EF
http://decryptor.cc/60FC63E6348339EF
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
jbs.bin.exedescription ioc process File renamed C:\Users\Admin\Pictures\InstallAdd.tif => \??\c:\users\admin\pictures\InstallAdd.tif.7mk2sc63 jbs.bin.exe File renamed C:\Users\Admin\Pictures\NewWrite.png => \??\c:\users\admin\pictures\NewWrite.png.7mk2sc63 jbs.bin.exe File renamed C:\Users\Admin\Pictures\ReceiveConvertFrom.crw => \??\c:\users\admin\pictures\ReceiveConvertFrom.crw.7mk2sc63 jbs.bin.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
jbs.bin.exedescription ioc process File opened (read-only) \??\D: jbs.bin.exe File opened (read-only) \??\B: jbs.bin.exe File opened (read-only) \??\L: jbs.bin.exe File opened (read-only) \??\P: jbs.bin.exe File opened (read-only) \??\R: jbs.bin.exe File opened (read-only) \??\S: jbs.bin.exe File opened (read-only) \??\T: jbs.bin.exe File opened (read-only) \??\V: jbs.bin.exe File opened (read-only) \??\Y: jbs.bin.exe File opened (read-only) \??\I: jbs.bin.exe File opened (read-only) \??\J: jbs.bin.exe File opened (read-only) \??\M: jbs.bin.exe File opened (read-only) \??\O: jbs.bin.exe File opened (read-only) \??\W: jbs.bin.exe File opened (read-only) \??\A: jbs.bin.exe File opened (read-only) \??\E: jbs.bin.exe File opened (read-only) \??\F: jbs.bin.exe File opened (read-only) \??\Q: jbs.bin.exe File opened (read-only) \??\U: jbs.bin.exe File opened (read-only) \??\X: jbs.bin.exe File opened (read-only) \??\Z: jbs.bin.exe File opened (read-only) \??\G: jbs.bin.exe File opened (read-only) \??\H: jbs.bin.exe File opened (read-only) \??\K: jbs.bin.exe File opened (read-only) \??\N: jbs.bin.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
jbs.bin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g8wnkm222.bmp" jbs.bin.exe -
Drops file in Program Files directory 13 IoCs
Processes:
jbs.bin.exedescription ioc process File opened for modification \??\c:\program files\AddEdit.wmf jbs.bin.exe File opened for modification \??\c:\program files\BlockGrant.gif jbs.bin.exe File opened for modification \??\c:\program files\ConnectSubmit.ADTS jbs.bin.exe File opened for modification \??\c:\program files\GrantBlock.mpp jbs.bin.exe File opened for modification \??\c:\program files\ImportPop.vssm jbs.bin.exe File opened for modification \??\c:\program files\ResetHide.vsd jbs.bin.exe File opened for modification \??\c:\program files\StartInitialize.sql jbs.bin.exe File created \??\c:\program files\7mk2sc63-readme.txt jbs.bin.exe File opened for modification \??\c:\program files\UpdateUnlock.au3 jbs.bin.exe File opened for modification \??\c:\program files\SyncUnregister.docx jbs.bin.exe File opened for modification \??\c:\program files\MeasureUnblock.css jbs.bin.exe File opened for modification \??\c:\program files\UnprotectUnblock.emf jbs.bin.exe File created \??\c:\program files (x86)\7mk2sc63-readme.txt jbs.bin.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
jbs.bin.exepid process 3684 jbs.bin.exe 3684 jbs.bin.exe 3684 jbs.bin.exe 3684 jbs.bin.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
jbs.bin.exevssvc.exedescription pid process Token: SeDebugPrivilege 3684 jbs.bin.exe Token: SeTakeOwnershipPrivilege 3684 jbs.bin.exe Token: SeBackupPrivilege 1180 vssvc.exe Token: SeRestorePrivilege 1180 vssvc.exe Token: SeAuditPrivilege 1180 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\jbs.bin.exe"C:\Users\Admin\AppData\Local\Temp\jbs.bin.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:492
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1180