Malware Analysis Report

2024-10-19 10:36

Sample ID 230503-r62g3sgh5z
Target 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.zip
SHA256 1204391f97b3ca1145b15689fe2185ac4b7aaee7c7108072f00b2efa42638174
Tags
ransomware sodinokibi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1204391f97b3ca1145b15689fe2185ac4b7aaee7c7108072f00b2efa42638174

Threat Level: Known bad

The file 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.zip was found to be: Known bad.

Malicious Activity Summary

ransomware sodinokibi

Sodinokibi family

Sodinokibi/Revil Elf

Reads CPU attributes

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-03 14:49

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil Elf

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-03 14:49

Reported

2023-05-03 14:49

Platform

ubuntu1804-amd64-20221111-en

Max time kernel

3s

Max time network

4s

Command Line

[/tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf]

Signatures

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online pkill N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/78/cmdline pkill N/A
File opened for reading /proc/4/cmdline pkill N/A
File opened for reading /proc/19/cmdline pkill N/A
File opened for reading /proc/26/status pkill N/A
File opened for reading /proc/34/status pkill N/A
File opened for reading /proc/36/cmdline pkill N/A
File opened for reading /proc/28/status pkill N/A
File opened for reading /proc/407/cmdline pkill N/A
File opened for reading /proc/593/status pkill N/A
File opened for reading /proc/1/status pkill N/A
File opened for reading /proc/21/status pkill N/A
File opened for reading /proc/169/status pkill N/A
File opened for reading /proc/191/status pkill N/A
File opened for reading /proc/362/status pkill N/A
File opened for reading /proc/1/cmdline pkill N/A
File opened for reading /proc/81/cmdline pkill N/A
File opened for reading /proc/82/cmdline pkill N/A
File opened for reading /proc/355/status pkill N/A
File opened for reading /proc/583/status pkill N/A
File opened for reading /proc/8/status pkill N/A
File opened for reading /proc/25/cmdline pkill N/A
File opened for reading /proc/115/status pkill N/A
File opened for reading /proc/166/status pkill N/A
File opened for reading /proc/368/cmdline pkill N/A
File opened for reading /proc/344/status pkill N/A
File opened for reading /proc/424/cmdline pkill N/A
File opened for reading /proc/31/cmdline pkill N/A
File opened for reading /proc/36/status pkill N/A
File opened for reading /proc/80/cmdline pkill N/A
File opened for reading /proc/155/cmdline pkill N/A
File opened for reading /proc/164/status pkill N/A
File opened for reading /proc/19/status pkill N/A
File opened for reading /proc/30/cmdline pkill N/A
File opened for reading /proc/154/cmdline pkill N/A
File opened for reading /proc/344/cmdline pkill N/A
File opened for reading /proc/362/cmdline pkill N/A
File opened for reading /proc/428/status pkill N/A
File opened for reading /proc/563/cmdline pkill N/A
File opened for reading /proc/5/status pkill N/A
File opened for reading /proc/7/cmdline pkill N/A
File opened for reading /proc/79/status pkill N/A
File opened for reading /proc/159/cmdline pkill N/A
File opened for reading /proc/162/status pkill N/A
File opened for reading /proc/16/status pkill N/A
File opened for reading /proc/26/cmdline pkill N/A
File opened for reading /proc/594/status pkill N/A
File opened for reading /proc/2/cmdline pkill N/A
File opened for reading /proc/32/cmdline pkill N/A
File opened for reading /proc/161/cmdline pkill N/A
File opened for reading /proc/167/cmdline pkill N/A
File opened for reading /proc/191/cmdline pkill N/A
File opened for reading /proc/428/cmdline pkill N/A
File opened for reading /proc/582/cmdline pkill N/A
File opened for reading /proc/586/cmdline pkill N/A
File opened for reading /proc/22/cmdline pkill N/A
File opened for reading /proc/24/status pkill N/A
File opened for reading /proc/82/status pkill N/A
File opened for reading /proc/347/cmdline pkill N/A
File opened for reading /proc/427/cmdline pkill N/A
File opened for reading /proc/85/cmdline pkill N/A
File opened for reading /proc/160/status pkill N/A
File opened for reading /proc/220/cmdline pkill N/A
File opened for reading /proc/10/status pkill N/A
File opened for reading /proc/18/cmdline pkill N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.Test-unix/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/.ICE-unix/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timedated.service-IAjiNi/tmp/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A N/A
File opened for modification /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO/tmp/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/netplan_6lzywoh5/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/.XIM-unix/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timedated.service-IAjiNi/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/.font-unix/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/.X11-unix/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A
File opened for modification /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp/tmp/qoxaq-readme.txt /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf N/A

Processes

/tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf

[/tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf]

sh

[sh -c uname -a && echo " | " && hostname]

uname

[uname -a]

hostname

[hostname]

sh

[sh -c uname -a && echo " | " && hostname]

uname

[uname -a]

hostname

[hostname]

sh

[sh -c pkill -9 vmx-*]

pkill

[pkill -9 vmx-*]

sh

[sh -c esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | awk -F "\"*,\"*" '{system("esxcli vm process kill --type=force --world-id=" $1)}']

awk

[awk -F "*,"* {system("esxcli vm process kill --type=force --world-id=" $1)}]

Network

Files

/tmp/.Test-unix/qoxaq-readme.txt

MD5 fa16f8fe9bfae53621cc729aad65b5dc
SHA1 b12944c1673a9c7592a2420e6ba5f06721e0e380
SHA256 d71419b19aa480db5785d069335cbdeec49acfba1d18b9bf916f177315c10e97
SHA512 7862096e561b352f80d26ce9694bf50a1756106660fda6528f09a343d56f3dc314726254cec7e78de2a62f76c63e57310aa2437615c0593b89e9d1caaa3d8677