sodinokibi | 997002d2e69d8b491d6bc9d9617add41fa8997b9add6f9b762f67972575ac616

General

Target

432762b33257f4141a6bba741df12acc_JaffaCakes118.dll
Size

166KB
MD5

432762b33257f4141a6bba741df12acc
SHA1

fad7158d984be89c9c02837ebee741605f878e83
SHA256

997002d2e69d8b491d6bc9d9617add41fa8997b9add6f9b762f67972575ac616
SHA512

8cf350107bb8e1a8c6e6bc58b84b8d1c3762104f019880a42cb57a32376a5e892d332acce171aa6fe0815ff53c952dd997eeaa42c151ae2d2cb0556f9e97630a
SSDEEP

3072:MJMawtnGqtWoKeZ9fh1CgnNto6jfyKON3+yugCr:Ww9vteqJggn7oUfeugq

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Users\51t90-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 51t90. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1F91C0DA2F241912 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/1F91C0DA2F241912 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: NYAkUbxQ+fktCiDS8pcr5FCMnHFRQGmJoQRSmyZxC9Yf2LQMFGzKc0A//kFj1Ua6 eIWH57u3Ppe8qJOq13CpqSow+8goRtzkOivMWHjVYnHChsEbFsje8A87RiWHXH7y V0Urmm3WOB//T7ikFHObZtF6LvOBOeu7TmC6DKMseTGzoU0UQy79REv4BQlAcsGs ieE0D17PfEHIE+ygua+lCAgmeRZ5pm29sDTEEycmwPqSA0oqyCAYSScVoX2zN9aW 4OEo+S08C9tCEOgABS+IOLWZTUX34e2I2vELkb1/KnWJmeOz3PikP0bvbbnzeSKW 4FWHo2avvPEt5TcPWSp4frTiAg/0Utkpe//C+GKf+ymEV1cfDlJ1XZ/YTV11Kq0M dxc5hdDgwgS1tSf17PmQ/bNlGItkRjk+Zvg1kzflmy9FVOru12hiI/44DpW0EnqG ZgBzPrbZCTLjNEgU57ucbVAulCUMS4kLjhTHO9NmosyfDrk/anWIciNyKaeQYqP9 i+iGBYk0whbJeZrsc1xibvmWHgfaBl8vnAf2pmfWKi4/P7+KL+wF+O8P3DvDcwYw 6pRYT1MiW/KsrOaoSXD6uGDzc/CNb4nhggeGTABAxoR0rYLOQeRkhK4/TRlq4FPl WwqZ/WM+5SVaG00cytcRvnlWYS8slfdqQBKuqujZVxIuluZb+ZUKvQHAwBkOUoSb P6MQXwixga3TU7nG+bs8OuBBTotliGmjIMpz8iFNfD4+3fvEmmMOvo84gxKKfc3a H15ph+S9em+zDIbWQRQhUZ0wfjWA/e2F6nkKJ2quYcUhcnkVyM+9W/TX9mKcEcDu uNv9FMW+9PbC7MKJRFdm+XHjpDZq0DUSk8SvwZb4gzDMkQNHYnTfz40lYABy1KxL zn21Epxpwgrxuiu2yPWFOvRY2ZQW3ZK/yzb0xHMOOTn+ccq9Yy66SscgW03lEfpD SjaoBnPJc2RTvuJxajeKepoO2aEybU25yiC4zZsK2bJNgoVV8mJ2cTUs0KoevHmz Dvo9dl2Uym+h4TCfzOdWtEwTB/SYg1f/BIM5lVGI0dDHOn0GGfogo2zFp5DYnTlG X1o0/mwLELt78PWkdYeX1ZoxZ/MFmHHSzNtKrcakyWmNgOQf/gTB+TkDQCaGqSvy m6/u5kmIpYD6mHj2mN3N65Z6m4SLOQgMGu2MnAAkVR4Xu2hd3JGgefwx1kbGdt1q UTNXH2QRdRkS5E6blXZgO9WCMbr1v5pZ+IU+NoQC8hbUzIHyC/Ve9sMC7qkOjkr7 vDfNVETeWoTssnVvVHWrSXfOKbhG3k7d7trDcm8bAwHh7EMCB2KCHki8Mgfl5qHl l6Qwa6wy6gaUnoTGNwJJdGxrL8CU53yrjxXPEGFVERtHQngi ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1F91C0DA2F241912

http://decryptor.cc/1F91C0DA2F241912

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\D:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\PublishJoin.jfif	rundll32.exe
File opened for modification	\??\c:\program files\SetGrant.eps	rundll32.exe
File opened for modification	\??\c:\program files\DisableShow.3gp2	rundll32.exe
File opened for modification	\??\c:\program files\ProtectAssert.tmp	rundll32.exe
File opened for modification	\??\c:\program files\AddSearch.xlt	rundll32.exe
File opened for modification	\??\c:\program files\DisableMerge.pcx	rundll32.exe
File opened for modification	\??\c:\program files\SuspendRead.mov	rundll32.exe
File opened for modification	\??\c:\program files\ExportReceive.vbe	rundll32.exe
File opened for modification	\??\c:\program files\JoinInstall.gif	rundll32.exe
File opened for modification	\??\c:\program files\UnpublishSend.eps	rundll32.exe
File opened for modification	\??\c:\program files\WaitTest.au	rundll32.exe
File created	\??\c:\program files\51t90-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\ConvertToUpdate.wma	rundll32.exe
File opened for modification	\??\c:\program files\FindCompress.wax	rundll32.exe
File opened for modification	\??\c:\program files\InvokeSubmit.TS	rundll32.exe
File opened for modification	\??\c:\program files\UseCompress.wav	rundll32.exe
File created	\??\c:\program files (x86)\51t90-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\BlockStep.vst	rundll32.exe
File opened for modification	\??\c:\program files\RegisterExit.xsl	rundll32.exe
File opened for modification	\??\c:\program files\SplitPublish.xhtml	rundll32.exe
File opened for modification	\??\c:\program files\HideOpen.htm	rundll32.exe
File opened for modification	\??\c:\program files\LimitSubmit.mp3	rundll32.exe
File opened for modification	\??\c:\program files\PublishRepair.pptx	rundll32.exe
File opened for modification	\??\c:\program files\SelectSwitch.css	rundll32.exe
File opened for modification	\??\c:\program files\SkipRename.mp4	rundll32.exe
File opened for modification	\??\c:\program files\CompareConvert.wma	rundll32.exe
File opened for modification	\??\c:\program files\ConvertReceive.svg	rundll32.exe
File opened for modification	\??\c:\program files\SaveStop.ogg	rundll32.exe
File opened for modification	\??\c:\program files\WatchApprove.bmp	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
556	rundll32.exe
556	rundll32.exe
4948	powershell.exe
4948	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	rundll32.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeBackupPrivilege	2764	vssvc.exe
Token: SeRestorePrivilege	2764	vssvc.exe
Token: SeAuditPrivilege	2764	vssvc.exe
Token: SeTakeOwnershipPrivilege	556	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 556	2268	rundll32.exe	83
PID 2268 wrote to memory of 556	2268	rundll32.exe	83
PID 2268 wrote to memory of 556	2268	rundll32.exe	83
PID 556 wrote to memory of 4948	556	rundll32.exe	90
PID 556 wrote to memory of 4948	556	rundll32.exe	90

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\432762b33257f4141a6bba741df12acc_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\432762b33257f4141a6bba741df12acc_JaffaCakes118.dll,#1
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4948

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\51t90-readme.txt

Filesize
6KB

MD5
09bb7fecde0d1fc9d3cbf0b49a979e0c

SHA1
48c55a7dfc39a064ab7fed0d4d4ab81d94c9907d

SHA256
cd856e5417f0454d4aee9af8c2c06a23bb9a621f6e024c71a5cd50083de6ead4

SHA512
b3d215a0395e51755454a42bd39bbc8aca371798a0b39a6234d675e2e26898cbec3a23a51485cab0306d96c8376696b1d99c117ded8a0d6e7d48d417f2070b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckpirc3t.iqu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4948-0-0x00007FF972D63000-0x00007FF972D65000-memory.dmp

Filesize
8KB

Download
memory/4948-6-0x000001F485570000-0x000001F485592000-memory.dmp

Filesize
136KB

Download
memory/4948-11-0x00007FF972D60000-0x00007FF973821000-memory.dmp

Filesize
10.8MB

Download
memory/4948-12-0x00007FF972D60000-0x00007FF973821000-memory.dmp

Filesize
10.8MB

Download
memory/4948-15-0x00007FF972D60000-0x00007FF973821000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing