sodinokibi | 12096093901347150ac72d6c9c1cbacf4de7d6a51ef1ab4cddc06f85311dd8ab

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44e5f6b16ab566006f4d970662afc38e_JaffaCakes118.dll
Size

158KB
MD5

44e5f6b16ab566006f4d970662afc38e
SHA1

67f15baf34ecf32839c441adb55c309bbda173ac
SHA256

12096093901347150ac72d6c9c1cbacf4de7d6a51ef1ab4cddc06f85311dd8ab
SHA512

f5596ecf863ee98b550b86da3d5e560994dd23827170fec6aaa4dd515ee147d140a24671b35b814303bce4164729ea9d929a4345798997132a7e91aff4c1cf8f
SSDEEP

1536:/gAJlgaPladwnfzDcep9O3F7Pbi4eTMluxtXDCntTnICS4AEuzF8gM5iZQ1+mexx:3PwdkzDcC2Lbi4eTMlwDCnuzO/gQw1n

Score

10^/10

sodinokibi defense_evasion execution impact ransomware

Malware Config

Extracted

Path

C:\Users\v160g73-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion v160g73. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0A053683E59C34E1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/0A053683E59C34E1 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: RRy0L4zYLVhURSpiR9lYE18KAA2KAoIECAieNZdgBTTMowt4smdtdLQpt50iL6QN 4ZdLOtL+3TJecEY65fxixH0hhPS19XZcSxtJ55Lk3RjU0QLZ+ArY+rnmiwSduwVf f+AHk06E2p4YZUwIeGLr1oVg+0OLTSZj26hdWX14eH8VcQRjJ5wxbpuJ5hkOTQsZ ZIRgL0OtxLAJUIy6cEREw3UrnRrhpmUPEr0eLwSQIRRXycC9OLv6+qt+sQunzO5K nAKlZWRmksBrnZj613+7EfeJNWP8YBKXAhFxChrG5DxgOkBK3YIF7WQenCU2uZDB h1Lp8j3t4ndioH6do4nL+1Yuw5bUarB1Y80Fiyk2mbs+k02qHVagBXSHVNIxrV2H YaRhhorZjasPVtUG2eLuLfoGzjnrP+sqq8iglc44pK0Dz6xf6zCtoiYrFSaJ7A5x 2Pwo4FILNIXa3NZdqQ6h0eOem5h/F6SxiQf8PQZ5buVRvMpIykbdIUb9oEekZX6y zEBNVKhIJjZfp4ZIQ50vso4PHiGcaDquSXUTqCizDKJIfPJl1+jXG363ZnEsf1/6 wAWn96M2Jecn2eAWTRO5GBbGuBGVZhJU2Zi5tAJM1JLi8e6OvfKNidrIoo5Hs16s nKm5ttmucRHyTo+D2HAUjtlzMPUmdeItTPkiX2848Z64KrZXOCHyDIBA2EAEnYCw CEpZgigQcy3rf8WCYZH1/xpphffg3mJ0i+pxfNfLocrd3yuMSeNsfsWOxg54rMvN UuyWhOBkNcU0x31MKRJv/fBIBGKrFyyArv+4FGIC+EvzznpRXDFtDrctAS0hVhvB O0KYgt6ICpF34RKju+54igzbHv91L94NbHy/qzGWbxaERfKx/Ax1qIyapsaJwcEZ CpqhAESbVGm052afUN5TzAZNwZfXdbQ1NBkhlN6/K4CfWE+TN7gjyudDy1FSeSP1 mZoMsxGVQKRNjlQ6RXjlzbvd68MDZa4GfBC3SxsIbJu6x2QfbAQxh9+djEPMFIvE 2L/ZNp9JDytmPtxIaMiAB8/A1o3wqU3iGYBmCyzQxBAP3FCg+ej8wP4hitffbVNJ p5NvIiamST4mH5p1jae3pu2pxnMrfdS4ZHKX9Kor6pNm3qwonh30M/UkUL1fcTiB 8bCZmdeZK1a53STYQcLHyKu+Qz0nEb33IClAxg== Extension name: v160g73 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0A053683E59C34E1

http://decryptor.top/0A053683E59C34E1

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (1113) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\57d8acaf.lock	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\v160g73-readme.txt	rundll32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\v160g73-readme.txt	rundll32.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\57d8acaf.lock	rundll32.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\57d8acaf.lock	rundll32.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	rundll32.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\v160g73-readme.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\v160g73-readme.txt	rundll32.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\57d8acaf.lock	rundll32.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\57d8acaf.lock	rundll32.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\57d8acaf.lock	rundll32.exe
File created	C:\Program Files\Microsoft Games\More Games\v160g73-readme.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	rundll32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\57d8acaf.lock	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105232.WMF	rundll32.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\v160g73-readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\57d8acaf.lock	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\v160g73-readme.txt	rundll32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\57d8acaf.lock	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01143_.WMF	rundll32.exe
File opened for modification	C:\Program Files\RedoUnprotect.ttc	rundll32.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\meta-index	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Composite.thmx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpEvMsg.dll.mui	rundll32.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\v160g73-readme.txt	rundll32.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\v160g73-readme.txt	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\v160g73-readme.txt	rundll32.exe
File created	C:\Program Files\VideoLAN\v160g73-readme.txt	rundll32.exe
File created	C:\Program Files (x86)\Common Files\System\ado\ja-JP\57d8acaf.lock	rundll32.exe
File created	C:\Program Files\VideoLAN\VLC\locale\57d8acaf.lock	rundll32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\57d8acaf.lock	rundll32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\v160g73-readme.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086428.WMF	rundll32.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\v160g73-readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg	rundll32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\v160g73-readme.txt	rundll32.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\v160g73-readme.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01183_.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\it-IT\wab32res.dll.mui	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar	rundll32.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\TableTextService.dll.mui	rundll32.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\Sidebar.exe.mui	rundll32.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\v160g73-readme.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00369_.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00543_.WMF	rundll32.exe
File created	C:\Program Files\Windows Sidebar\de-DE\v160g73-readme.txt	rundll32.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui	rundll32.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\57d8acaf.lock	rundll32.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\57d8acaf.lock	rundll32.exe
File created	C:\Program Files\DVD Maker\de-DE\57d8acaf.lock	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF	rundll32.exe
File created	C:\Program Files\Windows Media Player\Visualizations\v160g73-readme.txt	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1780	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2988	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	276	vssvc.exe
Token: SeRestorePrivilege	276	vssvc.exe
Token: SeAuditPrivilege	276	vssvc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2988	2144	rundll32.exe	28
PID 2144 wrote to memory of 2988	2144	rundll32.exe	28
PID 2144 wrote to memory of 2988	2144	rundll32.exe	28
PID 2144 wrote to memory of 2988	2144	rundll32.exe	28
PID 2144 wrote to memory of 2988	2144	rundll32.exe	28
PID 2144 wrote to memory of 2988	2144	rundll32.exe	28
PID 2144 wrote to memory of 2988	2144	rundll32.exe	28
PID 2988 wrote to memory of 1972	2988	rundll32.exe	29
PID 2988 wrote to memory of 1972	2988	rundll32.exe	29
PID 2988 wrote to memory of 1972	2988	rundll32.exe	29
PID 2988 wrote to memory of 1972	2988	rundll32.exe	29
PID 1972 wrote to memory of 1780	1972	cmd.exe	31
PID 1972 wrote to memory of 1780	1972	cmd.exe	31
PID 1972 wrote to memory of 1780	1972	cmd.exe	31
PID 1972 wrote to memory of 1780	1972	cmd.exe	31

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44e5f6b16ab566006f4d970662afc38e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\44e5f6b16ab566006f4d970662afc38e_JaffaCakes118.dll,#1
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\v160g73-readme.txt

Filesize
6KB

MD5
d579ebc5ac7603676fc79027a5c9e230

SHA1
358c1eb45a2a6cf455fad14396af8cb67809bc9d

SHA256
a0a74a487f9cd6036dfd68ee6dc44278561b09d614197ca42e9f60fb5e7fc9d4

SHA512
c6dfe6723c6b205598a2ffd1a9b31e65f5ec3291b8591f800e9e9fd650ec218a93d9cbd80dc386cb399136075f2335c68c1dd27b4c8796950f348510ad14b185

Download Submit