sodinokibi | 008d0c1a4e83a37d34c14993a6d76c18ae13c03ba54d12e1246fb1495a20e2a6

General

Target

612b61376219736601d49d2001645b30_JaffaCakes118.dll
Size

164KB
MD5

612b61376219736601d49d2001645b30
SHA1

86840cdd42c8aec339575a1d0e3fc784d3ad445c
SHA256

008d0c1a4e83a37d34c14993a6d76c18ae13c03ba54d12e1246fb1495a20e2a6
SHA512

1c48f5fba28504ae7e176053cf4ea127fb763e16aed7a34ee002a541072903e0fbf55f5090069da776030e0b153474948deced137d1b71152ac20adb7e15e728
SSDEEP

3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfamVw3O1:veoUeZR2TRCWQFfamme

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Users\28y7qg1913-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 28y7qg1913. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5356259464F878BE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5356259464F878BE Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: iRA0dhrUzKmRKS/ym0qmAIKgsyuW1l+99bRlZlcebvDYoEzfY6BDmlO/692tzQuT q6SaEiF7TGkgRoHzF546Dm+j1x6QjvJCQHoeN8QS3ig0yqMPV0D7jjZb/hlK469c 9MKSblLEo5XlJG+gOT6CU1Q6fJO2vo+OjPCNvR5NS7ltyb+OeYFEu/8dChiyEagX RwQNYoHQa8ivcekTDusSDLmDC+0HYRT1zJ0BQn+EKKivF2rCIIDRhrinUXLL8MY7 XHD8AwvCT9g1PcLoBDmtvUmWP4GglSEKkls/d1oTftky8FNNK2ockmpmBanTIcQV RCX/Xx2p/a++kLQWKxeGDF78E4QwRuCBGAl+xMj8fsXGAUo3UR4YmZxbrYVK2vu4 swnZ/odDNr9Oje2UADUDH+26ndkoQOar8Eh1IeoenKNo4eYheADjh2z8VVt3PDMc Hk0buobVyWwcUcRsLjC/cLtx/1KW2mxZvjUvxhW5uWdjuw0QyimxvXpFtEMx7CE5 10JtKTaGmC4aWrhQWYsF5fDRuMim4ZPCMOGyrRtQyMO1CFaIRXuxVUftLt6FmN/U f+xvAz9hBBzngMEmiCS+g7GaEBv1qf7zeaUF0OECg7Q1G3KJbDVjgmv7mTP9R3WK I+/WuJeqW0rNhhaOMK3K4Fp2DOy08hwXRwJkzeZ+Km3hOem4cK5r4Kw6cI6bIpz1 TpwYqzOoWYZc4x5fIAdPVM7TFTXXBHN8+OpUTX/fBFFjIVyPql58x61EE0U45nNc fQX11ta8RLHaHzSp57XfIC9engdtVaGYV7DCDceHy2CjbKhnVzIpcSGeVOdsz0m8 iqFAyJ0vbHgNqfUFmYIetGi5xexZbpSCyht1mn19oIWIEoOdVSGcttuSfRe2nR8x Pz/K1JpPnfJrsjhAoOGwT772OxiA3Hqvq71QmwaD8DNZzQFabZIzTt34Xp2VgCqg J03WnI5txTeg50SRBNCzgxqmqZPf9Q+lYKNoFsA/dsBAAMKkBVRJz7R6kpdY/FBo kLw6DF/Xp4AuGxA8zP5m9GHgWZZboynxICcxTw8WJHNYjGD2//zgtV7uCgYAWLya TQ7qIkBFw3VV7beqV6HNZoUcMH1+DlTpYuHZvMbCLdoiuPPzlTLpo29gTgdajuVj pHzvBqwcNjxgsPIOe6oQEbn7tJqJGzx4ThCXolI9zezS26uEqcI31fWNoV3fjikr 9IuBvAJ5BMm0vmbFA8ZeZmMeYs0= Extension name: 28y7qg1913 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5356259464F878BE

http://decryptor.cc/5356259464F878BE

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\D:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\RevokeOpen.odt	rundll32.exe
File created	\??\c:\program files (x86)\28y7qg1913-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\ClearConvertTo.asx	rundll32.exe
File opened for modification	\??\c:\program files\ConvertFromSync.mpg	rundll32.exe
File opened for modification	\??\c:\program files\GrantMerge.M2TS	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\28y7qg1913-readme.txt	rundll32.exe
File created	\??\c:\program files\28y7qg1913-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\EditSubmit.xhtml	rundll32.exe
File opened for modification	\??\c:\program files\UpdateBackup.htm	rundll32.exe
File opened for modification	\??\c:\program files\CompareSync.sql	rundll32.exe
File opened for modification	\??\c:\program files\SearchInitialize.otf	rundll32.exe
File opened for modification	\??\c:\program files\SelectSync.xlsm	rundll32.exe
File opened for modification	\??\c:\program files\FormatCheckpoint.css	rundll32.exe
File opened for modification	\??\c:\program files\SearchSplit.wmv	rundll32.exe
File opened for modification	\??\c:\program files\BlockSet.wmf	rundll32.exe
File opened for modification	\??\c:\program files\CompressReceive.pps	rundll32.exe
File opened for modification	\??\c:\program files\LimitMove.cr2	rundll32.exe
File opened for modification	\??\c:\program files\PushDisconnect.easmx	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\28y7qg1913-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\DebugSearch.emz	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\28y7qg1913-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\GetUnpublish.aifc	rundll32.exe
File opened for modification	\??\c:\program files\GroupRestart.wma	rundll32.exe
File opened for modification	\??\c:\program files\JoinExpand.mp2	rundll32.exe
File opened for modification	\??\c:\program files\OutTrace.vst	rundll32.exe
File opened for modification	\??\c:\program files\ResetPing.TTS	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	rundll32.exe
2132	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	rundll32.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeBackupPrivilege	2748	vssvc.exe
Token: SeRestorePrivilege	2748	vssvc.exe
Token: SeAuditPrivilege	2748	vssvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2316	2028	rundll32.exe	28
PID 2028 wrote to memory of 2316	2028	rundll32.exe	28
PID 2028 wrote to memory of 2316	2028	rundll32.exe	28
PID 2028 wrote to memory of 2316	2028	rundll32.exe	28
PID 2028 wrote to memory of 2316	2028	rundll32.exe	28
PID 2028 wrote to memory of 2316	2028	rundll32.exe	28
PID 2028 wrote to memory of 2316	2028	rundll32.exe	28
PID 2316 wrote to memory of 2132	2316	rundll32.exe	29
PID 2316 wrote to memory of 2132	2316	rundll32.exe	29
PID 2316 wrote to memory of 2132	2316	rundll32.exe	29
PID 2316 wrote to memory of 2132	2316	rundll32.exe	29

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\612b61376219736601d49d2001645b30_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\612b61376219736601d49d2001645b30_JaffaCakes118.dll,#1
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2132

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\28y7qg1913-readme.txt

Filesize
6KB

MD5
bd2dfb1c68d4471a3f9dadd28c1e37c3

SHA1
f2c9f28603e03ba78b7132e77adcd1bedec75cb7

SHA256
ffc6871acdaa6c62a0c9e49af759e0b7285f4c9e9aecc34e8addddcf7cf93832

SHA512
4fec9495b32b55eafa7d66badcba0a8e54c3624600e293b1829511218b47a83e7af643ad5c84b55ac4d79d6f72a8dd4d936aac1d98b269c6571778080398f59c

Download Submit
memory/2132-4-0x000007FEF4B5E000-0x000007FEF4B5F000-memory.dmp

Filesize
4KB

Download
memory/2132-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2132-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2132-7-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-8-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-9-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-10-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-11-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp

Filesize
9.6MB

Download
memory/2132-12-0x000007FEF48A0000-0x000007FEF523D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing