sodinokibi | 839ea289781fd3aff964d3f375f04a160148a65291673705958e0ad859370d0a

General

Target

99654b84500c9d0bb3caa977a17b37b5_JaffaCakes118.dll
Size

114KB
MD5

99654b84500c9d0bb3caa977a17b37b5
SHA1

73700b03f83c49aa70f05d55a3d32509c5ef4669
SHA256

839ea289781fd3aff964d3f375f04a160148a65291673705958e0ad859370d0a
SHA512

bc1ede3e3cee45054a5aa8bc01350e1dcc3809884af15de97312c6596d58d36958e96d742923ac02d7dd2942bc66a888e332bc17cfc4a778b649fdb0542a9ba7
SSDEEP

1536:t+UsJjrePaONg5khnnI5drFqgNNtrpNOxXICS4AR4YMPlpPlckW8MRUmjC1e:t0rLOiqhnufNNtdxvWZckFmuY

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\Users\jri3b3v3-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension jri3b3v3. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0587798E459FFB01 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/0587798E459FFB01 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: tJfVr0N6R481nAUTm39Dn5AP/uZpiKvoaJFTTXOqq7oibMtc7SZc9NPj+oJ4Bpj0 PQ8R62HNnpThqNrh8nHSESKpPQVt0v2kz1y0wNph16vfvVHzzNHC8zEPUWH2UM1U 5DUo1DyEpkCZpuXfZ8qSWv9ulWxkgHWIYZKIO60Rlum0O2/M4NB4V0+RGfN1e6bx YcPDvbrGAnsOkgCTVUrdT9MsE2NisCn9vm3tP7tyiW6TPXzH6k6Eh+Bqn8VhyB4f 6Ys/QS9VM7ugq3K0tyrwufcVKtQutsKdckK5xZkTOfMe4KcnvONulu4OjpS1spbh e//K4/K+ahK58e/3K7VvyRK864jw0dgacHgtWmMlm7Im5OtTQddnqxCig3DjD7aL sCP7uqVzJeOxBFnmYr5l+m5q1pRzPI4CMdY0HWpj2TZLptiNlBqg21VZcKi+eXwK elvxUMCYk9GRgPeUiJlcQFsyXG1MSfbDwYHczni0bOUxr/u5FLX/5bzthYPmNrUs XcFoK1tx8GMAaafmNELTtD0CsJSUvTXlEB5HZ1MtQAT1dF4Avs3bt042kCyklxl6 XPTgq/AmlIT+BmfbydqHOE/RwEB/OQ9DRGHkNZBvuzGAtpI3esNzEl3rZyTcLVmp GLXSYmzSr8sgggT05O8MwhPMXqzJ0JSQUcixjoQ+wY/5bbR9oC6naZMQENTvEZX4 +xmuNp3wvPPhkklTcuQ3YT203XreyI9t5UzIRp9NHzmz9vygnVCnzC76+VxcUn31 jNhqC6ULnZv/s7XsIBvnZYlukc7ZdO7yNedgbYaSYu7J/zpZ9SJ9mji9lwLTAFmq L9Mk1674CE1IMTwQfE3GklJAgf3ePi8n57u9cTabLIQuHmRlbUS4XTRKAqYGwrj5 +8lLGbObRtcGtmbxg+P5ZJdCV6dft34J47gtbQ6Eiqmso4KRVymU5RM7ilsAbmUM 3pl1qBBYs5C0jQrXhJ/Cip55OBvlkd+1GKFcLxdiEHPgLs7oNhWzacn7aP5CbSOq qcdorfqlsTTk/I4LTEE1IRGRtMDx0/yc16PHdzibBLmK1vCyfnadtb/5yif4ia/R xzrIgUmXR3CL+h+H5E+zuBAxtC3jJ2cTRyL/E/faxT/GnLtnnbfqiTlbohlg4i/c RBSYY63irBURqqJlSPk+lVNzDerR/5S0dsLFDnL1sgjfHybguxaGseJepVCAGjS2 QxEAotYpHJNnpCFNwOM1piX6wLrlB3gCANxOa6hQvX7SQCpktaqah/xlCW2KzrXM PJPYzWyXEc98N5/mVkuIVgGMccsapEEa90DtD1/yJyeCzBoCV3IvdRJeJrFxELUK u+uXkgVMjN0jmEoiLpCRHIIl+GG2q0inQu902wQ+Aw5uyFDO ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0587798E459FFB01

http://decryptor.cc/0587798E459FFB01

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\D:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	\??\c:\program files\jri3b3v3-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\ApproveDisable.7z	rundll32.exe
File opened for modification	\??\c:\program files\AssertClear.xml	rundll32.exe
File opened for modification	\??\c:\program files\CopyAdd.mp3	rundll32.exe
File opened for modification	\??\c:\program files\DisableBackup.tiff	rundll32.exe
File opened for modification	\??\c:\program files\SelectRequest.htm	rundll32.exe
File opened for modification	\??\c:\program files\BlockConnect.rtf	rundll32.exe
File opened for modification	\??\c:\program files\DisconnectConnect.emz	rundll32.exe
File opened for modification	\??\c:\program files\RenameInvoke.raw	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\jri3b3v3-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\AssertStop.xlsm	rundll32.exe
File opened for modification	\??\c:\program files\MountSearch.mp2v	rundll32.exe
File opened for modification	\??\c:\program files\UndoInvoke.wma	rundll32.exe
File opened for modification	\??\c:\program files\WaitRead.mov	rundll32.exe
File opened for modification	\??\c:\program files\WatchRestore.snd	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\jri3b3v3-readme.txt	rundll32.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\jri3b3v3-readme.txt	rundll32.exe
File created	\??\c:\program files (x86)\jri3b3v3-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\CloseDismount.mpeg2	rundll32.exe
File opened for modification	\??\c:\program files\CompleteTest.ppt	rundll32.exe
File opened for modification	\??\c:\program files\MountOpen.i64	rundll32.exe
File opened for modification	\??\c:\program files\RevokeMeasure.mov	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2164	rundll32.exe
2940	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	rundll32.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeBackupPrivilege	1744	vssvc.exe
Token: SeRestorePrivilege	1744	vssvc.exe
Token: SeAuditPrivilege	1744	vssvc.exe
Token: SeTakeOwnershipPrivilege	2164	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2352 wrote to memory of 2164	2352	rundll32.exe	28
PID 2164 wrote to memory of 2940	2164	rundll32.exe	29
PID 2164 wrote to memory of 2940	2164	rundll32.exe	29
PID 2164 wrote to memory of 2940	2164	rundll32.exe	29
PID 2164 wrote to memory of 2940	2164	rundll32.exe	29

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\99654b84500c9d0bb3caa977a17b37b5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\99654b84500c9d0bb3caa977a17b37b5_JaffaCakes118.dll,#1
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2940

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\jri3b3v3-readme.txt

Filesize
6KB

MD5
0d2e58af07e6a44644edbf22b72c2f3e

SHA1
033584cb3f54254284bee182a920314062265eb9

SHA256
5873b05cee622e13bc4b76e8f1e53e94231d57816f7df17f18bc193380b9fe08

SHA512
05c0ef3e5973fdc15d60394f3417f466584dcb942b89dc92a296def3175d67916378532b60c1975a91f4286b90e57b085c4424ed69eb339630c70b520421cbd4

Download Submit
memory/2940-4-0x000007FEF5F9E000-0x000007FEF5F9F000-memory.dmp

Filesize
4KB

Download
memory/2940-5-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2940-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2940-7-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-8-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-9-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-10-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-11-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-12-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing