Overview

overview

10

Static

static

10

2024-07-01...nokibi

ubuntu-24.04-amd64

10

Analysis

  • max time kernel
    0s
  • max time network
    132s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
  • submitted
    01-07-2024 09:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-01_707009f5555115354ccb5a3b759e7a69_revil_sodinokibi

  • Size

    102KB

  • MD5

    707009f5555115354ccb5a3b759e7a69

  • SHA1

    40d8a0b3970ce4ccb2ec2b165c5253708ee928ca

  • SHA256

    11fd806cd4c320bca9dc958b2dac04e43691242421db878f266a9a5b09e12240

  • SHA512

    fd1d419377dfddc15c4dbf3c493e7dee33d8b4fef5cc510694f8f4bb263953f08d8464a6bcabbeb367b048e9a8237eb6191751a9e83ecd9ea3eabb780bc60ac7

  • SSDEEP

    3072:db+XoBHfYu9gggwgggwgggwgggwgggfk+LoS:dpkvo

Score
10/10
ransomware

Malware Config

Extracted

Path

/tmp/systemd-private-b594e7bbd978436eb43cb4aab7472fe8-systemd-oomd.service-RQPTru/tmp/rhkrc-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension rhkrc. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B65CB189B65CB189 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/B65CB189B65CB189 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: cpbYKMf7bb22oweXHnCNK///QYb/ArjDZlnITk2xCeqbsJzr6H1oagj/WBps6B20DPQ3cr7LbptZSmAhEKuNVDEkEWRzUw+XIMtpFrv8vob57+8gB93ZhbgkTvGoHOItIi9ZbDLbU6dYlwz6fjjLQla8aRmi9zzhebQRUGZTl/m1u0sTj5OmauPlxrskt3PjYBHKzXpn1T4O/LuCjcwMcOELlCflh00snut/Z/xKOQ6SgHQ8NCpMRbbt/hjatTpMY+ob2edBzgIe/iW0dJSUUjfIsq+/tbkyCadXmpj4SrLHSz+0wm9zeoVy9FT4/MVSyuHPKKDJY2i8FWF7xB3ffj49FsRiPtWq8/Kbwh9EXefCrRHaiD1LRso1x+8hQPG34cKgDySlesalKveHUDKbZYE8adavzEZLT/kJZVZ7uI4YYxwyVQgil5juJikki31iYqgSLpwtQxQg1+mcZu+jR88lNunyGKw6ZxEYU8TJdtG/GkT7jSaSEtnLeqkO ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B65CB189B65CB189

http://decoder.re/B65CB189B65CB189

Signatures

  • Manipulates ESXi 2 IoCs

    Manipulates ESXi.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes 1 TTPs 1 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 29 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/2024-07-01_707009f5555115354ccb5a3b759e7a69_revil_sodinokibi
    /tmp/2024-07-01_707009f5555115354ccb5a3b759e7a69_revil_sodinokibi
    1⤵
    • Writes file to tmp directory
    PID:2818
    • /bin/sh
      sh -c -- "uname -a && echo \" | \" && hostname"
      2⤵
        PID:2820
        • /usr/bin/uname
          uname -a
          3⤵
            PID:2821
          • /usr/bin/hostname
            hostname
            3⤵
              PID:2822
          • /bin/sh
            sh -c -- "uname -a && echo \" | \" && hostname"
            2⤵
              PID:2823
              • /usr/bin/uname
                uname -a
                3⤵
                  PID:2824
                • /usr/bin/hostname
                  hostname
                  3⤵
                    PID:2825
                • /bin/sh
                  sh -c -- "pkill -9 vmx-*"
                  2⤵
                    PID:2826
                    • /usr/bin/pkill
                      pkill -9 "vmx-*"
                      3⤵
                      • Reads CPU attributes
                      • Enumerates kernel/hardware configuration
                      • Reads runtime system information
                      PID:2827
                  • /bin/sh
                    sh -c -- "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}'"
                    2⤵
                    • Manipulates ESXi
                    PID:2828
                    • /usr/bin/awk
                      awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}"
                      3⤵
                      • Manipulates ESXi
                      PID:2830

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/systemd-private-b594e7bbd978436eb43cb4aab7472fe8-systemd-oomd.service-RQPTru/tmp/rhkrc-readme.txt
                  Filesize

                  2KB

                  MD5

                  eec42767fc01f25c4b484af107d0f8fd

                  SHA1

                  9bbeab594f82074612d9d01efd2db055406170f5

                  SHA256

                  d67f5a64cc15fe05eadf0998deaa80362b9a08a0f81661bd5da86c6d4600c403

                  SHA512

                  f398584f3712faa81742ec0ed33722f33f07661fbdf3620d483551533d5568cca88ea9da911a66fc4b6b657ab4b91dacf5b30c8394b1d49d8d11fc4352af6aae

                  Download Submit