Overview

overview

10

Static

static

10

2024-07-01...nokibi

ubuntu-24.04-amd64

10

Analysis

  • max time kernel
    0s
  • max time network
    34s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
  • submitted
    01-07-2024 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-01_73041d7b9a93d3cda76e2a052ac02e82_revil_sodinokibi

  • Size

    102KB

  • MD5

    73041d7b9a93d3cda76e2a052ac02e82

  • SHA1

    f995852f291e2c946e15d20d020bb8e8defd317f

  • SHA256

    776ea636ee33aab6b2db5f46889b027c297280db37400efb091e0d4a9001a7d7

  • SHA512

    6f430874949362bf2d9d29153c0f9d0e5c53ea7bf69a44cf14c2627981d87ff0ad45fb12c26223dc33ceebf57b6113db37e347b2b4b2fa7ac037a63edc209371

  • SSDEEP

    3072:db+XoBHfYu9gggwgggwgggwgggwggg2k+LoS:dphvo

Score
10/10
ransomware

Malware Config

Extracted

Path

/tmp/systemd-private-2f7dc25f32a041608470b3e794ff7c76-systemd-resolved.service-0xCfsI/tmp/rhkrc-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension rhkrc. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5BA9C4E55BA9C4E5 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/5BA9C4E55BA9C4E5 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: w5Zh1mssFhCSYtoJwJybxpsU0UpV0+p8rjbCpZSjdZv4sl3t+PyP/BEn1tGj/SnGIXeF6DrrvesGt+3Xnep2CS+YW9njFdHaur9GaK6iT7VBEmHIv+4pw1bwa3ZMk0op00vqJVwiyij0iuj+OhL03/hSQ1BNxtJcMxnE8w4ctWQTMSFTv8+fNQGDRwdaJa0wnqHXrHdxZ6GccOt95tgnpi8MEHWW8YWJcEsvhGXseOlwrVbgCo7d+3lqv33EHo64C1AzlBYlKV4mDsd3Xvm9oUzzxlfMVBdVHClehW2W4oC+SV1zDFx9kVgdgfYrcXG+rowiipd9eeGZAi764/5Wc2HTJWcIKVmP3bkINO7Mn8BuoElokg/c9J25FakpahzRCgxNyf/TYMeWqkKMa/tL4G/g6NjUgavUi5CTQmkPuEWWSefnI7ddaaoCZCJOo7w1s4K8SHJ8ql0UfkItsS72kdSQCyo8cGknbm8EwIF0ByuwrTycgWwZirEkGvjA ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5BA9C4E55BA9C4E5

http://decoder.re/5BA9C4E55BA9C4E5

Signatures

  • Manipulates ESXi 2 IoCs

    Manipulates ESXi.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes 1 TTPs 1 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/2024-07-01_73041d7b9a93d3cda76e2a052ac02e82_revil_sodinokibi
    /tmp/2024-07-01_73041d7b9a93d3cda76e2a052ac02e82_revil_sodinokibi
    1⤵
    • Writes file to tmp directory
    PID:3646
    • /bin/sh
      sh -c -- "uname -a && echo \" | \" && hostname"
      2⤵
        PID:3648
        • /usr/bin/uname
          uname -a
          3⤵
            PID:3649
          • /usr/bin/hostname
            hostname
            3⤵
              PID:3650
          • /bin/sh
            sh -c -- "uname -a && echo \" | \" && hostname"
            2⤵
              PID:3651
              • /usr/bin/uname
                uname -a
                3⤵
                  PID:3652
                • /usr/bin/hostname
                  hostname
                  3⤵
                    PID:3653
                • /bin/sh
                  sh -c -- "pkill -9 vmx-*"
                  2⤵
                    PID:3654
                    • /usr/bin/pkill
                      pkill -9 "vmx-*"
                      3⤵
                      • Reads CPU attributes
                      • Enumerates kernel/hardware configuration
                      • Reads runtime system information
                      PID:3655
                  • /bin/sh
                    sh -c -- "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}'"
                    2⤵
                    • Manipulates ESXi
                    PID:3656
                    • /usr/bin/awk
                      awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}"
                      3⤵
                      • Manipulates ESXi
                      PID:3658

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • /tmp/systemd-private-2f7dc25f32a041608470b3e794ff7c76-systemd-resolved.service-0xCfsI/tmp/rhkrc-readme.txt
                  Filesize

                  2KB

                  MD5

                  0c415f3fcceb2b958692701e59e93ac1

                  SHA1

                  40098bf07bd0bb8bac95f0c6f184f0b286a17c25

                  SHA256

                  d46966fc0e607814c372a81ee8ae327476955be6b3b79e24a10455e9a03ef36f

                  SHA512

                  02bee19cdbe5af0f5ba5878db1998c17f0c413ce41f2160cd8977413bd0027404071781fe197f1c23cf434c623d8796feb37ed860bc56f289d301d1f1f5d2910

                  Download Submit