sodinokibi | d976a41f366fb1e3a0a5d15878d84e24704949973d9e0ccead9a779dee03ef0f

Resubmissions

18-09-2024 11:32

240918-nnmz7azakp 10

15-09-2024 12:50

240915-p21c4svflm 10

15-09-2024 12:44

240915-pysh4atflf 10

15-09-2024 12:04

240915-n83ldatdpl 10

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
Size

165KB
MD5

e2708d3c57b562b01da42f9e7549781f
SHA1

3d82951dbfab5629187b26ecb7388b7a05597f67
SHA256

d976a41f366fb1e3a0a5d15878d84e24704949973d9e0ccead9a779dee03ef0f
SHA512

c483968f981e64021025bf4f42424df3cfb88a55bd4cb7f2aa904515eccb85e239c3d44812b28d5b617b6b8476dcc3f4258465a211ae6e6725adbf1850234619
SSDEEP

3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NaxohzDKMlt:lw02sJPi7O93N3FHlt

Score

10^/10

sodinokibi discovery ransomware

Malware Config

Extracted

Path

C:\Users\s7k82s16-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. CDHFUND. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension s7k82s16. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D761E04F4E92FC72 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/D761E04F4E92FC72 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 6iV3MEj0WMEDH2Ef419MB7nLo1O+G89Wdx6FgIvunDdGxSJ+pnt030vqGYjrqb0n 3KvVpy4Yl9xEFytrR2DjCjy2aju+PGDrbJg6URVNd1hO4DwBBOfgSdm/dpPwvuWp FN4/TsH1WG0NXTHjFkGQpl1gnGbFxIi6cfnfD2ZOL5SW3D//JIyutJ3CLJENHDKb szr0rPGqYCc6+mqZaWPQ5PONI72qjYKAeK1srMreZqTwIQHR3ESbBkUN0IUWu0h8 IoNYlTHntSJo39ZoES58piTO6Duaob9XidQNLzsVu8Id8A73duWPCqzY9vQegMYB pchfVUB3IM8uXOS8GsR9xURv8+t1a5RoDkBewODBJcNkZO/YKxPygkyL5wjavHJh dQc+mEkA8i2aWFpktsckpsXCxCWrtg0kAqY2+xxUKpgXvTCoYm/2UrPnQ31izZ5u J9KOjVS22psuctunBEN8UcaCurD0HJD/M//l4Eo+UHy3u8d1l7QhPvPyw8BoFmNT sQCp4sxVNL9FeSyU7Tidg99nDQmlHo5XfDQYv0QjEekYNUXS2yH8/cVX4VR/OLz0 mgZM4Ds2L8T+/Rzw44lyAyfTREjBQSfF1ltvKawmKX2QCv/9H2l9HAQLD5LwFEIL 18woFja8Q2IivvGxJJ3lSuyUndztHBG7ae17YQKpnXqJa0nV/tOooJcmssAx4yf4 CJVYKYpTm7IAJ5m/2UntCKqYox/lLqe2E9ILyAGKc6MKrf33e5kUkJWRr1X8rFKk y4SGIccXwh1S/SjBBs8AVoVkRC+wq7CyIVisY0EmfG8XPGolyzburo6Y7VQY9n4H fa2akFEej9+OuZ+w86iYV2xQIhEb7Kl31fmc0B+d4FdEGWMToemWsL0NCHh60gj2 W8x9LxAjhhs2ycVH4yiHtmLCzbrrg9sDqNwfjfMuwpinUkzPwuEii8wumC8EGMC+ PUD/OzepvqGWKGCuUFY3QnCx4tf/u3wFQOl/5cd3d0H0U9xyv3WEHmFTCCt0AGy3 AJ7IxicKMbzdeYRj/d0PhY3zyUBm0gVHAYzALMxfzAOQuvOQUo7FzVYSx2W3Ejh1 4PBgahbMMZwdp/KR5vMEDc7G9yNuwFUJ3w88STiAOq2QJf9iPKu+egu0eR4fyo+c N2FDATNcMPNmt2dVD/5HBy/XX7Pqv2Tv+1qGVKmYJW2rT43TUCpzRM6neiF859aR nDFMQf3nVWlsem/HhOnpVw== Extension name: s7k82s16 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D761E04F4E92FC72

http://decryptor.top/D761E04F4E92FC72

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\N:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\Q:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\W:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\O:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\A:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\K:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\L:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\S:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\Z:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\D:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\B:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\E:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\M:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\V:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\F:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\H:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\I:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\R:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\G:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\P:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\X:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\J:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\U:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened (read-only)	\??\Y:	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36y5redxkx0.bmp"	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\s7k82s16-readme.txt	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SyncShow.vssm	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\TestSplit.raw	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MergeApprove.reg	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ProtectShow.mpeg2	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SkipOut.001	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SwitchAssert.ppt	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\s7k82s16-readme.txt	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AssertDebug.dotm	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ProtectClose.au3	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ReceiveRestart.TS	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RenameClose.xls	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SearchUnpublish.i64	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SyncUnpublish.rtf	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File created	\??\c:\program files\s7k82s16-readme.txt	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DisconnectEdit.jfif	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DisconnectUnlock.gif	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RestoreFormat.jpeg	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\WaitUnpublish.wps	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\s7k82s16-readme.txt	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DisableRedo.mhtml	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EnterExit.php	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PingResume.css	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PushSubmit.vb	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ReadClear.vsd	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ReceiveUnlock.rmi	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DebugMerge.vdx	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PushWait.xps	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\SuspendRemove.css	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\BackupProtect.xht	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CopyShow.odp	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MeasureComplete.m4v	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RevokeSend.3g2	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\AssertSave.jpeg	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\WritePop.gif	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\s7k82s16-readme.txt	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2856	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
2036	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeBackupPrivilege	2588	vssvc.exe
Token: SeRestorePrivilege	2588	vssvc.exe
Token: SeAuditPrivilege	2588	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2036	2856	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe	31
PID 2856 wrote to memory of 2036	2856	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe	31
PID 2856 wrote to memory of 2036	2856	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe	31
PID 2856 wrote to memory of 2036	2856	e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe	31

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2708d3c57b562b01da42f9e7549781f_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\s7k82s16-readme.txt

Filesize
6KB

MD5
767297732b60308c025c0c1804ffce4c

SHA1
4669f6db0dd2253658da612bf5fae52aa5cefe02

SHA256
7895cc081181fd646b806f2525d3cb25098e7f8f6c8c149363a503743b45ba82

SHA512
064de7c9684d423249045fcce3680211604e5da620e0103bfd46f3b90245261435ff35e930b6518f9d571c12a19179ccc420382beb487087f185cec39c19f0ab

Download Submit
memory/2036-4-0x000007FEF515E000-0x000007FEF515F000-memory.dmp

Filesize
4KB

Download
memory/2036-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2036-6-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2036-7-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-8-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-9-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-10-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-11-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download