Sodinokibi Analysis Process






The malware unpacks itself several times, allocating virtual memory with "VirtualAlloc" and decoding the code it will run there, in order to complicate the analysis process. It has to allocate a new region in the process memory and fill it with the code whose task is to overwrite the mapped image of the original file with the actual malware payload. In this case, the process first sets aside space on the stack via "LocalAlloc", marks this area as executable with "VirtualProtect" and finally redirects the flow of execution to the new memory area.





It tries to hide the "Kernel32.dll" library during analysis.



Some APIs that draw our attention:
CreateFileW, LoadLibraryW, GetStartupInfoW, GetCommandLineW, CreateMutexA, DeleteFileA, GetWindowsDirectoryW, GetProcAddress, WriteFile, FindFirstFileExW

GetWindowsDirectoryW returns the path of the Windows directory on the system the malware is running on (c:\windows\), and the malware uses it to decide which directory to copy.

CreateMutex (Kernel32.dll): The following commands are executed on the target system before encryption is performed.

"C:\WINDOWS\system32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures"

Together with the PowerShell command below, this deletes the shadow copies and disables the Windows recovery and repair options.



powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==

Decoded: “Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}”
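
The following is an added example, not part of the original analysis or of the malware's code: a small Python check that decodes a PowerShell "-e" argument (Base64 over UTF-16LE) and flags the recovery-tampering commands quoted above. The rule names, function names and the benign sample line are assumptions made for illustration.

```python
import base64
import re

# Command lines quoted in this analysis, plus one benign line constructed for contrast.
VSS_CMD = (r'C:\WINDOWS\system32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet'
           r' & bcdedit /set {default} recoveryenabled No'
           r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures')
PS_CMD = ('powershell -e '
          'RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==')
BENIGN_CMD = r'C:\WINDOWS\system32\cmd.exe /c vssadmin.exe List Shadows'  # constructed

# An option starting with "e" followed by a Base64-looking token.
ENC_ARG = re.compile(r'\s[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})', re.I)

# Hypothetical rule names; each pattern mirrors one command shown on this page.
RULES = {
    'vssadmin_delete_shadows': re.compile(r'vssadmin(\.exe)?\s+delete\s+shadows', re.I),
    'bcdedit_recovery_disabled': re.compile(r'bcdedit.*recoveryenabled\s+no\b', re.I),
    'bcdedit_ignore_boot_failures': re.compile(r'bcdedit.*bootstatuspolicy\s+ignoreallfailures', re.I),
    'wmi_shadowcopy_delete': re.compile(r'win32_shadowcopy.*delete\s*\(', re.I),
}

def decode_encoded_command(cmdline):
    """Return the decoded script of a PowerShell -EncodedCommand argument, or None."""
    for m in ENC_ARG.finditer(cmdline):
        name = m.group(1).lower()
        # Accept abbreviations such as -e, -enc and -ec; skip e.g. -ExecutionPolicy.
        if name != 'ec' and not 'encodedcommand'.startswith(name):
            continue
        try:
            # PowerShell encodes the script as UTF-16LE before Base64.
            return base64.b64decode(m.group(2), validate=True).decode('utf-16-le')
        except (ValueError, UnicodeDecodeError):
            continue
    return None

def recovery_tamper_hits(cmdline):
    """Sorted names of the rules matched by the command line or its decoded payload."""
    text = cmdline + '\n' + (decode_encoded_command(cmdline) or '')
    return sorted(name for name, rx in RULES.items() if rx.search(text))

if __name__ == '__main__':
    for line in (VSS_CMD, PS_CMD, BENIGN_CMD):
        print(recovery_tamper_hits(line), '<-', line[:60])
```

Matching on the decoded payload as well as the raw command line is what lets the WMI-based deletion be caught even though nothing readable appears in the process arguments.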

The extension of encrypted files is replaced with a random one: "." + 5-10 alphanumeric characters. The keys to be used during the encryption process and the extension are saved under “hklm/SOFTWARE/GitForWindows”.


Sections extracted in the configuration file:


Extracted ransomware message:



Command and Control Links: In the configuration file we have extracted, the 'Dmn' section contains the domain names to which the malicious connection will be established.


Ransomware message: After encryption, this ransomware renamed all files on the system with a random 7-character extension. Below is a screenshot of the ransomware message displayed after the infection.


Sodinokibi takes advantage of many critical vulnerabilities, including a Windows vulnerability (CVE-2018-8453). This vulnerability exists in the “win32k.sys” component.

IOC:


Please feel free to submit your suggestions: joefreedy@protonmail.com

