~Dissecting Malware
f0wL's Blog about Malware Analysis and Reverse Engineering
~Dissecting Malware
GermanWiper's big Brother? GandGrab's kid ? Sodinokibi!

After last week's analysis on GermanWiper I thought it would be about time to have a Look at Sodinokibi aka REvil, the new weird kid on the block.


Background

According to Cybereason the Sodinokibi Ransomware was written by the same guys who created GandCrab, which is a pretty big deal after GandCrab retired recently. The samples that I'll be looking at today were first dropped in Asia, but it did not take long to reach other continents as well.

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.

Where I dug up the samples this time:

Sodinokibi #1 available @ https://malshare.com/sample.php?action=detail&hash=6cb6fda0b353d411a30c5b945e53ea52 sha256 bace25c1ec587d099b4c566b1a07978dd9cb3bd67c2acaa55d2e4644a7877070

Sodinokibi #2 available @ https://malshare.com/sample.php?action=detail&hash=7354af1a63f222ede4c9e0a6f84d57c2 sha256 2fea45f7be7c7313ee6e4fe7ad9ef64d9966a2391003a00dcbbd6214e9c522ef

Running Sodinokibi

Running it through VirusTotal we get a pretty good detection rate, but that is to be expected since REvil is around for a few days already. Here's a direct Link to the VT Analysis.


VT Analysis


Looking at Detect it easy we don't see anything special either. The PE seems to be built with MS Visual Studio 2015 (Linker Version 14).

Detect it easy - Info

Entropy-wise we can observe a huge drop near the end of the binary.

Detect it easy - Entropy

Running Sodinokibi


The imports definitely indicate that somethings is wrong here. Only loading kernel32.dll with 3 entries is a bit minimalistic for ransomware.


Running Sodinokibi


For one to get his/her Hands on the actual PE with an intact/complete IAT there are a couple of possible ways. Sergei Frankoff explained a very fast, but slightly "messy" Method on OALive. I'll try to replay this technique and plan to come back to this sample soon to try and script my way out of this hole.




Loading REvil into x32dbg

A dump of the strings in the binary file can be found here. Likewise a sample of the ransomnote dropped as a textfile by the malware is available here.

The Decryptor


Thanks to a businessman who shall remain nameless but decided to pay the ransom we can take a look at the Decryptor V1.3 as well. My feeling about this executable is, that it is being built to order rather than prepared in case a decryption is requested. The tool feels relatively unpolished because of the active debugging, no obfuscation or anti-evasion.

The GUI of the Decryptor


The Debug Console of the Decryptor


Running it through Detect it Easy there is nothing spectacular going on here. Consistent with the ransomware itself the decryptor was built with Visual Studio 2015 as well. Entropy-wise there are no surprises either at 4.64889.

Running Sodinokibi

OL4/y7znO6S6W7qPdbyz7S1iWvOlwRAz6y4Y0qL0+1g= 31869wv07x


IOCs

Sodinokibi / REvil Ransomware (SHA256)

bace25c1ec587d099b4c566b1a07978dd9cb3bd67c2acaa55d2e4644a7877070
2fea45f7be7c7313ee6e4fe7ad9ef64d9966a2391003a00dcbbd6214e9c522ef
ada9794bcc8e87af05f9982522e26f7ead3d1cb07bb76ce58fac1bf98e41cf53

URLs

httx://decryptor[.]top
httx://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion



TFW Ransomware is only your side hustle...

and you constantly have to apply for jobs. A partial analysis of the "GermanWiper" Ransomware

Today someone posted about a Ransomware attack on the local chat plaform Jodel (don't judge please, as you know the sketchy corners of the web get you the best samples :D) which instantly peaked my interest. What I got was this email and the two attached files. The two attached files Applicant Name - Lebenslauf Aktuell.doc.lnk and Applicant Name - Arbeitszeugnisse Aktuell.doc.lnk are made to look like Microsoft Office...

Read More
Picking Locky 🔓

Back in 2016 Locky was (one of) the first to commercialize the "art" of holding data for ransom. I picked this strain because I would like a bit more of a challenge in terms of obfuscation and anti-disassembly techniques, so strap in for this OG Ransomware

Locky (at least the first few versions) is said to be created by the makers of the Dridex/Cridex banking trojans. For example the spreading mechanism via macros in Word or Excel documents sent out via carefully crafted spear-phishing emails is exactly the same for both of these strains. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with...

Read More
Third time's the charm? Analysing WannaCry samples

After over two years since the inital spread of the ransomware and Malwaretechs sentencing last week I got a bit nostalgic and took a second look at different samples

Since the first wave of infections in May 2017 WannaCry is basically the goto example for the whole ransomware scheme and that is actually a good thing. The potential damage that WannaCry and the variants following the original version would have been massive if it wouldn't have been for Malwaretech, 2sec4u and all the other researchers who helped to contain the spread of ransomware powered by...

Read More
  • 2
  • 3

Receive Updates

ATOM

About me

DissectingMalwa.re Logo

Hey there! My Name is Marius Genheimer aka f0wL and I'm a Computer Science Student from Germany. As you can probably tell I like to analyse malware (especially Ransomware) in my spare time.

https://ransomware.email

A searchable database of E-Mail addresses used in Ransomnotes plus facts and analysis

"Security is #1 priority"

Key OpenPGP Key

Some of my Blogposts are listed on Malpedia, an invaluable resource for Malware Research. Check it out!

Malpedia