Get Started. It's Free
or sign up with your email address
sodinokibi by Mind Map: sodinokibi

1. Malpedia

1.1. REvil (Malware Family)

2. Hybrid-Analysis

2.1. Free Automated Malware Analysis Service - powered by Falcon Sandbox

3. Wireshark

3.1. Print no Drive

4. Compilador/Packer

4.1. Packer ->

4.1.1. NA

4.2. Compiler ->

4.2.1. Scan NFD: Visual C/C++(19.00.24215)

4.3. Linker ->

4.3.1. Scan DIE: Microsoft Linker(14.0, Visual Studio 2015)

4.4. MIME

4.4.1. application/vnd.microsoft.portable-executable

5. Hash

5.1. MD5

5.1.1. 1ff591e2e37178684b73926816ea758c

5.2. SHA1

5.2.1. 5b79dd2791a817e283bc41f6ef3eff42c3b8f131

5.3. SHA256

5.3.1. 2d73ce9f8e11bbbce1bec1147bf30ef60a6d362504fbf650b3c8a0ea6f7c4fbb

6. VT

6.1. Detecção:

6.1.1. 55/71

6.2. Imphash

6.2.1. 1e6452b349d3cbc048e72755b22f42e0

6.3. AV names

6.3.1. Avast: Win32:RansomX-gen [Ransom]

6.3.2. Avira: TR/Crypt.XPACK.Gen

6.3.3. BitDefender: Gen:Variant.Fugrafa.10828

6.3.4. ESET-NOD32: Win32/Filecoder.Sodinokibi

6.3.5. F-Secure: Trojan.TR/Crypt.XPACK.Gen

6.3.6. Fortinet: W32/Graftor.2A43!tr

6.3.7. Kaspersky: None

6.3.8. McAfee: GenericRXJB-QB!1FF591E2E371

6.3.9. Microsoft: Ransom:Win32/Revil.SI!MTB

6.3.10. Panda: Trj/Genetic.gen

6.3.11. Sophos: Mal/Generic-S

6.3.12. Symantec: ML.Attribute.HighConfidence

6.3.13. TrendMicro: Ransom_Sodinokibi.R069C0DH720

6.4. Basico

6.4.1. entropy: 6.99

6.4.2. Packed?: PACKED

6.5. Histórico

6.6. Domínios/IPs Conectados

6.7. Registros

6.8. URL VT

6.8.1. VirusTotal

6.9. Imported DLLs

6.9.1. SHELL32.dll

6.9.1.1. SHGetPathFromIDListW

6.9.1.2. SHBrowseForFolderW

6.9.2. KERNEL32.dll

6.9.2.1. HeapFree

6.9.2.2. CopyFileW

6.9.2.3. EnterCriticalSection

6.9.2.4. QueryPerformanceCounter

6.9.2.5. HeapAlloc

6.9.2.6. SetConsoleTextAttribute

6.9.2.7. LoadLibraryA

6.9.2.8. lstrlenW

6.9.2.9. GetStdHandle

6.9.2.10. DeleteCriticalSection

6.9.2.11. SetThreadAffinityMask

6.9.2.12. GetProcAddress

6.9.2.13. GetConsoleScreenBufferInfo

6.9.2.14. GetCurrentThread

6.9.2.15. QueryPerformanceFrequency

6.9.2.16. CreateThread

6.9.2.17. WriteFile

6.9.2.18. CloseHandle

6.9.2.19. IsProcessorFeaturePresent

6.9.2.20. DeleteFileW

6.9.2.21. GetModuleHandleW

6.9.2.22. InitializeCriticalSection

6.9.2.23. OutputDebugStringW

6.9.2.24. CreateFileW

6.9.2.25. MoveFileW

6.9.2.26. SetEndOfFile

6.9.2.27. ExitProcess

6.9.2.28. GetProcessHeap

6.9.2.29. WriteConsoleW

6.9.2.30. LeaveCriticalSection

6.9.3. COMDLG32.dll

6.9.3.1. GetOpenFileNameW

6.9.4. USER32.dll

6.9.4.1. MessageBoxW

6.9.4.2. SendMessageW

6.9.4.3. EnableWindow

6.9.4.4. EndDialog

6.9.4.5. DialogBoxParamW

6.9.4.6. IsDlgButtonChecked

6.9.4.7. SetDlgItemTextW

6.9.4.8. SetDlgItemInt

6.9.4.9. SetWindowTextW

6.9.4.10. GetDlgItem

6.9.4.11. wsprintfW

6.9.4.12. CheckDlgButton

6.9.5. GDI32.dll

6.9.5.1. CreateFontW

7. Strings

7.1. decrypt_one_file

7.2. master_sk

7.3. pc_sk

7.4. C:\re2\rwdec\src\dec.c

7.5. file_decrypt_callback

7.6. dec_main

7.7. _vsnwprintf

7.8. ntdll

7.9. stdout_hexdump

7.10. C:\re2\core\src\common\debug.c

7.11. C:\re2\core\src\common\system.c

7.12. is_ru_speak

7.13. expand 32-byte kexpand 16-byte k

7.14. C:\re2\bin\Debug\rwdec_x86_debug.pdb

7.15. Possível PowerShell

7.15.1. EnterCriticalSection LeaveCriticalSection DeleteFileW SetEndOfFile CloseHandle CreateThread GetModuleHandleW CopyFileW MoveFileW GetStdHandle CreateFileW WriteFile OutputDebugStringW QueryPerformanceCounter QueryPerformanceFrequency HeapAlloc HeapFree GetProcessHeap InitializeCriticalSection DeleteCriticalSection ExitProcess GetCurrentThread GetProcAddress SetThreadAffinityMask lstrlenW LoadLibraryA GetConsoleScreenBufferInfo SetConsoleTextAttribute WriteConsoleW KERNEL32.dll MessageBoxW wsprintfW SendMessageW DialogBoxParamW EndDialog GetDlgItem SetDlgItemInt SetDlgItemTextW CheckDlgButton IsDlgButtonChecked EnableWindow SetWindowTextW USER32.dll CreateFontW GDI32.dll SHGetPathFromIDListW SHBrowseForFolderW SHELL32.dll GetOpenFileNameW COMDLG32.dll IsProcessorFeaturePresent

7.16. XML

7.16.1. <?xml version="1.0" encoding="utf-8"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <dependency xmlns="urn:schemas-microsoft-com:asm.v2"> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </windowsSettings> </application> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" /> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" /> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" /> </application> </compatibility> </assembly>

7.17. {"all": true, "master_sk": "Mw+RhrusyMgzMzbljjPswRrAvZr9ntIpvcHCS5qfNjg=", "ext": ["universal_tool_xxx_yyy"]}

7.18. VERIFICAR BINTEXT - Possui mais informações que strings cli

8. Análise de código

8.1. Dlls/Funções importadas

9. Comportamental

9.1. Rede

9.1.1. DNS

9.1.2. IP

9.2. HTTP

9.3. HTTPS

10. Analise com Capa/Fireeye -> fireeye/capa

10.1. [email protected]:~/Documents/daryus/analise-malware/prova/revil$ ../../../../../Tools/capa revil.exe loading : 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 469/469 [00:00<00:00, 825.17 rules/s] matching: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 275/275 [00:09<00:00, 28.19 functions/s] +------------------------+------------------------------------------------------------------------------------+ | md5 | 1ff591e2e37178684b73926816ea758c | | sha1 | 5b79dd2791a817e283bc41f6ef3eff42c3b8f131 | | sha256 | 2d73ce9f8e11bbbce1bec1147bf30ef60a6d362504fbf650b3c8a0ea6f7c4fbb | | path | revil.exe | +------------------------+------------------------------------------------------------------------------------+ +------------------------+------------------------------------------------------------------------------------+ | ATT&CK Tactic | ATT&CK Technique | |------------------------+------------------------------------------------------------------------------------| | DEFENSE EVASION | Obfuscated Files or Information [T1027] | | EXECUTION | Shared Modules [T1129] | +------------------------+------------------------------------------------------------------------------------+ +-----------------------------+-------------------------------------------------------------------------------+ | MBC Objective | MBC Behavior | |-----------------------------+-------------------------------------------------------------------------------| | ANTI-BEHAVIORAL ANALYSIS | Debugger Detection::Anti-debugging Instructions [B0001.034] | | | Debugger Detection::Software Breakpoints [B0001.025] | | CRYPTOGRAPHY | Encrypt Data::RC4 [C0027.009] | | | Encryption Key::RC4 KSA [C0028.002] | | | Generate Pseudo-random Sequence::RC4 PRGA [C0021.004] | | DATA | Checksum::CRC32 [C0032.001] | | | Encoding::Base64 [C0026.001] | | | Encoding::XOR [C0026.002] | | DEFENSE EVASION | Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02] | | FILE SYSTEM | Copy File [C0045] | | | Delete File [C0047] | | | Write File [C0052] | | PROCESS | Create Thread [C0038] | | | Terminate Process [C0018] | +-----------------------------+-------------------------------------------------------------------------------+ +------------------------------------------------------+------------------------------------------------------+ | CAPABILITY | NAMESPACE | |------------------------------------------------------+------------------------------------------------------| | check for software breakpoints | anti-analysis/anti-debugging/debugger-detection | | execute anti-debugging instructions | anti-analysis/anti-debugging/debugger-detection | | hash data with CRC32 | data-manipulation/checksum/crc32 | | encode data using Base64 | data-manipulation/encoding/base64 | | encode data using XOR (14 matches) | data-manipulation/encoding/xor | | reference AES constants (2 matches) | data-manipulation/encryption/aes | | encrypt data using RC4 KSA | data-manipulation/encryption/rc4 | | encrypt data using RC4 PRGA | data-manipulation/encryption/rc4 | | contains PDB path | executable/pe/pdb | | contain a resource (.rsrc) section | executable/pe/section/rsrc | | copy file | host-interaction/file-system/copy | | delete file | host-interaction/file-system/delete | | move file | host-interaction/file-system/move | | write file | host-interaction/file-system/write | | print debug messages | host-interaction/log/debug/write-event | | terminate process | host-interaction/process/terminate | | create thread (4 matches) | host-interaction/thread/create | | link function at runtime | linking/runtime-linking | | parse PE header (4 matches) | load-code/pe | +------------------------------------------------------+------------------------------------------------------+

10.2. [email protected]:~/Documents/daryus/analise-malware/prova/revil$ ../../../../../Tools/capa -v revil.exe loading : 100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 469/469 [00:00<00:00, 1622.88 rules/s] matching: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 275/275 [00:12<00:00, 22.88 functions/s] md5 1ff591e2e37178684b73926816ea758c sha1 5b79dd2791a817e283bc41f6ef3eff42c3b8f131 sha256 2d73ce9f8e11bbbce1bec1147bf30ef60a6d362504fbf650b3c8a0ea6f7c4fbb path revil.exe timestamp 2021-03-21T14:05:57.850040 capa version v1.6.0-0-g7a8c057 format auto extractor VivisectFeatureExtractor base address 0x400000 rules (embedded rules) function count 275 total feature count 9156 check for software breakpoints namespace anti-analysis/anti-debugging/debugger-detection scope function matches 0x4095A5 execute anti-debugging instructions namespace anti-analysis/anti-debugging/debugger-detection scope function matches 0x403E16 hash data with CRC32 namespace data-manipulation/checksum/crc32 scope function matches 0x4058DB encode data using Base64 namespace data-manipulation/encoding/base64 scope function matches 0x40A431 encode data using XOR (14 matches) namespace data-manipulation/encoding/xor scope basic block matches 0x4057EF 0x4058F9 0x405A82 0x406738 0x406773 0x4068BB 0x407570 0x4077BE 0x4078F7 0x407A52 0x40957A 0x409609 0x409659 0x4096F4 reference AES constants (2 matches) namespace data-manipulation/encryption/aes scope function matches 0x406AAA 0x4074ED encrypt data using RC4 KSA namespace data-manipulation/encryption/rc4 scope function matches 0x405780 encrypt data using RC4 PRGA namespace data-manipulation/encryption/rc4 scope function matches 0x4057D8 contains PDB path namespace executable/pe/pdb scope file contain a resource (.rsrc) section namespace executable/pe/section/rsrc scope file copy file namespace host-interaction/file-system/copy scope function matches 0x401EA6 delete file namespace host-interaction/file-system/delete scope function matches 0x401EA6 move file namespace host-interaction/file-system/move scope function matches 0x401EA6 write file namespace host-interaction/file-system/write scope function matches 0x402B96 print debug messages namespace host-interaction/log/debug/write-event scope function matches 0x402B96 terminate process namespace host-interaction/process/terminate scope function matches 0x402916 create thread (4 matches) namespace host-interaction/thread/create scope basic block matches 0x4017C1 0x4019DE 0x401B76 0x4024A8 link function at runtime namespace linking/runtime-linking scope function matches 0x402ABD parse PE header (4 matches) namespace load-code/pe scope function matches 0x4089EE 0x408FD0 0x4091C9 0x4096E1

10.3. [email protected]:~/Documents/daryus/analise-malware/prova/revil$ ../../../../../Tools/capa -vv revil.exe loading : 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 469/469 [00:00<00:00, 918.45 rules/s] matching: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 275/275 [00:10<00:00, 26.52 functions/s] md5 1ff591e2e37178684b73926816ea758c sha1 5b79dd2791a817e283bc41f6ef3eff42c3b8f131 sha256 2d73ce9f8e11bbbce1bec1147bf30ef60a6d362504fbf650b3c8a0ea6f7c4fbb path revil.exe timestamp 2021-03-21T14:15:27.623376 capa version v1.6.0-0-g7a8c057 format auto extractor VivisectFeatureExtractor base address 0x400000 rules (embedded rules) function count 275 total feature count 9156 check for software breakpoints namespace anti-analysis/anti-debugging/debugger-detection author [email protected] scope function mbc Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025] references LordNoteworthy/al-khaser examples al-khaser_x86.exe_:0x431020 function @ 0x4095A5 and: subscope: and: mnemonic: cmp @ 0x4095AE or: number: 0xCC @ 0x4095A8 match: contain loop @ 0x4095A5 or: characteristic: loop @ 0x4095A5 characteristic: tight loop @ 0x409609, 0x409659 execute anti-debugging instructions namespace anti-analysis/anti-debugging/debugger-detection author [email protected] scope function mbc Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034] examples Practical Malware Analysis Lab 16-03.exe_:0x401300 function @ 0x403E16 or: count(mnemonic(rdtsc)): 2 or more @ 0x403E21, 0x403E2C, 0x403E42 hash data with CRC32 namespace data-manipulation/checksum/crc32 author [email protected] scope function mbc Data::Checksum::CRC32 [C0032.001] examples 2D3EDC218A90F03089CC01715A9F047F:0x403CBD, 7D28CB106CB54876B2A5C111724A07CD:0x402350, 7EFF498DE13CC734262F87E6B3EF38AB:0x100084A6 function @ 0x4058DB or: and: mnemonic: shr @ 0x4058FB number: 0xEDB88320 @ 0x405903 number: 0x8 @ 0x4058F3 characteristic: nzxor @ 0x4058F5, 0x405908 encode data using Base64 namespace data-manipulation/encoding/base64 author [email protected] scope function att&ck Defense Evasion::Obfuscated Files or Information [T1027] mbc Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02], Data::Encoding::Base64 [C0026.001] examples BFB9B5391A13D0AFD787E87AB90F14F5:0x1314889C, 074072B261FC27B65C72671F13510C05:0x100049B2, 5DB2D2BE20D59AA0BE6709A6850F1775:0x18001CC30, 08AC667C65D36D6542917655571E61C8:0x406EAA function @ 0x40A431 and: mnemonic: shl @ 0x40A5C2, 0x40A5CD, 0x40A5D5, 0x40A697, and 2 more... mnemonic: shr @ 0x40A6E6, 0x40A719, 0x40A723, 0x40A74E, and 2 more... number: 0x3F @ 0x40A6E9, 0x40A726, 0x40A729, 0x40A75B, and 2 more... or: number: 0x3D = '=' @ 0x40A9B5 match: contain loop @ 0x40A431 or: characteristic: loop @ 0x40A431 characteristic: tight loop @ 0x40B052 optional: number: 0x2 @ 0x40A697, 0x40A6DC, 0x40A6F8, 0x40AACE, and 4 more... number: 0x3 @ 0x40A463, 0x40A479, 0x40A47C, 0x40A694, and 14 more... number: 0x4 @ 0x40A517, 0x40A529, 0x40A54E, 0x40A5C2, and 13 more... number: 0x6 @ 0x40A496, 0x40A5FD, 0x40A6E6, 0x40A723, and 3 more... encode data using XOR (14 matches) namespace data-manipulation/encoding/xor author [email protected] scope basic block att&ck Defense Evasion::Obfuscated Files or Information [T1027] mbc Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02], Data::Encoding::XOR [C0026.002] examples 2D3EDC218A90F03089CC01715A9F047F:0x403D7E basic block @ 0x4057EF and: characteristic: tight loop @ 0x4057EF characteristic: nzxor @ 0x405832 not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x4058F9 and: characteristic: tight loop @ 0x4058F9 characteristic: nzxor @ 0x405908 not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x405A82 and: characteristic: tight loop @ 0x405A82 characteristic: nzxor @ 0x405A85 not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x406738 and: characteristic: tight loop @ 0x406738 characteristic: nzxor @ 0x406742 not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x406773 and: characteristic: tight loop @ 0x406773 characteristic: nzxor @ 0x40677B not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x4068BB and: characteristic: tight loop @ 0x4068BB characteristic: nzxor @ 0x4068C3, 0x4068CF, 0x4068DB, 0x4068E8, and 28 more... not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x407570 and: characteristic: tight loop @ 0x407570 characteristic: nzxor @ 0x407596, 0x4075AB, 0x4075BD, 0x4075E7, and 8 more... not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x4077BE and: characteristic: tight loop @ 0x4077BE characteristic: nzxor @ 0x4077EA, 0x4077F9, 0x40780A, 0x40780C, and 4 more... not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x4078F7 and: characteristic: tight loop @ 0x4078F7 characteristic: nzxor @ 0x4078FA, 0x407900, 0x407933, 0x407942, and 6 more... not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x407A52 and: characteristic: tight loop @ 0x407A52 characteristic: nzxor @ 0x407A77, 0x407A87, 0x407A94, 0x407A99, and 11 more... not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x40957A and: characteristic: tight loop @ 0x40957A characteristic: nzxor @ 0x40957F, 0x409583, 0x40958F not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x409609 and: characteristic: tight loop @ 0x409609 characteristic: nzxor @ 0x409614 not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x409659 and: characteristic: tight loop @ 0x409659 characteristic: nzxor @ 0x409664 not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 basic block @ 0x4096F4 and: characteristic: tight loop @ 0x4096F4 characteristic: nzxor @ 0x4096F7, 0x4096FA, 0x4096FD, 0x409703, and 188 more... not: or: number: 0xFFFFFFFF number: 0xFFFFFFFFFFFFFFFF number: 0xFFFFFFF number: 0xFFFFFFFFFFFFFFF number: 0x7EFEFEFF number: 0x81010101 number: 0x81010100 number: 0x7EFEFEFEFEFEFEFF number: 0x8101010101010101 number: 0x8101010101010100 reference AES constants (2 matches) namespace data-manipulation/encryption/aes author [email protected] scope function att&ck Defense Evasion::Obfuscated Files or Information [T1027] function @ 0x406AAA or: bytes: 50 A7 F4 51 53 65 41 7E = d-0 @ 0x406B43, 0x406B86, 0x406BCD, 0x406C03, and 8 more... function @ 0x4074ED or: bytes: 50 A7 F4 51 53 65 41 7E = d-0 @ 0x407587, 0x4075D8, 0x40762A, 0x40767C encrypt data using RC4 KSA namespace data-manipulation/encryption/rc4 author [email protected] scope function att&ck Defense Evasion::Obfuscated Files or Information [T1027] mbc Cryptography::Encrypt Data::RC4 [C0027.009], Cryptography::Encryption Key::RC4 KSA [C0028.002] examples 34404A3FB9804977C6AB86CB991FB130:0x403D40, C805528F6844D7CAF5793C025B56F67D:0x4067AE, 9324D1A8AE37A36AE560C37448C9705A:0x404950, 782A48821D88060ADF0F7EF3E8759FEE3DDAD49E942DAAD18C5AF8AE0E9EB51E:0x405C42, 73CE04892E5F39EC82B00C02FC04C70F:0x40646E function @ 0x405780 or: and: subscope: and: = initialize S characteristic: tight loop @ 0x40579E or: number: 0x100 @ 0x4057C9 and: = initialize S characteristic: tight loop @ 0x40578E or: number: 0x100 @ 0x405792 or: count(mnemonic(movzx)): 2 or more @ 0x4057A5, 0x4057AE, 0x4057B6 or: = modulo key length mnemonic: div @ 0x4057A8 encrypt data using RC4 PRGA namespace data-manipulation/encryption/rc4 author [email protected] scope function att&ck Defense Evasion::Obfuscated Files or Information [T1027] mbc Cryptography::Encrypt Data::RC4 [C0027.009], Cryptography::Generate Pseudo-random Sequence::RC4 PRGA [C0021.004] examples 34404A3FB9804977C6AB86CB991FB130:0x403DB0, 34404A3FB9804977C6AB86CB991FB130:0x403E50, 9324D1A8AE37A36AE560C37448C9705A:0x4049F0, 73CE04892E5F39EC82B00C02FC04C70F:0x4064C6 function @ 0x4057D8 and: count(characteristic(nzxor)): 1 @ 0x405832 or: count(mnemonic(movzx)): 4 or more @ 0x4057F3, 0x405802, 0x405807, 0x40581D, and 2 more... count(characteristic(calls from)): 4 or fewer count(basicblock): 4 or more @ 0x4057D8, 0x4057E8, 0x4057EF, 0x405843, and 1 more... match: contain loop @ 0x4057D8 or: characteristic: tight loop @ 0x4057EF contains PDB path namespace executable/pe/pdb author [email protected] scope file examples 464EF2CA59782CE697BC329713698CCC string: C:\re2\bin\Debug\rwdec_x86_debug.pdb @ 0xE390 contain a resource (.rsrc) section namespace executable/pe/section/rsrc author [email protected] scope file examples A933A1A402775CFA94B6BEE0963F4B46:0x41fd25 section: .rsrc @ 0x412000 copy file namespace host-interaction/file-system/copy author [email protected] scope function mbc File System::Copy File [C0045] examples Practical Malware Analysis Lab 01-01.exe_:0x401440 function @ 0x401EA6 or: api: kernel32.CopyFile @ 0x40208E delete file namespace host-interaction/file-system/delete author [email protected] scope function mbc File System::Delete File [C0047] examples 946A99F36A46D335DEC080D9A4371940:0x100015F0, 31600AD0D1A7EA615690DF111AE36C73:0x401A15, 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001E04 function @ 0x401EA6 or: api: kernel32.DeleteFile @ 0x4021C5, 0x4021FC move file namespace host-interaction/file-system/move author [email protected] scope function function @ 0x401EA6 or: api: kernel32.MoveFile @ 0x402204 write file namespace host-interaction/file-system/write author [email protected] scope function mbc File System::Write File [C0052] examples Practical Malware Analysis Lab 01-04.exe_:0x4011FC, 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400025C4 function @ 0x402B96 and: or: api: kernel32.WriteFile @ 0x402BBC print debug messages namespace host-interaction/log/debug/write-event author [email protected] scope function examples 493167E85E45363D09495D0841C30648:0x401000 function @ 0x402B96 or: api: kernel32.OutputDebugString @ 0x402B9F terminate process namespace host-interaction/process/terminate author [email protected] scope function mbc Process::Terminate Process [C0018] examples C91887D861D9BD4A5872249B641BC9F9:0x401A77 function @ 0x402916 and: or: api: kernel32.ExitProcess @ 0x402AB6 create thread (4 matches) namespace host-interaction/thread/create author [email protected], [email protected] scope basic block mbc Process::Create Thread [C0038] examples 946A99F36A46D335DEC080D9A4371940:0x10001DA0, B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x408020 basic block @ 0x4017C1 or: api: kernel32.CreateThread @ 0x401815 basic block @ 0x4019DE or: api: kernel32.CreateThread @ 0x4019F4 basic block @ 0x401B76 or: api: kernel32.CreateThread @ 0x401B8C basic block @ 0x4024A8 or: api: kernel32.CreateThread @ 0x4024AA link function at runtime namespace linking/runtime-linking author [email protected] scope function att&ck Execution::Shared Modules [T1129] examples 9324D1A8AE37A36AE560C37448C9705A:0x404130, Practical Malware Analysis Lab 01-04.exe_:0x401350 function @ 0x402ABD and: or: api: kernel32.LoadLibrary @ 0x402ACD or: api: kernel32.GetProcAddress @ 0x402AD4 parse PE header (4 matches) namespace load-code/pe author [email protected] scope function att&ck Execution::Shared Modules [T1129] examples 9324D1A8AE37A36AE560C37448C9705A:0x403DD0 function @ 0x4089EE or: and: offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew @ 0x408BA4 or: and: offset/x32: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage @ 0x408CDC offset/x32: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase @ 0x408B4D function @ 0x408FD0 or: and: offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew @ 0x409027, 0x409035, 0x409043 or: and: offset/x32: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage @ 0x40914F offset/x32: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase @ 0x40905A, 0x409068, 0x409073 function @ 0x4091C9 or: and: offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew @ 0x4092E6 or: and: offset/x32: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage @ 0x4093AD offset/x32: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase @ 0x4092B3 function @ 0x4096E1 or: and: offset: 0x3C = IMAGE_DOS_HEADER.e_lfanew @ 0x40972F, 0x409927, 0x409935, 0x409B00, and 3 more... or: and: offset/x32: 0x50 = IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage @ 0x40970E, 0x40981B, 0x409828, 0x409ADB, and 3 more... offset/x32: 0x34 = IMAGE_NT_HEADERS.OptionalHeader.ImageBase @ 0x40978C, 0x4098A0, 0x4098AE, 0x409E29, and 3 more...

11. MalwareBazaar

11.1. MalwareBazaar | SHA256 2d73ce9f8e11bbbce1bec1147bf30ef60a6d362504fbf650b3c8a0ea6f7c4fbb (Sodinokibi)behaviorgraphtop1signatures22112->11132->13152->1562->6process3signatures4176->1796->9process5

12. Any.run

12.1. 2d73ce9f8e11bbbce1bec1147bf30ef60a6d362504fbf650b3c8a0ea6f7c4fbb.bin.sample.gz (MD5: 453D7A300C6BFA2AEB7DD90929D7ED62) - Interactive analysis - ANY.RUN

13. Regras YARA

13.1. https://raw.githubusercontent.com/advanced-threat-research/Yara-Rules/master/ransomware/RANSOM_Sodinokibi.yar

13.2. rule MAL_RANSOM_REvil_Oct20_1 { meta: description = "Detects REvil ransomware" author = "Florian Roth" reference = "Internal Research" date = "2020-10-13" hash1 = "5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4" hash2 = "f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5" hash3 = "f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d" hash4 = "fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501" strings: $op1 = { 0f 8c 74 ff ff ff 33 c0 5f 5e 5b 8b e5 5d c3 8b } $op2 = { 8d 85 68 ff ff ff 50 e8 2a fe ff ff 8d 85 68 ff } $op3 = { 89 4d f4 8b 4e 0c 33 4e 34 33 4e 5c 33 8e 84 } $op4 = { 8d 85 68 ff ff ff 50 e8 05 06 00 00 8d 85 68 ff } $op5 = { 8d 85 68 ff ff ff 56 57 ff 75 0c 50 e8 2f } condition: uint16(0) == 0x5a4d and filesize < 400KB and 2 of them or 4 of them }

13.3. rule win_revil_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-01" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.5.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "REvil (Malware Family)" malpedia_rule_date = "20201127" malpedia_hash = "ae61de407d8ec67cdbe44187237e174f42b42c47" malpedia_version = "" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 833d????????00 752f 6a00 6800001000 6a00 } // n = 5, score = 4200 // 833d????????00 | // 752f | jne 0x31 // 6a00 | push 0 // 6800001000 | push 0x100000 // 6a00 | push 0 $sequence_1 = { 50 57 ff15???????? 83c410 8bc7 } // n = 5, score = 4200 // 50 | push eax // 57 | push edi // ff15???????? | // 83c410 | add esp, 0x10 // 8bc7 | mov eax, edi $sequence_2 = { 894a58 8bce 89425c 33c0 8b9a88000000 8b928c000000 } // n = 6, score = 4200 // 894a58 | mov dword ptr [edx + 0x58], ecx // 8bce | mov ecx, esi // 89425c | mov dword ptr [edx + 0x5c], eax // 33c0 | xor eax, eax // 8b9a88000000 | mov ebx, dword ptr [edx + 0x88] // 8b928c000000 | mov edx, dword ptr [edx + 0x8c] $sequence_3 = { 8d8510ffffff 50 8d8560ffffff 50 8d45b0 50 e8???????? } // n = 7, score = 4200 // 8d8510ffffff | lea eax, [ebp - 0xf0] // 50 | push eax // 8d8560ffffff | lea eax, [ebp - 0xa0] // 50 | push eax // 8d45b0 | lea eax, [ebp - 0x50] // 50 | push eax // e8???????? | $sequence_4 = { 743c 0fb71f 8bd7 6685db } // n = 4, score = 4200 // 743c | je 0x3e // 0fb71f | movzx ebx, word ptr [edi] // 8bd7 | mov edx, edi // 6685db | test bx, bx $sequence_5 = { 745c ff750c e8???????? 8906 59 85c0 7427 } // n = 7, score = 4200 // 745c | je 0x5e // ff750c | push dword ptr [ebp + 0xc] // e8???????? | // 8906 | mov dword ptr [esi], eax // 59 | pop ecx // 85c0 | test eax, eax // 7427 | je 0x29 $sequence_6 = { 8b7df8 85ff 7749 7205 83f9ff 7742 85d2 } // n = 7, score = 4200 // 8b7df8 | mov edi, dword ptr [ebp - 8] // 85ff | test edi, edi // 7749 | ja 0x4b // 7205 | jb 7 // 83f9ff | cmp ecx, -1 // 7742 | ja 0x44 // 85d2 | test edx, edx $sequence_7 = { 8365fc00 8d45fc 56 50 8d450c 50 } // n = 6, score = 4200 // 8365fc00 | and dword ptr [ebp - 4], 0 // 8d45fc | lea eax, [ebp - 4] // 56 | push esi // 50 | push eax // 8d450c | lea eax, [ebp + 0xc] // 50 | push eax $sequence_8 = { c3 0fbec0 83f861 7f10 740a 83e841 } // n = 6, score = 4200 // c3 | ret // 0fbec0 | movsx eax, al // 83f861 | cmp eax, 0x61 // 7f10 | jg 0x12 // 740a | je 0xc // 83e841 | sub eax, 0x41 $sequence_9 = { 8b7d08 57 e8???????? 59 59 85c0 7407 } // n = 7, score = 4200 // 8b7d08 | mov edi, dword ptr [ebp + 8] // 57 | push edi // e8???????? | // 59 | pop ecx // 59 | pop ecx // 85c0 | test eax, eax // 7407 | je 9 condition: 7 of them and filesize < 155794432 }

14. Outros links referentes ao REvil Sodinokibi

14.1. REvil Sodinokibi Ransomware: DataBreach Analysis - Swascan

14.2. https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

14.3. https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

15. tria.ge

15.1. Overview Report