Win32/Filecoder.Sodinokibi [Threat Name]
Win32/Filecoder.Sodinokibi.N [Threat Variant Name]
Category | trojan
Size | 912264 B
Aliases | Ransom:Win32/Sodinokibi (Microsoft), Troj/Ransom-GIQ (Sophos), Trojan.Encoder.34110 (Dr.Web)
Short description
Win32/Filecoder.Sodinokibi.N is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
When executed, the trojan creates the following files:
- C:\Windows\mpsvc.dll (808328 B, Win32/Filecoder.Sodinokibi.N trojan)
- C:\Windows\MsMpEng.exe (22224 B)
The trojan launches the following processes:
- C:\Windows\MsMpEng.exe (22224 B)
MsMpEng.exe is an old but legitimate, Microsoft-signed copy of the Microsoft Defender service executable. It loads mpsvc.dll from its own directory, so the malicious DLL runs inside a trusted signed process (DLL side-loading); the executable itself is not detected as malware.
Payload information
Win32/Filecoder.Sodinokibi.N is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches for files with the following file extensions:
- *.*
It avoids files from the following directories:
- $recycle.bin
- $windows.~bt
- $windows.~ws
- appdata
- application data
- boot
- intel
- mozilla
- msocache
- perflogs
- program files
- program files (x86)
- programdata
- system volume information
- tor browser
- windows
- windows.old
It avoids files with the following filenames:
- autorun.inf
- boot.ini
- bootfont.bin
- bootsect.bak
- desktop.ini
- iconcache.db
- ntldr
- ntuser.dat
- ntuser.dat.log
- ntuser.ini
- thumbs.db
It avoids files with the following extensions:
- .386
- .adv
- .ani
- .bat
- .bin
- .cab
- .cmd
- .com
- .cpl
- .cur
- .deskthemepack
- .diagcab
- .diagcfg
- .diagpkg
- .dll
- .drv
- .exe
- .hlp
- .hta
- .icl
- .icns
- .ico
- .ics
- .idx
- .key
- .ldf
- .lnk
- .lock
- .mod
- .mpa
- .msc
- .msi
- .msp
- .msstyles
- .msu
- .nls
- .nomedia
- .ocx
- .prf
- .ps1
- .rom
- .rtp
- .scr
- .shs
- .spl
- .sys
- .theme
- .themepack
- .wpx
The trojan encrypts the file content.
Curve25519 and Salsa20 are used: file contents are encrypted with the Salsa20 stream cipher, and the Salsa20 keys are protected with Curve25519 key agreement against a public key embedded in the trojan, so they cannot be recovered without the operators' corresponding private key.
An additional .%variable% extension is appended.
The following file is dropped in the same folder:
- %variable%-readme.txt
It contains the following text:
A string with variable content is used instead of %variable% .
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Other information
The trojan may delete files stored in the following folders:
- $Recycle.Bin
The trojan keeps various information in the following Registry keys:
- [HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter]
- "96la6"="%data%"
- "Ed7"="%data%"
- "JmfOBvhb"="%data%"
- "QleQ"="%data%"
- "Ucr1RB"="%data%"
- "wJWsTYE"="%data%"
- [HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter]
- "96la6"="%data%"
- "Ed7"="%data%"
- "JmfOBvhb"="%data%"
- "QleQ"="%data%"
- "Ucr1RB"="%data%"
- "wJWsTYE"="%data%"
The trojan may terminate specific running processes.
Services whose names contain the following strings are stopped and disabled:
- backup
- memtas
- mepocs
- sophos
- sql
- svc$
- veeam
- vss
The trojan may execute the following command, which enables the Windows Firewall "Network Discovery" rule group so that hosts and shares on the local network can be enumerated and reached:
- netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
The trojan removes all of the volume shadow copies in order to prevent restoring the original files.
This file/image is set as a wallpaper.
The trojan may display the following message:
When file encryption is finished, the trojan removes itself from the computer.
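The artifacts listed above are enough for a first triage pass: the ransom note name gives away the random per-victim extension (%variable%-readme.txt sits next to files ending in .%variable%), the two files under C:\Windows and the BlackLivesMatter registry keys confirm the variant. The following is an added triage helper, not the trojan's code or any vendor's tool; the sample directory tree it builds is constructed for the demonstration, and the registry check only runs on Windows.

```python
"""Added triage helper for Win32/Filecoder.Sodinokibi.N artifacts: recovers
the per-victim extension from the ransom note name (%variable%-readme.txt),
counts files carrying that extension, and on Windows checks the registry
keys and dropped files listed above.  Not the trojan's or any vendor's code."""
import os
import re
import sys
import tempfile
from collections import Counter

# The note name is the random extension followed by "-readme.txt".
NOTE_RE = re.compile(r"^([0-9a-z]+)-readme\.txt$", re.IGNORECASE)
REG_KEYS = [("HKLM", r"SOFTWARE\BlackLivesMatter"),
            ("HKCU", r"SOFTWARE\BlackLivesMatter")]
DROPPED_FILES = [r"C:\Windows\mpsvc.dll", r"C:\Windows\MsMpEng.exe"]


def scan_tree(root: str) -> dict:
    """Walk `root`; return {ext: {"notes": n, "encrypted": m}} for every
    extension that has both a ransom note and files renamed with it."""
    notes, suffixes = Counter(), Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes[m.group(1).lower()] += 1
                continue
            ext = os.path.splitext(name)[1][1:].lower()
            if ext:
                suffixes[ext] += 1
    # A note with no files carrying its extension is noise, not a victim extension.
    return {ext: {"notes": notes[ext], "encrypted": suffixes[ext]}
            for ext in notes if suffixes[ext]}


def check_host() -> dict:
    """Dropped-file check everywhere; registry check only on Windows, where
    each present key maps to its number of values (None elsewhere)."""
    present = [p for p in DROPPED_FILES if os.path.exists(p)]
    if sys.platform != "win32":
        return {"dropped_files": present, "registry": None}
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = {}
    for hive, path in REG_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                found[hive + "\\" + path] = winreg.QueryInfoKey(key)[1]
        except OSError:
            continue
    return {"dropped_files": present, "registry": found}


def demo() -> dict:
    """Build a constructed sample tree (not real victim data) and scan it."""
    sample = [
        "q3-report.docx.k8f2xa", "photo.jpg.k8f2xa", "k8f2xa-readme.txt",
        "sub/budget.xlsx.k8f2xa", "sub/k8f2xa-readme.txt",
        "notes.txt", "other-readme.txt",   # a note name with no matching files
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())        # {'k8f2xa': {'notes': 2, 'encrypted': 3}}
    print(check_host())
```

Point scan_tree at a mounted image or a user profile rather than a live system drive; the extension it returns is also what to search for on the network shares the trojan reaches.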