
Extracting Sodinokibi Configuration

During my analysis of a Sodinokibi sample, I discovered that the malware opens a console window and writes debug messages to it, and also writes the [DBG] messages to a text file called "DBG_LOG.txt".



Sodinokibi is known to exploit several critical vulnerabilities, including the Oracle WebLogic Server deserialization flaw (CVE-2019-2725) for initial access and the Windows win32k.sys elevation-of-privilege vulnerability (CVE-2018-8453), originally exploited as a zero-day, to escalate privileges on infected systems.


The malware unpacks itself in several stages: each stage allocates virtual memory and decrypts the next stage, the exploitation code, into it:
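When a stage has been decrypted into a freshly allocated region, the first thing to check is whether that region now holds a complete PE image and which architecture it targets. The helper below is an added example, not code from the original post or from the Sodinokibi sample: it validates the MZ/PE headers of a dumped region and reads the COFF Machine field to tell x86 from x64. The page does not name the cipher the malware uses, so the single-byte XOR used here to illustrate "derive the key from the known MZ signature, then verify" is an assumption, and the stub PE header is constructed for the demonstration.

```python
import struct

# COFF Machine values for the two architectures the sample distinguishes
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def parse_pe_machine(buf: bytes):
    """Return the COFF Machine field if buf starts with a consistent MZ/PE header, else None."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    # PE signature (4 bytes) + Machine (2 bytes) must fit inside the region
    if e_lfanew + 6 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", buf, e_lfanew + 4)[0]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_pe(region: bytes):
    """Assumed single-byte XOR: derive the key from the expected 'M' of 'MZ',
    decrypt the region and validate the result as a PE. Returns None if the
    region does not decrypt to a PE under that assumption."""
    if len(region) < 0x40:
        return None
    key = region[0] ^ ord("M")
    decrypted = xor_bytes(region, key)
    machine = parse_pe_machine(decrypted)
    if machine is None:
        return None
    arch = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(
        machine, hex(machine)
    )
    return {"key": key, "arch": arch, "image": decrypted}


def build_stub_pe(machine: int) -> bytes:
    """Constructed minimal header for the demo: MZ, e_lfanew=0x40, PE\\0\\0, Machine."""
    hdr = bytearray(0x60)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)
    return bytes(hdr)


if __name__ == "__main__":
    # Simulate a dumped region: a 64-bit stub header "encrypted" with key 0x5A
    dumped = xor_bytes(build_stub_pe(IMAGE_FILE_MACHINE_AMD64), 0x5A)
    result = recover_pe(dumped)
    print(f"key=0x{result['key']:02x} arch={result['arch']}")
    # A region that is not a PE (all zeros) is rejected
    print(recover_pe(bytes(0x60)))
```

In practice the region comes from a debugger dump taken right after the decryption loop finishes; if `recover_pe` returns None the region is more likely position-independent shellcode than an image, which matches the next stage described below.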





A reference to the kernel component win32k.sys can be seen; that driver is where the vulnerability CVE-2018-8453 exists.



Depending on the processor architecture, one of the shellcode variants embedded in the body is executed.

A new thread is created, and by placing an on-execution hardware breakpoint I was able to follow the thread.





Finally, I could see the decrypted configuration of the malware:


I decoded the base64-encoded blobs within the configuration, and they turned out to be the ransomware note.
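Once the configuration is out of memory, the blobs worth base64-decoding are the ones that turn back into readable text, which is how the note is recognised. The script below is an added example, not code from the original post: it walks every string field of a JSON configuration, attempts a strict base64 decode, and reports each field as plain string, decoded text (the ransom note) or decoded binary (key material). The field names nname, nbody, pk, pid, sub and dbg and the sample values are constructed for the demonstration and are assumptions, not taken from the page; the decoder does not depend on them.

```python
import base64
import binascii
import json


def try_b64(value: str):
    """Strict base64 decode; returns None for anything that is not well-formed base64."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_text(data: bytes) -> bool:
    """True if the decoded bytes are UTF-8 and contain only printable characters
    (plus the line breaks and tabs a ransom note normally carries)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_config(config_json: str) -> dict:
    """Classify each configuration field as ('string'|'text'|'binary'|'value', payload)."""
    cfg = json.loads(config_json)
    result = {}
    for key, value in cfg.items():
        if not isinstance(value, str):
            result[key] = ("value", value)
            continue
        raw = try_b64(value)
        if raw is None:
            result[key] = ("string", value)
        elif looks_like_text(raw):
            result[key] = ("text", raw.decode("utf-8"))
        else:
            result[key] = ("binary", raw)
    return result


# Constructed sample configuration (field names and values are assumptions for the demo)
SAMPLE_NOTE = (
    "Your files are encrypted and currently unavailable.\n"
    "All files on your system now have the extension {EXT}.\n"
    "Follow the instructions to obtain the decryptor.\n"
)
SAMPLE_CONFIG = json.dumps({
    "nname": "{EXT}-readme.txt",                        # note filename template
    "nbody": base64.b64encode(SAMPLE_NOTE.encode()).decode(),  # base64 note body
    "pk": base64.b64encode(bytes(range(0, 64, 2))).decode(),   # non-text key blob
    "pid": "2398de6eb5f38d77a3a2d5c44d92b7c0",
    "sub": "19",
    "dbg": False,                                       # debug logging switch
})


if __name__ == "__main__":
    for key, (kind, payload) in decode_config(SAMPLE_CONFIG).items():
        shown = payload if kind != "binary" else f"{len(payload)} bytes"
        print(f"{key:6} {kind:7} {shown!r}")
```

Strict decoding matters here: lenient `b64decode` would happily turn short hex identifiers or path templates into garbage bytes, so non-base64 strings are reported unchanged and only well-formed blobs are interpreted.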



The con…
