Analysis of Foreign Ransomware


Hash of the File: 232ca9cefd0b1b0d2cc11c11090124720cbf90778210e30c3e9f8841512dfd22
File type: EXE file

Static analysis

This ransomware code starts checking for running OS platform details and the conditions failed then it triggers Dr. Watson error. It then retrieves a handle to the current window station for the calling process using “GetProcessWindowStation”. The code again to query the details of WinMajor details and if the condition fails then it triggers Dr Watson error.
  call    __get_winmajor
.text:3A2F8D8D                 add     esp, 4
.text:3A2F8D90                 push    eax
.text:3A2F8D91                 call    __invoke_watson_if_error
.text:3A2F8D96                 add     esp, 18h

Further it retrieves the GetActiveWindow and uses the “GetLastActivePopup ()” to Determines which pop-up window owned by the specified window was most recently active.

Retrieving volume details:
     call    ds:SetErrorMode
.text:3A2E34FF                 push    0C8h            ; cchBufferLength
.text:3A2E3504                 lea     eax, [ebp+68h+RootPathName]
.text:3A2E3507                 push    eax             ; lpszVolumeName
.text:3A2E3508                 call    ds:FindFirstVolumeW
.text:3A2E350E                 push    offset aVolumes ; "\nVolumes:\n"
.text:3A2E3513                 call    _wprintf
.text:3A2E3518                 lea     eax, [ebp+68h+RootPathName]
.text:3A2E351B                 pop     ecx
.text:3A2E351C                 mov     dword_3A31E898, esi
.text:3A2E3522                 lea     ecx, [eax+2]

Ransomware needs find the volume details and then proceed for encrypting the file. Malware code retrieving FindFirstVolume+FindNextVolume gives all the volumes present including Windows reserved and system recovery partition. The return value is a unique GUID for the volume which can also be found in registry (HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume).

Observed behavior

File created: "%APPDATA%\info.exe

Looking for the following processes to terminate:
"taskkill /f /im oracle.exe"
"taskkill /f /im sqlite.exe"
"taskkill /f /im sql.exe"

Deleting Volume shadow copy to not allowing the backup restoring functionalities in the windows system:

"vssadmin.exe" with commandline "Delete Shadows /All /Quiet"

Auto-start registry entry:



Physical location of the file matches: "%APPDATA%\info.exe"




These registry entries are to maintain the persistence of the malware in the infected system.

Ransom Notes:

"Hello!All your files have been encrypted by usIf you want restore files write on e-mail – fileskey(at)qq(.)com or fileskey(at)cock(.)li"



Popular Posts