Analysis of Foreign Ransomware
The ransomware first needs to find the volume details and then proceeds to encrypt files. The malware code enumerates all volumes present, including the Windows reserved and system recovery partitions. The return value is the unique GUID for each volume, which can also be found in the registry (HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume).
Hash of the File: 232ca9cefd0b1b0d2cc11c11090124720cbf90778210e30c3e9f8841512dfd22
File type: EXE file
The ransomware code starts by checking the details of the running OS platform; if the check fails, it triggers a Dr. Watson error. It then retrieves a handle to the window station of the calling process using “GetProcessWindowStation”. Next it queries the WinMajor (Windows major version) details, and again triggers a Dr. Watson error if that check fails.
It then calls “GetActiveWindow” and uses “GetLastActivePopup()” to determine which pop-up window owned by the active window was most recently active.
File created: "%APPDATA%\info.exe"
It looks for the following processes and terminates them:
"taskkill /f /im oracle.exe"
"taskkill /f /im sqlite.exe"
"taskkill /f /im sql.exe"
It deletes the volume shadow copies so that files cannot be restored from backups on the Windows system:
"vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
Auto-start registry entry:
The entry points to the physical location of the dropped file: "%APPDATA%\info.exe"
This registry entry maintains the malware's persistence on the infected system.
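Defender-side detection logic for the behaviour chain described above (database process kills, shadow-copy deletion, execution from %APPDATA%\info.exe), written here as an added example rather than taken from the sample or from any vendor tool; the "pid|image|command_line" event format and the sample events are constructed assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry), each
# rendered as "pid|image_path|command_line".
SAMPLE_EVENTS = [
    r"4120|C:\Windows\System32\cmd.exe|cmd /c taskkill /f /im oracle.exe",
    r"4124|C:\Windows\System32\cmd.exe|cmd /c taskkill /f /im sqlite.exe",
    r"4130|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"4132|C:\Users\alice\AppData\Roaming\info.exe|info.exe",
    r"4140|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
    r"4150|C:\Windows\System32\taskkill.exe|taskkill /f /im notepad.exe",
]

# Database processes the sample terminates (as listed in the analysis above).
DB_KILL_TARGETS = {"oracle.exe", "sqlite.exe", "sql.exe"}

TASKKILL_RE = re.compile(r"taskkill\s+/f\s+/im\s+(\S+)", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
DROPPED_FILE_RE = re.compile(r"\\AppData\\Roaming\\info\.exe$", re.IGNORECASE)


def classify(event: str) -> list[str]:
    """Return the indicator labels one event matches ([] when nothing matches)."""
    _pid, image, cmdline = event.split("|", 2)
    hits = []
    m = TASKKILL_RE.search(cmdline)
    if m and m.group(1).lower() in DB_KILL_TARGETS:
        hits.append("db_process_kill")        # taskkill /f /im oracle.exe etc.
    if SHADOW_DELETE_RE.search(cmdline):
        hits.append("shadow_copy_deletion")   # vssadmin Delete Shadows /All /Quiet
    if DROPPED_FILE_RE.search(image):
        hits.append("appdata_info_exe")       # execution from %APPDATA%\info.exe
    return hits


def triage(events: list[str]) -> dict[str, list[str]]:
    """Map pid -> indicators for every event that matched at least one rule."""
    result = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            result[ev.split("|", 1)[0]] = hits
    return result


def severity(events: list[str]) -> int:
    """Number of distinct indicator families seen on the host; all three
    together is the full behaviour chain described in this analysis."""
    return len({h for ev in events for h in classify(ev)})


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS), severity(SAMPLE_EVENTS))
```

A benign `vssadmin list shadows` or a `taskkill` of a non-database process is deliberately left unflagged, so the rules key on the sample's specific commands rather than on the tools themselves.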
Ransom note text:
"Hello! All your files have been encrypted by us
If you want restore files write on e-mail – fileskey(at)qq(.)com or fileskey(at)cock(.)li"