Analysis
Before it can encrypt anything, the ransomware has to discover the volumes present on the host. It calls FindFirstVolumeW and then FindNextVolumeW in a loop, which enumerates every volume the mount manager knows about, including the Windows reserved and system recovery partitions that have no drive letter. Each call fills the caller's buffer with a volume GUID path of the form \\?\Volume{GUID}\; the same GUIDs can be found in the registry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume, which Explorer populates for volumes the current user has seen.
Hash of the file (SHA-256): 232ca9cefd0b1b0d2cc11c11090124720cbf90778210e30c3e9f8841512dfd22
File type: PE executable (EXE)
Static analysis
The code starts by checking which OS platform it is running on and, if that check fails, it raises a Dr. Watson error. It then retrieves a handle to the current window station for the calling process using GetProcessWindowStation. It queries the Windows major version (WinMajor) once more and again triggers the Dr. Watson error if the condition fails. Note that __get_winmajor and __invoke_watson_if_error are helpers from the Microsoft C runtime (CRT) that ship with every statically linked MSVC binary, and the window-station check is the CRT deciding whether it is allowed to display an error dialog, so this section is runtime start-up code rather than logic written by the ransomware author; the sample-specific behavior begins with the volume enumeration.
call __get_winmajor
.text:3A2F8D8D add esp, 4
.text:3A2F8D90 push eax
.text:3A2F8D91 call __invoke_watson_if_error
.text:3A2F8D96 add esp, 18h
Next it calls GetActiveWindow and then GetLastActivePopup, which determines the pop-up window owned by the specified window that was most recently active; this is the owner-window lookup the CRT performs before showing its error message box.
Retrieving volume details:
call ds:SetErrorMode
.text:3A2E34FF push 0C8h ; cchBufferLength
.text:3A2E3504 lea eax, [ebp+68h+RootPathName]
.text:3A2E3507 push eax ; lpszVolumeName
.text:3A2E3508 call ds:FindFirstVolumeW
.text:3A2E350E push offset aVolumes ; "\nVolumes:\n"
.text:3A2E3513 call _wprintf
.text:3A2E3518 lea eax, [ebp+68h+RootPathName]
.text:3A2E351B pop ecx
.text:3A2E351C mov dword_3A31E898, esi
.text:3A2E3522 lea ecx, [eax+2]
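The following PowerShell is an added example and is not code from the sample or from the original post. It enumerates volumes through the same FindFirstVolumeW/FindNextVolumeW API the sample calls, using the same 0xC8 (200) WCHAR buffer seen in the disassembly above, and then correlates each volume GUID path with its Win32_Volume mount point and with the MountPoints2\CPC\Volume cache key mentioned in the analysis. The VolApi class name and the Get-VolumeGuidPath function are my own; the registry key is per-user and is only populated for volumes that user's Explorer session has encountered, so a missing entry for a hidden recovery partition is normal.

```powershell
# Added example (not the sample's code): enumerate volumes the way the malware does and
# cross-reference each volume GUID with the Explorer MountPoints2 cache and its mount point.
$volApi = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class VolApi {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr FindFirstVolumeW(StringBuilder lpszVolumeName, uint cchBufferLength);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool FindNextVolumeW(IntPtr hFindVolume, StringBuilder lpszVolumeName, uint cchBufferLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FindVolumeClose(IntPtr hFindVolume);
}
'@
if (-not ('VolApi' -as [type])) { Add-Type -TypeDefinition $volApi }

function Get-VolumeGuidPath {
    # Emits every volume GUID path ("\\?\Volume{GUID}\") the mount manager knows about,
    # including reserved and recovery partitions that have no drive letter.
    $buf = New-Object System.Text.StringBuilder 200   # same 0xC8 WCHAR buffer the sample pushes
    $h   = [VolApi]::FindFirstVolumeW($buf, [uint32]$buf.Capacity)
    if ($h -eq [IntPtr](-1)) {                         # INVALID_HANDLE_VALUE
        throw "FindFirstVolumeW failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        do {
            $buf.ToString()
        } while ([VolApi]::FindNextVolumeW($h, $buf, [uint32]$buf.Capacity))
        # FindNextVolumeW returns FALSE with ERROR_NO_MORE_FILES (18) when the list is exhausted.
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -ne 18) { Write-Warning "FindNextVolumeW stopped with Win32 error $err" }
    } finally {
        [void][VolApi]::FindVolumeClose($h)
    }
}

# Explorer's per-user cache of volumes it has seen (the key named in the analysis).
$cache = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume'
$wmi   = Get-CimInstance -ClassName Win32_Volume   # DeviceID is the same volume GUID path

foreach ($path in Get-VolumeGuidPath) {
    # Strip "\\?\Volume" and the trailing backslash to get the bare "{GUID}" used as the key name.
    $guid = $path -replace '^\\\\\?\\Volume(\{[0-9a-fA-F-]+\})\\$', '$1'
    $v    = $wmi | Where-Object DeviceID -eq $path
    [pscustomobject]@{
        VolumeGuidPath = $path
        MountPoint     = $(if ($v -and $v.Name -ne $path) { $v.Name } else { '<none>' })
        FileSystem     = $(if ($v) { $v.FileSystem } else { '?' })
        InMountPoints2 = Test-Path -LiteralPath (Join-Path $cache $guid)
    }
}
```

Run it in the security context of the user whose MountPoints2 hive you want to check; volumes reported with MountPoint '<none>' are exactly the letterless partitions the sample still reaches through this API, which is why a recovery partition offers no protection against it.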
Observed behavior
File created: "%APPDATA%\info.exe"
Terminates the following processes (database engines whose open handles would otherwise block encryption of their data files):
"taskkill /f /im oracle.exe"
"taskkill /f /im sqlite.exe"
"taskkill /f /im sql.exe"
Deletes the volume shadow copies so that files cannot be restored from Windows' built-in backups:
"vssadmin.exe" with command line "Delete Shadows /All /Quiet"
Auto-start registry entries:
Key: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
Value: "ENCRYPTER"
Data: "%APPDATA%\info.exe" (matches the physical location of the dropped file)
Key: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
Value: "USERINFO"
Data: "%APPDATA%\recovery.txt" (presumably the ransom note)
These registry entries maintain the malware's persistence on the infected system: the encrypter is relaunched at every logon of the user, and the text file is opened alongside it.
Ransom note:
"Hello!
All your files have been encrypted by us
If you want restore files write on e-mail – fileskey(at)qq(.)com or fileskey(at)cock(.)li"
hxxp://qq(.)com
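The following PowerShell is an added host-sweep example, not code from the sample or the original post. It checks a machine for the indicators listed under Observed behavior: the ENCRYPTER/USERINFO Run values (and, more generally, any Run value that launches something out of %APPDATA%, which survives a rename by the actor), the dropped info.exe and recovery.txt in every profile (hashing the executable against the SHA-256 above and looking for the contact addresses in the text file), and process-creation events showing the vssadmin shadow deletion or the taskkill of the database processes. The Add-Finding helper and the variable names are mine; the Sysmon log name and Security event 4688 are the standard sources for command lines but 4688 only carries them when command-line auditing is enabled.

```powershell
# Added example (not the sample's or the post's code): sweep a host for the IOCs listed above.
# Run from an elevated PowerShell so other users' hives, profiles and the event logs are readable.
$SampleSha256  = '232ca9cefd0b1b0d2cc11c11090124720cbf90778210e30c3e9f8841512dfd22'
$RunValueNames = @('ENCRYPTER', 'USERINFO')
$DroppedFiles  = @('info.exe', 'recovery.txt')
$NoteEmails    = @('fileskey@qq.com', 'fileskey@cock.li')   # defanged on the page, real form here
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Where, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Run key of every loaded user hive: the value names from the page, and any autostart
#    whose command points into %APPDATA% (the more durable signal if the names change).
foreach ($sid in (Get-ChildItem Registry::HKEY_USERS).PSChildName) {
    $run = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $run)) { continue }
    $props = (Get-ItemProperty -LiteralPath $run).PSObject.Properties | Where-Object Name -notlike 'PS*'
    foreach ($p in $props) {
        if ($RunValueNames -contains $p.Name) {
            Add-Finding 'RunValueName' $run "$($p.Name) = $($p.Value)"
        } elseif ("$($p.Value)" -match '(?i)\\AppData\\Roaming\\') {
            Add-Finding 'RunFromAppData' $run "$($p.Name) = $($p.Value)"
        }
    }
}

# 2. Dropped files in each profile's %APPDATA%: hash the executable, grep the note for contacts.
foreach ($name in $DroppedFiles) {
    Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming\$name" -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $detail = "size=$($_.Length)"
        if ($_.Extension -eq '.exe') {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $detail += " sha256=$hash" + $(if ($hash -eq $SampleSha256) { ' (matches sample)' } else { '' })
        } elseif (Select-String -LiteralPath $_.FullName -Pattern $NoteEmails -SimpleMatch -Quiet) {
            $detail += ' (contains ransom-note contact address)'
        }
        Add-Finding 'DroppedFile' $_.FullName $detail
      }
}

# 3. Process-creation events: shadow-copy deletion and the database process kills.
$cmdPatterns = @(
    @{ Type = 'ShadowCopyDeletion'; Regex = '(?i)vssadmin(\.exe)?\s+delete\s+shadows' },
    @{ Type = 'DbProcessKill';      Regex = '(?i)taskkill.*/im\s+(oracle|sqlite|sql)\.exe' }
)
$logs = @(
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 },   # Sysmon: CommandLine field
    @{ LogName = 'Security'; Id = 4688 }                             # needs command-line auditing
)
foreach ($filter in $logs) {
    Get-WinEvent -FilterHashtable $filter -MaxEvents 20000 -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($cp in $cmdPatterns) {
            if ($_.Message -match $cp.Regex) {
                Add-Finding $cp.Type "$($filter.LogName) $($_.TimeCreated)" $Matches[0]
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this sample found.' }
else { $findings | Sort-Object Type | Format-Table -AutoSize -Wrap }
```

The file and value names are trivially changed by the actor, so treat a hit on RunFromAppData or ShadowCopyDeletion as the actionable signal and the exact names as confirmation; a shadow-copy deletion followed by a new autostart in a roaming profile is the sequence this sample produces regardless of what the binary is called.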