I found this sample while browsing the new public submissions on AnyRun on the 1st of December. It peaked my interest because there were just three samples of it on the platform at the time of writing this and they were all uploaded very recently.
A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.
DeathRansom @ AnyRun | VirusTotal | HybridAnalysis
--> sha256 3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded
As always one of my go to tools is DetectItEasy. In this case it tells us that we are dealing with a .NET Application and you know what that means: Let's whip out the .NET Analysis VM and take a look.
This looks pretty promising. Because .NET Code is not compiled to Machine Language directly but rather to the Common Intermediate Language (CIL) just in time we can inspect it without the need for a disassembler with Telerik JustDecompile or dnSpy.
Looking at the Output it looks like we have a Powershell Script in front of us that has been run through PS2EXE, a kind of "converter" (a wrapper to be more precise) for ps1 scripts to PE executables.
Decoding the Base64 string we got from the binary gets us two more blocks of what looks like base64 strings and a few lines of PowerShell code between it.
Decompressing one of the gzip blocks yields us a Portable Executable!
The dropped .SaveTheQueen.LOG found in C:\ProgramData\. SaveTheQueen does not leave a ransomnote or other information to contact the crooks.
CLR: 2.0.50727.5420Drive: C:
Because the Registry edits resemble something seen before in LockerGoga I'd like to make a short comparison between the two stains.
"Feature" | SaveTheQueen | LockerGoga | ||
---|---|---|---|---|
Ransomnote | none | txt File in %Desktop% | ||
Logging | C:\ProgramData\SaveTheQueen.LOG | C:\.log | ||
Registry | ||||
Binary | .NET | Visual C++ |
IOCs
SaveTheQueen
SaveTheQueen.exe --> SHA256: 3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded SSDEEP: 12288:a4Gvlgr3S/Jsftu5hU17WFKp4NpBvUssesKtIKy7vr4YT0PgZ304lGrDJo8YFfDY:ayw3ZwEaSAVX8Zye/
Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx Owner --> 6C 0A 00 00 26 23 E1 EB AC A6 D5 01HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx
SessionHash --> 32 Byte HexHKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx
RegFiles0000 --> Files to be encrypted/stolenHKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx
RegFilesHash --> 32 Byte Hex
Article Link: https://dissectingmalwa.re/god-save-the-queen-cause-ransom-is-money-savethequeen-encryptor.html