Stop Ransomware


#1

SHA1: A793D3A0452379B0800DE128B54F315E761E259B

File type: Microsoft Visual C++ 9.0 – Visual Studio 2008 (E8)

So another sample I just received. It turns out to be a ransomware, which seems to be the STOP variance.

The packer

The packer is one I have encountered quite a few times before. According to some information obtained, it is sold by someone who goes by “Alex”. It is very much characteristic for it’s use of junk APIs, which involves calling APIs with 0 as the parameter like this:

After that, it uses GlobalAlloc, VirtualProtect and decrypts a shellcode, which is then executed with a call instruction, which is then dumped and trimmed for static analysis. After some reverse engineering, the payload is unpacked. In order to unpack this packer quickly in the future for others who encounter the same variant of packer: Step into the shellcode (finding it is your job), find the pattern 6A 00 8D 45 DC 50 FF 75 F0 8B 85 58 FF FF FF FF 70 02 8B 85 58 FF FF FF 83 C0 3A 50 E8 E3 07 00 00 83 C4 14, look at the call, watch the 3rd parameter, and step over the call. The decrypted buffer will be there.

Unpacked file:

SHA1: 5881BB7EB22D5E91357FCCDB9C2ADF0B775B5182

File type: Microsoft Visual C++ v.12 – 2013 ( E8 ) www.microsoft.com [ * Internet Behavior on ->> WININET.dll

The unpacked file then drops a few files (some of which I’ll look at later). Opening it up in IDA, we can immediately notice some strings that can be used for identification.

And indeed these strings were useful: Searching for the mutex we find a hybrid-analysis of a sample that is marked as a ransomware, as well as a full runtime trace of it.

The file when executed drops 5 files, one of which opens up a fake Windows Update prompt. It proceeds to create a service which is then launched, after which it exits.

It then very nicely crashes Windows Explorer, and send HTTP requests to 2ip[.]ua to obtain the IP. It then drops _readme.txt in the document directory.

For some reason the ransomware did not actually encrypt files in my VM, perhaps due to VM detection. Due to that I can’t really go on much further about the ransomware, however the samples (both packed and unpacked) are available on virustotal and virusbay for anyone interested. Based on the virustotal results, it seems to be the Stop Ransomware (which is, unfortunately, not something that would stop ransomware).

Article Link: https://krabsonsecurity.com/2019/03/14/stop-ransomware/