Try not to stare - MedusaLocker at a glance

===== Work in Progress =====

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check your local laws, as owning malware binaries/sources might be illegal depending on where you live.

medusa.exe @ AnyRun --> sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01

dix_16.exe @ HybridAnalysis --> sha256 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568




Extracted PDB-Path: C:\Users\Gh0St\Desktop\MedusaLockerInfo\MedusaLockerProject\MedusaLocker\Release\MedusaLocker.pdb


Ghidra Main Function

Extension list embedded in the sample (by all appearances an exclusion list, with .encrypted being the extension the locker itself appends): .exe, .dll, .sys, .ini, .lnk, .rdp, .encrypted

Service and process names embedded in the sample, as extracted (duplicates kept). The mix of database engines (SQL Server, Sybase dbsrv12/dbeng8), QuickBooks components, Symantec services (DefWatch, ccEvtMgr, ccSetMgr, SavRoam, RTVscan), VMware tools and Chinese AV (360, ZhuDongFangYu) is the usual shape of a pre-encryption kill list:

wrapper, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, sqlservr, sqlagent, sqladhlp, Culserver, RTVscan, sqlbrowser, SQLADHLP,
QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, sqlwriter, msmdsrv, tomcat6, zhudongfangyu, SQLADHLP,
vmware-usbarbitator64, vmware-converter, dbsrv12, dbeng8, wxServer.exe, wxServerView, sqlservr.exe, sqlmangr.exe,
RAgui.exe, supervise.exe, Culture.exe, RTVscan.exe, Defwatch.exe, sqlbrowser.exe, winword.exe, QBW32.exe, QBDBMgr.exe,
qbupdate.exe, QBCFMonitorService.exe, axlbridge.exe, QBIDPService.exe, httpd.exe, fdlauncher.exe, MsDtSrvr.exe,
tomcat6.exe, java.exe, 360se.exe, 360doctor.exe, wdswfsafe.exe, fdlauncher.exe, fdhost.exe, GDscan.exe, ZhuDongFangYu.exe


Per-user registry key written by the sample (HKEY_USERS\<SID>\Software\Medusa, i.e. HKCU\Software\Medusa for the logged-on user):

HKEY_USERS\S-1-5-21-1716914095-909560446-1177810406-1000\Software\Medusa

IOCs

Medusa (SHA256 / SSDEEP)

medusa.exe --> SHA256: 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01
               SSDEEP: 12288:f+IZ+bobAyYFJPrsU4VwryxjpBx8ajiOhA8tsV1YRbRb7:2++EMyYFJPoUecOh8aWdD1UB7

dix_16.exe --> SHA256: 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568
               SSDEEP: 24576:nJC1YAOp0eRaNaQgxPubcoiukAby3LV1jqjx9/WBRQ/8PxS//lTQKJfF27:nw1OfMGxRoiuWZ1jUx9qrS3lsC27

E-Mail Addresses (contact addresses from the ransom note, defanged)

Ctorsenoria@tutanota[.]com
Folieloi@protonmail[.]com
mrromber@cock[.]li
mrromber@tutanota[.]com
sambolero@tutanoa[.]com
rightcheck@cock[.]li

Associated Files

svchostt.exe (note the doubled "t", a look-alike of the legitimate svchost.exe)
HOW_TO_OPEN_FILES.html (ransom note)

Registry Keys

HKCU\SOFTWARE\Medusa
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System --> EnableLinkedConnections = 1 (makes drives mapped under the user's standard token visible to elevated processes as well, so an elevated encryptor can reach mapped network shares; a value of 1 on a host that has no business need for it is worth alerting on)

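The indicators on this page (sample hashes, contact addresses, dropped files, registry keys, the extension list and the service/process list) are easier to use if they are in one place and matched consistently. The helper below is an added example, not code from the original post or from the malware: it checks constructed inputs (file paths, a ransom-note body, a .reg export, tasklist/sc output) against the lists above. Two things it assumes that the page does not state outright: that the service/process list is a pre-encryption kill list, and that ".encrypted" is the extension appended to victim files.

```python
"""Offline triage helper built from the indicators on this page.

Added example: not code from the original post or from the malware; it only
checks artefacts against the lists above.  Every input used here (file paths,
ransom-note text, .reg export, tasklist output) is constructed.
Assumptions not stated on the page: the service/process list is a
pre-encryption kill list, and ".encrypted" is the extension the locker
appends to victim files.
"""
import hashlib
import re

# SHA256 of the two samples (IOC section)
KNOWN_SHA256 = {
    "3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01": "medusa.exe",
    "49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568": "dix_16.exe",
}
# Contact addresses, kept defanged as on the page and refanged only for matching
CONTACT_EMAILS = {e.replace("[.]", ".").lower() for e in (
    "Ctorsenoria@tutanota[.]com", "Folieloi@protonmail[.]com", "mrromber@cock[.]li",
    "mrromber@tutanota[.]com", "sambolero@tutanoa[.]com", "rightcheck@cock[.]li")}
ASSOCIATED_FILES = {"svchostt.exe", "how_to_open_files.html"}
VICTIM_EXTENSION = ".encrypted"  # assumption, see module docstring
# Service / process names embedded in the sample (list above); lower-cased, ".exe" stripped
KILL_LIST = {n.lower().removesuffix(".exe") for n in """
    wrapper DefWatch ccEvtMgr ccSetMgr SavRoam sqlservr sqlagent sqladhlp Culserver RTVscan
    sqlbrowser QBIDPService Intuit.QuickBooks.FCS QBCFMonitorService sqlwriter msmdsrv tomcat6
    zhudongfangyu vmware-usbarbitator64 vmware-converter dbsrv12 dbeng8 wxServer.exe wxServerView
    sqlservr.exe sqlmangr.exe RAgui.exe supervise.exe Culture.exe RTVscan.exe Defwatch.exe
    sqlbrowser.exe winword.exe QBW32.exe QBDBMgr.exe qbupdate.exe QBCFMonitorService.exe
    axlbridge.exe QBIDPService.exe httpd.exe fdlauncher.exe MsDtSrvr.exe tomcat6.exe java.exe
    360se.exe 360doctor.exe wdswfsafe.exe fdhost.exe GDscan.exe ZhuDongFangYu.exe
    """.split()}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def sha256_hit(data: bytes):
    """Name of the known sample whose SHA256 matches `data`, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


def path_hits(paths):
    """Flag dropped files from the IOC list and files carrying the victim extension."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in ASSOCIATED_FILES:
            hits.append((p, "associated file"))
        elif name.endswith(VICTIM_EXTENSION):
            hits.append((p, "encrypted victim file"))
    return hits


def note_email_hits(text):
    """Contact addresses from the IOC list that appear in a ransom-note body."""
    return {m.lower() for m in EMAIL_RE.findall(text)} & CONTACT_EMAILS


def registry_hits(reg_export):
    """Scan a .reg-style export for the Medusa key and EnableLinkedConnections = 1."""
    hits, key = [], ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if re.search(r"\\software\\medusa$", key, re.I):
                hits.append(key)
        elif key.lower().endswith("\\policies\\system"):
            m = re.match(r'"enablelinkedconnections"=dword:([0-9a-f]+)$', line, re.I)
            if m and int(m.group(1), 16) == 1:
                hits.append(key + " EnableLinkedConnections=1")
    return hits


def kill_list_hits(listing):
    """Names from `tasklist` / `sc query` style output that are on the kill list."""
    found = set()
    for line in listing:
        tokens = line.split()
        if not tokens:
            continue
        # `sc query` prints "SERVICE_NAME: <name>"; tasklist puts the image name first
        name = tokens[1] if tokens[0].upper() == "SERVICE_NAME:" and len(tokens) > 1 else tokens[0]
        name = name.lower().removesuffix(".exe")
        if name in KILL_LIST:
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    # Constructed inputs for a quick self-check; none of these come from a real host
    print(path_hits([r"C:\Users\victim\Desktop\HOW_TO_OPEN_FILES.html",
                     r"C:\Users\victim\Documents\q3.xlsx.encrypted"]))
    print(note_email_hits("write to mrromber@cock.li or rightcheck@cock.li"))
    print(kill_list_hits(["sqlservr.exe  1204 Services  0  63,100 K", "SERVICE_NAME: ccEvtMgr"]))
```

Feed it real data by hashing suspect binaries with `sha256_hit`, walking a share with `path_hits`, pasting the note body into `note_email_hits`, and exporting `HKCU\SOFTWARE` plus the `Policies\System` key with `reg export` for `registry_hits`. A host that shows kill-list services stopped together with EnableLinkedConnections flipping to 1 is already well into the pre-encryption phase.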

Medusa Icon made by Freepik from www.flaticon.com

Article Link: https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html