Let’s have a look at a funny ransomware today. Before we start I have to mention that H4rM0n1cH4cK has already done a very good video about this malware. I am going to repeat his work and see whether we can get more.

First, DIE showed that the malware is packed with UPX. So we can easily unpack it.

After we unpack it, we can open it with pestudio and it says that the resource area is actually a PE file.

So we can strip the PE out with the HxD.

The file we dumped is a .net file. There are several indications for PE file. One thing you can see is that in the directories of the file there is “com-runtime”. So you can open it with dnSpy. And it is easy to locate the function below.

Yeah, these are the keys that you can input and unlock the screen.

I also want to see the persistence method the malware uses. But I can’t find it in ProcessMonitor. And actually it copy a file here to make itself start every time the system starts.

Ok, so why I say the malware is funny. That’s because you can simply use the task manager to close the ransomware. And sometimes I just click the unclock button without actually inputting something, it close itself too. So,haha.

Any question, please contact me at xudong_shao@hotmail.com