This is actually the first malware that I analyzed totally on my own. And yeah, the process is quite interesting. You can get the malware here.
So first, I tried to unpack it and extracted the payload. I opened the malware in Ollydbg and let it break on every new dll. So I just ran it until two new sections shows up. If we click on it, we can see it’s the PE file format.
Save the payload and open it in IDA.
At the beginning, we see these two functions sub_402A10 and sub_402980.
The first function gets the volume serial number. If we go into it, we can see it iterates from ‘A’ to ‘Z’ and when it comes to ‘C’, the GetVolumeInformation API successfully gets the serial number of ‘C’ volume so it breaks out the loop. In my system, the serial number for my ‘C’ volume is EC4EBD1D. For the second function, it uses GetUserName API and then calculates a number. Look at this.
Yeah, I analyzed it and we can see the algorithm is like this: multiply every character by 128 and add the next character. So I get 1CF0ED with the user name ‘sam’.
So after these two functions, we can see two APIs CreateMutex and WaitForSingleObject. They are used to make sure only one virus is running on the victim’s machine. And we can see that, it uses Wsprintf to link the two numbers we got from those two functions together to be the mutex’s name. Then we come to here.
So at the function sub_403180, it wants to create a file C://Users/sam/AppData/Roaming/1FAAXB2.tmp but failed. After that, it came to sub_4024D0. This is actually the function that it stays persistence. It copy the payload and set the registry key to run every time the system boots. Check it out here.
Ok, let’s move on.
The function I highlighted here is the actual encryption. Double click it.
The malware checks the type of our drive. The ‘C’ volume is DRIVE_FIXED. And if we use sharefold in the virtualbox, it might be DRVIVE_REMOTE, it will be encrypted too. So after it checks the drive’s type, it starts encryption. The actually process is long, so let’s just look at some key points here.
We can see the encryption APIs here.
This is where the encryption begins. We can see the plaintext there.
The content changes after the encryption.
To make the whole process clear, I draw a picture.
Yeah, this’s the whole process.
Any question, please contact me at firstname.lastname@example.org