~Dissecting Malware
// f0wL's Blog about malware analysis and reverse engineering
~Dissecting Malware
The Blame Game - About False Flags and overwritten MBRs

MBR Lockers have become popular again with Skids. Let's look at a sample that was spread yesterday and caught a lot of attention.

Let's start right off with a short introduction: The Malware analyzed here is a so-called MBR (Master Boot Record) Locker. It is targeting (like most of the time) only PCs running Windows. The good news is: in this case there is neither encryption nor deletion happening on the file system so there's a good chance for victims to recover their files. A possible mitigation for suers woulds be running MBRFilter which is developed by Talos Intelligence. Now to the Message displayed in the VM below: Pressing CTRL+ALT+ESC for a possible bypass / failsafe to boot the OS (described in this BleepingComputer article) doesn't seem to work for this sample.


After Vitali published the tweet below a whole crowd formed in the emerging thread to please unlock their PCs. Both Vitali Kremez and MalwareHunterTeam made it clear multiple times that they are not affiliated with this campaign in any way, but some of the victims still seemed to miss this fact and got quite worked up about their PCs being compromised. Unfortunately this was not the first and won't be the last time that respected ethical researchers are targeted in such decreditation acts. I'm not qualified to talk about any psychological reasoning behind such actions, but it's either an attempt to a Denial of Service (Vitalis Twitter DMs and Mentions were filled with complaints and accusations) or looking for attention (not in this case because there were no hints on the malware actors) like the Maze Team.

After talking to a victim to clarify the infection method and origin of the malware I received a link to this pirated Version of Adobe Illustrator. Lures like this one are often trojanized with malware or straight-up malicious from the start like in this case. Obviously this cannot be considered common knowledge for every user and this is what criminals are taking advantage of for years and years to come.

Source Website

A quick check confirmed my suspicion that every download on this site is "spiked" with malware. The Filenames of the executables contain a unique-per-download string. The victim will be redirected to a second site where a user agent check for Windows and matching Browsers (IE, Edge) is performed. The executable is downloaded from another URL from a directory called ru53332 which might give us a hint as to where the malware originated from (this looks like a client subfolder, this host might spread other strains as well).


Below you can see a process graph of the Glupteba Infection generated by Any.Run. This is just a subsection of the whole graph and since there was so much going on it was pretty difficult to make out if the MBR Locker actually was delivered with this installer. None of my tests in VMs or on a physical test machine resulted in a corrupted MBR, so at the moment I can neither confirm nor deny that the Locker was actually delivered via crackedion[.]com.

Process Graph

Interestingly all the executables named WinmonX.sys had broken certificate chains which should be a red flag for AVs running on the vicitims system. There were startup tasks scheuduled for all three of these files.

Certificate Verification

WinMonProcessManager contains a list of ca. 600 Anti-Virus executable names and it's only purpose is to disable all AV services while the trojan does its "magic":

exantivirus-cnet.exe, zonealarm.exe, ldnetmon.exe, norton_internet_secu_3.0_407.exe, antivirus.exe, netmon.exe, AvastPE2.exe, avast_free_antivirus_setup_online.exe, EmsisoftAntiMalwareSetup.exe, drweb32.exe, nod32.exe, f-prot95.exe, f-prot.exe, drwebupw.exe, AvastUI.exe, mcshield.exe ... and so on 😉

The Detection Signatures from different engines on VT and the Intezer Analysis declared the dropped executables as parts of the Glupteba Trojan, which has been around for some time now. Additionally there were hints to another Strain called RanumBot that I have not ivestigated further up until now. In the screenshot you can see the windefender.exe sample that was submitted to Intezer. It was written in Go, packed with UPX and was stuffed with strings. I did not investigate this executable further, but at first I thought that this could have been the MBR Locker because it contains strings related to Poly1305/ChaCha20.


To show the effect of the MBR Locker on the OS Drive I simply used a live system to write the first sector of the Disk to a file ( sudo dd if=/dev/sdX of=mbrdump.bin bs=512 count=1 ). The top dump shows the standard MBR contents and below is the corrupted version displaying only the message to the user.

Good MBR
Overwritten MBR

Reading the imports with Rabin2 there's nothing out of the ordinary, but there are a few things I wanted to see here. I expected to see CreateFile, which would be used to write the MBR Text playload to the first sector of the disk (\\.\PhysicalDrive0) later. Unlike Petya, which checked whether the PartitionStyle of the drive is actually an MBR (via DeviceIoControl), this MBR Locker isn't too concerned about that. There is also some generic anti-debugging via IsDebuggerPresent, but I didn't expect any further measures since the overall design of the malware is very poor.


Taking a look at the sections of the binary we can spot a .upx section. This looks suspicious because a sample packed with UPX would have three sections named upx0 (packed), upx1 (stub) and optionally upx2 (unpacked) like in the image below.



Printing the contents of the .upx section we can see that the text payload is encrypted.

Overwritten MBR

The decryption routine is found very quickly since the executable only contains three functions in total. As one might have guessed already the text payload is XORed and therefore has to be decrypted before writing to the MBR. The screenshot below shows the decryption function and south of that you can see the text extraction out of the .upx section we discussed earlier.

XOR Decryption Function

Reading the ciphertext out of .upx

The good-ish news is, that in this case the changes made to the Master Boot Record are reversible with a Backup of the MBR Sector. Alternatively victims can try to repair the MBR with Microsoft's bootrec /fixmbr and /fixboot. Sucess in this case depends on the partition style of the Windows install (since the MBR in GPT layouts is reserved for protective Reasons; on MBR installs bootrec may not be able to recover the Partition table because the whole sector is overwritten. See Vitalis Tweet here). I verified on a physical GPT install that LBA 1 and following is not affected by the MBRLocker and should keep the GPT recoverable. TestDisk is theoretically capable of recovering both partitioning layouts. I'd advise victims to use File Recovery software like Photorec as an option for data recovery if a clean install is necessary.

In one case a victim contacted me about an additional STOP Ransomware Infection (.mpaj extension, online keyed), but at the moment I can't confirm that this incident happend in conjunction with the pirated Software Installer / MBRLocker.

As there is currently no public sample of the second version of the MBR Locker I will update this article once it is available. Stay tuned :)


T1059 --> Command-Line Interface --> Execution

T1179 --> Hooking --> Persistence

T1215 --> Kernel Modules and Extensions --> Persistence

T1179 --> Hooking --> Privilege Escalation

T1112 --> Modify Registry --> Defense Evasion

T1179 --> Hooking --> Credential Access

T1012 --> Query Registry --> Discovery


VK-Wiper MBR Locker

Glupteba related:

Adobe+Illustrator+CS6+Full+Crack+With+Serial+Keygen+{Latest+2019}+Free-UNIQUESTRING.exe --> SHA256: 5e00e50d04130b470825d6c1bd58542d32a0a4f52c4d6e6ff01ea1cfad8fce3e
                                                                                            SSDEEP: 98304:luH/zVSNmGHjYKNC/qPqaMy25WJTZsRvO6Y:8HBymGDY/O4ikvO

windefender.exe --> SHA256: 28e8776a07789daf08629815da0a6eb69613410912447c189a51002f54d956ca
                    SSDEEP: 49152:mFeWvXwa1xkJrwBskK0CCD/ozKc3k8HxmYfJpz4U+TiAGTeI6h6gHquAb7/i:CvXwaerwBIbKcrxmYfJF45SV/i

Winmon.exe --> SHA256: 889fb266c4c01bb4ef67635249c8daeb641fc86ce62fc280b34beec415fb6129
               SSDEEP: 96:/XAUM8mqN18vwLvVfjm3ZAeyRYOiRIfad/WrJ37CgES:7pNuv2LSZA1fEWrR7vES

WinmonFS.exe --> SHA256: eb0be2ac3833c843214a55b14c31125a7b600d5272bdf322c4871f42627576e4
                 SSDEEP: 384:WVYr1nH9XRl8iueNYUaNhuqO3t6PsPJVPswHEvDdvHqciss+E96Vg:vrRlFpaNhuqO3njovpPTtTK

WinmonProcessMonitor.exe --> SHA256: f609c6656a0c451dafa5173df0cd848f7cb7f22c4f150f8d16716c12593de66c
                             SSDEEP: 384:s+B62cfu4RaQNDEiULv/oGUOY1wR7OLwOMEP5PkdkQE:sOmu4RLNAiUL/oGGS7OLDP5PkdkQE

MBR Locker V1:

sentinelone.scr --> SHA256: 4cd23a989a8f196b1f49e5e66c6ecfa0cebf63f04950ae4d64127aaedda9e89c
                    SSDEEP: 48:Zvt+BLdtWU2ew9FRCfH8BArSXXmzdh4vMASG2HvzqEsG8V:Z1+9dtWU2ew9rC/8Kiidh4vMASNHvzB



Ransomnote V1

~SentinelOne Labs Ransomware~
Your system was unprotected, so we locked down access to Windows.
You need to buy SentinelOne antivirus in orer to restore your computer.
My name is Vitali Kremez. Contacts are below.
Phone: [Redacted]
E-mail 1: [Redacted]
E-mail 2: [Redacted]

After you buy my antivirus I will send you unlock code.
Enter Unlock code: 

Jamba Superdeal: Helo Sir, you want to buy mask? - Corona Safety Mask SMS Scam

As if there wasn't enough pain and suffering in the world already because of COVID-19 some criminals still try to piggyback on the fear of others. A quick look at an Andorid SMS "Worm".

Since the current COVID-19 outbreak is getting masively taken advantage of by various cybercriminals I thought it would be a good opportunity to try out Android reverse engineering. Let's dive right in: The following dynamic part of this analysis was done in VirtualBox with the most recent Version of Android-x86. For those playing along at home: The Setup is really simple (as Live Booting is sufficient). Just remember to crank up the Video...

Read More
Why would you even bother?! - JavaLocker

Today we'll take a look at a windows ransomware built with Java. As you might have guessed this will get ugly and is therefore not for the faint of heart.

Hey there, yeah it has been a while. I've been quite busy with university stuff for the past weeks, so I'm trying to get back into the analysis/blogging thing. I've been looking for interesting/"innovative" samples that differ from the common tricks and techniques. It was unavoidable that I would have to look at a ransomware strain written in the most beautiful programming language there is sooner or later: Java. Let's get it over with. This strain...

Read More
The Opposite of Fileless Malware - NodeJS Ransomware

This one is a few days old already but still worth a look. Have I mentioned that I hate Javascript?

This is not the first time that someone built a Ransomware Strain with NodeJS (check out this article about Ransom32 and let's not forget about Nodersok), but it's not an everyday sight either. This Malware Sample was first discovered by Xavier Mertens in a post to the SANS ISC Forum here. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of...

Read More
Not so nice after all - Afrodita Ransomware

A new Ransomware strain spread by malicious Office documents targeted at Croatian systems - let's check it out

This strain was first discovered by Korben Dallas on Twitter on the 9th of January. As I already mentioned the Malware is delivered via a Malspam/Maldoc attack crafted for Users / Companies from Croatia. Researchers that were involved in the initial analysis: @KorbenD_Intel, @James_inthe_box, @Malwageddon, @pollo290987 and I (@f0wlsec). Thank you for your contributions! @James_inthe_box @malwrhunterteam @Malwageddon 69450923d812f3696e8280508b636955 XLS 12/60 VT scan detections....

Read More
"Nice decorating. Let me guess, Satan?" - Dot / MZP Ransomware

Happy new year y'all. And with it there's new Ransomware to analyze, so come along for the ride :D

Dot "MZP" Ransomware @ AnyRun | VirusTotal | HybridAnalysis --> sha256 bebf5c12e35029e21c9cca1da53eb43e893f9521435a246ea991bcced2fabe67 This sample was first discovered by AmigoA and AkhmendTaia on the 31st of December 2019. AV Detections and Ransomnote contents didn't seem to match any previously present strain. The Note is delivered via a .txt File with a strange numeric victim ID and only one contact email address. The extension appended to encrypted Files seems to...

Read More
Setting up a Malware Exchange for 36C3 with Viper

Since my original project for 36c3 (something with chinese gear and coreboot) didn't really work out in time I had an even better idea: Setting up a Malware Sample Exchange

After checking the projects and self-organized Sessions I couldn't find anything related to Malware Research or a place to discuss reverse engineering (besides CTF maybe), so with the "Malware XCHG" I want to create a place for attendees to share malicious binaries and discuss them at the same time. To host this project at the MysteryHack Assembly I wanted to use a small but capable enough machine which is why I used the Intel NUC...

Read More
I literally can't think of a fitting pun - MrDec Ransomware

I took notice of the Ransomware Family after a series of posts in the Bleeping Computer Forum.

It employs techniques that are not seen very often in other ransomware samples, so the Analysis is actually quite difficult, but I'm hoping reading this is also a bit interesting atleast. Work in Progress Because Christmas and 36c3 is coming up in the next few I days I might have to push this analysis back a bit. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption...

Read More
Another one for the collection - Mespinoza (Pysa) Ransomware

Back in October of 2019 the Mespinoza Ransomware family first surfaced via Malspam. On the 14th of December it returned with a new extension .pysa so let's see if any changes have been made.

Fun Fact: The Extension "pysa" is probably derived from the Zanzibari Coin with the same name. Apparently it's quite popular with collectors. But enough of the pocket change, so let me put my two cents in on this sample :D A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning...

Read More
A "Project.exe" that should have stayed in a drawer - MZRevenge / MaMo434376

I first read about this strain on Twitter but it didn't seem like a big thing. Turns out I Was wrong: In the last 3 days I collected over 35 samples :O

Searching for "Project.exe" on AnyRun yields more than a healthy list of results all matching this strain. Oh would you look at that: Looks like we have a Borland Delphi application here 🧐 Yep, it's that ugly it definitely is Deplhi :D And the criminals seem to have a very strong opinion about the Land of the Free but no arguments to back it up (since the rest...

Read More
  • 1
  • 2

About me

Hey there! My Name is Marius Genheimer aka f0wL and I'm a Computer Science Student from Germany. As you can probably tell I like to analyse malware (especially Ransomware) in my spare time.


A searchable database of E-Mail addresses used in Ransomnotes plus facts and analysis

Receive Updates


"Security is #1 priority"

Key OpenPGP Key