God save the Queen [...] 'cause Ransom is money - SaveTheQueen Encryptor

Post image

Honestly I couldn’t decide between the title above and “All crimes are paid“, but Sex Pistols fans will get it regardless ¯\(ツ)

I found this sample while browsing the new public submissions on AnyRun on the 1st of December. It peaked my interest because there were just three samples of it on the platform at the time of writing this and they were all uploaded very recently.

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.

SaveTheQueen @ AnyRun | VirusTotal | HybridAnalysis –> sha256 3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded


As always one of my go to tools is DetectItEasy. In this case it tells us that we are dealing with a .NET Application and you know what that means: Let’s whip out the .NET Analysis VM and take a look.

Detect it easy

This looks pretty promising. Because .NET Code is not compiled to Machine Language directly but rather to the Common Intermediate Language (CIL) just in time we can inspect it without the need for a disassembler with Telerik JustDecompile or dnSpy.

Sidebar of JustDecompile

Looking at the Output it looks like we have a Powershell Script in front of us that has been run through PS2EXE, a kind of “converter” (a wrapper to be more precise) for ps1 scripts to PE executables.

The Base64 encoded string

Decoding the Base64 string we got from the binary gets us two more blocks of what looks like base64 strings and a few lines of PowerShell code between it.

Extracted Base64

Decompressing one of the gzip blocks yields us a Portable Executable!

Decompressing the Code

The dropped .SaveTheQueen.LOG was found in C:\ProgramData\. SaveTheQueen does not leave a ransomnote or other information to contact the crooks.

CLR: 2.0.50727.5420

Drive: C:\

Because the Registry edits resemble something seen before in LockerGoga I’d like to make a short comparison between the two stains.

“Feature” SaveTheQueen LockerGoga
Ransomnote none txt File in %Desktop%
Logging C:\ProgramData\SaveTheQueen.LOG C:\.log
Registry Restartmanager\Session00xx Restartmanager\Session00xx
Binary .NET Visual C++


Update 19.12.2019:

A new variant of the SaveTheQueen Ransomware was found the MalwareHunterTeam. I’ll update this article asap.



MITRE ATT&CK

T1035 –> Service Execution –> Execution

T1215 –> Kernel Modules and Extensions –> Persistence

T1179 –> Hooking –> Persistence

T1055 –> Process Injection –> Privilege Escalation

T1179 –> Hooking –> Privilege Escalation

T1045 –> Software Packing –> Defense Evasion

T1055 –> Process Injection –> Defense Evasion

T1112 –> Modify Registry –> Defense Evasion

T1179 –> Hooking –> Credential Access

T1012 –> Query Registry –> Discovery

T1046 –> Network Service Scanning –> Discovery

T1120 –> Peripheral Device Discovery –> Discovery

T1057 –> Process Discovery –> Discovery


IOCs

SaveTheQueen

SaveTheQueen.exe --> SHA256: 3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded
                     SSDEEP: 12288:a4Gvlgr3S/Jsftu5hU17WFKp4NpBvUssesKtIKy7vr4YT0PgZ304lGrDJo8YFfDY:ayw3ZwEaSAVX8Zye/

Registry Keys

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx
Owner -->  6C 0A 00 00 26 23 E1 EB  AC A6 D5 01

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx
SessionHash --> 32 Byte Hex

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx
RegFiles0000 --> Files to be encrypted/stolen

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx
RegFilesHash --> 32 Byte Hex

You May Also Like