~Dissecting Malware
// f0wL's Blog about malware analysis and reverse engineering
Try not to stare - MedusaLocker at a glance

Mystic but also a new(-ish) threat: Medusa ransomware. Let's take a quick peek, but don't look too close or you may need to fetch backups soon.

===== Work in Progress =====

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws, as owning malware binaries/sources might be illegal depending on where you live.

medusa.exe @ AnyRun --> sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01

dix_16.exe @ HybridAnalysis --> sha256 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568


Image Base64 String

Extracted PDB-Path: C:\Users\Gh0St\Desktop\MedusaLockerInfo\MedusaLockerProject\MedusaLocker\Release\MedusaLocker.pdb


Detect it easy

medusa.exe Entropy

Ghidra Main Function

.exe, .dll, .sys, .ini, .lnk, .rdp, .encrypted

wrapper, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, sqlservr, sqlagent, sqladhlp, Culserver, RTVscan, sqlbrowser, SQLADHLP, 
QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, sqlwriter, msmdsrv, tomcat6, zhudongfangyu, SQLADHLP, 
vmware-usbarbitator64, vmware-converter, dbsrv12, dbeng8wxServer.exe, wxServerView, sqlservr.exe, sqlmangr.exe, 
RAgui.exe, supervise.exe, Culture.exe, RTVscan.exe, Defwatch.exe, sqlbrowser.exe, winword.exe, QBW32.exe, QBDBMgr.exe, 
qbupdate.exe, QBCFMonitorService.exe, axlbridge.exe, QBIDPService.exe, httpd.exe, fdlauncher.exe, MsDtSrvr.exe, 
tomcat6.exe, java.exe, 360se.exe, 360doctor.exe, wdswfsafe.exe, fdlauncher.exe, fdhost.exe, GDscan.exe, ZhuDongFangYu.exe

HKEY_USERS\S-1-5-21-1716914095-909560446-1177810406-1000\Software\Medusa

IOCs

Medusa (SHA256)

medusa.exe --> SHA256: 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01
               SSDEEP: 12288:f+IZ+bobAyYFJPrsU4VwryxjpBx8ajiOhA8tsV1YRbRb7:2++EMyYFJPoUecOh8aWdD1UB7 

dix_16.exe --> SHA256: 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568
               SSDEEP: 24576:nJC1YAOp0eRaNaQgxPubcoiukAby3LV1jqjx9/WBRQ/8PxS//lTQKJfF27:nw1OfMGxRoiuWZ1jUx9qrS3lsC27 

E-Mail Addresses

Ctorsenoria@tutanota[.]com
Folieloi@protonmail[.]com
mrromber@cock[.]li
mrromber@tutanota[.]com
sambolero@tutanoa[.]com
rightcheck@cock[.]li 

Associated Files

svchostt.exe
HOW_TO_OPEN_FILES.html

Registry Keys

HKCU\SOFTWARE\Medusa
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ --> EnableLinkedConnections = 1
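The IOC section above is easiest to put to use as a small matcher. The script below is an added example and is not part of the original post or of any tooling the author describes: it transcribes the hashes, contact addresses, file names and registry indicators listed above, re-fangs the `[.]` notation, and runs them against a host snapshot. The snapshot is constructed inline so the script runs offline; on a real host you would feed it the output of your own file hashing, registry export and ransom-note collection. The extension skip list from earlier in the post is also included, because knowing which files the sample leaves untouched helps when triaging an encrypted host.

```python
"""Added example, not from the original post: an IOC matcher for the
MedusaLocker indicators listed on the page, run on a constructed snapshot."""
import re

# Indicators transcribed from the page's IOC section. Nothing here is invented.
SHA256_IOCS = {
    "3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01": "medusa.exe",
    "49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568": "dix_16.exe",
}
EMAIL_IOCS_DEFANGED = [
    "Ctorsenoria@tutanota[.]com", "Folieloi@protonmail[.]com",
    "mrromber@cock[.]li", "mrromber@tutanota[.]com",
    "sambolero@tutanoa[.]com", "rightcheck@cock[.]li",
]
FILE_NAME_IOCS = {"svchostt.exe", "HOW_TO_OPEN_FILES.html"}
# Registry indicators: None means the mere presence of the key is the signal.
REGISTRY_IOCS = {
    r"HKCU\SOFTWARE\Medusa": None,
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections": 1,
}
# Extensions the sample skips (from the page); such files survive intact.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".sys", ".ini", ".lnk", ".rdp", ".encrypted"}


def refang(indicator: str) -> str:
    """Turn the de-fanged 'user@host[.]tld' form back into a real address."""
    return indicator.replace("[.]", ".")


EMAIL_IOCS = {refang(e).lower() for e in EMAIL_IOCS_DEFANGED}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_skipped_by_encryptor(path: str) -> bool:
    """True if the file's extension is on the sample's skip list."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in SKIPPED_EXTENSIONS


def match_files(files):
    """files: iterable of (path, sha256_hex). Returns a list of (path, reason)."""
    hits = []
    for path, digest in files:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if digest and digest.lower() in SHA256_IOCS:
            hits.append((path, f"sha256 matches {SHA256_IOCS[digest.lower()]}"))
        if base in FILE_NAME_IOCS:
            hits.append((path, "file name on IOC list"))
    return hits


def match_registry(values):
    """values: dict mapping a full key/value path to its data (None for a bare key)."""
    hits = []
    for path, expected in REGISTRY_IOCS.items():
        if path in values and (expected is None or values[path] == expected):
            hits.append((path, values[path]))
    return hits


def match_contact_emails(text: str):
    """Return the IOC e-mail addresses that appear in a ransom-note body."""
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    return sorted(found & EMAIL_IOCS)


def constructed_snapshot():
    """A made-up host snapshot (not real telemetry) that trips each check once."""
    return {
        "files": [
            (r"C:\Users\victim\AppData\Roaming\svchostt.exe",
             "3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01"),
            (r"C:\Users\victim\Documents\report.docx.encrypted", "0" * 64),
            (r"C:\Windows\System32\svchost.exe", "1" * 64),
        ],
        "registry": {
            r"HKCU\SOFTWARE\Medusa": "",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections": 1,
        },
        "note": "<html>Your files are encrypted. Contact mrromber@cock.li or "
                "mrromber@tutanota.com for the decryption tool.</html>",
    }


def scan(snapshot):
    """Run all three matchers and group the findings by category."""
    return {
        "files": match_files(snapshot["files"]),
        "registry": match_registry(snapshot["registry"]),
        "emails": match_contact_emails(snapshot["note"]),
    }


if __name__ == "__main__":
    for section, hits in scan(constructed_snapshot()).items():
        print(section, hits)
```

Hash and name matching are kept as separate reasons so a renamed binary still trips the hash check and a dropper that reuses the `svchostt.exe` name still trips the name check. The `EnableLinkedConnections` indicator is only reported when the value is actually `1`, since the policy key itself is legitimate and exists on many hosts.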


Medusa Icon made by Freepik from www.flaticon.com


About me

Hey there! My name is Marius Genheimer aka f0wL and I'm a Computer Science student from Germany. As you can probably tell, I like to analyse malware (especially ransomware) in my spare time.

https://sandbox.lol

My shot at an automated analysis platform based on the Cuckoo Sandbox. Feel free to drop your samples!

https://phish.fishing

A tracking and logging system for Phishing attacks and Malspam
