~Dissecting Malware
// f0wL's Blog about malware analysis and reverse engineering
God save the Queen [...] 'cause Ransom is money - SaveTheQueen Encryptor

Honestly I couldn't decide between the title above and "All crimes are paid", but Sex Pistols fans will get it regardless ¯\(ツ)/¯

I found this sample while browsing the new public submissions on AnyRun on the 1st of December. It piqued my interest because there were just three samples of it on the platform at the time of writing this and they were all uploaded very recently.


A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.

SaveTheQueen @ AnyRun | VirusTotal | HybridAnalysis --> sha256 3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded


As always, one of my go-to tools is Detect It Easy. In this case it tells us that we are dealing with a .NET application, and you know what that means: let's whip out the .NET analysis VM and take a look.

Detect it easy


This looks pretty promising. Because .NET code is not compiled to machine language directly but to the Common Intermediate Language (CIL), which is only compiled just in time at run time, we can inspect it without a disassembler using Telerik JustDecompile or dnSpy.

Sidebar of JustDecompile


Looking at the output, it looks like we have a PowerShell script in front of us that has been run through PS2EXE, a kind of "converter" (a wrapper, to be more precise) that turns ps1 scripts into PE executables.

The Base64 encoded string


Decoding the Base64 string we got from the binary gets us two more blocks of what look like base64 strings and a few lines of PowerShell code between them.

Extracted Base64


Decompressing one of the gzip blocks yields a Portable Executable!

Decompressing the Code
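To repeat the three unpacking steps above in one go, here is a small Python extractor (added here, not the author's tooling): it base64-decodes the outer string, looks for embedded base64 runs in the decoded script text, gunzips those that carry the gzip magic and reports which results start with an MZ header. The wrapper it runs against is a constructed stand-in, not the real sample, and the 40-character run threshold is an assumption.

```python
import base64
import gzip
import re
import zlib

# Runs of base64 text long enough to be an embedded blob rather than an
# ordinary token of the script body (the 40-char threshold is an assumption).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def unwrap_layer(blob):
    """Base64-decode one run and gunzip it if it carries the gzip magic."""
    raw = base64.b64decode(blob)
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw


def extract_payloads(wrapper_b64):
    """Peel the layering seen above: the outer base64 string decodes to
    PowerShell text that itself embeds base64 runs, some of them gzip'd PEs.
    Returns (kind, bytes) pairs, kind being "PE" when an MZ header is found."""
    outer = base64.b64decode(wrapper_b64)
    found = []
    for match in B64_RUN.finditer(outer):
        try:
            payload = unwrap_layer(match.group(0))
        except (ValueError, OSError, EOFError, zlib.error):
            continue  # not real base64, or not a complete gzip member
        kind = "PE" if payload[:2] == b"MZ" else "other"
        found.append((kind, payload))
    return found


# Constructed stand-in for a wrapped sample: a fake PE (MZ header plus DOS
# stub text), gzip'd and base64'd into a few lines of script text that are
# then base64'd again, the way the PS2EXE stub stores its script.
FAKE_PE = (b"MZ" + b"\x90" * 62
           + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 200)
INNER_SCRIPT = (b"# constructed stand-in for the decoded PowerShell stub\r\n"
                b'$blob = "' + base64.b64encode(gzip.compress(FAKE_PE)) + b'"\r\n'
                b"$bytes = [Convert]::FromBase64String($blob)\r\n")
SAMPLE_WRAPPER = base64.b64encode(INNER_SCRIPT).decode()

if __name__ == "__main__":
    for kind, payload in extract_payloads(SAMPLE_WRAPPER):
        print(kind, len(payload), "bytes, starts with", payload[:2])
```

Against a real PS2EXE build you would feed the base64 string pulled out of the decompiled .NET stub as `wrapper_b64` and write each "PE" result to disk for the next stage of analysis.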

The dropped .SaveTheQueen.LOG was found in C:\ProgramData\. SaveTheQueen does not leave a ransom note or any other information on how to contact the crooks.

CLR: 2.0.50727.5420

Drive: C:\


Because the registry edits resemble something seen before in LockerGoga, I'd like to make a short comparison between the two strains.

| "Feature"   | SaveTheQueen                    | LockerGoga                 |
|-------------|---------------------------------|----------------------------|
| Ransom note | none                            | txt file in %Desktop%      |
| Logging     | C:\ProgramData\SaveTheQueen.LOG | C:\.log                    |
| Registry    | RestartManager\Session00xx      | RestartManager\Session00xx |
| Binary      | .NET                            | Visual C++                 |



Update 19.12.2019:

A new variant of the SaveTheQueen Ransomware was found by MalwareHunterTeam. I'll update this article asap.



MITRE ATT&CK

T1035 --> Service Execution --> Execution

T1215 --> Kernel Modules and Extensions --> Persistence

T1179 --> Hooking --> Persistence

T1055 --> Process Injection --> Privilege Escalation

T1179 --> Hooking --> Privilege Escalation

T1045 --> Software Packing --> Defense Evasion

T1055 --> Process Injection --> Defense Evasion

T1112 --> Modify Registry --> Defense Evasion

T1179 --> Hooking --> Credential Access

T1012 --> Query Registry --> Discovery

T1046 --> Network Service Scanning --> Discovery

T1120 --> Peripheral Device Discovery --> Discovery

T1057 --> Process Discovery --> Discovery


IOCs

SaveTheQueen

SaveTheQueen.exe
    SHA256: 3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded
    SSDEEP: 12288:a4Gvlgr3S/Jsftu5hU17WFKp4NpBvUssesKtIKy7vr4YT0PgZ304lGrDJo8YFfDY:ayw3ZwEaSAVX8Zye/

Registry Keys

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session00xx
    Owner        --> 6C 0A 00 00 26 23 E1 EB AC A6 D5 01
    SessionHash  --> 32 Byte Hex
    RegFiles0000 --> Files to be encrypted/stolen
    RegFilesHash --> 32 Byte Hex
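The Owner value above is more useful for a timeline than it looks: assuming it holds an RM_UNIQUE_PROCESS (a DWORD process id followed by the FILETIME start time of that process), as the Restart Manager API defines it, it dates the encryptor's run. Added example, not part of the original post; only the Owner bytes are the page's, the session dictionary, file paths and placeholder hashes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Owner value exactly as listed above (12 bytes, hex-dumped by the sandbox).
OWNER_HEX = "6C 0A 00 00 26 23 E1 EB AC A6 D5 01"

# Assumption: Owner is an RM_UNIQUE_PROCESS, i.e. a DWORD process id followed
# by the FILETIME at which that process started (both little-endian).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_rm_owner(hex_value):
    raw = bytes.fromhex(hex_value)  # bytes.fromhex ignores the spaces
    if len(raw) != 12:
        raise ValueError(f"RM_UNIQUE_PROCESS is 12 bytes, got {len(raw)}")
    pid, start_ft = struct.unpack("<IQ", raw)
    return pid, filetime_to_datetime(start_ft)


def triage_session(values):
    """Summarise one RestartManager\\Session00xx key for an IR timeline.
    `values` maps value names to data as an exported key would list them."""
    pid, started = parse_rm_owner(values["Owner"])
    files = [f for f in values.get("RegFiles0000", []) if f]
    hashes_ok = all(len(bytes.fromhex(values[k])) == 32
                    for k in ("SessionHash", "RegFilesHash") if k in values)
    return {
        "owner_pid": pid,
        "owner_started_utc": started.isoformat(),
        "files_listed": len(files),
        "hash_lengths_ok": hashes_ok,
    }


# Constructed session: the page's Owner bytes plus placeholder hashes/paths.
CONSTRUCTED_SESSION = {
    "Owner": OWNER_HEX,
    "SessionHash": "00" * 32,
    "RegFilesHash": "00" * 32,
    "RegFiles0000": [r"C:\Users\victim\Documents\report.docx",
                     r"C:\Users\victim\Desktop\notes.txt"],
}

if __name__ == "__main__":
    print(triage_session(CONSTRUCTED_SESSION))
```

For the Owner bytes listed above this yields PID 2668 started on 2019-11-29 at 12:02:49 UTC, which lines up nicely with the sample showing up on AnyRun two days later.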



Quick and painless - Reversing DeathRansom / "Wacatac"

No flashy wallpapers or other bells and whistles, but if you aren't careful and don't maintain backups as you should, DeathRansom will take your data with it to its grave. Or will it?

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. DeathRansom @ AnyRun | VirusTotal | HybridAnalysis --> sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01 The plain text note doesn't look that special. I'll be referring to this strain as Deathransom, since the

Read More

About PINEs and supply chain attacks gone wrong

I got myself a Pinebook Pro to run and port OpenBSD on. (Un)fortunately it seems like slowly but surely everything I get my hands on has something to do with malware, so let's have a look at what's in store today.

Sality @ AnyRun | HybridAnalysis | VirusTotal --> sha256 37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4 To all Pinebook users that may be affected by this malware: it will not pose any threat to the notebook itself. It will, however, potentially infect Windows machines that mount the eMMC storage (which is not a common use case). To remove Sality simply run a system upgrade or run this script manually. On the 3rd of November it was first publicly...

Read More
Try not to stare - MedusaLocker at a glance

Mystic but also a new(-ish) threat: Medusa ransomware. Let's take a quick peek, but don't look too close or you may need to fetch backups soon.

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. medusa.exe @ AnyRun --> sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01 dix_16.exe @ HybridAnalysis --> sha256 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568 Taking a look at the stringdump that stringsifter produced one of the first things that stood out was this...

Read More
Earn-quick-BTC-with-Hiddentear.mp4 / About Open Source Ransomware

No, this will not be a skiddy Tutorial on how to earn quick crypto but rather an analysis of the Open Source Ransomware "Hiddentear".

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. "Shade Ransomware creater is stupid fxxxxx.exe" @ Any.Run --> sha256 ba978eee90be06b1ce303bbee33c680c2779fbbc5b90c83f0674d6989564a70a Because HiddenCrypt is written in C# utilizing the .NET Framework 4, static analysis...

Read More
Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)

Pun intended. Gootkit is one of the most widespread banking malware strains at the moment and I deemed it a good opportunity to deobfuscate a bit of scrambled code.

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. Gootkit Stage 3 Sample available @ Hybrid Analysis --> 3e846a7316dbc15a38cfd522b14ad3f1a72d79959cbae9fd14621400d77cbc37 #gootkit #jasperloader #banker Js https://t.co/PsYBIeph19 Payload https://t.co/hLThGNJDiK IOCs wws.tkgventures.[com -> ont.carolinabeercompany.[com/bolp.cabs/adp.reevesandcompany.[com/rbody320 @VK_Intel @malwrhunterteam @James_inthe_box @reecdeep — JAMESWT (@JAMESWT_MHT)...

Read More
Return of the Mummy - Welcome back, Emotet

Or, to be more historically precise: Imhotep was the Egyptian, Emotet is the malware strain we are going to take a look at. Last week it returned from its summer vacation with a few new tricks.

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live. Emotet Sample #1 @ Hybrid Analysis --> sha256 6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5 Emotet Sample #2 @ Hybrid Analysis --> sha256 757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975 Emotet brought home a few souveniers from summer trip as well. The image above and below show...

Read More
Malicious RATatouille 🐀

Remcos is a commercially sold Remote Administration Toolkit (RAT) that is regularly distributed as spyware.

Depending on the licensing model and capabilities, Remcos is sold for $58 to $389 by the company (with the pretty fitting name) Breaking Security. Feature-wise, the manufacturer's website lists: Remote Administration, Support, Surveillance, Anti-Theft and Proxy. In most cases the executable is dropped via a booby-trapped Office or XML document. Of course I will not link to any of their webpages or products since shilling out for cybercriminals would be the last thing I'd do....

Read More
Osiris, the god of afterlife...and banking malware?!

After coming back from the Chaos Communication Camp two days ago I thought it would be a good idea to check on the current malware events out there, so come along for the ride.

I came across this sample after this tweet by @James_inthe_box: Found by @FewAtoms at: borel[.]fr/notices/CanadaPost.zip -> vbs drops: https://naot[.]org/cms/file/fixed111.exe I'd like to say with confidence: I have no idea what this is. https://t.co/z18z17Kau8 pic.twitter.com/68zg3HpkRI — James (@James_inthe_box) August 28, 2019 A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your...

Read More
GermanWiper's big Brother? GandGrab's kid ? Sodinokibi!

After last week's analysis of GermanWiper I thought it would be about time to have a look at Sodinokibi aka REvil, the new weird kid on the block.

According to Cybereason the Sodinokibi Ransomware was written by the same guys who created GandCrab, which is a pretty big deal after GandCrab retired recently. The samples that I'll be looking at today were first dropped in Asia, but it did not take long to reach other continents as well. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be...

Read More

About me

Hey there! My name is Marius Genheimer aka f0wL and I'm a computer science student from Germany. As you can probably tell, I like to analyse malware (especially ransomware) in my spare time.

https://ransomware.email

A searchable database of e-mail addresses used in ransom notes, plus facts and analysis.

https://sandbox.lol

An automated analysis platform based on the Cuckoo Sandbox. Feel free to drop your samples!
