Petrovic Posted June 29, 2016

Petya ransomware is quickly becoming a household name and, in typical cyber-criminal fashion, copycat families are starting to emerge. In this post, we have the benefit of analyzing "malware-in-development" and can observe its growth over the coming weeks.

The ransomware is called Satana (devil/satan in Italian) and, similar to the Petya and Mischa bundle, Satana works in two modes. The first mode behaves like Petya: a dropper (that is a typical PE file) writes to the beginning of the infected disk a low-level module, which is a bootloader with a tiny custom kernel. The second mode behaves like typical ransomware and encrypts files one by one (just like Mischa). Contrary to the Petya and Mischa bundle, these modes are not used as alternatives, but are both utilized, one after the other, to infect the system.

Analyzed samples
46bfd4f1d581d7c0121d2b19a005d3df – main sample
d236fcc8789f94f085137058311e848b – unpacked

Behavioral analysis
After being executed, the sample disappears and installs a copy of itself in %TEMP% under a random name. At the beginning of the execution (if started from a normal user account), the application triggers a UAC notification which is executed repeatedly until the user clicks "Yes". Once executed, the malware writes the malicious code to the beginning of the disk (low-level attack). Then it proceeds with encrypting files. Contact data chosen for a particular client are also saved in the Windows Registry.

One really curious thing about this ransomware is that it announces everything it does, including the progress in encrypting files. This may suggest that the product is still at an early stage of development. The sample that we encountered is most likely experimental. Usually malware authors don't want to leave debug code in their final product.

Low-level attack
Satana installs itself silently and does not throw any BSOD prompts (contrary to Petya), but just writes its malicious modules at the beginning of the disk and patiently waits for the reboot. After the system boots back up, it shows a screen with the ransom note. Contrary to Petya, the kernel is not capable of performing any low-level encryption.

High-level attack (like typical ransomware)
The malware encrypts files one by one, and in each folder drops a ransom note: !satana!.txt. All encrypted files are renamed to <email_address>__<original_name> (the e-mail is randomly chosen from the hardcoded pool). Example of the note:

NOTE: The generated Bitcoin wallets are invalid. This can be a bug or a symptom that this sample was not intended to be released.

All files are encrypted with the same unique key (the same input produces the same output). Comparison of unencrypted and encrypted file content: visible and regular patterns suggest that the encryption algorithm is either a block cipher or custom XOR-based.

Inside
The dropper is packed in a FUD/crypter. After defeating this layer we can see a payload that is another executable. The authors left many strings making their intentions clear and the analysis easier. Debug strings are printed generously during the malware's execution, giving away interesting information. This payload contains all the functions necessary for the infection process.

What is attacked?
In the first (low-level) mode, only the MBR is encrypted (and stored in Sector 6). Recovering the original MBR from a backup allows the system to boot again. In the second mode, Satana encrypts files on local disks as well as on unmapped network shares. Attacked extensions:
.bak .doc .jpg .jpe .txt .tex .dbf .db .xls .cry .xml .vsd .pdf .csv .bmp .tif .1cd .tax .gif .gbr .png .mdb .mdf .sdf .dwg .dxf .dgn .stl .gho .v2i .3ds .ma .ppt .acc .vpd .odt .ods .rar .zip .7z .cpp .pas .asm
It deletes shadow backups by deploying VSSADMIN.EXE with the parameters: Delete Shadows /All /Quiet

Encryption
Satana divides file content into 32-byte-long chunks; each chunk is encrypted separately. That's why patterns of the original file are reflected in the encrypted content. Before the encryption is executed, the ransomware prepares a random buffer. As a random number generator it uses RDTSC (Read Time-Stamp Counter); the output of the function is processed and the full key is composed.

Conclusion
Satana seems to be ransomware at an early stage of development. It displays some interesting features, but also contains flaws. The low-level attack code looks unfinished, but the authors show an interest in developing the product in this direction and we can expect that in the next version it will be improved. We don't expect this malware is going to be distributed on a large scale yet; it is rather a work in progress, but what we observed now is likely going to be the base for additional threats down the line.

Full Article
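The chunk-wise encryption with one fixed key described in the post is why the original file's patterns show through in the encrypted content. The following added example (not from the article or the Satana sample) measures that leak: it counts repeated 32-byte chunks in a constructed sample file, runs the file through a stand-in per-chunk XOR (an assumption; Satana's actual transform is unknown), and contrasts it with a per-chunk keystream that also depends on the chunk index.

```python
import hashlib
import os
from collections import Counter

CHUNK = 32  # the article describes Satana encrypting 32-byte chunks independently

def repeated_chunk_ratio(data: bytes, chunk: int = CHUNK) -> float:
    """Fraction of full chunks whose content occurs more than once in data.
    Encrypting each chunk independently with one fixed key maps equal plaintext
    chunks to equal ciphertext chunks, so repetition typical of real files (zero
    padding, repeated records) survives; a high ratio on an encrypted file
    is a sign of this weakness."""
    usable = len(data) - len(data) % chunk
    blocks = [data[i:i + chunk] for i in range(0, usable, chunk)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    return sum(c for c in counts.values() if c > 1) / len(blocks)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def fixed_key_chunk_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the scheme described above (assumption: XOR per
    chunk; Satana's real transform is unknown). Each full chunk is XORed with
    the same 32-byte key; a trailing partial chunk is left untouched."""
    out = bytearray(data)
    for i in range(0, len(data) - len(data) % CHUNK, CHUNK):
        out[i:i + CHUNK] = _xor(data[i:i + CHUNK], key)
    return bytes(out)

def counter_chunk_encrypt(data: bytes, key: bytes) -> bytes:
    """Contrast case: the keystream for each chunk also depends on the chunk
    index, so equal plaintext chunks no longer yield equal ciphertext chunks."""
    out = bytearray(data)
    for n, i in enumerate(range(0, len(data) - len(data) % CHUNK, CHUNK)):
        stream = hashlib.sha256(key + n.to_bytes(8, "little")).digest()
        out[i:i + CHUNK] = _xor(data[i:i + CHUNK], stream)
    return bytes(out)

# Constructed sample file: header, zero padding, repeated records (1008 bytes, 31 full chunks)
SAMPLE_PLAINTEXT = b"HDR\x00" * 8 + b"\x00" * 256 + b"record-0000000001\n" * 40
SAMPLE_KEY = bytes(range(CHUNK))

if __name__ == "__main__":
    for name, blob in (("plaintext", SAMPLE_PLAINTEXT),
                       ("fixed-key chunks", fixed_key_chunk_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)),
                       ("counter chunks", counter_chunk_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)),
                       ("random bytes", os.urandom(len(SAMPLE_PLAINTEXT)))):
        print(f"{name:17s} repeated-chunk ratio = {repeated_chunk_ratio(blob):.2f}")
```

The same ratio computed on a real encrypted file gives a quick indication of whether the scheme is deterministic per chunk, as the article's side-by-side comparison of file content showed.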
knowledge-Spammer Posted July 25, 2016
knowledge-Spammer Posted July 26, 2016

Today some girl showed me some little tricks to fix this ransomware. See this topic; it may help if you get this ransomware on your PC, you can fix it without paying money: https://hshrzd.wordpress.com/2016/03/31/petya-key-decoder/ She is a nice girl; it may help for Petya and soon Satana.