Stage 1: dropper
- Extract archive
- Unpack file with UPX
- Load TempKey in memory: "c9e0b830ff18645849b8dbab57e477b5"
- CPU check: if (cores < 3) { exit; }
- Check resources: if (!fileexists(base*.dat)) { exit; }
- Check Windows version: if (!WinVistaOrGreater) { exit; }
- Final key: Key = TempKey XOR 0x03
- Decrypt resources with the final key:
  - Decoy: Base8.tmp = Base8.dat XOR Key (XOR 0x08)
  - Real sample: Base16.tmp = Base16.dat XOR Key
  - Decoy: Base32.tmp = Base32.dat XOR Key (XOR 0x32)
  - Decoy: Base64.tmp = Base64.dat XOR Key (XOR 0x64)
- Clean-up: remove base*.tmp
- Run sample: cmd /c base16.tmp

Stage 2: base16.tmp (RansomKiller)
- Identify .NET binary; decompile binary: RansomKiller: MainApp
- Write registry key: random 15 characters = HKLM\Software\SergSec\Key
- CPU check: if (cores < 5) { exit; }
- Checks the MAC address of the network card
- Checks for debugger
- Checks for malware analysis software
- Detects Hyper-V

MainApp
- Buttons: Scan, Buy product, Update signatures, Settings
- Scan: goes through files, doesn't do anything
- Open Register Form
- Open Register Form

Register Form
- Checks for internet by connecting to https://cyber-europe.net
- Checks the key by sending a GET request to https://cyber-europe.net/evl/ransomkill/reg.php
- If (reply == "260CA9DD8A4577FC00B7BD5810298076") { RegisterProduct; }
- Enables all buttons of MainApp

Update signatures
- Easter egg: checks if the public key of SergSec is installed in the CA store
- Downloads https://cyber-europe.net//evl/ransomkill/update.rk
- Checks if it's a Thursday
- Decrypts update.rk using AES-128 to updt.exe; AES key = serial number of the SergSec public certificate
- Executes updt.exe
- Creates task: binary to be run on 12th Oct 2016

Settings
- Autoupdate: creates a registry key HKLM\Software\SergSec\AutoUpdate = 1
- Autostart: creates a registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RansomKillerApp\base16.tmp
- Auto schedule: creates a weekly task in the Windows Task Scheduler named RK_Weekly

Sign in
- Easter egg: if (user == "demo") & (password == "demo") { AccessWebPanel; }

Stage 3: updt.exe
- MainApp: hides window
- Stalls execution via search; stalls execution via math calculation
- Checks for debugger (Necromancy check)
- Deletes old logs
- Anti-forensics checks: username, computer name, running processes (checks for debugger via running process names)
- Stalls execution via Search2
- Keylogger / ScreenGrabber:
  - Stores keystrokes in rNdfgl34f.txt
  - Grabs printscreen to test.jpg
  - 500 keystrokes
- Exfiltrator: sends data to 10.210.1.12
- Persistence; deletes logs
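As an added defender-side example (not part of the analysis above, nor code from the exercise), the host artefacts the walkthrough lists can be turned into a quick triage script. The registry paths, Run value name, task name, file names and the exfiltration address come from the analysis; where the files are written on disk is not stated, so the search under %TEMP% and the user profile is an assumption, as is treating `Key` and `AutoUpdate` as registry values under `HKLM\SOFTWARE\SergSec`.

```powershell
# Added triage check for the RansomKiller artefacts described in the analysis.
# Registry paths, task name, file names and 10.210.1.12 come from the write-up;
# the file search roots and the value-vs-subkey layout of SergSec\Key are assumptions.

$findings = @()

# Registry: the random 15-character Key and the AutoUpdate flag written under SergSec
$sergSec = 'HKLM:\SOFTWARE\SergSec'
if (Test-Path $sergSec) {
    $props = Get-ItemProperty -Path $sergSec -ErrorAction SilentlyContinue
    $findings += "Registry: $sergSec present (Key='$($props.Key)', AutoUpdate='$($props.AutoUpdate)')"
}

# Autostart: Run value named RansomKillerApp that launches base16.tmp
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'RansomKillerApp' -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Registry: Run\RansomKillerApp = '$($run.RansomKillerApp)'"
}

# Scheduled tasks: the weekly RK_Weekly task, plus any task whose action runs a staged .tmp or updt.exe
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    if ($task.TaskName -eq 'RK_Weekly' -or $actions -match 'base\d+\.tmp|updt\.exe') {
        $findings += "Task: $($task.TaskPath)$($task.TaskName) -> $actions"
    }
}

# Files: staged resources, decrypted update and the keylogger output (locations assumed)
$searchRoots = @($env:TEMP, $env:USERPROFILE) | Where-Object { $_ -and (Test-Path $_) }
$names = @('base8.tmp', 'base16.tmp', 'base32.tmp', 'base64.tmp', 'updt.exe', 'rNdfgl34f.txt')
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -Depth 2 -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "File: $($_.FullName) ($($_.Length) bytes)" }
}

# Network: live connections to the exfiltration address named in the analysis
Get-NetTCPConnection -RemoteAddress '10.210.1.12' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Network: PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No RansomKiller artefacts found.'
} else {
    Write-Output "Possible RansomKiller infection, $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so the HKLM keys and all scheduled tasks are readable; a hit on the Run value or the RK_Weekly task is the most reliable signal, since base*.tmp files are removed by the dropper's clean-up step and may no longer be on disk.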