03 Jul 09

Ransomware ~ 333halfevil’s first post

Hello all!  Before going into the malware I would first like to introduce myself. My name is Brendan, but everyone knows me as 333halfevil. I love dissecting malware and catching naughty rogues. I’ll be looking forward to sharing my submissions with you.

Nasty ransomware that requires you to SMS a certain number in order to receive a code that unlocks your PC.

File: 88f496d7000be8dceab405899fda46001d7bbadf.EXE
Result: 20/37 (54.05%)
Reports: VirusTotal, ThreatExpert


Now for the analysis…

What ransomware always tries to do is push itself into your startup, so that whenever you boot your PC you end up at the same screen you started with. In this case the ransomware uses a very simple technique: adding itself to the startup area of the registry. Remember, once executed this ransomware will wreak havoc on your system.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • sound = “%Windir%\Media\8BD4B97176FF5382D384DC7E61F52D68.exe”
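As an added example (my own code, not part of 333halfevil's post or any tool mentioned in it), here is a small Python audit that reads a registry export of the Run/RunOnce keys and flags entries that look like the one above: an executable with a hash-like name launched from a directory such as %Windir%\Media. The .reg fragment inside is constructed for the example; the benign ctfmon entry, the list of "expected" launch directories and the %Windir% expansion are assumptions, not data from the post.

```python
"""Audit Run/RunOnce entries in a Windows registry export for the kind of
persistence trick described in the post: a hash-named executable dropped
under %Windir%\\Media and launched from RunOnce."""
import re
from typing import Dict, List

# Constructed sample in the text format that `reg export` writes. The RunOnce
# value reproduces the entry reported in the post; the Run entry is a benign,
# made-up contrast case (assumption).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"sound"="%Windir%\\Media\\8BD4B97176FF5382D384DC7E61F52D68.exe"
"""

# Autostart keys that launch a program at logon (compared as key-path suffixes).
AUTOSTART_SUFFIXES = tuple(s.lower() for s in (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
    r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
))

# Directories from which logon autostarts are normally launched (assumption;
# tune for your environment). Compared case-insensitively after expansion.
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\program files")

# Assumed expansions for variables seen in exports; a live audit would use the
# real environment instead.
ENV_MAP = {"%windir%": r"C:\WINDOWS", "%systemroot%": r"C:\WINDOWS"}

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)          # MD5-sized hex name
VALUE_LINE = re.compile(r'^"([^"]*)"="(.*)"$')       # "name"="string data"


def parse_autostarts(reg_text: str) -> List[Dict[str, str]]:
    """Return {key, name, command} for every string value under an autostart key."""
    entries: List[Dict[str, str]] = []
    current_key, in_autostart = "", False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            in_autostart = current_key.lower().endswith(AUTOSTART_SUFFIXES)
            continue
        m = VALUE_LINE.match(line)
        if in_autostart and m:
            name, data = m.groups()
            # .reg files escape backslashes and quotes inside string data.
            command = re.sub(r'\\(["\\])', r"\1", data)
            entries.append({"key": current_key, "name": name, "command": command})
    return entries


def executable_path(command: str) -> str:
    """Extract the program path from a command line and expand known variables."""
    cmd = command.strip()
    if not cmd:
        return ""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        path = quoted.group(1)
    else:
        # Unquoted: take everything up to the first ".exe" token boundary.
        upto_exe = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.I)
        path = upto_exe.group(1) if upto_exe else cmd.split()[0]
    for var, val in ENV_MAP.items():
        path = re.sub(re.escape(var), lambda _m: val, path, flags=re.I)
    return path


def audit_autostarts(reg_text: str) -> List[Dict[str, object]]:
    """Flag autostart entries with one or more suspicious traits."""
    findings: List[Dict[str, object]] = []
    for entry in parse_autostarts(reg_text):
        path = executable_path(entry["command"])
        directory, _, filename = path.lower().rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        reasons: List[str] = []
        if HEX32.match(stem):
            reasons.append("hash-like executable name")
        if directory and not directory.startswith(EXPECTED_DIRS):
            reasons.append(f"launched from unexpected directory {directory}")
        if entry["key"].lower().endswith("runonce"):
            reasons.append("RunOnce autostart (normally used by installers, not user software)")
        if reasons:
            findings.append({"name": entry["name"], "key": entry["key"],
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_autostarts(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a real machine you would feed the script the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce out.reg` (and the same for Run, plus the HKCU hives), and any hit is a candidate for the professional cleanup the post recommends rather than something to delete blindly.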

This program then uses another very clever technique. It accesses C:\WINDOWS\system32\msctfime.ime, the Microsoft Text Framework Service. Why does it do this? For the simple reason of scaring you and producing the specialized code that is needed to ‘unlock’ your system. From accessing this file, it generates an output specific to your computer, which you are then ‘required’ to SMS to the number. I stress this: if you are ever hijacked by ransomware, hire a professional to remove it. Do not try it yourself. This piece of ransomware was not booby-trapped; however, others are and can do serious harm to your system if you are not careful. Continuing on…

It then overwrites a service driver, KsecDD, your Kernel Security Support Provider Interface. But again, what does this mean? KsecDD is your kernel-level security default; once this bit of ransomware has added itself at the kernel level, you know it does not want to be removed.

Well that’s some ransomware for ya’. Hope it has been interesting.

~333halfevil

