MegaCortex, a ransomware family first spotted in January this year, has become active again and has changed the way it attacks corporate targets. To simplify execution and increase the scale of its operation, the current campaign drives the attack through the Windows Command Prompt instead of PowerShell.
1. While analyzing the sample, we found that it is digitally signed with a certificate issued by “Thawte, Inc” to the publisher “ABADAN PIZZA LTD”, a UK-based company. A valid signature is not evidence of legitimacy: code-signing certificates are routinely obtained in the name of small or shell companies, and a signed binary can pass reputation-based controls that would block an unsigned one.
Fig.1 The sample is digitally signed.
2. The ransom note is written in aggressive, offhand language.
Fig.2 Very aggressive stance in ransom note.
Upon execution, MegaCortex does not bypass User Account Control; it requests elevation, so the pop-up below appears asking the user to grant it.
Fig.3 Pop up asking for access.
The entire encryption process is visible to the user, because it runs in a command prompt window as shown below:
Fig.4 Encryption activity can be seen through command prompt.
Once executed, it spawns a large number of sub-processes, producing a large process tree, as shown in the image:
Fig.5 Process Tree
After encrypting a file, it appends the “.megacortex” extension to the file name, so the resulting name follows the pattern <file_name>.<original_extension>.megacortex, as shown in the image below:
Fig.6 Encrypted files naming pattern
The ransomware also creates a log file at “C:\x5gj5_gmG8.log” which records the names of files that could not be encrypted, for reasons such as access being denied because the file was locked.
Fig.7 Log file
Once execution has started, it uses “net stop <service name> /y” (the /y answers the confirmation prompt automatically, so dependent services are stopped as well) and “sc config <service name> start= disabled” to terminate and disable services. It stops or disables approximately 1,400 services and processes before starting encryption, looking for service names that belong to security software, backup servers, database servers, etc.
Fig.8 Security products services will be stopped.
Fig.9 Few services which MegaCortex looks for to terminate.
During static analysis, we noticed that KERNEL32.dll was the only DLL in the import table, which indicates that the sample resolves the rest of its APIs at runtime. Much to our surprise, during debugging we found many more DLLs being loaded, among which cryptbase.dll is the one used in the encryption and decryption activity.
Fig.10 Used and imported DLLs
The sample itself contains an embedded instance that is encrypted with the Salsa20 algorithm. The decryption loop runs in the sample’s own code; the system function it calls first is RtlGenRandom, a random-number generator that advapi32.dll exposes under the undocumented export name ‘SystemFunction036’ (the implementation lives in cryptbase.dll). Resolving it under that name instead of using the documented cryptographic APIs is meant to make the call look like a harmless system function to an analyst.
Fig.11 Algorithm used for Encryption.
To encrypt files, it first scans the directories and then encrypts the files by launching instances of itself; each instance encrypts only one file.
Fig 12. File encryption activity
While decrypting its embedded instance, the encrypted data is located at the address held in the ‘EDI’ register, the decryption key is at the address held in the ‘ESP’ register, and the decrypted data is written to the address held in the ‘ESI’ register. In the image below, decryption has started and the output can be seen in the hex dump at the address pointed to by ‘ESI’.
Fig.13 Decryption Loop
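Because Salsa20 is a stream cipher, decryption is the same operation as encryption: XOR the data with the keystream derived from the key and nonce. Once an analyst has identified the algorithm and recovered the key from the stack (the ‘ESP’ address above), the embedded instance can be decrypted offline without running the sample. The following is an added example, a from-scratch Salsa20/20 implementation written for this page following the cipher specification; it is not code from the MegaCortex sample or from Quick Heal. The key, nonce and “embedded instance” bytes are constructed for the demonstration.

```python
"""Salsa20/20 keystream and symmetric (de)cryption. Added example, written from
the Salsa20 specification; not code from the MegaCortex sample. KEY, NONCE and
PAYLOAD below are constructed stand-ins, not values recovered from the malware."""
import struct

MASK = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3):
    """Salsa20 quarter-round on four 32-bit words (spec section 3)."""
    z1 = y1 ^ _rotl32((y0 + y3) & MASK, 7)
    z2 = y2 ^ _rotl32((z1 + y0) & MASK, 9)
    z3 = y3 ^ _rotl32((z2 + z1) & MASK, 13)
    z0 = y0 ^ _rotl32((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def salsa20_core(words):
    """Salsa20 hash of 16 words: 10 double rounds (column, then row), plus the input."""
    x = list(words)
    for _ in range(10):
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)):
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])  # column round
        for a, b, c, d in ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])  # row round
    return [(x[i] + words[i]) & MASK for i in range(16)]


SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # constants for a 32-byte key


def salsa20_block(key, nonce, counter):
    """64-byte keystream block for a 32-byte key, 8-byte nonce and 64-bit block counter."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    state = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
             counter & MASK, (counter >> 32) & MASK, SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    return struct.pack("<16I", *salsa20_core(state))


def salsa20_crypt(key, nonce, data):
    """Encrypt or decrypt: both are an XOR with the keystream, block by block."""
    out = bytearray()
    for block_no, off in enumerate(range(0, len(data), 64)):
        ks = salsa20_block(key, nonce, block_no)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)


# Constructed demonstration values (not from the sample): a key, a nonce and a
# fake "embedded instance" that begins like a PE file.
KEY = bytes(range(32))
NONCE = bytes(range(8))
PAYLOAD = b"MZ\x90\x00" + b"stand-in for the embedded PE instance" * 3
EMBEDDED = salsa20_crypt(KEY, NONCE, PAYLOAD)  # what the dropper would carry


def recover_embedded_instance():
    """What the analyst does offline: apply Salsa20 with the recovered key/nonce."""
    return salsa20_crypt(KEY, NONCE, EMBEDDED)


if __name__ == "__main__":
    print(recover_embedded_instance()[:4])  # b'MZ\x90\x00'
```

The quarter-round can be checked against the vector in the Salsa20 specification, quarterround(0x00000001, 0, 0, 0) = (0x08008145, 0x00000080, 0x00010200, 0x20500000); an implementation that gets this right and reproduces the round structure above will produce the standard keystream, so a recovered key either yields a valid PE header at the output or the algorithm identification was wrong.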
To save time and effort, MegaCortex adds the marker ‘MEGA-G8=’ to each file it encrypts, so that already-encrypted files are not processed a second time.
Fig.14 Marker is added to each encrypted file
MegaCortex has a blacklist of extensions that it will not encrypt: around 30 file extensions, including .bat, .exe, .dll, .sys and .tmp, as shown below:
Fig.15 List of the blacklisted extension
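The renaming pattern, the ‘MEGA-G8=’ marker and the extension blacklist are the three file-level facts an incident responder can act on: the marker separates genuinely encrypted files from ones that were merely renamed, and the blacklist explains which files on an affected host will still be intact. The following triage script is an added example written for this page, not tooling from Quick Heal or from the sample. It walks a directory tree, recovers original file names from the <name>.<ext>.megacortex pattern, checks for the marker, and reports files the ransomware would have skipped. The sample directory it builds is constructed; the write-up does not say where in the file the marker sits, so the whole file is searched, and only the five blacklist entries named above are included.

```python
"""Triage of MegaCortex file artifacts. Added example, not the authors' tooling.
Facts used: encrypted files are renamed <name>.<original_ext>.megacortex, each
carries the marker 'MEGA-G8=', and ~30 extensions are never encrypted (only the
five named in the write-up are listed here). The marker's offset is not given,
so the whole file is searched. build_sample_tree() creates constructed data."""
import os
import re
import tempfile

MARKER = b"MEGA-G8="
SKIPPED_EXTENSIONS = {".bat", ".exe", ".dll", ".sys", ".tmp"}  # partial list
NAME_RE = re.compile(r"^(?P<original>.+\.[^.\\/]+)\.megacortex$", re.IGNORECASE)


def would_be_skipped(filename):
    """Mirror of the ransomware's extension blacklist check."""
    return os.path.splitext(filename)[1].lower() in SKIPPED_EXTENSIONS


def is_marked(path):
    """True if the file carries the 'MEGA-G8=' marker (searched over the whole file)."""
    with open(path, "rb") as fh:
        return MARKER in fh.read()


def triage(root):
    """Classify every file under root.

    Returns a dict with three lists:
      'encrypted'            : (path, original_name) renamed AND marked
      'renamed_only'         : (path, original_name) renamed but no marker
      'untouched_blacklisted': paths the ransomware skips by extension
    """
    result = {"encrypted": [], "renamed_only": [], "untouched_blacklisted": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = NAME_RE.match(name)
            if m:
                bucket = "encrypted" if is_marked(path) else "renamed_only"
                result[bucket].append((path, m.group("original")))
            elif would_be_skipped(name):
                result["untouched_blacklisted"].append(path)
    return result


def build_sample_tree():
    """Constructed sample directory for the demonstration (not real victim data)."""
    root = tempfile.mkdtemp(prefix="megacortex_triage_")

    def put(name, data):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

    put("report.docx.megacortex", b"\x1f\x8b" * 16 + MARKER)  # encrypted, marker present
    put("budget.xlsx.megacortex", b"\x00" * 32)                 # renamed, no marker
    put("setup.exe", b"MZ")                                      # skipped by blacklist
    put("notes.txt", b"plain text")                              # not yet touched
    return root


if __name__ == "__main__":
    for bucket, entries in triage(build_sample_tree()).items():
        print(bucket, entries)
```

The original-name recovery only tells the responder what was encrypted; it does not help recover content, since the ‘.megacortex’ files remain Salsa20-encrypted data.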
After encryption, the ransomware also deletes the volume shadow copies to prevent recovery of the encrypted files from local snapshots.
For that it uses “vssadmin delete shadows /all /for=C:\”.
Fig.16 Command used to delete shadow copies
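The three command lines described above (“net stop … /y”, “sc config … start= disabled”, “vssadmin delete shadows /all”) are what a detection engineer can key on, and the volume matters as much as the commands: roughly 1,400 stop/disable operations from one parent in a short window is not administrator behaviour. The following detection logic is an added example written for this page, not Quick Heal’s detection content. It parses constructed process-creation records and raises one alert for any shadow-copy deletion and one for mass service tampering (ten or more distinct services stopped or disabled by the same parent within 60 seconds). The record layout timestamp|parent|command line, the threshold and the window are assumptions for the example; the service names in the constructed log are placeholders.

```python
"""Detection of MegaCortex-style service tampering and shadow-copy deletion.
Added example, not Quick Heal's detection. The record format
"timestamp|parent|command line", the 10-services/60-second threshold and the
service names in constructed_log() are assumptions made for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLD = 10  # distinct services stopped/disabled by one parent within WINDOW
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_record(line):
    ts, parent, cmd = line.split("|", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), parent, cmd


def classify(cmd):
    """Return ('stop'|'disable', service) or ('vss', None) for the three patterns, else None."""
    toks = _TOKEN.findall(cmd)
    if not toks:
        return None
    exe = toks[0].strip('"').lower().rsplit("\\", 1)[-1]
    exe = exe[:-4] if exe.endswith(".exe") else exe
    args = [t.strip('"') for t in toks[1:]]
    low = [a.lower() for a in args]
    if exe in ("net", "net1") and len(low) >= 2 and low[0] == "stop":
        svc = next((a for a in args[1:] if not a.startswith("/")), None)  # skip /y
        return ("stop", svc)
    if exe == "sc" and len(low) >= 3 and low[0] == "config":
        # sc's real syntax is "start= disabled"; tolerate "start = disabled" too
        if re.search(r"start\s*=\s*disabled", " ".join(low[2:])):
            return ("disable", args[1])
    if exe == "vssadmin" and low[:2] == ["delete", "shadows"] and "/all" in low:
        return ("vss", None)
    return None


def detect(lines):
    """Return alerts as (parent, kind, detail) tuples."""
    alerts = []
    per_parent = defaultdict(list)
    for line in lines:
        ts, parent, cmd = parse_record(line)
        hit = classify(cmd)
        if hit is None:
            continue
        kind, svc = hit
        if kind == "vss":
            alerts.append((parent, "shadow_copy_deletion", cmd))
        else:
            per_parent[parent].append((ts, svc))
    for parent, events in per_parent.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > WINDOW:  # slide the window
                lo += 1
            distinct = {s for _, s in events[lo:hi + 1]}
            if len(distinct) >= THRESHOLD:
                alerts.append((parent, "mass_service_tampering",
                               "%d services stopped/disabled within %ds" % (len(distinct), WINDOW.seconds)))
                break  # one alert per parent is enough
    return alerts


def constructed_log():
    """Constructed records: a burst from one cmd.exe, then a lone benign stop."""
    lines = []
    for i in range(12):
        ts = "2019-11-01T10:00:%02dZ" % i
        lines.append('%s|cmd.exe(4120)|net stop "svc%02d" /y' % (ts, i))
        lines.append('%s|cmd.exe(4120)|sc config "svc%02d" start= disabled' % (ts, i))
    lines.append("2019-11-01T10:00:20Z|cmd.exe(4120)|vssadmin delete shadows /all /for=C:\\")
    lines.append('2019-11-01T09:30:00Z|mmc.exe(880)|net stop "Spooler" /y')
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

Keying on the parent process keeps a single “net stop” by an administrator below the threshold, while the shadow-copy deletion is alerted on its own because there is no benign reason for “vssadmin delete shadows /all” outside a planned maintenance change.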
Ransom Note: –
The ransom note is a text file named “!!!_READ-ME_!!!.txt” placed on the desktop. It contains two email addresses through which victims can contact the attacker for payment information.
The ransom demand varies from 2 BTC to 600 BTC.
Fig.17. Ransom note
It is clear that the attacker is no longer willing to negotiate with victims. They give no instructions on how to buy bitcoins and tell the victim to Google the process. They also state that they attacked the system for profit and not to do any sort of charity.
Most ransom notes walk the victim through the payment process and even express some sympathy for the victim, but this attacker takes an openly aggressive stance!
The end of ransom note concludes with: “Man is the master of everything and decides everything.”
Subject Matter Experts: –
Lavisha Mehndiratta, Shivani Mule | Quick Heal Security Labs