
Malwarebytes id and key 2016 not blacklisted







Rokku is yet another ransomware, discovered in recent weeks. Currently, its most common distribution method is spam, where a malicious executable is dropped by a VB script contained in the e-mail's attachment. The building blocks of Rokku reminded us of the Chimera ransomware. That's why we decided to take a closer look, not only at the internal structure of this malware but also at the similarities and differences between these two products.

…and the volume serial number of the disk where Windows is installed (retrieved using GetVolumeInformation). Both parts are concatenated together and hashed using a local implementation of SHA512 (this implementation comes from OpenSSL); the typical SHA512 constants are visible in the code (screenshot not reproduced here). The first half of the SHA512 hash and the … are concatenated together and used as the mutex name (the mutex prevents the malware from running more than once at the same time).

Finally, removing backups and stopping backup services is performed by executing the following commands:

wmic shadowcopy delete /nointeractive
Reg add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f
Reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

The first command deletes the existing Volume Shadow Copies, the second sets the start type of the VSS service to 4 (disabled), and the third turns System Restore off, so that the victim cannot recover earlier versions of the encrypted files.

From the behavioral analysis and experiments we concluded that Rokku, like most ransomware, uses both symmetric and asymmetric encryption. As the main, symmetric encryption algorithm the authors decided to use Salsa20 (Salsa20 was also used by the Petya ransomware). Every file is encrypted with Salsa20 using a new, random key. A fragment of the implementation is shown in the screenshot (not reproduced here). Random values are retrieved using advapi32.SystemFunction036, which is RtlGenRandom. The random key is then encrypted with a locally implemented RSA algorithm. Research into the implementation details and possible flaws is in progress.

Rokku attacks local disks as well as network shares. This malware doesn't have any external configuration: all the strings (including the attacked file extensions and the blacklisted paths) are hardcoded in obfuscated form and decrypted in-line. Loading the hardcoded settings is performed by dedicated functions (in the described sample it starts at RVA = 0x2dcf). Attacked extensions are decrypted in chunks (each chunk contains several extensions) and then added to the list.
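The backup-destruction commands listed above are a good detection hook, because a single parent process spawning shadow-copy deletion, a VSS service-disable and a System Restore-disable in quick succession is rare outside ransomware. The following Python is an added example written for this page (it is not Rokku's code nor a Malwarebytes tool): it normalizes process-creation command lines, matches the three commands from the text plus the common vssadmin variant, and correlates the hits by parent process. The events, PIDs and parent PIDs are constructed for the demo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_pid: int
    command_line: str


# Constructed events (not real telemetry): the three commands quoted in the text
# launched by one parent (4100), a vssadmin variant from another parent, and two
# benign look-alikes (listing shadow copies, re-enabling System Restore).
SAMPLE_EVENTS = [
    ProcessEvent(4112, 4100, r'C:\Windows\System32\wbem\WMIC.exe shadowcopy delete /nointeractive'),
    ProcessEvent(4120, 4100, r'Reg add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f'),
    ProcessEvent(4128, 4100, r'Reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f'),
    ProcessEvent(2208, 2200, r'vssadmin.exe Delete Shadows /All /Quiet'),
    ProcessEvent(912, 900, r'wmic shadowcopy list brief'),
    ProcessEvent(920, 900, r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0 /f'),
]

# Rules run on the normalized (lower-case, single-spaced, basename-only) command line.
# Start=4 is SERVICE_DISABLED; DisableSR=1 turns System Restore off.
RULES = [
    ("shadow_copy_deletion", re.compile(r"^wmic\b.*\bshadowcopy\b.*\bdelete\b")),
    ("shadow_copy_deletion", re.compile(r"^vssadmin\b.*\bdelete\b.*\bshadows\b")),
    ("vss_service_disabled", re.compile(
        r'^reg add "?(?:hklm|hkey_local_machine)\\system\\(?:currentcontrolset|controlset\d+)'
        r'\\services\\vss"? .*/v start .*/d 4(?: |$)')),
    ("system_restore_disabled", re.compile(
        r'^reg add "?(?:hklm|hkey_local_machine)\\software\\microsoft\\windows nt'
        r'\\currentversion\\systemrestore"? .*/v disablesr .*/d 1(?: |$)')),
]


def normalize(command_line: str) -> str:
    """Lower-case, collapse whitespace and reduce the executable to its basename
    without .exe, so 'C:\\...\\WMIC.exe' and 'wmic' hit the same rule."""
    cmd = " ".join(command_line.split()).lower()
    head, _, rest = cmd.partition(" ")
    head = head.strip('"').rsplit("\\", 1)[-1]
    if head.endswith(".exe"):
        head = head[:-4]
    return f"{head} {rest}".strip()


def detect(events):
    """Return (pid, technique) for every event matching a rule (first match wins)."""
    hits = []
    for ev in events:
        norm = normalize(ev.command_line)
        for name, pattern in RULES:
            if pattern.search(norm):
                hits.append((ev.pid, name))
                break
    return hits


def correlate(events, min_techniques=2):
    """Group hits by parent PID; a parent that used at least min_techniques distinct
    backup-destruction techniques is reported (the Rokku pattern uses all three)."""
    parent_of = {ev.pid: ev.parent_pid for ev in events}
    by_parent = defaultdict(set)
    for pid, name in detect(events):
        by_parent[parent_of[pid]].add(name)
    return {p: sorted(t) for p, t in by_parent.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    for pid, name in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}")
    print("suspicious parents:", correlate(SAMPLE_EVENTS))
```

The single-event rules will also fire on legitimate administration (a backup product rotating shadow copies, for instance); the parent-level correlation is what raises the confidence, and in real telemetry the parent's image path and signature should be checked before treating the hit as ransomware.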
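The per-file encryption scheme described above (Salsa20 with a fresh random key per file, the key then wrapped with RSA) can be illustrated, and the "possible flaws" research angle made concrete, with the following added Python example. It is not Rokku's code and not Malwarebytes' analysis tooling: it is a pure-Python Salsa20/20 written for this page, with os.urandom standing in for advapi32.SystemFunction036 (RtlGenRandom); the RSA wrapping of the per-file key is not reproduced. The keystream-reuse check is the test an analyst runs on known-plaintext pairs from a sandbox: if two files turn out to share a keystream, the key or nonce was reused and file contents can be partially recovered without the RSA private key. The fixed key, nonce and plaintexts in demo() are made up for the demo.

```python
import os
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # Salsa20 constants for 32-byte keys


def rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK


def quarterround(y0, y1, y2, y3):
    """Salsa20 quarterround exactly as in the specification."""
    z1 = y1 ^ rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def salsa20_block(key, nonce, counter):
    """64-byte keystream block for a 32-byte key, 8-byte nonce and 64-bit block counter."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    x = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
         counter & MASK, (counter >> 32) & MASK, SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    s = list(x)
    for _ in range(10):  # 10 double rounds = Salsa20/20
        s[0], s[4], s[8], s[12] = quarterround(s[0], s[4], s[8], s[12])      # column round
        s[5], s[9], s[13], s[1] = quarterround(s[5], s[9], s[13], s[1])
        s[10], s[14], s[2], s[6] = quarterround(s[10], s[14], s[2], s[6])
        s[15], s[3], s[7], s[11] = quarterround(s[15], s[3], s[7], s[11])
        s[0], s[1], s[2], s[3] = quarterround(s[0], s[1], s[2], s[3])        # row round
        s[5], s[6], s[7], s[4] = quarterround(s[5], s[6], s[7], s[4])
        s[10], s[11], s[8], s[9] = quarterround(s[10], s[11], s[8], s[9])
        s[15], s[12], s[13], s[14] = quarterround(s[15], s[12], s[13], s[14])
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(s, x)))


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt (the same operation) by XORing data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = salsa20_block(key, nonce, off // 64)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], block))
    return bytes(out)


def encrypt_file(plaintext, rng=os.urandom):
    """Per-file encryption as the text describes: a fresh random key for every file.
    rng stands in for RtlGenRandom; wrapping the key with RSA is left out."""
    key, nonce = rng(32), rng(8)
    return key, nonce, salsa20_xor(key, nonce, plaintext)


def recover_keystream(plaintext, ciphertext):
    """With known plaintext, a stream cipher's keystream is just pt XOR ct."""
    return bytes(a ^ b for a, b in zip(plaintext, ciphertext))


def keystream_reused(pairs):
    """True if any two (plaintext, ciphertext) pairs share a keystream prefix,
    i.e. a key/nonce pair was reused across files."""
    streams = [recover_keystream(p, c) for p, c in pairs]
    for i in range(len(streams)):
        for j in range(i + 1, len(streams)):
            n = min(len(streams[i]), len(streams[j]))
            if n and streams[i][:n] == streams[j][:n]:
                return True
    return False


def demo():
    """Round trip works; fresh per-file keys never share keystream; reusing one
    key/nonce on two files is detectable from known plaintext."""
    key, nonce = bytes(range(32)), bytes(8)  # fixed demo values, not taken from Rokku
    pt_a, pt_b = b"first file contents " * 8, b"second file, same key " * 8
    ct_a = salsa20_xor(key, nonce, pt_a)
    _, _, fresh_a = encrypt_file(pt_a)
    _, _, fresh_b = encrypt_file(pt_b)
    return {
        "round_trip": salsa20_xor(key, nonce, ct_a) == pt_a and ct_a != pt_a,
        "fresh_keys_reused": keystream_reused([(pt_a, fresh_a), (pt_b, fresh_b)]),
        "same_key_reused": keystream_reused([(pt_a, ct_a), (pt_b, salsa20_xor(key, nonce, pt_b))]),
    }


if __name__ == "__main__":
    print(demo())
```

The quarterround is checked against the vector from the Salsa20 specification (quarterround(1, 0, 0, 0) = (0x08008145, 0x80, 0x10200, 0x20500000)); the same known-plaintext trick is what makes the per-file random key essential, since a reused key or nonce hands the analyst the keystream for every file encrypted under it.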







