Analysis of SkidLocker ransomware using AES-256 Encryption Algorithm

Analysis of SkidLocker ransomware using AES-256 Encryption Algorithm


0 × 01 Overview

The SkidLocker ransomware uses AES-256 encryption algorithms to encrypt different types of files by retrieving the content of the file information, and the ransom amount needs to be paid in 0.500639 bitcoin ($208.50 ).

 

0 × 02 Analysis

Create "C: \ Users \ W7_MMD \ ransom.jpg" on the victim host, "C: \ User \ W7_MMD \ Desktop \ WindowsUpdate. bat "," C: \ Users \ W7_MMD \ Desktop \ READ_IT.txt ", run C: \ Users \ W7_MMD \ Decrypter. exe runs two http post requests with the IP address 23227199175 (USA). The detailed information of the infected machine is sent: username, Host Name (pcname), and a standard key (servkey) communicate with the server:/createkeys. php: Obtain the RSA key that will be encrypted with the password. /Getamount. php: Get the relevant amount information. Payment retrieval file: 0.500639.

 

It uses CreatePassword and getInt to randomly generate the password of the encrypted file. The key length is the 32 characters obtained from abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ1234567890.

 

 

It uses the methods EncryptTextRSA and RSAENcrypt to encrypt the password (newly created) through the RSA protocol, and uses the Public Key obtained from the C2 server, with a size of 2048bit.

 

The C & C server stores the password for sending information (encrypted through the RSA Protocol). The sending parameter is "aesencrypted". It may be a technology that obfuscated network traffic monitoring analysts. /Savekey. php/update. php/finished. php

 

Then, use the function to select different drives (partitions) and scan these drivers (C: \ D: \, E: \, F: \, G: \ H :\, I :\\, J :\and K :\\) Search for the following file types in these disk directories :.

 

TXT，.DOC，.DOCX，.xls，.xlsx，.PDF，.PPS，.PPT，.PPTX， ODT，.gif，.jpg，.png，.db，.csv，.SQL，.MDB，.sln，.PHP，.asp，.aspx，.html，.xml，.PSD，.FRM，.MYD ，.MYI，.DBF，.MP3，.MP4，.AVI，.MOV，.MPG，.rm，.WMV.m4a，.mpa，.WAV，SAV，.gam，.LOG，.ged ,.，.myo，.tax，.ynab，.ifx，.ofx，.qfx，.QIF，.qdf，.tax2013，.tax2014，.tax2015，.box，.ncf，NSF，.NTF，.lwp 。

 

Files in the C: \ Windows folder are not encrypted. Calculate the SHA256 hash value defined in the text as the password and set the new password to encrypt the file. The algorithm uses AES encryption to send information stored in the file and a password of 256 bytes in length. Use the received data to access and rewrite each file (encrypted ),. Add the extension. locked.

 

The target file downloaded by one year is executed by decrypter.exe. This will be used to retrieve the encrypted information, which is obtained from the IP address server 23.227.199.83 (United States. You can also download and modify the image library wallpaper (I .imgur.com/By3yCwd.jpg) from imgur.com ).

 

View the content on the Web server and view other types of malware.

 

The website let-me-help-you-with-that.webnode.com in read_it.txt is used to provide decryption passwords to victims who have paid ransom.

 

Run decrypter.exe in the final cuendoprocess, and then download the modified wallpaper from I .imgur.com/eroa81p.jpg to save the password of the attacker.

 

0 × 03 release files

File Name:

ransom.exe / Size: 25.0 KB / VT

MD5:

6fc471eb0a2ea50d6a3b689855a68c0a 

SHA1:

a886411a5ab5f87732ab10ef098bad5bb305ec68 

SHA256:

38cd5dc5601b401de1f53be12a1998e666c112ac62cc110dc1f1c91246a77817 filename: mm.exe / Size: 25.0 KB / VT MD5: 85a65cd0146355f1e3e42755e4feaeed SHA1: 03c2243acb5d48bb57b8ed2ed617b8f3199c7711 SHA256: af4802e84b5575ef2ade1ef103739afb7352807884dbf1ce7b7c770d994465f7 filename: mm1.exe / Size: 76.5 KB / VT MD5: f578c991d6dbc426103c119f8c97e577 SHA1: d06761ae89328fc73436bf08491b27b5980254cc SHA256: 6be813322ca2cfcd4a937a7087fb19d716c3e696d0f7ca442e67d5adb451aadc Filename: bb2old.exe / Size: 247.5 KB / VT MD5: 553c3faf060aaa2c083d66db468c1c70 SHA1: d8b09de3b0b4968d50ad2d4098d3a991c8c3373f SHA256: f6a74ead6c58e939050580889017f2d5e4a646980509de79c4fb151722388ec1 Filename: Decrypter.exe / size: 11.0 KB / VT MD5: bb78607edb2aaed95747319bd61258a8 SHA1: 07efccb34829a338b6fa2a45af15a151e736acdf SHA256: 9bcb2750326ba0880151f1f4ba524aae2915c54dbb75d949a8c35f95f80a253e