DetectItEasy  
PE32 Compiler: VB.NET
  Library: .NET (v4.0.30319)
  Linker: Microsoft Linker
File size 2.50 MB (2625536 bytes)
PEiD packer .NET executable

Malware Structure

The ransomware is structured as follows :

structure

We will attempt to detail each of the Form…

Form 1 - Main Form

form1

public Form1()
{
    base.Load += this.Form1_Load;
    base.LostFocus += this.Form1_LostFocus;
    base.FormClosing += this.Form1_FormClosing;
    this.InitializeComponent();
}

Loading Form1

private void Form1_Load(object sender, EventArgs e)
{
MyProject.Computer.Audio.Play(Resources.dox, AudioPlayMode.BackgroundLoop);
try
{
Form1.SendMessage(base.Handle, 793U, base.Handle, (IntPtr)11468800L);
...
Form1.SendMessage(base.Handle, 793U, base.Handle, (IntPtr)11468800L);
}

try
{
string text = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Desktop), "ReadMe_LighterRansomware.txt");
string text2 = "If you are reading this, you have unblocked or cheated your way out. Remember, WE KNOW WHAT YOU DID....";
File.WriteAllText(text, text2);
}

try
{
Screen screen = Screen.AllScreens[1];
MyProject.Forms.Form2.StartPosition = FormStartPosition.Manual;
MyProject.Forms.Form2.Location = screen.Bounds.Location + (Size)new Point(100, 100);
MyProject.Forms.Form2.Show();
this.Timer2.Start();
}

this.TaskBarVisible(false);
MyProject.Forms.Form3.Show();
MyProject.Forms.Form4.Show();
Desktop.DesktopIconsHide();
try
{
File.Copy(Application.ExecutablePath, "C:\\Users\\" + Environment.UserName + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Generic.exe");
}
}

  1. Looping Audio Playback: Plays an audio file named dox in the background continuously. This action could be used to distract the user or create a stressful atmosphere.

  2. Sending Messages to the Window: Attempts to send a specific message to the form’s window 19 times with the same parameters, likely to perform a non-standard or application-specific action such as manipulating the window’s state or appearance in a repeated manner.

  3. Creating a Text File on the Desktop with Specific Content: Writes a file ReadMe_LighterRansomware.txt on the user’s desktop with the message “If you are reading this, you have unblocked or cheated your way out. Remember, WE KNOW WHAT YOU DID….” This content appears threatening, suggesting surveillance or retribution, characteristic of the methods used by ransomware to intimidate victims.

  4. Displaying a Form on a Specific Screen After Verification: Attempts to position and display a form (Form2) on the second screen, if more than one screen is connected, adjusting its position to be slightly offset. This action could be intended to intrusively utilize the user’s multi-screen workspace.

  5. Hiding the Taskbar and Displaying Other Forms, Modifying User Environment: Hides the Windows taskbar, displays other forms (Form3 and Form4), and hides desktop icons, significantly altering the user’s work environment, potentially to disorient or prevent normal access to system resources.

  6. Copying the Executable to the Startup Folder to Ensure Persistence: Ensures the malware’s persistence by copying the executable to the Windows startup folder under a generic name (Generic.exe), ensuring its execution at every user login session. This technique aims to hide and maintain malicious activity without arousing suspicion.

Form1 Closing protection

close-protection

  1. Form1_LostFocus Event Handler:

    • The Form1_LostFocus method is triggered whenever the form (Form1) loses focus, meaning when the user clicks on another window or a different application comes to the foreground.
    • Inside this method, base.Focus(); is called. This line forces the form to regain focus immediately after losing it. Essentially, this makes it difficult for the user to switch to another application, as the form continuously forces itself back into focus.

  2. Form1_FormClosing Event Handler:

    • The Form1_FormClosing method is triggered whenever an attempt is made to close Form1. This can happen through various actions, such as clicking the close button on the form’s title bar, pressing Alt+F4, or right-clicking the form’s taskbar icon and selecting ‘Close window’.
    • Within this method, there’s a conditional check for if (e.CloseReason == CloseReason.UserClosing). This checks if the reason for the form closing is due to a user action (like pressing the close button).
    • If the condition is true, e.Cancel = true; is executed. This line cancels the close event, preventing the form from closing when the user tries to close it. In essence, it makes the form persistently stay open against the user’s attempts to close it, unless it’s terminated by external means such as shutting down the application through Task Manager or the application itself providing another mechanism to exit.

Form1 Timer Tick

alt text

  1. Timer1_Tick Event Handler:

    • This method is called each time Timer1 ticks (which occurs at intervals set elsewhere in the code).
    • The base.BringToFront(); method call forces the form to come to the front of all other windows. This means that whenever the timer ticks, the form attempts to make itself the topmost window, ensuring it remains visible and in focus over other applications.

  2. Timer2_Tick Event Handler:

    • This method manages a countdown process displayed on the form, specifically updating Label13, Label10, and Label8 to show a countdown timer, most likely in the format of hours, minutes, and seconds respectively.
    • Each tick of Timer2 decreases the value of Label13 (presumably seconds) by 1. When Label13 reaches 10, its font color changes to red, indicating an approaching deadline. Once it hits 0, it resets to 59, decrements Label10 (presumably minutes) by 1, and checks similar conditions for Label10 and Label8 (presumably hours).
    • If Label10 reaches 10 or 0, similar actions are taken as with Label13, including changing the font color to red at 10 and adjusting Label8 when reaching 0.
    • When Label8 (hours) decreases to 10, its font color also changes to red. If it reaches 0, indicating the countdown has completed, the application executes a system shutdown command using Interaction.Shell("shutdown -s -t 3", AppWinStyle.MinimizedFocus, false, -1);. This command shuts down the computer after a 3-second delay.

Form 2

Keyboard Hooking

keyboard-hooking

KeyboardCallback Method

  • This method is called every time a keyboard event occurs (key stroke, press, release).
  • The Code parameter is checked to see if it equals 0, meaning the event should be processed. If Code is not 0, the event is passed to the next hook in the chain using CallNextHookEx.
  • The IsHooked method is called with ref lParam (the KBDLLHOOKSTRUCT structure containing details about the key event) to check if the current key event should be blocked.
  • If IsHooked returns true (meaning the key should be blocked), num is set to 1, preventing the event from propagating further.
  • Otherwise, CallNextHookEx is called to pass the event to the next hook in the chain.

IsHooked Method

  • Checks if the key event matches a specific combination of keys that should be blocked.
  • Blocks the following key combinations:
    • Ctrl + Esc: Checked by key code 27 (vkCode for Esc) and if the Ctrl key (17) is pressed simultaneously.
    • Alt + Tab: Checked by key code 9 (vkCode for Tab) and the flag 32 indicating if Alt is pressed.
    • Alt + Escape: Checked by key code 27 and flag 32 for Alt.
  • Whenever one of these combinations is detected, a message is logged (via the HookedState method, not shown here), and true is returned to indicate that the event should be blocked.

CallNextHookEx

  • An external declaration (likely via P/Invoke) of a WinAPI function that passes the key event to the next hook in the chain. This function is used to allow other hooks to process the event if it’s not meant to be blocked.

In summary, this code enables a Windows Forms application to intercept and block certain key combinations (like Ctrl + Esc, Alt + Tab, and Alt + Escape) using a global keyboard hook. This can be used for applications requiring increased control over the user environment, such as presentation software or kiosk applications, but should be used cautiously to not detract from the overall user experience.

Form 3

Form 4

Form4 Load

form4-load-01

The code defines a series of methods intended to encrypt files across various directories on a user’s system. Each cryptX method specifies a different target directory for encryption using AES encryption, facilitated by generating an AES key at the beginning of each method. The directories intended for scanning and encryption include:

  1. Desktop: Uses Environment.SpecialFolder.Desktop to target the user’s Desktop folder for encryption.
  2. My Music: Uses Environment.SpecialFolder.MyMusic for the user’s Music folder.
  3. Documents (Personal): Uses Environment.SpecialFolder.Personal for the Documents folder.
  4. My Videos: Uses Environment.SpecialFolder.MyVideos for the Videos folder.
  5. Contacts: Directly targets the Contacts folder in the user’s profile.
  6. Downloads: Directly targets the Downloads folder in the user’s profile.
  7. User-defined directory: Encrypts a directory stored in this.userDir, which seems to be a variable holding a custom path.
  8. OneDrive: Directly targets the OneDrive folder in the user’s profile.
  9. My Pictures: Uses Environment.SpecialFolder.MyPictures for the Pictures folder.
  10. Root directories on drives A: through Y: (excluding C:), directly targeting each drive root. It’s noteworthy that C:\ is targeted specifically in crypt9 method.

The encryptAll method, called within each cryptX method, seems to recursively encrypt all files within the specified directory and its subdirectories, as indicated by its implementation that iterates over all files and directories within the passed directory path.

Form4 Crypt (encryptAll method)

encrypt-01

encrypt-01

  1. Selection of Directory and AES Key Generation:

    • Methods crypt2 to crypt34 and crypt9 in the Form4 class handle file encryption in specific directories. Each method starts by generating an AES key by calling the generateKey method.

  2. AES Key Generation:

    • The generateKey method in the AES class uses the Rijndael algorithm with a key size of 128 bits. It generates a random key that will be used for encrypting the files.

  3. Encryption of Files in Specified Directory:

    • Once the AES key is generated, the method crypt2 to crypt34 or crypt9 calls the encryptAll method of the Form4 class, passing the target directory and the AES key.

  4. Recursive Traversal of Files and Subdirectories:

    • The encryptAll method starts by listing all files in the specified directory using Directory.GetFiles. It then iterates over these files to encrypt them.
    • It then uses Directory.GetDirectories to get a list of subdirectories and recursively calls encryptAll for each found subdirectory.

  5. Encryption of Each File:

    • The encryptFile method is responsible for encrypting each file individually. It first checks if the file type is allowed for encryption.
    • If the file is allowed, it reads the file’s content, adds the filename in clear text for later reference, and then encrypts the entire content using the AES algorithm.
    • The original file is then deleted and replaced with a new encrypted version with a .L0cked extension.

  6. Generation of Random File Name:

    • The getRandomFileName method in the CryptFile class generates a random file name of variable length, which is used for encrypted files.

Form4 Block

block-method

The code functions designed to forcibly close specific system applications and utilities on a Windows computer in a loop, which could be a technique used by malware to prevent users from responding or utilizing troubleshooting tools. Here are the programs targeted by these functions:

  1. block(): Shuts down the Windows Task Manager (taskmgr).
  2. block2(): Shuts down the Command Prompt (cmd).
  3. block3(): Shuts down Sysinternals Process Explorer (procexp).
  4. block4(): Shuts down the 64-bit version of Sysinternals Process Explorer (procexp64).
  5. block5(): Shuts down the Registry Editor (regedit).
  6. block6(): Shuts down CCleaner 64-bit (CCleaner64).
  7. block7(): Shuts down System Configuration (msconfig).

Each function continuously searches for processes by their name and kills them immediately if found, then waits for 100 milliseconds before repeating the operation. This approach ensures that even if a user attempts to relaunch these applications, they will be quickly closed again. This can severely hamper troubleshooting and system recovery efforts in the event of a malware attack.

Decrypt process

Here’s the decryption procedure in the following code along with an explanation of each line.

using System;
using System.IO;
using System.Text;

public class AES
{
    // This AES class is not defined in the provided code, but it's used for encrypting and decrypting data.
    // Let's assume it contains methods for AES encryption and decryption.
}

public class Example
{
    public static bool decryptFile(string orgFile, byte[] aesKey)
    {
        // Using the "checked" directive to enable arithmetic overflow checking.
        checked
        {
            try
            {
                // Get the directory path of the original file.
                string directory = new FileInfo(orgFile).DirectoryName + "\\";

                // Get the extension of the original file.
                string extension = new FileInfo(orgFile).Extension;

                // Get the filename without extension.
                string fileName = new FileInfo(orgFile).Name.Split(new char[] { '.' })[0];

                // Check if the file extension is ".L0cked".
                if (extension != ".L0cked")
                {
                    return false; // If not, the file is not encrypted.
                }

                // Read the content of the original file as a byte array.
                byte[] fileContent = File.ReadAllBytes(orgFile);

                // Decrypt the file content using the provided AES key.
                fileContent = AES.AES.decrypt(fileContent, aesKey);

                // Extract the last 256 bytes from the decrypted file.
                byte[] last256Bytes = new byte[256];
                Array.ConstrainedCopy(fileContent, fileContent.Length - 256, last256Bytes, 0, 256);

                // Convert the 256 bytes to a UTF-8 string.
                string fileNameFromBytes = Encoding.UTF8.GetString(last256Bytes);

                // Remove any trailing newline characters from the string.
                fileNameFromBytes = fileNameFromBytes.TrimEnd(new char[1]);

                // Resize the file content to exclude the extracted 256 bytes.
                Array.Resize<byte>(ref fileContent, fileContent.Length - 256);

                // Write the decrypted content to a new file with the retrieved name.
                File.WriteAllBytes(directory + fileNameFromBytes, fileContent);

                // Delete the original encrypted file.
                File.Delete(orgFile);

                return true; // Return true if decryption and renaming were successful.
            }
            catch (Exception ex)
            {
                // Handle any exceptions that occurred during the decryption process.
            }

            return false; // Return false if an exception occurred.
        }
    }
}

Sponsored by logo any.run

<
Previous Post
Diop Trojan (Ransomware)
>
Next Post
Xorist Ransomware