Ransom.Win32.STOP.THGOAAI

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It saves downloaded files into the said created folder.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %AppDataLocal%\{Hash of Machine GUID}\{malware file name}.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %System Root%\SystemID\PersonalID.txt

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It adds the following processes:

• "{Executed Malware File Path}\{Executed Malware File Name}.exe" --Task -> malware is executed via Task Scheduler
• icacls "%AppDataLocal%\{Hash of Machine GUID}" /deny *S-1-1-0:(OI)(CI)(DE,DC)
• "%AppDataLocal%\{Hash of Machine GUID}\updatewin.exe -- Admin" ← downloaded and detected as Trojan.Win32.MALREP.THOABAAI
• "%AppDataLocal%\{Hash of Machine GUID}\updatewin1.exe -- Admin" ← downloaded and detected as Trojan.Win32.MALREP.THOABAAI

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %AppDataLocal%\{Hash of Machine GUID}

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {Hash of Machine GUID}

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
SysHelper = ""%AppDataLocal%\{Hash of Machine GUID}\{Malware File Name}.exe" --AutoStart"

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion
SysHelper = 1

Download Routine

This Ransomware connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.ug/tesptc/penelop/updatewin.exe
• http://{BLOCKED}.ug/tesptc/penelop/updatewin1.exe
• http://{BLOCKED}.ug/tesptc/penelop/updatewin2.exe
• As of this writing, below the following sites are inaccessible:
  • http://{BLOCKED}.ug/tesptc/penelop/3.exe
  • http://{BLOCKED}.ug/tesptc/penelop/4.exe
  • http://{BLOCKED}.ug/tesptc/penelop/5.exe

Trend Micro detects the dowloaded file as:

• Trojan.Win32.MALREP.THOABAAI

It saves downloaded files into the said created folder.

Other Details

This Ransomware connects to the following URL(s) to get the affected system's IP address:

• https://api.2ip.ua/geo.json

It does the following:

• Connects to the URL to get the arguments needed for the "--Service" and "--ForNetRes" to perform it's routine:
  
  • http://{BLOCKED}.ug/AJshdd74568oHIUHSusf6441/Asjdioaiuf738/get.php?pid={HASH PID}
• Checks if there is an existing copy of itself in %AppDataLocal% then delete it and drops a copy of itself at %AppDataLocal%
• Adds the following Scheduled Task:
  
  • Task Name: Time Trigger Task
  Schedule: Once, after triggered repeat every 5 mins. Trigger expires at 5/2/2030 8:00 AM
  Task to be run: "%AppDataLocal%\{Hash of Machine GUID}\{Malware File Name}.exe"
• It accepts/ add the following arguments to check its execution:
  
  • --Admin -> run the malware as admin
  • --AutoStart -> executes using autorun registry keys.
  • --ForNetRes {Argumet from the URL} {Argument From the URL}
  • --Service {PID of the Parent Malware Running} {Argumet from the URL} {Argument From the URL}
  • IsAutoStart -> Execute malware as an autostart
  • IsNotAutoStart -> Execute malware not as an autostart
  • IsTask/Task -> Execute malware as a task
  • IsNotTask -> Execute malware not as a task

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• .sys
• .bat
• .dll
• .lnk
• .ini
• _readme.txt
• ntuser.dat

It avoids encrypting files found in the following folders:

• C:\$Recycle.Bin\
• C:\PerfLogs\
• C:\$WINDOWS.~BT\
• C:\dell\
• C:\Intel\
• C:\MSOCache\
• C:\Games\
• C:\Windows.old\
• %AppDataLocal%
• %Application Data%
• %Windows%
• %ProgramData%\Microsoft\
• %ProgramData%\Package Cache\
• %ProgramData%\Desktop\
• %Public%
• %Program Files% ; (for both 32 and 64 bit OS)
• {Logical Drive Letter}\Users\%username%\AppData\Roaming\
• {Logical Drive Letter}\Users\%username%\AppData\Local\
• {Logical Drive Letter}\Windows\
• {Logical Drive Letter}\PerfLogs\
• {Logical Drive Letter}\ProgramData\Desktop\
• {Logical Drive Letter}\ProgramData\Microsoft\
• {Logical Drive Letter}\ProgramData\Package Cache\
• {Logical Drive Letter}\Users\Public\
• {Logical Drive Letter}\$Recycle.Bin\
• {Logical Drive Letter}\$WINDOWS.~BT\
• {Logical Drive Letter}\dell\
• {Logical Drive Letter}\Intel\
• {Logical Drive Letter}\MSOCache\
• {Logical Drive Letter}\Program Files\
• {Logical Drive Letter}\Program Files (x86)\
• {Logical Drive Letter}\Games\

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It appends the following extension to the file name of the encrypted files:

• .litar

It drops the following file(s) as ransom note:

• {Encrypted File Directory}\_readme.txt