King Ouroboros is a family of ransomware that encrypts files and appends the .[id=XXXXXXXXXX][[email protected]].limbo extension and drops ransom note file Read-Me-Now.txt.
The executable file sample can be found at app.any.run.
Executable file details
Process Graph
The executable file “sample.exe” when executed, encrypts all files in the system and creates a new process “uiapp.exe” which displays the ransomware nag(ransom note/message).
Indicators of Compromise
- Drops file uiapp.exe, info.txt, Read-Me-Now.txt
- Drops file uiapp.exe in C:\\ProgramData\uiapp.exe (Hash : ac2c435634b60a4b1c6fa150c88c9d753ec3e1fd1c2a3690d2250416d1783b27)
- Drops info.txt in C:\\ProgramData\info.txt
- Drops file Read-Me-Now.txt
- Connects to the following URL’s
- www[.]sfml-dev[.]org/ip-provider[.]php
- 176[.]31[.]68[.]30 for ftp, tcp and http
- Passes FTP authentication credential in plaintext
- Traffic containing USER:admin PASS:asmodeusasmodeus to 176[.]31[.]68[.]30 on port 21
- Encrypts file with unique extension
- .[id=XXXXXXXXXX][[email protected]].limbo
Deeper Analysis
The sample executable is a Windows 32-bit PE file compiled by Visual C++.
The file when executed enumerates all drives in the system.
It then retrieves the bitmask representing the currently available disk drives.
The sample file opens all files in each logical drives as binary stream.
It then encrypts all the file contents using a stream cipher which contains permutations and advanced calculus. The analysis of encryption algorithm used will be published in next post.
It then appends the extension
.[id=XXXXXXXXXX][[email protected]].limbo to each file as shown above.
After encryption the sample drops a ransom note as Read-Me-Now.txt in each directory.
It makes a request to www[.]sfml-dev[.]org/ip-provider[.]php
The response to the above request is the public IP of the victim.
The sample generates a unique key for each infected PC based on ID which is sent to the attacker’s server.
The sample file also downloads and executes another executable from an FTP server at 176[.]31[.]68[.]30 .
The authentication credentials for the ftp server were found to be USER : “admin”, PASS : ”asmodeusasmodeus”.
It downloads the file uiapp.exe to C:\\ProgramData\ .
And executes the downloaded file by creating a new process that runs in the security context of the calling process.
UIAPP.EXE
I got the file uiapp.exe quickly from the previously found FTP server.
The file was a .net PE executable file. So, I decompiled the file to see what it does. Looking at the main function we saw it triggered a GUI-application by executing Form1.
The uiapp.exe as indicated by its name is just a UI application to display ransomnote/message on the victim’s desktop and nothing else.
The file sample.exe encrypts all files on the victim’s computer and downloads file uiapp.exe to notify the victim about the compromise.
References:
Stay tuned for more analysis and other amazing stuff. If you love and support my work use the below link to buy me a coffee and help me with my research.
That’s really great work:)
The directory has a nww sample: crypt.exe
It’s hash value isn’t listed in your write-up. I recommend checking that out too if you have time.
Oh yes i did check it today, and has new email and extension but the functionality seems same. Hints to be related to NK’s APT group lazarus. Thanks for the info though.