
Analysis of King Ouroboros Ransomware

Read-Me-Now

King Ouroboros is a family of ransomware that encrypts files, appends the .[id=XXXXXXXXXX][[email protected]].limbo extension to each of them, and drops the ransom note file Read-Me-Now.txt.

Read-Me-Now.txt

The executable file sample can be found at app.any.run.

Executable file details

Process Graph

When executed, the executable file “sample.exe” encrypts all files on the system and creates a new process, “uiapp.exe”, which displays the ransomware nag (the ransom note/message).

Indicators of Compromise

  • Drops the files uiapp.exe, info.txt and Read-Me-Now.txt
    • Drops uiapp.exe as C:\ProgramData\uiapp.exe (SHA-256: ac2c435634b60a4b1c6fa150c88c9d753ec3e1fd1c2a3690d2250416d1783b27)
    • Drops info.txt as C:\ProgramData\info.txt
    • Drops Read-Me-Now.txt
  • Connects to the following URLs
    • www[.]sfml-dev[.]org/ip-provider[.]php
    • 176[.]31[.]68[.]30 over FTP, TCP and HTTP
  • Passes FTP authentication credentials in plaintext
    • Traffic containing USER:admin PASS:asmodeusasmodeus to 176[.]31[.]68[.]30 on port 21
FTP creds
Encrypted file samples
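The host-side indicators above (the double-bracket .limbo extension, the Read-Me-Now.txt note in every directory, uiapp.exe and info.txt in ProgramData, and the uiapp.exe hash) can be turned directly into a triage script. The following is an added example written for this write-up, not the author's tooling: it walks a directory tree, matches the extension pattern, extracts the victim id, and checks any uiapp.exe it finds against the published hash. The victim id, contact address and file contents in the constructed sample tree are placeholders, not values from a real infection.

```python
"""Host-side triage for King Ouroboros artefacts (added example, not the author's tooling)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
UIAPP_SHA256 = "ac2c435634b60a4b1c6fa150c88c9d753ec3e1fd1c2a3690d2250416d1783b27"
DROPPED_FILES = {"uiapp.exe", "info.txt"}   # dropped into C:\ProgramData
RANSOM_NOTE = "Read-Me-Now.txt"              # dropped into every directory
# Encrypted files end in .[id=<victim id>][<contact email>].limbo
LIMBO_RE = re.compile(r"\.\[id=(?P<vid>[^\]]+)\]\[(?P<mail>[^\]]+)\]\.limbo$", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_tree(root: str) -> dict:
    """Walk `root` and collect every King Ouroboros indicator found on disk."""
    findings = {"encrypted": [], "notes": [], "dropped": [], "victim_ids": set(), "hash_hits": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            m = LIMBO_RE.search(name)
            if m:
                findings["encrypted"].append(str(path))
                findings["victim_ids"].add(m.group("vid"))
            elif name == RANSOM_NOTE:
                findings["notes"].append(str(path))
            elif name.lower() in DROPPED_FILES:
                findings["dropped"].append(str(path))
                # Only the published hash confirms it is the same uiapp.exe sample.
                if sha256_of(path) == UIAPP_SHA256:
                    findings["hash_hits"].append(str(path))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed victim tree: placeholder id, email and bytes stand in for real ones."""
    marker = ".[id=0000000000][contact@example.invalid].limbo"   # placeholder, not the real id/email
    docs = Path(root, "Documents")
    docs.mkdir()
    for stem in ("budget.xlsx", "thesis.docx"):
        Path(docs, stem + marker).write_bytes(b"\x00" * 16)
    Path(docs, RANSOM_NOTE).write_text("placeholder note\n")
    Path(root, "photo.jpg" + marker).write_bytes(b"\x00" * 16)
    Path(root, RANSOM_NOTE).write_text("placeholder note\n")
    pdata = Path(root, "ProgramData")
    pdata.mkdir()
    Path(pdata, "uiapp.exe").write_bytes(b"MZ placeholder, not the real dropper")
    Path(pdata, "info.txt").write_text("placeholder\n")


def demo() -> dict:
    """Build the constructed tree in a temp dir, triage it and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        f = triage_tree(tmp)
    return {
        "encrypted": len(f["encrypted"]),
        "notes": len(f["notes"]),
        "dropped": len(f["dropped"]),
        "victim_ids": sorted(f["victim_ids"]),
        "hash_hits": len(f["hash_hits"]),
    }


if __name__ == "__main__":
    print(demo())
```

On a real host you would point `triage_tree` at each mounted volume; the placeholder uiapp.exe in the constructed tree is reported as a dropped file but, as expected, does not match the published hash.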

Deeper Analysis

The sample executable is a Windows 32-bit PE file compiled by Visual C++. 

GetDriveTypeA

When executed, the file enumerates all drives on the system.

GetLogicalDrives

It then retrieves the bitmask representing the currently available disk drives.

ReadFile

The sample opens every file on each logical drive as a binary stream.

Permutations

It then encrypts the contents of each file using a stream cipher that involves permutations and advanced calculus. The analysis of the encryption algorithm will be published in the next post.

Mail to
limbo extension

It then appends the extension .[id=XXXXXXXXXX][[email protected]].limbo to each file, as shown above.

Read-Me-Now

After encryption the sample drops a ransom note as Read-Me-Now.txt in each directory.

It makes a request to www[.]sfml-dev[.]org/ip-provider[.]php

ip-provider.php

The response to the above request is the public IP of the victim.

TCP stream

The sample generates a unique key for each infected PC based on its ID, which is sent to the attacker’s server.

The sample also downloads and executes another executable from an FTP server at 176[.]31[.]68[.]30.

USER PASS

The authentication credentials for the FTP server were found to be USER: “admin”, PASS: “asmodeusasmodeus”.

uiapp.exe

It downloads the file uiapp.exe to C:\ProgramData\.

CreateProcessA

It then executes the downloaded file by creating a new process that runs in the security context of the calling process.

UIAPP.EXE

FTP

I got the file uiapp.exe quickly from the previously found FTP server.

uiapp.exe

The file is a .NET PE executable, so I decompiled it to see what it does. The main function launches a GUI application by executing Form1.

As its name indicates, uiapp.exe is just a UI application that displays the ransom note/message on the victim’s desktop and nothing else.

uiapp.exe

The file sample.exe encrypts all files on the victim’s computer and downloads file uiapp.exe to notify the victim about the compromise.


3 thoughts on “Analysis of King Ouroboros Ransomware”

  1. The directory has a new sample: crypt.exe
    Its hash value isn’t listed in your write-up. I recommend checking that out too if you have time.

    1. Oh yes, I did check it today, and it has a new email and extension but the functionality seems the same. It hints at being related to NK’s APT group Lazarus. Thanks for the info though.
