Analysing STOP Ransomware

Overview

STOP/DJVU ransomware can be executed with one of the following parameters: --Admin, --ForNetRes, --Task, --AutoStart or --Service. It gathers the victim's location with the help of a geolocation API service and compares the returned country code against a hard-coded list; if one of them matches, the malware stops running. It uses the Salsa20 algorithm to encrypt files and appends the .cdpo extension to each of them. The malware maintains persistence with two methods: a Run key value named SysHelper and a scheduled task called Time Trigger Task. It drops additional payloads (in our case Vidar and a Clipboard Hijacker) from malicious URLs, and a Public Key is also loaded from the C2 server.

Unpacking

The unpacking procedure is fairly simple. We only have to put a breakpoint on the WriteProcessMemory function, which writes data to an area of memory in a specified process, then run the program until it hits that breakpoint. We need to dump the 3rd argument of WriteProcessMemory, lpBuffer, which is a pointer to the buffer containing the data to be written into the address space of the specified process. After following it in the dump, the MZ signature is found, which is a clear indicator of a Windows executable. The last thing to do is to clear the junk code in a hex editor, and we finally obtain the unpacked file.

/images/stop_ransomware/unpacking.jpg
Figure 1: Unpacking STOP Ransomware

Execution Parameters

Before we get into analysing what this malware is capable of, it's important to note that it can execute itself with different parameters from the command line. First, the ransomware tries to launch itself with the --Admin IsNotAutoStart IsNotTask parameters. --Admin runs it with admin access rights, IsNotAutoStart indicates it won't run automatically when the system starts up, and IsNotTask means the execution of the program is not scheduled automatically.

However, STOP ransomware has five more ways to start its execution:

  • --Admin IsAutoStart IsTask
  • --ForNetRes IsAutoStart IsTask
  • --Task
  • --AutoStart
  • --Service

Location Information

The malware first makes a request to the Geo-IP API service https[:]//api.2ip.ua/geo.json, which returns quite a lot of location-related information about the victim as a JSON document. Here is an example according to the geolocation site:

{"ip":"8.8.8.8",
"country_code":"US",
"country":"United states of america",
"country_rus":"США",
"country_ua":"США",
"region":"California",
"region_rus":"Калифорния",
"region_ua":"Каліфорнія",
"city":"Mountain view",
"city_rus":"Маунтин-Вью",
"latitude":"37.38605",
"longitude":"-122.08385",
"zip_code":"94035",
"time_zone":"-08:00"}

The country_code field is then compared against a hard-coded list of country codes:

/images/stop_ransomware/country_codes.jpg
Figure 2: Country codes that stop execution

RU is Russia, BY is Belarus, UA is Ukraine, AZ is Azerbaijan, AM is Armenia, TJ is Tajikistan, KZ is Kazakhstan, KG is Kyrgyzstan, UZ is Uzbekistan and SY is Syria. If the victim's country_code matches one of the hard-coded values, the ransomware stops execution; otherwise it continues.

Persistence

This malware uses two persistence methods. Under the Software\Microsoft\Windows\CurrentVersion\Run registry key, it creates a value called SysHelper, which makes the malware run every time the victim logs on. It then executes the following command on the directory it created:

  • icacls "C:\Users\admin\AppData\Local\8a4577dc-de55-4eb5-b48a-8a3eee60cd95" /deny *S-1-1-0:(OI)(CI)(DE,DC)

The command denies the “Delete” and “Delete Child” permissions for the group ‘Everyone’ on this specific directory. The randomly named directory 8a4577dc-de55-4eb5-b48a-8a3eee60cd95 is generated by the malware itself with the UuidCreate and UuidToStringW functions.

The other persistence mechanism is a scheduled task created with the Task Scheduler COM API. After viewing and searching the scheduled tasks on the infected machine, we notice a suspicious task called Time Trigger Task. The action details confirm that it is indeed related to the malware, and it is repeated every 5 minutes indefinitely.

/images/stop_ransomware/COM_scheduled_task.jpg
Figure 3: Scheduled task under the Time Trigger Task name

HTTP Communication

Public Key

In this specific PCAP, we have three crucial HTTP messages to analyse. First, the ransomware sends a GET request to the habrafa[.]com C2 host; the URL contains a pid parameter that is an MD5 hash of the victim's MAC address. The host responds with a PUBLIC KEY (in PEM format) and an id, which are stored in a text file called bowsakkdestx.txt on the victim's machine.

/images/stop_ransomware/Public_Key_http.jpg
Figure 4: HTTP Stream of the Public Key

Malicious Payloads

The second HTTP message requests a file named build2.exe, a Windows executable, from brusuax[.]com. After unpacking, it is revealed to be the Vidar stealer, which is quite commonly dropped alongside STOP ransomware. It steals information and cryptocurrencies; if you want to get familiar with the infostealer and its functionality, look for related articles in Malpedia's collection.

/images/stop_ransomware/build2_http.jpg
Figure 5: HTTP Stream of build2.exe

There is also a build3.exe loaded by the ransomware from the habrafa[.]com C2 host. This is also a Windows executable, as the MZ signature indicates.

/images/stop_ransomware/build3_http.jpg
Figure 6: HTTP Stream of build3.exe

This PE file seems packed, but fortunately the unpacking is pretty easy and similar to the one described above. We just have to set a breakpoint on the NtWriteVirtualMemory function, then follow the third argument in the dump. After that, follow it in the memory map and dump it to a file. The very last thing to do is to clean the file in a hex editor. This additional payload is a Clipboard Hijacker that keeps track of clipboard activity and aims to replace cryptocurrency addresses with the attacker's own addresses. It executes the following command on the victim:

  • /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

This creates a scheduled task named Azure-Update-Task with a schedule frequency of one minute, which runs the mstsca.exe file, the malicious executable. Looking further into the unpacked sample, a mutex named M5/610HP/STAGE2 and several cryptocurrency addresses were found.

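The two command lines shown above (the icacls ACL on the GUID-named directory and the Azure-Update-Task creation) are easy to hunt for in process-creation telemetry. The following Python is an added example, not code from the article: it tokenizes Windows command lines and flags the icacls deny-delete pattern on a GUID-named %LOCALAPPDATA% directory, as well as schtasks /create calls that use a known task name or a repeat interval of a few minutes. The task names come from the article; the 5-minute threshold and the sample log lines are constructed for this example.

```python
import re

# Task names and the GUID-named %LOCALAPPDATA% directory come from the article;
# the 5-minute threshold and the "Everyone" alias are assumptions of this example.
KNOWN_TASK_NAMES = {"Time Trigger Task", "Azure-Update-Task"}
GUID_DIR = re.compile(r"AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\?$", re.I)
MAX_INTERVAL_MIN = 5

def tokenize(cmd):
    """Split a Windows command line, keeping quoted arguments together (quotes stripped)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def _arg(tokens, flag):
    """Value following a case-insensitive switch such as /tn, or None when absent."""
    low = [t.lower() for t in tokens]
    i = low.index(flag) + 1 if flag in low else len(tokens)
    return tokens[i] if i < len(tokens) else None

def check_icacls(tokens):
    """icacls <GUID dir under AppData\\Local> /deny *S-1-1-0:(...)(DE,DC): the self-protection ACL."""
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in ("icacls", "icacls.exe"):
        return False
    sid, _, rights = (_arg(tokens, "/deny") or "").partition(":")
    perms = {p for grp in re.findall(r"\(([^)]*)\)", rights) for p in grp.split(",")}
    return (sid.lstrip("*").lower() in ("s-1-1-0", "everyone")
            and bool(perms & {"DE", "DC"}) and bool(GUID_DIR.search(tokens[1])))

def check_schtasks(tokens):
    """schtasks /create with a known malicious task name or a repeat interval of a few minutes."""
    if "/create" not in [t.lower() for t in tokens]:
        return False
    if _arg(tokens, "/tn") in KNOWN_TASK_NAMES:
        return True
    sched, mod = (_arg(tokens, "/sc") or "").lower(), _arg(tokens, "/mo") or "1"  # /mo defaults to 1
    return sched == "minute" and mod.isdigit() and int(mod) <= MAX_INTERVAL_MIN

def scan(cmdlines):
    """Return (rule_name, command_line) for every line matching one of the two persistence patterns."""
    hits = []
    for cmd in cmdlines:
        toks = tokenize(cmd)
        if check_icacls(toks):
            hits.append(("stop_icacls_deny_delete", cmd))
        if check_schtasks(toks):
            hits.append(("stop_short_interval_task", cmd))
    return hits

# Constructed process-creation CommandLine values; the first two mirror the article's commands.
SAMPLE_CMDLINES = [
    r'icacls "C:\Users\admin\AppData\Local\8a4577dc-de55-4eb5-b48a-8a3eee60cd95" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'cmd.exe /C schtasks /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'icacls "C:\Shares\Reports" /grant Users:(OI)(CI)R',
    r'schtasks /create /sc daily /tn "Nightly Backup" /tr C:\Tools\backup.exe',
]
```

Running scan(SAMPLE_CMDLINES) reports the first two lines and leaves the two benign ones untouched.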

Configuration

The malware has several data tables in the .data section. These tables have either 10 or 16 values that point into the .rdata section, which is where the actual data we have to decrypt to extract the configuration is located. The encryption is a simple XOR with the value 0x80.

/images/stop_ransomware/XOR_encryption.jpg
Figure 7: XOR encryption of the malware's configuration
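As an added example (not the article's code), the decoder below reproduces the configuration recovery just described on a constructed mini image: a .data table of 32-bit pointers, resolved against an assumed image base of 0x400000, each pointing at an XOR-0x80 string in .rdata. The pointer width and the unencoded null terminator are assumptions; the plaintext strings are ones the article reports in the unpacked sample.

```python
import struct
from typing import List

XOR_KEY = 0x80
IMAGE_BASE = 0x400000  # image base of the constructed sample (assumption, not the real sample's)

def decrypt_blob(data: bytes) -> bytes:
    """Undo the XOR-0x80 obfuscation; XOR is its own inverse, so this also re-encrypts."""
    return bytes(b ^ XOR_KEY for b in data)

def looks_xor80_encoded(data: bytes) -> bool:
    """Printable ASCII is < 0x80, so every byte of an encoded string has its high bit set.
    That is why these strings never show up in plain `strings` output."""
    return len(data) > 0 and all(b >= XOR_KEY for b in data)

def decode_table(image: bytes, table_off: int, count: int) -> List[bytes]:
    """Walk a .data pointer table (count 32-bit little-endian VAs) and decode the .rdata
    string each entry points at. Assumed layout: strings end with an unencoded 0x00."""
    out = []
    for i in range(count):
        (va,) = struct.unpack_from("<I", image, table_off + 4 * i)
        off = va - IMAGE_BASE
        end = image.index(b"\x00", off)
        out.append(decrypt_blob(image[off:end]))
    return out

def build_sample() -> bytes:
    """Construct a tiny image: a 3-entry table at offset 0 followed by encrypted strings at 0x40."""
    plain = [b"--Admin", b"Time Trigger Task", b"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"]
    rdata_off, rdata, ptrs = 0x40, b"", []
    for s in plain:
        ptrs.append(IMAGE_BASE + rdata_off + len(rdata))
        rdata += decrypt_blob(s) + b"\x00"  # encrypt (XOR 0x80) and terminate
    table = b"".join(struct.pack("<I", p) for p in ptrs)
    return table.ljust(rdata_off, b"\x00") + rdata

if __name__ == "__main__":
    for s in decode_table(build_sample(), 0, 3):
        print(s.decode())
```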

File Encryption

The ransomware uses the Salsa20 algorithm to encrypt files on the victim's computer. The analysed file indicates that OpenSSL was also used in the encryption process, since it contains several related strings. There are a few file extensions that the malware doesn't encrypt, such as .sys, .ini, .DLL, .dll, .blf, .bat, .lnk and .regtrans-ms. This sample uses the .cdpo extension for the encrypted files, although the extension varies from sample to sample. The first 5 bytes of each file are left unencrypted, while at the end of each file the ransomware appends a UUID (created with the UuidCreate and UuidToStringA functions) that is encrypted with the RSA-2048 Public Key, the PersonalID and the {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5} value:

/images/stop_ransomware/ending_of_encrypted_file.jpg
Figure 8: Ending of an encrypted file in hex editor
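To triage files on an infected host it helps to carve the footer just described. The Python below is an added example, not the article's or the malware's code: it checks the .cdpo extension, verifies that the file ends with the victim's PersonalID (as read from PersonalID.txt) followed by the marker, carves the RSA-2048 block in front of them, and identifies the original file type from the 5 unencrypted bytes. The field order follows the article; the 256-byte raw RSA block size, the magic table and the sample file are assumptions of this example.

```python
from typing import Optional, Dict

# Marker string and the 5-byte clear prefix come from the article. The field order
# (encrypted UUID, PersonalID, marker) follows the article's description; the raw
# 256-byte size of the RSA-2048 block is an assumption of this example.
STOP_MARKER = b"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"
RSA_2048_BLOCK = 256
PLAIN_PREFIX = 5
ENCRYPTED_EXT = ".cdpo"

# Constructed magic table: only prefixes of at most 5 bytes can be recognised,
# because that is all that survives in clear.
MAGICS = {b"%PDF-": "PDF", b"\x89PNG\r": "PNG", b"PK\x03\x04": "ZIP/OOXML",
          b"MZ": "PE executable", b"\xff\xd8\xff": "JPEG", b"\x7fELF": "ELF"}

def guess_original_type(prefix: bytes) -> str:
    """Identify the original file type from the unencrypted first bytes."""
    for magic, name in MAGICS.items():
        if prefix.startswith(magic):
            return name
    return "unknown"

def parse_stop_footer(name: str, data: bytes, personal_id: str) -> Optional[Dict]:
    """Carve the footer of a STOP-encrypted file for the victim whose PersonalID is given
    (taken from PersonalID.txt). Returns None when the file does not fit the layout."""
    trailer = personal_id.encode() + STOP_MARKER
    if not name.lower().endswith(ENCRYPTED_EXT) or not data.endswith(trailer):
        return None
    body_end = len(data) - len(trailer) - RSA_2048_BLOCK
    if body_end < PLAIN_PREFIX:
        return None
    return {
        "original_type": guess_original_type(data[:PLAIN_PREFIX]),
        "salsa20_ciphertext_len": body_end - PLAIN_PREFIX,
        "encrypted_uuid": data[body_end:body_end + RSA_2048_BLOCK],  # RSA-2048 ciphertext
        "personal_id": personal_id,
    }

# Constructed sample: a 5-byte PDF prefix, 64 bytes standing in for Salsa20 ciphertext,
# an opaque 256-byte RSA block, then the trailer. The PersonalID is a placeholder.
SAMPLE_PERSONAL_ID = "PLACEHOLDER-PERSONAL-ID-0000"
SAMPLE_FILE = (b"%PDF-" + b"\x17" * 64 + b"\xaa" * RSA_2048_BLOCK
               + SAMPLE_PERSONAL_ID.encode() + STOP_MARKER)
```

Because only 5 bytes survive in clear, the original type can be recognised but nothing of the content is recoverable without the key.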

The ransom note is placed in the _readme.txt file, which specifies the ransom demand and presents additional information such as emails to contact, a WeTransfer link that supposedly demonstrates how to decrypt an encrypted file, and the personal ID of the user:

/images/stop_ransomware/ransom_note.jpg
Figure 9: Ransom note in _readme.txt file

A PersonalID.txt file is also created and placed in the SystemID folder on the victim’s machine:

/images/stop_ransomware/personalid_file.jpg
Figure 10: PersonalID.txt file on the victim's machine

Yara Rule

rule STOP_ransomware
{
    meta:
        description = "Detects Unpacked STOP Ransomware Samples"
        author = "Glyc3rius"
        date_created = "11/02/2024"
        sha256 = "236259fb27568c5b6ba0ed090909d2f1aeb70258673f3b561514350a65eba77a"
    strings:
        $s_launch_arg1 = "--Admin" wide
        $s_launch_arg2 = "IsNotAutoStart" wide
        $s_launch_arg3 = "IsNotTask" wide
        $s_launch_arg4 = "--AutoStart" wide
        $s_launch_arg5 = "IsAutoStart" wide
        $s_launch_arg6 = "IsTask" wide
        $s_launch_arg7 = "--ForNetRes" wide
        $s_launch_arg8 = "--Task" wide
        $s_launch_arg9 = "--Service" wide

        $s_pdb = "encrypt_win_api.pdb"
        $s_jpg = "5d2860c89d774.jpg" wide
        $s_scheduled_task = "Time Trigger Task" wide

        $mutex_1 = "{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}"
        $mutex_2 = "{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}"
        $m_end_of_encrypted_file = "{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"

    condition:
        uint16(0) == 0x5a4d
        and all of ($s*)
        and (any of ($m*))
}

IOCs

| Indicator of Compromise | Description |
|---|---|
| 5e19952acedb1da68215069d44ce1f3d48da10491151003148f1cceab03f1073 | STOP packed sample |
| 236259fb27568c5b6ba0ed090909d2f1aeb70258673f3b561514350a65eba77a | STOP unpacked sample |
| e3d16f3f69fa0857f966022387ee6f9408385ddf389d09ffe7dc44acc8ac1ad5 | Packed Vidar infostealer (build2.exe) |
| 0e5849b3c364687599909abee08ab6638521ea62b887dc365e40d2589959ac8b | Unpacked Vidar infostealer |
| fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 | Packed Clipboard Hijacker (build3.exe) |
| 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | Unpacked Clipboard Hijacker |
| habrafa[.]com/test1/get.php | Command and Control (C2) |
| http[:]//brusuax[.]com/dl/build2.exe | Payload URL, drops Vidar |
| http[:]//habrafa[.]com/files/1/build3.exe | Payload URL, drops Clipboard Hijacker |