Introduction

Once it infects a system, Saturn ransomware runs commands that disable Windows startup repair and clear the Windows backup catalog. It then encrypts files and appends "saturn" to their names. The ransomware also leaves a ransom note in each folder, containing a link to the payment site.

The authors of the newly discovered Saturn ransomware are allowing anyone to become a ransomware distributor for free via a newly launched Ransomware-as-a-Service (RaaS) affiliate program.

The delivery vector is unknown and is still under investigation.

File Information

File Name: SATURN_RANSOM.exe

MD5: BBD4C2D2C72648C8F871B36261BE23FD

SHA-1: 77C525E6B8A5760823AD6036E60B3FA244DB8E42

File Type: PE 32 Bit Image

Advanced Static Analysis

Tools Used: IDA Pro, Dependency Walker.

Snapshot 1

Once executed, the ransomware checks for VirtualBox to determine whether it is being analyzed inside a virtual machine; if VirtualBox is found, the process exits.

It queries the Windows Registry for specific keys associated with VirtualBox, calling the RegOpenKeyExA Windows API to open the registry keys highlighted above.

Snapshot 2

It also checks for the Sandboxie application to determine whether it is running inside a sandbox. As highlighted above, the ransomware looks for the DLL "sbieDll.dll", which ships with Sandboxie.

The picture below (taken from the Internet) shows the Sandboxie application that this DLL belongs to.

Snapshot 3

Snapshot 4

The ransomware then launches cmd.exe and may ping the IP address shown above.

Snapshot 5

The ransomware again uses cmd.exe, this time to launch vssadmin.exe and wmic.exe, which delete all Volume Shadow Copies on the system so that the user cannot restore files from them after encryption.

It then uses bcdedit.exe (the Boot Configuration Data editor) to disable Windows Error Recovery on startup, as highlighted above.

The important artifacts of Saturn ransomware obtained through advanced static analysis are described above. I will now continue with the dynamic analysis.

Dynamic Analysis

Environment Used

Machine: VMware [Virtual Machine]

OS: Win 7 x64

Tools Used: Process Monitor, Process Explorer, Regshot, TrackFolderChanges, Wireshark.

Snapshot 6 below shows the Saturn ransomware executing as a running process. As described in the static analysis, the sample launches cmd.exe, vssadmin.exe and wmic.exe.

Snapshot 6

Command line of cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Command line of vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Command line of wmic.exe

wmic.exe shadowcopy delete

Reviewing the command lines of these processes gives a good picture of what the sample does.
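As an added example that is not part of the original post, the Python below scores Windows process-creation events for the backup-tampering chain shown in the cmd.exe command line above. The event records are constructed sample data: event 1840 carries the command line observed in the Saturn sample, the others are benign or single-technique look-alikes.

```python
import re

# Constructed sample process-creation events (not from the original post).
# Event 1840 carries the command line observed in the Saturn sample; the rest are benign.
SAMPLE_EVENTS = [
    {"pid": 1840, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet'
                r' & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy'
                r' ignoreallfailures & bcdedit /set {default} recoveryenabled no'
                r' & wbadmin delete catalog -quiet'},
    {"pid": 2210, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"},
    {"pid": 2304, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'"C:\Windows\System32\cmd.exe" /C dir C:\Users'},
    {"pid": 2400, "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic.exe shadowcopy delete"},
]

# One rule per backup-tampering technique present in the Saturn command line.
RULES = [
    ("shadow_copy_delete_vssadmin", r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    ("shadow_copy_delete_wmic", r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    ("recovery_disabled_bcdedit", r"\bbcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b"),
    ("ignore_boot_failures_bcdedit", r"\bbcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("backup_catalog_delete_wbadmin", r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

def split_chained(cmdline):
    """Split a cmd.exe line on '&', '&&' and '||' so each sub-command is checked on its own."""
    return [p.strip() for p in re.split(r"\s*(?:&&|\|\||&)\s*", cmdline) if p.strip()]

def match_rules(cmdline):
    """Return the sorted names of every technique found in the command line."""
    hits = {name for part in split_chained(cmdline)
            for name, pat in COMPILED if pat.search(part)}
    return sorted(hits)

def scan(events):
    """Flag events matching at least one rule; several distinct techniques chained
    in a single line (as Saturn does) is a much stronger signal than one alone."""
    flagged = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            flagged.append({"pid": ev["pid"], "image": ev["image"],
                            "severity": "high" if len(hits) >= 2 else "medium",
                            "techniques": hits})
    return flagged

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} [{hit['severity']}]: {', '.join(hit['techniques'])}")
```

A lone "vssadmin list shadows" from an administrator is not flagged, while the full Saturn chain lights up all five rules in one event.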

Snapshot 7

Persistence

Saturn ransomware creates a shortcut file (LNK) in the Startup folder that points to the original malware file, so the sample is executed again after every reboot.

Encryption / Modification style

Snapshot 8

This ransomware sample encrypts specific file types on the system. As highlighted above, it first encrypts the text file and adds the extension ".SGRd" to it. It then renames the encrypted file back to the ".txt" extension. Finally, it renames the file once more by appending ".saturn" to the filename.

The malware authors likely chose this multi-step encryption and renaming scheme to evade behaviour-based ransomware detectors, which identify new ransomware families by their file-modification pattern.

Decryption

After encrypting files on the victim system, it drops three files into every directory in which it encrypted data; these files contain instructions on how to decrypt the files. It also creates a key file in each of those directories.

TOR website for Payment & Decryption

Bitcoin Address for Payment

Snapshot 9

At the time of writing they are demanding $300 for decryption, as shown above, and warn that the price will rise after one week.

Conclusion

Ransomware is evolving day by day. Follow best practices when using the Internet and when handling spam e-mails. Stay aware and share this knowledge as widely as possible.
