Flowchart - Building next gen malware behavioural analysis environment

1. Dropper and RansomKiller

  • Extract archive
  • Unpack file with UPX
  • Load TempKey in memory: “c9e0b830ff18645849b8dbab57e477b5”
  • CPU check: if (cores < 3) { Exit; }
  • Check resources: if (!fileexists(base*.dat)) { Exit; }
  • Check Windows version: if (!WinVistaOrGreater) { Exit; }
  • Final key: Key = TempKey XOR 0x03
  • Decoy: Base8.tmp = Base8.dat XOR Key XOR 0x08
  • Real sample: Base16.tmp = Base16.dat XOR Key
  • Decoy: Base32.tmp = Base32.dat XOR Key XOR 0x32
  • Decoy: Base64.tmp = Base64.dat XOR Key XOR 0x64
  • Clean-up: remove(base*.tmp)
  • Run sample: cmd /c base16.tmp
  • Identify .NET binary, decompile binary: RansomKiller (MainApp)
      • Write registry key: RAND 15 char = HKLM\Software\SergSec\Key
      • CPU check: if (cores < 5) { Exit; }
      • Checks for MAC of netcard
      • Checks for debugger
      • Checks for malware analysis software
      • Detects Hyper-V
  • MainApp buttons: Scan, Buy product, Update signatures, Settings
      • Scan: goes through files, doesn’t do anything
      • Open Register Form (reached from two of the buttons)
      • Open Register Form
  • Register Form
      • Checks for internet by connecting to https://cyber-europe.net
      • Checks the key by sending a GET request to https://cyber-europe.net/evl/ransomkill/reg.php
      • if (reply == “260CA9DD8A4577FC00B7BD5810298076”) { RegisterProduct; }
      • Enables all buttons of MainApp
  • Update signatures
      • Easter Egg: checks if the public key of SergSec is installed in the CA Store
      • Downloads https://cyber-europe.net//evl/ransomkill/update.rk
      • Checks if it’s a Thursday
      • Decrypts update.rk to updt.exe using AES-128
      • Gets AES key = serial number of the SergSec public certificate
      • Executes updt.exe
  • Creates Task: binary to be run on 12 Oct 2016
  • Autoupdate: creates a registry key HKLM\Software\SergSec\AutoUpdate = 1
  • Autostart: creates a registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RansomKillerApp = base16.tmp
  • Auto schedule: creates a weekly Task in the Windows Task Scheduler named RK_Weekly
  • Sign in: Easter Egg: if (user == “demo”) & (password == “demo”) { AccessWebPanel; }

2. updt.exe (MainApp)

  • Hides window
  • Stalls execution via Search
  • Stalls execution via Math Calculation
  • Checks for debugger (Necromancy Check)
  • Deletes old logs
  • Anti-forensics checks: username, computer name, running processes
  • Checks for debugger (Running Process)
  • Stalls execution via Search2
  • Keylogger / ScreenGrabber
      • Stores keystrokes in rNdfgl34f.txt
      • Grabs Printscreen to test.jpg
      • 500 strikes
  • Exfiltrator: sends data to 10.210.1.12
  • Persistence
  • Deletes logs
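As an added example (not code from the exercise, the sample or its authors), the following Python re-implements the stage-1 key derivation and XOR unpacking listed in the flowchart, so an analyst can recover the real payload from the three decoys on a workbench without running the dropper. It assumes that TempKey is the 16 raw bytes spelled by the hex string (not its ASCII text), that 0x03 and each decoy constant are XORed into every byte, and that the key is used as a repeating keystream against the .dat content; the flowchart does not fix any of these. The container contents are constructed here for the demonstration, not taken from the sample.

```python
"""Stage-1 unpacking arithmetic from the flowchart, re-implemented for analysis.

Assumptions (the flowchart does not specify them):
  * TempKey is the 16 raw bytes encoded by the hex string, not the ASCII text;
  * "XOR 0x03" is applied to every key byte;
  * a .dat file is XORed against the key used as a repeating keystream;
  * the per-decoy constant (0x08, 0x32, 0x64) is XORed into every output byte.
The real sample is identified as the single decoded output with an MZ header.
"""
from __future__ import annotations

# Value taken from the flowchart
TEMP_KEY_HEX = "c9e0b830ff18645849b8dbab57e477b5"

# Decoy XOR constant per container; None marks the real sample (base16)
DECOY_CONSTANT = {
    "base8.dat": 0x08,
    "base16.dat": None,
    "base32.dat": 0x32,
    "base64.dat": 0x64,
}


def final_key(temp_key_hex: str = TEMP_KEY_HEX) -> bytes:
    """Key = TempKey XOR 0x03 (assumed byte-wise over the raw key bytes)."""
    return bytes(b ^ 0x03 for b in bytes.fromhex(temp_key_hex))


def xor_transform(data: bytes, key: bytes, constant: int | None = None) -> bytes:
    """XOR data against the key as a repeating keystream, then (decoys only)
    against a single constant.  XOR is its own inverse, so this routine both
    encodes and decodes."""
    out = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    if constant is not None:
        out = bytes(b ^ constant for b in out)
    return out


def decode_containers(containers: dict[str, bytes], key: bytes) -> dict[str, bytes]:
    """Apply the per-container transform the flowchart lists: base8/32/64
    get the extra constant, base16 does not."""
    return {name: xor_transform(blob, key, DECOY_CONSTANT[name])
            for name, blob in containers.items()}


def find_real_sample(decoded: dict[str, bytes]) -> str | None:
    """Return the container whose output is a PE image (MZ header), or None
    when zero or several outputs look valid, which would mean the assumed
    key handling is wrong."""
    hits = [name for name, data in decoded.items() if data[:2] == b"MZ"]
    return hits[0] if len(hits) == 1 else None


def build_constructed_containers(key: bytes) -> dict[str, bytes]:
    """Constructed test input: a fake PE stub plus three decoy payloads,
    encoded exactly as the flowchart describes (not real sample bytes)."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
    plain = {
        "base8.dat": b"decoy-8 " * 8,
        "base16.dat": fake_pe,
        "base32.dat": b"decoy-32 " * 8,
        "base64.dat": b"decoy-64 " * 8,
    }
    return {name: xor_transform(data, key, DECOY_CONSTANT[name])
            for name, data in plain.items()}


if __name__ == "__main__":
    key = final_key()
    decoded = decode_containers(build_constructed_containers(key), key)
    print("final key:", key.hex())
    print("real sample container:", find_real_sample(decoded))
```

If `find_real_sample` returns None on real containers, one of the labelled assumptions is wrong (most likely the ASCII-versus-raw reading of TempKey) and the decoder, not the flowchart, needs adjusting. The flowchart's environment gates also matter for the dynamic side of the analysis: the dropper exits below 3 CPU cores, without the base*.dat files or on anything older than Vista, and RansomKiller exits below 5 cores, so a sandbox VM must satisfy all of these before any of the later behaviour is observable.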
