<\/p>\n
Technical Analysis<\/strong><\/p>\n 1.<\/strong> The mother file is packed with the MPRESS packer (as shown in the snippet in fig 1) which after execution drops many public version EternalBlue files on the victim\u2019s machine.<\/p>\n Fig 1. The file is packed with Mpress packer<\/p>\n 2. These files are dropped at \u2018C:\\Users\\All Users\\\u2019 location. These files are also packed with the MPRESS packer.<\/p>\n 3. Mother file scans for all the systems which are in the same network using EternalBlue to find outdated SMB services and encrypts files on the host systems to maximize profit from attack.<\/p>\n Fig 2. Dropped EternalBlue files<\/p>\n <\/p>\n <\/p>\n This version of Satan also drops mmkt.exe (Mimikatz) which is an open-source tool that permits the attacker to dig out credential information from the Windows lsass (Local Security Authority Subsystem Service). Using Mimikatz, it then stores credential of network computers and then it accesses and infects machines on the same network using these credentials.<\/p>\n It had dropped satan.exe on the victim\u2019s machine at C drive and executed it, which is responsible for encryption.<\/p>\n Fig 3. Drop location for satan.exe from mother file.<\/p>\n For storing unique host identifier, it drops a file with name \u201cKSession\u201d at \u201cC:\\Windows\\Temp\\\u201d<\/p>\n Satan renames an encrypted file in following way:<\/p>\n E.g.: Example.jpg to [dbger@protonmail.com] Example.jpg.dbger<\/p>\n Following are the infection marker files and encrypted files with their pattern.<\/p>\n The ransom note of this ransomware looks like this (fig 5)<\/p>\n Fig 5. Ransom note<\/p>\n After encrypting all the data on the victim\u2019s machine, it kills Satan.exe from memory but the mother file keeps running for sending data to a Command and Control server as seen from the following snippet.<\/p>\n Fig6. Connection to CNC server.<\/p>\n <\/p>\n How Quick Heal protects its users from the Satan ransomware : –<\/strong><\/p>\n Quick Heal works on multiple levels to protect its users from this threat. These levels include:<\/p>\n \u00a0 \u00a0<\/strong><\/p>\n How to stay safe from ransomware attacks<\/strong><\/p>\n <\/p>\n Indicators of compromise:<\/p>\n Subject matter experts<\/strong><\/p>\n Priyanka Dhasade, Shalaka Patil | Quick Heal Security Labs<\/p>\n <\/p>\n <\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" Satan ransomware first occurred in early 2017. And it has resurfaced with a new variant in 2018. We have seen it using new, innovative techniques to spread such as EternalBlue exploit to distribute over compromised networks. This variant of Satan propagates using the below techniques: Mimikatz EternalBlue – exploit CVE-2017-0143 Technical Analysis 1. […]<\/p>\n","protected":false},"author":39,"featured_media":86423,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-86406","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86406"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=86406"}],"version-history":[{"count":3,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86406\/revisions"}],"predecessor-version":[{"id":86425,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86406\/revisions\/86425"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/86423"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=86406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=86406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=86406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/1.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/2.jpg\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/3.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/4.jpg\")
Fig 4. Encrypted files pattern.<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/5.jpg\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/6.png\")
<\/p>\n\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/7.jpg\")
<\/strong>Fig 7. Behavior Detection<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/06\/8.png\")
<\/strong>\u00a0Fig 8. Anti-Ransomware Detection<\/p>\n\n
\n