{"id":87915,"date":"2019-07-30T12:57:12","date_gmt":"2019-07-30T07:27:12","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87915"},"modified":"2019-07-30T12:57:35","modified_gmt":"2019-07-30T07:27:35","slug":"megacortex-returns","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/megacortex-returns\/","title":{"rendered":"MegaCortex Returns\u2026"},"content":{"rendered":"

MegaCortex, a ransomware which was first spotted in January this year, has become active again and has changed the way it previously attacked\/targeted the corporate world. In order to simplify its execution and increase its scale of operation, it uses \u2018Command Prompt\u2019 instead of \u2018PowerShell\u2019 in current targeted campaign.<\/p>\n

Key Points:<\/u><\/strong><\/p>\n

1.While analyzing we found that the sample is digitally signed by \u201cThawte, Inc\u201d and publisher is “ABADAN PIZZA LTD\u201d, a UK based company.<\/p>\n

\"\"<\/p>\n

Fig.1 The sample is digitally signed.<\/p>\n

2. The ransom note is written in an aggressive and offhand language.<\/p>\n

\"\"<\/p>\n

Fig.2 Very aggressive stance in ransom note.<\/p>\n

BEHAVIOUR ANALYSIS:<\/u><\/strong><\/p>\n

Upon execution, MegaCortex cannot pass User Account Control and hence below pop up appears asking for access for the same.<\/p>\n

\"\"<\/p>\n

Fig.3 Pop up asking for access.<\/p>\n

The entire process of encryption is visible to the user as it appears on the command prompt as shown below:<\/p>\n

\"\"<\/p>\n

Fig.4 Encryption activity can be seen through command prompt.<\/p>\n

Once executed it creates lot of sub-processes hence creating a large process tree. As shown in the image:<\/p>\n

\"\"<\/p>\n

Fig.5 Process Tree<\/p>\n

After encrypting a file, it appends \u201c. megacortex\u201d extension at the end of file\u2019s name. The pattern is <file_name>. <original extension>. <new extension> as shown in below image: –<\/p>\n

\"\"<\/p>\n

Fig.6 Encrypted files naming pattern<\/p>\n

This ransomware will also create a log file located at \u201cC:\\x5gj5_gmG8.log\u201d which records the names of files that could not be encrypted because of various reasons like access denied as the file is locked.<\/p>\n

\"\"<\/p>\n

Fig.7 Log file<\/p>\n

CODE ANALYSIS:<\/u><\/strong><\/p>\n

Once execution has been started, it uses \u201cnet stop \u2018service name\u2019 \/y\u201cand \u201csc config \u2018service name\u2019 start = disabled\u201d commands to terminate\/disable services. It disables or terminates approx. 1400 services and processes before starting encryption. It looks for service names that could be from a security software, backup servers, database servers, etc.<\/p>\n

\"\"<\/p>\n

Fig.8 Security products services will be stopped.<\/p>\n

\"\"<\/p>\n

Fig.9 Few services which MegaCortex looks for to terminate.<\/p>\n

While performing static analysis, we noticed that only \u2018KERNAL32.dll\u2019 was the DLL that was loaded initially. Much to our surprise, during debugging we found a lot more DLL\u2019s that were loaded and out of which \u2018cryptobase.dll\u2019 was the DLL that is being used for encryption and decryption activity.<\/p>\n

\"\"<\/p>\n

Fig.10 Used and imported DLLs<\/p>\n

The sample itself contains an encrypted instance which is encrypted using SALSA20 algorithm. Firstly, it decrypts the instance itself using \u2018RtlGenRandom\u2019 function. The \u2018Advapi32.dll\u2019 using this function as a resource named \u2018SystemFunction036\u2019. This function is used instead of API\u2019s from \u2018cryptobase.dll\u2019 to deceive analyst into believing that it is one of the genuine system functions.<\/p>\n

\"\"<\/p>\n

Fig.11 Algorithm used for Encryption.<\/p>\n

To encrypt files, it first scans the directories and then starts to encrypt the files by launching instances of itself. Each instance encrypts only one file.<\/p>\n

\"\"<\/p>\n

Fig 12. File encryption activity<\/p>\n

During decryption of its own instance, the encrypted sample is stored at the address pointed by \u2018EDI\u2019 register. The address of the decryption key is stored in the \u2018ESP\u2019 register. The key is being used to decrypt the data and store the data at the address pointed by \u2018ESI\u2019 register. In the below image, decryption has been started and can be seen in the hex dump at the address pointed by \u2018ESI\u2019.<\/p>\n

\"\"<\/p>\n

Fig.13 Decryption Loop<\/p>\n

To save the time and efforts, MegaCortex adds the marker \u2019MEGA-G8=\u2019 at each file that is encrypted by this ransomware.<\/p>\n

\"\"<\/p>\n

Fig.14 Marker is added to each encrypted file<\/p>\n

MegaCortex ransomware has a blacklist of the extensions that it will not encrypt. It has a list of around 30 file extensions that include .bat, .exe, .dll, .sys, .tmp, etc. as shown below: –<\/p>\n

\"\"<\/p>\n

Fig.15 List of the blacklisted extension<\/p>\n

After encryption, the ransomware will also delete the volume shadow copies to prevent recovery of encrypted files.<\/p>\n

For that it uses \u201cvssadmin delete shadows \/all \/for=C:\\\u201d<\/p>\n

\"\"<\/p>\n

Fig.16 Command used to delete shadow copies<\/p>\n

Ransom Note: –<\/strong><\/p>\n

The ransom note is written in a text file named \u201c!!!_READ-ME_!!!.txt\u201d which is kept on the desktop. It contains two email IDs for the victims to contact the attacker for information regarding payment.<\/p>\n

The ransom varies from 2 BTC to 600 BTC.<\/p>\n

\"\"<\/p>\n

Fig.16. Ransom note<\/p>\n

It is clearly seen that the attacker is no more ready to negotiate with the victims. Further they do not give any instructions as to how to buy bitcoins and asks the victim to Google the process. Also, they mention that they have attacked the system for profits and not to do any sort of charity.<\/p>\n

Most ransom notes walk you through the payment process and even show a lot of sympathy with the victim. But the attacker has an aggressive outlook towards the victim!<\/p>\n

The end of ransom note concludes with: \u201cMan is the master of everything and decides everything.\u201d<\/p>\n

 <\/p>\n

IOC\u2019s: –<\/p>\n

MD5:c12ab67f2835b3a867af6c91aa3d3039<\/p>\n

 <\/p>\n

Subject Matter Experts: –<\/strong><\/p>\n

Lavisha Mehndiratta,\u00a0Shivani Mule\u00a0| Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

MegaCortex, a ransomware which was first spotted in January this year, has become active again and has changed the way it previously attacked\/targeted the corporate world. In order to simplify its execution and increase its scale of operation, it uses \u2018Command Prompt\u2019 instead of \u2018PowerShell\u2019 in current targeted campaign. Key Points: 1.While analyzing we found […]<\/p>\n","protected":false},"author":39,"featured_media":87937,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1671,910],"tags":[],"class_list":["post-87915","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-encryption","category-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87915"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87915"}],"version-history":[{"count":3,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87915\/revisions"}],"predecessor-version":[{"id":87950,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87915\/revisions\/87950"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87937"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=87915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}