Other basic static analysis tools show that the malware imports a number of suspicious API functions and libraries. In particular, it imports several functions from the crypt32.dll cryptography library alongside other suspicious imports, such as:
The section table of the binary includes a section named “.keys”. This is not a name any standard linker produces, so it is itself a useful static indicator, and it strongly suggests that the malware embeds key material used to decrypt some data, such as an embedded configuration file, or the public key(s) the ransomware uses during file encryption.
The sample also carries debug information stating that the binary was compiled on Monday, April 6th, 2020. As with any PE timestamp, this value is set by the build tooling and can be forged, so it should be treated as an indicator rather than a confirmed fact.
The sample's entry function carries out the majority of the malicious activity.
On execution the sample first checks the languages present on the victim's system. It does this by calling the checkInstalledLanguages() function, which calls the GetLocaleInfoW API and compares the returned language values against a hard-coded array. If a language on the “ignore” list is found, the process calls GetCurrentProcess to obtain a HANDLE to itself and then calls TerminateProcess. This is a very common check in ransomware: malware operated out of the CIS region typically leaves systems alone if they have Russian or other regional language packs installed.
This version of the malware checks for:
Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldavian, Tajik, Russian, Turkmen, Uzbek, and Ukrainian
If the language check passes (none of the “ignore” languages are present), the malware retrieves the computer's hostname and the current user's username, and queries a set of hard-coded Registry keys and values. The returned values are concatenated into a single buffer, which is then passed to a function that generates a hash value from it.
The hash generation takes the concatenated string, XORs it against the value 0xab01ff3, and then applies a series of arithmetic operations, ultimately returning a unique identifier to the program.
This hash value is later used as the name of an event object that the malware creates on the system.
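The two pre-flight steps above, the locale "ignore list" check and the host-specific identifier that later becomes an event name, are re-implemented below in Python as an added example. This is not the sample's own code and is not decompiled from it. The LANGID values are the standard Windows locale identifiers for the listed languages (the sample may compare locale name strings instead; comparing by LANGID is an assumption here). The page gives only the 0xab01ff3 XOR constant, so the mixing step that follows it is a placeholder of my own, and the event-name format, the concatenation order and the Registry values used are all assumed and constructed inline.

```python
"""Re-implementation (added example, not the sample's code) of the locale
check and victim-identifier generation described in the analysis above."""

# Standard Windows LANGIDs for the languages on the sample's ignore list.
# (Fact: these are the documented Windows locale identifiers. Assumption:
# the sample compares by identifier rather than by locale name string.)
IGNORED_LANGIDS = {
    0x042C: "az-Latn-AZ", 0x082C: "az-Cyrl-AZ",   # Azerbaijani
    0x042B: "hy-AM",                               # Armenian
    0x0423: "be-BY",                               # Belarusian
    0x043F: "kk-KZ",                               # Kazakh
    0x0440: "ky-KG",                               # Kyrgyz
    0x0818: "ro-MD",                               # Moldavian (Romanian, Moldova)
    0x0428: "tg-Cyrl-TJ",                          # Tajik
    0x0419: "ru-RU", 0x0819: "ru-MD",              # Russian
    0x0442: "tk-TM",                               # Turkmen
    0x0443: "uz-Latn-UZ", 0x0843: "uz-Cyrl-UZ",    # Uzbek
    0x0422: "uk-UA",                               # Ukrainian
}

XOR_SEED = 0x0AB01FF3   # constant taken from the analysis above


def langid_is_ignored(langid: int) -> bool:
    """True if a single LANGID is on the ignore list (full LCID, low 16 bits)."""
    return (langid & 0xFFFF) in IGNORED_LANGIDS


def should_terminate(system_langids) -> bool:
    """Mirror of checkInstalledLanguages(): the sample terminates itself if
    any language on the system matches the ignore list."""
    return any(langid_is_ignored(lid) for lid in system_langids)


def build_fingerprint(hostname: str, username: str, registry_values) -> str:
    """Concatenate host data into one buffer. The order is an assumption;
    the page only states that the values are concatenated."""
    return "".join([hostname, username, *registry_values])


def victim_hash(data: str, seed: int = XOR_SEED) -> int:
    """Seed the state with 0xab01ff3 and fold the buffer in byte by byte.

    The XOR against the constant is taken from the analysis; the multiply
    that follows is a PLACEHOLDER (FNV-style) standing in for the sample's
    undocumented arithmetic. Strings are treated as UTF-16LE because the
    sample uses the wide-character (W) APIs."""
    h = seed
    for b in data.encode("utf-16-le"):
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF   # assumed mixing step
    return h


def event_name(victim_id: int) -> str:
    """Event name derived from the hash. The 'Global\\' prefix and hex
    formatting are assumptions; the page says only that the hash names the
    event. Knowing the derivation lets a defender predict the name and
    watch for (or pre-create) it."""
    return "Global\\" + format(victim_id, "08x")


if __name__ == "__main__":
    # Constructed sample host data (not taken from a real infection).
    langs = [0x0409, 0x0419]                  # en-US plus ru-RU installed
    print("terminate:", should_terminate(langs))
    fp = build_fingerprint("WIN-LAB01", "analyst", ["{1f2e3d4c-0000-0000-0000-000000000001}"])
    vid = victim_hash(fp)
    print("victim id: 0x%08x  event: %s" % (vid, event_name(vid)))
```

Running the block with a Russian locale present reports termination, which is exactly the behaviour analysts exploit when they add an ignore-list keyboard layout to a lab machine; with only en-US present it proceeds to derive the identifier and the event name from the constructed host data.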
The malware contains multiple embedded encrypted strings in the form of a configuration data file, which are decoded at runtime by the decryption_routine1 function.
The first three calls to the decryption routine yield three parts of the configuration: