
Fantom ransomware

6 years ago, Kaspersky reported a piece of ransomware that displayed a fake Windows Update screen while it encrypted files.

[Image: ransom note, /posts/malware-fantom-ransomware/ransom-note.png]

I don’t know how it is distributed, but I know execution starts at Fantom.exe. This appears to be an odd custom loader; all of the main functionality is implemented in the embedded .NET executables.

There are 2 parts to the ransomware: the encryptor and the fake Windows Update screen.

Assemblies

Encryptor

The encryptor assembly first has to be dumped from the running ransomware process with ExtremeDumper, and the dumped criticalupdate01.exe is then deobfuscated with .NET Reactor Slayer. The other dumped assemblies are loaders or duplicates. dnSpy is then used for the analysis.

The main functionality of the encryptor is in criticalupdate.Form1, with the core logic in its go function. The following happens there:

  • Extracts and executes WindowsUpdate.exe, the application responsible for the fake Windows Update screen
  • Makes sure its own file name does not contain a version marker such as v0
  • Disables Task Manager
  • Generates an encryption password and encrypts it with the embedded public key
  • Checks the machine’s IP address, although the result appears to be unused
  • Loops over all the files on all drives
    • Checks whether the file has one of the targeted extensions
    • If so, encrypts the file and appends the .fantom extension
    • Drops the ransom note DECRYPT_YOUR_FILES.HTML into the directory
  • Changes the wallpaper
  • Deletes the system restore backups
  • Deletes itself

Fake windows update

The WindowsUpdate.exe dropped into the user’s temp directory is only responsible for showing the Windows Update screen with a spinner. It stays on top, but you can simply alt+tab away from it and exit it.

[Image: fake update screen, /posts/malware-fantom-ransomware/update-screen.png]

IOCs

Hashes:

  • f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
  • 489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

Files:

  • DECRYPT_YOUR_FILES.HTML
  • C:\Users\user\AppData\Local\Temp\WindowsUpdate.exe
  • .fantom
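A small triage helper built around the file artefacts listed above (the .fantom extension, the DECRYPT_YOUR_FILES.HTML note and the WindowsUpdate.exe dropped into %TEMP%). This is an added example for incident responders, not code from the original post or from the malware; the directory tree it scans is constructed inline so it runs offline.

```python
"""Triage helper for the Fantom artefacts described above (added example)."""
import os
import tempfile

FANTOM_EXT = ".fantom"                 # appended to every encrypted file
RANSOM_NOTE = "DECRYPT_YOUR_FILES.HTML"  # dropped into each affected directory
DROPPED_LOADER = "WindowsUpdate.exe"   # fake update screen, dropped into %TEMP%


def scan_tree(root):
    """Walk root and collect Fantom indicators per directory.

    Returns {directory: {"encrypted": [names...], "note": bool}} containing
    only directories that hold at least one encrypted file or a ransom note.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(FANTOM_EXT))
        note = RANSOM_NOTE in files
        if encrypted or note:
            hits[dirpath] = {"encrypted": encrypted, "note": note}
    return hits


def summarize(hits):
    """Return (encrypted file count, number of directories with a ransom note)."""
    files = sum(len(h["encrypted"]) for h in hits.values())
    notes = sum(1 for h in hits.values() if h["note"])
    return files, notes


def dropped_loader_present(temp_dir=None):
    """Check the user's temp directory for the dropped WindowsUpdate.exe."""
    temp_dir = temp_dir or tempfile.gettempdir()
    return os.path.isfile(os.path.join(temp_dir, DROPPED_LOADER))


def build_sample_tree(base):
    """Create a constructed sample tree (not data from a real infection)."""
    docs = os.path.join(base, "Documents")
    pics = os.path.join(base, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for name in ("report.docx" + FANTOM_EXT, "budget.xlsx" + FANTOM_EXT, RANSOM_NOTE):
        open(os.path.join(docs, name), "wb").close()
    open(os.path.join(pics, "holiday.jpg"), "wb").close()  # untouched file
    return base


if __name__ == "__main__":
    root = build_sample_tree(tempfile.mkdtemp())
    for d, h in scan_tree(root).items():
        print(d, h)
    print("encrypted files, note dirs:", summarize(scan_tree(root)))
```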

File types: asf, pdf, xls, waw, txt, rtf, rar, avs, spr, d3dbsp, dif, mp3, pl, wb2, das, jpe, sfs, dxf, dot, pbp, mxp, qif, ppd, ari, asr, ipa, trp, mlx, djvu, act, pst, shw, xpt, css, w3x, euc, fpp, asset, pbf, aro, ex, col, disk, sav, php, vcd, wmv, ashx, ut3, api, ape, amxx, aip, yab, vc, tur, tu, tpx, swf, zoo, zipx, zap, z04, z02, xpi, war, wad, vsi, tlz, tg, tbz2, sqx, shr, shar, sh, litemod, rofl, DayZProfile, db0, vfs0, lrf, vpp_pc, arch00, ntl, fsh, rim, psk, tor, fpk, dazip, 001, esm, blob, dmp, layout, sid, sis, ztmp, vdf, fos, svg, hkdb, itl, mddata, sidd, bkp, bc6, t13, ibank, sum, sc2save, apk, forge, iwi, sdt, scx, scm, sad, pxp, pwf, ppf, sen, sdn, rev, puz, pcv, pak, jgz, gzig, gz, cbz, cbr, car, arj, odt, ods, doc, ppt, pptx, pptm, nri, nrg, mds, isz, img, flp, fcd, dvd, dmg, chk, cgf, bsp, blp, big, bic, abk, wdgt, url, svr, moz, htm, dap, cms, cer, bml, qbb, arc, 7z, wsh, wbk, unx, avi, wma, val, saf, raw, ra, xml, aspx, asp, sln, docx, max, gzip, tar, psa, potx, pot, pkh, pkb, pab, odp, odf, mdn, mbx, lcf, lcd, kmz, dii, opf, odi, odc, csv, ncd, nav, msp, mov, ifo, vob, mip, mic, mag, jpw, jpf, jpc, jiff, jif, ink, cam, dbfv, eps, jpg, dng, arw, dcr, erf, mrwref, rw2, r3d, pef, x3f, pem, pfx, p7c, jpeg, rb, py, desc, unity3d, lbf, bkf, qic, bc7, pkpass, tax, gdb, t12, sie, m4a, odt, odm, odb, xlsx, xlk, mdb, xf, mdf, pdd, cag, bmf, bmc, arr, amu, ais, adi, pbs, 3df8, 3d4, 3d, xvid, wvx, wmx, wmmp, wmd, wm, vdo, mp4, wav, cdr, ace, png, diz, crd, boc, bib, bdr, bdp, ase, asc, ans, aim, adt, cso, indd, asmx, cd, ccd, wtf, wtd, w3g, vtf, vmf, uxx, uvx, gif, bmp, md, pwm, kwm, mpg, mpeg, m2v, xlv, xll, xlam, xla, qtr, qpx, oxt, utx, utc, dxe, dvi, dotx, dotm, dex, ddcx, ddc, nds, mdl, md3, lvl, lgp, ldb, iwd, h4r, h3m, grf, gam, ff, elf, dem, cty, owl, lbi, java, jav, dal, ctt, cch, dic, adpb, ade, snp, vhd, dwg, amr, amf, aac, mbox, man, ltr, lp2, kwd, idx, gthr, prt, prc, ppsm, potm, jc, dbx, clr, bpl, bp3, bp2, slt, dbb, cwf, cfg, fds, fdr, faq, srf, cr2, nrw, orf, ptx, crt, p12, wpd, dxg, wps, log, bak, html, bck, 1cd, yps, xlm, wpl, ver, std, ap, adr, udf, js, jar, isu, flv, m3u, xxx, ascx, asa, wotreplay, rgss3a, epk, bik, slm, re4, bsa, ltx, for, fla, f90, abw, xwd, mkv, json, ac3, flac, exif, jfif, p7b, der, srw, rwl, raf, nef, mrw, mef, kdc, crw, bay, sr2, 3fr, ai, dbf, ut2, usx, usa, err, uop, unr, umx, uax, sud, ogg, oga, tax2016, tax2015, mod, accdb, upk, bar, hkx, kdb, mpqge, mcmeta, m2, cfr, snx, tpu, swd, so, rsrc, res, pm, pli, plc, svi, stx, srt, scn, rv, rum, rts, tch, qtq, evo, dvx, divx, dir, sfx, eql, dsp, dsk, dpr, dpl, dpk, dox, dob, dev, dcu, dcp, csi, cs, cpp, cp, cod, cc, cap, mcd, xlwx, ltm, xltx, xlsb, xlr, xlc, xl, wmdb, wks, vmt, upoi, vpk, kf, menu, ncf, mcgame, sb, itm, wmo, map, cas, gho, syncdb, mdbackup, hplg, hvpl, icxs, itdb, sidn, qdf, zip, psd, msg, wave, wow, wpk, 3g2, 3gp, 3gp2, 3mm, tif, docm, xlsm, pps, ppsx, qel, rgn, rsw, rte, sdb, sdc, sds, sql, stt, tcx, thmx, txd, txf, amx, nfo, now, oft, pwi, rng, rtx, run, ssa, text, rrt