The ASEC analysis team has discovered that the STOP ransomware is being distributed in Korea. It is being distributed at such a high volume that it ranks among the Top 3 in the ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022). The files currently being distributed are in the MalPe form, just like SmokeLoader and Vidar, and their filenames consist of a random 4-byte string as shown below.
- %SystemDrive%\users\[user]\appdata\local\temp\4316.exe
- %SystemDrive%\users\[user]\appdata\local\temp\8c21.exe
- %SystemDrive%\users\[user]\appdata\local\temp\a579.exe
- %SystemDrive%\users\[user]\appdata\local\[uuid]\2399.exe
- %SystemDrive%\users\[user]\appdata\local\[uuid]\1da9.exe
When the ransomware is executed, it first connects to hxxps://api.2ip.ua/geo.json and checks the country code. If the code corresponds to any of the countries below, encryption is not performed.
Country Code
If the identified code is not in the list above, a folder named [uuid] is created under %LOCALAPPDATA% and the executable copies itself into this folder. Afterward, the copied file is registered with the –AutoStart argument as the SysHelper value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.

Created registry
Also, to prevent the copied file from being modified or deleted, the icacls command is used to remove all permissions on this folder and its subfolders.
- Execution command: icacls "%LocalAppData%\[uuid]" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Modified folder permissions
Afterward, so that the ransomware file keeps running, a task named Time Trigger Task is added to Task Scheduler. The file registered in Task Scheduler is then run every 5 minutes with –Task as the argument.

Task Scheduler
Additionally, so that the ransomware runs with admin privileges, it is executed through Runas with –Admin IsNotAutoStart IsNotTask as the arguments.
The STOP ransomware connects to hxxp://fresherlights[.]com/test1/get.php?pid=[MD5 HASH value of the MAC address] and downloads the key data for file encryption. The downloaded data is saved in %LOCALAPPDATA%\bowsakkdestx.txt, and if the above URL is unavailable, the data within the ransomware is used.

bowsakkdestx.txt file
Files, folders, and extensions that are excluded from encryption are as follows.
Folders excluded from encryption: C:\SystemID\, C:\Users\Default User\, C:\Users\Public\, C:\Users\All Users\, C:\Users\Default\, C:\Documents and Settings\, C:\ProgramData\, C:\Recovery\, C:\System Volume Information\, C:\Users\vmuser\AppData\Roaming\, C:\Users\vmuser\AppData\Local\, C:\Windows\, C:\PerfLogs\, C:\ProgramData\Microsoft\, C:\ProgramData\Package Cache\, C:\Users\Public\, C:\$Recycle.Bin\, C:\$WINDOWS.~BT\, C:\dell\, C:\Intel\, C:\MSOCache\, C:\Program Files\, C:\Program Files (x86)\, C:\Games\, C:\Windows.old\, D:\Users\[user]\AppData\Roaming\, D:\Users\[user]\AppData\Local\, D:\Windows\, D:\PerfLogs\, D:\dell\, D:\Intel\, D:\MSOCache\, D:\Games\, D:\ProgramData\Desktop\, D:\ProgramData\Microsoft\, D:\ProgramData\Package Cache\, D:\$Recycle.Bin\, D:\$WINDOWS.~BT\, D:\Program Files\, D:\Program Files (x86)\, E:\dell\, E:\Windows\, E:\PerfLogs\, E:\Users\Public\, E:\$Recycle.Bin\, E:\$WINDOWS.~BT\, E:\Program Files\, E:\Intel\, E:\MSOCache\, E:\Program Files (x86)\, E:\Games\, E:\ProgramData\Desktop\, E:\Users\vmuser\AppData\Roaming\, E:\Users\vmuser\AppData\Local\, E:\ProgramData\Microsoft\, E:\ProgramData\Package Cache\, F:\dell\, F:\Windows\, F:\PerfLogs\, F:\ProgramData\Desktop\, F:\Users\Public\, F:\$Recycle.Bin\, F:\$WINDOWS.~BT\, F:\Intel\, F:\Users\[user]\AppData\Roaming\, F:\Users\[user]\AppData\Local\, F:\ProgramData\Microsoft\
Files excluded from encryption: ntuser.dat, ntuser.dat.LOG1, ntuser.dat.LOG2, ntuser.pol
Extensions excluded from encryption: .sys, .ini, .DLL, .dll, .blf, .bat, .lnk, .regtrans-ms
Upon infection, the filenames are changed to "[Original filename].bowd", and the following ransom note is generated.

Ransom note ( _readme.txt )
As this ransomware is currently being mass-distributed, a variety of extensions have been detected besides .bowd.
Date of Identification | File Extension
11/03 | .bowd
11/07 | .zate
11/16 | .fatp
11/24 | .tcvp
11/29 | .kcvp
12/01 | .uyit
The STOP ransomware is run with a variety of argument values, and each argument performs a distinct function. In addition to file encryption, some variants have a feature that downloads additional malware. The files downloaded through the STOP ransomware include banking malware and various other malware, so users are advised to be cautious.
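The following host triage script checks a Windows machine for the persistence artifacts described above (the SysHelper Run value, the Time Trigger Task scheduled task, the deny ACE on the %LOCALAPPDATA%\[uuid] folder and the bowsakkdestx.txt key file) and for files carrying the extensions in the table above. It is an added example written for this post, not AhnLab's own tooling; it assumes the [uuid] folder name is a GUID (with or without braces), which the post does not state.

```powershell
# Triage for STOP ransomware host artifacts described in this post (added example).
# Assumption: the [uuid] folder under %LOCALAPPDATA% is named with a GUID, optionally braced.
$findings = @()

# 1. Run key value "SysHelper" (registered with the --AutoStart argument)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$sysHelper = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).SysHelper
if ($sysHelper) { $findings += "Run value SysHelper present: $sysHelper" }

# 2. Scheduled task "Time Trigger Task" (runs the copy every 5 minutes with --Task)
$task = Get-ScheduledTask -TaskName 'Time Trigger Task' -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task 'Time Trigger Task' present: $action"
}

# 3. Downloaded key data saved next to the copied executable
$keyFile = Join-Path $env:LOCALAPPDATA 'bowsakkdestx.txt'
if (Test-Path $keyFile) { $findings += "Key file present: $keyFile" }

# 4. GUID-named folder under %LOCALAPPDATA% with a Deny ACE for Everyone (S-1-1-0) on DE/DC
$guidPattern = '^\{?[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}?$'
$deleteRights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
                [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
Get-ChildItem -Path $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $guidPattern } |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -in @('Everyone', 'S-1-1-0') -and
            (($_.FileSystemRights -band $deleteRights) -ne 0)
        }
        if ($deny) { $findings += "Deny-delete ACE for Everyone on $($_.FullName)" }
    }

# 5. Encrypted files and ransom notes in the user profile (extensions from the table above)
$extensions = '.bowd', '.zate', '.fatp', '.tcvp', '.kcvp', '.uyit'
$hits = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in $extensions -or $_.Name -eq '_readme.txt' } |
    Select-Object -First 20
foreach ($h in $hits) { $findings += "Suspicious file: $($h.FullName)" }

if ($findings.Count -eq 0) { 'No STOP ransomware artifacts found.' } else { $findings }
```

Run it in an elevated PowerShell session on the suspect host; a hit on items 1, 2 or 4 indicates the persistence chain is in place even if no encrypted files have been written yet.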
[File Detection]
- Trojan/Win.SmokeLoader.R532839(2022.11.04.02)
- Trojan/Win.Generic.R533564(2022.11.08.03)
- Infostealer/Win.Raccoon.R534639(2022.11.16.02)
- Trojan/Win.SmokeLoader.R536008(2022.11.25.01)
- Ransomware/Win.Extensions.C5314354(2022.11.26.00)
- Downloader/Win.BeamWinHTTP.R536869(2022.12.01.02)
- Trojan/Win.SmokeLoader.R536926(2022.12.02.01)
[Behavior Detection]
- Persistence/MDP.AutoRun.M203
[IOC Info]
- hxxp://fresherlights[.]com/test1/get.php
- hxxp://uaery[.]top/dl/build2.exe
- hxxp://fresherlights[.]com/files/1/build3.exe