cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

TAU-TIN – PyCrypter Ransomware

TAU-TIN – PyCrypter Ransomware

Threat Analysis Unit - Threat Intelligence Notification

Title: TAU-TIN – PyCrypter Ransomware

Summary

PyCrypter is a ransomware variant that is written in Python with the source code publicly available. PyCrypter entrenches to automatically run on startup and read web browser data. It will also delete volume shadow copies by using scheduled tasks to ensure all the data cannot be restored easily. Following is the screenshot of the ransom note by PyCrypter Ransomware.

py1.png

Figure 1: Screenshot of the ransom note

This post serves to inform our customers about detection and protection capabilities within the VMware Carbon Black suite of products against PyCrypter Ransomware.

Details

PyCrypter variants will perform the following behavior:

  • Add registry key to ensure it will run every startup:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Crypter = “Malware Directory”
  • Disable Windows Task Manager by modify its registry key value

py2.png

Figure 2: Event log from Cloud Enterprise EDR (CB ThreatHunter)

  • It will read user’s sensitive data from web browser from the following files:
    • %APPDATA%\Roaming\Mozilla\Firefox\profiles.ini
    • %APPDATA%\Local\Microsoft\Windows\History\desktop.ini
    • %APPDATA%\Local\Google\Chrome*
  • It will append the predefined extension value on the encrypted file; on this analyzed sample it was “.hitman”.

py3.png

Figure 3: Event log from Cloud Enterprise EDR (CB ThreatHunter) displaying PyCrypter appending “.hitman” as file extension onto encrypted files.

 

py4.png

Figure 4: Screenshot from PyCrypter created file “runtime.cfg”

  • It will encrypt all files with the following list of extensions:

dat

3dm

3g2

rtf

xltx

wma

class

rar

keychain

3ds

3gp

tex

prn

msi

cpp

tar

sdf

max

asf

wpd

dif

php

cs

7z

vcf

obj

flv

wps

slk

apk

h

cbr

jpg

dds

m4v

csv

xlam

app

java

deb

png

psd

mov

ged

xla

bat

lua

gz

tiff

tga

mpg

key

ods

cgi

pl

pkg

tif

thm

rm

pps

docm

com

py

rpm

gif

tif

srt

ppt

dotx

asp

sh

zipx

jpeg

tiff

swf

pptx

dotm

aspx

sln

iso

jif

yuv

vob

xml

xps

cer

swift

ged

jfif

ai

wmv

json

ics

cfm

vb

accdb

jp2

eps

doc

xlsx

mp3

css

vcxproj

db

jpx

ps

docx

xlsm

aif

htm

dem

dbf

j2k

svg

txt

xlsb

iff

html

gam

mdb

j2c

indd

pdf

xls

m3u

js

nes

sql

fpx

pct

log

mht

m4a

jsp

rom

fnt

pcd

mp4

msg

mhtml

mid

rss

sav

fon

bmp

avi

odt

htm

mpa

xhtml

tgz

otf

svg

mkv

pages

html

wav

c

zip

ttf

cfg

ini

prf

bak

old

tmp

torrent

 

 

  • It will also create additional files and multiple Python modules and code used by the ransomware under the folder %TEMP%_MEI[random number], such as the following listed file but not limited to:
    •  %APPDATA%\encrypted_files.txt
    • <Running Malware directory>\key.txt
    • %TEMP%\_MEI[random number]\runtime.cfg
    • %TEMP%\_MEI[random number]\bitcoin.bmp
    • %TEMP%\_MEI[random number]\lock.bmp
    • %TEMP%\_MEI[random number]\lock.ico
    • %TEMP%\_MEI[random number]\Crypto.Cipher._AES.pyd
    • %TEMP%\_MEI[random number]\Crypto.Cipher._DES.pyd
    • %TEMP%\_MEI[random number]\Crypto.Cipher._DES3.pyd
    • %TEMP%\_MEI[random number]\Crypto.Hash._SHA256.pyd
    • %TEMP%\_MEI[random number]\Crypto.Random.OSRNG.winrandom.pyd
    • %TEMP%\_MEI[random number]\Crypto.Util._counter.pyd
    • %TEMP%\_MEI[random number]\Crypto.Util.strxor.pyd
    • %TEMP%\_MEI[random number]\Include\pyconfig.h

 

py5.png

Figure 5: Event log from Cloud Enterprise EDR (CB ThreatHunter) showing PyCrypter creating additional files.

 

  • It will perform the deletion of volume shadow copies by creating a scheduled task with the following command: (Refer to Figure 6 for Process Chart)
    • C:\Windows\system32\cmd.exe /c "schtasks /create /tn updater47 /sc once /sd 01/01/1901 /tr "vssadmin Delete Shadows /All /Quiet" /st 00:00 /rl highest /ru SYSTEM /f"
    • C:\Windows\system32\cmd.exe /c "schtasks /run /i /tn updater47"
    • C:\Windows\system32\cmd.exe /c "schtasks /delete /tn updater47 /f"

 

Behavioral Summary

The following is a screenshot of Cloud Enterprise EDR (CB ThreatHunter) process chart by PyCrypter.

py6.png

Figure 6: Process Chart by PyCrypter

 

In addition, VMware Carbon Black Cloud Endpoint Standard (CB Defense) will display the malware’s overall triggered TTPs.

py7.png


Remediation:

MITRE ATT&CK TIDs

TID Tactics Technique
T1045 Defense Evasion Software Packing
T1143 Defense Evasion Hidden Window
T1083 Discovery File and Directory Discovery
T1060 Persistence Registry Run Keys / Startup Folder
T1112 Defense Evasion Modify Registry
T1036 Defense Evasion Masquerading
T1053 Execution,Privilege Escalation,Persistence Scheduled Task
T1119 Collection Automated Collection
T1081 Credential Access Credentials in Files
T1005 Collection Data from Local System
T1486 Impact Data Encrypted for Impact
T1056 Collection,Credential Access Input Capture
T1490 Impact Inhibit System Recovery
T1485 Impact Data Destruction

 

Indicators of Compromise (IOCs)

Indicator Type Context
4c0424fa3d761aa5bf79e3c61ab5880540d38c4fff7a241b1ef7113e3f1428d3 SHA 256 PyCrypter Ransomware
3682a60045347162d752932e2169a41d MD5 PyCrypter Ransomware
Labels (3)
0 Kudos
Article Information
Author:
Creation Date:
‎04-07-2020
Views:
98
Contributors