Analyze some TorrentLocker variant

To commit myself to doing some malware analysis, here is a short announcement that I am starting to analyze the following sample:

SHA 256 df7b812698866cf104eb2050032da470a1dd4bf97f1f69ed5522d9ebd727cd13

MD5 0e0dec5e31efb8841954e6de6b57151e

It’s well detected and seems to be ransomware. So let’s see if this post will get some updates in the future.

Ad-Aware Dropped:Trojan.Generic.20526704 20170327
AegisLab Troj.Ad.Teerac!c 20170327
AhnLab-V3 Malware/Win32.Ransom_.C1881385 20170327
ALYac Dropped:Trojan.Generic.20526704 20170327
Antiy-AVL Trojan/Win32.BTSGeneric 20170327
Arcabit Trojan.Generic.D1393670 20170327
Avast Win32:Malware-gen 20170327
AVG Inject3.CEOC 20170327
Avira (no cloud) TR/AD.Teerac.ljbch 20170327
AVware Trojan.Win32.Generic!BT 20170327
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9998 20170327
BitDefender Dropped:Trojan.Generic.20526704 20170327
CAT-QuickHeal Ransom.Enestedel 20170327
Cyren W32/Trojan.XAFT-1332 20170327
DrWeb Trojan.Encoder.761 20170327
Emsisoft Dropped:Trojan.Generic.20526704 (B) 20170327
ESET-NOD32 Win32/Filecoder.TorrentLocker.A 20170327
F-Secure Trojan.Generic.20526704 20170327
Fortinet W32/Teerac.A!tr 20170327
GData Dropped:Trojan.Generic.20526704 20170327
Invincea trojandownloader.win32.zlob.ama 20170203
K7AntiVirus Trojan ( 004e24c81 ) 20170327
K7GW Trojan ( 004e24c81 ) 20170327
Kaspersky 20170327
Malwarebytes Ransom.FileCryptor 20170327
McAfee RDN/Ransom 20170327
McAfee-GW-Edition BehavesLike.AdwareDoma.fc 20170327
Microsoft Ransom:Win32/Teerac 20170327
eScan Dropped:Trojan.Generic.20526704 20170327
Panda Trj/Agent.MM 20170327
Rising Ransom.FileCryptor!8.1A7 (cloud:fQfnzKNcPvB) 20170327
Sophos Troj/TorrentL-Z 20170327
Symantec Trojan.Gen.NPE 20170327
TrendMicro Ransom_.9BF54A21 20170327
VIPRE Trojan.Win32.Generic!BT 20170327
Webroot W32.Trojan.Gen 20170327
ZoneAlarm by Check Point 20170327

Some first notes:

After launch, the malware checks what the current temp directory is and tries to
write a file to that directory: nsk83FC.tmp

Next it immediately removes the file again. Apparently the malware wants to check whether a writable temp directory is available.

Next it checks how the executable is running.

Next it checks the size of the executable, which in my case is 370338 bytes (0x5A6A2). This is compared to a value in EBX, which seems to be 0 (??).
The size is saved in the data section. The following jump is a jle against 0, so the jump is always taken.

The malware starts to create some files in the temp directory:

Flapdoodle, 275 KB file; binwalk gives no information, no readable strings.

Gareth.dll, 38 KB file, Microsoft Portable Executable (PE).
This DLL seems to create a new process or inject code into a running process. It also has a string reference to Flapdoodle and an interesting function _ReturnTilapia (to be analyzed).

Next it creates a directory in the Temp folder, nst4BA2.tmp, which has the following files in it:

System.dll, which binwalk also identifies as an MS executable.

Next the executable crashed with a message saying: There is no email program associated to perform the requested action. Please install an email program or, if one is already installed, create an association in the Default Programs control panel.

After creating the files, the malware tries to load Gareth.dll, but apparently this fails.
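To turn the write-then-delete temp probe and the dropped file names noted above into something a defender can check automatically, here is an added example (my own code, not from the original post): it parses a small constructed log in a layout loosely modelled on Process Monitor output and flags both patterns. The ns?XXXX.tmp naming regex, the one-second window and the delete operation names are my assumptions.

```python
import re
from datetime import datetime

# Constructed sample events ("time operation path"), loosely modelled on Process
# Monitor output; the file names are the ones observed in the post.
SAMPLE_EVENTS = """\
12:00:01.100 CreateFile C:\\Users\\lab\\AppData\\Local\\Temp\\nsk83FC.tmp
12:00:01.102 WriteFile C:\\Users\\lab\\AppData\\Local\\Temp\\nsk83FC.tmp
12:00:01.104 SetDispositionInformationFile C:\\Users\\lab\\AppData\\Local\\Temp\\nsk83FC.tmp
12:00:02.500 CreateFile C:\\Users\\lab\\AppData\\Local\\Temp\\Flapdoodle
12:00:02.700 CreateFile C:\\Users\\lab\\AppData\\Local\\Temp\\Gareth.dll
12:00:03.000 CreateFile C:\\Users\\lab\\AppData\\Local\\Temp\\nst4BA2.tmp\\System.dll
12:00:09.000 CreateFile C:\\Users\\lab\\Documents\\report.docx
"""

# Assumed naming pattern for the probe file (nsk83FC.tmp in the post).
TEMP_TMP = re.compile(r"\\Temp\\ns[a-z][0-9A-F]{4}\.tmp$", re.IGNORECASE)
DROPPED = {"flapdoodle", "gareth.dll", "system.dll"}
DELETE_OPS = {"SetDispositionInformationFile", "DeleteFile"}

def parse_events(text):
    """Return [(timestamp, operation, path)] from the whitespace-separated log."""
    events = []
    for line in text.splitlines():
        ts, op, path = line.split(" ", 2)
        events.append((datetime.strptime(ts, "%H:%M:%S.%f"), op, path))
    return events

def find_temp_probe(events, max_gap=1.0):
    """Temp\\ns*.tmp files created and deleted within max_gap seconds (the probe)."""
    created, probes = {}, []
    for ts, op, path in events:
        if not TEMP_TMP.search(path):
            continue
        if op == "CreateFile":
            created.setdefault(path, ts)
        elif op in DELETE_OPS and path in created:
            if (ts - created[path]).total_seconds() <= max_gap:
                probes.append(path)
    return probes

def find_dropped_artifacts(events):
    """Paths whose file name matches one of the dropped components."""
    return [p for _, op, p in events
            if op == "CreateFile" and p.rsplit("\\", 1)[-1].lower() in DROPPED]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("temp probe:", find_temp_probe(evs), "dropped:", find_dropped_artifacts(evs))
```

On a real capture, point parse_events at an exported log in the same three-column layout; the 370338-byte size check from the post is a static property and is easier to match by hash than by behaviour.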

Update: I cannot get this TorrentLocker sample working. Tried on Win7 & Win10 64-bit but no go. Will not work...

So up to the next sample.

One thought on “Analyze some TorrentLocker variant”

  1. Dear Sir,
    I have been attacked by a ransomware that encrypted all my files. I think it is enestedel.b rsm (not sure), can you advise me what to do in order to restore my files.
