FortiGuard Labs Threat Research Report
Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Encrypting important files on victims’ computers for ransom
Severity level: Critical
Last week, FortiGuard Labs captured a new Thanos ransomware sample. This ransomware is widely advertised on the underground market as a Ransomware-as-a-Service (RaaS) tool. In this blog we present our analysis of the captured sample.
Malware PE File
This malware was written in C# (C-Sharp), a programming language developed by Microsoft that runs on the .NET Framework. Checking the PE file with the “Detect It Easy” tool, we can see that no packer or obfuscator was detected, and that it was compiled using VB.NET.
Another powerful tool we use to debug and analyze .NET-related malware is dnSpy.
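As an added example (not code from the FortiGuard write-up), the script below performs the first step of that triage programmatically: it checks whether a PE image carries a CLR runtime header, which is what marks a file as a .NET assembly that dnSpy can decompile. The `build_minimal_pe` helper only produces constructed header-only test input; it is not derived from the sample.

```python
import struct

# Index of the CLR runtime header in the optional header's data directory array.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def is_dotnet_assembly(pe: bytes) -> bool:
    """Return True if the PE image has a non-empty CLR runtime header (i.e. is managed .NET code)."""
    try:
        if pe[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 4 + 20            # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", pe, opt)[0]
        if magic == PE32_MAGIC:
            dirs = opt + 96                # data directories start at offset 96 in PE32 ...
        elif magic == PE32PLUS_MAGIC:
            dirs = opt + 112               # ... and at offset 112 in PE32+
        else:
            return False
        num_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes
        if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            return False
        rva, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        return rva != 0 and size != 0
    except struct.error:                   # truncated or malformed headers
        return False


def build_minimal_pe(managed: bool) -> bytes:
    """Constructed header-only PE32 image for testing; placeholder values, not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)     # i386, no sections, 224-byte optional header
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 90 + struct.pack("<I", 16)  # NumberOfRvaAndSizes = 16
    dirs = [(0, 0)] * 16
    if managed:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)    # placeholder CLR header RVA/size
    return dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print("managed .NET assembly" if is_dotnet_assembly(f.read()) else "native or not a PE")
```

A positive result means the file is worth opening in dnSpy rather than a native disassembler; it says nothing about which compiler (C# or VB.NET) produced it, which is what Detect It Easy adds on top.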
As shown in Figure 2, the source code has been obfuscated. I tried to deobfuscate this sample using de4dot, but the tool detected an unknown obfuscator in the sample and failed to deobfuscate it. This makes it a little bit tricky for static analysis.
Through debugging and analyzing the decompiled code in dnSpy, however, we still found a number of switch flags identifying which functionality is enabled. The variable names have also been obfuscated.
For example, if the network-spreading flag is enabled, the malware will download “paexec” from the URLs in Figure 4 and save it into the folder “C:\Users\[username]\AppData\Local\Temp”. It then uses “paexec” to install the malware on other machines.