Ring Ø Labs DOES NOT promote or advocate using any of the malware, techniques, or information presented in this site for harm. Doing so may violate the law. The topics mentioned here are for educational purposes only. Read more about us here

Thursday, July 6, 2017

ElmersGlue_3.exe

ElmersGlue is a UPX packed ransomware application that will ‘lock’ your computer until you pay approximately $150 USD in BitCoin. However, the computer can be unlocked without paying.








RING Ø LABS

Malware Report


DETAILS

VIDEO934284717.mp4.exe is a UPX packed ransomware application called ElmersGlue_3.exe. Unpacking the file can be accomplished with any UPX utility. As pointed out by an astute reader, UPX is unable to pack .NET applications. The ransomware in question is not natively packed with UPX, rather the overarching EXE (the dropper) is packed and this is the portion we can unpack with UPX.


ElmersGlue extracts a copy of itself to the %Temp% directory and achieves persistence by copying this same file to the Windows Startup Folder. A batch file that launches the extracted ElmersGlue program is also written to the %Temp% directory.





Once running, ElmersGlue locks the current desktop environment by remaining the topmost application at all times. ALT-TAB, CTRL-ALT-DEL, and other methods of regaining control of other processes have no effect because this window stays on top.



The ElmersGlue GUI claims that the current computer has been locked and that a ransom of $150 USD in BitCoins must be paid to unlock it. The application also claims that each computer is locked with a unique key. This isn’t true.





Upon closer inspection of the .NET code, it becomes clear that there is a hardcoded UNLOCK key: 83502631947189478135791649134973. This key successfully unlocks the computer.





DROPPED FILES

C:\Users\User\AppData\Local\Temp\1A45.tmp\ElmersGlue_3.exe
C:\Users\User\AppData\Local\Temp\1A45.tmp\1A55.bat


PERSISTENCE

C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ElmersGlue_3.exe


REGISTRY

machine\software\microsoft\windows\windows error reporting\dontshowui = 00000001
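The DROPPED FILES, PERSISTENCE and REGISTRY sections above, together with the MD5 under FILE DETAILS, give a host-triage analyst enough to write a matcher. The following is an added example, not tooling from the Ring Ø Labs report: it scans a simplified, constructed telemetry format (the Event record is an assumption for illustration) for the report's indicators. The %Temp% folder name (1A45.tmp) and the batch file name (1A55.bat) look run-specific, so the matcher checks the shape of those paths rather than the literal names, and it treats the WER DontShowUI value on its own as weak evidence because that setting is common outside this malware.

```python
"""Host-triage matcher for the ElmersGlue indicators in this report.

Added example, not the report's own tooling. The Event record is a constructed,
simplified telemetry format assumed for illustration; the indicator values
(dropped-file paths, Startup-folder copy, WER registry value, MD5) are the ones
the report lists above and in FILE DETAILS.
"""
import re
from dataclasses import dataclass, field
from typing import List

# MD5 of VIDEO934284717.mp4.exe as given in FILE DETAILS.
ELMERSGLUE_MD5 = "8f96e8a051cb8df97a27c36dcf71d585"

# Dropped copy and launcher batch file inside a %Temp%\XXXX.tmp folder.
# The folder (1A45.tmp) and batch name (1A55.bat) look run-specific, so the
# shape is matched rather than the literal names.
_TEMP = r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[0-9a-f]{4}\.tmp\\"
DROPPED_EXE = re.compile(_TEMP + r"elmersglue_3\.exe$", re.I)
DROPPED_BAT = re.compile(_TEMP + r"[0-9a-f]{4}\.bat$", re.I)

# Persistence: copy in the per-user Startup folder.
STARTUP_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\"
    r"start menu\\programs\\startup\\elmersglue_3\.exe$", re.I)

# Registry: Windows Error Reporting UI suppressed (DontShowUI = 1).
WER_KEY = r"machine\software\microsoft\windows\windows error reporting"
WER_VALUE = "dontshowui"


@dataclass
class Event:
    kind: str          # "file_write", "file_hash" or "reg_set"
    path: str          # file path, or registry key for reg_set
    value: str = ""    # MD5 digest for file_hash, data for reg_set
    name: str = ""     # registry value name for reg_set


@dataclass
class Verdict:
    hits: List[str] = field(default_factory=list)

    @property
    def is_elmersglue(self) -> bool:
        """Hash match is conclusive; otherwise require the Startup-folder copy
        plus at least one more indicator, since DontShowUI alone is common."""
        if "known_hash" in self.hits:
            return True
        return "startup_persistence" in self.hits and len(self.hits) >= 2


def _classify(ev: Event) -> str:
    """Return the indicator name an event matches, or '' if none."""
    if ev.kind == "file_hash" and ev.value.lower() == ELMERSGLUE_MD5:
        return "known_hash"
    if ev.kind == "file_write":
        if DROPPED_EXE.match(ev.path):
            return "dropped_exe"
        if DROPPED_BAT.match(ev.path):
            return "dropped_bat"
        if STARTUP_EXE.match(ev.path):
            return "startup_persistence"
    if ev.kind == "reg_set":
        if (ev.path.lower().rstrip("\\") == WER_KEY
                and ev.name.lower() == WER_VALUE
                and ev.value.lstrip("0") == "1"):
            return "wer_dontshowui"
    return ""


def match_events(events: List[Event]) -> Verdict:
    """Scan telemetry and return the sorted set of ElmersGlue indicators seen."""
    hits = {name for name in map(_classify, events) if name}
    return Verdict(hits=sorted(hits))


if __name__ == "__main__":
    # Constructed sample telemetry mirroring the report's DROPPED FILES,
    # PERSISTENCE, REGISTRY and FILE DETAILS sections.
    sample = [
        Event("file_write", r"C:\Users\User\AppData\Local\Temp\1A45.tmp\ElmersGlue_3.exe"),
        Event("file_write", r"C:\Users\User\AppData\Local\Temp\1A45.tmp\1A55.bat"),
        Event("file_write", r"C:\Users\User\AppData\Roaming\Microsoft\Windows"
                            r"\Start Menu\Programs\Startup\ElmersGlue_3.exe"),
        Event("reg_set", WER_KEY, value="00000001", name="DontShowUI"),
        Event("file_hash", r"C:\Users\User\Downloads\VIDEO934284717.mp4.exe",
              value=ELMERSGLUE_MD5),
        Event("file_write", r"C:\Users\User\Documents\notes.txt"),
    ]
    verdict = match_events(sample)
    print(verdict.hits, verdict.is_elmersglue)
```

Feeding real EDR or Sysmon output into this would only require mapping file-create, file-hash and registry-set events onto the Event record; the indicator logic stays the same. A hash hit is treated as conclusive on its own, whereas the path-shaped indicators need the Startup-folder copy plus one more hit, which keeps a lone DontShowUI change from raising a false alarm.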


DETECTION

The following indicators have been uploaded to Alienvault for blocking:



CONCLUSION

This version of ElmersGlue ransomware attempts to extort $150 USD in BitCoin from the user after locking their computer. The ransomware claims that each computer is locked with a unique key, but a hardcoded key was uncovered which allows the user to unlock their machine without paying a ransom.


FILE DETAILS

Filename: VIDEO934284717.mp4.exe
Packer: UPX
Hash (MD5): 8f96e8a051cb8df97a27c36dcf71d585
Type: Ransomware - ElmersGlue
Sample
Video