ElmersGlue_3.exe

malware analysis fake ransomware elmersglue
ElmersGlue is a UPX packed ransomware application that will 'lock' your computer until you pay approximately $150 USD in BitCoin. However, the computer can be unlocked without paying.
Filename: VIDEO934284717.mp4.exe
MD5: 8f96e8a051cb8df97a27c36dcf71d585


DETAILS 

VIDEO934284717.mp4.exe is a UPX packed ransomware application called ElmersGlue_3.exe. Unpacking the file can be accomplished with any UPX utility. As pointed out by an astute reader, UPX is unable to pack .NET applications. The ransomware itself is therefore not packed with UPX; rather, the outer EXE (the dropper) is, and that is the portion we can unpack with UPX.


ElmersGlue extracts a copy of itself to the %Temp% directory and achieves persistence by copying this same file to the Windows Startup Folder. A batch file is also written to the %Temp% directory which launches the extracted ElmersGlue program.




Once running, ElmersGlue locks the current desktop environment by keeping its window topmost at all times. ALT-TAB, CTRL-ALT-DEL, and other methods of switching to another process have no effect because this window always stays on top.



The ElmersGlue GUI claims that the current computer has been locked and that a ransom of $150 USD in BitCoins must be paid to unlock it. The application also claims that each computer is locked with a unique key. This isn’t true.




Upon closer inspection of the .NET code, it becomes clear that there is a hardcoded UNLOCK key: 83502631947189478135791649134973. This key successfully unlocks the computer.


CONCLUSION

This version of ElmersGlue ransomware attempts to extort $150 USD in BitCoin from the user after locking their computer. The ransomware claims that each computer is locked with a unique key, but a hardcoded key was uncovered which allows the user to unlock their machine without paying a ransom.