RING Ø LABS
VIDEO934284717.mp4.exe is a UPX-packed dropper for a .NET ransomware application called ElmersGlue_3.exe. The outer file can be unpacked with any UPX utility. As an astute reader pointed out, UPX cannot pack .NET applications, so the ransomware itself is not UPX-packed; only the overarching EXE (the dropper) is, and that is the portion that can be unpacked with UPX.
ElmersGlue extracts a copy of itself to the %Temp% directory and achieves persistence by copying the same file to the Windows Startup folder. A batch file that launches the extracted ElmersGlue program is also written to %Temp%.
Once running, ElmersGlue locks the current desktop by keeping its window as the topmost application at all times. ALT-TAB, CTRL-ALT-DEL and other methods of regaining control of other processes have no effect because the window remains topmost.
The ElmersGlue GUI claims that the computer has been locked and that a ransom of $150 USD in Bitcoin must be paid to unlock it. The application also claims that each computer is locked with a unique key. This isn't true.
Upon closer inspection of the .NET code, it becomes clear that there is a hardcoded UNLOCK key: 83502631947189478135791649134973.
This key successfully unlocks the computer.
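A quick way to confirm a claim like this without a full decompile is to look for long numeric string literals in the binary. .NET stores string literals in the #US metadata heap as UTF-16LE, so a 32-digit key is visible as digit bytes interleaved with NULs. The following script is an added example written for this post, not code from the sample or from Ring Ø Labs; the sample bytes it scans are a constructed stand-in for a #US heap fragment that embeds the key quoted above, and the 16-digit threshold is an assumption chosen to skip short numbers such as prices and years.

```python
"""Scan a binary for long digit-only string literals, the shape a hardcoded
unlock key takes in a .NET assembly (UTF-16LE) or a native dropper (ASCII).

Added example; the embedded sample data is constructed, not the real binary.
"""
import re
import sys

MIN_DIGITS = 16  # assumption: anything shorter is likely a price, date or build number

# Key quoted in the write-up, used here only to build the constructed sample.
KNOWN_KEY = "83502631947189478135791649134973"


def find_numeric_literals(blob: bytes, min_digits: int = MIN_DIGITS):
    """Return (offset, encoding, digits) for every digit run of at least min_digits.

    ASCII runs catch native code; UTF-16LE runs (digit, NUL, digit, NUL, ...)
    catch .NET string literals in the #US heap.
    """
    ascii_run = re.compile(rb"[0-9]{%d,}" % min_digits)
    utf16_run = re.compile(rb"(?:[0-9]\x00){%d,}" % min_digits)

    hits = []
    for m in ascii_run.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(blob):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    hits.sort()
    return hits


def extract_candidate_keys(blob: bytes, length: int = 32):
    """Narrow the hits to literals of exactly the expected key length."""
    return [digits for _, _, digits in find_numeric_literals(blob) if len(digits) == length]


def build_sample() -> bytes:
    """Constructed stand-in for a #US heap fragment (not the real sample).

    A #US entry is a compressed length prefix, the UTF-16LE string, and a
    trailing flag byte. Noise around it: a short UTF-16 '150' and an ASCII year,
    both below the digit threshold.
    """
    key_utf16 = KNOWN_KEY.encode("utf-16-le")
    us_entry = bytes([len(key_utf16) + 1]) + key_utf16 + b"\x00"
    return (
        b"MZ\x90\x00" + b"\x00" * 16                    # fake header padding
        + "150".encode("utf-16-le") + b"\x00\x00"      # ransom amount, too short to match
        + us_entry                                     # the hardcoded key
        + b"Build 2013-08-17" + b"\x00" * 8            # ASCII digits, too short to match
    )


if __name__ == "__main__":
    # Usage: python scan_keys.py <unpacked_binary>; without an argument, scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, encoding, digits in find_numeric_literals(data):
        print(f"0x{offset:08x} {encoding:9s} {digits}")
```

Run against the unpacked ElmersGlue_3.exe, the UTF-16LE hit is the starting point: open the assembly in a .NET decompiler and find the comparison that consumes that literal to confirm it is the unlock check rather than, say, a serial or a timestamp.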
The following registry change was also observed. Setting DontShowUI to 1 suppresses the Windows Error Reporting dialog, so a crash of the locker does not surface a window the user could interact with:
machine\software\microsoft\windows\windows error reporting\dontshowui = 00000001
The following indicators have been uploaded to AlienVault for blocking:
This version of ElmersGlue ransomware attempts to extort $150 USD in Bitcoin from the user after locking their computer. The ransomware claims that each computer is locked with a unique key, but a hardcoded key was uncovered that allows the user to unlock their machine without paying the ransom.