ElmersGlue is a ransomware application designed to "lock" user workstations until a ransom of approximately $150 USD in Bitcoin is paid. While it employs typical extortion tactics, the application contains significant flaws allowing for recovery without payment.
Filename: VIDEO934284717.mp4.exe
MD5: 8f96e8a051cb8df97a27c36dcf71d585
Sample: Download via Reverse.it
Technical Walkthrough
Technical Details
The initial dropper, VIDEO934284717.mp4.exe, is packed using UPX. While UPX generally does not support .NET applications, in this instance it is used to pack the overarching wrapper/dropper rather than the .NET payload itself. Unpacking with standard UPX utilities reveals the underlying .NET ransomware component, ElmersGlue_3.exe.
Execution and Persistence
Upon execution, ElmersGlue extracts a secondary copy of itself to the %Temp% directory. It achieves persistence by placing a copy of the executable in the Windows Startup Folder and creating a batch file in %Temp% to automate subsequent launches.
Desktop Locking Mechanism
ElmersGlue functions primarily as a "Screen Locker." It keeps control of the screen by setting its window as the "Topmost" window at all times. This prevents users from accessing the Task Manager (CTRL-ALT-DEL), switching tasks (ALT-TAB), or interacting with other processes, effectively hijacking the desktop environment.
The "Unique" Key Fallacy
The ransomware GUI claims that every infection is encrypted with a unique key. Forensic analysis of the .NET code reveals this is a bluff. The application relies on a hardcoded unlock key found within the binary:
83502631947189478135791649134973
Entering this specific string into the ransom interface successfully terminates the process and restores desktop access.
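A triage check for the hardcoded key, added here as an example and not part of the original analysis: because the key lives in the inner .NET binary, it is stored as UTF-16LE in the CLR user-string heap, so a plain ASCII grep of the unpacked ElmersGlue_3.exe misses it. The script searches both encodings and compares the MD5 against the dropper hash above; the SAMPLE buffer is a constructed stand-in, not real malware bytes.

```python
import hashlib
import re
import sys

# Unlock key and dropper MD5 as reported in the write-up above.
UNLOCK_KEY = "83502631947189478135791649134973"
KNOWN_DROPPER_MD5 = "8f96e8a051cb8df97a27c36dcf71d585"


def find_key_offsets(data: bytes, key: str = UNLOCK_KEY) -> dict:
    """Return byte offsets where the key appears as ASCII or UTF-16LE.

    .NET user strings (ldstr operands) are stored UTF-16LE in the #US heap,
    so both encodings are searched. Note the UPX-packed dropper must be
    unpacked first; the key is only visible in the inner .NET binary.
    """
    hits = {}
    for label, needle in (("ascii", key.encode("ascii")),
                          ("utf-16le", key.encode("utf-16-le"))):
        hits[label] = [m.start() for m in re.finditer(re.escape(needle), data)]
    return hits


def triage(data: bytes) -> dict:
    """Hash the blob and report whether it carries the hardcoded key."""
    md5 = hashlib.md5(data).hexdigest()
    hits = find_key_offsets(data)
    return {
        "md5": md5,
        "matches_known_dropper": md5 == KNOWN_DROPPER_MD5,
        "key_hits": hits,
        "carries_hardcoded_key": any(hits.values()),
    }


# Constructed stand-in for an unpacked .NET binary: filler bytes around the
# key stored the way the CLR stores user strings (UTF-16LE), not a real sample.
SAMPLE = b"MZ" + b"\x00" * 64 + b"#US" + UNLOCK_KEY.encode("utf-16-le") + b"\x00" * 32

if __name__ == "__main__":
    # Usage: python triage.py <unpacked_binary>; falls back to SAMPLE.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(triage(blob))
```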
Conclusion
ElmersGlue is a low-sophistication extortion tool. While its "always-on-top" windowing strategy can be intimidating to average users, its reliance on hardcoded credentials and a simple .NET structure makes it trivial to defeat through basic static analysis.
Happy hunting.
