Ring Ø Labs DOES NOT advocate using any of the malware, techniques, or information presented here for harm and doing so may violate the law. These topics are for mitigation and educational purposes only.

Sunday, July 16, 2017

FidRW.exe Ransomware

FidRW.exe is a dropper that downloads additional stages to the victim machine with the ultimate goal of launching ransomware. As it turns out, the files involved are ultimately benign.

RING Ø LABS
Malware Report

DETAILS

FidRW.exe begins by logging in to the following FTP server:

IP: 69.89.20.50
URL: ftp.lassatt.com
PASSWORD: Z^?m6K!uh^rh

Upon successful authentication, 7 files are listed in the server's directory. FidRW.exe first requests exfiltrator.pdf, which is actually an EXE despite its .pdf extension. The file is downloaded as notepadd.exe and launched.

This second-stage executable mimics the first: it again logs in to the FTP server, but this time downloads persist.bat. As its contents indicate, this file is still under development; it will most likely be filled with persistence mechanisms to maintain the infection on the box.

The Demo_Ransomware.exe application collects the following system survey information and passes it back to the server.

After this, the application drops "Ransom Note.txt" into the Public user's directory; the note reads:

Alas, we have been swindled by a ransomware application intended for demonstration/awareness purposes. Drats. No threat here.

DETECTION

The initial dropper and subsequent stages are adequately detected by many anti-virus solutions as potentially malicious. Since this application is intended for demonstration purposes only, there is no real threat to be detected.

CONCLUSION

Although this application is intended for demonstration/awareness of how ransomware works, it uses real world techniques employed by malware around the globe. It is a nice example of multi-staged malware and can be used by RE/security researchers for practice.
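As an added example (not code from the report, from Ring Ø Labs, or from Fidelis), here is a small Python triage helper that applies two observations from the DETAILS section on the defender's side: it checks a downloaded file's magic bytes against its claimed extension (the exfiltrator.pdf-that-is-really-a-PE trick) and scans FTP proxy log lines for sessions to the drop server and retrieval of the staged file names. The log line format and the sample log entries are assumptions constructed for the example.

```python
import re

# Indicators taken from the DETAILS section of the report above.
FTP_INDICATORS = {"69.89.20.50", "ftp.lassatt.com"}
STAGE_FILES = {"exfiltrator.pdf", "persist.bat"}  # names retrieved from the server
# Leading bytes that identify the real type regardless of the extension.
MAGIC = {b"%PDF-": "pdf", b"MZ": "exe"}

def sniff_type(data: bytes) -> str:
    """Classify a file by its magic bytes rather than by its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the claimed extension disagrees with the content (a .pdf that is a PE)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff_type(data)
    return kind != "unknown" and kind != ext

# Assumed log format: "<timestamp> <client> -> <server> <FTP command> <argument>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<cmd>[A-Z]+) ?(?P<arg>.*)$")

def scan_ftp_log(lines):
    """Return (client, reason) alerts for sessions touching the drop server or staged files."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, cmd, arg = m["dst"], m["cmd"], m["arg"].strip()
        if dst in FTP_INDICATORS:
            alerts.append((m["src"], f"FTP session to known drop server {dst}"))
        if cmd == "RETR" and arg.rsplit("/", 1)[-1] in STAGE_FILES:
            alerts.append((m["src"], f"retrieval of staged file {arg}"))
    return alerts

# Constructed sample log lines (not captured traffic from the report).
SAMPLE_LOG = [
    "2017-07-16T10:01:02Z 10.0.0.5 -> ftp.lassatt.com LIST /",
    "2017-07-16T10:01:03Z 10.0.0.5 -> ftp.lassatt.com RETR exfiltrator.pdf",
    "2017-07-16T10:05:00Z 10.0.0.9 -> ftp.example.net RETR report.pdf",
]

if __name__ == "__main__":
    for client, reason in scan_ftp_log(SAMPLE_LOG):
        print(client, reason)
    print(extension_mismatch("exfiltrator.pdf", b"MZ\x90\x00"))
```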

FILE DETAILS

Filename: FidRW.exe
Packer: None
Hash (MD5): 4ff4a8ac43c73b3829ec8452f7ef5ad7
Type: Ransomware - Fidelis Demonstration