Ring Ø Labs DOES NOT advocate using any of the malware, techniques, or information presented here for harm and doing so may violate the law. These topics are for mitigation and educational purposes only.

Saturday, August 12, 2017

Choda Ransomware - The Lazy Malware

Today we analyze a piece of malware that calls itself Choda Ransomware. This is, by far, the laziest piece of ‘malware’ I’ve ever seen.







RING Ø LABS

Malware Report


FILE DETAILS

Filename: Choda Ransomware.exe
Packer: MPRESS
MD5: e501e536b58e7f1822b5064e3e4e61a0
Type: Ransomware


DETAILS

I have analyzed lazy malware in my day, but this takes the cake. I hesitate to call this ‘malware’ because of its utter simplicity and the odd demands it makes of its victims. Nevertheless, it does affect the system by denying access to the victim's computer until a demand is met. This meets the ‘ransomware’ checklist, so it must be classified as such.


We begin by examining the executable and find that it is packed with MPRESS. Because this malware is so odd and analyzing it yields little real ‘malware analysis’ knowledge, I am going to take a few moments to run through how to manually unpack MPRESS files.


1. Load the file in a debugger and break at the entry point.

2. Single-step with F7 and place a hardware RW breakpoint on ESP.

3. Run the program with F9; it should stop at a JMP instruction.

4. Single-step with F7 again and you should be at the Original Entry Point (OEP).

5. Now use a dumper/import reconstructor to dump and fix up the file.






Now that the file is unpacked, we can fully examine its contents. There’s not much to see. The exe drops a batch file into the %temp% directory and runs it.




This batch file essentially kills Explorer.exe, launches CMD.exe, and instructs the user to visit a Google Docs page for further instructions. Terminating Explorer removes all desktop icons and the taskbar, leaving only the CMD window with the text below. This would surely startle most users, especially with the ever-growing presence of ransomware.





The Google Doc tells the user to create a YouTube channel, subscribe to choda100, take a screenshot of the subscription confirmation, and email it to [email protected] to receive a ‘decryption’ key.




Aside from the odd demand of making a YouTube account to subscribe to this YouTuber's channel, the ‘ransomware’ doesn’t lock or encrypt any files as it claims. Furthermore, to restore the computer you merely have to type the password ‘ilovechoda’. You could also press CTRL-ALT-DEL, click FILE->RUN, and type explorer.exe. This would also restore the user’s environment.


Investigating choda100’s YouTube channel reveals a Korean cyber security enthusiast with many hacking-related videos. It is unclear whether this file was written by choda or by a fan to generate views for the channel, or whether it is an unfinished/proof-of-concept ransomware application in the works.




DROPPED FILES

C:\Users\user\current\AppData\Local\Temp\3C09.tmp\choda ransomware.bat


PERSISTENCE

None


NETWORK TRAFFIC

None


DETECTION


There are many VirusTotal results for all stages of this file. Your home antivirus solution should detect the majority of this ransomware and its variants. There is no network traffic to write signatures for.


CONCLUSION

Thanks to the recent ransomware scare across the globe, we cannot ignore that tactics as simple as killing Explorer and displaying a ransom note would scare the majority of users today. It is still unclear what the ultimate purpose of this application is. Is it simply a way to drive viewers to a particular YouTube channel, or is it a proof of concept? We don’t know. But I do know that this is the laziest piece of malware I have ever analyzed.