Today we analyze a piece of malware that calls itself Choda Ransomware. This is, by far, the laziest piece of ‘malware’ I’ve ever seen. While technically functional as a screen locker, its execution is amateurish at best.
Filename: Choda Ransomware.exe
MD5: e501e536b58e7f1822b5064e3e4e61a0
Sample: Download via Reverse.it
Unpacking MPRESS
The executable is packed with MPRESS, a lightweight packer similar to UPX. Since there isn't much depth to the actual malware, let's walk through the manual unpacking process using the "ESP Trick":
- Load & Break: Load the file in a debugger (like x64dbg) and break at the initial Entry Point.
- The ESP Trick: Step once (F7). Right-click the ESP register and follow it in the dump. Set a Hardware Breakpoint on Access (Dword) for that address.
- Run: Press F9. The unpacker will exhaust its routine and hit your breakpoint right before jumping to the Original Entry Point (OEP).
- Final Jump: You will stop at a JMP instruction. Step once more to land at the OEP.
- Dump: Use a tool like Scylla to dump the process and fix the Imports.
Technical Details
Once unpacked, the malware's behavior is revealed to be a simple wrapper. The executable's only real job is to drop and execute a batch file in the %TEMP% directory.
This batch file performs three "malicious" actions:
- Kills Explorer: It runs taskkill /f /im explorer.exe, which removes the taskbar and icons, making the computer appear "locked."
- Displays Message: It uses the command prompt to instruct the user to visit a Google Docs link.
- Social Ransom: The Google Doc demands that the victim subscribe to a specific YouTube channel (choda100) and email a screenshot to get the "decryption" key.
In reality, no files are encrypted. The "ransomware" is purely a screen locker. A user can restore their system by simply running explorer.exe via Task Manager or by entering the hardcoded password: ilovechoda.
Dropped Files
%TEMP%\choda ransomware.bat
Detection
Most AV solutions detect this easily based on the MPRESS packer signature or the suspicious batch file behavior. There is no unique network traffic to signature, as it relies on legitimate sites like Google Docs and YouTube.
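As an added example (not from the original write-up), here is a small detector that runs over constructed Sysmon-style process-creation events and flags the two host behaviours described above: a .bat launched from %TEMP% and taskkill used against explorer.exe. The event field names, user paths and sample events are assumptions made for illustration.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
# Paths and parent images are illustrative, not real telemetry from the sample.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\choda ransomware.bat"',
     "ParentImage": r"C:\Users\victim\Downloads\Choda Ransomware.exe"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": r"taskkill /f /im explorer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": r"taskkill /im notepad.exe",          # benign: not explorer.exe
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe",           # benign: shell start
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

# %TEMP% for a user normally expands to ...\AppData\Local\Temp; match a .bat under it.
TEMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\"]*\.bat\b", re.IGNORECASE)
# taskkill targeting explorer.exe by image name, regardless of switch order.
TASKKILL_EXPLORER_RE = re.compile(r"/im\s+explorer\.exe", re.IGNORECASE)
FORCE_SWITCH_RE = re.compile(r"(^|\s)/f(\s|$)", re.IGNORECASE)


def classify_event(event: Dict[str, str]) -> Optional[str]:
    """Return a detection name for one process-creation event, or None if benign."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if image.endswith("\\cmd.exe") and TEMP_BAT_RE.search(cmdline):
        return "batch_file_executed_from_temp"
    if image.endswith("\\taskkill.exe") and TASKKILL_EXPLORER_RE.search(cmdline):
        # /f distinguishes the forced kill the dropper uses from a polite close.
        return "explorer_force_killed" if FORCE_SWITCH_RE.search(cmdline) else "explorer_killed"
    return None


def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run classify_event over an event stream; return (event index, detection) pairs."""
    return [(i, name) for i, ev in enumerate(events) if (name := classify_event(ev))]


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```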
Conclusion
Choda Ransomware is less about profit and more about social engineering or perhaps a misguided attempt at gaining YouTube subscribers. While the tactics are primitive, the simple act of killing explorer.exe is often enough to panic a non-technical user. It serves as a reminder that not all "ransomware" involves complex cryptography—sometimes it's just a batch file with a bad attitude.
Happy hunting.