PrincessLocker ransomware appeared some time ago and drew our attention by using the same template for the victim's site as Cerber does. It is not a widespread ransomware, so it took some time before we got our hands on a sample. In this article, we dig deeper and try to answer questions about its internal similarities with Cerber (and other known ransomware).
The described version of PrincessLocker has been found decryptable. You can read the details about file recovery here.
Analyzed sample
- 14c32fd132942a0f3cc579adbd8a51ed - original executable, distributed in a campaign
- 4142a59be1f59dbd8e1be832df893d08 - unpacked: core DLL
Behavioral analysis
Once executed, Princess ransomware runs silently. It does not delete the original copy, but just encrypts all the data in the background. After finishing the encryption, it pops up the default browser and displays the ransom note. It drops notes in three file formats: HTML, URL shortcut, and TXT. The notes have a name following the pattern: !_HOW_TO_RESTORE_<added extension>.<note extension>
square.bmp: left – original, right – encrypted with Princess
Network communication
During the encryption process, the application communicates with its C&C, which is hosted on a Tor-based site.
Example 1:
In the request to n.php, the ransomware posts a set of encrypted and Base64-encoded data:
QQ8EZkZ_dnFldWFKCVxyWFppe2QCcFFyd15XSxRSDHxcHHNdRVtFWEBGQhRHDAMHBgsHCQABAAoVQw8GWgJXRQUDBgULF1sOBQQdAAMBHwcdCQMVXg8FHwMdBgQDABRFDEcDWlBeAEdWBkFBXRRADAEHCQQVXQ8CAQYGF1cOSUBdUgoVRA9ndGFnfHNweXt9dB9HVEFHVEA=
Decoded to:
Example 2:
In the request to f.php, the ransomware periodically posts smaller chunks of Base64-encoded data.
Content from the above example:
dj11MGtibTF1ZTdzcmwmZj0xMTQw
Decoded to:
v=u0kbm1ue7srl&f=1140
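As an added example (not code from the original post), a small Python decoder for the two request bodies quoted above: it picks the Base64 alphabet explicitly, because the n.php body uses the URL-safe variant (note the `_`), splits the f.php beacon into its fields, and flags such beacons in a constructed proxy-log excerpt. The log format, the function names and the meaning of the `v`/`f` fields are assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl

# The two request bodies quoted in the article, embedded here as test input.
N_PHP_BODY = (
    "QQ8EZkZ_dnFldWFKCVxyWFppe2QCcFFyd15XSxRSDHxcHHNdRVtFWEBGQhRHDAMHBgsHCQAB"
    "AAoVQw8GWgJXRQUDBgULF1sOBQQdAAMBHwcdCQMVXg8FHwMdBgQDABRFDEcDWlBeAEdWBkFB"
    "XRRADAEHCQQVXQ8CAQYGF1cOSUBdUgoVRA9ndGFnfHNweXt9dB9HVEFHVEA="
)
F_PHP_BODY = "dj11MGtibTF1ZTdzcmwmZj0xMTQw"
# Constructed proxy-log excerpt ("METHOD PATH BODY"), not a real capture.
SAMPLE_LOG = [
    "POST /n.php " + N_PHP_BODY,
    "POST /f.php " + F_PHP_BODY,
    "GET /index.html -",
]

def decode_c2_payload(body: str) -> bytes:
    """Base64-decode a request body, picking the alphabet explicitly: the n.php
    sample contains '_' (URL-safe alphabet), and the standard decoder would
    silently drop that character and return shifted, wrong bytes."""
    if not re.fullmatch(r"[A-Za-z0-9+/\-_]+=*", body):
        raise ValueError("not base64")
    urlsafe = "-" in body or "_" in body
    if urlsafe and ("+" in body or "/" in body):
        raise ValueError("mixed base64 alphabets")
    body += "=" * (-len(body) % 4)  # restore padding if it was stripped
    return base64.urlsafe_b64decode(body) if urlsafe else base64.b64decode(body)

def parse_beacon(body: str) -> dict:
    """Decode an f.php body into its fields, e.g. {'v': ..., 'f': ...} (the
    article does not say what 'f' counts, so field names are kept verbatim)."""
    text = decode_c2_payload(body).decode("ascii")
    if not text.isprintable():
        raise ValueError("decoded body is not text (encrypted n.php blob?)")
    return dict(parse_qsl(text, strict_parsing=True))

def find_beacons(log_lines) -> list:
    """Return (path, fields) for POST bodies shaped like the f.php beacon."""
    hits = []
    for line in log_lines:
        method, path, body = line.split(" ", 2)
        if method != "POST":
            continue
        try:
            fields = parse_beacon(body)
        except (ValueError, UnicodeDecodeError):
            continue  # not a plaintext beacon; the encrypted n.php blob lands here
        if {"v", "f"} <= fields.keys():
            hits.append((path, fields))
    return hits
```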
Inside
Like most malware, Princess comes wrapped in an encrypted layer, a tactic that protects the malicious core from detection. The dropper loads the core module into its own memory (self-injection).
The unpacked DLL is not independent. It needs to be loaded via the dropper, because it calls a function from the dropper module during execution:
Attacked targets
This ransomware attacks the following drive types: 2 (removable), 3 (fixed), 4 (remote):
The key is generated only once, before the encrypting loop is deployed. First, a random Unicode string is generated. Then, it is hashed using the SHA256 algorithm:
key: SHA256(L"3igcZhRdWq96m3GUmTAiv9")
ID: wjn6kdbblpiu
extension: zzqeb
The result of the hashing function is used to derive an AES 128 key:
Conclusion
Comparative analysis of the code with Cerber has shown that although both families share the same template for the Onion page, they do not have any significant internal similarities. PrincessLocker is much simpler, and a mistake committed in the implementation allowed us to write a decryptor. This suggests that the authors of this malware are not as experienced. It is possible that this ransomware has been built using fragments of other ransomware that the authors got access to, rather than being the work of the same authors as Cerber or Maktub.
In order not to give any hints to the threat actors behind PrincessLocker, we decided not to disclose some parts of the analysis which could suggest how to fix the discovered bug.
Appendix
- http://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/ - Bleeping Computer about Princess ransomware
This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.