StopCrypt Ransomware Utilizing Multi-Stage Shellcodes To Evade Detection

A new variant of StopCrypt ransomware has been discovered. It executes multi-stage shellcodes before launching a final payload containing the file encryption code.

This malware uses several techniques, such as detection evasion, a time-delaying loop of 600 million iterations, and several other mechanisms.

Moreover, the ransomware also uses scheduled tasks for its payload execution with command-line arguments, which are executed every five minutes. 

Technical Analysis

According to the reports shared with Cyber Security News, the malware infection cycle begins with creating a string of msim32.dll, but it is not even used in the ransomware execution process. 

Millions of iterations have been set up for a time-delay loop in which the same data is copied to a location with an incremental iteration value.

Similar techniques have been analyzed to be used throughout the malware execution to evade detection.

The evasion is due to the artificial extension time of the malicious code.

Incremental Iteration code (Source: SonicWall)

After this, the code allocates memory, using the LocalAlloc API and VirtualProtect to change the permissions of the memory block to READ, WRITE, and EXECUTE.

First Stage Payload

This stage resolves the required API using the Kernel_GetProcAddress API.

The ransomware creates API function calls by creating the function names or strings that contain the API names directly on the stack.

This is done as a replacement for using straightforward API calls that are easily detected and identified.

The addresses resolved by the malware are for the following APIs:

  • GlobalAlloc
  • VirtualAlloc
  • SetLastError
  • Sleep
  • CreateToolHelp32Snapshot
  • Module32First
  • CloseHandle 

CreateToolhelp32Snapshot is used in the malware code along with all of its modules to take a snapshot of the current process.

Moreover, the information about the first module of the process is extracted using Module32First API.

Snapshot code with all its modules (Source: SonicWall)

Second Stage Payload

The second stage of the malware performs the primary task of the shellcode, which is process hollowing.

The API functions created in this phase are resolved to the following addresses:

  • MessageBoxA
  • GetMessageExtraInfo
  • WinExec
  • CreateFileA
  • WriteFile
  • CloseHandle
  • CreateProcessA
  • GetThreadContext
  • VirtualAlloc
  • VirtualAllocEx
  • VirtualFree
  • ReadProcessMemory
  • WriteProcessMemory
  • SetThreadContext
  • ResumeThread
  • WaitForSingleObject
  • GetModuleFileNameA
  • GetCommandLineA
  • NtUnmapViewOfSection
  • NtWriteVirtualMemory
  • RegisterClassExA
  • CreateWindowExA
  • PostMessageA
  • GetMessageA
  • DefWindowProcA
  • GetFileAttributesA
  • GetStartupInfoA
  • VirtualProtectEx

The ransomware also checks the FileAttributes of a non-existent file for unknown purposes, which is speculated to be used to identify specific systems where the file might be present.

After certain operations, the ransomware calls the VirtualAlloc API to allocate memory with READ and WRITE permissions and store the path returned by the GetModuleFileNameA API.

Following this, the kernel32.GetStartupInfoA API is called for extracting startup information.

Final Payload

During the final process, the ransomware launches a resumed process with the parameter “Admin IsNotAutoStart IsNotTask” after which the ransomware creates a new directory in the C:\\Users\<user_name>\AppData\Local and copies the current malware image into it.

Further, it launches the icacls.exe process, the command-line utility used to view and modify access control lists (ACLs) in Windows.

The command used for executing icacls.exe denies the group permission to delete the specified file for “Everyone,” which prevents the ability to delete the malware.

Scheduled task (Source: SonicWall)

Additionally, the malware creates a scheduled task to execute a copy of the final payload with a command line argument -Task—every 5 minutes.

The ransomware encrypts the files and adds the .msjd extension to them, while putting a ransomware note under the name _readme.txt on every encrypted folder.

Ransom note (Source: SonicWall)

Indicators Of Compromise

  • GAV: StopCrypt.RSM (Trojan)

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *