
Mamba Ransomware (HDDCryptor)


Mamba ransomware encrypts hard drives rather than files. Let’s see how it works inside.

The sample is written in C++ and has no protection, which makes our analysis a little bit easier (how much depends on the protection):

The file contains many interesting imports and strings. Because there is no compression or obfuscation, we can get a lot of useful information from the imports and strings alone:

To get the big picture, let’s prepare a sandbox with regshot, procmon, procexp, fakenet, etc., and run it.
What?! Nothing happens; in procmon there is only one entry:

…and nothing. Anti-VM? Maybe. Let’s open it in IDA.

Aha! It’s not about anti-VM: it needs arguments (malware which needs arguments?!). In our case, it took the loc_4024DE branch and tried to access the file, but without success. It seems that sub_4019E0 is a function that prints messages to log_file.txt.

Back to our VM, and run it with the argument:

It creates a folder and files:

Okay, there is our friend log_file.txt, which makes our analysis easier.

Oops, the malware reboots Windows:

After the reboot, 131.exe is running; it executes the mount.exe process and, after that, dccon.exe:

After some time, Windows reboots again and we get the following message:

You are Hacked !!!! Your H.D.D Encrypted , Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123139

Revert the VM to the latest snapshot. Maybe the files in C:\DC22 come from the resource section; let’s check it.

It seems there are two versions of the same files, for 32-bit and 64-bit Windows.
*dcapi.dll, *dccon.exe, *dcinst.exe, *dcrypt.exe, and *dcrypt.sys have the same properties; they are part of DiskCryptor:

DiskCryptor is an open encryption solution that offers encryption of all disk partitions, including the system partition.
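
The artifacts seen so far (the C:\DC22 folder, log_file.txt, the DiskCryptor component names and mount.exe starting before dccon.exe) can be turned into a small triage check. This is an added example, not code from the original analysis or from the malware; the event layout, the `triage` function, the sample rows, the reading of "*" as "any prefix" and the location of log_file.txt in C:\DC22 are assumptions.

```python
import csv
import io
import ntpath

# Indicators taken from the analysis above. Treating the leading "*" in the
# component names as "any prefix" and placing log_file.txt in C:\DC22 are
# assumptions of this example.
DROP_DIR = r"c:\dc22"
DC_SUFFIXES = ("dcapi.dll", "dccon.exe", "dcinst.exe", "dcrypt.exe", "dcrypt.sys")

# Constructed events in a simplified time,operation,process,path layout
# (hypothetical format, not a real Procmon export).
SAMPLE = r"""time,operation,process,path
10:00:01,CreateFile,131.exe,C:\DC22
10:00:01,CreateFile,131.exe,C:\DC22\dcrypt.sys
10:00:01,CreateFile,131.exe,C:\DC22\dccon.exe
10:00:02,CreateFile,131.exe,C:\DC22\log_file.txt
10:00:03,CreateFile,notepad.exe,C:\Users\lab\notes.txt
10:05:10,ProcessCreate,131.exe,C:\DC22\mount.exe
10:05:12,ProcessCreate,131.exe,C:\DC22\dccon.exe
"""


def triage(csv_text):
    """Return (finding, detail) tuples for the behaviour described above."""
    findings, started = [], []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        path = ev["path"].lower()
        name = ntpath.basename(path)
        in_drop_dir = ntpath.dirname(path) == DROP_DIR
        if ev["operation"] == "CreateFile":
            if path == DROP_DIR:
                findings.append(("drop_dir_created", ev["path"]))
            elif in_drop_dir and name.endswith(DC_SUFFIXES):
                findings.append(("diskcryptor_component_dropped", ev["path"]))
            elif in_drop_dir and name == "log_file.txt":
                findings.append(("log_file_created", ev["path"]))
        elif ev["operation"] == "ProcessCreate":
            started.append(name)  # keep start order for the chain check
    # Flag the sequence only when dccon.exe starts after mount.exe.
    if "mount.exe" in started:
        later = started[started.index("mount.exe") + 1:]
        if any(n.endswith("dccon.exe") for n in later):
            findings.append(("mount_then_dccon", "mount.exe -> dccon.exe"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"{kind}: {detail}")
```

DiskCryptor is legitimate software, so a component name on its own is weak evidence; the drop directory combined with the process order is the stronger signal.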

Now let’s check the normal version of DiskCryptor: