Mamba Ransomware (HDDCryptor)
Mamba ransomware encrypts whole hard drives rather than individual files; let's see how it works inside.
It is written in C++ and carries no packer or other protection, which makes our analysis a bit easier (how much easier always depends on the protection in place):
The file contains many interesting imports and strings. Because there is no compression or obfuscation, we can already get a lot of useful information from the imports and strings alone:
To get the big picture, let's prepare a sandbox (with FakeNet and so on) and run it.
What?! Nothing happens; in Procmon there is only one entry:
…and nothing else. Anti-VM? Maybe. Let's open it in
Aha! It's not anti-VM: the sample needs command-line arguments (malware that needs arguments?!). In our case it took the
loc_4024DE branch and tried to access the file, without success; it seems that
sub_4019E0 is a function that prints messages to
Back to our VM, this time running it with the argument:
It creates a folder and files:
Okay, there is our friend log_file.txt, which makes our analysis easier.
Oops, the malware reboots Windows:
After the reboot, 131.exe is running and launches the
mount.exe process, and after that
After some time, Windows reboots again and we get the following message:
You are Hacked !!!! Your H.D.D Encrypted , Contact Us For Decryption Key (firstname.lastname@example.org) YOURID: 123139
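The behaviour observed so far (a folder created under C:\DC22, a driver dcrypt.sys and other files dropped into it, then mount.exe started from that same folder) is a pattern worth hunting for in a Procmon trace. The script below is an added example, not code from the original write-up: it reads a Procmon CSV export and flags any process that writes a .sys file outside the system drivers directory, adding a second reason when the same process later launches an image from the directory it dropped into. The CSV rows are constructed to mimic the observed sequence (they are not a real capture), and the column names assume Procmon's default export layout.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed Procmon-style CSV export used as sample input. These are NOT real
# events from the sample, only the pattern described in the write-up: files
# dropped into C:\DC22 (dcrypt.sys among them), then mount.exe started from there.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result
10:00:01,131.exe,1234,CreateFile,C:\\DC22,SUCCESS
10:00:02,131.exe,1234,WriteFile,C:\\DC22\\dcrypt.sys,SUCCESS
10:00:02,131.exe,1234,WriteFile,C:\\DC22\\log_file.txt,SUCCESS
10:00:03,131.exe,1234,WriteFile,C:\\DC22\\mount.exe,SUCCESS
10:00:04,131.exe,1234,Process Create,C:\\DC22\\mount.exe,SUCCESS
10:00:05,notepad.exe,2222,WriteFile,C:\\Users\\bob\\notes.txt,SUCCESS
10:00:06,TrustedInstaller.exe,800,WriteFile,C:\\Windows\\System32\\drivers\\foo.sys,SUCCESS
10:00:07,TrustedInstaller.exe,800,Process Create,C:\\Windows\\System32\\svchost.exe,SUCCESS
10:00:08,broken.exe,3333,WriteFile,C:\\Temp\\x.sys,ACCESS DENIED
"""

# The only place a driver file is normally written on a Windows system.
DRIVER_DIR = r"c:\windows\system32\drivers"


def parse_events(csv_text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_driver_droppers(csv_text):
    """Return {process_name: [reasons]} for processes that successfully wrote a
    .sys file outside DRIVER_DIR. If the same process later created a process
    from one of the directories it dropped a driver into, that is a second reason."""
    dropped_dirs = defaultdict(set)    # process -> directories it wrote a .sys into
    dropped_sys = defaultdict(list)    # process -> dropped driver paths
    exec_from = defaultdict(list)      # process -> (directory, image path) it launched

    for ev in parse_events(csv_text):
        if ev["Result"] != "SUCCESS":   # ignore failed operations
            continue
        proc, op, path = ev["Process Name"], ev["Operation"], ev["Path"]
        directory = ntpath.dirname(path).lower()
        if op == "WriteFile" and path.lower().endswith(".sys") and directory != DRIVER_DIR:
            dropped_dirs[proc].add(directory)
            dropped_sys[proc].append(path)
        elif op == "Process Create":
            exec_from[proc].append((directory, path))

    findings = {}
    for proc, dirs in dropped_dirs.items():
        reasons = [f"wrote driver outside drivers dir: {p}" for p in dropped_sys[proc]]
        for directory, image in exec_from.get(proc, []):
            if directory in dirs:
                reasons.append(f"launched image from the same dropped dir: {image}")
        findings[proc] = reasons
    return findings


if __name__ == "__main__":
    for proc, reasons in find_driver_droppers(SAMPLE_CSV).items():
        print(proc)
        for r in reasons:
            print("  -", r)
```

Only 131.exe is reported: TrustedInstaller.exe writes its driver into the drivers directory, notepad.exe never touches a .sys file, and the failed write by broken.exe is skipped. On a real trace, feed the script the CSV that Procmon exports from File > Save with the same default columns.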
Revert the VM to the latest snapshot. Maybe the files in C:\DC22 come from the resource section; let's check.
It seems there are two versions of the same files, for 32-bit and 64-bit Windows.
The *dcrypt.sys drivers have the same properties; they are part of DiskCryptor.
DiskCryptor is an open encryption solution that offers encryption of all disk partitions, including the system partition.
Now let’s check the normal version of