Malware, Ransomware | 07/27/2018

Detailed Technical Analysis Report of Shrug2 Ransomware



Shrug2 Ransomware Overview

Recently, security researchers found a new ransomware family, “Shrug2 Ransomware”.

This ransomware appends the .Shrug2 extension to the name of every file it encrypts.

Once encryption has completed, it displays its ransom note UI on the screen.

According to the ransom note, it demands 70 dollars’ worth of BTC in exchange for decryption. If the victim does not pay within 3 days, it deletes the encrypted files once that time has elapsed.

The victim has to send the ransom amount to the given Bitcoin address 1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx

Flowchart

Technical Analysis of Shrug2 Ransomware

File Name: shr.exe

MD5: 04112AEC47401C3D91A92CFDF9DE02E6

SHA1: 6C2194F9067756CA039D57113E3B93A7A34659D4

SHA256: C89833833885BAFDCFA1C6EE84D7DBCF2389B85D7282A6D5747DA22138BD5C59

File Type: .EXE


Detail Description of Shrug2 Ransomware with Screenshots

This ransomware requires .NET Framework 4.5 as a minimum, as shown in the assembly information below

Figure 1 Assembly Information

On execution, this ransomware first checks whether an internet connection is present; if no internet connection is available, the ransomware does not run.

It checks for internet access on the machine by requesting the following URL

http://clients3.google.com/generate_204

When requested from the actual Google servers, the above URL returns an HTTP 204 response with no content.

If it finds an internet connection on the user’s system, it creates the following process tree on the victim machine

Figure 2 Process Tree

As shown below, this ransomware queries registry flags and decides its activity based on them

Figure 3 Query Registry

Following are the registry changes made by this ransomware

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Shrug2_RASAPI32

HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo

HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\identifier: "admin/15010"

HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\installdate: "25/07/2018 23:40:58"

HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\crykey: "DQBgjJw3s3q04tbs7tPnlktXnpBiDyZC"

HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\cryiv: "WJYtqQd6h6j95gyh"

HKLM\SOFTWARE\Microsoft\Tracing\Shr_RASAPI32

HKLM\SOFTWARE\Microsoft\Tracing\Shr_RASMANCS
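The registry artifacts above are the most useful host-level indicators in the report: the ShrugTwo key sits under the user hive, and its value names (crykey, cryiv) suggest the key material, so a responder would want to preserve those values from every user hive before any cleanup. The following added example (not code from the report or from the malware) parses text in the Windows .reg export format, matches the ShrugTwo key under any user SID rather than the one SID seen in the sandbox, and collects the RAS tracing keys listed above. The sample export is constructed from the values in the report; everything else about it (the extra keys, the dword value) is made up for illustration.

```python
import re

# Constructed sample in the Windows .reg export format, built from the values
# the report lists. The SID is the one from the analysed machine; a real sweep
# must match any user SID, so the matcher keys on the trailing "\ShrugTwo" path.
# (Real .reg exports are UTF-16LE text; decode before passing them in.)
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo]
"identifier"="admin/15010"
"installdate"="25/07/2018 23:40:58"
"crykey"="DQBgjJw3s3q04tbs7tPnlktXnpBiDyZC"
"cryiv"="WJYtqQd6h6j95gyh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Shr_RASAPI32]
"EnableFileTracing"=dword:00000000

[HKEY_USERS\S-1-5-21-1901852483-795937795-1922846784-1001\Software\Unrelated]
"setting"="value"
'''

KEY_RE = re.compile(r'^\[(?P<path>[^\]]+)\]\s*$')
# Only REG_SZ values ("name"="data") are needed here; other value types are ignored.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')
# Any user SID, not just the one from the report; HKU and HKEY_USERS are both accepted.
SHRUGTWO_RE = re.compile(
    r'^(?:HKEY_USERS|HKU)\\(?P<sid>S-1-5-21-\d+-\d+-\d+-\d+)\\ShrugTwo$', re.IGNORECASE)
# Covers Shrug2_RASAPI32, Shr_RASAPI32 and Shr_RASMANCS as listed in the report.
TRACING_RE = re.compile(
    r'^(?:HKEY_LOCAL_MACHINE|HKLM)\\SOFTWARE\\Microsoft\\Tracing\\Shr(?:ug2)?_RAS(?:API32|MANCS)$',
    re.IGNORECASE)

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group('path')
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group('name')] = m.group('data')
    return keys

def find_shrug2_artifacts(text):
    """Return ShrugTwo values per user SID plus the RAS tracing keys the report lists."""
    findings = {'users': {}, 'tracing_keys': []}
    for path, values in parse_reg_export(text).items():
        m = SHRUGTWO_RE.match(path)
        if m:
            findings['users'][m.group('sid')] = {
                name: values.get(name)
                for name in ('identifier', 'installdate', 'crykey', 'cryiv')
            }
        elif TRACING_RE.match(path):
            findings['tracing_keys'].append(path)
    return findings

if __name__ == '__main__':
    result = find_shrug2_artifacts(SAMPLE_REG_EXPORT)
    for sid, values in result['users'].items():
        print(f"ShrugTwo key under {sid}: {values}")
    for key in result['tracing_keys']:
        print(f"Tracing key present: {key}")
```

In practice the input would come from `reg export HKU <file>` on the affected host; the point of matching the SID with a pattern is that the value in the report identifies the sandbox account, not the victim's.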

 

Once the registry step has succeeded, it executes the following command, which modifies the access control list (granting Everyone full control, recursively)

cmd.exe /C Icacls . /grant Everyone:F /T /C /Q

Thereafter, it removes the system restore points. Instead of using WMIC.exe shadowcopy delete or vssadmin.exe Delete Shadows /All /Quiet, it uses the SRRemoveRestorePoint API, as shown below, to delete the system restore points (volume shadow copies) from the victim machine.

According to the following code, it deletes up to 50 system restore points.

Figure 4 Delete System Restore Point
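The two behaviours above give a detection engineer one process-level signal and one gap. The icacls command is spawned via cmd.exe and is visible in process-creation telemetry, while the restore-point deletion goes through the SRRemoveRestorePoint API and never runs vssadmin or wmic, so the usual shadow-copy command-line rules stay silent. The following added example (not code from the report) runs both kinds of rule over constructed Sysmon-style process-creation events; the first event reproduces the command line quoted above, the others are made-up noise to show what each rule ignores, and the field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1.

```python
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
# Only the first one reproduces the command line quoted in the report; the
# others are benign or unrelated noise added to show what the rules ignore.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\victim\Downloads\shr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /C Icacls . /grant Everyone:F /T /C /Q"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /C icacls C:\share /grant "Domain Users":RX'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": r"agent.exe --run"},
]

# icacls granting the Everyone principal full control, written as F or (F).
ICACLS_EVERYONE_FULL = re.compile(
    r"\bicacls\b.*/grant\b.*\bEveryone\s*:\s*\(?F\)?(?=\s|$)", re.IGNORECASE)
# /T applies the change to the whole tree below the target.
ICACLS_RECURSIVE = re.compile(r"(?:^|\s)/T(?=\s|$)", re.IGNORECASE)
# The classic shadow-copy wipes. Shrug2 does NOT use these (it calls
# SRRemoveRestorePoint), so this rule is here to show the gap, not to catch it.
SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b|\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b",
    re.IGNORECASE)

def classify_event(event):
    """Return the list of rule names the event's command line triggers."""
    cmd = event["CommandLine"]
    hits = []
    if ICACLS_EVERYONE_FULL.search(cmd):
        if ICACLS_RECURSIVE.search(cmd):
            hits.append("icacls_everyone_full_recursive")
        else:
            hits.append("icacls_everyone_full")
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    return hits

def scan_events(events):
    """Return (ParentImage, hits) for every event that triggers at least one rule."""
    results = []
    for event in events:
        hits = classify_event(event)
        if hits:
            results.append((event["ParentImage"], hits))
    return results

if __name__ == "__main__":
    for parent, hits in scan_events(SAMPLE_EVENTS):
        print(f"{parent}: {', '.join(hits)}")
```

Reporting the parent image alongside the hit matters here: a recursive Everyone:F grant launched from an executable in a user's Downloads folder is a much stronger signal than the same command typed by an administrator. Catching the SRRemoveRestorePoint path itself needs API-level telemetry (an EDR hook or ETW), which process-creation logs do not provide.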

Thereafter, it starts searching for files with matching extensions; this ransomware encrypts only those files whose extensions appear in its list. The file extension list is as follows

“.txt .docx .xls .doc .xlsx .ppt .pptx .odt .jpg .png .jpeg .csv .psd .sql .mdb .db .sln .html .php .asp .aspx .html .xml .json .dat .cpp .cs .py .pyw .c .js .java .mp4 .ogg .mp3 .wmv .avi .gif .mpeg .msi .zip .rar .7zip .7z .bmp .apk .yml .qml .py3 .aif .cda .mpa .wpl .mid .midi .pkg .deb .arj .z .o .rpm .tar.gz .gz .dbf .yml .tar .pl .rb .ico .tiff .tif .asp .xhtml .rss .jsp .htm ”

While running in the background, the ransomware renames each affected file by appending “.Shrug2” to the end of its name.

Figure 5 Shrug2 Extension
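The extension list and the “.Shrug2” suffix together let a responder scope an incident from a plain file listing: which files were encrypted, what their original names were, and which files on the same share were in scope but not (yet) touched. The following added example (not code from the report or the malware) does that over a constructed listing. It uses the list exactly as published above, collapsing the duplicated entries (.html, .asp, .yml) and handling the compound .tar.gz suffix; treating extensions case-insensitively is an assumption of this example, not something the report states.

```python
# Extension list exactly as published in the report; duplicates are collapsed
# below and ".tar.gz" is kept as a compound suffix.
RAW_EXTENSION_LIST = (
    ".txt .docx .xls .doc .xlsx .ppt .pptx .odt .jpg .png .jpeg .csv .psd .sql .mdb .db "
    ".sln .html .php .asp .aspx .html .xml .json .dat .cpp .cs .py .pyw .c .js .java "
    ".mp4 .ogg .mp3 .wmv .avi .gif .mpeg .msi .zip .rar .7zip .7z .bmp .apk .yml .qml "
    ".py3 .aif .cda .mpa .wpl .mid .midi .pkg .deb .arj .z .o .rpm .tar.gz .gz .dbf "
    ".yml .tar .pl .rb .ico .tiff .tif .asp .xhtml .rss .jsp .htm"
)
# Suffix appended to encrypted files, in the case the report gives.
ENCRYPTED_SUFFIX = ".Shrug2"

TARGET_EXTENSIONS = set(RAW_EXTENSION_LIST.split())
# Longest suffixes first so ".tar.gz" is reported rather than ".gz".
_SUFFIXES_BY_LENGTH = sorted(TARGET_EXTENSIONS, key=len, reverse=True)

def matching_extension(filename):
    """Return the listed extension the file name ends with, or None.
    Case-insensitive comparison is an assumption of this example."""
    lower = filename.lower()
    for ext in _SUFFIXES_BY_LENGTH:
        if lower.endswith(ext.lower()):
            return ext
    return None

def is_target_file(filename):
    return matching_extension(filename) is not None

def recover_original_name(filename):
    """Strip the .Shrug2 suffix; return None if the file is not marked as encrypted."""
    if filename.endswith(ENCRYPTED_SUFFIX):
        return filename[:-len(ENCRYPTED_SUFFIX)]
    return None

def triage(paths):
    """Split a file listing into encrypted, exposed (in scope, untouched) and other files."""
    encrypted, exposed, untouched = [], [], []
    for path in paths:
        original = recover_original_name(path)
        if original is not None:
            encrypted.append((path, original, matching_extension(original)))
        elif is_target_file(path):
            exposed.append(path)
        else:
            untouched.append(path)
    return {"encrypted": encrypted, "exposed": exposed, "untouched": untouched}

# Constructed listing; the shortcut name is the one the report mentions.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\report.docx.Shrug2",
    r"C:\Users\victim\Documents\backup.tar.gz.Shrug2",
    r"C:\Users\victim\Documents\notes.TXT",
    r"C:\Users\victim\Documents\setup.exe",
    r"C:\Users\victim\Desktop\@ShrugDecryptor@.lnk",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LISTING).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

Files that were renamed but whose original extension is not in the list (the third tuple element is None) are worth a second look during triage, since that combination would not be explained by the behaviour the report describes.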

As shown below, this ransomware contains self-deletion code, which runs silently by executing the following hidden process.

Figure 6 Self Deletion

Once encryption has completed, it displays the following ransom note UI on the victim’s desktop (“Ooops! Your files have been encrypted”).

As shown below, the ransom note runs a countdown timer; the files are deleted if the victim does not pay within the given time.

Figure 7 Ransom Note

On clicking the “Check Payment” button, it starts checking for payment by accessing the following URL

hxxp://tempacc11vl[.]000webhostapp.com/marthas_stuff/freehashes[.]txt

 

If the victim has paid the ransom amount, it cross-checks this by accessing the following URL

hxxp://tempacc11vl[.]000webhostapp[.]com/marthas_stuff/upoldhash.php


The funniest part is the pride Shrug2 ransomware takes in itself, asking “Are you proud of me, papa wannacry? What about you momma NotPetya?”

As shown above in the ransom note, the ransomware author has included their Bitcoin address (“1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx”).

As shown below, at the time of writing no one has paid any ransom to the given Bitcoin address.

Figure 8 Bitcoin Transaction Information

As shown below, this ransomware also creates a shortcut file “@ShrugDecryptor@.lnk” on the desktop

Figure 9 Desktop Shortcut

 

IOCs

Associated File Names & Hashes:

File Name: shr.exe

MD5: 04112AEC47401C3D91A92CFDF9DE02E6

SHA1: 6C2194F9067756CA039D57113E3B93A7A34659D4

SHA256: C89833833885BAFDCFA1C6EE84D7DBCF2389B85D7282A6D5747DA22138BD5C59

File Type: .EXE

 

Associated Bitcoin Address

1Hr1grgH9ViEgUx73iRRJLVKH3PFjUteNx

 

Associated Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Shrug2_RASAPI32

HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo

HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\identifier: "admin/15010"

HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\installdate: "25/07/2018 23:40:58"

HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\crykey: "DQBgjJw3s3q04tbs7tPnlktXnpBiDyZC"

HKU\S-1-5-21-1901852483-795937795-1922846784-1000\ShrugTwo\cryiv: "WJYtqQd6h6j95gyh"

HKLM\SOFTWARE\Microsoft\Tracing\Shr_RASAPI32

HKLM\SOFTWARE\Microsoft\Tracing\Shr_RASMANCS


 

Associated URL

hxxp://tempacc11vl[.]000webhostapp.com/marthas_stuff/freehashes[.]txt

hxxp://clients3[.]google[.]com/generate_204

hxxp://tempacc11vl.000webhostapp[.]com/marthas_stuff/upoldhash[.]php
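The URLs above are given in defanged form, and the bracketing is not consistent between the three entries, so they cannot be pasted into a proxy search as-is. The following added example (not code from the report) refangs them, then scans constructed proxy log lines, matching on the full indicator host. Two design points: the match is on tempacc11vl.000webhostapp.com rather than the apex 000webhostapp.com, because that apex is a shared free-hosting platform and apex matching would flag unrelated sites; and clients3.google.com/generate_204 is treated as context only, since browsers and Android devices use the same connectivity probe. The log format and client addresses are made up for the example.

```python
import re

# Indicators copied from the report in their defanged form (the report's own
# bracketing is inconsistent, which is exactly why refanging is needed).
DEFANGED_IOCS = [
    "hxxp://tempacc11vl[.]000webhostapp.com/marthas_stuff/freehashes[.]txt",
    "hxxp://tempacc11vl.000webhostapp[.]com/marthas_stuff/upoldhash[.]php",
]
# The connectivity probe is a legitimate Google endpoint that browsers and
# Android devices also hit, so it is reported as context, never as a hit.
CONTEXT_ONLY = ["hxxp://clients3[.]google[.]com/generate_204"]

def refang(ioc):
    """Turn hxxp:// and [.] style defanging back into a parsable URL."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[://]", "://")

def host_and_path(url):
    """Split an http(s) URL into (lowercased host, path)."""
    m = re.match(r"^https?://([^/\s]+)(/\S*)?$", url, re.IGNORECASE)
    if not m:
        raise ValueError(f"not an http(s) URL: {url}")
    return m.group(1).lower(), m.group(2) or "/"

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """
2018-07-26T03:41:02Z 10.0.0.15 GET http://clients3.google.com/generate_204 204
2018-07-26T03:41:05Z 10.0.0.15 GET http://tempacc11vl.000webhostapp.com/marthas_stuff/freehashes.txt 200
2018-07-26T03:41:09Z 10.0.0.15 GET http://tempacc11vl.000webhostapp.com/marthas_stuff/upoldhash.php 200
2018-07-26T03:42:00Z 10.0.0.22 GET http://www.example.com/index.html 200
2018-07-26T03:42:30Z 10.0.0.22 GET http://clients3.google.com/generate_204 204
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

def scan_proxy_log(text):
    """Match log lines on the full indicator host; return hits and context separately."""
    ioc_hosts = {host_and_path(refang(u))[0] for u in DEFANGED_IOCS}
    context_hosts = {host_and_path(refang(u))[0] for u in CONTEXT_ONLY}
    hits, context = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, path = host_and_path(m["url"])
        if host in ioc_hosts:
            hits.append((m["client"], host + path))
        elif host in context_hosts:
            context.append((m["client"], host + path))
    return {"hits": hits, "context": context}

if __name__ == "__main__":
    result = scan_proxy_log(SAMPLE_PROXY_LOG)
    for client, url in result["hits"]:
        print(f"HIT     {client} -> {url}")
    for client, url in result["context"]:
        print(f"context {client} -> {url}")
```

A generate_204 request from a client that also appears in the hits list is consistent with the connectivity check described earlier in the report; on its own it means nothing, which is why the example never promotes it to a hit.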



Tips to Prevent Viruses and Malware from Infecting Your System:
  1. Enable your pop-up blocker: Pop-ups and ads on websites are the tactic most commonly adopted by cybercriminals or developers whose core intention is to spread malicious programs. So, avoid clicking uncertain sites, software offers, pop-ups etc., and install a powerful ad blocker for Chrome, Mozilla, and IE.
  2. Keep your Windows updated: To avoid such infections, we recommend that you always keep your system updated through automatic Windows Update. By doing this you can keep your device free from viruses. According to the survey, outdated/older versions of the Windows operating system are an easy target.
  3. Third-party installation: Try to avoid freeware download websites, as they usually install bundles of software along with any installer or stub file.
  4. Regular backup: Regular and periodic backups help you keep your data safe in case the system is infected by any kind of virus or other infection. Thus, always back up important files regularly to a cloud drive or an external hard drive.
  5. Always have an antivirus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good malware removal tool like Download Virus Removal Tool.
