Detailed Technical Analysis Report of Total Wipe Out Ransomware
Malware Analysis | 08/24/2018


Total Wipe Out Ransomware Overview

Recently, a security researcher found a new ransomware family called “Total Wipe Out Ransomware”.

This ransomware appends the .TW extension to the name of every file it encrypts.

Once encryption has completed, it displays the ransom note UI on the screen.

According to the ransom note, it demands 200 Dollar or 1 XMR in exchange for decryption, but it mentions neither a contact address nor a mode of payment.

The code contains several bugs, which suggests the ransomware is still in the development stage.

Figure: Flow Chart

Technical Analysis of Total Wipe Out Ransomware

File Name: total.exe

MD5: E7348CFD2D05AB3EA5230C7E109FCDC3

SHA1: 7AA2AA99FFD40DA43961D28D31B76A514C44D9E7

SHA256: 54EF5DD5A99A13B476F3673A0BCE5219186A06D5D1A8C1769827267C421B6B65

File Type: .EXE


Detailed Description of Total Wipe Out Ransomware with Screenshots

This ransomware requires .NET Framework 4.0 as a minimum.

Figure 1 Assembly Information

On execution, this ransomware launches a blank command window and starts the encryption process in the background.

Figure 2 Blank Command Window

As shown below, this ransomware targets the following special folders: Desktop, Application Data, Personal, Recent and User Profile.

Figure 3 Target Directory

 

As shown below, the malware author uses the PasswordDeriveBytes API with the hard-coded static password string “ballsack” and a salt byte array to derive the key. The victim's files are then encrypted with AES. Because both the password and the salt are fixed in the binary, the derived key is the same on every infected system.

Figure 4 AES Encryption with PasswordDerivedBytes API
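To make the consequence of a static password concrete, the following added example (my own analysis code, not the ransomware's or the report's) re-implements the .NET Framework PasswordDeriveBytes.GetBytes algorithm in Python: the first 20 bytes are plain PBKDF1-SHA1, and Microsoft's extension fills further bytes with SHA1 of a decimal counter string prepended to the base value. The report only names the password; the salt bytes, the iteration count (100 is the API default) and the 32-byte key length are assumptions, and the model covers a single GetBytes call only.

```python
import hashlib

# The report names the hard-coded password string; the salt bytes, iteration
# count and requested key length are not printed in it, so the values below are
# constructed assumptions for the demonstration.
STATIC_PASSWORD = "ballsack"
ASSUMED_SALT = bytes(range(1, 9))          # assumption: 8-byte salt array
DEFAULT_ITERATIONS = 100                   # PasswordDeriveBytes default


def pbkdf1_sha1(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Plain PBKDF1 (RFC 2898 section 5.1) with SHA-1, used as an independent cross-check."""
    t = hashlib.sha1(password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.sha1(t).digest()
    return t


class PasswordDeriveBytesPy:
    """Models a single PasswordDeriveBytes.GetBytes(n) call as found in the
    .NET Framework reference source (SHA-1): block 0 is PBKDF1, later blocks
    are SHA1(str(counter) || base) for counter = 1, 2, ...  This is an
    analyst's reimplementation, not the ransomware's own code."""

    def __init__(self, password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS):
        self.salt = salt
        self.iterations = iterations
        # The string constructor encodes the password as UTF-8.
        self.base = self._compute_base(password.encode("utf-8"))

    def _compute_base(self, password: bytes) -> bytes:
        # First hash covers password || salt, then (iterations - 2) more
        # hashes, leaving the final hash for the first output block.
        base = hashlib.sha1(password + self.salt).digest()
        for _ in range(1, self.iterations - 1):
            base = hashlib.sha1(base).digest()
        return base

    def get_bytes(self, count: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < count:
            # Block 0 has no prefix; later blocks prefix the decimal counter.
            prefix = str(counter).encode("ascii") if counter > 0 else b""
            out += hashlib.sha1(prefix + self.base).digest()
            counter += 1
        return out[:count]


def derive_aes_key(password: str, salt: bytes, key_len: int = 32) -> bytes:
    """Derive the AES key exactly as a victim machine would, from fixed inputs."""
    return PasswordDeriveBytesPy(password, salt).get_bytes(key_len)


if __name__ == "__main__":
    key = derive_aes_key(STATIC_PASSWORD, ASSUMED_SALT)
    print("AES key (hex):", key.hex())
    print("identical on every run:", key == derive_aes_key(STATIC_PASSWORD, ASSUMED_SALT))
```

Because every input to the derivation is constant, anyone who recovers the password and salt from the sample can regenerate the key; that is why a static password makes a decryptor feasible for defenders, and why the first 20 bytes can be cross-checked against a textbook PBKDF1 loop.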

As shown below, once a file has been encrypted with AES, the ransomware appends the .TW extension to the encrypted file's name. It then attempts to delete the original file and to record each encrypted file in a log at C:\8000\files.txt. Due to a bug in the code, however, this log file never gets created.

Figure 5 File Extension

This ransomware also drops a text file named ___________READ_FOR_YOUR_FILES_______________ in the Downloads folder; it contains only the string “BLABLABLABLABLABLABLABLABLABLA”.

 

As you can see below, on execution the ransomware encrypts the files and appends the .TW extension to each filename.

Figure 6 .TW Extension

This ransomware encrypts only those files whose extension matches its file extensions list. The list is as follows:

.DOC, .WSF, .SWF, .7Z, .DOCX, .DEM, .VOB, .CBR, .LOG, .GAM, .WMV, .DEB, .MSG, .NES, .3DM, .GZ, .ODT, .ROM, .3DS, .PKG,
.PAGES, .SAV, .MAX, .RAR, .RTF, .DWG, .OBJ, .RPM, .TEX, .DXF, .BMP, .SITX, .TXT, .GPX, .DDS, .TAR, .WPD, .KML, .GIF, .GZ,
.WPS, .KMZ, .JPG, .ZIP, .CSV, .ASP, .PNG, .ZIPX, .DAT, .ASPX, .PSD, .BIN, .GED, .CER, .PSPIMAGE, .CUE, .KEY, .CFM, .TGA, .DMG,
.KEYCHAIN, .CSR, .THM, .ISO, .PPS, .CSS, .TIF, .MDF, .PPT, .HTM, .TIFF, .TOAST, .PPTX, .HTML, .YUV, .VCD, .SDF, .JS, .AI, .C,
.TAR, .JSP, .EPS, .CLASS, .TAX2016, .PHP, .PS, .CPP, .TAX2017, .RSS, .SVG, .CS, .VCF, .XHTML, .INDD, .DTD, .XML, .CRX, .PCT, .FLA,
.AIF, .PLUGIN, .PDF, .H, .IFF, .FNT, .XLR, .JAVA, .M3U, .FON, .XLS, .LUA, .M4A, .OTF, .XLSX, .M, .MID, .TTF, .ACCDB, .PL,
.MP3, .CAB, .DB, .PY, .MPA, .CPL, .DBF, .SH, .WAV, .CUR, .MDB, .SLN, .WMA, .DLL, .PDB, .SWIFT, .3G2, .DMP, .SQL, .VB,
.3GP, .DRV, .APK, .VCXPROJ, .ASF, .ICNS, .APP, .XCODEPROJ, .AVI, .ICO, .BAT, .BAK, .FLV, .LNK, .CGI, .TMP, .M4V, .SYS, .COM, .CRDOWNLOAD,
.MOV, .CFG, .EXE, .ICS, .MP4, .INI, .GADGET, .MSI, .MPG, .PRF, .JAR, .TORRENT, .RM, .HQX, .PART, .SRT, .MIM, .UUE

It searches the target drive for files with any of the above extensions and encrypts them.
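The artifacts described above (the .TW suffix appended to the original name, the attempted deletion of the original, and the note dropped in Downloads) are enough to write a small triage script. The following added example is my own responder-side code, not part of the report: it walks a directory tree, maps each .TW file back to its original name, records whether the original still exists (the deletion step is buggy according to the report), tallies affected extensions, and checks for the note file. It assumes the encrypted name is simply the original name plus ".TW", and it builds its own constructed sample tree so it runs offline.

```python
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".TW"
NOTE_FILENAME = "___________READ_FOR_YOUR_FILES_______________"
# Constructed subset of the report's extension list, lower-cased for matching;
# a real deployment would load the complete list.
TARGETED_EXTENSIONS = {".doc", ".docx", ".jpg", ".png", ".txt", ".pdf", ".zip"}


def find_encrypted_files(root):
    """Return one record per *.TW file under root, sorted by path."""
    records = []
    for path in Path(root).rglob("*" + ENCRYPTED_SUFFIX):
        if not path.is_file():
            continue
        # Assumption: encrypted name == original name + ".TW"
        original = path.with_name(path.name[: -len(ENCRYPTED_SUFFIX)])
        records.append({
            "encrypted": str(path),
            "original_name": original.name,
            "original_extension": original.suffix.lower(),
            "original_still_present": original.exists(),
            "extension_targeted": original.suffix.lower() in TARGETED_EXTENSIONS,
        })
    return sorted(records, key=lambda r: r["encrypted"])


def summarize_by_extension(records):
    """Count encrypted files per original extension for the incident summary."""
    return Counter(r["original_extension"] for r in records)


def originals_left_behind(records):
    """Files whose plaintext original survived the (buggy) delete step."""
    return [r["original_name"] for r in records if r["original_still_present"]]


def note_present(downloads_dir):
    """True if the ransomware's note file exists in the given Downloads folder."""
    return (Path(downloads_dir) / NOTE_FILENAME).is_file()


def build_sample_tree():
    """Constructed victim profile in a temp directory (not real infection data)."""
    root = Path(tempfile.mkdtemp(prefix="tw_triage_"))
    desktop, downloads = root / "Desktop", root / "Downloads"
    desktop.mkdir()
    downloads.mkdir()
    (desktop / "report.docx.TW").write_bytes(b"\x00" * 16)   # original deleted
    (desktop / "photo.jpg.TW").write_bytes(b"\x00" * 16)     # original deleted
    (desktop / "old.doc").write_bytes(b"plaintext")          # delete step failed
    (desktop / "old.doc.TW").write_bytes(b"\x00" * 16)
    (desktop / "untouched.xyz").write_bytes(b"plaintext")    # extension not targeted
    (downloads / NOTE_FILENAME).write_text("BLABLABLABLABLABLABLABLABLABLA")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    recs = find_encrypted_files(root)
    print("encrypted files:", len(recs))
    print("by extension:", dict(summarize_by_extension(recs)))
    print("originals still present:", originals_left_behind(recs))
    print("ransom note in Downloads:", note_present(root / "Downloads"))
```

Point it at the special folders named in the report (Desktop, Application Data, Personal, Recent, User Profile) on an affected host; the "originals still present" list is worth checking first, since those files need no decryption at all.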

Judging by the code and its runtime behaviour, this ransomware appears to be still under development. Because of that, it neither deletes the Volume Shadow Copies from the system nor removes the System Restore Points.

Figure 7 Previous Version Folder & System Restore Point

 

Once all files matching the extension list have been encrypted, it finally replaces the victim's desktop wallpaper with the ransom note and also opens the image in Windows Photo Viewer.

Figure 8 Ransom Note

As shown above, the ransomware creator has written the ransom note in 9 different languages (English, Spanish, Hindi, Punjabi, Portuguese, Russian etc.).

According to the ransom note, the creator demands 1 XMR / 200 Dollar in exchange for the decryption tool. The interesting part is that the creator forgot to mention any contact address or mode of payment, probably because the ransomware is still in development.

During analysis we found that this ransomware does not work properly at some points, again likely because it is still in development, and that it contains bugs in the code which anyone could easily fix.

From the code, we assume it was written by a script kiddie or a newcomer.

 

 

IOCs

Associated File Names & Hashes:

File Name: total.exe

MD5: E7348CFD2D05AB3EA5230C7E109FCDC3

SHA1: 7AA2AA99FFD40DA43961D28D31B76A514C44D9E7

SHA256: 54EF5DD5A99A13B476F3673A0BCE5219186A06D5D1A8C1769827267C421B6B65

File Type: .EXE




Tips to Prevent Viruses and Malware from Infecting Your System:

  1. Enable your popup blocker: Pop-ups and ads on websites are the most common tactic used by cybercriminals to spread malicious programs. So, avoid clicking on suspicious sites, software offers, pop-ups etc., and install a good ad blocker for Chrome, Mozilla Firefox and IE.
  2. Keep your Windows updated: To avoid such infections, always keep your system updated through automatic Windows Update. Outdated or older versions of the Windows operating system are an easy target.
  3. Third-party installation: Avoid freeware download websites, as they usually bundle additional software with the installer or stub file.
  4. Regular backup: Regular, periodic backups keep your data safe in case the system is infected by ransomware or any other malware. Always back up important files regularly to a cloud drive or an external hard drive.
  5. Always have an antivirus: Prevention is better than cure. We recommend installing an antivirus like ITL Total Security or a good malware removal tool like Download Virus Removal Tool.
 

 

 

 
