Cobra Ransomware
Not a lot of information is known about the threat actor behind the ransomware. Based on the technical analysis, the code does not support victim ID tagging or a mechanism to track the victims. A bitcoin wallet address and a contact email are used to notify the threat actor of either a payment or negotiation.
With a lack of leak site or infrastructure, it is assumed that the threat actor is not targetting specific individuals or companies but instead hoping to spread the encryptor to unsuspecting victims in hopes of a ransom payout.
The encryptor is written in .NET with no obfuscation, leaving it easily identifiable for detection engineers.
Key Points
Configuration is not obfuscated
No leak site
Embedded Bitcoin address with no unique victim ID or TOR leak site
Linear encryption routine
Ransom note and Bitcoin address
Address: 14yGTDgzfsKrv6UhQnrVBDRJZtSuKNgiDP
!!! Boom Bitch \ud83d\udca5: YOUR FILES ARE ENCRYPTED By .COBRA!!!", "", "Your network/computer has been infected and all your files has encrypted with military-grade encryption. by our ransomware and you won't be able to decrypt them without our help .", "To retrieve your data, send $1197026 in Bitcoin to the following address within 48 hours:", "", "14yGTDgzfsKrv6UhQnrVBDRJZtSuKNgiDP", "", "Failure to comply will result in the permanent deletion of your files and their sale on the dark web. This is not a bluff.", "Do not attempt to remove the ransomware or call the authorities. Any attempt to do so will lead to immediate destruction of your data.", "Act now if you value your business and your privacy.", "", "How do I pay, where do I get Bitcoin?", "Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search", "yourself to find out how to buy Bitcoin. ", "Many of our customers have reported these sites to be fast and reliable:", "Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com", "", "Payment informationAmount: 18.301 BTC", "Bitcoin Address: 14yGTDgzfsKrv6UhQnrVBDRJZtSuKNgiDP", "", "contact me: (send Bulk mail)", "purchase@lnt-corp.com", "xwolf69@onionmail.org", "admin@lntdeal.com", "purchase@lntdeal.com"
Build information
SHA256 Hash: bf0c353bf4f59db1d33b62589cca64d29c915d3073c86cd04e78f1d28bb65d74 ( VirusTotal )
The ransomware is built using .Net
Program Flow
When the encryptor first fires, it attempts to determine if it is already running in the system and if the process is located in the expected application directory. The encryptor will attempt to copy itself to the Windows application roaming user directory as well as attempt to rename itself as svchost.exe for evasion purposes.
Once the location is set correctly, the encryptor will move onto setting up persistence, inhibiting the system recovery by deleting Windows shadow copies and disabling recovery modes. Lastly, the file discovery and encrypting of the drive takes place before dropping the ransom note and changing the system wallpaper.
All of the configuration is stored non-obfuscated and initialized in the class Program constructor.
Persistence
During the initial sequences of the encryptor, the persistence mechanism is added to the system by adding a new LNK shortcut file via the ‘StreamWriter()’ function. The shortcut is made up of a URL, IconIndex, Iconfile and the type [InternetShortcut]. The contents of the URL attribute will contain the ‘file://‘ indicator which will cause the shortcut to execute the malware sample. The file name will be ‘svchost.exe’.
Multiple Instances
The sample will determine if the encryptor is ready running by using an embedded string for the mutex. This will ensure that the encryptor does not run again.
The embedded config is checked to see if the application is running in administrative mode. If the configuration is set to true, the payload will then be executed as a runas command using the default Windows shell to re-execute the application using a new name ‘svchost.exe’.
If the application was not run as an admin, the system will perform a similar process but instead relaunch from the application roaming users but using the ProcessStartInfo structure and creating a new process.
Inhibit system recovery
Before encrypting specific files, the sample will first attempt to delete the Windows shadow copies using the typical vssadmin via cmd.exe. This is a common implementation to this technique and is easily catchable by system admins.
cmd.exe /c vssadmin delete shadow copies
Next it will move on to disabling recovery mode via bcedit and Windows Server backup catalog.
bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
Lastly, the sample will disable the task manager via the system registry. This is not seen as often, but it is effective by attempting to stop the user from killing the encryptor quickly.
Encrypting the system
The encryptor uses the typical .NET APIs to identify files and directories. Although the iterator works linearly the lack of a robust threadpool will cause the encryptor to halt on operations while a single file that is sufficiently large or potentially “locked” by the another application. This can be fatal to the malware’s ability to encrypt the system fast enough before a user or automated tool can shut it down.
The encryptor lacks the typical Windows Restart manager service integration to identify running processes and their locked files. Since the malware authors left this part out of the encryptor, any file that is “locked” by another process will cause the encryptor to fail the process for that file. The Restart Manager API is typically seen in more seasoned ransomware families.
When iterating through directories, the encryptor will attempt to determine which files should be excluded. The list is small and contains the usual files you would expect, but this list is not enough to ensure system stability.
The overall encryption routine is fairly straight forward. It will setup the extension used for locked file ‘.COBRA’, generate a new private key and use the hardcoded public key (length 40) to ensure the RSA crypto context can sufficiently encrypt the file.
The file size is checked, and if the file is > 1368709120 bytes, then large encrypted file routine is used. This will ensure that only parts of the file are encrypted and does not hang the encryptor up for too long if it encounters a very large file (example: Virtual Machine hard disk file). Anything less will use the small file routine.
Once it is complete the read me file is dropped as
read_it_cobra.txt
Readme Note and Wallpaper
The readme note and the wallpaper are then configured by the sample to open ‘notepad' (or the default text edit application) and set the system wallpaper using the ‘user32.dll’ function ‘SystemParameterInfo()’ function. This is a common function used by other encryptors to set the wallpaper for the current or all users. (see above for readme note text). The image used for the wallpaper is embedded in the sample as a Base64 encoded string, this can be found in the class definition.
Configured file names to encrypt
".txt", ".jar", ".dat", ".contact", ".settings", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg", ".mka", ".mhtml", ".oqy", ".png", ".csv", ".py", ".sql", ".mdb", ".php", ".asp", ".aspx", ".html", ".htm", ".xml", ".psd", ".pdf", ".xla", ".cub", ".dae", ".indd", ".cs", ".mp3", ".mp4", ".dwg", ".zip", ".rar", ".mov", ".rtf", ".bmp", ".mkv", ".avi", ".apk", ".lnk", ".dib", ".dic", ".dif", ".divx", ".iso", ".7zip", ".ace", ".arj", ".bz2", ".cab", ".gzip", ".lzh", ".tar", ".jpeg", ".xz", ".mpeg", ".torrent", ".mpg", ".core", ".pdb", ".ico", ".pas", ".db", ".wmv", ".swf", ".cer", ".bak", ".backup", ".accdb", ".bay", ".p7c", ".exif", ".vss", ".raw", ".m4a", ".wma", ".flv", ".sie", ".sum", ".ibank", ".wallet", ".css", ".js", ".rb", ".crt", ".xlsm", ".xlsb", ".7z", ".cpp", ".java", ".jpe", ".ini", ".blob", ".wps", ".docm", ".wav", ".3gp", ".webm", ".m4v", ".amv", ".m4p", ".svg", ".ods", ".bk", ".vdi", ".vmdk", ".onepkg", ".accde", ".jsp", ".json", ".gif", ".log", ".gz", ".config", ".vb", ".m1v", ".sln", ".pst", ".obj", ".xlam", ".djvu", ".inc", ".cvs", ".dbf", ".tbi", ".wpd", ".dot", ".dotx", ".xltx", ".pptm", ".potx", ".potm", ".pot", ".xlw", ".xps", ".xsd", ".xsf", ".xsl", ".kmz", ".accdr", ".stm", ".accdt", ".ppam", ".pps", ".ppsm", ".1cd", ".3ds", ".3fr", ".3g2", ".accda", ".accdc", ".accdw", ".adp", ".ai", ".ai3", ".ai4", ".ai5", ".ai6", ".ai7", ".ai8", ".arw", ".ascx", ".asm", ".asmx", ".avs", ".bin", ".cfm", ".dbx", ".dcm", ".dcr", ".pict", ".rgbe", ".dwt", ".f4v", ".exr", ".kwm", ".max", ".mda", ".mde", ".mdf", ".mdw", ".mht", ".mpv", ".msg", ".myi", ".nef", ".odc", ".geo", ".swift", ".odm", ".odp", ".oft", ".orf", ".pfx", ".p12", ".pl", ".pls", ".safe", ".tab", ".vbs", ".xlk", ".xlm", ".xlt", ".xltm", ".svgz", ".slk", ".tar.gz", ".dmg", ".ps", ".psb", ".tif", ".rss", ".key", ".vob", ".epsp", ".dc3", ".iff", ".onepkg", ".onetoc2", ".opt", ".p7b", ".pam", ".r3d"