Satan Ransomware employs EternalBlue Exploit Kit

April 26, 2018


The SonicWall Capture Labs Threat Research Team has received reports of a new variant of the Satan ransomware. The Satan ransomware has been around since early 2017, but it was not until late 2017 that we saw it adopt the EternalBlue exploit kit. This is the same exploit kit that was, and still is, used by ransomware such as WannaCry and BadRabbit, and it is employed to penetrate more effectively through internal networks.

Infection Cycle:

Upon infection, the Trojan encrypts files on the system and prepends [] to the original filename. After infection, it displays the following text:

The Trojan drops the following files to the filesystem:

  • %ALLUSERSPROFILE%\client.exe [Detected as GAV: Suspicious#mpress.2 (Trojan)]
  • %ALLUSERSPROFILE%\blue.exe [Detected as GAV: Squida.A_2 (Trojan)]
  • %ALLUSERSPROFILE%\blue.xml
  • %ALLUSERSPROFILE%\cnli-1.dll [Detected as GAV: MalAgent.J_39290 (Trojan)]
  • %ALLUSERSPROFILE%\coli-0.dll [Detected as GAV: Downloader.A_1172 (Trojan)]
  • %ALLUSERSPROFILE%\crli-0.dll [Detected as GAV: MalAgent.J_29735 (Trojan)]
  • %ALLUSERSPROFILE%\dmgd-4.dll [Detected as GAV: Artemis.A_162 (Trojan)]
  • %ALLUSERSPROFILE%\down64.dll
  • %ALLUSERSPROFILE%\exma-1.dll [Detected as GAV: Shadowbrokers.D_5 (Trojan)]
  • %ALLUSERSPROFILE%\libeay32.dll
  • %ALLUSERSPROFILE%\libxml2.dll
  • %ALLUSERSPROFILE%\ms.exe [Detected as GAV: SatanCryptor.RSM_2 (Trojan)]
  • %ALLUSERSPROFILE%\posh-0.dll [Detected as GAV: MalAgent.J_21737 (Trojan)]
  • %ALLUSERSPROFILE%\ssleay32.dll [Detected as GAV: Eqtonex.A_6 (Trojan)]
  • %ALLUSERSPROFILE%\star.exe [Detected as GAV: MalAgent.J_8604 (Trojan)]
  • %ALLUSERSPROFILE%\tibe-2.dll [Detected as GAV: MalAgent.H_9335 (Trojan)]
  • %ALLUSERSPROFILE%\star.xml
  • %ALLUSERSPROFILE%\tucl-1.dll [Detected as GAV: Shadowbrokers.DZ (Trojan)]
  • %ALLUSERSPROFILE%\trfo-2.dll [Detected as GAV: Downloader.A_1169 (Trojan)]
  • %ALLUSERSPROFILE%\tucl-1.dll [Detected as GAV: MalAgent.J_21729 (Trojan)]
  • %ALLUSERSPROFILE%\xdvl-0.dll [Detected as GAV: Eqtonex.A_2 (Trojan)]
  • %ALLUSERSPROFILE%\zlib1.dll [Detected as GAV: MalAgent.J_35104 (Trojan)]
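
A triage check built from the file list above, as an added example that is not SonicWall's code. It matches a directory listing against the dropped file names; treating the four names that common libraries also use (OpenSSL, libxml2, zlib) as supporting evidence only, the threshold of 3, and the verdict labels are assumptions of this example.

```python
import os
from pathlib import Path

# Names from the advisory's dropped-file list that are specific to this toolkit.
STRONG = {
    "client.exe", "blue.exe", "blue.xml", "star.exe", "star.xml", "ms.exe",
    "cnli-1.dll", "coli-0.dll", "crli-0.dll", "dmgd-4.dll", "down64.dll",
    "exma-1.dll", "posh-0.dll", "tibe-2.dll", "trfo-2.dll", "tucl-1.dll",
    "xdvl-0.dll",
}
# Names from the same list that legitimate software also ships (OpenSSL,
# libxml2, zlib). Assumption: these count only as supporting evidence.
WEAK = {"libeay32.dll", "libxml2.dll", "ssleay32.dll", "zlib1.dll"}


def triage(names, threshold=3):
    """Classify a directory listing; threshold is an assumed cut-off."""
    seen = {n.lower() for n in names}  # Windows file names are case-insensitive
    strong = sorted(seen & STRONG)
    weak = sorted(seen & WEAK)
    if len(strong) >= threshold:
        verdict = "likely-infected"
    elif strong:
        verdict = "review"
    else:
        verdict = "no-match"  # library names alone are not treated as a hit
    return {"verdict": verdict, "strong": strong, "weak": weak}


def scan_dir(path):
    """Triage the files directly inside path (the advisory lists no subfolders)."""
    root = Path(path)
    return triage(p.name for p in root.iterdir() if p.is_file())


# Constructed sample listings, not taken from a real host.
SAMPLE_INFECTED = ["Blue.exe", "blue.xml", "star.exe", "tucl-1.dll",
                   "zlib1.dll", "ntuser.pol"]
SAMPLE_BENIGN = ["zlib1.dll", "libeay32.dll", "ssleay32.dll", "ntuser.pol"]

if __name__ == "__main__":
    print(triage(SAMPLE_INFECTED))
    print(triage(SAMPLE_BENIGN))
    target = os.environ.get("ALLUSERSPROFILE")  # set on Windows only
    if target and Path(target).is_dir():
        print(target, scan_dir(target))
```

A name match is a lead for further inspection of the host, not a confirmation; file names are trivial for a later variant to change.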

The Trojan reports the infection to a C&C server:

The Trojan downloads and runs ms.exe and setup.exe from the C&C server:

We observed the Trojan running blue.exe with its command-line arguments. This is an attempt to spread to other machines on the internal network:

Some configuration strings can be seen in the Trojan's memory after it is unpacked:

The Trojan instructs victims to send 0.3 BTC to 14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo. It seems that some have fallen prey to its scheme:

We reached out to concerning file decryption but did not receive a response.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Satan.RSM (Trojan)
  • GAV: SatanCryptor.RSM_2 (Trojan)
  • GAV: Suspicious#mpress.2 (Trojan)
  • GAV: Squida.A_2 (Trojan)
  • GAV: MalAgent.J_39290 (Trojan)
  • GAV: Downloader.A_1172 (Trojan)
  • GAV: MalAgent.J_29735 (Trojan)
  • GAV: Artemis.A_162 (Trojan)
  • GAV: Shadowbrokers.D_5 (Trojan)
  • GAV: MalAgent.J_21737 (Trojan)
  • GAV: Eqtonex.A_6 (Trojan)
  • GAV: MalAgent.J_8604 (Trojan)
  • GAV: MalAgent.H_9335 (Trojan)
  • GAV: Shadowbrokers.DZ (Trojan)
  • GAV: Downloader.A_1169 (Trojan)
  • GAV: MalAgent.J_21729 (Trojan)
  • GAV: Eqtonex.A_2 (Trojan)
  • GAV: MalAgent.J_35104 (Trojan)