DETAILS
VIDEO934284717.mp4.exe is a UPX packed ransomware application called
ElmersGlue_3.exe. Unpacking the file can be accomplished with any UPX utility.
As pointed out by an astute reader, UPX is unable to pack .NET applications.
The ransomware in question is not natively packed with UPX, rather the
overarching EXE (the dropper) is packed and this is the portion we can unpack
with UPX.
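As an added illustration of the two packing layers described above (an example written for this page, not the author's tooling and not a parser of the real sample): a short PE header walk that reports UPX section names and whether the CLR runtime header is present, which is how an analyst tells the UPX-packed dropper apart from the .NET payload it carries. Both images below are constructed in the block; `build_pe` and `pe_triage` are hypothetical helper names.

```python
import struct

# Section names UPX writes into the packed image; used as a quick packer hint.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET runtime header)

def pe_triage(data: bytes) -> dict:
    """Walk the PE headers and report UPX section names and a CLR header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 layout
    nrva = struct.unpack_from("<I", data, dd_base - 4)[0]
    clr_rva = 0
    if nrva > CLR_DIR_INDEX:  # only read the CLR entry if the table has it
        clr_rva = struct.unpack_from("<I", data, dd_base + CLR_DIR_INDEX * 8)[0]
    sec = opt + opt_size
    names = [data[sec + i * 40:sec + i * 40 + 8].rstrip(b"\0") for i in range(nsections)]
    return {
        "upx": any(n in UPX_SECTION_NAMES for n in names),
        "dotnet": clr_rva != 0,
        "sections": [n.decode("ascii", "replace") for n in names],
    }

def build_pe(section_names, dotnet=False) -> bytes:
    """Constructed minimal PE32 header for testing; not a runnable binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[CLR_DIR_INDEX] = (0x2008, 0x48)  # any non-zero RVA marks a CLR image
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + secs

if __name__ == "__main__":
    # Constructed stand-ins for the packed dropper and the .NET payload inside it.
    print(pe_triage(build_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(pe_triage(build_pe([b".text", b".rsrc"], dotnet=True)))
```

A real UPX-packed dropper reports `upx` true and `dotnet` false; the extracted .NET binary reports the reverse, which is why the unpacking step applies to the outer file only.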
ElmersGlue extracts a copy of itself to the %Temp% directory and achieves persistence by copying this same file to the Windows Startup Folder. A batch file is also written to the %Temp% directory which launches the extracted ElmersGlue program.
Once running, ElmersGlue will lock your current desktop environment by remaining the topmost application at all times. ALT-TAB, CTRL-ALT-DEL, and other methods of regaining control of other processes have no effect because this window stays topmost at all times.
The ElmersGlue GUI claims that the current computer has been locked and that a ransom of $150 USD in Bitcoin must be paid to unlock it. The application also claims that each computer is locked with a unique key. This isn’t true.
Upon closer inspection of the .NET code, it becomes clear that there is a hardcoded UNLOCK key: 83502631947189478135791649134973.
This key successfully unlocks the computer.
CONCLUSION
This version of ElmersGlue ransomware attempts to extort $150 USD in Bitcoin
from the user after locking their computer. The ransomware claims that each
computer is locked with a unique key, but a hardcoded key was uncovered which
allows the user to unlock their machine without paying a ransom.