Sonorousness ransomware unmasked

Sonorousness: the latest ransomware of the S-Locker family

Recently, NewSky Security received a threat sample from the security community that is a derivative of the S-Locker ransomware family. This new derivative is known as Sonorousness, named for a class within the malware called “com.sonorousness”. Compared to S-Locker, this new malware adds code-protection techniques that make analysis noticeably harder. We provide our analysis in this post.

The APK Overview

The Sonorousness ransomware is bundled with an app that promises to deliver porn media. Once installed, it exhibits the following behaviors.

  • Protects itself by requesting admin privileges
  • Keeps its pop-up window on top so the affected user cannot reach the device settings to revoke the admin privilege
    Figure 1. Fake request to update by Sonorousness

    Figure 2. Continuation of the fake request to update by Sonorousness; this overlay blocks access to the device settings
  • Registers as a new background service and launches itself on system startup
  • Displays alert messages demanding money for alleged “illegal sexual video” activity
  • Connects to an attacker-controlled command and control (C&C) server every 30 seconds
  • Accepts remote commands from the C&C server, such as taking pictures, sending pictures, and downloading and installing arbitrary .APK files
  • Gathers and sends device information such as contacts, phone number, and location

The ransomware uses strong code-obfuscation techniques and also encrypts its malicious DEX file.

Protection Methods

The ransomware .APK contains a DEX file and two resource files with the .html extension. One of them, “info.html”, is actually an encrypted DEX file and contains almost all of the ransomware code.

Figure 4. The file structure of Sonorousness ransomware

This approach of obfuscating and hiding in plain sight appears to have worked, at least in the short term, as evidenced by a recent multi-scanner report for the ransomware from VirusTotal.com:

Figure 5. VirusTotal scan results from April 2016 indicating detection by 2 of 56 security scanners

The purpose of the primary DEX code of the ransomware is to decrypt the encoded component “info.html”, which is itself a DEX file. To hinder reverse engineering, the class, method, and variable names were obfuscated using Androguard, and API calls were wrapped in reflection via getClass(), getMethod(), and invoke(), so that API and class names appear only as loosely formatted strings rather than direct references.

Using debugging tools, we recovered the method names and spotted the suspicious name “test.apk”, which is the file name of the decrypted ransomware.

Figure 6. Decoded class names and strings shown in the debugger

Figure 7. Primary DEX decrypts “info.html” to “test.apk”

Figure 8. Routine loads the recovered ransomware DEX file at runtime

Figure 9. Routine recovers code using XOR with key 0x32

At this point, the ransomware code is recovered and begins to execute.

Functions of the Ransomware

The ransomware uses social engineering (fake FBI alerts) to trick affected device users into paying the ransom. Interestingly, the only payment form requested and accepted is an iTunes gift card. Sonorousness is deliberately intrusive: it redisplays the warning message repeatedly using AlarmManager, with the alert window kept as the topmost window.

Figure 10. Ransomware UI repeatedly displayed using AlarmManager

Sonorousness attempts to connect with a command and control (C&C) server to receive commands from an attacker.

Figure 11. Ransomware connects every 30 seconds with a C&C server located in Russia

Remote commands can include opening a specified URL, sending personal information, taking photos, and installing specified Android apps.

Figure 12. Parses the JSON response, then downloads and installs a third-party APK

Figure 13. Sonorousness captures device and personal information to steal

Figure 14. Phone camera activation code

In Conclusion – Approaches to Detection

Despite its code-protection mechanism and social engineering tricks, threats such as Sonorousness can still be detected through reverse engineering or in a sandbox. Here are some of our ideas:

Executable file disguised as a resource file. HTML files are not normally in binary format, so a binary “.html” resource can be detected by static analysis.

Execution of a dynamically generated file. In the case of Sonorousness, the component “test.apk”, which is the ransomware body, is not part of the primary code: it is generated at runtime and then executed. The “write and execute” combination is definitely suspicious and can be detected by dynamic execution.

Aggressive requests for device administrator. Without the elevated device-admin privilege, this ransomware could be defeated by a simple “adb uninstall” command. Sonorousness displays the device-admin request window every 5 seconds, classic behavior for malware. This can be detected via either static or dynamic approaches.

Always-on-top pop-up screens that block normal use of the phone. This is yet another classic behavior of ransomware and other malware, and can be detected via either static or dynamic approaches.
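A static check for the first two ideas above, written as an added example and not code from NewSky's analysis: it opens an APK, inspects every resource with a text extension, and flags any whose bytes carry a DEX or ZIP header, either plain or under the XOR key 0x32 recovered from the loader, or that are binary rather than text. The sample archive is constructed inline; the key is the page's, while the extension list, the binary-content threshold and the function names are assumptions.

```python
import io
import zipfile

XOR_KEY = 0x32              # key recovered in Figure 9
DEX_MAGIC = b"dex\n"        # every DEX file starts with "dex\n" + version
ZIP_MAGIC = b"PK\x03\x04"   # an APK is a ZIP archive
TEXT_EXT = (".html", ".htm", ".txt", ".css", ".js")   # assumed "text" extensions

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the transform the loader applies to info.html."""
    return bytes(b ^ key for b in data)

def classify_blob(data: bytes):
    """Return a label if the blob is DEX/APK, stored plain or XOR-wrapped, else None."""
    head = data[:8]
    for how, chunk in (("plain", head), ("xor 0x32", xor_bytes(head, XOR_KEY))):
        if chunk.startswith(DEX_MAGIC):
            return f"DEX ({how})"
        if chunk.startswith(ZIP_MAGIC):
            return f"APK/ZIP ({how})"
    return None

def looks_binary(data: bytes) -> bool:
    """Real HTML has no NUL bytes and few control/high bytes; code does (30% is an assumed cutoff)."""
    sample = data[:4096]
    odd = sum(1 for b in sample if b < 0x09 or 0x0E <= b < 0x20 or b > 0x7E)
    return b"\x00" in sample or (bool(sample) and odd / len(sample) > 0.30)

def scan_apk(apk_bytes: bytes) -> list:
    """Flag 'text' resources inside an APK that are really executable code."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(TEXT_EXT):
                continue
            data = zf.read(name)
            label = classify_blob(data) or ("binary content" if looks_binary(data) else None)
            if label:
                findings.append((name, label))
    return findings

def build_sample_apk() -> bytes:
    """Constructed stand-in for the sample: one real page, one XOR-0x32 DEX named info.html."""
    fake_dex = b"dex\n035\x00" + bytes(range(256))   # constructed header, not real code
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/index.html", b"<html><body>Update required</body></html>")
        zf.writestr("assets/info.html", xor_bytes(fake_dex, XOR_KEY))
    return buf.getvalue()
```

Run `scan_apk(open("sample.apk", "rb").read())` against a real archive; the constructed one yields a single finding for `assets/info.html` and nothing for the genuine HTML page.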

Sample information

Adult Video APK SHA256
f6d23ae6c22ca7b4f2cf5ba34fa52dc0b864dda61b5ac7ef76a2cc2e02859c22

TEST.APK SHA256
bb34b454e18c41f19067b37dda98cd68c250986edaa7e0bbd3df27c83fe1ab9d

Hash values for similar samples
ecee53c5f88066df9dbe6f65a18b75976dada52f962af1d67da426bd44f8fbc8
39c8555bcdb5ee1b10774f29508c41fa1c6589e1e932c2b2a46463839299705c
26f36f716ab479124831d3f3c5ecadf776bd4c2384d63bd6e509b8eda7c60f1f
0c4551c84aa80b5ce3d6dea87d1a5b52b268f771cf20e626e9d46e095c910878

Figure 15. Sonorousness Application Overview