{
	"id": "c52a0e7c-1cd0-4486-a4ff-64a5f1ec630d",
	"created_at": "2026-04-06T00:14:04.798617Z",
	"updated_at": "2026-04-10T03:21:16.117606Z",
	"deleted_at": null,
	"sha1_hash": "0b6fd8997c3b564113828a131a1d73f5273440ee",
	"title": "Analysing STOP Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 739123,
	"plain_text": "Analysing STOP Ransomware\r\nBy Glyc3rius\r\nPublished: 2024-02-11 · Archived: 2026-04-05 18:19:00 UTC\r\nSTOP/DJVU ransomware can be executed with one of the following parameters: --Admin, --ForNetRes, --Task, --AutoStart or --Service. It gathers location information about the victim with the help of a geolocation API service and compares its hard-coded country codes to the victim’s code; if one of them matches, the malware stops running. It uses the Salsa20 algorithm to encrypt files and appends the .cdpo extension to each encrypted file. The malware maintains persistence with two methods: a Run key value named SysHelper and a scheduled task called Time Trigger Task. It drops additional payloads (in our case Vidar and a Clipboard Hijacker) from malicious URLs, and a public key is also loaded from the C2 server.\r\nThe unpacking procedure is fairly simple. We only have to put a breakpoint on the WriteProcessMemory function, which writes data to an area of memory in a specified process, then run the program until it hits that breakpoint. We then dump the 3rd argument of WriteProcessMemory, lpBuffer, which is a pointer to the buffer containing the data to be written into the address space of the target process. After following it in the dump, the MZ signature is found, a clear indicator of a Windows executable. The last step is to remove the junk bytes in a hex editor, and we finally obtain the unpacked file.\r\nFigure 1: Unpacking STOP Ransomware\r\nBefore we get into analysing what this malware is capable of, it’s important to note that it can execute itself with different parameters from the command line. First, the ransomware tries to launch itself with the --Admin IsNotAutoStart IsNotTask parameters. --Admin runs it with admin access rights, IsNotAutoStart indicates it won’t run automatically when the system starts up, and IsNotTask means the execution of the program is not scheduled as a task. However, STOP ransomware has five more ways to start its execution:\r\n--Admin IsAutoStart IsTask\r\n--ForNetRes IsAutoStart IsTask\r\n--Task\r\n--AutoStart\r\n--Service\r\nhttps://glyc3rius.github.io/2024/02/stop/\r\nPage 1 of 7\r\nThe malware first makes a request to the Geo-IP API service https[:]//api.2ip.ua/geo.json, which returns location information about the victim as a JSON document. Here is an example of it according to the geolocation site:\r\n{\"ip\":\"8.8.8.8\",\r\n\"country_code\":\"US\",\r\n\"country\":\"United states of america\",\r\n\"country_rus\":\"США\",\r\n\"country_ua\":\"США\",\r\n\"region\":\"California\",\r\n\"region_rus\":\"Калифорния\",\r\n\"region_ua\":\"Каліфорнія\",\r\n\"city\":\"Mountain view\",\r\n\"city_rus\":\"Маунтин-Вью\",\r\n\"latitude\":\"37.38605\",\r\n\"longitude\":\"-122.08385\",\r\n\"zip_code\":\"94035\",\r\n\"time_zone\":\"-08:00\"}\r\nThe country_code field is then compared against a hard-coded list of country codes:\r\nFigure 2: Country codes that stop execution\r\nWhere RU is Russia, BY is Belarus, UA is Ukraine, AZ is Azerbaijan, AM is Armenia, TJ is Tajikistan, KZ is Kazakhstan, KG is Kyrgyzstan, UZ is Uzbekistan and SY is Syria. If the victim’s country_code matches one of the hard-coded values, the ransomware stops execution; otherwise, it continues.\r\nThis malware uses two persistence methods. Under the Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key, it creates a value called SysHelper. This makes the malware run every time the victim logs on. Then it executes the following command on the directory it created:\r\nicacls \"C:\\Users\\admin\\AppData\\Local\\8a4577dc-de55-4eb5-b48a-8a3eee60cd95\" /deny *S-1-1-0:(OI)(CI)(DE,DC)\r\nThe command denies the “Delete” and “Delete Child” permissions for the group ‘Everyone’ on this specific directory. The randomly named directory 8a4577dc-de55-4eb5-b48a-8a3eee60cd95 is generated by the malware itself with the UuidCreate and UuidToStringW functions.\r\nThe other persistence mechanism is a scheduled task created with the Task Scheduler COM API. After viewing and searching the scheduled tasks on the infected machine, we notice a suspicious task called Time Trigger Task. The action details confirm that it is indeed related to the malware and that it is repeated every 5 minutes indefinitely.\r\nFigure 3: Scheduled task under the Time Trigger Task name\r\nIn this specific PCAP, we have three crucial HTTP messages to analyse. First, the malware sends a GET request to the habrafa[.]com C2 host containing a pid in the URL, which is an MD5 hash of the victim’s MAC address. The host then responds with a PUBLIC KEY (in PEM format) and an id, which are stored in a text file called bowsakkdestx.txt on the victim’s machine.\r\nFigure 4: HTTP Stream of the Public Key\r\nThe second HTTP message requests a file named build2.exe from brusuax[.]com, which is a Windows executable. After unpacking, it is revealed to be the Vidar stealer, which is quite commonly dropped alongside STOP ransomware. It steals information and cryptocurrencies; if you want to get familiar with the infostealer and its functionalities, look for related articles in Malpedia’s collection.\r\nFigure 5: HTTP Stream of build2.exe\r\nThere is also a build3.exe loaded by the ransomware from the habrafa[.]com C2 host. This is also a Windows executable, as the MZ signature indicates.\r\nFigure 6: HTTP Stream of build3.exe\r\nThis PE file seems packed, but fortunately the unpacking is pretty easy and similar to the one described above. We just have to set a breakpoint on the NtWriteVirtualMemory function, then follow the third argument in the dump. After that, follow it in the memory map and dump it to a file. The last step is cleaning the file in a hex editor. This additional payload is a Clipboard Hijacker that keeps track of clipboard activity and aims to replace any cryptocurrency address with the attacker’s own address. It executes the following command on the victim:\r\n/C /create /F /sc minute /mo 1 /tn \"Azure-Update-Task\" /tr \"C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Network\\mstsca.exe\"\r\nThis creates a scheduled task named Azure-Update-Task with a schedule frequency of one minute, which runs the mstsca.exe file, the malicious executable. Further looking into the unpacked sample, a mutex named M5/610HP/STAGE2 and several cryptocurrency addresses were found.\r\nThe malware has several data tables in the .data section. These tables have either 10 or 16 values that point into the .rdata section, which is where the actual data we have to decrypt to extract the configuration is located. The encryption is a simple XOR with the value 0x80.\r\nFigure 7: XOR encryption of the malware's configuration\r\nThe ransomware uses the Salsa20 algorithm to encrypt files on the victim’s computer. Analysis of the file also indicates that OpenSSL was used in the encryption process, since it contains several related strings. There are a few file extensions that the malware doesn’t encrypt, such as .sys, .ini, .DLL, .dll, .blf, .bat, .lnk and .regtrans-ms. This sample uses the .cdpo file extension for the encrypted files; however, the extension varies from executable to executable. The first 5 bytes of each file are not encrypted by the ransomware, while at the end of each file the ransomware appends a UUID (created with the UuidCreate and UuidToStringA functions) encrypted with the RSA 2048 public key, the PersonalID and the {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5} value:\r\nFigure 8: Ending of an encrypted file in hex editor\r\nThe ransom note is placed in the _readme.txt file, which specifies the ransom demand and presents additional information such as emails to contact, a WeTransfer link that supposedly demonstrates how to decrypt an encrypted file, and the personal ID of the user:\r\nFigure 9: Ransom note in _readme.txt file\r\nA PersonalID.txt file is also created and placed in the SystemID folder on the victim’s machine:\r\nFigure 10: PersonalID.txt file on the victim's machine\r\nrule STOP_ransomware\r\n{\r\n    meta:\r\n        description = \"Detects Unpacked STOP Ransomware Samples\"\r\n        author = \"Glyc3rius\"\r\n        date_created = \"11/02/2024\"\r\n        sha256 = \"236259fb27568c5b6ba0ed090909d2f1aeb70258673f3b561514350a65eba77a\"\r\n    strings:\r\n        $s_launch_arg1 = \"--Admin\" wide\r\n        $s_launch_arg2 = \"IsNotAutoStart\" wide\r\n        $s_launch_arg3 = \"IsNotTask\" wide\r\n        $s_launch_arg4 = \"--AutoStart\" wide\r\n        $s_launch_arg5 = \"IsAutoStart\" wide\r\n        $s_launch_arg6 = \"IsTask\" wide\r\n        $s_launch_arg7 = \"--ForNetRes\" wide\r\n        $s_launch_arg8 = \"--Task\" wide\r\n        $s_launch_arg9 = \"--Service\" wide\r\n        $s_pdb = \"encrypt_win_api.pdb\"\r\n        $s_jpg = \"5d2860c89d774.jpg\" wide\r\n        $s_scheduled_task = \"Time Trigger Task\" wide\r\n        $mutex_1 = \"{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}\"\r\n        $mutex_2 = \"{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}\"\r\n        $m_end_of_encrypted_file = \"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}\"\r\n    condition:\r\n        uint16(0) == 0x5a4d\r\n        and all of ($s*)\r\n        and (any of ($m*))\r\n}\r\nIndicators of Compromise | Description\r\n5e19952acedb1da68215069d44ce1f3d48da10491151003148f1cceab03f1073 | STOP Packed Sample\r\n236259fb27568c5b6ba0ed090909d2f1aeb70258673f3b561514350a65eba77a | STOP Unpacked Sample\r\ne3d16f3f69fa0857f966022387ee6f9408385ddf389d09ffe7dc44acc8ac1ad5 | Packed Vidar Infostealer (build2.exe)\r\n0e5849b3c364687599909abee08ab6638521ea62b887dc365e40d2589959ac8b | Unpacked Vidar Infostealer\r\nfef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 | Packed Clipboard Hijacker (build3.exe)\r\n8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | Unpacked Clipboard Hijacker\r\nhabrafa[.]com/test1/get.php | Command and Control (C2)\r\nhttp[:]//brusuax[.]com/dl/build2.exe | Payload URL, drops Vidar\r\nhttp[:]//habrafa[.]com/files/1/build3.exe | Payload URL, drops Clipboard Hijacker\r\nSource: https://glyc3rius.github.io/2024/02/stop/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://glyc3rius.github.io/2024/02/stop/"
	],
	"report_names": [
		"stop"
	],
	"threat_actors": [],
	"ts_created_at": 1775434444,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b6fd8997c3b564113828a131a1d73f5273440ee.pdf",
		"text": "https://archive.orkl.eu/0b6fd8997c3b564113828a131a1d73f5273440ee.txt",
		"img": "https://archive.orkl.eu/0b6fd8997c3b564113828a131a1d73f5273440ee.jpg"
	}
}