# When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777

**unit42.paloaltonetworks.com/vatet-pyxie-defray777/3**

Ryan Tracey, Drew Schmitt November 7, 2020

By [Ryan Tracey and](https://unit42.paloaltonetworks.com/author/ryan-tracey/) [Drew Schmitt](https://unit42.paloaltonetworks.com/author/drew-schmitt/)

November 6, 2020 at 6:15 PM

[Category: Malware,](https://unit42.paloaltonetworks.com/category/malware-2/) [Ransomware,](https://unit42.paloaltonetworks.com/category/ransomware/) [Unit 42](https://unit42.paloaltonetworks.com/category/unit-42/)

Tags: [Defray777,](https://unit42.paloaltonetworks.com/tag/defray777/) [PyXie,](https://unit42.paloaltonetworks.com/tag/pyxie/) [Vatet](https://unit42.paloaltonetworks.com/tag/vatet/)

This post is also available in: 日本語 [(Japanese)](https://unit42.paloaltonetworks.jp/vatet-pyxie-defray777/)

## Last, but Not Least: Defray777

[Defray777 is an elusive family of ransomware also known as Ransom X and](https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/) [RansomExx. Although it has recently been covered in the news](https://www.bleepingcomputer.com/news/security/montreals-stm-public-transport-system-hit-by-ransomware-attack/?_hsenc=p2ANqtz--TMeD-DcOlE_JbE5-1DKkStefcr1qAFppJIfTyGcye3y_Z5SsaryNC0zrBu7qu5iPsiwx0&utm_campaign=Ad%20hoc%20social%20posts%20&utm_content=143516149&utm_medium=social&utm_source=twitter&hss_channel=tw-29175108)
as a new family, it has been in use since at least 2018 and is responsible for a number of high-profile ransomware incidents -- as detailed in
the articles we linked to.

Defray777 runs entirely in memory, which is why there have been so few publicly discussed samples to date. In several recent incidents,
Defray777 was loaded into memory and executed by Cobalt Strike, which was delivered by the Vatet loader.

During our research, we discovered multiple decryptors for this ransomware family, going back as early as 2018. Reviewing decryptors from
2018 until present shows that there has been consistency in the ransomware’s encryption and decryption methodology, as well as the use of
[Themida for packing their decryptors. Table 10 shows a list of Defray777 decryptors discovered in AutoFocus, with a list of organizations that](https://www.oreans.com/themida.php)
suffered ransomware attacks. This shows that Defray777 has been consistently active since 2018.

**Date** **Victim**

12/7/2018 Education Organization

2/4/2019 Healthcare Organization

3/1/2019 Technology Organization

3/15/2019 Education Organization

8/8/2019 Healthcare Organization

8/25/2019 Education Organization

8/28/2019 Transportation and Logistics Organization

9/3/2019 Legal Organization


-----

9/6/2019 Education Organization

9/26/2019 Healthcare Organization

10/30/2019 Government Organization

11/1/2019 Healthcare Organization

2/4/2020 Technology Organization

2/10/2020 Government Organization

3/16/2020 Food Organization

10/17/2020 Finance Organization

_Table 10. Defray777 ransomware attacks listed by date and victim._

Figure 21.

Defray777 decryptor.
We have examined several recent Defray777 samples, including one sample that was obtained directly from memory during a recent incident.
Our in-depth analysis resulted in the findings outlined below.

**Decrypted Strings**

The string decryption process is the same as we saw with PyXie. The following strings were decrypted from a recent Defray777 sample:


-----

Already active [%s]
+%u (%u) files done [%s] [%u KB/s]

Started (PID: %u; Workers: %u; AES-%s) [%s]

Complete (+%u (%u) files done) [%s]

Work time: %d:%02d:%02d

Unable to get computer name

CryptoGuard

kernel32.dll

ConvertStringSecurityDescriptorToSecurityDescriptorW

advapi32.dll

IsWow64Process

SystemDrive

KiUserExceptionDispatcher

_Table 11. Defray777 encrypted strings._

**Prioritizing Defray777 on the Impacted System**

While deep diving on a recovered Defray777 sample, we found that Defray777 exhibits the following notable characteristics regarding the
prioritization of threads and processes:

During execution, the ransomware uses SetProcessPriorityBoost to prioritize the threads of the Defray777 process.
Defray777 additionally focuses on creating and prioritizing threads for encryption by calling SetThreadAffinityMask and
SetThreadPriorityBoost.
Defray777 uses multithreading to improve ransomware performance.

Figure 22. Prioritization of

Defray777 threads during execution.

**Killing “Undesirable” Processes**

As part of the execution workflow, Defray777 creates threads that will be responsible for the killing of processes that the threat actors deem to
be “undesirable.” The execution continues by getting a listing of processes using CreateToolhelp32Snapshot before iterating through all active
processes (with the exception of itself) and killing all “undesirable” processes. Defray777 specifically targets process that can be opened with
the desired access of SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_VM_WRITE | PROCESS_VM_READ |
PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD.

Defray777 excludes all processes that contain the system file path in their full image path. Additionally, the ransomware will exclude the
following processes from being killed during execution:

powershell.exe rundll32.exe

wefault.exe explorer.exe

vmnat.exe

_Table 12. Excluded processes._

**Stopping System Services**

During execution, Defray777 stops the following services from running:

Acronis VSS Provider MSExchangeADTopology MSSQLSERVER SQLAgent$PRACTT

AcronisAgent MSExchangeAntispamUpdate MSSQLServerADHelper SQLAgent$PROD

AcronixAgent MSExchangeEdgeSync MSSQLServerADHelper100 SQLAgent$PROFXE


-----

AcrSch2Svc MSExchangeES MSSQLServerOLAPService SQLAgent$SBSMON

Antivirus MSExchangeFBA MySQL57 SQLAgent$SHAREP

ARSM MSExchangeFDS MySQL80 SQLAgent$SOPHOS

AVP MSExchangeIS NetMsmqActivator SQLAgent$SQL_200

BackupExecAgentAccelerator MSExchangeMailboxAssistants nginx SQLAgent$SQLEXP

BackupExecAgentBrowser MSExchangeMailboxReplication ntrtscan SQLAgent$SYSTEM

BackupExecDeviceMediaService MSExchangeMailSubmission OracleClientCache80 SQLAgent$TPS

BackupExecJobEngine MSExchangeMGMT OracleServiceXE SQLAgent$TPSAMA

BackupExecManagementService MSExchangeMTA OracleXETNSListener SQLAgent$VEEAMS

BackupExecRPCService MSExchangeProtectedServiceHost PDVFSService SQLAgent$VEEAMS

BackupExecVSSProvider MSExchangeRepl POP3Svc SQLBrowser

bedbg MSExchangeRPC ReportServer SQLsafe Backup Se

DbxSvc MSExchangeSA ReportServer$SQL_2008 SQLsafe Filter Servi

DCAgent MSExchangeSearch ReportServer$SYSTEM_BGC SQLSafeOLRServic

EhttpSrv MSExchangeServiceHost ReportServer$TPS SQLSERVERAGEN

ekrn MSExchangeSRS ReportServer$TPSAMA SQLTELEMETRY

Enterprise Client Service MSExchangeThrottling RESvc SQLTELEMETRY$E

EPSecurityService MSExchangeTransport sacsvr SQLWriter

EPUpdateService MSExchangeTransportLogSearch SamSs SstpSvc

EraserSvc11710 msftesql$PROD SAVAdminService svcGenericHost

EsgShKernel MSOLAP$SQL_2008 SAVService swi_filter

ESHASRV MSOLAP$SYSTEM_BGC SDRSVC swi_service

FA_Scheduler MSOLAP$TPS SepMasterService swi_update

IISAdmin MSOLAP$TPSAMA ShMonitor swi_update_64

IMAP4Svc MSSQL$BKUPEXEC Smcinst Symantec System R

KAVFS MSSQL$ECWDB2 SmcService TmCCSF

KAVFSGT MSSQL$PRACTICEMGT SMTPSvc tmlisten

kavfsslp MSSQL$PRACTTICEBGC SNAC TrueKey

klnagent MSSQL$PROD SntpService TrueKeyScheduler

macmnsvc MSSQL$PROFXENGAGEMENT Sophos Agent TrueKeyServiceHelp

masvc MSSQL$SBSMONITORING Sophos AutoUpdate Service UI0Detect

MBAMService MSSQL$SHAREPOINT Sophos Clean Service Veeam Backup Cata
Service

MBEndpointAgent MSSQL$SOPHOS Sophos Device Control Service VeeamBackupSvc

McAfeeEngineService MSSQL$SQL_2008 Sophos File Scanner Service VeeamBrokerSvc

McAfeeFramework MSSQL$SQLEXPRESS Sophos Health Service VeeamCatalogSvc

McAfeeFrameworkMcAfeeFramework MSSQL$SYSTEM_BGC Sophos MCS Agent VeeamCloudSvc

McShield MSSQL$TPS Sophos MCS Client VeeamDeploymentS

McTaskManager MSSQL$TPSAMA Sophos Message Router VeeamDeploySvc

mfefire MSSQL$VEEAMSQL2008R2 Sophos Safestore Service VeeamEnterpriseMa


-----

mfemms MSSQL$VEEAMSQL2012 Sophos System Protection
Service


VeeamHvIntegration


mfevtp MSSQLFDLauncher Sophos Web Control Service VeeamMountSvc

MMS MSSQLFDLauncher$PROFXENGAGEMENT sophossps VeeamNFSSvc

MongoDB MSSQLFDLauncher$SBSMONITORING SQL Backups VeeamRESTSvc

mozyprobackup MSSQLFDLauncher$SHAREPOINT SQLAgent$BKUPEXEC VeeamTransportSvc

MsDtsServer MSSQLFDLauncher$SQL_2008 SQLAgent$CITRIX_METAFRAME W3Svc

MsDtsServer100 MSSQLFDLauncher$SYSTEM_BGC SQLAgent$CXDB wbengine

MsDtsServer110 MSSQLFDLauncher$TPS SQLAgent$ECWDB2 WRSVC

MSExchangeAB MSSQLFDLauncher$TPSAMA SQLAgent$PRACTTICEBGC Zoolz 2 Service

_Table 13. Services stopped by Defray777._

**File Encryption**

Based on a recent Defray777 sample recovered from memory, the ransomware will get a listing of all logical drives on the system using a call
to GetLogicalDriveStringsW before iterating through each drive to encrypt files using the following process:

To begin, Defray777 checks for whether the processor feature PF_XMMI64_INSTRUCTIONS_AVAILABLE is present on the impacted
system.

If enabled, Defray777 knows that SSE2 is supported and more complex mathematical operations are possible.
Defray777 will also determine if the processor is capable of using AES-NI for improved encryption performance.
As encryption begins, a ransom note will be created in each directory where files will be encrypted.

The name of the ransom note will vary. However, from our research, the ransom notes most commonly contain a combination of
exclamation points, the string “README,” and a reference to the victim name.
Example: !!!_IMPACTED_Client_README_!!!.txt
The file contents will be encrypted using an on-the-fly generated AES key that gets encrypted with RSA-4096 and stored in the file footer
in a 512-byte block.
The encrypted file will be renamed by appending an extension that consists of a unique victim identifier and a randomized eight-digit
hexadecimal number.

Example: .v1ct1m-1bc461ac

Figure 23. Recent example of a

Defray777 ransom note.
Specifically, the encryption mechanism consists of the following steps:

Dynamically generate a 32-byte AES key.
Encrypt the file with AES-256 in ECB mode using 16-byte blocks.
Encrypt the AES key with RSA-4096 and append the 0x200 byte cipher text to the end of the encrypted file.

**Encryption Exclusions**

During the encryption process, Defray777 aims to encrypt as many files as possible without impacting the system’s core functionality. To
accomplish this, Defray777 uses a set of excluded folders, files and file extensions that will not be encrypted during execution.

Excluded Folders:

\windows\system32\ \windows\syswow64\ \windows\system\

\windows\winsxs\ \appdata\roaming\ \appdata\local\

\appdata\locallow\ \all users\microsoft\ \inetpub\logs\


-----

:\boot\ :\perflogs\ :\programdata\

:\drivers\ :\wsus\ :\efstmpwp\

:\$recycle.bin\ :\EFSTMPWP\ crypt_detect

cryptolocker ransomware

_Table 14. Folders excluded from encryption by Defray777._

Excluded files:

iconcache.db thumbs.db ransomware ransom

debug.txt boot.ini desktop.ini autorun.inf

ntuser.dat ntldr ntdetect.com bootfont.bin

bootsect.bak

_Table 15. Files excluded from encryption by Defray777._

It is also important to note that Defray777 adds the name of the ransom note into the excluded files list.

Excluded extensions:

.ani .cab .cpl .cur .diagcab

.diagpkg .dll .drv .hlp .icl

.icns .ico .iso .ics .lnk

.idx .mod .mpa .msc .msp

.msstyles .msu .nomedia .ocx .prf

.rtp .scr .shs .spl .sys

.theme .themepack .exe .bat .cmd

.url .mui

_Table 16. Extensions excluded from encryption by Defray777._

**Searching for Unmapped File Shares**

During execution, Defray777 uses WNetOpenEnumW and WNetEnumResourceW to search for file shares that may contain files that could be
encrypted. This tactic has been seen amongst other ransomware variants in the wild to encrypt files that are accessible via unmapped file
shares.


-----

Figure 24. Defray777 enumerating

network resources.

**Anti-Forensic Measures**

After all files are encrypted on the system, Defray777, like many other ransomware variants, implements common anti-forensics measures to
remove as much evidence of the intrusion as possible and make it extremely difficult for the system to be recovered without a backup.
Although these commands are common amongst other ransomware variants, Defray777 runs commands post-encryption, which means that
when security tools alert or take action against Defray777, the files have already been encrypted.

Commands executed by Defray777:

cipher.exe /w:[DRIVE]

fsutil.exe usn deletejournal /D [DRIVE]

wbadmin.exe delete catalog -quiet

bcdedit.exe /set {default} recoveryenabled no

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

wevtutil.exe cl Application

wevtutil.exe cl System

wevtutil.exe cl Setup

wevtutil.exe cl Security

wevtutil.exe sl Security /e:false

_Table 17. Anti-forensic commands executed by Defray777._

Registry keys modified:

\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableConfig
\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR

\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR

\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig

_Table 18. Registry Keys Modified by Defray777._

**Defray777’s Port to Linux**

During the course of our research, we found that Defray777 ransomware has been ported over to Linux. Before Defray777, ransomware that
impacted both Windows and Linux operating systems was limited to being written in Java or scripting languages such as Python. These
ransomware variants would be considered cross-functional since they were written in a single language that must be installed and supported
by both operating systems. Defray777’s port to Linux ensures that the ransomware has standalone executables for each platform with no
external dependencies.

A ZIP archive was uploaded to a public malware repository on Oct. 17, 2020 that contained a Windows executable that was identified as a
Defray777 decryptor. Additionally included in this ZIP archive was an ELF binary named decryptor64. Analysis of this binary determined it to be
another Defray777 decryptor that had been ported to Linux.


-----

ed t t e dea t at t e e ay be u e s o s o e ay t e d, e bega u t g uto ocus a d qu c y u co e ed a
version of the ransomware encryptor.

Reviewing this sample further indicated that it was uploaded in August 2020. As of early October 2020, there appear to be zero detections by
antivirus (AV) in VirusTotal for the Linux version of Defray777.

A deeper review of the Linux and Windows variants of Defray777 determined that the encryption and decryption processes used were nearly
identical. In fact, by generating our own RSA key pair and modifying the binaries, we were able to confirm that the encryptors and decryptors
for both operating systems were interchangeable.

Unlike the Windows versions, the developers didn’t seem to put any effort into protecting the Linux samples. To our surprise, the binaries we
analyzed still had their symbols intact, which made reversing them quite a bit easier.

Figure 25. Named functions listing from ELF version of

Defray777.
One of the biggest differences between the Windows and Linux variants is the logic that determines which files to encrypt. The Windows
version will recurse the file system and encrypt anything that isn’t explicitly excluded. In contrast, the Linux variant will only encrypt directories
specified in a command line argument.

[Continue reading: Linking Vatet, PyXie and Defray777](https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4)

**Get updates from**
**Palo Alto**
**Networks!**

Sign up to receive the latest news, cyber threat intelligence and research from us

[By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.](https://www.paloaltonetworks.com/legal-notices/terms-of-use)


-----