# TellYouThePass Ransomware Analysis Reveals Modern Reinterpretation Using Golang **[crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/](https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/)** Anmol Maurya January 11, 2022 TellYouThePass ransomware, discovered in 2019, recently re-emerged compiled using Golang Golang’s popularity among malware developers makes cross-platform development more accessible TellYouThePass ransomware was recently associated with Log4Shell post-exploitation, targeting Windows and Linux The CrowdStrike Falcon® platform protects customers from Golang-written TellYouThePass ransomware using the power of machine learning and behavior-based detection [The TellYouThePass ransomware family was recently reported as a post-exploitation](https://www.crowdstrike.com/cybersecurity-101/ransomware/) malicious payload used in conjunction with a remote code execution vulnerability in Apache Log4j library, dubbed Log4Shell. ----- TellYouThePass was first reported in early 2019 as a financially motivated ransomware designed to encrypt files and demand payment for restoring them. Targeting both Windows and Linux systems, TellYouThePass ransomware re-emerged in mid-December 2021 along with other ransomware like Khonsari. This lesser-known ransomware family came back into the spotlight as a post-exploitation payload associated with the Log4Shell. The remote code execution vulnerability is estimated to expose affected organizations to a wave of cybersecurity risks. Previously known TellYouThePass ransomware samples were written in traditional programming languages like Java or .Net., but two new recent samples reported in public repositories have been rewritten and compiled in Golang. [Golang’s popularity among malware developers has steadily increased over the past years.](https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/?&web_view=true) It allows them to use the same codebase and compile it for all major operating systems, making cross-platform development work more accessible. What follows is a deeper dive into the new Golang-written TellYouThePass ransomware samples for Windows and Linux and how the CrowdStrike Falcon platform protects against them. ## Setting Up the Analysis We first check the binary for the “Go build id” string to identify the Golang build used for compiling it. In recent campaigns of Go-written malware, especially in ransomware cases, attackers patch the binary to remove this string, making it difficult for researchers to use string-based signatures to detect the binary as Go. Going through the two samples — ``` 460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984 (Windows) 5c8710638fad8eeac382b0323461892a3e1a8865da3625403769a4378622077e (Linux) ``` — we noticed that more than 85% of code in the Windows and Linux versions are almost the same: ----- Figure 1. The “main.” functions for both Windows and Linux samples are almost identical (Click to enlarge) A deeper dive into the some of the ransomware’s functions: Figure 2. TellYouThePass ransomware functions for the Windows sample in IDA Pro (Click to enlarge) [As we have previously discussed, we start by focusing on the “main.” functions in Golang.](https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/) We notice in this case that the malware authors have left only one main function and changed the other functions to random names, making analysis difficult. The sample checks the existence of the files “ showkey.txt ” and “ public.txt ” with the help of OS.Getenv, using “ ALLUSERSPROFILE “ and “ HOMEDRIVE “ as keys in Windows and ``` Home and /tmp/ in Linux. If it is present, it means encryption occurred, and it exists using runtime_gopanic ; otherwise, it creates them. ``` ----- Figure 3. Encryption function followed by successful encryption for both Linux and Windows (Click to enlarge) For Windows, the return is “ C:\\ProgramData “ and `/root/` directory in Linux. Using ``` path.join to join “ showkey.txt “ and “ public.txt ” with the directories results in: ``` **Windows** **Linux** ” C:\\ProgramData/showkey.txt ” “ C:\\ProgramData/public.txt ” “ /root/showkey.txt ” “ /root/public.txt ” Table 1. Directories for saving showkey.txt and public.txt [The sample uses the Golang Crypto Packages for RSA key — some of them are](https://pkg.go.dev/crypto) [crypto_x509_MarshalPKCS1PublicKey,](https://pkg.go.dev/crypto/x509#MarshalPKCS1PublicKey) [crypto_x509_MarshalPKCS1PrivateKey,](https://pkg.go.dev/crypto/x509#MarshalPKCS1PrivateKey) [encoding_pem_EncodeToMemory and](https://pkg.go.dev/encoding/pem#EncodeToMemory) [crypto_rsa_GenerateMultiPrimeKey.](https://pkg.go.dev/crypto/rsa#GenerateMultiPrimeKey) As seen in Figure 4, `crypto_x509_ MarshalPKCS1PrivateKey converts the RSA private` key to PKCS #1, ASN.1 DER form. Then, [the encoding_pem_EncodeToMemory returns the](https://pkg.go.dev/encoding/pem#EncodeToMemory) PEM (Privacy Enhanced Mail) encoding, and after that, `runtime_slicebytetostring` converts bytes to string, resulting in the conversion of bytes to string (see Figure 5). ----- Figure 4. Function that generates the RSA private key ----- Figure 5. The generated RSA key (Click to enlarge) The RSA public key is generated using the ``` encoding_base64_ptr_Encoding_DecodeString and encoding_pem_encode packages ``` from Golang, as shown in Figure 6. ----- ----- Figure 6. Base64 decoding (Click to enlarge) After that, the PERSON_ID stores the encoding generated by [“encoding_base64__ptr_Encoding_EncodeToString” (in this case:](https://cs.opensource.google/go/go/+/go1.17.5:src/encoding/base64/base64.go;l=177) “ ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 `+/ ”` as array for Base64 std encoding) every time the sample runs, saving it into “ showkey.txt ”. Afterward, another key is generated using the function below (Figure 7), also saving it into “ public.txt ”: Figure 7. Key generation function (Click to enlarge) ## Ransomware Behavior Prior to Encryption TellYouThePass ransomware tries to kill some tasks and services before initiating the encryption routine, as shown in Table 2 below. However, in Linux, it requires root privilege to do that. Targeted applications include various email clients, database applications, web servers and document editors. It runs various commands using `cmd.exe` to kill tasks in Windows, and in Linux, it takes the [os_exec_command Go package to execute different commands using](https://cs.opensource.google/go/go/+/go1.17.5:src/os/exec/exec.go;l=169) `/bin/bash/ :` **Windows** **Linux** ----- “taskkill /f /im msftesql.exe “ “schtasks /delete /tn WM /F “ “taskkill /f /im sqlagent.exe “ “taskkill /f /im sqlbrowser.exe “ “taskkill /f /im sqlservr.exe “ “taskkill /f /im sqlwriter.exe “ “taskkill /f /im oracle.exe “ “taskkill /f /im ocssd.exe “ “taskkill /f /im dbsnmp.exe “ “taskkill /f /im synctime.exe “ “taskkill /f /im mydesktopqos.exe “ “taskkill /f /im agntsvc.exeisqlplussvc.” “taskkill /f /im xfssvccon.exe “ “taskkill /f /im mydesktopservice.exe “ “taskkill /f /im ocautoupds.exe “ “taskkill /f /im agntsvc.exeagntsvc.exe “ “taskkill /f /im agntsvc.exeencsvc.exe “ “taskkill /f /im firefoxconfig.exe “ “taskkill /f /im tbirdconfig.exe “ “taskkill /f /im ocomm.exe “ “taskkill /f /im mysqld.exe “ “taskkill /f /im mysqld-nt.exe “ “taskkill /f /im mysqld-opt.exe “ “taskkill /f /im dbeng50.exe “ “taskkill /f /im sqbcoreservice.exe “ “taskkill /f /im excel.exe “ “taskkill /f /im infopath.exe “ “taskkill /f /im msaccess.exe “ “taskkill /f /im mspub.exe “ “taskkill /f /im onenote.exe “ “taskkill /f /im outlook.exe “ “taskkill /f /im powerpnt.exe “ “taskkill /f /im steam.exe “ “taskkill /f /im sqlservr.exe “ “taskkill /f /im thebat.exe “ “taskkill /f /im thebat64.exe “ “taskkill /f /im thunderbird.exe “ “taskkill /f /im visio.exe “ “taskkill /f /im winword.exe “ “taskkill /f /im wordpad.exe” “taskkill /f /im tnslsnr.exe” “service mysql stop” “/etc/init.d/mysqld stop” “service oracle stop” “systemctl disable \”postgresql*\”” “systemctl disable \”mysql*\”” “systemctl disable \”oracle*\”” Table 2. TellYouThePass commands that try to terminate some tasks and services before initiating the encryption routine After that, it iterates through all directories from A to Z and encrypts the files. ----- Both the Windows and the Linux versions have a list of directory exclusions for encryption, shown in Table 3. **Windows** **Linux** EFI.Boot EFI.Microsoft Windows Program Files All Users Boot IEidcache ProgramData desktop.ini autorun.inf netuser.dat iconcache.db thumbs.db Local Settings bootfont.bin System Volume Information AppData Recycle.Bin Recovery /bin /boot /sbin /tmp /etc /lib /proc /dev /sys /usr/include /usr/java Table 3. TellYouThePass directory exclusions for encryption The TellYouThePass ransomware focuses on encrypting popular media and file extensions, saving their paths in the “ encfile.txt “ text file, located in the same folder as “ public.txt “ and “ showkey.txt ”. Below is the full list of targeted extensions for encryption: 1cd, 3dm, 3ds, 3fr, 3g2, 3gp, 3pr, 602, 7z, ps1, 7zip, aac, ab4, accdb, accde, accdr, accdt, ach, acr, act, adb, adp, ads, aes, agdl, ai, aiff, ait, al, aoi, apj, arc, arw, asc, asf, asm, asp, aspx, asx, avi, awg, back, backup, backupdb, bak, bank, bat, bay, bdb, bgt, bik, bin, bkp, blend, bmp, bpw, brd, c, cdf, cdr, cdr3, cdr4, cdr5, cdr6, cdrw, cdx, ce1, ce2, cer, cfg, cgm, cib, class, cls, cmd, cmt, conf, config, contact, cpi, cpp, cr2, craw, crt, crw, cs, csh, csl, csr, css, csv, dac, dat, db, db3, db_journal, dbf, dbx, dc2, dch, dcr, dcs, ddd, ddoc, ddrw, dds, der, des, design, dgc, dif, dip, dit, djv, djvu, dng, doc, docb, docm, docx, dot, dotm, dotx, drf, drw, dtd, dwg, dxb, dxf, dxg, edb, eml, eps, erbsql, erf, exf, fdb, ffd, fff, fh, fhd, fla, flac, flf, flv, flvv, fpx, frm, fxg, gif, gpg, gray, grey, groups, gry, gz, h, hbk, hdd, hpp, html, hwp, ibank, ibd, ibz, idx, iif, iiq, incpas, indd, jar, java, jnt, jpe, jpeg, jpg, jsp, jspx, ashx, js, kc2, kdbx, kdc, key, ----- kpdx, kwm, laccdb, lay, lay6, ldf, lit, log, lua, m, m2ts, m3u, m4p, m4u, m4v, mapimail, max, mbx, md, mdb, mdc, mdf, mef, mfw, mid, mkv, mlb, mml, mmw, mny, moneywell, mos, mov, mp3, mp4, mpeg, mpg, mrw, ms11, msg, myd, myi, nd, ndd, ndf, nef, nk2, nop, nrw, ns2, ns3, ns4, nsd, nsf, nsg, nsh, nvram, nwb, nx2, nxl, nyf, oab, obj, odb, odc, odf, odg, odm, odp, ods, odt, ogg, oil, orf, ost, otg, oth, otp, ots, ott, p12, p7b, p7c, pab, pages, paq, pas, pat, pcd, pct, pdb, pdd, pdf, pef, pem, pfx, php, pif, pl, plc, plus_muhd, png, pot, potm, potx, ppam, pps, ppsm, ppsx, ppt, pptm, pptx, prf, ps, psafe3, psd, pspimage, pst, ptx, pwm, py, qba, qbb, qbm, qbr, qbw, qbx, qby, qcow, qcow2, qed, r3d, raf, rar, rat, raw, rb, rdb, rm, rtf, rvt, rw2, rwl, rwz, s3db, safe, sas7bdat, sav, save, say, sch, sd0, sda, sdf, sh, sldm, sldx, slk, sql, sqlite, sqlite3, sqlitedb, sr2, srf, srt, srw, st4, st5, st6, st7, so, st8, stc, std, sti, stm, stw, stx, svg, swf, sxc, sxd, sxg, sxi, sxm, sxw, tar, tar.bz2, tbk, tex, tga, tgz, thm, tif, tiff, tlg, txt, uop, uot, vb, vbox, vbs, vdi, vhd, vhdx, vmdk, vmsd, vmx, vmxf, vob, wab, wad, wallet, war, wav, wb2, wk1, wks, wma, wmv, wpd, wps, x11, x3f, xis, xla, xlam, xlc, xlk, xlm, xlr, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, xlw, xml, ycbcra, yuv, zip. Finally, the ransom note contains information about the encryption algorithm used to encrypt the files, specifically RSA-1024 and AES-256. It also includes the personid, used for identifying the victim. Following 0.05 bitcoin transfer into a designated and hardcoded wallet, attackers promise to provide victims with the decryption tool to recover all files. Figure 9. TellYouThePass ransom note (Click to enlarge) ## CrowdStrike Falcon Protection ----- The Falcon platform automatically detects and protects against this type of Golang-written malware using the power of the cloud, on-sensor and in-the-cloud machine learning, and indicators of attack (IOAs) to detect the threat. As Figure 10 shows, Falcon’s cloud-based machine learning detects both Golang-written ransomware samples for TellYouThePass, immediately protecting Windows and Linux environments. CrowdStrike Falcon leverages machine learning to identify known and unknown malware or threats by understanding malicious intent. Both on-sensor and cloud-based machine learning can detect and prevent post-exploitation threats leveraging exploits such as Log4Shell to protect against malware, including the new Golang-written TellYouThePass ransomware. Figure 10. Falcon detection of Golang-written Windows TellYouThePass ransomware sample (Click to enlarge) ----- Figure 11. Falcon detection of Golang-written Linux TellYouThePass ransomware sample (Click to enlarge) The CrowdStrike Falcon platform provides protection against threats and visibility for all hosts in Windows, Linux and macOS, regardless of their location. The Falcon sensor can detect and prevent threats ranging from ransomware, cryptocurrency miners, trojans and botnets to stop today’s most sophisticated threats. ## Indicators of Compromise (IOCs) File/Host sha256 Windows `460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984` Linux `5c8710638fad8eeac382b0323461892a3e1a8865da3625403769a4378622077e` Windows host Linux Host ``` 45[.]76[.]99[.]222[:]80 ``` ``` 158[.]247[.]216[.]148[:]80 ``` ## MITRE ATT&CK® Framework Mapping Attack Id Tactic Description T1059 Execution Command and Scripting Interpreter ----- T1053 Execution Persistence Privilege Escalation Scheduled Task/Job T1027 Defense Evasion Obfuscated Files or Information T1140 Defense Evasion Deobfuscate/Decode Files or Information T1083 Discovery File and Directory Discovery T1057 Discovery Process Discovery T1560 Collection Archive Collected Data T1486 Impact Data Encrypted for Impact **Additional Resources** _Read more about Golang malware in this blog: Golang Malware Is More than a Fad:_ _Financial Motivation Drives Adoption_ _Learn about another ransomware variant that uses a Golang packer: New_ _Ransomware Variant Uses Golang Packer_ _[Visit the product website to learn how the powerful CrowdStrike Falcon platform](https://www.crowdstrike.com/endpoint-security-products/falcon-platform/)_ _provides comprehensive protection across your organization, workers and data,_ _wherever they are located._ _[Get a full-featured free trial of CrowdStrike Falcon Prevent™ and see how true next-](https://www.crowdstrike.com/resources/free-trials/try-falcon-prevent/)_ _gen AV performs against today’s most sophisticated threats._ -----