{
	"id": "8d729443-d88a-41b9-966b-e95c5ff4b6f9",
	"created_at": "2026-04-06T00:14:37.756252Z",
	"updated_at": "2026-04-10T03:24:04.387051Z",
	"deleted_at": null,
	"sha1_hash": "8898a8f06014c8bb4c97ca91cae0d5612810940a",
	"title": "\"Nice decorating. Let me guess, Satan?\" - Dot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 777862,
	"plain_text": "\"Nice decorating. Let me guess, Satan?\" - Dot\r\nBy f0wL\r\nPublished: 2020-01-02 · Archived: 2026-04-05 23:16:20 UTC\r\nHappy new year y'all. And with it there's new Ransomware to analyze, so come along for the ride :D\r\nDot \"MZP\" Ransomware @ AnyRun | VirusTotal | HybridAnalysis --\u003e sha256\r\nbebf5c12e35029e21c9cca1da53eb43e893f9521435a246ea991bcced2fabe67\r\nThis sample was first discovered by AmigoA and AkhmendTaia on the 31st of December 2019. AV Detections and Ransomnote contents didn't seem to match any previously present strain. The Note is delivered via a .txt File with a strange numeric victim ID and only one contact email address. The extension appended to encrypted Files seems to be a random 8-character lowercase string.\r\nBecause of the \"MZP\" (4D 5A 50) Magic at the beginning of the executable file they dubbed the Malware \"MZP\" Ransomware. As I explained before with the MZRevenge/MaMo Ransomware, the \"P\" after the MZ Magic String indicates that the binary was built with Borland Delphi, and P stands for Pascal (the programming language).\r\nhttps://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html\r\nPage 1 of 10\n\nIn my Opinion the Name \"MZP Ransomware\" is too generic to be useful for future reference, so I'd like to propose the name \"Dot Ransomware\" because of the File Icon found with the Malware Samples. It shows the character \"Dot\" from the Warner Bros Cartoon Series \"Animaniacs\", popular in the mid-1990s.\r\nTwo things to note about the Output of \"Detect it easy\" for this sample:\r\n1. It confirms that the Ransomware was built with Borland Delphi (Version 4).\r\n2. This sample seems to be packed with UPX 3.91. Running upx -d 01.exe yields us the unpacked Version.\r\nThe Hash sums can be found in the IOC Section down below.\r\nLet's try something new :D Up until now I pretty much neglected memory dump analysis as a whole, but since I attended the Workshop on Volatility at 36c3 I noticed what I'm missing out on. With volatility -f IE9WIN7-20200102-171509.dmp --profile=Win7SP1x86_24000 pstree we can dump the process tree at the time of the capture. We can see that 01.exe is running as a subprocess of explorer.exe.\r\nWith the privs plugin Volatility can show which process privileges are present, enabled, and/or enabled by default. Below you can see a screencapture of the output for the Ransomware. The Plugins cmdscan and consoles sadly did not return any output for 01.exe.\r\nLet's check out what IDR (Interactive Delphi Reconstructor) can tell us about the binary. First off: Strings.\r\nThe first String related to the Compiler tells us that the criminals likely used HiASM (an old Russian IDE for Delphi Development) to build the Malware. The DLL mentioned below, comctl32.dll, is often targeted for UAC Bypasses. It also seems to track Mouse events to some extent; this could either be used as an evasion mechanism or entropy collection (the first option is a lot more plausible). \"HOW TO RESTORE ENCRYPTED FILES.txt\" is the filename of the dropped ransomnote, although I'm not sure about the use of \"DECRYPT FILES.txt\" since this file was not present on any infected system (Speculation: Does it select one out of multiple Filenames to make tracking more difficult?). Lastly we have a filepath and a string that looks like the criminal dragged his face across the keyboard once.\r\nAlright, let's move along. Because Delphi is notoriously weird and difficult to disassemble/decompile it is time to try a new tool again. Today I will be using Ghidra with Dhrake developed by Jesko Hüttenhain. You can find the Git repository below and if you would like to know more about the inner workings of the two scripts you should definitely read his article about them here.\r\nA short tl;dr: Dhrake is short for \"Delphi hand rake\" and tries to fix missing symbols and borked function signatures by matching to the symbols extracted through IDR beforehand. This will not only clean up the decompilation results in Ghidra but also automatically create structs and virtual method tables for you instead of doing it by hand (as if reversing Delphi wasn't already painful enough). It's pretty cool, give it a try!\r\nThe first step to success (lol who am I kidding) is firing up Ghidra and loading the sample. Tell it to auto-analyze the file.\r\nNext we need to extract the .IDC Symbol file with the Help of IDR. For this it is sufficient to clone the Git Repo and paste the Knowledge Base files from the Dropbox linked at the end of the Readme into it. After that is done just run IDR.exe, import the binary and choose IDC Generator under Tools.\r\nAfter copying the two Dhrake scripts into your ghidra_scripts folder (e.g. ~/ghidra_scripts) you can refresh the list in the Script Manager once and switch to the Delphi Category. Run DhrakeInit and select the IDC file you created earlier.\r\nFiltering for \"VMT\" in the Symbol Tree gives you all the Symbols relevant to Dhrake. Just click the Name in the Listing view once and run DhrakeParseClass (set the checkbox \"In Tool\" and press F8 to run). The Script will now automatically create the corresponding class and vtable struct.\r\nSo I guess we should continue with the analysis now :D As 90% of ransomware strains do, \"Dot\" will read the Keyboard Layout as well. GetKeyboardLayout(0) returning 7 would be equivalent to a Japanese Keyboard Layout (wtf?). Passing 1 to GetKeyboardType will return the Subtype which is OEM specific, but will tell you how many function keys there are. Weird. Here's the Documentation.\r\nDot also queries the current cursor position on the screen and passes it on to another function. Haven't investigated further yet.\r\nHere we are again: weird DLLs that may or may not be a UAC Bypass. UACme mentions two Methods (#21 and #22) employing comctl32.dll. Unsure what to make of this at the moment.\r\nIn one of the Scenarios I ran Regshot to see whether the Ransomware adds/modifies/deletes Registry Keys, but there weren't any changes that I can attribute to it. Dot tries to read SOFTWARE\\Borland\\Delphi\\RTL FPUMaskValue.\r\nThis is another work-in-progress article as I've come down with the \"Congress Flu\", so check back in a few days for an update. Probably the most important thing this \"report\" is still missing is a look at the crypto implementation. A look at the Imports reveals that it is not using the Windows Crypto API but rather a weird Delphi one. We'll see.\r\nMITRE ATT\u0026CK\r\nT1107 --\u003e File Deletion --\u003e Defense Evasion\r\nT1045 --\u003e Software Packing --\u003e Defense Evasion\r\nT1012 --\u003e Query Registry --\u003e Discovery\r\nT1076 --\u003e Remote Desktop Protocol --\u003e Lateral Movement\r\nIOCs\r\nDot Samples\r\n01.exe --\u003e SHA256: bebf5c12e35029e21c9cca1da53eb43e893f9521435a246ea991bcced2fabe67\r\n SSDEEP: 768:Qa8bmv7hNAMbgYT6hQdPLC7TasOKS/3U7fzd4tA9yenQ779Zo2lPnoCLnS9QtRbY:Ebmvs71+DKoKS\r\n01.exe --\u003e SHA256: aa85b2ec79bc646671d7280ba27f4ce97e8fabe93ab7c97d0fd18d05bab6df29\r\n SSDEEP: 98304:mt+HWV4nwA+8PgzCRfjMlFBiZhfcrQSav//dH768QyO4YXoftvFUmgaJml9iUybR:NddPgzC+lFk\r\nunpacked:\r\n01.exe --\u003e SHA256: 814e061d2e58720a43bcb3fe0478a8088053f0a407e25ff84fb98850d128f81c\r\n SSDEEP: 1536:CCq2EikJZdZ529nEaqQOyergddb6apjAwzHx4D:7IZYxEHJrIdFjAwzHx4\r\nRegistry Changes\r\nInconclusive as Regshot didn't show anything suspicious, only Delphi-related Keys at most.\r\nE-Mail Addresses\r\nrecover_24_7@protonmail[.]com\r\nRansomnote\r\nIf you want to return your .[REDACTED: random 8-letter lowercase extension] files, contact us and we\r\nrecover_24_7@protonmail[.]com\r\nAll your files have been encrypted!\r\nYour personal identifier:\r\n===========================================================================================\r\n-------------------------------------------------------------------------------------------\r\n[REDACTED: 606-digit numeric ID]\r\n-------------------------------------------------------------------------------------------\r\n===========================================================================================\r\nSource: https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html"
	],
	"report_names": [
		"nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434477,
	"ts_updated_at": 1775791444,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8898a8f06014c8bb4c97ca91cae0d5612810940a.pdf",
		"text": "https://archive.orkl.eu/8898a8f06014c8bb4c97ca91cae0d5612810940a.txt",
		"img": "https://archive.orkl.eu/8898a8f06014c8bb4c97ca91cae0d5612810940a.jpg"
	}
}