# UIWIX – Evasive Ransomware Exploiting ETERNALBLUE

**[minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue](https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue)**

Last week everybody talked about the WannaCry ransomware, a non-evasive ransomware which exploited vulnerable servers to propagate, successfully infecting anything from digital billboards to the Russian interior ministry. Here at Minerva we took part in the global effort against evil, releasing a [free vaccination tool](http://www.minerva-labs.com/post/immune-yourself-from-wannacry-ransomware-with-minervas-free-vaccinator) and explaining how you may vaccinate at enterprise scale.

WannaCry drew attention to other threats exploiting the very same SMB vulnerability (MS17-010) using the Shadow Brokers’ ETERNALBLUE-DOUBLEPULSAR combination. Unlike WannaCry, there have been no reports on the number of machines infected by the UIWIX ransomware, nor about the “revenues” it generated. We assume that this is a direct result of a single major difference between WannaCry and the UIWIX ransomware family used in these threats.

WannaCry did not try to evade detection, and some researchers reported that their honeypots were infected only three minutes after they were deployed:

[Tweet about honeypots infected within 3 minutes](https://twitter.com/benkow_/status/863458632175898624)

UIWIX, however, employed basic evasion techniques to stay under the radar:

[Tweet about the difficulty in obtaining a UIWIX sample](https://twitter.com/campuscodi/status/863875168439021569)

In this blog post, we describe how the UIWIX ransomware bypasses existing security defenses to target endpoints.
## A Step-By-Step Analysis of How UIWIX Evades Detection

UIWIX did not invent any new technique; its authors relied on simple, known techniques, starting with a direct test for the presence of a debugger:

*Figure: elementary test for the presence of a debugger*

Later, moving on to detect different sandbox solutions, UIWIX checks the loaded modules against a blacklist of DLLs (see the full list in the IoC section below):

*Figure: UIWIX tests if a DLL related to COMODO's sandbox is loaded*

Afterwards, the ransomware tests if a Cuckoo sandbox pipe is present:

*Figure: the malware tests if the Cuckoo pipe is present*

Ironically, the test for the Cuckoo pipe both triggers a signature and returns false even when executed in a Cuckoo sandbox:

*Figure: although executed in Cuckoo, the test returns false*

Now, UIWIX tests yet another list of DLLs, this time VM related:

*Figure: the sample tests if it is in a virtual environment*

## Tracking the Evasion Techniques’ Source Code

From our analysis, it is quite clear that the coders of this ransomware relied on existing lists of artifacts to create the above “DetectSandbox()” and “DetectVM()” functions. We found some candidates for the source of the evasion techniques. In the image below, a snippet of code looks for sandbox solutions by the loaded DLLs:

*Figure: code snippet that looks for sandbox solutions by the loaded DLLs*

And [this source](https://github.com/LordNoteworthy/al-khaser/blob/9507fdd7927efb2b3ef766f95f63fb0320d7a01d/al-khaser/Anti%20VM/Generic.cpp) shows another list collected for the very same purpose:

*Figure: DLL list from al-khaser's Generic.cpp*

It appears that those two lists were appended together in UIWIX (with dbghelp.dll and vmcheck.dll tested in a different function):

*Figure: the combined DLL list as it appears in UIWIX*

Another interesting similarity is in the malware code section which tests for VM pipes:

*Figure: the UIWIX code section that tests for VM pipes*

And this is how they appear in a Russian hacking forum called “FuckAV”:

*Figure: the same pipe list as posted on the FuckAV forum*

Note how the order of the artifacts is an exact match to the malware!
This list can also be found on [legitimate websites](https://reverseengineering.stackexchange.com/questions/1686/how-to-detect-a-virtualized-environment/14838).

## Why Minerva Aces Against UIWIX

The [Minerva Anti-Evasion Platform](https://minerva-labs.com/approach) creates a virtual reality that fools the malware, making it believe that it is in a hostile environment. Clever, environmentally aware malware like UIWIX will avoid execution on a Minerva-protected endpoint, as we make the malware believe it is in a VM or sandbox.

UIWIX exploits unpatched machines to execute its DLL without writing itself to the disk. Luckily, Minerva works against any type of evasive threat, including file-less attacks like this one.

## IoC

**Hashes**

- 3860c2526fc8acf5366573cdeb0a292036398d3ee9e7d9764a60ec5d0812582a
- 146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc

**Searched VM related DLLs**

- SbieDll.dll
- api_log.dll
- dir_watch.dll
- pstorec.dll
- wpespy.dll
- cmdvrt32.dll
- SxIn.dll
- snxhk.dll

**Searched Sandbox related DLLs**

- dbghelp.dll
- vmcheck.dll
- VBoxHook.dll
- VBoxMRXNP.dll

**Searched Sandbox Pipes**

- \\.\pipe\cuckoo

**Searched VM Pipes**

- \\.\VBoxMiniRdrDN
- \\.\VBoxGuest
- \\.\pipe\VBoxMiniRdDN
- \\.\VBoxTrayIPC
- \\.\pipe\VBoxTrayIPC
- \\.\HGFS
- \\.\vmci

**URLs** (as published by Lawrence Abrams in [BleepingComputer](https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/))

- hxxps://4ujngbdqqm6t2c53[.]onion[.]to
- hxxps://4ujngbdqqm6t2c53[.]onion[.]cab
- hxxps://4ujngbdqqm6t2c53[.]onion[.]nu
- hxxp://4ujngbdqqm6t2c53[.]onion
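The DLL and pipe lists above are what UIWIX's DetectSandbox() and DetectVM() checks look for, so a sandbox operator can use them to see which artifacts an analysis VM leaks. The following is an added example, not code from the post or from Minerva: it takes a constructed inventory of loaded module names and existing device/pipe names and reports, per list, which UIWIX artifacts are present. Matching is case-insensitive, which is an assumption about how the sample compares names (Windows module names are case-insensitive).

```python
"""Audit an analysis environment against the artifact lists UIWIX checks.

Added example (not the post's or Minerva's code). Given an inventory of
loaded modules and device/pipe names, report which of the UIWIX artifacts
are present, i.e. which checks would make the sample refuse to run.
"""

# Lists exactly as labelled in the post's IoC section.
VM_DLLS = {"SbieDll.dll", "api_log.dll", "dir_watch.dll", "pstorec.dll",
           "wpespy.dll", "cmdvrt32.dll", "SxIn.dll", "snxhk.dll"}
SANDBOX_DLLS = {"dbghelp.dll", "vmcheck.dll", "VBoxHook.dll", "VBoxMRXNP.dll"}
SANDBOX_PIPES = {r"\\.\pipe\cuckoo"}
VM_PIPES = {r"\\.\VBoxMiniRdrDN", r"\\.\VBoxGuest", r"\\.\pipe\VBoxMiniRdDN",
            r"\\.\VBoxTrayIPC", r"\\.\pipe\VBoxTrayIPC", r"\\.\HGFS", r"\\.\vmci"}


def _matches(present, wanted):
    """Case-insensitive intersection (assumption: names compare like Windows
    module names). Returns the canonical spellings from the IoC list."""
    lookup = {w.lower(): w for w in wanted}
    return sorted({lookup[p.lower()] for p in present if p.lower() in lookup})


def audit_environment(loaded_modules, device_names):
    """Return, per UIWIX list, the artifacts found in the inventory."""
    return {
        "vm_dlls": _matches(loaded_modules, VM_DLLS),
        "sandbox_dlls": _matches(loaded_modules, SANDBOX_DLLS),
        "sandbox_pipes": _matches(device_names, SANDBOX_PIPES),
        "vm_pipes": _matches(device_names, VM_PIPES),
    }


def would_abort(report):
    """True if any check finds an artifact, i.e. UIWIX would not run here."""
    return any(report.values())


# Constructed sample inventory of a VirtualBox guest running Cuckoo.
SAMPLE_MODULES = ["ntdll.dll", "kernel32.dll", "VBOXHOOK.DLL", "user32.dll"]
SAMPLE_DEVICES = [r"\\.\pipe\cuckoo", r"\\.\VBoxGuest", r"\\.\pipe\lsass"]

if __name__ == "__main__":
    report = audit_environment(SAMPLE_MODULES, SAMPLE_DEVICES)
    for check, found in report.items():
        print(f"{check}: {found or 'clean'}")
    print("UIWIX would abort:", would_abort(report))
```

On a real analysis VM the two inventories would come from a module enumeration and a listing of `\\.\pipe\`, which this example deliberately leaves to the operator so it runs anywhere.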