{
	"id": "b931a637-0eed-439b-acb8-b68f3763c1d0",
	"created_at": "2026-04-06T00:12:56.682787Z",
	"updated_at": "2026-04-10T03:21:09.43527Z",
	"deleted_at": null,
	"sha1_hash": "c0945f8a7ecbb277d4f90e44face6db19bdd7566",
	"title": "Malware Analysis: Snake Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2470157,
	"plain_text": "Malware Analysis: Snake Ransomware\r\nBy Nishan Maharjan\r\nPublished: 2020-05-15 · Archived: 2026-04-05 23:00:34 UTC\r\nSource: https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017\r\nIntroduction\r\nThis article contains an analysis of the Snake ransomware. The sample used in the analysis was downloaded from\r\nhttps://app.any.run/tasks/7b7d33d9-15f9-4d45-8ae4-291c8cde7ef8/.\r\nBasic Static Analysis\r\nFirst, the sample was submitted to VirusTotal to see whether it is identified as malicious:\r\nhttps://www.virustotal.com/gui/file/e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60/detection.\r\nImage: VirusTotal detections\r\nWe can see that 60 out of 72 AV engines detect this sample as malicious.\r\nUsing the CFF Explorer tool, we observe that the binary has very few imports and that a .symtab section is present.\r\nBoth are signs of a binary written in and compiled with the Go programming language: Go links its runtime statically, so a Go PE imports only a handful of Windows API functions, and the Go linker adds a .symtab section of its own (absent only if the author stripped symbols at link time).\r\nImage: sections\r\nImage: imports\r\nString analysis confirms that this is a Go binary: the file carries a Go build ID string, and the Go compiler also embeds the project path the malware author used.\r\nImage: Go build ID\r\nImage: project path\r\nRunning YARA on the binary with the rules from the public repository https://github.com/Yara-Rules/rules gives the\r\nfollowing results.\r\nImage: network connection rule match\r\nImage: AES encryption data rule match\r\nThe matches suggest that the malware may have command-and-control traffic and that it is capable of performing AES encryption. These are string-based indicators only: a match tells us that the relevant constants or API names are present in the binary, not that the code path is ever executed.\r\nBasic Dynamic Analysis\r\nFor basic dynamic analysis, the sample had already been run in app.any.run, so I used the data recorded there.\r\nImage: Any.Run sandbox data\r\nThe sandbox flags the sample as malicious, but I do not see any network connection.
When I ran the malware in a VM myself, it encrypted most of the data, but I could not find any help text explaining how to recover the files.\r\nImage: running in the VM\r\nCode Reversing\r\nUnlike a regular Go binary, this one had no regular function names, so the malware author evidently attempted to obfuscate them.\r\nCode Obfuscation\r\nTo recover the function names, a tool called IDAGolangHelper was used:\r\nhttps://github.com/sibears/IDAGolangHelper.\r\nImage: using the IDA Golang Helper tool\r\nNow we are getting somewhere: a lot of Go built-in (runtime and standard library) functions are now named. I was trying to get a hint of the purpose of the various main package functions from their names, but the names themselves are garbage and were most likely obfuscated or randomized to slow down the reversing process. The helper only restores what the linker recorded in the binary's own function table, so names randomized at the source level come back random.\r\nImage: Go built-in functions renamed, but main names are garbage\r\nSo I started analysing the main functions, which eventually led me to a system call made through Go's built-in syscall package.\r\nImage: syscall\r\nAfter referring to the Go documentation at https://golang.org/pkg/syscall/?GOOS=windows, it seemed that it was\r\nused to call a function from a Windows DLL file.
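Returning to the renaming step above: IDAGolangHelper takes the names from the pclntab, the function table the Go linker writes into every binary for stack traces and panics, so it recovers exactly the identifiers that were in the source, randomized or not. The following Python script is an added example, not the tool's code nor the author's: it locates the version-1.2 table (the layout used from Go 1.2 through Go 1.15) in a raw image, lists the (entry address, name) pairs, and flags main-package names that look randomized. The table is constructed inline from names quoted in the post; the 16-lowercase-letter heuristic and the addresses other than 0x539C30 are assumptions.

```python
# Added example, not IDAGolangHelper's code nor the author's: read function names
# directly from the Go 1.2 to 1.15 pclntab layout and flag main-package names that
# look randomized.  Tables here are constructed by build_sample_pclntab(); the
# 16-lowercase-letter heuristic is an assumption, not something the post states.
import re

PCLNTAB_MAGIC = bytes([0xFB, 0xFF, 0xFF, 0xFF, 0, 0])       # version-1.2 header
RANDOM_NAME_RE = re.compile(r'^main[.][a-z]{16,}(_.*)?$')    # assumed heuristic


def find_pclntab(blob):
    '''Offset of a plausible pclntab header in a raw image, or -1.'''
    pos = blob.find(PCLNTAB_MAGIC)
    while pos != -1 and pos + 8 <= len(blob):
        if blob[pos + 6] in (1, 4) and blob[pos + 7] in (4, 8):   # quantum, pointer size
            return pos
        pos = blob.find(PCLNTAB_MAGIC, pos + 1)
    return -1


def parse_pclntab(tab):
    '''Return [(entry_pc, name)] from a pclntab; all offsets are relative to the table start.'''
    if tab[:6] != PCLNTAB_MAGIC:
        raise ValueError('unsupported pclntab version')
    ptrsize = tab[7]

    def word(off, size=ptrsize):
        return int.from_bytes(tab[off:off + size], 'little')

    nfunc = word(8)
    functab = 8 + ptrsize                  # nfunc pairs of (pc, _func offset), then the end pc
    funcs = []
    for i in range(nfunc):
        pair = functab + 2 * i * ptrsize
        pc, info = word(pair), word(pair + ptrsize)
        nameoff = word(info + ptrsize, 4)  # _func starts with entry, then int32 nameoff
        name = tab[nameoff:tab.index(0, nameoff)].decode('utf-8', 'replace')
        funcs.append((pc, name))
    return funcs


def suspicious_names(funcs):
    '''main-package names that look like random lowercase strings.'''
    return [name for _, name in funcs if RANDOM_NAME_RE.match(name)]


def build_sample_pclntab(entries, ptrsize=4):
    '''Constructed pclntab (not from a real binary) for ascending (pc, name) pairs.'''
    nfunc = len(entries)
    functab = 8 + ptrsize
    body = functab + (2 * nfunc + 1) * ptrsize + 4   # _func records follow the uint32 filetab offset
    rec = ptrsize + 32                               # entry plus eight int32 fields
    out = bytearray(PCLNTAB_MAGIC + bytes([1, ptrsize]) + nfunc.to_bytes(ptrsize, 'little'))
    recs, names, nameoff = bytearray(), bytearray(), body + nfunc * rec
    for i, (pc, name) in enumerate(entries):
        out += pc.to_bytes(ptrsize, 'little') + (body + i * rec).to_bytes(ptrsize, 'little')
        recs += pc.to_bytes(ptrsize, 'little') + nameoff.to_bytes(4, 'little') + bytes(28)
        names += name.encode() + bytes(1)
        nameoff += len(name) + 1
    end_pc = entries[-1][0] + 0x10 if entries else 0
    out += end_pc.to_bytes(ptrsize, 'little') + bytes(4)     # end pc, then the unused filetab offset
    return bytes(out + recs + names)


# Constructed sample: the main-package names are the ones quoted in the post;
# every address except 0x539C30 is made up.
SAMPLE_ENTRIES = [
    (0x401000, 'runtime.rt0_go'),
    (0x539C30, 'main.amgmhoeegchpnnaljano'),
    (0x53A800, 'main.bhjfpdopjclepflkbeoj'),
    (0x53B000, 'main.ffhlhdmhalodcojcaeok_1'),
    (0x53C000, 'main.main'),
    (0x560000, 'io/ioutil.WriteFile'),
]
SAMPLE_IMAGE = bytes(0x100) + b'.rdata' + build_sample_pclntab(SAMPLE_ENTRIES)

if __name__ == '__main__':
    off = find_pclntab(SAMPLE_IMAGE)
    funcs = parse_pclntab(SAMPLE_IMAGE[off:])
    for pc, name in funcs:
        print(hex(pc), name)
    print('likely randomized:', suspicious_names(funcs))
```

On a real sample, pass the whole file to find_pclntab and then slice from the returned offset: every offset inside the table is relative to its header, so no RVA mapping is needed as long as the table is contiguous in the file. Go 1.16 and later changed the header magic and layout, so this parser deliberately refuses anything but the version-1.2 table.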
Here is the relevant snippet of the syscall documentation.\r\nImage: Go documentation\r\nI could not determine the exact function being called via static analysis, so I had to run the sample inside a debugger.\r\nIt turns out the function being called is CreateMutexW.\r\nImage: CreateMutexW\r\nThe value at esp+0x18 is used in the error-condition check, so we can assume it is the lastErr value and the rest is the returned pointer: in Go's stack-based calling convention on x86 a callee returns its results on the stack above its arguments, so r1, r2 and lastErr sit at fixed offsets from esp right after the call. Seeing this, we can safely assume that the function main_bhjfpdopjclepflkbeoj is responsible for calling the Windows function CreateMutexW and returning its value. I renamed it to sycall_function, and renamed main_ienocpmdijcihngapkhe to calls_function_Creating_global_and_sycall_create_mutex. Ransomware commonly creates a named mutex as a run-once guard, so the name passed to CreateMutexW is worth recording as a host-based indicator.\r\nContinuing the analysis, the function at 0054E480 is responsible for key extraction.\r\nImage: key extraction\r\nI did not see any network communication for fetching a key, and after running the malware multiple times the key is the same each time:\r\n\"-----BEGIN RSA PUBLIC KEY-----\\nMIIBCgKCAQEAyQ+M5ve829umuy9+BSsUX/krgdF83L3m8/uxRvKX5EZbSh1+buON\\nZYr5MjfhrdiOGnrbB1j0Fy31U/uzvWcy7VvK/zcsO/5aAhu\r\n-----END RSA PUBLIC KEY-----\\n\".\r\nThis is a PKCS#1 RSA public key hard-coded in the binary: the leading bytes MIIBCgKCAQEA decode to a DER SEQUENCE whose first INTEGER is 257 bytes long, i.e. a 2048-bit modulus. Only the public half is present, so whatever per-file or per-victim keys the sample generates can be wrapped with it but cannot be unwrapped without the operator's private key, which is consistent with the absence of any network traffic.\r\nAfter in-depth analysis, functions whose names match the pattern main_ffhlhdmhalodcojcaeok_*** appear to be junk functions: each just converts a slice of bytes to a string or vice versa, and the value is never put to any use.\r\nDigging further, the function sub_0053A060 is responsible for looping through each file and encrypting it, and finally\r\nthe function main_amgmhoeegchpnnaljano (00539C30) eventually calls io_ioutil_WriteFile.
Suspecting that this io_ioutil_WriteFile call writes the help file, I debugged it to find out what it actually wrote.\r\nImage: static analysis\r\nImage: debugging\r\nThe file is C:\\Fix-Your-Files.txt, but I could not find it: the ransomware seems to have failed to write the file. So I thought it might need administrator privileges to write the help file (a standard user cannot create files directly in the root of the system drive under the default ACL). I ran the sample again with administrator privileges, and now the file was written.\r\nImage: help message\r\nThis seems extremely odd. I do not understand why the author chose to write the help file in such a specific location, where the user has to search for it. Other ransomware families change the wallpaper or drop the help file into each folder they encrypt. Keeping the help file in a single location that requires administrator privileges to write to seems like a bad choice.\r\nYara rule for this ransomware:\r\nrule SnakeRansomware {\r\n    meta:\r\n        Author = \"Nishan Maharjan\"\r\n        Description = \"A yara rule to catch snake ransomware\"\r\n        Data",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017"
	],
	"report_names": [
		"malware-analysis-snake-ransomware-a0e66f487017"
	],
	"threat_actors": [],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0945f8a7ecbb277d4f90e44face6db19bdd7566.pdf",
		"text": "https://archive.orkl.eu/c0945f8a7ecbb277d4f90e44face6db19bdd7566.txt",
		"img": "https://archive.orkl.eu/c0945f8a7ecbb277d4f90e44face6db19bdd7566.jpg"
	}
}