Malware Analysis: Snake Ransomware
By Nishan Maharjan
Published: 2020-05-15

Introduction

This article contains the analysis of the Snake ransomware. The sample used in the analysis was downloaded from https://app.any.run/tasks/7b7d33d9-15f9-4d45-8ae4-291c8cde7ef8/.

Basic Static Analysis

First the sample was submitted to VirusTotal to see whether it is identified as malicious: https://www.virustotal.com/gui/file/e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60/detection.

(Figure: VirusTotal detection results)

We can see that 60 out of 72 AV engines detect this sample as malicious.

Using the CFF Explorer tool, we observe that there are very few imports and that a .symtab section is present. Both are signs of a binary written and compiled with the Go programming language.

(Figure: sections)

(Figure: imports)

After string analysis, it is confirmed that this is a Go binary.

(Figure: Go build ID)

The Go compiler also adds the project path used by the malware author.

(Figure: project path)

Running YARA against the binary with the rules found in the public repository https://github.com/Yara-Rules/rules, we get the following results.

(Figure: network connection)

(Figure: AES encryption data)

We can see that the malware has possible CnC traffic, and that the malware is capable of performing AES encryption.

Basic Dynamic Analysis

For basic dynamic analysis, the malware had already been run in app.any.run, so I observed the data from there.

(Figure: Any.Run sandbox data)

The malware is flagged as malicious, but I do not see any network connection. So I ran the malware in a VM; the malware encrypted most of the data, but I could not find any help text explaining how to recover the files.

(Figure: running in VM)
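The two static hints used above for spotting a Go-compiled PE (a .symtab section and the Go build ID string) can be checked without a GUI tool. This is an added Python example, not code from the original article: it parses the PE section table by hand and searches for the build-ID marker; the headers-only PE it runs on is constructed inline rather than taken from the sample.

```python
import struct

# String the Go linker places at the start of .text in every Go-built binary.
GO_BUILD_ID_MARKER = b'Go build ID: "'


def pe_section_names(data: bytes) -> list:
    """Parse the PE section table and return the section names in order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]     # each header is 40 bytes, name comes first
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def go_indicators(data: bytes) -> dict:
    """Collect the two static hints the article relies on for identifying a Go binary."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "has_symtab": ".symtab" in names,
        "has_go_build_id": GO_BUILD_ID_MARKER in data,
    }


def looks_like_go(data: bytes) -> bool:
    ind = go_indicators(data)
    return ind["has_symtab"] or ind["has_go_build_id"]


def build_sample_pe(section_names, payload=b"") -> bytes:
    """Constructed headers-only PE for offline testing; it is not a runnable executable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + coff + table + payload


if __name__ == "__main__":
    go_like = build_sample_pe([".text", ".data", ".symtab"], b'Go build ID: "constructed"')
    print(go_indicators(go_like))                                        # constructed Go-style sample
    print(looks_like_go(build_sample_pe([".text", ".rdata", ".data"])))  # False
```

A real triage script would also count the import table entries, which the article notes are unusually few for Go binaries; that needs the optional header's data directories and is left out here.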
Code Reversing

Unlike regular Go binaries, there were no regular function names. The malware author has thus attempted to obfuscate the function names.

Code Obfuscation

In order to de-obfuscate the function names, a tool called IDA Golang Helper was used: https://github.com/sibears/IDAGolangHelper.

(Figure: using the IDA Golang Helper tool)

Now we are getting somewhere: there are a lot of Go built-in functions that we can see. Looking at the function names, I was trying to get a hint of the purpose of the various main functions, but the names themselves are weird and were most likely obfuscated/randomized to slow down the reversing process.

(Figure: Go built-in functions renamed, but main function names are garbage)

So I started analyzing the main functions, which eventually led me to the syscall function call from Go's built-in functions.

(Figure: syscall)

After referring to the Go documentation at https://golang.org/pkg/syscall/?GOOS=windows, it seemed that it was used to call a function from a Windows DLL file. Here's a snippet.

(Figure: Go documentation)

I could not determine the exact function being called via static analysis, so I had to run the sample inside a debugger. It seems the function being called is CreateMutexW.

(Figure: CreateMutexW)

By observing that the value at esp+0x18 is used in the error-condition check, we can assume that it is the lastErr value and the rest is the returned pointer. Seeing this, we can safely assume that the function main_bhjfpdopjclepflkbeoj is responsible for calling the Windows function CreateMutexW and returning its value.
I renamed that function to sycall_function, and renamed main_ienocpmdijcihngapkhe to calls_function_Creating_global_and_sycall_create_mutex.

Continuing the analysis, the function at 0054E480 was responsible for key extraction.

(Figure: key extraction)

I did not see any network communication for fetching the key, and after running the malware multiple times the key seems to be the same: "-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAyQ+M5ve829umuy9+BSsUX/krgdF83L3m8/uxRvKX5EZbSh1+buON\nZYr5MjfhrdiOGnrbB1j0Fy31U/uzvWcy7VvK/zcsO/5aAhu-----END RSA PUBLIC KEY-----\n".

After in-depth analysis, the functions with the name pattern main_ffhlhdmhalodcojcaeok_*** seem to be junk functions, because they just convert a slice of bytes to a string or vice versa, and the value is not useful at all.

Digging further, the function sub_0053A060 is responsible for looping through each file and encrypting it, and finally the function main_amgmhoeegchpnnaljano at 00539C30 eventually calls io_ioutil_WriteFile. I thought this could possibly be the help file, so I debugged it to find out what it actually wrote.

(Figure: static analysis)

(Figure: debugging)

The file is at C:\Fix-Your-Files.txt, but I could not find the file. The ransomware seems to have failed to write it. So I thought maybe it needed admin privileges to write the help file. I ran the sample again with admin privileges, and now it has written the file.

(Figure: help message)

This just seems extremely odd. I do not understand why the author chose to write the help file to such a specific location, where the user has to search for it. Other ransomware families change the wallpaper or drop the help file in each folder. It just seems like a bad choice to keep the help file in a single location where writing requires admin privileges.
YARA rule for this ransomware:

    rule SnakeRansomware
    {
        meta:
            author = "Nishan Maharjan"
            description = "A yara rule to catch snake ransomware"
            data_source = "https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017"
        // the strings and condition sections of the rule are not present on the archived page
    }