{
	"id": "810cfc08-19b6-48ee-a104-02e27463c257",
	"created_at": "2026-04-06T00:07:35.247249Z",
	"updated_at": "2026-04-10T03:20:57.077197Z",
	"deleted_at": null,
	"sha1_hash": "ecefeb3b7b6de10812d6eb45b2edc4ee9088541a",
	"title": "A detailed analysis of the STOP/Djvu Ransomware – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 16238421,
	"plain_text": "A detailed analysis of the STOP/Djvu Ransomware – CYBER GEEKS\r\nPublished: 2021-10-31 · Archived: 2026-04-05 21:28:24 UTC\r\nSummary\r\nSTOP/Djvu ransomware is not as well known as Conti, REvil or BlackMatter; however, ESET ranked it in 3rd place among the top ransomware families in Q2 2020 (https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf). This ransomware can run with one of the following parameters: “–Admin”, “–Task”, “–AutoStart”, “–ForNetRes”, and “–Service”. The process doesn’t target specific countries (identified by their country code), and it also decrypts a list of files, file extensions and folders that will be skipped. Two persistence mechanisms are implemented: a Run registry key and a scheduled task created using COM objects. The malware computes the MD5 hash of the MAC address and performs a GET request to the C2 server based on it. The binary also acts as a downloader for 2 malicious files called build2.exe and build3.exe. The victim ID is decrypted using the XOR operator and then written to a file called PersonalID.txt. Both local drives and network shares are targeted by the malware, and the files are encrypted using the Salsa20 algorithm. The Salsa20 matrix used for encrypting files is based on a UUID generated using the UuidCreate API, which is encrypted using an embedded RSA public key (if the C2 server is unreachable) or a public key downloaded from the C2 server. The RSA implementation found in the executable is taken from the OpenSSL project hosted at https://github.com/openssl/openssl.\r\nAnalyst: @GeeksCyber\r\nTechnical analysis\r\nSHA256: 4380c45fd46d1a63cffe4d37cf33b0710330a766b7700af86020a936cdd09cbe\r\nThe following PDB path can be found in the binary: “C:\\xudihiguhe\\jegovicatusoca\\jijetogez\\winucet\\xusev\\kucor.pdb”. There is a call to GlobalAlloc that allocates several bytes from the heap:\r\nFigure 1\r\nThe malware calls the LoadLibraryW function in order to load the “kernel32.dll” file into the address space of the process:\r\nhttps://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/\r\nPage 1 of 42\r\nFigure 2\r\nThe GetProcAddress API is utilized to retrieve the address of the “VirtualProtect” function:\r\nFigure 3\r\nThe memory area allocated above is filled in by the malware, and the VirtualProtect routine is used to change its protection to 0x40 = PAGE_EXECUTE_READWRITE:\r\nFigure 4\r\nThere is also a lot of garbage code in the binary that is never executed, as shown in figure 5:\r\nFigure 5\r\nThe process jumps to the beginning of the new shellcode, as highlighted below:\r\nFigure 6\r\nThe binary retrieves the address of the following functions using GetProcAddress: “GlobalAlloc”, “GetLastError”, “Sleep”, “VirtualAlloc”, “CreateToolhelp32Snapshot”, “Module32First”, “CloseHandle”. CreateToolhelp32Snapshot is utilized to take a snapshot of the current process that includes all its modules (0x8 = TH32CS_SNAPMODULE):\r\nFigure 7\r\nThe ransomware extracts information about the first module of the process using the Module32First API:\r\nFigure 8\r\nThe malicious process allocates and populates a new memory area via a function call to VirtualAlloc (0x1000 = MEM_COMMIT and 0x40 = PAGE_EXECUTE_READWRITE):\r\nFigure 9\r\nThe process jumps to the beginning of the new shellcode, as highlighted below:\r\nFigure 10\r\nThe malware calls the LoadLibraryA API to load the following DLLs into memory: user32.dll, kernel32.dll and ntdll.dll. It also retrieves the address of the following functions: “MessageBoxA”, “GetMessageExtraInfo”, “WinExec”, “CreateFileA”, “WriteFile”, “CloseHandle”, “CreateProcessA”, “GetThreadContext”, “VirtualAlloc”, “VirtualAllocEx”, “VirtualFree”, “ReadProcessMemory”, “WriteProcessMemory”, “SetThreadContext”, “ResumeThread”, “WaitForSingleObject”, “GetModuleFileNameA”, “GetCommandLineA”, “NtUnmapViewOfSection”, “NtWriteVirtualMemory”, “RegisterClassExA”, “CreateWindowExA”, “PostMessageA”, “GetMessageA”, “DefWindowProcA”, “GetFileAttributesA”, “GetStartupInfoA”, “VirtualProtectEx”, “ExitProcess”.\r\nFrom our perspective, the malware developers have implemented some actions that don’t influence the main execution flow as an anti-analysis mechanism. GetFileAttributesA is used to retrieve file system attributes for a non-existent file:\r\nFigure 11\r\nThe file registers a window class called “saodkfnosa9uin” using the RegisterClassExA routine:\r\nFigure 12\r\nThe CreateWindowExA function is utilized to create a new window (0x200 = WS_EX_CLIENTEDGE, 0xCF0000 = WS_OVERLAPPEDWINDOW, 0x80000000 = CW_USEDEFAULT):\r\nFigure 13\r\nThe process allocates a new memory area via a function call to VirtualAlloc (0x1000 = MEM_COMMIT and 0x4 = PAGE_READWRITE):\r\nFigure 14\r\nThe ransomware extracts the content of the STARTUPINFO structure:\r\nFigure 15\r\nThe malware creates a copy of itself in a suspended state via a call to CreateProcessA (0x08000004 = CREATE_NO_WINDOW | CREATE_SUSPENDED):\r\nFigure 16\r\nGetThreadContext is used to retrieve the context of a specific thread:\r\nFigure 17\r\nThe malicious binary unmaps a view of a section from the address of the newly created process using ZwUnmapViewOfSection:\r\nFigure 18\r\nThe VirtualAllocEx routine is utilized to allocate new space in the newly created process (0x3000 = MEM_COMMIT | MEM_RESERVE and 0x40 = PAGE_EXECUTE_READWRITE):\r\nFigure 19\r\nThe ransomware writes data to the area allocated above using multiple calls to ZwWriteVirtualMemory, as displayed in figure 20:\r\nFigure 20\r\nThe SetThreadContext function is used to set the context for the remote thread:\r\nFigure 21\r\nThe binary resumes the main thread of the suspended process using ResumeThread:\r\nFigure 22\r\nWe’ve extracted the executable from memory, and we continue to analyze this file. The following PDB path has been found: “e:\\doc\\my work (c++)_git\\encryption\\release\\encrypt_win_api.pdb”. The binary initializes the use of the WinINet functions by calling the InternetOpenW API (the user agent being “Microsoft Internet Explorer”):\r\nFigure 23\r\nThe malware performs a GET request to https[:]//api.2ip.ua/geo.json, which reveals details about the location of the IP address:\r\nFigure 24\r\nInternetReadFile is used to read the response from the server, and an example of a JSON form is displayed below:\r\nFigure 25\r\nThe “country_code” element is compared with “RU” (Russian language), “BY” (Belarusian language), “UA” (Ukrainian language), “AZ” (Azerbaijani language), “AM” (Armenian language), “TJ” (Tajik language), “KZ” (Kazakh language), “KG” (Kyrgyz language), “UZ” (Uzbek language) and “SY” (Syriac language):\r\nFigure 26\r\nThe systems that have one of the languages enumerated above will not be encrypted. The priority for the current process is set to high by calling the SetPriorityClass routine (0x80 = HIGH_PRIORITY_CLASS):\r\nFigure 27\r\nThe executable retrieves the command-line string for the process and then returns an array of pointers to the command-line arguments:\r\nFigure 28\r\nIt’s important to mention that the malware can run with one of the following parameters: “–Admin”, “–Task”, “–AutoStart”, “–ForNetRes”, and “–Service”. We’ll describe the execution flows with different parameters later on. All process IDs that correspond to the processes on the system are retrieved by calling the EnumProcesses API:\r\nFigure 29\r\nEach process object is opened by the ransomware using OpenProcess (0x410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ):\r\nFigure 30\r\nThe malware extracts a handle for each module from a process that was successfully opened:\r\nFigure 31\r\nThe GetModuleBaseNameW function is used to retrieve the base name of a module that is compared with the name of the executable (in our case, “wininet_dump.exe”):\r\nFigure 32\r\nThe binary performs a lot of XOR operations (key = 0x80) in order to decrypt relevant strings. The next figure contains a buffer with the C2 server securebiz[.]org:\r\nFigure 33\r\nThe ransomware opens the Run registry key using RegOpenKeyExW (0x80000001 = HKEY_CURRENT_USER and 0xF003F = KEY_ALL_ACCESS):\r\nFigure 34\r\nThe process is looking for a value called “SysHelper”, which doesn’t exist at this time:\r\nFigure 35\r\nThe UuidCreate function is used to generate a new UUID (16 random bytes):\r\nFigure 36\r\nThe process converts the UUID to a string using the UuidToStringW API:\r\nFigure 37\r\nA new directory based on the UUID is created by the malware:\r\nFigure 38\r\nThe CopyFileW routine is utilized to copy the executable to a new file in the above directory:\r\nFigure 39\r\nThe ransomware establishes persistence on the host by creating an entry called “SysHelper” under the Run registry key, which will run the executable with the “–AutoStart” parameter whenever the user logs on:\r\nFigure 40\r\nThe binary denies “Everyone” the right to delete the folder created above using the icacls command, as highlighted in figure 41:\r\nFigure 41\r\nA second persistence mechanism consists of creating a scheduled task (using COM objects) that will run the ransomware every 5 minutes.\r\nThe malicious file initializes the COM library on the current thread using the CoInitialize function:\r\nFigure 42\r\nWe have observed that the implementation is similar to the one presented at https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example–c—; however, we’ll dig deeper and explain what the assembly code looks like.\r\nThe CoInitializeSecurity routine is used to register and set the default security values for the process (0x6 = RPC_C_AUTHN_LEVEL_PKT_PRIVACY and 0x3 = RPC_C_IMP_LEVEL_IMPERSONATE):\r\nFigure 43\r\nThe process creates an object with the CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}, which implements the Schedule.Service class for operating the Windows Task Scheduler Service:\r\nFigure 44\r\nIf you follow the C++ implementation mentioned above, you can notice that in the case of a function call such as p -\u003e f(a,b), the assembly representation contains 3 parameters pushed on the stack (because the pointer p is pushed as well). An example of such a call is represented by the ITaskService::GetFolder method, which gets a folder of registered tasks:\r\nFigure 45\r\nA task called “Time Trigger Task” is deleted using the ITaskFolder::DeleteTask method:\r\nFigure 46\r\nThe ITaskService::NewTask function is utilized to create an empty task definition object:\r\nFigure 47\r\nAn example of a safe release when the pointer is no longer used is shown in figure 48:\r\nFigure 48\r\nThe binary retrieves the registration information of the task (the description, the author, and the date the task is registered) by calling the ITaskDefinition::get_RegistrationInfo method:\r\nFigure 49\r\nIRegistrationInfo::put_Author is used to set the author of the task to “Author Name”:\r\nFigure 50\r\nThe ransomware retrieves the principal for the task (which provides the security credentials) by calling the ITaskDefinition::get_Principal function:\r\nFigure 51\r\nThe security logon type is set to 0x3 (TASK_LOGON_INTERACTIVE_TOKEN), which means that the task will be run only in an existing interactive session:\r\nFigure 52\r\nITaskDefinition::get_Settings is utilized to retrieve the settings that describe how the Task Scheduler performs the task:\r\nFigure 53\r\nThe file sets a Boolean value to 0xFFFFFFFF (VARIANT_TRUE) that indicates the Task Scheduler can start the task at any time after its scheduled time has elapsed using the ITaskSettings::put_StartWhenAvailable method:\r\nFigure 54\r\nThe amount of time the Task Scheduler will wait for an idle condition to occur is set to 5 minutes via a function call to IIdleSettings::put_WaitTimeout:\r\nFigure 55\r\nITaskDefinition::get_Triggers is used to get a collection of triggers used to start the task:\r\nFigure 56\r\nThe executable creates a new trigger for the task using the ITriggerCollection::Create method (0x1 = TASK_TRIGGER_TIME):\r\nFigure 57\r\nThere is a QueryInterface call with a parameter set as CLSID {B45747E0-EBA7-4276-9F29-85C5BB300006} – IID_ITimeTrigger:\r\nFigure 58\r\nThe identifier for the trigger is set to “Trigger1” using the ITrigger::put_Id function:\r\nFigure 59\r\nThe ransomware sets the date and time when the trigger is deactivated by calling the ITrigger::put_EndBoundary method:\r\nFigure 60\r\nThe system time is extracted via a call to the _time64 function:\r\nFigure 61\r\nThe malware formats the system time into a human-readable form using strftime:\r\nFigure 62\r\nThe malicious binary sets the date and time when the trigger is activated by calling the ITrigger::put_StartBoundary method:\r\nFigure 63\r\nIActionCollection::Create is utilized to create and add a new action to the collection (0x0 = TASK_ACTION_EXEC):\r\nFigure 64\r\nThere is a QueryInterface call with a parameter set as CLSID {4c3d624d-fd6b-49a3-b9b7-09cb3cd3f047} – IID_IExecAction:\r\nFigure 65\r\nThe path of the executable is set to the copied file using the IExecAction::put_Path method:\r\nFigure 66\r\nThe “–Task” argument is added by calling the IExecAction::put_Arguments function:\r\nFigure 67\r\nFinally, the malware uses the ITaskFolder::RegisterTaskDefinition method to create the task called “Time Trigger Task” (0x6 = TASK_CREATE_OR_UPDATE):\r\nFigure 68\r\nHere is the newly created scheduled task in Windows Task Scheduler:\r\nFigure 69\r\nThe ransomware launches itself with the following parameters “–Admin IsNotAutoStart IsNotTask” (IsNotAutoStart = malware didn’t run based on the Run registry key, IsNotTask = malware didn’t run based on the scheduled task):\r\nFigure 70\r\n“–Task“ parameter\r\nWe’ll only highlight different actions that are performed by the ransomware running with this parameter without mentioning the same actions as in the case of running with no parameters.\r\nGetAdaptersInfo is utilized to retrieve adapter information (including the MAC address) for the localhost:\r\nFigure 71\r\nThe malware calls the CryptAcquireContextW API in order to obtain a handle to a particular key container within a cryptographic service provider (0x1 = PROV_RSA_FULL and 0xF0000000 = CRYPT_VERIFYCONTEXT):\r\nFigure 72\r\nThe binary creates a handle to a CSP hash object using the CryptCreateHash API (0x8003 = CALG_MD5):\r\nFigure 73\r\nThe ransomware hashes a buffer that contains the MAC address extracted above via a function call to CryptHashData:\r\nFigure 74\r\nThe MD5 hash value is extracted by calling the CryptGetHashParam routine (0x2 = HP_HASHVAL):\r\nFigure 75\r\nA new thread is created by calling the CreateThread API:\r\nFigure 76\r\nThread activity – sub_16E690\r\nThe RegOpenKeyExW function is used to open the “Software\\Microsoft\\Windows\\CurrentVersion” registry key (0x80000001 = HKEY_CURRENT_USER and 0xF003F = KEY_ALL_ACCESS):\r\nFigure 77\r\nThe process is looking for a value named “SysHelper”, which doesn’t exist at this time (this is different from the one in figure 34):\r\nFigure 78\r\nThe entry from above is created, and its value is set to 1 using the RegSetValueExW API:\r\nFigure 79\r\nThe executable tries to locate a file called “bowsakkdestx.txt” in the “C:\\Users\\\u003cUser\u003e\\AppData\\Local” directory, which doesn’t exist on our machine:\r\nFigure 80\r\nThere is a function call to InternetOpenW similar to the one presented in figure 23 (with the same user agent). The binary performs a GET request to the C2 server securebiz[.]org with the parameter pid = MD5(MAC address):\r\nFigure 81\r\nThe response from the server is read using the InternetReadFile function:\r\nFigure 82\r\nThe binary creates the file called “bowsakkdestx.txt” using fopen:\r\nFigure 83\r\nThe file is populated using a function call to fwrite (the C2 server was down during our analysis, so we emulated the network communications using FakeNet):\r\nFigure 84\r\nAn example of a real response can be seen at https://app.any.run/tasks/900f626a-2bf6-48b2-85f9-2328f2b2d0d2/ and contains 2 elements: “public_key” and “id”. The malware wants to extract the “public_key” value from the response:\r\nFigure 85\r\nEven though the C2 server was down, the binary comes with a hard-coded RSA public key. The file from above is deleted in any case:\r\nFigure 86\r\nUsing multiple XOR operations with 0x80, the ransomware decrypts the RSA public key in PKCS1 format, a victim ID, and a URL that leads to another malicious file at http[:]//securebiz[.]org/files/1/build3.exe:\r\nFigure 87\r\nWe continue to analyze the main thread. A mutex called “{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}” is created via a function call to CreateMutexA:\r\nFigure 88\r\nThe malware decrypts the ransom note using the XOR operator:\r\nFigure 89\r\nThe following information is also decrypted (a list of files to be skipped, a list of extensions to be skipped, and a list of directories to be skipped):\r\nntuser.dat, ntuser.dat.LOG1, ntuser.dat.LOG2, ntuser.pol\r\n.sys, .ini, .DLL, .dll, .blf, .bat, .lnk, .regtrans-ms\r\nC:\\SystemID\\, C:\\Users\\Default User\\, C:\\Users\\Public\\, C:\\Users\\All Users\\, C:\\Users\\Default\\, C:\\Documents and Settings\\, C:\\ProgramData\\, C:\\Recovery\\, C:\\System Volume Information\\, C:\\Users\\%username%\\AppData\\Roaming\\, C:\\Users\\%username%\\AppData\\Local\\, C:\\Windows\\, C:\\PerfLogs\\, C:\\ProgramData\\Microsoft\\, C:\\ProgramData\\Package Cache\\, C:\\Users\\Public\\, C:\\$Recycle.Bin\\, C:\\$WINDOWS.~BT\\, C:\\dell\\, C:\\Intel\\, C:\\MSOCache\\, C:\\Program Files\\, C:\\Program Files (x86)\\, C:\\Games\\, C:\\Windows.old\\\r\nD:\\Users\\%username%\\AppData\\Roaming\\, D:\\Users\\%username%\\AppData\\Local\\, D:\\Windows\\, D:\\PerfLogs\\, D:\\ProgramData\\Desktop\\, D:\\ProgramData\\Microsoft\\, D:\\ProgramData\\Package Cache\\, D:\\Users\\Public\\, D:\\$Recycle.Bin\\, D:\\$WINDOWS.~BT\\, D:\\dell\\, D:\\Intel\\, D:\\MSOCache\\, D:\\Program Files\\, D:\\Program Files (x86)\\, D:\\Games\\\r\nE:\\Users\\%username%\\AppData\\Roaming\\, E:\\Users\\%username%\\AppData\\Local\\, E:\\Windows\\, E:\\PerfLogs\\, E:\\ProgramData\\Desktop\\, E:\\ProgramData\\Microsoft\\, E:\\ProgramData\\Package Cache\\, E:\\Users\\Public\\, E:\\$Recycle.Bin\\, E:\\$WINDOWS.~BT\\, E:\\dell\\, E:\\Intel\\, E:\\MSOCache\\, E:\\Program Files\\, E:\\Program Files (x86)\\, E:\\Games\\\r\nF:\\Users\\%username%\\AppData\\Roaming\\, F:\\Users\\%username%\\AppData\\Local\\, F:\\Windows\\, F:\\PerfLogs\\, F:\\ProgramData\\Desktop\\, F:\\ProgramData\\Microsoft\\, F:\\Users\\Public\\, F:\\$Recycle.Bin\\, F:\\$WINDOWS.~BT\\, F:\\dell\\, F:\\Intel\\\r\nThe executable retrieves the user name associated with the current thread by calling the GetUserNameW API:\r\nFigure 90\r\nThe malicious process is looking for a file called “PersonalID.txt” that doesn’t exist at this time:\r\nFigure 91\r\nCreateDirectoryW is utilized to create a directory called “C:\\SystemID”:\r\nFigure 92\r\nThe ransomware creates the file “C:\\SystemID\\PersonalID.txt” and writes the victim ID to it:\r\nFigure 93\r\nIt is unusual that the malware searches the system for a file called “I:\\5d2860c89d774.jpg” (0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x1 = FILE_SHARE_READ, 0x3 = OPEN_EXISTING and 0x80 = FILE_ATTRIBUTE_NORMAL):\r\nFigure 94\r\nLoadCursorW is used to load the standard arrow resource from the executable (0x7F00 = IDC_ARROW):\r\nFigure 95\r\nThe binary registers a window class using the RegisterClassExW routine:\r\nFigure 96\r\nCreateWindowExW is utilized to create a new window called “LPCWSTRszTitle” (0xCF0000 = WS_OVERLAPPEDWINDOW and 0x80000000 = CW_USEDEFAULT):\r\nFigure 97\r\nThe window created earlier is hidden by calling the ShowWindow routine (0x0 = SW_HIDE):\r\nFigure 98\r\nWe need to analyze the window procedure defined in figure 96 (sub_16BAE0).\r\nThe malware uses the ntdllDefWindowProcW API in order to call the default window procedure whenever a particular message needs to be processed (0x24 = WM_GETMINMAXINFO, 0x81 = WM_NCCREATE, 0x83 = WM_NCCALCSIZE and 0x1 = WM_CREATE):\r\nFigure 99\r\nGetLogicalDrives is used to retrieve a bitmask that represents the available disk drives:\r\nFigure 100\r\nThe ransomware forces the system not to display the critical-error message box and to send these errors to the calling process instead (0x1 = SEM_FAILCRITICALERRORS):\r\nFigure 101\r\nThe file extracts the type of the drives by calling the GetDriveTypeA API and compares it with 2 (DRIVE_REMOVABLE), 3 (DRIVE_FIXED), 4 (DRIVE_REMOTE) and 6 (DRIVE_RAMDISK):\r\nFigure 102\r\nTwo new threads are created using the CreateThread function:\r\nFigure 103\r\nFigure 104\r\nThe file retrieves a message from the message queue by calling the GetMessageW routine, translates virtual-key messages into character messages using TranslateMessage, and finally dispatches a message to a window procedure using DispatchMessageW:\r\nFigure 105\r\nThread activity – sub_16FD80\r\nThe malware enumerates all resources on the network via a function call to WNetOpenEnumW (0x2 = RESOURCE_GLOBALNET):\r\nFigure 106\r\nWNetEnumResourceW is utilized to further enumerate the network resources:\r\nFigure 107\r\nThe message DBT_DEVICEREMOVECOMPLETE (“A device or piece of media has been removed”) is sent to the window created earlier, and its procedure will handle it:\r\nFigure 108\r\nWhen the window procedure receives the message, it calls the GetComputerNameW API in order to get the NetBIOS name of the local machine:\r\nFigure 109\r\nThread activity – sub_16F130\r\nThe ransomware creates the ransom note called “_readme.txt” in every directory that it encrypts:\r\nFigure 110\r\nThe ransom note is populated by calling the WriteFile function, as shown in figure 111:\r\nFigure 111\r\nAn example of a ransom note is highlighted below:\r\nFigure 112\r\nThe files are enumerated using the FindFirstFileW and FindNextFileW APIs:\r\nFigure 113\r\nThe directories mentioned under figure 89 will not be encrypted. The file extension is extracted by calling the PathFindExtensionW routine:\r\nFigure 114\r\nThe files and file extensions mentioned under figure 89 will be skipped. The ransomware also avoids files that have the “.tisc” extension because this will be appended after the encryption is complete:\r\nFigure 115\r\nEach targeted file is opened using the CreateFileW routine:\r\nFigure 116\r\nThe file content is read by calling the ReadFile function:\r\nFigure 117\r\nThere is a function call to CryptAcquireContextW (as in figure 72) and another one to CryptCreateHash (as in figure 73). The malware hashes a buffer that contains the first 5 bytes from the targeted file and the RSA public key, as shown in figure 118:\r\nFigure 118\r\nThe MD5 hash value is extracted by calling the CryptGetHashParam routine (0x2 = HP_HASHVAL):\r\nFigure 119\r\nThe binary creates a new UUID (16 random bytes) by calling the UuidCreate API (which internally uses CryptGenRandom):\r\nFigure 120\r\nThe process converts the UUID to a string using the UuidToStringA API:\r\nFigure 121\r\nBased on the value generated above, the ransomware constructs the following Salsa20 matrix:\r\nFigure 122\r\nA snippet of the Salsa20 algorithm implemented by the malware is presented below:\r\nFigure 123\r\nThe process encrypts the file content using the Salsa20 algorithm; however, the first 5 bytes from the targeted file are not encrypted. Based on the strings presented in figure 124 and our analysis of the RSA implementation, we believe that the malware developers have included the OpenSSL code found at https://github.com/openssl/openssl (or similar code taken from other projects):\r\nFigure 124\r\nThe binary encrypts the UUID generated before using the RSA public key embedded in the file:\r\nFigure 125\r\nThe encrypted content is written to the file using WriteFile, as shown below:\r\nFigure 126\r\nThe malicious binary writes the encrypted UUID using the same API:\r\nFigure 127\r\nThe offline ID is also added to the encrypted file:\r\nFigure 128\r\nThe value “{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}” is also added to the encrypted file:\r\nFigure 129\r\nThe encrypted file extension is changed to “.tisc” by the ransomware:\r\nFigure 130\r\nThe encrypted file has the following structure that highlights different elements:\r\nFigure 131\r\n“–AutoStart“ parameter\r\nThe activity is similar to the case discussed above.\r\n“–Admin IsNotAutoStart IsNotTask“ parameters\r\nThe binary establishes a connection to the service control manager by calling the OpenSCManagerW routine (0x1 = SC_MANAGER_CONNECT):\r\nFigure 132\r\nA service called “MYSQL” is opened by the process via a function call to OpenServiceW (0x20 = SERVICE_STOP):\r\nFigure 133\r\nIf the service exists on a host, the ransomware stops it using the ControlService API:\r\nFigure 134\r\nThe file decrypts another URL that will be used to download more malicious files, http[:]//znpst[.]top/dl/build2.exe:\r\nFigure 135\r\nA new thread is created by calling the CreateThread function:\r\nFigure 136\r\nThread activity – StartAddress (sub_16DBD0)\r\nUuidCreate is utilized to generate a new UUID:\r\nFigure 137\r\nThe UuidToStringA routine is used to convert the UUID to a string:\r\nFigure 138\r\nThe malicious process creates a new directory based on the UUID generated above:\r\nFigure 139\r\nThe binary performs a GET request to http[:]//znpst[.]top/dl/build2.exe using InternetOpenUrlA:\r\nFigure 140\r\nAccording to the analysis from https://any.run/report/cd6bf2f554a9aa446cb36d28e374e1010268cbda8f55eb0043fbe6e2724128be/152e55c2-5e8f-4fe2-a764-7876ba00f03e, the above executable is a malware called Ursnif (banking Trojan).\r\nThe status code is extracted by calling the HttpQueryInfoW routine (0x20000013 = HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE):\r\nFigure 141\r\nA file called “build2.exe” is created in the new directory:\r\nFigure 142\r\nThe InternetReadFile routine is utilized to read the executable from the server, as displayed in figure 143:\r\nFigure 143\r\nShellExecuteA is used to run the newly created executable:\r\nFigure 144\r\nFigure 145\r\nThe binary performs a GET request to http[:]//securebiz[.]org/files/1/build3.exe using InternetOpenUrlA:\r\nFigure 146\r\nAccording to multiple online resources, the above file is supposed to be an infamous info-stealer called Vidar. The process of reading data from the server, creating the malicious file, etc. is the same as above and isn’t explained again.\r\nFor completeness, we will also provide details about the other parameters that can be used, as displayed at https://app.any.run/tasks/635cd7df-e4b7-4d1a-a937-e8d8599e6c72/.\r\n“–ForNetRes “jwvfPPgZoQyg6Q6he8weP7iDsH9FKc74ICjysAt2″ r77yXePcnmrctJPWrZCcbJgUlAtOa1FC9Na710t1 IsNotAutoStart IsNotTask” parameters\r\nThe binary creates a mutex called “{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}” using the CreateMutexA API:\r\nFigure 147\r\nAccording to online sources, the first parameter can be considered as a Key and the second one as a Personal ID. The malware performs a hashing operation (MD5) on the Key:\r\nFigure 148\r\nThe hash value is extracted using the CryptGetHashParam function (0x2 = HP_HASHVAL):\r\nFigure 149\r\nThe execution flow is similar to the one starting with figure 90 and will not be reiterated.\r\n“–Service 4904 “jwvfPPgZoQyg6Q6he8weP7iDsH9FKc74ICjysAt2” r77yXePcnmrctJPWrZCcbJgUlAtOa1FC9Na710t1” parameters\r\nThe above value represents the parent process ID, which is converted from string to a long integer value:\r\nFigure 150\r\nThe ransomware opens the local process object using the OpenProcess routine (0x100000 = SYNCHRONIZE):\r\nFigure 151\r\nAfter the parent process enters the signaled state, the file dispatches incoming sent messages, checks for posted messages, and then retrieves the messages:\r\nFigure 152\r\nThe malicious binary retrieves the exit code of the current process and then kills itself using TerminateProcess:\r\nFigure 153\r\nFinally, we describe the case when the country code belongs to the following list: “RU”, “BY”, “UA”, “AZ”, “AM”, “TJ”, “KZ”, “KG”, “UZ” and “SY”.\r\nCreateMutexA is utilized to create a mutex called “{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}”:\r\nFigure 154\r\nA batch file called “delself.bat” is created in the %TEMP% directory:\r\nFigure 155\r\nThe above file is populated using the WriteFile API, and its content is displayed below:\r\nFigure 156\r\nFigure 157\r\nAfter the batch file finishes its execution, the malicious file and the script are deleted:\r\nFigure 158\r\nReferences\r\nMSDN: https://docs.microsoft.com/en-us/windows/win32/api/, https://docs.microsoft.com/en-us/windows/win32/taskschd/time-trigger-example–c—\r\nFakenet: https://github.com/fireeye/flare-fakenet-ng\r\nAny.run: https://app.any.run/tasks/635cd7df-e4b7-4d1a-a937-e8d8599e6c72/\r\nVirusTotal: https://www.virustotal.com/gui/file/4380c45fd46d1a63cffe4d37cf33b0710330a766b7700af86020a936cdd09cbe\r\nMalwareBazaar: https://bazaar.abuse.ch/sample/4380c45fd46d1a63cffe4d37cf33b0710330a766b7700af86020a936cdd09cbe/\r\nOpenSSL: https://github.com/openssl/openssl\r\nINDICATORS OF COMPROMISE\r\nC2 domains:\r\nsecurebiz[.]org\r\nznpst[.]top\r\nSHA256: 4380c45fd46d1a63cffe4d37cf33b0710330a766b7700af86020a936cdd09cbe\r\nScheduled Task: “Time Trigger Task”\r\nRegistry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper\r\nUser-agent: “Microsoft Internet Explorer”\r\nPDB paths:\r\n“C:\\xudihiguhe\\jegovicatusoca\\jijetogez\\winucet\\xusev\\kucor.pdb”\r\n“e:\\doc\\my work (c++)_git\\encryption\\release\\encrypt_win_api.pdb”\r\nURLs:\r\nhttp[:]//securebiz[.]org/fhsgtsspen6/get.php\r\nhttp[:]//securebiz.org/files/1/build3.exe\r\nhttp[:]//znpst.top/dl/build2.exe\r\nhttps[:]//api.2ip.ua/geo.json\r\nSource: https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/"
	],
	"report_names": [
		"a-detailed-analysis-of-the-stop-djvu-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434055,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ecefeb3b7b6de10812d6eb45b2edc4ee9088541a.pdf",
		"text": "https://archive.orkl.eu/ecefeb3b7b6de10812d6eb45b2edc4ee9088541a.txt",
		"img": "https://archive.orkl.eu/ecefeb3b7b6de10812d6eb45b2edc4ee9088541a.jpg"
	}
}