{
	"id": "e1445fe8-3af3-47dd-8280-bb6e17b50051",
	"created_at": "2026-04-06T00:06:14.176017Z",
	"updated_at": "2026-04-10T13:11:58.113586Z",
	"deleted_at": null,
	"sha1_hash": "f72d876bd3a93c141e706aa1c9f21646ab2f2b92",
	"title": "The blame game - about false flags and overwritten mbrs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 958200,
	"plain_text": "The blame game - about false flags and overwritten mbrs\r\nBy f0wL\r\nPublished: 2020-04-13 · Archived: 2026-04-05 20:55:26 UTC\r\nMon 13 April 2020 in Ransomware\r\nMBR Lockers have become popular again with skids. Let's look at a sample that was spread yesterday and caught\r\na lot of attention.\r\nLet's start right off with a short introduction: the malware analyzed here is a so-called MBR (Master Boot\r\nRecord) Locker. Like most of its kind it only targets PCs running Windows. The good news is that in this case\r\nthere is neither encryption nor deletion happening on the file system, so there is a good chance for victims to\r\nrecover their files. A possible mitigation for users would be running MBRFilter, a disk filter driver developed by Talos\r\nIntelligence that blocks write access to sector 0. Now to the message displayed in the VM below: pressing CTRL+ALT+ESC as a possible bypass /\r\nfailsafe to boot the OS (described in this BleepingComputer article) doesn't seem to work for this sample.\r\nAfter Vitali published the tweet below, a whole crowd formed in the emerging thread asking him to please unlock their PCs.\r\nBoth Vitali Kremez and MalwareHunterTeam made it clear multiple times that they are not affiliated with this\r\ncampaign in any way, but some of the victims still seemed to miss this fact and got quite worked up about their\r\nPCs being compromised. Unfortunately this was not the first and won't be the last time that respected ethical\r\nresearchers are targeted by such attempts to discredit them. 
I'm not qualified to talk about any psychological reasoning\r\nbehind such actions, but it's either an attempted denial of service (Vitali's Twitter DMs and mentions were filled\r\nwith complaints and accusations) or a bid for attention like the Maze Team's (not in this case, because there were no hints on the\r\nactual malware actors).\r\nAfter talking to a victim to clarify the infection method and origin of the malware I received a link to this pirated\r\nversion of Adobe Illustrator. Lures like this one are often trojanized with malware or, as in this case, straight-up malicious from\r\nthe start. Obviously this cannot be considered common knowledge for every user, and this is what\r\ncriminals have been taking advantage of for years.\r\nA quick check confirmed my suspicion that every download on this site is \"spiked\" with malware. The filenames\r\nof the executables contain a unique-per-download string. The victim is redirected to a second site where a\r\nuser agent check for Windows and matching browsers (IE, Edge) is performed. The executable is then downloaded\r\nfrom another URL, from a directory called ru53332, which might give us a hint as to where the malware originated\r\n(this looks like a client subfolder, so this host might spread other strains as well).\r\nBelow you can see a process graph of the Glupteba infection generated by Any.Run. This is just a subsection of\r\nthe whole graph, and since there was so much going on it was pretty difficult to make out whether the MBR Locker\r\nactually was delivered with this installer. 
None of my tests in VMs or on a physical test machine resulted in a\r\ncorrupted MBR, so at the moment I can neither confirm nor deny that the Locker was actually delivered via\r\ncrackedion[.]com.\r\nInterestingly all the executables named WinmonX.sys had broken certificate chains, which should be a red flag for\r\nAVs running on the victim's system. There were startup tasks scheduled for all three of these files.\r\nWinMonProcessManager contains a list of ca. 600 anti-virus executable names and its only purpose is to disable\r\nall AV services while the trojan does its \"magic\":\r\nexantivirus-cnet.exe, zonealarm.exe, ldnetmon.exe, norton_internet_secu_3.0_407.exe, antivirus.exe, n\r\nThe detection signatures from different engines on VT and the Intezer analysis declared the dropped executables\r\nto be parts of the Glupteba trojan, which has been around for some time now. Additionally there were hints to\r\nanother strain called RanumBot that I have not investigated further up until now. In the screenshot you can see the\r\nwindefender.exe sample that was submitted to Intezer. It was written in Go, packed with UPX and was stuffed\r\nwith strings. I did not investigate this executable further, but at first I thought that this could have been the MBR\r\nLocker because it contains strings related to Poly1305/ChaCha20.\r\nTo show the effect of the MBR Locker on the OS drive I simply used a live system to write the first sector of the\r\ndisk to a file ( sudo dd if=/dev/sdX of=mbrdump.bin bs=512 count=1 ). The top dump shows the standard MBR\r\ncontents and below is the corrupted version displaying only the message to the user.\r\nReading the imports with rabin2 there's nothing out of the ordinary, but there are a few things I wanted to see\r\nhere. 
I expected to see CreateFile, which would be used to write the MBR text payload to the first sector of the\r\ndisk (\\\\.\\PhysicalDrive0) later. Unlike Petya, which checked whether the PartitionStyle of the drive is actually\r\nMBR (via DeviceIoControl), this MBR Locker isn't too concerned about that. There is also some generic anti-debugging via IsDebuggerPresent, but I didn't expect any further measures since the overall design of the malware\r\nis very poor.\r\nTaking a look at the sections of the binary we can spot a .upx section. This looks suspicious because a sample\r\nactually packed with UPX would have sections named UPX0 (empty on disk, reserved for the unpacked image), UPX1 (compressed data plus the\r\ndecompression stub) and optionally UPX2 (resources/imports), like in the image below.\r\nPrinting the contents of the .upx section we can see that the text payload is encrypted.\r\nThe decryption routine is found very quickly since the executable only contains three functions in total. As one\r\nmight have guessed already, the text payload is XORed and therefore has to be decrypted before writing to the\r\nMBR. The screenshot below shows the decryption function and south of that you can see the text extraction out of\r\nthe .upx section we discussed earlier.\r\nThe good-ish news is that in this case the changes made to the Master Boot Record are reversible with a backup\r\nof the MBR sector. Alternatively victims can try to repair the MBR with Microsoft's bootrec /fixmbr and /fixboot.\r\nSuccess in this case depends on the partition style of the Windows install: on GPT disks sector 0 only holds the\r\nprotective MBR (a single entry of type 0xEE) while the real partition table lives in the GPT header and entries starting at LBA 1,\r\nso rewriting sector 0 loses nothing; on MBR installs the partition table itself sits in the overwritten sector, and\r\nbootrec /fixmbr only rewrites the boot code, not the table, so it may not be able to recover the partitions (see Vitali's tweet here). 
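The two steps discussed above, XOR-decrypting the note and deciding from the first sectors whether a GPT or an MBR layout can still be recovered, can be automated. The following Python script is an added example and is not code from the original post or from the malware: recover_xor_key brute-forces a single-byte XOR key by scoring the output as English text, classify_sector0 parses a 512-byte dump of sector 0 (boot signature, partition entries, the protective 0xEE entry, or an ASCII message where the bootstrap code should be), and recovery_advice looks for the EFI PART magic at LBA 1 to tell whether the GPT header survived. The ransom note used as input, the XOR key 0x5A, the partition entries and the file name mbr_triage.py are all constructed for the demo and are not taken from the sample.\r\n

```python
import struct
import sys

MBR_SIGNATURE = bytes.fromhex('55aa')   # boot signature expected at offset 510 of sector 0
GPT_SIGNATURE = b'EFI PART'              # GPT header magic at offset 0 of LBA 1
PROTECTIVE_TYPE = 0xEE                   # partition type of the protective MBR entry on GPT disks


def printable_ratio(data):
    # Share of bytes that are printable ASCII (tab, LF and CR included); 0.0 for empty input
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def recover_xor_key(blob):
    # Single-byte XOR: try all 256 keys and keep the one whose output looks most like English.
    # Spaces get extra weight because no wrong key maps every space back to 0x20.
    best_key, best_score = 0, -1
    for key in range(256):
        out = xor_bytes(blob, key)
        score = 3 * out.count(b' ') + sum(1 for b in out if 97 <= b <= 122)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def parse_partitions(sector):
    # Four 16-byte entries at offset 446: status, CHS start, type, CHS end, LBA start, sector count
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i:462 + 16 * i]
        status, _, ptype, _, lba, count = struct.unpack('<B3sB3sII', raw)
        if ptype != 0:
            entries.append({'bootable': status == 0x80, 'type': ptype, 'lba': lba, 'count': count})
    return entries


def classify_sector0(sector):
    if len(sector) != 512:
        raise ValueError('sector 0 must be exactly 512 bytes')
    sig_ok = sector[510:512] == MBR_SIGNATURE
    parts = parse_partitions(sector)
    if sig_ok and any(p['type'] == PROTECTIVE_TYPE for p in parts):
        return 'gpt-protective-mbr'
    if sig_ok and parts:
        return 'mbr-with-partition-table'
    # A text locker leaves the bootstrap area full of ASCII and no usable partition entries
    if printable_ratio(sector[:446].rstrip(bytes(1))) > 0.9:
        return 'text-overwrite'
    return 'unknown'


def recovery_advice(sector0, sector1):
    # sector1 is LBA 1, where a GPT disk keeps its primary header
    kind = classify_sector0(sector0)
    if kind in ('gpt-protective-mbr', 'mbr-with-partition-table'):
        return kind, 'sector 0 looks intact'
    if sector1[:8] == GPT_SIGNATURE:
        return kind, 'GPT header at LBA 1 intact: rewriting the protective MBR (bootrec /fixmbr) should be enough'
    return kind, 'no GPT header at LBA 1: the partition table lived in sector 0 and is gone, try TestDisk'


# --- constructed samples for the demo, not data captured from the malware ---

def build_mbr(ptype, lba=2048, count=1000000):
    sector = bytearray(512)
    sector[0:4] = bytes.fromhex('33c08ed0')   # a few bootstrap opcodes so the stub area is not all zeros
    sector[446:462] = struct.pack('<B3sB3sII', 0x80, bytes(3), ptype, bytes(3), lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def build_gpt_header():
    sector = bytearray(512)
    sector[:8] = GPT_SIGNATURE
    return bytes(sector)


def build_locker_sector(message):
    sector = bytearray(512)      # message, zero padding, no partition table, no signature
    sector[:len(message)] = message
    return bytes(sector)


SAMPLE_KEY = 0x5A
SAMPLE_NOTE = b'~SentinelOne Labs Ransomware~ Your system was unprotected, so we locked down access to Windows. Enter Unlock code:'
SAMPLE_BLOB = xor_bytes(SAMPLE_NOTE, SAMPLE_KEY)   # stands in for the encrypted .upx section contents


def main(argv):
    if len(argv) == 2:
        # python mbr_triage.py mbrdump.bin   (dump taken with dd if=/dev/sdX of=mbrdump.bin bs=512 count=2)
        with open(argv[1], 'rb') as f:
            dump = f.read(1024)
        kind, advice = recovery_advice(dump[:512], dump[512:1024])
    else:
        key = recover_xor_key(SAMPLE_BLOB)
        print('recovered XOR key 0x%02x: %s' % (key, xor_bytes(SAMPLE_BLOB, key).decode()))
        kind, advice = recovery_advice(build_locker_sector(xor_bytes(SAMPLE_BLOB, key)), build_gpt_header())
    print(kind, '->', advice)


if __name__ == '__main__':
    main(sys.argv)
```

Dump two sectors instead of one (count=2 in the dd command above) and pass the file as the only argument; without an argument the script runs on the constructed samples. The text-overwrite heuristic is deliberately conservative: a locker that copies the original partition table and the 0x55AA signature into its own sector would be reported as intact, so compare the dump against a known-good MBR as well before deciding on a repair path.\r\n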
I verified on a physical GPT install that LBA 1 and the\r\nfollowing sectors are not affected by the MBRLocker, which should keep the GPT recoverable. TestDisk is theoretically\r\ncapable of recovering both partitioning layouts. I'd advise victims to use file recovery software like PhotoRec as\r\nan option for data recovery if a clean install is necessary.\r\nIn one case a victim contacted me about an additional STOP ransomware infection (.mpaj extension, online\r\nkeyed), but at the moment I can't confirm that this incident happened in conjunction with the pirated software\r\ninstaller / MBRLocker.\r\nAs there is currently no public sample of the second version of the MBR Locker I will update this article\r\nonce it is available. Stay tuned :)\r\nMITRE ATT&CK\r\nT1059 --> Command-Line Interface --> Execution\r\nT1179 --> Hooking --> Persistence\r\nT1215 --> Kernel Modules and Extensions --> Persistence\r\nT1179 --> Hooking --> Privilege Escalation\r\nT1112 --> Modify Registry --> Defense Evasion\r\nT1179 --> Hooking --> Credential Access\r\nT1012 --> Query Registry --> Discovery\r\nIOCs\r\nVK-Wiper MBR Locker\r\nGlupteba related:\r\n=================\r\nAdobe+Illustrator+CS6+Full+Crack+With+Serial+Keygen+{Latest+2019}+Free-UNIQUESTRING.exe --> SHA256: 5\r\n SSDEEP: 9\r\nwindefender.exe --> SHA256: 28e8776a07789daf08629815da0a6eb69613410912447c189a51002f54d956ca\r\n SSDEEP: 49152:mFeWvXwa1xkJrwBskK0CCD/ozKc3k8HxmYfJpz4U+TiAGTeI6h6gHquAb7/i:CvXwae\r\nWinmon.exe --> SHA256: 889fb266c4c01bb4ef67635249c8daeb641fc86ce62fc280b34beec415fb6129\r\n SSDEEP: 96:/XAUM8mqN18vwLvVfjm3ZAeyRYOiRIfad/WrJ37CgES:7pNuv2LSZA1fEWrR7vES\r\nWinmonFS.exe --> SHA256: eb0be2ac3833c843214a55b14c31125a7b600d5272bdf322c4871f42627576e4\r\n SSDEEP: 
384:WVYr1nH9XRl8iueNYUaNhuqO3t6PsPJVPswHEvDdvHqciss+E96Vg:vrRlFpaNhuqO3njovp\r\nWinmonProcessMonitor.exe --> SHA256: f609c6656a0c451dafa5173df0cd848f7cb7f22c4f150f8d16716c12593de66c\r\n SSDEEP: 384:s+B62cfu4RaQNDEiULv/oGUOY1wR7OLwOMEP5PkdkQE:sOmu4RLNAiUL/oGG\r\nMBR Locker V1:\r\n==============\r\nsentinelone.scr --> SHA256: 4cd23a989a8f196b1f49e5e66c6ecfa0cebf63f04950ae4d64127aaedda9e89c\r\n SSDEEP: 48:Zvt+BLdtWU2ew9FRCfH8BArSXXmzdh4vMASG2HvzqEsG8V:Z1+9dtWU2ew9rC/8Kiidh4v\r\nURLs\r\nhxxp://crackedion[.]com\r\nhxxp://dataf0ral1[.]com\r\nhxxp://1podcast[.]best/ru53332/\r\nRansomnote V1\r\n~SentinelOne Labs Ransomware~\r\nYour system was unprotected, so we locked down access to Windows.\r\nYou need to buy SentinelOne antivirus in orer to restore your computer.\r\nMy name is Vitali Kremez. Contacts are below.\r\nPhone: [Redacted]\r\nE-mail 1: [Redacted]\r\nE-mail 2: [Redacted]\r\nAfter you buy my antivirus I will send you unlock code.\r\nEnter Unlock code:\r\nSource: https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html"
	],
	"report_names": [
		"the-blame-game-about-false-flags-and-overwritten-mbrs.html"
	],
	"threat_actors": [
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f72d876bd3a93c141e706aa1c9f21646ab2f2b92.pdf",
		"text": "https://archive.orkl.eu/f72d876bd3a93c141e706aa1c9f21646ab2f2b92.txt",
		"img": "https://archive.orkl.eu/f72d876bd3a93c141e706aa1c9f21646ab2f2b92.jpg"
	}
}