Interesting Multi-Stage StopCrypt Ransomware Variant Propagating in the Wild | SonicWall

SonicWall Capture Labs observed a multi-stage variant of StopCrypt that uses layered shellcode, dynamic API resolution, and process hollowing before deploying a final file-encrypting payload. The ransomware copies itself to AppData, establishes persistence via a scheduled task, and appends the .msjd extension to encrypted files. #StopCrypt #SonicWall

Keypoints

  • The sample uses multi-stage shellcodes: initial loaders allocate executable memory and chain into subsequent stages until the final encryptor runs.
  • Long, repeated time-delay loops are used throughout execution to evade time-limited sandboxes and detection mechanisms.
  • APIs are dynamically resolved by constructing function names on the stack rather than calling them directly, complicating static analysis and detection.
  • The second stage performs process hollowing: it creates a suspended process, unmaps its sections, writes new sections via NtWriteVirtualMemory, adjusts thread context, and resumes the thread.
  • The malware copies its binary to C:\Users\<user_name>\AppData\Local, modifies file ACLs using icacls to deny deletion, and creates a scheduled task that re-launches the payload every five minutes for persistence.
  • Encrypted files receive the .msjd extension and each encrypted folder contains a ransom note named _readme.txt.
  • SonicWall detects this threat as GAV: StopCrypt.RSM and via Capture ATP w/RTDMI and Capture Client endpoint solutions.

MITRE Techniques

  • [T1055.012] Process Hollowing – The shellcode performs process hollowing by creating a suspended process, unmapping and writing sections, setting thread context, then resuming execution (‘In this stage, the primary task of the shellcode is to perform process hollowing.’).
  • [T1053.005] Scheduled Task/Job – The ransomware establishes persistence by adding a scheduled task that runs a copy of the final payload every five minutes (‘creates a scheduled task that executes a copy of the final payload with a command line argument --Task, every five minutes.’).
  • [T1497] Virtualization/Sandbox Evasion – Uses long, iterative time-delay loops to thwart time-sensitive sandboxes and detection (‘a long, time-delaying loop of 65,18,40,312 iterations wherein the same data is copied to a location and the count is incremented’).
  • [T1027] Obfuscated Files or Information – Evades analysis by dynamically constructing API function names on the stack instead of calling APIs directly (‘constructing the function names or strings containing API names directly on the stack’).
  • [T1057] Process Discovery – Takes snapshots of the current process modules using CreateToolhelp32Snapshot and Module32First to extract module information (‘CreateToolhelp32Snapshot is utilized to take a snapshot of the current process that includes all its modules… The Ransomware extracts information about the first module of the process using the Module32First API.’).
  • [T1222] File and Directory Permissions Modification – Alters ACLs using icacls to deny deletion permissions (icacls.exe /deny "s-1-1-0:(OI)(CI)(DE,DC)" denies Everyone the delete and delete-child rights). (‘The command icacls.exe <path> /deny "s-1-1-0:(OI)(CI)(DE,DC)" is used to deny permissions…’).
  • [T1547] Boot or Logon Autostart Execution (persistence via file copy + scheduled task) – Copies its binary to AppData\Local and uses recurring scheduled tasks to ensure execution across reboots/session changes (‘creates a new directory in C:\Users\<user_name>\AppData\Local and copies the current malware image (binary) into it’ and schedules recurring execution).

Indicators of Compromise

  • [File Extension] encrypted files – .msjd (extension appended to encrypted files)
  • [File Names] ransom note and markers – _readme.txt (ransom note in every encrypted folder), apfHQ (checked via GetFileAttributesA as a potential marker)
  • [File Path] persistence/copy location – C:\Users\<user_name>\AppData\Local (malware copies itself into a new directory here)
  • [Commands/Parameters] execution/persistence commands – launch parameter "--Admin IsNotAutoStart IsNotTask" and scheduled-task argument "--Task" (used when launching/rescheduling the payload)
  • [System Utility] ACL modification command – icacls.exe usage: icacls.exe <path> /deny "s-1-1-0:(OI)(CI)(DE,DC)" (denies deletion permissions on files/directories)
  • [Detection Signature] SonicWall detection – GAV: StopCrypt.RSM (Trojan)

The malware begins by loading a benign-looking DLL name (msim32.dll) onto the stack, then allocates memory with LocalAlloc/VirtualAlloc and changes permissions to READ|WRITE|EXECUTE via VirtualProtect to stage shellcode execution. Multiple deliberate time-delay loops are used early and throughout execution to evade sandboxes; the first-stage shellcode dynamically resolves APIs by constructing API name strings on the stack (examples include GlobalAlloc, VirtualAlloc, CreateToolhelp32Snapshot, Module32First, CloseHandle) and uses CreateToolhelp32Snapshot/Module32First to enumerate module information before allocating executable regions for the next stage.
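The stack-built API names described above can be recovered statically. The following is an added example (not SonicWall's tooling) of a heuristic extractor that rebuilds strings from ebp-relative immediate stores; it assumes 32-bit code using the `C7 45` (dword) and `C6 45` (byte) store encodings, and the sample bytes are constructed rather than taken from the malware.

```python
"""Added example, not SonicWall's tooling: heuristic extractor for API names that a loader
builds on the stack with immediate stores (the evasion described above). Assumes 32-bit code
using mov dword [ebp+disp8], imm32 (C7 45 disp8 imm32) and mov byte [ebp+disp8], imm8
(C6 45 disp8 imm8); other store encodings are not decoded. Sample bytes are constructed."""
import re
import struct

_STORES = {b"\xC7\x45": (4, 7), b"\xC6\x45": (1, 4)}   # opcode bytes -> (imm size, insn length)
# API names the write-up says the first stage resolves dynamically (watchlist, not exhaustive)
WATCHLIST = {"GlobalAlloc", "VirtualAlloc", "CreateToolhelp32Snapshot", "Module32First", "CloseHandle"}

def _strings_in_frame(frame: dict) -> list:
    lo, hi = (min(frame), max(frame) + 1) if frame else (0, 0)      # join bytes by stack offset
    blob = bytes(frame.get(o, 0) for o in range(lo, hi))
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{4,}", blob)]   # printable runs of 4+

def extract_stack_strings(code: bytes) -> list:
    """Collect ebp-relative stores into a virtual frame; flush it when a slot is overwritten."""
    frame, found, i = {}, [], 0
    while i < len(code):
        spec = _STORES.get(code[i:i + 2])
        if spec is None or i + spec[1] > len(code):
            i += 1                                   # not a store we decode (or truncated)
            continue
        imm_size, length = spec
        disp = struct.unpack("b", code[i + 2:i + 3])[0]   # signed disp8
        imm = code[i + 3:i + 3 + imm_size]
        if any(disp + k in frame for k in range(imm_size)):
            found += _strings_in_frame(frame)        # slot reused: next name is being built
            frame = {}
        for k, b in enumerate(imm):
            frame[disp + k] = b
        i += length
    return found + _strings_in_frame(frame)

def watchlist_hits(code: bytes) -> list:
    return sorted(s for s in extract_stack_strings(code) if s in WATCHLIST)

def _store(disp: int, data: bytes) -> bytes:          # encoder used only for the sample below
    return (b"\xC7\x45" if len(data) == 4 else b"\xC6\x45") + struct.pack("b", disp) + data

# Constructed sample: builds "VirtualAlloc\0" at [ebp-0x10], then reuses the slots for "CloseHandle\0"
SAMPLE = (b"\x55\x8B\xEC"                                    # push ebp; mov ebp, esp
          + _store(-0x10, b"Virt") + _store(-0x0C, b"ualA")
          + _store(-0x08, b"lloc") + _store(-0x04, b"\x00")
          + b"\x33\xC0"                                      # xor eax, eax (unrelated insn)
          + _store(-0x10, b"Clos") + _store(-0x0C, b"eHan") + _store(-0x08, b"dle\x00"))
```

The byte-level scan resynchronises by consuming whole store instructions, so it tolerates unrelated instructions between stores but will miss names written through registers or other addressing forms.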

The second stage focuses on process hollowing and in-memory replacement: it again constructs API names dynamically, checks for a marker file (“apfHQ”), registers a window class, then creates a suspended process (CreateProcessA). It retrieves the thread context (GetThreadContext), reads the target image base (ReadProcessMemory), unmaps the original sections (NtUnmapViewOfSection), allocates space in the remote process (VirtualAllocEx), writes new section data via NtWriteVirtualMemory, updates the remote thread context (SetThreadContext), and resumes the thread (ResumeThread) to transfer execution to the injected payload.
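The API chain above is a usable detection signature in sandbox or EDR API traces. This added example (not SonicWall's code) matches that chain as an ordered subsequence per caller/target pair over a constructed trace; each step also accepts the Nt/Zw and Win32 spellings of the same operation, which goes slightly beyond the exact names on the page.

```python
"""Added example, not SonicWall's code: matches the process-hollowing call chain described
above against a per-process API trace such as a sandbox emits. Trace records are
constructed: (caller_pid, api_name, target_pid, detail). Each step accepts the Nt/Zw and
Win32 spellings, so it goes slightly beyond the exact names on the page."""
HOLLOWING_CHAIN = [
    {"CreateProcessA", "CreateProcessW"},              # must carry CREATE_SUSPENDED
    {"GetThreadContext"},
    {"ReadProcessMemory", "NtReadVirtualMemory"},
    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"NtWriteVirtualMemory", "WriteProcessMemory"},
    {"SetThreadContext", "NtSetContextThread"},
    {"ResumeThread", "NtResumeThread"},
]

def find_hollowing(trace: list, min_steps: int = 6) -> dict:
    """Ordered-subsequence match per (caller, target) pair; unrelated calls in between are
    ignored. Returns the pairs that reached at least min_steps of the chain."""
    progress = {}
    for caller, api, target, detail in trace:
        key = (caller, target)
        step = progress.get(key, 0)
        if step >= len(HOLLOWING_CHAIN) or api not in HOLLOWING_CHAIN[step]:
            continue
        if step == 0 and "CREATE_SUSPENDED" not in detail:
            continue                                   # a normal process start is not step one
        progress[key] = step + 1
    return {k: v for k, v in progress.items() if v >= min_steps}

SAMPLE_TRACE = [   # constructed trace: pid 4012 hollows 5120; pid 700 only reads memory
    (4012, "GetFileAttributesA", 0, "apfHQ"),
    (4012, "RegisterClassA", 0, ""),
    (4012, "CreateProcessA", 5120, "CREATE_SUSPENDED"),
    (4012, "GetThreadContext", 5120, ""),
    (4012, "ReadProcessMemory", 5120, "image base"),
    (700, "ReadProcessMemory", 5120, ""),
    (4012, "NtUnmapViewOfSection", 5120, ""),
    (4012, "VirtualAllocEx", 5120, "PAGE_EXECUTE_READWRITE"),
    (4012, "NtWriteVirtualMemory", 5120, "headers"),
    (4012, "NtWriteVirtualMemory", 5120, ".text"),
    (4012, "SetThreadContext", 5120, ""),
    (4012, "ResumeThread", 5120, ""),
    (4012, "CreateProcessA", 6001, ""),                # not suspended: ignored
]
```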

After resuming the injected process with parameters such as "--Admin IsNotAutoStart IsNotTask", the malware copies its binary to a new directory under C:\Users\<user_name>\AppData\Local, uses icacls to deny delete permissions to the Everyone SID on its files, and creates a scheduled task that repeatedly launches a copy of the final payload every five minutes (argument "--Task"). The final payload encrypts files (appending .msjd) and drops a _readme.txt ransom note in each encrypted folder. SonicWall lists protection for this threat under GAV: StopCrypt.RSM and via Capture ATP w/RTDMI and Capture Client.
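The persistence chain above (AppData\Local copy, icacls deny of delete rights to Everyone, five-minute task with the --Task argument) is straightforward to hunt for in host telemetry. This added example is not from the SonicWall write-up; its event records are constructed and simplified, with scheduled-task creations carried as task XML shaped like the TaskContent field of Windows security event 4698.

```python
"""Added example, not from the SonicWall write-up: a triage pass over host telemetry for the
persistence chain described above. Records are constructed and simplified: process events
carry 'image' and 'cmdline'; task-creation events carry the task definition as 'task_xml',
shaped like the TaskContent field of Windows security event 4698."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
APPDATA_LOCAL = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\", re.I)
# icacls /deny with the Everyone SID and the delete (DE) / delete-child (DC) rights from the page
ICACLS_DENY = re.compile(r'/deny\s+"?S-1-1-0:[^"]*\(DE,DC\)', re.I)

def check_process(ev: dict) -> list:
    hits, image, cmd = [], ev["image"].lower(), ev["cmdline"]
    if image.endswith("icacls.exe") and ICACLS_DENY.search(cmd):
        hits.append("T1222 icacls denies delete to Everyone")
    if "--Admin IsNotAutoStart IsNotTask" in cmd or re.search(r"\s--Task\b", cmd):
        hits.append("StopCrypt launch argument from " + ev["image"])
    return hits

def check_task(ev: dict) -> list:
    hits, root = [], ET.fromstring(ev["task_xml"])
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS)
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS)
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if APPDATA_LOCAL.search(cmd) and "--Task" in args and interval == "PT5M":
            hits.append("T1053.005 five-minute task relaunches " + cmd)
    return hits

def triage(events: list) -> list:
    findings = []
    for ev in events:
        findings += check_task(ev) if "task_xml" in ev else check_process(ev)
    return findings

PAYLOAD = r"C:\Users\alice\AppData\Local\a1b2c3\payload.exe"   # constructed path, not an IoC
SAMPLE_EVENTS = [   # constructed telemetry, not real indicators
    {"image": r"C:\Windows\System32\icacls.exe",
     "cmdline": 'icacls.exe "%s" /deny "S-1-1-0:(OI)(CI)(DE,DC)"' % PAYLOAD},
    {"image": PAYLOAD, "cmdline": '"%s" --Admin IsNotAutoStart IsNotTask' % PAYLOAD},
    {"task_xml": ('<Task xmlns="%s"><Triggers><TimeTrigger><Repetition><Interval>PT5M'
                  '</Interval></Repetition></TimeTrigger></Triggers><Actions><Exec><Command>%s'
                  '</Command><Arguments>--Task</Arguments></Exec></Actions></Task>') % (NS["t"], PAYLOAD)},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
```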

Read more: https://blog.sonicwall.com/en-us/2024/03/new-multi-stage-stopcrypt-ransomware/