In one of the enterprise incidents, we came across an interesting ransomware issue. Unfortunately we could not recover the sample and on further research we could only find this following tweet. In this blog we will look at the behaviour of this ransomware.

Figure 0 : Tweet about the hashes of the ransomware

The initial vector is a 10KB obfuscated Smart assembly .Net executable. This file has an ip address embedded to download a file with an extension ‘bmp’ which can be seen in the below figure.

Figure 1 : Address of the payload

The bmp file is the ransomware payload that gets downloaded when the parent file is executed. The payload does not get dropped on the disk rather it will be in the memory of the parent file.

Figure 2 : Loading the payload in memory

What makes it interesting is that when initially downloaded, the bytes of the payload are in reverse order.

Figure 3 : Reversed bytes of the payload

After the payload gets loaded in the memory, the parent file uses BinaryReader ( Figure2 ) and Dictionary Classes to read and reverse the bytes to finally put them together as an obfuscated dll.

Figure 4 : Dictionary class that reverses the bytes


Figure 5 : After reordering the bytes

Then the parent file calls the ‘Refrgqnrmuf’ method from the obfuscated payload.

Figure 6 : Method of the reversed payload that gets invoked

Then a bat file with a huge number of commands gets created in the temp folder and a copy of the parent file is created in the Appdata directory whose path is set into the Run registry key to achieve persistence.

Figure 7: Bat file creation and achieving persistence

The payload uses the legitimate MSBuild.exe for further activity. It uses vssadmin to delete all the shadow copies and using bcdedit to avoid error recovery screen and to disable windows automatic repair.

Figure 8 : Vssadmin and Bcdedit

The bat commands also start executing parallely. Initially it deletes the Autorun key that belongs to the HKLM\Software\Microsoft\Command processor so that it can successfully execute the subsequent commands without any interruption. Then it is owning the cmd.exe using the takeown command. It then tries to edit the ACL(access control list) using certain processes such as cmd.exe, net.exe, mshta.exe, ftp.exe, wscript.exe, cscript.exe, powershell etc through cacls.

Figure 9 : Trying to change ACL

It further tries to delete/kill a list of services that are mentioned in the bat file by using sc.exe and taskkill. The list contains many popular AVs services such as Trend Micro, Sophos, Kaspersky etc.

Figure 10 : Processes that are not found in the machine


Figure 11 : Commands in the bat file


Figure 12 : Finding the PID of AVs to terminate them

After executing all the commands, the bat file deletes itself. In the meantime the Msbuild.exe is doing the main nasty activity of encrypting the files with an extension ‘bozon3’.

Figure 13: Encrypted files

The ransomware is not encrypting the exes and dlls. Also it does not infect files under Program files and Windows directory. It drops the ransom note in all the folders in the name of Recovery Information.txt.

Figure 14 : Ransom note

We at K7 Labs provide detection against this Bozon Ransomware and all latest threats. Users are advised to use a reliable security product such as K7 Total Security and keep it up-to-date so as to safeguard their devices


Initial Vector : 5bc9ff525b50716a94b938f4bdf89cb1

Payload (Tflkgvhk_Fvsatqfv.bmp) : ee545b1d06afdee5bd06c28318a8fb89

Detection Name : Trojan-Downloader ( 00592c421 )



Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Bozon Ransomware”