Sep 07, 2020

Malware Analysis: Snake Ransomware

Snake Ransomware is a Golang ransomware reportedly containing obfuscation not typically seen in Golang ransomware. This malware will remove shadow copies and kill processes related to SCADA/ICS devices, virtual machines, remote management tools, network management software, and others. After this, encryption of files on the device commences, while skipping Windows system folders and various system files. A random 5 character string is appended to encrypted files. According to Bleeping Computer, this ransomware takes an especially long time to encrypt files on a targeted machine. This ransomware is reported to target an entire network, rather than individual workstations.

This blog contains the analysis of snake ransomware. The sample used in analysis was downloaded from

Basic Static Analysis

First the sample was submitted to virus total to see if it is identified as malicious

Image for post


We can see that 60 out of 72 AV engines detect this sample as malicious.

Using coff explorer tool, we observe that there are very few number of imports, and there is a presence of .symtab section. These both are signs of a binary written and compiled using the GO programming language.

Image for post
Image for post


After string analysis, it is confirmed that this is a go binary.

Image for post

GO build id

Go compiler adds the project used by the malware author

Image for post

Project Path

Running yara rule in the binary with the rules found in this public repository we get the following results.

Image for post
network connection
Image for post

AES encryption data

We can see that the malware has possible CnC traffic, and that malware is capable of performing AES encryption.

Basic Dynamic Analysis

For basic dynamic analysis, the malware was already run in, so i observed the data from there.

Image for post sandbox data

The malware is touted as malicious, but i do not see any network connection. So I ran the malware in a VM, the malware encrypted most of the data, but i could not file any help text, as to how to recover them.

Image for post
Running in VM.

Code Reversing

Unlike regular golang binaries, there were no regular function names. The malware author has thus attempted to obfuscate the various function names.

Image for post

Code Obfuscation

So in order to de-obfuscate the function names a tool called idagolang helper was used

Image for post

Using IDA Golang Helper tool

Now we are going in a right direction. There are a lot of golang builtin functions that we can see. But looking at function name, I was trying to get a hint of the purpose the various main functions , but the function names itself is weird and was most likely obfuscated/randomized to slow down reversing process.

Image for post

Golang built in functions renamed, but main names are garbage

So I started analyzing the main functions, eventually it led me to the syscall function call from the golangs built in function.

Image for post


So after referring to the golang documentation at, it seemed that it was used to call a function from a windows dll file. Here’s a snippet.

Image for post

Golang documentation

I could not determine the exact function being called via static analysis, so had to run the sample inside a debugger.

It seems the function that was being called is CreateMutexW.

Image for post
Image for post

By observing that the value esp+0x18 being used in error condition check we can assume that it is the lastErr value and the rest is the returned pointer. Looking at this, we can safely assume, that the function main_bhjfpdopjclepflkbeoj is responsible for calling the windows function CreateMutexW and returning its value. Renaming the function to sycall_function. Renamed main_ienocpmdijcihngapkhe to calls_function_Creating_global_and_sycall_create_mutex.

Continuing further analysis, the function at 0054E480 was responsible for key extraction.

Image for post

Key extraction

I did not see network communication for getting key, and after running the malware multiple times, the key seems to be the same “ — — -BEGIN RSA PUBLIC KEY — — -\nMIIBCgKCAQEAyQ+M5ve829umuy9+BSsUX/krgdF83L3m8/uxRvKX5EZbSh1+buON\nZYr5MjfhrdiOGnrbB1j0Fy31U/uzvWcy7VvK/zcsO/5aAhujhHB/qMAVpZ8zT5BB\nujT1Bvsith/BXgtM99MixD8oZ67VDZaRM9TPE89WuAjnaBZORrk48wFcn1DOAAHD\nZ9z9komtqIH1fm3Y0Q6P76nUscLsYOme082L217Th/lTMoqqs4cF2rn9O9Vp4V9U\naCs4XVxGSpcuqbIscfpf0cm44P2eOEk+sbZdahO9C6fezt7YF4OCJ4Vz3qqMD6z4\n+6d7FRxUu6k3Te2T2bWBZnsDO30pYFi/gwIDAQAB\n — — -END RSA PUBLIC KEY — — -\n”.

After in depth analysis, it seems function with name pattern main_ffhlhdmhalodcojcaeok_*** seems to be junk function, because the function just converts slice of byte to string or vice versa, and the value is not useful at all.

Digging further, function sub_0053A060 is responsible for looping through each files and encrypting them and finally the function main_amgmhoeegchpnnaljano 00539C30 eventually calls io_ioutil_WriteFile. I thought it could be possibly help file, so i debugged it and trying to find what it actually wrote.

Image for post
Static Analysis
Image for post


The file is at C:\\Fix-Your-Files.txt. but I could not find the file. The ransomware seems to have failed to write the file. So i thought may be it needed admin privileges to write the help file. I ran the sample again with admin privileges, and now it has written the file.

Image for post

Help Message

This just seems extremely odd. I do not understand why the author chose to write the help file in such a specific location where the user had to search for it. Other ransomware seem to have changed the wallpaper itself, or drop the help file in each file. It just seems like a bad choice to keep the help file in a specific location where to write admin privileges was required.

Yara rule for this ransomware:

rule SnakeRansomware{meta:Author = "Nishan Maharjan"Description = "A yara rule to catch snake ransomware"Data = "15th May 2020"strings:$go_build_id = "Go build ID: \"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\""$math_rand_seed_calling = { 89 C8 BB 00 CA 9A 3B 89 D1 F7 E3 81 E1 FF FF FF 3F 89 C3 01 C8 89 C6 05 00 00 1A 3D 89 04 24 69 ED 00 CA 9A 3B 01 EA 89 CD C1 F9 1F 01 EB 11 CA 81 C6 00 00 1A 3D 81 D2 EB 03 B2 A1 89 54 24 04 E8 10 62 F6 FF }$encryption_function = {64 8B 0D 14 00 00 00 8B 89 00 00 00 00 3B 61 08 0F 86 38 01 00 00 83 EC 3C E8 32 1A F3 FF 8D 7C 24 28 89 E6 E8 25 EA F0 FF 8B 44 24 2C 8B 4C 24 28 89 C2 C1 E8 1F C1 E0 1F 85 C0 0F 84 FC 00 00 00 D1 E2 89 CB C1 E9 1F 09 D1 89 DA D1 E3 C1 EB 1F 89 CD D1 E1 09 D9 89 CB 81 C1 80 7F B1 D7 C1 ED 1F 81 C3 80 7F B1 D7 83 D5 0D 89 C8 BB 00 CA 9A 3B 89 D1 F7 E3 81 E1 FF FF FF 3F 89 C3 01 C8 89 C6 05 00 00 1A 3D 89 04 24 69 ED 00 CA 9A 3B 01 EA 89 CD C1 F9 1F 01 EB 11 CA 81 C6 00 00 1A 3D 81 D2 EB 03 B2 A1 89 54 24 04 E8 10 62 F6 FF 31 C0 EB 79 89 44 24 20 8B 4C 24 40 8D 14 C1 8B 1A 89 5C 24 24 8B 52 04 89 54 24 1C C7 04 24 05 00 00 00 E8 48 FE FF FF 8B 44 24 08 8B 4C 24 04 C7 04 24 00 00 00 00 8B 54 24 24 89 54 24 04 8B 5C 24 1C 89 5C 24 08 89 4C 24 0C 89 44 24 10 E8 EC DD EF FF 8B 44 24 18 8B 4C 24 14 89 4C 24 08 89 44 24 0C 8B 44 24 24 89 04 24 8B 44 24 1C 89 44 24 04 E8 68 BB F3 FF 8B 44 24 20 40}condition:all of them}