Mamba Ransomware Analysis

Mamba Ransomware Background

In September of 2016, a strain of ransomware was found in the wild which performed full disk encryption. According to Kaspersky Lab researchers1, this ransomware strain named “Mamba” now appears to be re-circulating, primarily in Brazil and Saudi Arabia.

The ransomware includes a DiskCryptor tool capable of using strong encryption algorithms to make recovering the encrypted disk content next to impossible unless the victim is able to obtain a decryption key from the ransom authors.

The resurgence of this malware has prompted analysis efforts by LogRhythm Labs researchers to ensure users are prepared to protect their systems and help prevent infection of this malware variant in the future. In-depth analysis of this latest Mamba sample follows. Signatures in support of detection are included at the end of this report.

Mamba Ransomware Analysis

The Mamba dropper sample analyzed has the following respective MD5 and SHA256 hashes, and will be referred to as “b9b60.exe” for the remainder of this report:

MD5: 79ed93df3bec7cd95ce60e6ee35f46a1
SHA256: b9b6045a45dd22fcaf2fc13d39eba46180d489cb4eb152c87568c2404aecac2f

Upon executing the dropper, Mamba creates the folders “C:\xampp\http”. This would appear to mimic the open source XAMPP application distribution2, which is a cross-platform package containing the web server Apache, database MariaDB, and the PHP and Perl programming languages. The directory mimicked by the malware is specifically the Apache web server component directory configured by XAMPP.


Figure 1: Files Dropped in C:\xampp\http

dcapi.dllCryptor libraryb4c9a8deb15e312aecaec27d5fbc898f7fc78f3e1a6963185dac4af949fb76fd79b429148f9f61d429054e94f7a8ba32
dccon.exeConsole version of DiskCryptor1a1222101c499eb15f5c91774583d24d2dd5dd9aa62a9072753fdf82a2d4b386401c00f59755a755d68cb6bbb608203c
dcinst.exeCryptor installer support88f25e2f08c90b3bbe253d0d64ab1d3e9136ee4e2b73dd617d116fc28e6673931043f03e94a6ee4f0b57a29609f96749
dcrypt.sysCryptor driveredb72f4a46c39452d1a5414f7d26454a0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
log.txtCreated by malware, logs codes indicating malware activity1395dbadb21547be726872e3206d0e2304f0e45b35a21d060d8d2324541739bc1c550ee0e6526b2685ae0b6bdd379447

Table 1: Description of Dropped Files

In the case of the log.txt file created by the malware, this appears to track the activity of the malware. While the code references are still being analyzed, the value “107” in the log indicates successful creation of the service used for persistence, called “DefragmentService.”


Figure 2: log.txt File Contents

The malware contains the DiskCryptor cryptography tool3 embedded as resources in the main malware binary as shown below. According to the DiskCryptor documentation, the tool supports AES, TwoFish, and Serpent encryption algorithms. Analysis is still ongoing in order to determine the specific encryption algorithm used by Mamba.


Figure 3: 32- and 64-Bit DiskCryptor Binary Resources

Note that further analysis and correlation of the dropped files and the publicly available versions is still underway. Although the hashes of the dropped files do not directly match those of the publicly available versions, static analysis suggests that the functionality is nearly identical. Although analysis of these files is ongoing, it is likely that the malware authors simply recompiled the available DiskCryptor source code for inclusion in Mamba.

After dropping the DiskCryptor files, Mamba additionally performs the following:

  • Runs “C:\xampp\http\dcinst.exe -setup”
  • dcinst.exe moves the cryptographic driver to %WinDir%\System32\drivers\dcrypt.system
  • Two services are created named “dcrypt” and “DefragmentService” with the following registry values:
DisplayNameDiskCryptor driver
ErrorControl0x3 (Record the current startup as a failure)5
Start0x0 (Boot)
Type0x1 (Kernel-mode driver)

Table 2: KLM\System\CurrentControlSet\services\dcrypt

DisplayNameDefragment service
ImagePath<2nd parameter>6
ErrorControl0x0 (Ignore)
Start0x2 (Automatic)
Type0x10 (16: A Win32 program that runs in a process by itself.)

Table 3: HKLM\System\CurrentControlSet\services\DefragmentService

ResetPeriod0x78Reset failure count to zero after 120 (0x78) seconds if there have been no failures
RebootMsg0x1Unknown value
Command0x0Command line of the process is unchanged
Actions0x2Number of elements in SC Actions array below
SC Action ptr0x14Pointer to SC Action array
SC Action 10x1 0x3E8Restart the service after 1000 (0x3E8) ms
SC Action 20x1 0x3E8Restart the service after 1000 (0x3E8) ms

Table 4: HKLM\System\CurrentControlSet\services\DefragmentService\FailureActions

  • If the “DefragmentService” service is successfully created, the malware forces a reboot of the infected host, ensuring persistence for the malware.
  • After the reboot, the malware runs the command-line encryption tool dccon.exe to encrypt the file system.
    • This task runs under the original malware process name registered as a service in the above step.

While the encryption process is running, entering the command “dccon.exe –info pt0” from a command-prompt will allow one to view the encryption progress, encryption type, and other details:


Figure 4: Sample Output of “dconn.exe -info pt0”

Once the encryption process completes, and after a further reboot, the victim is presented with the following ransom note, which requests that the user email one of two email addresses with an ID number, presumably to retrieve the decryption key. Note that there is no indication of what the actual ransom fee is.

Click images to expand


Figure 5: Mamba Ransom Message Following Successful Encryption

Base64 Encoded Strings for Mamba Ransomware

The analyzed Mamba sample utilizes Base64 encoding in order to obfuscate strings in the binary which reveal the malware’s functionality. Following are the decoded strings extracted from the binary. Note that some of the strings listed below are commands that were not observed to be used during execution.

Encoded Base64 StringDecoded Base64 String
ICYgc2h1dGRvd24gL2YgL3IgL3QgMA==& shutdown /f /r /t 0
& taskkill /im Mount.exe & Del “C:\Users\ABCD\Mount.exe” & Del “C:\Users\ABCD\netpass.txt” & Del “C:\Users\ABCD\netuse.txt” & Del “C:\Users\ABCD\netpass.exe” & net user /del mythbusters
/C ping -n 1 -w 3000 > Nul & sc delete DefragmentService & Del “-boot -setmbr hd0
LWJvb3QgLXNldG1iciBoZDA=-boot -setmbr hd0
LWVuY3J5cHQgcHQ0IC1wIA==-encrypt pt4 -p
LWVuY3J5cHQgcHQ1IC1wIA==-encrypt pt5 -p
LWVuY3J5cHQgcHQ2IC1wIA==-encrypt pt6 -p
LWVuY3J5cHQgcHQ3IC1wIA==-encrypt pt7 -p
LWVuY3J5cHQgcHQ4IC1wIA==-encrypt pt8 -p
LWVuY3J5cHQgcHQ5IC1wIA==-encrypt pt9 -p
LWVuY3J5cHQgcHQwIC1wIA==-encrypt pt0 -p
LWVuY3J5cHQgcHQyIC1wIA==-encrypt pt1 -p
LWVuY3J5cHQgcHQyIC1wIA==-encrypt pt2 -p
LWVuY3J5cHQgcHQzIC1wIA==-encrypt pt3 -p

Table 5: Base64 Encoded Strings

Mamba Ransomware Network Artifacts

This variant of Mamba does not exhibit any notable network functionality. Unlike the recent ransomware outbreaks of WannaCry and NotPetya, this variant of Mamba does not contain any inherent exploitation or spreading functionality. The malware is executed solely on the infected host and will not self-replicate.

LogRhythm Signatures for Mamba Ransomware

We created four LogRhythm AI Engine rules to detect some of the main indicators that we observed in our internal lab environment.


Figure 6: Labs Mod – Mamba – Command – DiskCryptor Installation


Figure 7: Labs Mod – Mamba – DiskCryptor Driver Creation


Figure 8: Labs Mod – Mamba – DiskCryptor File Creation


Figure 9: Labs Mod – Mamba – Registry Key Creation

Instructions for Importing AI Engine Rules

Download AI Engine Rules

LogRhythm Labs has created Mamba AI Engine Rules to help you detect Mamba. Please find the download above.

Now onto the instructions:

Open the LogRhythm Console.

Navigate to the AI Engine Tab via Deployment Manager > AI Engine Tab.


Figure 10: AI Engine Tab

Select the pull-down menu “Actions,” and then select “Import.”


Figure 11: Pull-Down Menu > Actions > Import

Select the .airx (AI Rules File Format) files you wish to import, and select “Open.”


Figure 12: Import .airx Files

Upon a successful import, you will be presented with the following pop-up window:


Figure 13: Confirmation

It is possible that an error will appear stating that the KB version is out of date with the AI Engine Rules selected for import. If this occurs, upgrade your KB to the latest version, and perform this procedure again.

Reference List

1 Kaspersky Labs, “The return of Mamba ransomware,”

2 XAMPP Apache Distribution,

3 DiskCryptor Open Source Partition Encryption Solution,

4 Note that the DependOnService makes use of the Filter Manager by installing a mini filter driver which can be viewed when running the command “fltmc instances.”

5 An ErrorControl value 0x3 as seen in dynamic analysis is unusual and requires further analysis to determine whether this is intentional behavior of the malware or a side effect of execution.

6 The first parameter is a password for the encryption and can be any value; the original value is unknown. The second parameter is required, and (reportedly) expected to be “/accepteula” (due to the typical execution via the Sysinternals tool psexec), but the malware will execute as long as any 2 arguments are passed in.

7 This value is binary data in the format of a SERVICE_FAILURE_ACTIONS structure as documented in