OphionLocker Analysis: Proof Anyone Really Can Write Malware

OphionLocker is supposedly the new ransomware on the block and is already being compared with sophisticated operations such as CryptoLocker and CryptoWall, so i decided to take a look and what I found is nothing short of hilarious.

That’s right, the ransomware is actually a console application, Instead of writing the Win32 application. The developer has opted to use a console application, which implies he is either writing command line tools (he’s not), or that he has absolutely no damn idea what he’s doing.

If there is even any shadow of doubt that this was written by a competent C++ developer, this should set the record straight:


That’s the PDB path of this application: “ConsoleApplicationX” is the name chosen by Visual Studio when automatically creating a new C++ console project, ConsoleApplication1 implies that this is the first Visual Studio project created; either the developer has just moved from another development environment, or more likely he’s never coded C++ before.

This is a hack to make the console window invisible, as a result the console window will open and then disappear a second later when running the application.

If you’re new to programming, writing your own cryptographic library is obviously quite a challenge, as you can see he’s opted to just use the Crypto++.

“But MalwareTech, even using a public cryptographic library, he’d need to know how to implement it.”

Well if we look through the strings in the application, we find the following string: “ecies.private.key”, which is the name of the file that the application uses to store the private key; this is consistent with the example ECIES (Elliptic Curve Integrated Encryption Scheme) code on the Crypto++ wiki.

The C&C communicated mechanism is much of the same story, although it could have been implemented with a few lines of code using the WinInet library, the developer has opted to use the insanely bulky HTTP Client library WinHTTPClient, which uses the WinHTTP api (should only be used for service and not client applications).

Obviously, no application is complete without some error handling, so here’s what happens if the locker fails to connect to the C&C.

Error handling is love, error handling is life.
GUI programming tends to be quite tricky, but it’s nothing you cant achieve with a message box and 300 text files that all say the same thing.
  This is why we can’t have nice things.


Q: Can you code functional ransomware with absolutely no programming experience whatsoever?
A: Yes.

MD5: e17da8702b71dfb0ee94dbc9e22eed8d
SHA1: eb78b7079fabecbec01a23c006227246e78126ab
SHA256: c1a0173d2300cae92c06b1a8cb344cabe99cf4db56fa9dca93629101c59ce68f