type: analysis | family: chacha8 | confidence: high | created: 2026-05-26 | updated: 2026-05-26 | tags: pe, x64, ransomware, chacha, file-encryptor, in-place, no-c2, masquerade, static-analysis
SHA-256: 3485419b7a85123f50512ee04e29dfe1ad6d973118b073f16a57565251a4d2f0

chacha8: svchost.exe — ChaCha20 stream-cipher file encryptor with in-place overwrite, no C2

Executive Summary

A 53,760-byte PE32+ x64 binary masquerading as svchost.exe, compiled with MinGW-w64 GCC 15.1.0. The sample is a file encryptor / wiper: it walks the current working directory, passes each file through what appears to be a ChaCha20 stream cipher (the cipher's "expand 32-byte k" setup constant is present; the round count itself is not readable from strings), writes the result, and deletes the original. A single-instance mutex (Global\Not_Avaris) prevents a second copy from running alongside the first.

No network C2 communication, no kill-switch domain and no ransom-note payload exist in the binary; all logic is self-contained. The mutex string is the only hint at lineage: "Avaris" may name a ransomware family or builder this sample is related to, and the not_avaris label, which mirrors the mutex string, may record either the author's own disclaimer or the uploader's view that this is not that family. Nothing else in the binary supports or refutes either reading.

The chacha8 OpenCTI label is the primary family identifier in the corpus.

What It Is

Property                 Value
SHA256                   3485419b7a85123f50512ee04e29dfe1ad6d973118b073f16a57565251a4d2f0
Original filename        svchost.exe (masquerading)
File type                PE32+ executable (GUI) x86-64, 10 sections, stripped to external PDB
Size                     53,760 bytes (small)
Compiler / linker        GCC 15.1.0 (MinGW-W64, Brecht Sanders build, r1)
Compilation timestamp    2026-05-21 04:12:41 UTC (five days before this report)
Subsystem                WINDOWS_GUI (0x2)
ASLR / DEP               Yes (DYNAMIC_BASE, HIGH_ENTROPY_VA, NX_COMPAT)
Imports                  KERNEL32.dll, msvcrt.dll only
YARA                     PE_File_Generic
Tier                     deep

Behavior

Execution Flow (inferred from static analysis)

  1. Mutex check: creates or opens Global\Not_Avaris with CreateMutexA (the only mutex API imported).
    • If the mutex already exists (GetLastError returning ERROR_ALREADY_EXISTS is the usual test, and GetLastError is imported), the program exits silently.
    • This is standard single-instance behaviour; it also stops a second copy from re-encrypting the first copy's output while the first is still running.
  2. Directory walk: enumerates the current working directory with FindFirstFileA / FindNextFileA. Only the launch directory is evidenced; whether subdirectories are recursed cannot be decided from strings alone.
  3. File encrypt: for each file found, prints

      Encrypting: %s -> %s

    • The two-operand format indicates the ciphertext is written under a second name rather than strictly over the original bytes; the "in-place" effect comes from the original being removed afterwards.
    • Deletes the original with remove from msvcrt.dll (no DeleteFileA import).
    • Prints - Original deleted or - WARNING: Could not delete original according to the result.
    • The subsystem is WINDOWS_GUI, so no console is attached; none of these lines are visible to the victim unless stdout is redirected. They read as developer diagnostics left in the build.
  4. String artifacts: Bexpand 32-byte k in the strings dump is the ChaCha state-setup constant expand 32-byte k (the leading B is most likely the printable byte that happens to precede the constant in .rdata, not part of it). The constant confirms a ChaCha-family (or Salsa20) cipher with a 256-bit key; it is shared by every round count, so it does not by itself separate ChaCha20 from ChaCha8.
  5. No ransom note output: no README.txt, .hta, or .html generation strings found. No Bitcoin wallet address, TOR URL, or contact email is embedded.

Technical Details

Imports Table

Only two DLLs are imported directly, and most of the KERNEL32 entries (VirtualProtect, VirtualQuery, TlsGetValue, the critical-section functions, SetUnhandledExceptionFilter, IsDBCSLeadByteEx) belong to the MinGW-w64 CRT start-up and pseudo-relocation runtime rather than to the malware's own logic. What the table lacks is the more useful observation: there is no CreateFileA / ReadFile / WriteFile and no fopen / fread, so the routines that read the plaintext and write the ciphertext are not visible here. LoadLibraryA and GetProcAddress are imported and would let those APIs be resolved at run time; confirming that (or a hand-rolled PEB-walk resolver) requires disassembly, not strings.

DLL           Key APIs
KERNEL32.dll  CreateMutexA, FindFirstFileA, FindNextFileA, CloseHandle, Sleep, VirtualProtect, VirtualQuery,
              MultiByteToWideChar, WideCharToMultiByte, LoadLibraryA, GetProcAddress, GetModuleHandleA,
              SetUnhandledExceptionFilter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection,
              DeleteCriticalSection, TlsGetValue, GetLastError, FreeLibrary, IsDBCSLeadByteEx
msvcrt.dll    __getmainargs, __initenv, __set_app_type, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm,
              _onexit, _unlock, calloc, fclose, fflush, fprintf, fwrite, localeconv, malloc, memcpy, memset,
              remove, signal, strcmp, strerror, strlen, strncmp, vfprintf, wcslen

Section Layout & Entropy

Section   Entropy  Notes
.text     5.78     Code: ChaCha round function, file I/O, directory loop
.data     1.04     RW initialized globals
.rdata    5.26     Constant data: expand 32-byte k, mutex name, format strings
.eh_fram  0.00     Exception handler frame data (name truncated to the 8-byte PE section-name limit)
.pdata    3.90     Procedure data (unwind)
.xdata    3.45     Exception unwinding data
.bss      0.00     Uninitialized data
.idata    3.98     Import descriptor table
.tls      0.00     Thread-local storage directory present, zero content
.reloc    1.55     Relocation table
  • No .rsrc section: no embedded resources (no icon, no version information, no ransom note, no config blob). The missing version resource is itself a tell; the genuine svchost.exe carries Microsoft version information.
  • .text entropy of 5.78 is in the normal range for compiled x86-64 code; this is un-obfuscated C built with MinGW, not a packed or compressed payload (packed or encrypted sections typically approach 7 or above).

Masquerading

Artifact              Value
Internal string       svchost
Internal string       svchost.exe
Filename as uploaded  svchost.exe

The sample borrows the Windows Service Host binary name to hide among the many legitimate svchost.exe instances in Task Manager and during casual inspection. The genuine binary lives in %SystemRoot%\System32, is Microsoft-signed, and runs as a child of services.exe; an svchost.exe loaded from any other path, unsigned, or with a different parent is immediately suspect.

Cryptographic Indicators

  • ChaCha state-setup constant: Bexpand 32-byte k (line 19 of strings output)
    • This is the ASCII string expand 32-byte k, loaded as the first four 32-bit words of the ChaCha state (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 little-endian). A build that never stores the string shows only those four immediates, so search for them as well.
    • The same constant is used by ChaCha8, ChaCha12 and ChaCha20, and by Salsa20 with a 256-bit key. The round count, which is what separates the chacha8 family label from the ChaCha20 naming used in this report, can only be read from the round loop in .text.
  • Key size implication: the 32-byte form of the constant means a 256-bit key (the 128-bit-key form reads expand 16-byte k). Nonce and counter layout is not fixed by the string: Bernstein's original ChaCha uses a 64-bit counter and a 64-bit nonce, the RFC 8439 (IETF) variant a 32-bit counter and a 96-bit nonce.
  • The key itself is not identified in the strings. Whether it is hard-coded in .rdata or .data, derived deterministically, or generated per run decides whether files are recoverable from the binary alone; see the assessment below.
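The following reference implementation is an added example written for this page, not code recovered from the sample, and makes the two caveats above concrete: the four constant words are identical whatever the round count, and only the length of the round loop separates ChaCha8 from ChaCha20. Counter and nonce are passed in as the four trailing state words so that both the RFC 8439 layout and Bernstein's original layout can be exercised. The key, nonce and expected block are the RFC 8439 section 2.3.2 test values, not anything taken from the binary.

```python
"""ChaCha block function with a configurable round count (added example).

Not code from the sample: a reference implementation used to show what the
"expand 32-byte k" artefact does and does not prove. The constant words are
the same for ChaCha8, ChaCha12 and ChaCha20 (and Salsa20 with a 256-bit key);
only the number of double-rounds differs.
"""
import struct

MASK32 = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"   # 256-bit-key constant seen in the sample's .rdata
# The same 16 bytes as the little-endian immediates an analyst sees in a
# stripped binary that never stores the constant as a string:
SIGMA_WORDS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)


def rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def quarter_round(s, a, b, c, d):
    """RFC 8439 section 2.1 quarter-round, applied in place to state list s."""
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = rotl32(s[b] ^ s[c], 7)


def quarter_round_out(a, b, c, d):
    """Return the four words after one quarter-round (for checking vectors)."""
    s = [a, b, c, d]
    quarter_round(s, 0, 1, 2, 3)
    return tuple(s)


def initial_state(key, block_words):
    """16-word state: 4 constant words | 8 key words | 4 counter/nonce words."""
    if len(key) != 32 or len(block_words) != 4:
        raise ValueError("key must be 32 bytes and block_words exactly 4 words")
    return (list(struct.unpack("<4I", SIGMA))
            + list(struct.unpack("<8I", key))
            + [w & MASK32 for w in block_words])


def chacha_block(key, block_words, rounds=20):
    """64-byte keystream block; rounds = 8, 12 or 20 (any even count works)."""
    if rounds % 2:
        raise ValueError("rounds must be even (one double-round = 2 rounds)")
    state = initial_state(key, block_words)
    w = state[:]
    for _ in range(rounds // 2):
        quarter_round(w, 0, 4, 8, 12)    # column round
        quarter_round(w, 1, 5, 9, 13)
        quarter_round(w, 2, 6, 10, 14)
        quarter_round(w, 3, 7, 11, 15)
        quarter_round(w, 0, 5, 10, 15)   # diagonal round
        quarter_round(w, 1, 6, 11, 12)
        quarter_round(w, 2, 7, 8, 13)
        quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def ietf_words(counter, nonce):
    """RFC 8439 layout: 32-bit block counter followed by a 96-bit nonce."""
    return [counter & MASK32] + list(struct.unpack("<3I", nonce))


def djb_words(counter, nonce):
    """Original (Bernstein) layout: 64-bit block counter, then a 64-bit nonce."""
    return (list(struct.unpack("<2I", struct.pack("<Q", counter)))
            + list(struct.unpack("<2I", nonce)))


def chacha_xor(key, layout, counter, nonce, data, rounds=20):
    """Stream-cipher XOR; the same call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha_block(key, layout(counter + i // 64, nonce), rounds)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


if __name__ == "__main__":
    key = bytes(range(32))                                  # RFC 8439 2.3.2 inputs
    nonce = bytes.fromhex("000000090000004a00000000")
    print("ChaCha20 block:", chacha_block(key, ietf_words(1, nonce)).hex())
    for r in (8, 12, 20):
        print(f"{r:2d} rounds, same state constant, keystream starts",
              chacha_block(key, ietf_words(1, nonce), r)[:8].hex())
```

Running the file prints the RFC 8439 block and the first bytes of the 8-, 12- and 20-round keystreams for identical inputs. Once the round loop is located in .text, counting its double-round iterations (or the unrolled quarter-round groups) against this reference settles the round count that the string cannot.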

Mutex & Family Attribution

  • Mutex name: Global\Not_Avaris
  • Labels include both chacha8 and not_avaris.
  • OpenCTI family: chacha8.
  • The not_avaris label mirrors the mutex string. "Not Avaris" may be the author disclaiming an "Avaris" ransomware, or a marker distinguishing this build from an earlier, similar variant; nothing else in the binary supports or refutes either reading, and chacha8 remains the consensus family attribution.

No Ransom Note / No Extortion Mechanism

  • No embedded wallet address, email, or TOR URL.
  • No README_DECRYPT / HOW_TO_RECOVER strings.
  • No .onion or .txt ransom note generation.
  • The binary is purely a file encryptor/wiper.

Assessment

Verdict: High-confidence file encryptor, classed as ransomware by the corpus labels. The chacha8 family is a ransomware (or ransomware-builder variant) that uses the ChaCha stream cipher for fast file encryption, masquerades as system processes, and relies on a single-instance mutex to avoid re-encrypting its own output. One caveat for response: nothing in the binary transmits a key to an operator or asks the victim for anything. If the key is hard-coded or derived deterministically, files may be recoverable from the binary itself; if it is generated per run and never stored, the sample is in effect a wiper.

  • Impact: Destructive; encrypts and deletes originals in the execution directory.
  • Network footprint: None observed in static analysis (no ws2_32, wininet or winhttp imports, no URL or domain strings).
  • Persistence: None; runs once, no scheduled-task, service or Run-key strings found.
  • Detection opportunities:
    • A process that creates a file and then deletes a sibling with the same base name in quick succession, repeated across a directory.
    • Global\Not_Avaris mutex creation (visible to a handle enumerator or memory scan; standard Sysmon/EDR file and process telemetry does not record mutexes).
    • svchost.exe executing outside %SystemRoot%\System32, unsigned, or with a parent other than services.exe.
    • MinGW-w64 compiled PE with expand 32-byte k (or its four word immediates) in .rdata, no .rsrc section, and imports limited to KERNEL32 and msvcrt.
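The behavioural items above, as an added example that is not part of the original report: Sysmon-style events are constructed inline (paths, PIDs and timestamps are invented test data, not telemetry from a real infection), and two functions implement the first and third bullets. The pairing rule assumes the new file name is derived from the original (same stem, or one name a prefix of the other), which the Encrypting: %s -> %s format string suggests but static analysis does not prove; the window length and the System32 path are likewise assumptions.

```python
"""Behavioural detections for the encrypt-then-delete flow (added example).

Not code from the page or the sample. Input is a list of Sysmon-style events
(EventID 1 ProcessCreate, 11 FileCreate, 23/26 FileDelete) using Sysmon's
field names; SAMPLE_EVENTS is constructed test data.
"""
from datetime import datetime, timedelta
import ntpath  # Windows path semantics even when run on Linux/macOS

SYSTEM32 = r"c:\windows\system32"   # assumed default %SystemRoot%\System32

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"UtcTime": "2026-05-26 10:00:00", "EventID": 1, "ProcessId": 4242,
     "Image": r"C:\Users\alice\Downloads\svchost.exe"},
    {"UtcTime": "2026-05-26 10:00:00", "EventID": 1, "ProcessId": 812,
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"UtcTime": "2026-05-26 10:00:01", "EventID": 11, "ProcessId": 4242,
     "TargetFilename": r"C:\Users\alice\Downloads\report.docx.enc"},
    {"UtcTime": "2026-05-26 10:00:02", "EventID": 23, "ProcessId": 4242,
     "TargetFilename": r"C:\Users\alice\Downloads\report.docx"},
    {"UtcTime": "2026-05-26 10:00:03", "EventID": 11, "ProcessId": 4242,
     "TargetFilename": r"C:\Users\alice\Downloads\budget.xlsx.enc"},
    {"UtcTime": "2026-05-26 10:00:04", "EventID": 23, "ProcessId": 4242,
     "TargetFilename": r"C:\Users\alice\Downloads\budget.xlsx"},
    # benign: an editor writes and later removes its own temp file (same name)
    {"UtcTime": "2026-05-26 10:00:08", "EventID": 11, "ProcessId": 9001,
     "TargetFilename": r"C:\Users\alice\Documents\~WRL0001.tmp"},
    {"UtcTime": "2026-05-26 10:00:09", "EventID": 23, "ProcessId": 9001,
     "TargetFilename": r"C:\Users\alice\Documents\~WRL0001.tmp"},
]


def _split(path):
    """Lower-cased (directory, filename) using Windows path rules."""
    d, base = ntpath.split(path)
    return d.lower(), base.lower()


def _looks_derived(new_name, old_name):
    """True when new_name is plausibly old_name with an extension added or swapped."""
    if new_name == old_name:
        return False   # same file created then deleted: temp-file pattern, not ours
    return (new_name.startswith(old_name) or old_name.startswith(new_name)
            or ntpath.splitext(new_name)[0] == ntpath.splitext(old_name)[0])


def created_then_deleted(events, window=timedelta(seconds=5)):
    """Return (pid, deleted_path, created_path) for every delete that follows,
    within `window`, a create by the same process of a derived name in the
    same directory."""
    recent = []   # (time, pid, dir, name, path) of FileCreate events inside the window
    hits = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["UtcTime"])):
        now = datetime.fromisoformat(ev["UtcTime"])
        recent = [r for r in recent if now - r[0] <= window]   # expire old creates
        if ev["EventID"] == 11:
            d, name = _split(ev["TargetFilename"])
            recent.append((now, ev["ProcessId"], d, name, ev["TargetFilename"]))
        elif ev["EventID"] in (23, 26):
            d, name = _split(ev["TargetFilename"])
            for _, pid, cdir, cname, cpath in recent:
                if pid == ev["ProcessId"] and cdir == d and _looks_derived(cname, name):
                    hits.append((pid, ev["TargetFilename"], cpath))
    return hits


def svchost_outside_system32(events):
    """Return (pid, image) for ProcessCreate events whose image is an svchost.exe
    loaded from anywhere other than the assumed System32 directory."""
    hits = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        d, name = _split(ev["Image"])
        if name == "svchost.exe" and d != SYSTEM32:
            hits.append((ev["ProcessId"], ev["Image"]))
    return hits


if __name__ == "__main__":
    for pid, old, new in created_then_deleted(SAMPLE_EVENTS):
        print(f"pid {pid}: {old} replaced by {new}")
    for pid, image in svchost_outside_system32(SAMPLE_EVENTS):
        print(f"pid {pid}: masquerading image {image}")
```

The name heuristic is deliberately loose, so an editor that saves through a differently named temp file and then deletes the original will also produce a pair; in production, require several pairs from one process inside the window before alerting, and correlate with the svchost-outside-System32 hit when the process carries that name.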

IOCs

Type                    Value
SHA256                  3485419b7a85123f50512ee04e29dfe1ad6d973118b073f16a57565251a4d2f0
ssdeep                  1536:ZVhxJM9lq5Bc9W5lrVBRxNsBEY+K0Uj+wsTLtFVA8OlmlCXYLjcJP5L5
Import hash (imphash)   not computed in this triage; with only CRT-style KERNEL32/msvcrt imports it would mostly fingerprint the MinGW runtime shared by many unrelated builds rather than this sample
Mutex                   Global\Not_Avaris
Embedded string         svchost.exe
Cipher artifact         expand 32-byte k (ChaCha state-setup constant)

References

  • MalwareBazaar entry (sha256): 3485419b7a85123f50512ee04e29dfe1ad6d973118b073f16a57565251a4d2f0
  • OpenCTI labels: c, chacha8, exe, malware-bazaar, not_avaris, ransomware

Report generated from static analysis of triage artifacts — strings, pefile, metadata, yara — on 2026-05-26.