Here is my analysis of the Darkside ransomware.
I'll attach more screenshots regarding my analysis this time 😏
I didn't connect to the C2 during the analysis.
Dynamically Resolve Windows API
Elevate Privilege (If running in Non-Admin privilege)
Utilizing COM bypass UAC privilege (When Access Token Method Failed)
Elevation:Administrator!new:%s
Get access token from admin process (e.g. Explorer.exe)
Hash Generation: File Extension, Mutex, Victim's ID
File Drop
Drops the ransomware icon file in %APPDATA% and creates a registry key for it.
Service Enumeration and Delete
Enumerates the installed services and compares their names against this list:
vss,sql,svc$,memtas,mepocs,sophos,veeam,backup
If a match is found, the service is deleted.
Gather Victim Info
Get DriverType & Size
Language
HKCU = HKEY_CURRENT_USER = 0x80000001
HKCU/Control Panel/Desktop/MuiCached/MachinePreferredUILanguage
Encrypt Victim’s Info
URL Path Generator
Internet connection
securebestapp20[.]com/<URL Path Generator>
An encrypted PowerShell command runs “delete shadow copy”
Salsa session key generation & RSA encryption on Salsa session key
The session key is generated from the RtlRandomEx function, which is fed with a hard-coded seed value. When the length == 5, it leaves 0 bytes there. (Refer to “Custom Salsa key state arrangement”.)
How to identify Salsa encryption algorithm?
I found these patterns inside the code instead of the Salsa constants.
b ^= (a + d) <<< 7;
c ^= (b + a) <<< 9;
d ^= (c + b) <<< 13; (0xd in Hex)
a ^= (d + c) <<< 18; (0x12 in Hex)
Let’s check out the key generated. Hmm… There is no constant found for the Salsa Key generated.
Usually “expa”, “nd 3”, “2-by”, “te k” are seen in a Salsa implementation, but this seems like a custom one.
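To make the two fingerprints above concrete, here is an added example (not code from the original write-up or from the sample): a reference Salsa20 quarter-round with the 7/9/13/18 rotations, a scan for the standard “expand 32-byte k” words, and a constant-free heuristic that looks for x86 `rol r32, imm8` instructions with those four immediates in order. The two “binaries” it runs on are constructed byte strings, and the instruction-encoding heuristic is my own, not a claim about how the Darkside sample is compiled.

```python
"""Salsa20 identification helpers for a binary whose key state has no constants."""
import re
from typing import List, Tuple

MASK32 = 0xFFFFFFFF
SALSA_ROTATIONS = (7, 9, 13, 18)                # the rotate amounts seen in the code
SIGMA = (b"expa", b"nd 3", b"2-by", b"te k")    # standard 32-byte-key constants


def rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def quarterround(y0: int, y1: int, y2: int, y3: int) -> Tuple[int, int, int, int]:
    """Reference Salsa20 quarter-round: the add / rotate / xor chain quoted above."""
    z1 = y1 ^ rotl32((y0 + y3) & MASK32, 7)
    z2 = y2 ^ rotl32((z1 + y0) & MASK32, 9)
    z3 = y3 ^ rotl32((z2 + z1) & MASK32, 13)
    z0 = y0 ^ rotl32((z3 + z2) & MASK32, 18)
    return z0, z1, z2, z3


def find_sigma_constants(blob: bytes) -> List[int]:
    """Offsets of each standard sigma word; empty when the state layout is custom."""
    return [m.start() for m in re.finditer(b"|".join(map(re.escape, SIGMA)), blob)]


# x86 'rol r32, imm8' is C1 /0 ib: opcode C1, ModRM C0..C7 (mod=11, reg=000), imm8.
_ROL_IMM8 = re.compile(rb"\xC1[\xC0-\xC7](.)", re.DOTALL)


def find_salsa_rotations(blob: bytes, window: int = 64) -> List[int]:
    """Offsets of a rol-by-7 that is followed, within `window` bytes, by rol-by-9,
    13 and 18: a fingerprint that survives the removal of the sigma constants."""
    rols = [(m.start(), m.group(1)[0]) for m in _ROL_IMM8.finditer(blob)]
    hits = []
    for i, (off, imm) in enumerate(rols):
        if imm != SALSA_ROTATIONS[0]:
            continue
        seq = [im for o, im in rols[i:] if o - off <= window]
        if tuple(seq[:4]) == SALSA_ROTATIONS:
            hits.append(off)
    return hits


def _rol_step(imm: int) -> bytes:
    # Constructed: add eax, edx ; rol eax, imm ; xor ebx, eax
    return b"\x01\xD0" + bytes([0xC1, 0xC0, imm]) + b"\x33\xD8"


# Constructed sample "binaries": one carries the sigma string, the other only the
# rotation immediates, like a custom Salsa key state with no constants.
STANDARD_BLOB = b"\x90" * 8 + b"expand 32-byte k" + b"\x90" * 8
CUSTOM_BLOB = b"\x90" * 4 + b"".join(_rol_step(r) for r in SALSA_ROTATIONS) + b"\x90" * 4
```

Running `find_sigma_constants` over the custom blob returns nothing, while `find_salsa_rotations` still flags the quarter-round at offset 6, which is the situation described for this sample.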
RSA Public Key Encryption
How to determine RSA?
- Knowing the exponent (010010h LE) (10001h BE)
- Guessing the exponentiation function (here is a good explanation of the RSA algorithm)
As for details like the exponentiation and modulo functions, I still can't figure them out yet. However, it feels like rcl, sbb and adc play an important role in both the exponentiation and modulo operations. Maybe someone can figure this out. 🤔
Generates a 16-byte block hash using RtlComputeCrc32.
After encrypting the bytes, it appends the encrypted key and its CRC32 hash to them.
Excluded Folders, Files and Extensions
Folders: $recycle.bin, config.msi, $windows.~bt, $windows.~ws, windows, appdata, application data, boot, google, mozilla, program files, program files (x86), programdata, system volume information, tor browser, windows.old, intel, msocache, perflogs, x64dbg, public, all users, default
Files: autorun.inf, boot.ini, bootfont.bin, bootsect.bak, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db
Extensions: 386, adv, ani, bat, bin, cab, cmd, com, cpl, cur, deskthemepack, diagcab, diagcfg, diagpkg, dll, drv, exe, hlp, icl, icns, ico, ics, idx, ldf, lnk, mod, mpa, msc, msp, msstyles, msu, nls, nomedia, ocx, prf, ps1, rom, rtp, scr, shs, spl, sys, theme, themepack, wpx, lock, key, hta, msi, pdb
Ransom note
SHA256
afb22b1ff281c085b60052831ead0a0ed300fac0160f87851dacc67d4e158178