Evasive Technique
This sample contains Windows shellcode that loads a few Windows API functions and the relevant DLLs, which then generate the malicious payload. It also repeatedly calls VirtualAlloc, VirtualProtect, ZwAllocateMemory, ZwFreeMemory and VirtualFree in order to load, erase and reload the functions it will use in its malicious activity (encrypting the file system, etc.). It creates multiple threads to perform different tasks as well.
During initial analysis, a bunch of useless code keeps looping; find a way to redirect execution to the code that leads to the CreateTimerQueueTimer Windows API call. CreateTimerQueueTimer uses its callback function to redirect the sample into executing the malicious shellcode.
Program Functionalities
Detect & Terminate running processes related to analysis tools
Save the running processes in the system -> Iterate over these processes & calculate a hash from each process name -> Compare it with the hash list in the binary -> Terminate every process whose name hash matches the hash list in the binary
During the analysis, it was found that the sample terminates procmon.exe & xdbg32.exe
Relevant functions involved:
1) CreateToolhelp32Snapshot
2) Process32NextW
Create Mutex
Creates a mutex named Global\%s (Global namespace)
Delete Shadow Copy
Search for wmic.exe -> Generate some random strings -> Concatenate them together -> Code execution
Relevant functions involved:
1) lstrcatW
2) CreateProcessW
Search For Antivirus Product
Using the WMI namespace with WQL to search for any antivirus product (not sure whether it will terminate it, as I didn't try to install an antivirus in it).
Get the user's PC name and Windows version.
Relevant functions involved:
1) GetSystemName
2) GetVersion
Enumerate system driver & shared driver
Relevant functions involved:
1) DsRoleGetPrimaryDomainInformation
2) WNetOpenEnumW
3) WNetEnumResource
4) WNetCloseEnum
Find Available Logical Drives & find files in the system
Relevant functions involved:
1) GetLogicalDriveStringsW
2) FindFirstFile
3) FindNextFile
Encryption process
Relevant functions involved:
1) CryptAcquireContextW
2) CryptGenKey
3) CryptExportKey
4) CryptDestroyKey
5) CryptReleaseContext
6) CryptImportKey
7) CryptGenRandom
8) CryptEncrypt (encryption of the file bytes starts here)
Excluded folder from being encrypted
Writing encrypted bytes into files
Before encryption starts, it will drop foo.db and the ransom note at C:\Program Data, and drop <Random string>.dat in the main logical drive (e.g. C:\)
Relevant functions involved:
1) CreateFile
2) GetFileSize
3) CreateFileMapping
4) MapViewOfFile
5) UnmapViewOfFile
6) CloseHandle
7) SetFilePointerEx
8) WriteFile
Connect to IOC lists
Relevant functions involved:
1) InternetCrackUrlA
2) InternetConnectA
3) HttpOpenRequestA
4) HttpSendRequestA
5) InternetCloseHandle
Formation of the full IOC URL
Strings used to replace the placeholders in the IOC URL: http://<IOC>/<PATH>/random_strings<EXTENSION>
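As an added example (not part of the original analysis), a small Python detector for the URL shape described above: it refangs IOC entries written the way this report writes them, then flags proxy-log lines whose URL has an IOC host and exactly one path segment followed by a random name with an extension. The IOC hosts and the log line format are constructed placeholders, not the report's values.

```python
import re
from urllib.parse import urlsplit

# Constructed IOC hosts (TEST-NET placeholders, not the report's real list);
# entries may be written defanged, as in the report (e.g. 192[.]0.2.10).
IOC_HOSTS_RAW = ["192[.]0.2.10", "192.0.2.11"]

# The sample forms its URL as http://<IOC>/<PATH>/random_strings<EXTENSION>:
# exactly one path segment, then a random alphanumeric name with an extension.
BEACON_PATH = re.compile(r"^/[^/]+/[A-Za-z0-9]+\.[A-Za-z0-9]+$")

def refang(host):
    """Turn a defanged indicator such as 192[.]0.2.10 back into 192.0.2.10."""
    return host.replace("[.]", ".")

IOC_HOSTS = {refang(h) for h in IOC_HOSTS_RAW}

def is_beacon_url(url, ioc_hosts=IOC_HOSTS):
    """True if url targets an IOC host over plain HTTP and has the beacon shape."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in ioc_hosts:
        return False
    return BEACON_PATH.match(parts.path) is not None

def scan_proxy_log(lines, ioc_hosts=IOC_HOSTS):
    """Return (client, url) pairs for lines that hit a beacon URL.
    Assumed (constructed) format: <timestamp> <client-ip> <method> <url> <status>."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line: skip rather than crash
        client, url = fields[1], fields[3]
        if is_beacon_url(url, ioc_hosts):
            hits.append((client, url))
    return hits

# Constructed sample log: one true beacon, one benign host, and one IOC host
# whose path does not match the beacon shape.
SAMPLE_LOG = [
    "2020-05-01T10:00:01Z 10.0.0.5 GET http://192.0.2.10/img/aZ09x.jpg 200",
    "2020-05-01T10:00:02Z 10.0.0.6 GET http://198.51.100.7/img/aZ09x.jpg 200",
    "2020-05-01T10:00:03Z 10.0.0.5 GET http://192.0.2.11/img/sub/a.jpg 404",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}")
```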
IOCs:
URLs
Ransom note
Dropped in every folder before the encryption starts.
Ransom note name: DECRYPT-FILES.html
Email address
- koreadec@tutanota.com
- yourrealdecrypt@airmail.cc
*My analysis might have missed something. Feel free to comment if there is anything :)
Sha256: e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
Small Tips
Use the breakpoint counter to control the number of times the same line of code is stepped over repeatedly. In this case it is quite useful for determining the next function call, as the sample keeps looping from the beginning until the function is called.
Breakpoint -> Edit -> in the breakpoint condition row, put $breakpointcounter==<HEX VALUE>