Dynamic analysis is used here first because it is already actively running on victim's machine, so we might as well start from there.
- Launch Process Hacker on the victim VM; an anomaly named
5D85C2C17D.exe
can be found in the process list. - The process is launched with the system, suggesting a daemon service or autorun registry is keeping the process persistent.
- The process clearly has a name with a description of
Microsoft Windows Auto Update
, yet it does not behave like any default Windows applications bundled by Microsoft.- The process is not signed by Microsoft, further confirming the previous suspicion.
- A signed process will contain a CA similar to the following,
CN = Microsoft Windows Production PCA 2011 O = Microsoft Corporation L = Redmond S = Washington C = US
- From Process Hacker's automatic executable categorization, we can see that this process is a .NET assembly.
- trid (similar to
file
on Linux) further affirms the type of application.
- The file is seen constantly probing the victim's storage system.
- Common .NET assemblies can be found in the thread stack.
Since we know that the malicious executable is a .NET program, the program could typically be easily reversed via ildasm or any third-party decompilers (e.g. RedGate Reflector, JetBrains dotPeek, dnSpy, etc.).
Unfortunately for us, upon opening the file, we discover that the file had been heavily obfuscated by Confuser.
Fortunately for us, Confuser is a known obfuscation application, and is supported by the de4dot deobfuscator.
./de4dot 5D85C2C17D.exe
The application will pick up the pattern created by Confuser and begin deobfuscation.
pestudio is a tool that is designed to gather quick information about a malware. It will gather information such as the target application's manifest, certificate, file header, imported libraries, string table, and more.
Hash type | Value |
---|---|
md5 | F472B4AE02E5956F4F25CCFD6ECFDA4B |
sha1 | F11665C8721466F78A96C106B08F17FC29A12F6C |
sha256 | BFDF5E72651B4EC588BD5FC6A9F17E9E0972248146BBACC10478F48D72F29B81 |
Property | Value |
---|---|
signature | 0x50450000 |
machine | Intel |
sections | 3 |
compiler-stamp | 0x52DCF9B5 (Mon Jan 20 18:25:57 2014) |
pointer-symbol-table | 0x00000000 |
number-of-symbols | 0 |
size-of-optional-header | 224 (bytes) |
processor-32bit | true |
relocation-stripped | false |
large-address-aware | false |
uniprocessor | false |
system-image | false |
dynamic-link-library | false |
executable | true |
debug-stripped | false |
media-run-from-swap | false |
network-run-from-swap | false |
pestudio lists out some of the indicators that it finds concerning/interesting for us. Here are some of them that seem to fit this application and may aid us in the analysis.
Indicator | Severity |
---|---|
The file seems to be a fake Microsoft executable | 1 |
The file references (69) file extensions like a Ransomware (or a Wiper) | 1 |
The file expects Administrative permission | 2 |
The original file name is "Microsoft Windows Auto Update.exe" | 3 |
The file signature is 'Microsoft Visual C# v7.0 / Basic .NET' | 5 |
The file references (20) blacklisted string(s) | 5 |
The file does not contain a digital Certificate | 7 |
The file is managed by .NET | 9 |
As we can see, pestudio already picked up some traits that a typical ransomware would exhibit, such as the fact that an extensive list of extension names can be found in the executable.
Upon opening the deobfuscated application, we can already see major red flags in the string table.
Some of these strings indicate that we are dealing with a ransomware:
Payments are processed manually, therefore, the expectation of activation may take up to 48 hours.
This software will be deleted after files decryption, make sure that all important files are decrypted! If software crashes during decryption process, don't panic it will auto restart and your files will be decrypted without making addidional payment, just click Next>>. After all, software will auto remove itself from your computer!
Make sure that all important files have been decrypted! If part of the files had not been decrypted - move them to the desktop and click <<Retry>> button. Otherwise, press <<Cancel>> button - this will delete the software from this computer. Please restart your computer to completely destroy this software!
Without doing any of the code analysis, we can already find several questionable methods used by the malware thanks to pestudio's automatic flagging:
As mentioned before, we could use any .NET reflector to decompile the .NET application to see what the file does now. For this example, we'll opt to use dnSpy, an open-source debugger and .NET assembly editor. Other decompilers can be used if you are interested in further analysis (RedGate Reflector will drill down to lower-level implementation detail and compiler generated code; JetBrain dotPeek is somewhere in-between).
// to be continued...