Skip to content

Instantly share code, notes, and snippets.

@Still34
Last active July 31, 2019 08:32
Show Gist options
  • Save Still34/48c5df23dd1e098082ee87d1a177e0b4 to your computer and use it in GitHub Desktop.
Save Still34/48c5df23dd1e098082ee87d1a177e0b4 to your computer and use it in GitHub Desktop.
Ransomware Analysis for AIS3 2019 Forensics

Analysis of Malware Sample (AIS3 2019)

Dynamic analysis

Dynamic analysis is used here first because it is already actively running on victim's machine, so we might as well start from there.

Discovering malicious executable

  • Launch Process Hacker on the victim VM; an anomaly named 5D85C2C17D.exe can be found in the process list.
  • The process is launched with the system, suggesting a daemon service or autorun registry is keeping the process persistent.
    • WhatsInStartup confirms our suspicion
  • The process clearly has a name with a description of Microsoft Windows Auto Update, yet it does not behave like any default Windows applications bundled by Microsoft.
    • The process is not signed by Microsoft, further confirming the previous suspicion.
    • A signed process will contain a CA similar to the following,
        CN = Microsoft Windows Production PCA 2011
        O = Microsoft Corporation
        L = Redmond
        S = Washington
        C = US
    

Determining the type of executable

  • From Process Hacker's automatic executable categorization, we can see that this process is a .NET assembly.
  • trid (similar to file on Linux) further affirms the type of application.

Behavior analysis

  • The file is seen constantly probing the victim's storage system.
  • Common .NET assemblies can be found in the thread stack.

Static analysis

Deobfuscation

Since we know that the malicious executable is a .NET program, the program could typically be easily reversed via ildasm or any third-party decompilers (e.g. RedGate Reflector, JetBrains dotPeek, dnSpy, etc.).

Unfortunately for us, upon opening the file, we discover that the file had been heavily obfuscated by Confuser.

  • ConfusedBy attribute
  • Garbage code spat out by decompilers

Fortunately for us, Confuser is a known obfuscation application, and is supported by the de4dot deobfuscator.

./de4dot 5D85C2C17D.exe

The application will pick up the pattern created by Confuser and begin deobfuscation.

Analysis via pestudio

pestudio is a tool that is designed to gather quick information about a malware. It will gather information such as the target application's manifest, certificate, file header, imported libraries, string table, and more.

Hashes

Hash type Value
md5 F472B4AE02E5956F4F25CCFD6ECFDA4B
sha1 F11665C8721466F78A96C106B08F17FC29A12F6C
sha256 BFDF5E72651B4EC588BD5FC6A9F17E9E0972248146BBACC10478F48D72F29B81

File header

Property Value
signature 0x50450000
machine Intel
sections 3
compiler-stamp 0x52DCF9B5 (Mon Jan 20 18:25:57 2014)
pointer-symbol-table 0x00000000
number-of-symbols 0
size-of-optional-header 224 (bytes)
processor-32bit true
relocation-stripped false
large-address-aware false
uniprocessor false
system-image false
dynamic-link-library false
executable true
debug-stripped false
media-run-from-swap false
network-run-from-swap false

Indicators

pestudio lists out some of the indicators that it finds concerning/interesting for us. Here are some of them that seem to fit this application and may aid us in the analysis.

Indicator Severity
The file seems to be a fake Microsoft executable 1
The file references (69) file extensions like a Ransomware (or a Wiper) 1
The file expects Administrative permission 2
The original file name is "Microsoft Windows Auto Update.exe" 3
The file signature is 'Microsoft Visual C# v7.0 / Basic .NET' 5
The file references (20) blacklisted string(s) 5
The file does not contain a digital Certificate 7
The file is managed by .NET 9

As we can see, pestudio already picked up some traits that a typical ransomware would exhibit, such as the fact that an extensive list of extension names can be found in the executable.

String table

Upon opening the deobfuscated application, we can already see major red flags in the string table.

Some of these strings indicate that we are dealing with a ransomware:

  • Payments are processed manually, therefore, the expectation of activation may take up to 48 hours.
  • This software will be deleted after files decryption, make sure that all important files are decrypted! If software crashes during decryption process, don't panic it will auto restart and your files will be decrypted without making addidional payment, just click Next>>. After all, software will auto remove itself from your computer!
  • Make sure that all important files have been decrypted! If part of the files had not been decrypted - move them to the desktop and click <<Retry>> button. Otherwise, press <<Cancel>> button - this will delete the software from this computer. Please restart your computer to completely destroy this software!

Without doing any of the code analysis, we can already find several questionable methods used by the malware thanks to pestudio's automatic flagging:

Analysis via Decompilation

As mentioned before, we could use any .NET reflector to decompile the .NET application to see what the file does now. For this example, we'll opt to use dnSpy, an open-source debugger and .NET assembly editor. Other decompilers can be used if you are interested in further analysis (RedGate Reflector will drill down to lower-level implementation detail and compiler generated code; JetBrain dotPeek is somewhere in-between).

// to be continued...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment