# Apostle Ransomware Analysis **[cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/](https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/)** ## Here we go another ransomware writeup 🙂 May 27, 2021 Small note sorry if not the best quality I am new to blogging and working on improving! ## What is this Ransomware? ----- Apostle ransomware appears to be a ransomware connected with attacks on israel with IOC’s many reports pointing towards Iran APTs but also a group formed in 2020 dubbed “Agrius“. This ransomware is another one developed in .NET which as seen recently is starting to become a trend which is very good for us not so good for the bad guy. Filename(s): Apostle.exe / alldata-3.5.exe File Hash: 19DBED996B1A814658BEF433BAD62B03E5C59C2BF2351B793D1A5D4A5216D27E Sample Download: [https://vxug.fakedoma.in/samples/Exotic/NonAPTs/Agrius/Agrius.zip](https://vxug.fakedoma.in/samples/Exotic/NonAPTs/Agrius/Agrius.zip) Scan Online: https://www.malwares.com/report/file? [hash=19DBED996B1A814658BEF433BAD62B03E5C59C2BF2351B793D1A5D4A521](https://www.malwares.com/report/file?hash=19DBED996B1A814658BEF433BAD62B03E5C59C2BF2351B793D1A5D4A5216D27E) 6D27E ## We got the sample, and now what? The first thing I did upon getting the sample was to look on VirusTotal to try and identify some key information such as what language was used to write the malware, In this case we discovered that it has been identified by a few of the detection’s on VirusTotal as shown below. The above image displays some great news about the malware, .NET is normally very trivial to decompile and get a understanding of what is actually going on with tools such as: [https://github.com/icsharpcode/ILSpy](https://github.com/icsharpcode/ILSpy) [https://github.com/dnSpy/dnSpy](https://github.com/dnSpy/dnSpy) ----- ## Decompiling the executable Using the tool “ILSpy” I loaded my fresh sample to see what we could find inside the code maybe some juicy details or maybe we can look at the methods involved or just pull some juicy information. What a surprise its obfuscated ## OH NO ITS OBFUSCATED!?! Lets give it a good ol’ rub with de4dot and see if it detects and deobfuscates it, there is no way this is going to work right all these AdVaNcEd ThReAt AcToRs would be using custom obfuscation to prevent an ancient tool from working?!? ----- OH NO IT WORKED Its just free code for us to look at ## Okay we are deobfuscated let take a look around First of all lets take a look and see if we can find any kind of unique strings or indicators. Ugh the strings are obfuscated lets find how strings are used ----- Here is a simple XOR string function inside that references SC SC is just a XOR index table with SC being a cached version assuming to be StringCache ## Thanks for the string method Now lets yoink this method and put it all together in a simple C# app ----- As you can see here it has worked ## Self Deletion Here is the way that it deletes itself after run it creates a .bat file to bypass file locks ## Setting process tokens This method attempts to set token privs to one that allows SeShutdownPrivilege ## File Destruction ----- A way to flag for files also would be using this timestamp as identifier: 2037, 1, 1, 0, 0, 0 “Y,M,D,H,M,S” ## Making sure it only runs once This function is called and generates a MUTEX for preventing multiple runs ## Encryption Key ----- line argument ## Stopping SQL services Encryption key is passed in as a command This is the stop function which the below screenshot uses v\u0096ï turns into “SQL” ## RSA Encryption ----- This function handles RSA Encryption ## Damaging data blocks Function to literally damage data blocks ## I hope maybe you learned something or just enjoyed looking at the pretty screenshots <333 Credits: SentinelOne – For great research and publication regarding this malware [https://twitter.com/SentinelOne](https://twitter.com/SentinelOne) [https://labs.sentinelone.com/from-wiper-to-ransomware-the-evolution-of-agrius/](https://labs.sentinelone.com/from-wiper-to-ransomware-the-evolution-of-agrius/) vx-underground – Hosting the samples and generally having an awesome community [https://twitter.com/vxunderground](https://twitter.com/vxunderground) [https://vx-underground.org/samples.html](https://vx-underground.org/samples.html) -----