# Exorcist Ransomware analysis writeup | Medium

**[medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81](https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81)**

Leandro Velasco July 24, 2020

[Leandro Velasco](https://medium.com/@velasco.l.n?source=post_page-----5b7da4263d81--------------------------------)

Jul 24, 2020


11 min read

## Exorcist Ransomware — From triaging to deep dive

 TL;DR

On Monday 20th while hunting for some REvil samples I stumbled upon a newly introduced
ransomware as a service called Exorcist. This ransomware is distributed via Pastebin
embedded in a powershell script that loads it directly in memory. This script is based on
“Invoke-ReflectivePEInjection.ps1” script by Joe Bialek (@JosephBialek), but it is optimised
with an additional function to pass a base64 encoded executable to the main function. This
powershell script is possibly generated using the Empire framework. The same technique is
used by some of the Sodinokibi/REvil affiliates, and in the past by Buran.

The ransomware is not obfuscated and the majority of the strings are in plaintext stored in
the “.rdata” section of the executable. The first thing that the malware does is to check the
geo location of the system using the language and the keyboard layout. If the results yield
one of the Commonwealth of Independent States (CIS) it quits on the spot. Then the
ransomware execute a series of commands to disable and remove backups and kill
processes that might interfere with the system encryption. Once it is done with the
commands, it writes to disk the RSA public key, the session private key and the extension.
This information is not written into a file in a straightforward manner, instead it is written in
different [Alternate Data Streams on the file “%temp%\\boot.sys”.Then it extracts information](https://www.howtogeek.com/howto/windows-vista/stupid-geek-tricks-hide-data-in-a-secret-text-file-compartment/)
from the system such as username, hostname, OS version, keyboard layout, etc. and sends
them via http to the server “http://217.8.117[.]26/gateinfo”. Next it gets the amount of cpu on
the systems and starts multiple threats to encrypt the system files. Some directories and file
extensions are excluded to avoid rendering the system unusable. Once done with the
encryption another http packet is sent to the same server this time to the url
“http://217.8.117[.]26/gatedrivers”. Lastly, the wallpaper of the system is changed and the


-----

ransom notes are dropped in the form of hta scripts with the name convention <extension>decrypt.hta”. In these notes we can find the instructions to recover the system that consist of
the urls “http://217.8.117[.]26/pay”. “http://4dnd3utjsmm2zcsb[.]onion/pay”, and the
“Authorization Key”.

Exorcist Ransom Note
This information will be needed to “sign in” the payment portal shown in the following
screenshot:

For the IOCs go to the bottom of the page =D

## Exorcist Ransomware Triaging

Once the payload is extracted (base64 encoded) from the powershell loader, we get a PE32
[executable. From a quick scan of the file using Assemblyline we get the following interesting](https://github.com/CybercentreCanada/assemblyline-core)
insights:


-----

So at a first glance we can see that there are some well known executable names extracted,
normally seen in ransomware and coin miners either to prevent processes from allowing
access to files that will be encrypted or to free resources to mine more effectively.

Based on the API names extracted from the sample we can say it has some network
capabilities as well as some cryptography ones. This is looking more and more like a
ransomware!

Lastly we see there is a url extracted from the sample “http://217.8.117[.]26/pay”. If we check
what we found on that website (in a secure manner ;) ) we find the following:


-----

Our suspicion was correct, it was ransomware after all!! But what else does this ransomware
[do? Let’s take a look at its capabilities using the newest tool from Fireeye capa.](https://github.com/fireeye/capa)


-----

So, it seems that indeed this ransomware sends data via http and executes some tricks to
check the system to not run on the wrong country ;). Now we are ready for a more serious
deep dive!

## Exorcist Ransomware Deep Dive


-----

Now it is time to get into the details of this malware. First we are going to take a look at the
file from a static point of view by analysing its strings, API calls, and code. And then to
complete our analysis and better understand the inner workings of the malware we are going
to study it from a dynamic point of view.

## Static analysis

Loading the executable on PEstudio helps us to confirm some of the hypothesis we made
during the triage and also shows us some interesting aspect of the sample that we haven’t
seen so far.


-----

-----

-----

So, some quick takeaways from the analysis so far:

1. Samples does not obfuscate strings.
2. It will exclude given directories and files with the extensions shown above to not render

the system unusable.
3. As expected, the ransomware will get rid of the Shadow copies of the files to avoid the

easy restoring of files.
4. It most likely will attempt to stop processes in a predefined list.

Let’s get our hands dirty and look at the code to discover some more capabilities of this
ransomware. For this we are going to load the sample to the free version of IDA.


-----

So, one of the first thing is does is creating a mutex to avoid running multiple times on the
system. Let’s check what else we find next to the hardcoded mutex string.


-----

Here we can see some interesting strings that we have overlooked before. Seems that there
are some countries listed that are most likely used together with the “get keyboard layout”
capability seen before to decide if this sample should run or quit. Let’s confirm this theory!


-----

-----

[The Ransomware uses the API “GetLocaleInfo” and “GetKeyboardLayoutList” to determine](https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getlocaleinfoa)
the geo location of the system and check if it should continue running or not. Let’s verify
another hypothesis we had. Does the ransomware kill the processes displayed in the strings
before start encrypting? For this we are going to pivot from the un-obfuscated strings to the
code.


-----

-----

From analysing the routine we see that it is divided in two main sections, the first one running
a set of predefined commands to disabled and remove shadow copies and backups, and a
second one that goes through the list of processes and calls “taskkill” for each of them.


-----

-----

Another way to browse through the code is to use the IDA feature Xref from graph. This can
be done because the sample is not obfuscated, and the windows API calls are been referred
explicitly. Using this tool we can guide our analysis following the Windows API calls of
interest

Well…I said we could use it, not that it was small nor easy ;). However, if we zoom into it, we
can have a good understating of the different functions and have a gist of their purpose. For
example:


-----

Here we see the “ShellExecuteW ”API call (always interesting to see what the sample might
try to execute) that is called right before exiting. If we go where it is called, we end up in the
following routine :

[The routine consists of calling the API “GetModuleFileName” with “hmodule” Null to get the](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea)
path of the executable file of the current process. Then, it prepares a command line that
would look like execute the command and then exits.


-----

By looking at the XRef graph we also notice some classic Windows API calls used to send
http packets over the network. If we follow the references we find the following routine :


-----

By exploring this routine, we see that a post request is done. But now the question is what
information is been sent. In the next section we are going to find out exactly what is been
sent via the post http request.

In order to fast forward the analysis, confirm some hypothesis, and discover new
[functionality, we will start the sample in the x32/64 debugger while having Procmon and](https://x64dbg.com/#start)
[FakeNet running next to it to get more insights.](https://github.com/fireeye/flare-fakenet-ng)

## Dynamic analysis

Now that our ransomware is running in a controlled environment we can see in more details
how the different commands and processes are been killed by it.


-----

Let’s continue where we left trying to understand what is sent to the server over an http post
request. In the following screenshot we can see how the IP and Port are decoded from the
string stored in the “.rdata” section of the executable.

Once it has that information the malware will start preparing the request. This means setting
up the headers and the content that will be sent. Once done it will call the API call
“HttpSendRequest” to send the http request. Using FakeNet we received that request and
respond with a fake site to emulate the “C2”.


-----

As the picture shows the ransomware sends a big blob encoded in base64 to the c2 server
at “http://217.8.117[.]26/gateinfo”. But where is this information coming from? For this we
need to go back to the code an analyse what happened so far.


-----

In this function we see that there is a template for a json file were some details about the
system are gathered and later appended to the json temple string. Examples of details that
are gathered include but are not limited to:

GetCurrentHwProfileA


-----

Gen_token (some crypto API calls are involved)
Query the registry key “”
GetUsername
GetComputername
GetLocale
Etc.

Once it finished querying the system it generates a json that looks as follows:

After the information is gathered, we see that some encryption is initialised (creating
encryption keys, specifying algorithms, etc) but some of the information used is queried from
a file that was written in “%temp%\\boot.sys” in an earlier stage. The most interesting aspect
of this, is that the information is not read from the file itself, instead it queries the file using
the convention “filename.ext:string”. This means that this ransomware is using Alternate
[Data Streams to hide information. Using the ADS-spy tool we can inspect the content that is](https://www.bleepingcomputer.com/download/ads-spy/)
been read by the malware.


-----

-----

Hidden in this file we can find the generated unique extension, the RSApublic key, and the
Private Session Key. Once these values are retrieved the encryption of the json string takes
place.


-----

-----

The json string is encrypted with AES CBC and the symmetric key encrypted the with the
public RSA key. In the following screenshot we can see the json string in plaintext and then
encrypted.


-----

After encryption, the json is base6 4encoded and then added to the http post request as
already shown.

What about the file encryption? After all, this is a ransomware, right? So once the first
beacon is sent to the server the ransomware starts the file encryption in a multithreaded
fashion. This can be seen in the following screenshots:


-----

-----

-----

Once it finished it sends yet again another beacon with data to the server but this time to
“http://217.8.117[.]26/gatedrivers”. In the following picture we can find an example of a
ransom note that is left in every directory. The name convention for them is “<extension>decrypt.hta”

So this will be all for now, there are quite some more interesting aspects to research into like
how the file encryption is performed at a cryptographic level, how are some of the other
interesting strings (powershell get host by address) used, does this ransomware implement
persistence mechanisms, etc. Feel free to contact me for comments and questions.
Constructive feedback is always welcomed!

## IOCs


-----

Samples:
```
https://bazaar.abuse.ch/sample/a7e27cc38a39ff242da39d05e04b95ea9b656829dfe2e90e8226351

```
MD5:
```
79385ed97732aee0036e67824de18e28f4009abe9f41da41e48340c96e29d62cfa4c4ac8b9c1b14951ae8a

```
SHA256:
```
8d684a790a5683b8decde9fb5a819c4a164d3032723a151a30ff26d3c2b1aabf6db3aae21a6d80857c85f5

```
URLs:
```
http://217.8.117[.]26/gateinfohttp://217.8.117[.]26/gatedrivershttp://4dnd3utjsmm2zcsb

```
IPs:
```
217.8.117[.]26

```
[Tria.ge Sandbox reports:](https://tria.ge/)
```
https://tria.ge/reports/200724-gmz55kbvr2/behavioral1https://tria.ge/reports/2007242v2mzfsjwx/behavioral1https://tria.ge/reports/200724kfjg2xf1b2/behavioral1https://tria.ge/reports/20072464rls1gjl2/behavioral1https://tria.ge/reports/200724b5zwteacds/behavioral1https://tria.ge/reports/20072415z7parj4x/behavioral1https://tria.ge/reports/200724-zxydprrjys/behavioral1

## Acknowledgements:

```
[Special thanks to @rikvduijn and](https://twitter.com/rikvduijn) [@ValthekOn for helping me figure some of the details out](https://twitter.com/ValthekOn)
and my team at [@kpnsecurity for supporting my crazy projects and reviewing this writeup =D](https://twitter.com/kpnsecurity)


-----