Exorcist Ransomware — From triaging to deep dive
Leandro Velasco, Medium, July 24, 2020 · 11 min read
https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81

TL;DR

On Monday the 20th, while hunting for some REvil samples, I stumbled upon a newly introduced ransomware-as-a-service called Exorcist. This ransomware is distributed via Pastebin, embedded in a PowerShell script that loads it directly in memory. The script is based on the “Invoke-ReflectivePEInjection.ps1” script by Joe Bialek (@JosephBialek), extended with an additional function that passes a base64-encoded executable to the main function. This PowerShell script was possibly generated with the Empire framework. The same technique is used by some of the Sodinokibi/REvil affiliates, and in the past by Buran.

The ransomware is not obfuscated and the majority of its strings are stored in plaintext in the “.rdata” section of the executable. The first thing the malware does is check the geographic location of the system using the system language and the keyboard layout; if the result matches one of the Commonwealth of Independent States (CIS) countries, it quits on the spot. The ransomware then executes a series of commands to disable and remove backups and to kill processes that might interfere with the encryption of the system. Once it is done with the commands, it writes the RSA public key, the session private key and the file extension to disk. This information is not written to a file in the usual way; instead it is stored in separate Alternate Data Streams on the file “%temp%\\boot.sys”. It then collects information about the system, such as username, hostname, OS version, keyboard layout, etc., and sends it over HTTP to the server “http://217.8.117[.]26/gateinfo”. Next it reads the number of CPUs on the system and starts multiple threads to encrypt the files on the system.
Some directories and file extensions are excluded to avoid rendering the system unusable. Once the encryption is done, another HTTP request is sent to the same server, this time to the URL “http://217.8.117[.]26/gatedrivers”. Lastly, the wallpaper of the system is changed and the ransom notes are dropped as HTA scripts with the naming convention “-decrypt.hta”. In these notes we find the instructions to recover the system, which consist of the URLs “http://217.8.117[.]26/pay” and “http://4dnd3utjsmm2zcsb[.]onion/pay”, and the “Authorization Key”.

[Figure: Exorcist ransom note]

This information is needed to “sign in” to the payment portal shown in the following screenshot:

[Figure: Exorcist payment portal]

For the IOCs go to the bottom of the page =D

Exorcist Ransomware Triaging

Once the payload is extracted (base64 encoded) from the PowerShell loader, we get a PE32 executable. From a quick scan of the file using Assemblyline (https://github.com/CybercentreCanada/assemblyline-core) we get the following interesting insights:

[Figure: Assemblyline results for the sample]

At first glance we see that some well-known executable names are extracted, normally seen in ransomware and coin miners either to stop processes from holding open the files that will be encrypted or to free resources to mine more effectively. Based on the API names extracted from the sample we can say that it has some network capabilities as well as some cryptographic ones. This is looking more and more like ransomware! Lastly, we see that there is a URL extracted from the sample: “http://217.8.117[.]26/pay”.
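To reproduce that triage step in code, here is an added Python example (not part of the original write-up and not the author's tooling) that carves base64-encoded PE blobs out of a PowerShell loader of the kind described above, validates the DOS and PE header chain, hashes the result and pulls out the plaintext UTF-16LE strings for a first look. The loader text and the 256-byte PE stand-in are constructed inline; the function and variable names are my own.

```python
import base64
import binascii
import hashlib
import re
import struct

# A long base64 run; real loaders carry tens of kilobytes, so the minimum
# length mostly filters out short tokens such as hashes and GUIDs.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# Runs of six or more printable UTF-16LE characters (the sample keeps its
# process names, paths and commands in this form in .rdata).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
MACHINE_NAMES = {0x014C: "x86 (PE32)", 0x8664: "x64 (PE32+)"}


def build_fake_pe() -> bytes:
    """Constructed 256-byte stand-in with a valid MZ/PE header chain (not a real binary)."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)      # e_lfanew: PE signature lives at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, 0x014C)    # IMAGE_FILE_HEADER.Machine = i386
    marker = "vssadmin.exe Delete Shadows /All /Quiet".encode("utf-16-le")
    buf[0xA0:0xA0 + len(marker)] = marker        # plaintext string, as in the sample's .rdata
    return bytes(buf)


FAKE_PE = build_fake_pe()
FAKE_PE_SHA256 = hashlib.sha256(FAKE_PE).hexdigest()

# Constructed loader in the shape the write-up describes: a base64 payload handed
# to an in-memory loading function. The function body is a stub here.
LOADER_SCRIPT = (
    "function Invoke-ReflectivePEInjection { param([byte[]]$PEBytes) }\n"
    "$b64 = '" + base64.b64encode(FAKE_PE).decode("ascii") + "'\n"
    "Invoke-ReflectivePEInjection -PEBytes ([Convert]::FromBase64String($b64))\n"
)


def utf16_strings(data: bytes) -> list:
    """Extract printable UTF-16LE strings, the way a strings-style triage pass would."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def carve_pe_from_script(script: str) -> list:
    """Find every base64 run in the script that decodes to a PE file and describe it."""
    results = []
    for m in B64_RUN.finditer(script.encode("utf-8", "replace")):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(blob) < 0x40 or blob[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            continue
        machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
        results.append({
            "script_offset": m.start(),
            "size": len(blob),
            "machine": MACHINE_NAMES.get(machine, hex(machine)),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "utf16_strings": utf16_strings(blob),
        })
    return results


if __name__ == "__main__":
    for hit in carve_pe_from_script(LOADER_SCRIPT):
        print(hit)
```

The SHA-256 of the carved blob is what you would look up on a sample-sharing service, and the UTF-16LE string pass gives the same kind of quick signal that Assemblyline's string extraction gave above.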
If we check what we found on that website (in a secure manner ;) ) we find the following:

[Figure: the Exorcist payment site at the extracted URL]

Our suspicion was correct, it was ransomware after all!! But what else does this ransomware do? Let’s take a look at its capabilities using the newest tool from FireEye, capa (https://github.com/fireeye/capa).

[Figure: capa output for the sample]

So, it seems that this ransomware indeed sends data via HTTP and performs some checks on the system to avoid running in the wrong country ;). Now we are ready for a more serious deep dive!

Exorcist Ransomware Deep Dive

Now it is time to get into the details of this malware. First we take a look at the file from a static point of view, analysing its strings, API calls and code. Then, to complete the analysis and better understand the inner workings of the malware, we study it from a dynamic point of view.

Static analysis

Loading the executable in PEstudio confirms some of the hypotheses we made during triage and also shows some interesting aspects of the sample that we have not seen so far.

[Figure: PEstudio 8.56 view of the sample’s blacklisted strings. Among them: the APIs GetCurrentHwProfile, RegOpenKeyEx, RegQueryValueEx, ShellExecute, SHEmptyRecycleBin and the string SHA256; the ransom-note name “-decrypt.hta”; file names to skip such as \ntuser.dat, \bootfont.bin, \boot.ini, \desktop.ini, \bootsect.bak, \ntuser.ini and \autorun.inf; a list of file extensions to skip (.exe, .dll, .sys, .hta, .msi, .msp, .com, .nls, .ocx, .cpl, .bat, .msc, .spl, .key, .ini, .reg, …); the command strings “cmd /C”, “cmd.exe”, “vssadmin.exe Delete Shadows /All /Quiet” and “C:\Windows\system32\vssvc.exe”; process names such as wxServer.exe, wxServerView.exe, sqlmangr.exe, RAgui.exe, supervise.exe, Culture.exe, Defwatch.exe, winword.exe and QBW32.exe; and the string “powershell [System.Net.Dns]::GetHostByAddress(' ').hostname”.]

[Figure: second PEstudio strings view. It shows the crypto blob type names RSAPUBLICBLOB, RSAPRIVATEBLOB, ChainingModeCBC and ChainingMode; the excluded directories \$windows.~bt\, \intel\, \msocache\, \$recycle.bin\, \$windows.~ws\, \tor browser\, \boot\, \windows\, \windows nt\, \msbuild\, \microsoft\, \all users\, \system volume information\, \google\, \windows.old\, \mozilla\, \appdata\local\, \appdata\locallow\, \appdata\roaming\, SystemDrive, \programdata\, \perflogs\, \program files\ and \program files (x86)\; the excluded files \iconcache.db, \ntldr, \thumbs.db and \bootmgr; excluded extensions such as .adv, .theme, .themepack, .deskthemepack, .nomedia, .diagpkg, .diagcab, .diagcfg, .msstyles, .rom, .ps1 and .msu; and the stream names publicsessionkey, extension and privatesessionkey.]

So, some quick takeaways from the analysis so far:

1. The sample does not obfuscate its strings.
2. It excludes the directories and the file extensions shown above so as not to render the system unusable.
3. As expected, the ransomware gets rid of the shadow copies of the files to prevent easy restoration.
4. It will most likely attempt to stop the processes in a predefined list.

Let’s get our hands dirty and look at the code to discover some more capabilities of this ransomware. For this we load the sample into the free version of IDA.

[Figure: IDA view of the mutex creation]

So, one of the first things it does is create a mutex to avoid running multiple times on the system. Let’s check what else we find next to the hardcoded mutex string.
Here we see some interesting strings that we had overlooked before. There are some countries listed that are most likely used together with the “get keyboard layout” capability seen earlier to decide whether this sample should run or quit. Let’s confirm this theory!

[Figure: IDA disassembly of the start routine and of the locale check. The check calls GetLocaleInfoA and compares the result against a hardcoded list of language names: russian, armenian, belarusian, georgian, kazakh, tajik, turkmen, ukrainian, uzbek and azerbaijani. The start routine also references the strings “boot.sys” and “gatedrivers”.]

The ransomware uses the APIs “GetLocaleInfo” (https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getlocaleinfoa) and “GetKeyboardLayoutList” (https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getkeyboardlayoutlist) to determine the geographic location of the system and to decide whether it should continue running.

Let’s verify another hypothesis we had: does the ransomware kill the processes seen in the strings before it starts encrypting? For this we pivot from the unobfuscated strings to the code.

[Figure: IDA .rdata listing of the UTF-16LE process-name strings wxServer.exe, wxServerView.exe, sqlmangr.exe, RAgui.exe, supervise.exe, Culture.exe, Defwatch.exe, winword.exe, QBW32.exe, QBDBMgr.exe and qbupdate.exe, all cross-referenced from the same routine.]

From analysing that routine we see that it is divided into two main sections: the first runs a set of predefined commands to disable and remove shadow copies and backups, and the second goes through the list of processes and calls “taskkill” for each of them.

[Figure: IDA disassembly of the command-execution helper. It selects either the “powershell ” or the “cmd /c ” prefix, concatenates it with the command passed as argument, runs the result with CreateProcessW and waits for it with WaitForSingleObject.]

Another way to browse through the code is to use IDA’s “Xrefs from” graph. This is possible because the sample is not obfuscated and the Windows API calls are referenced explicitly. Using this tool we can guide our analysis by following the Windows API calls of interest.

[Figure: xref graph of the whole sample]

Well… I said we could use it, not that it was small or easy ;). However, if we zoom into it, we get a good understanding of the different functions and a gist of their purpose.
For example:

[Figure: zoomed xref graph around ShellExecuteW]

Here we see the “ShellExecuteW” API call (always interesting to see what the sample might try to execute), which is called right before exiting. If we go to where it is called, we end up in the following routine:

[Figure: IDA view of the routine calling ShellExecuteW]

The routine calls the API “GetModuleFileName” (https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea) with “hModule” set to NULL to get the path of the executable file of the current process. Then it prepares a command line that would look like the one in the screenshot, executes the command and then exits.

By looking at the xref graph we also notice some classic Windows API calls used to send HTTP packets over the network. If we follow the references we find the following routine:

[Figure: IDA view of the HTTP routine]

Exploring this routine, we see that a POST request is made. But now the question is what information is being sent. In the next section we find out exactly what is sent via the HTTP POST request.

To speed up the analysis, confirm some hypotheses and discover new functionality, we start the sample in the x32/x64 debugger (https://x64dbg.com/#start) with Procmon (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) and FakeNet (https://github.com/fireeye/flare-fakenet-ng) running next to it to get more insights.

Dynamic analysis

Now that our ransomware is running in a controlled environment we can see in more detail how the different commands are run and how the processes are killed by it.

[Figure: Procmon view of the commands and taskkill processes spawned by the sample]

Let’s continue where we left off, trying to understand what is sent to the server over the HTTP POST request. In the following screenshot we can see how the IP and port are decoded from the string stored in the “.rdata” section of the executable. Once it has that information, the malware starts preparing the request: setting up the headers and the content that will be sent. Once done, it calls the API “HttpSendRequest” to send the HTTP request.

[Figure: debugger view of the request being prepared]
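Before following the beacon further, here is how the command sequence seen in the static analysis and in Procmon shows up in process-creation telemetry, and how to flag it. The Python below is an added example, not part of the original write-up or the author's tooling: it runs two rules over constructed Sysmon Event ID 1 / Security 4688 style records, one for the shadow-copy deletion command the sample carries in its strings and one for a burst of taskkill children aimed at the process names in its list. The record layout, the parent name “sample.exe” and the exact taskkill arguments are my assumptions; the write-up only states that taskkill is called once per listed process.

```python
import re
from collections import defaultdict

# Process names from the sample's UTF-16LE string table (the part visible in
# the IDA listing above), normalised to lower case.
KILL_LIST = {
    "wxserver.exe", "wxserverview.exe", "sqlmangr.exe", "ragui.exe",
    "supervise.exe", "culture.exe", "defwatch.exe", "winword.exe",
    "qbw32.exe", "qbdbmgr.exe", "qbupdate.exe",
}

# Whether the sample prepends "cmd /c " or "powershell " does not matter here:
# both rules look at the full command line, not at the image name.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
TASKKILL_TARGET = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)

# Constructed process-creation records; "sample.exe" stands in for the unpacked
# ransomware and timestamps are seconds. The first five are the sample's
# behaviour, the last two are everyday administration from an interactive shell.
SAMPLE = r"C:\Users\REM\AppData\Local\Temp\sample.exe"
EVENTS = [
    {"ts": 100, "ppid": 4001, "parent": SAMPLE, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": 101, "ppid": 4001, "parent": SAMPLE, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM sqlmangr.exe"},
    {"ts": 101, "ppid": 4001, "parent": SAMPLE, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM winword.exe"},
    {"ts": 102, "ppid": 4001, "parent": SAMPLE, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM QBW32.exe"},
    {"ts": 102, "ppid": 4001, "parent": SAMPLE, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM Defwatch.exe"},
    {"ts": 300, "ppid": 512, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c vssadmin list shadows"},
    {"ts": 301, "ppid": 512, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM notepad.exe"},
]


def detect(events, burst_window=30, burst_min=3):
    """Return (rule, parent pid, detail) tuples for the two behaviours."""
    findings = []
    kills = defaultdict(list)   # parent pid -> [(ts, target image name)]
    for ev in events:
        cmd = ev["cmdline"]
        if SHADOW_DELETE.search(cmd):
            findings.append(("shadow_copy_deletion", ev["ppid"], cmd))
        m = TASKKILL_TARGET.search(cmd)
        if m:
            kills[ev["ppid"]].append((ev["ts"], m.group(1).lower()))
    # A burst of taskkill children from one parent that hits the known list is
    # the second behaviour; a single taskkill from a user shell is not.
    for ppid, hits in kills.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {tgt for t, tgt in hits[i:] if t - t0 <= burst_window}
            matched = in_window & KILL_LIST
            if len(matched) >= burst_min:
                findings.append(("taskkill_burst", ppid, sorted(matched)))
                break
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Keying the burst rule on the parent pid rather than on the user keeps an administrator's occasional taskkill out of the alert while still catching a process that walks through the list in a couple of seconds.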
Using FakeNet we receive that request and respond with a fake site to emulate the “C2”.

[Figure: FakeNet capture of the POST request]

As the picture shows, the ransomware sends a big base64-encoded blob to the C2 server at “http://217.8.117[.]26/gateinfo”. But where does this information come from? For that we need to go back to the code and analyse what has happened so far.

[Figure: IDA view of the system-information gathering function]

In this function we see that there is a template for a JSON document; details about the system are gathered and later appended to the JSON template string. Examples of details that are gathered include, but are not limited to:

- GetCurrentHwProfileA
- Gen_token (some crypto API calls are involved)
- Query the registry key “”
- GetUsername
- GetComputername
- GetLocale
- Etc.

Once it has finished querying the system it generates a JSON document that looks as follows:

[Figure: the generated JSON]

After the information is gathered, we see that some encryption is initialised (creating encryption keys, specifying algorithms, etc.), but some of the information used is read from a file that was written to “%temp%\\boot.sys” in an earlier stage. The most interesting aspect is that the information is not read from the file itself; instead the file is queried using the convention “filename.ext:string”. This means that this ransomware uses Alternate Data Streams (https://www.howtogeek.com/howto/windows-vista/stupid-geek-tricks-hide-data-in-a-secret-text-file-compartment/) to hide information. Using the ADS Spy tool (https://www.bleepingcomputer.com/download/ads-spy/) we can inspect the content that is read by the malware.

[Figure: ADS Spy v1.11 scanning the folder C:\Users\REM\AppData\Local\Temp and displaying the contents of the alternate data streams found on boot.sys; each stream holds a base64 blob.]

Hidden in this file we find the generated unique extension, the RSA public key and the private session key. Once these values are retrieved, the encryption of the JSON string takes place.
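One way to catch this on the endpoint is Sysmon's FileCreateStreamHash event (Event ID 15), which records every named stream written to a file, including the stream name in TargetFilename. The Python below is an added example, not part of the original write-up, that parses constructed Event ID 15 records, ignores the browser mark-of-the-web stream and reports the streams written to files under %temp%. The key="value" rendering (real Sysmon output is XML with the same field names), the file names other than boot.sys and the benign records are constructed; the three stream names on boot.sys are the ones seen in ADS Spy above.

```python
import re

# Constructed Sysmon Event ID 15 (FileCreateStreamHash) records rendered as
# key="value" pairs. Real output is XML with these field names; "sample.exe"
# stands in for the unpacked ransomware. The EventID 11 record at the end is a
# plain file-create event, included to show that the filter ignores it.
SYSMON_15 = [
    r'EventID="15" Image="C:\Users\REM\AppData\Local\Temp\sample.exe" TargetFilename="C:\Users\REM\AppData\Local\Temp\boot.sys:publicsessionkey"',
    r'EventID="15" Image="C:\Users\REM\AppData\Local\Temp\sample.exe" TargetFilename="C:\Users\REM\AppData\Local\Temp\boot.sys:privatesessionkey"',
    r'EventID="15" Image="C:\Users\REM\AppData\Local\Temp\sample.exe" TargetFilename="C:\Users\REM\AppData\Local\Temp\boot.sys:extension"',
    r'EventID="15" Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename="C:\Users\REM\Downloads\invoice.pdf:Zone.Identifier"',
    r'EventID="15" Image="C:\Windows\explorer.exe" TargetFilename="C:\Users\REM\AppData\Local\Temp\setup.tmp:Zone.Identifier"',
    r'EventID="11" Image="C:\Users\REM\AppData\Local\Temp\sample.exe" TargetFilename="C:\Users\REM\AppData\Local\Temp\boot.sys"',
]

BENIGN_STREAMS = {"zone.identifier"}   # mark-of-the-web, written by browsers and mail clients
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line: str) -> dict:
    """Turn one key="value" record into a dict."""
    return dict(KV.findall(line))


def split_stream(target: str):
    """Split 'C:\\dir\\file:stream' into (path, stream); the drive colon at index 1 is not a separator."""
    idx = target.rfind(":")
    if idx <= 1:
        return target, None
    return target[:idx], target[idx + 1:]


def find_suspicious_ads(lines):
    """Group non-benign named streams created on files under %temp%, one entry per file."""
    per_file = {}
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "15":
            continue
        path, stream = split_stream(rec.get("TargetFilename", ""))
        if stream is None or stream.lower() in BENIGN_STREAMS:
            continue
        if not TEMP_DIR.search(path):
            continue
        entry = per_file.setdefault(
            path.lower(), {"file": path, "image": rec.get("Image"), "streams": set()})
        entry["streams"].add(stream)
    return [{"file": e["file"], "image": e["image"], "streams": sorted(e["streams"])}
            for e in per_file.values()]


if __name__ == "__main__":
    for hit in find_suspicious_ads(SYSMON_15):
        print(hit)
```

Three named streams written to one file in %temp% by an executable that itself lives in %temp% is a much stronger signal than any single stream, which is why the output is grouped per file rather than emitted per event.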
[Figure: IDA disassembly of the JSON encryption routine. It calls lstrlenA on the JSON string, makes a first BCryptEncrypt call to obtain the required output size, allocates that much heap memory, then makes a second BCryptEncrypt call with a 16-byte IV (cbIV = 10h) that produces the ciphertext.]

The JSON string is encrypted with AES-CBC and the symmetric key is encrypted with the public RSA key. In the following screenshot we can see the JSON string in plaintext and then encrypted.

[Figure: debugger memory view of the JSON before and after encryption]

After encryption, the JSON is base64-encoded and added to the HTTP POST request, as already shown.

What about the file encryption? After all, this is a ransomware, right? So once the first beacon is sent to the server, the ransomware starts the file encryption in a multithreaded fashion. This can be seen in the following screenshots:

[Figure: IDA disassembly of the routine that starts the encryption. After the “gateinfo” beacon is sent, it calls GetSystemInfo, reads dwNumberOfProcessors, creates an I/O completion port with CreateIoCompletionPort using twice the number of processors as the concurrent thread count, and spawns that many worker threads with CreateThread in a loop.]

[Figure: IDA disassembly of the end of the same routine. Work items are queued with QueueUserWorkItem; the routine then spins on a global counter with Sleep(1) until the work is done, calls BCryptDestroyKey and BCryptCloseAlgorithmProvider, posts a completion packet with PostQueuedCompletionStatus, waits for all worker threads with WaitForMultipleObjects and closes their handles with CloseHandle.]

Once it has finished it sends yet another beacon with data to the server, this time to “http://217.8.117[.]26/gatedrivers”. In the following picture we can find an example of a ransom note that is left in every directory. The naming convention for them is “-decrypt.hta”.

[Figure: example ransom note dropped in a directory]

So this will be all for now; there are quite a few more interesting aspects to research, such as how the file encryption is performed at a cryptographic level, how some of the other interesting strings (the PowerShell GetHostByAddress command) are used, whether this ransomware implements persistence mechanisms, etc. Feel free to contact me for comments and questions. Constructive feedback is always welcome!

IOCs

Samples:
https://bazaar.abuse.ch/sample/a7e27cc38a39ff242da39d05e04b95ea9b656829dfe2e90e8226351
MD5: 79385ed97732aee0036e67824de18e28f4009abe9f41da41e48340c96e29d62cfa4c4ac8b9c1b14951ae8a
SHA256: 8d684a790a5683b8decde9fb5a819c4a164d3032723a151a30ff26d3c2b1aabf6db3aae21a6d80857c85f5

URLs:
http://217.8.117[.]26/gateinfo
http://217.8.117[.]26/gatedrivers
http://4dnd3utjsmm2zcsb

IPs:
217.8.117[.]26

Tria.ge Sandbox reports (https://tria.ge/):
https://tria.ge/reports/200724-gmz55kbvr2/behavioral1
https://tria.ge/reports/200724-2v2mzfsjwx/behavioral1
https://tria.ge/reports/200724-kfjg2xf1b2/behavioral1
https://tria.ge/reports/200724-64rls1gjl2/behavioral1
https://tria.ge/reports/200724-b5zwteacds/behavioral1
https://tria.ge/reports/200724-15z7parj4x/behavioral1
https://tria.ge/reports/200724-zxydprrjys/behavioral1

Acknowledgements: Special thanks to @rikvduijn (https://twitter.com/rikvduijn) and @ValthekOn (https://twitter.com/ValthekOn) for helping me figure some of the details out, and to my team at @kpnsecurity (https://twitter.com/kpnsecurity) for supporting my crazy projects and reviewing this writeup =D