# A Deep Dive into AvosLocker Ransomware **SecurityScorecard.com** info@securityscorecard.com ©2022 SecurityScorecard Inc. 244 Fifth Avenue, Suite 2035, New York, NY 10001 1.212.222.7061 ----- ## Table of Contents ### Executive Summary 2 Analysis and Findings 2 Thread activity – sub_CBB930 function 10 Thread activity – sub_CBBAD0 function 13 Running with the -h (--help) parameter 21 Running with the -p (--path) parameter 21 Running with the -l (--disabledrives) parameter 21 Running with the --hide parameter 21 Running with the -t (--threads) parameter 22 Running with the -n (--enablesmb) parameter 22 Running with the -b (--brutesmb) -n (--enablesmb) parameters 23 Running with the --nomutex parameter 24 Indicators of Compromise 25 **www securityscorecard com | 1** ----- ## Executive Summary AvosLocker is a ransomware-as-a-service (RaaS) group that appeared in 2021. The malware can run with one of the following parameters: “--help”, “--path”, “--disabledrives”, “--hide”, “--threads”, “--enablesmb”, “--brutesmb”, and “--nomutex.” The ransomware kills a list of targeted processes, deletes all Volume Shadow Copies using two commands, and clears all Windows event logs. The binary can target the logical drives as well as network shares by specifying proper arguments. The encryption is done using multithreading with I/O completion ports. AvosLocker uses a combination of RSA and Salsa20 algorithms during the encryption process. Finally, the ransomware creates an image based on the ransom note text that is set as the Desktop Wallpaper. ## Analysis and Findings SHA256: EC955F589F25D0D28E55964A1AA79C27492026982994CD4CA1FAF7E8A78DB4BC The malware performs a call to GetCurrentProcess and then opens the access token associated with the current process using the OpenProcessToken API (0xF01FF = TOKEN_ALL_ACCESS): Figure 1 Most of the strings are encrypted using the XOR operator. An example of a decryption algorithm is displayed in figure 2: Figure 2 The LookupPrivilegeValueA function is utilized to retrieve the LUID (locally unique identifier) corresponding to the "SeTakeOwnershipPrivilege" privilege: Figure 3 **www securityscorecard com | 2** ----- AvosLocker enables the above privilege in the access token via a function call to AdjustTokenPrivileges: Figure 4 The binary decrypts a list of processes that will be killed (figure 5): - "encsvc" "thebat" "mydesktopqos" "xfssvccon" "firefox" "infopath" "winword" "steam" "synctime" "notepad" - "ocomm" "onenote" "mspub" "thunderbird" "agntsvc" "sql" "excel" "powerpnt" "outlook" "wordpad" "dbeng50" - "isqlplussvc" "sqbcoreservice" "oracle" "ocautoupds" "dbsnmp" "msaccess" "tbirdconfig" "ocssd" "mydesktopservice" "visio" Figure 5 CreateToolhelp32Snapshot is used to take a snapshot of all processes in the system (0x2 = **TH32CS_SNAPPROCESS):** Figure 6 The ransomware extracts information about the first process from the snapshot using the Process32First routine: **www securityscorecard com | 3** ----- Figure 7 There is a comparison between the process name and the blacklisted processes: Figure 8 The malicious binary retrieves information about the next process from the snapshot via a call to Process32Next: Figure 9 AvosLocker uses the FNV (Fowler-Noll-Vo) hashing algorithm to identify and call relevant APIs at runtime: Figure 10 The executable opens a targeted process using OpenProcess (0x1 = PROCESS_TERMINATE): **www securityscorecard com | 4** ----- Figure 11 The TerminateProcess routine is utilized to kill the targeted process: Figure 12 The ransomware writes the following data in the command line output: Figure 13 We’ll explain the purpose of each parameter in the following paragraphs. The malware creates a mutex called "Zheic0WaWie6zeiy", which ensures that only one copy of the process is running at a single time: Figure 14 The process disables file system redirection by calling the Wow64DisableWow64FsRedirection API: **www securityscorecard com | 5** ----- Figure 15 The binary calls the WinExec function in order to spawn multiple processes (figure 16): - cmd /c wmic shadowcopy delete /nointeractive – delete volume shadow copies - cmd /c vssadmin.exe Delete Shadows /All /Quiet – delete volume shadow copies - cmd /c bcdedit /set {default} recoveryenabled No – disable automatic repair - cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures – ignore errors in the case of a failed boot / shutdown / checkpoint - cmd /c powershell -command \"Get-EventLog -LogName * | ForEach { ClearEventLog $_.Log }\" - clear all entries from the event logs Figure 16 The file comes with a hard-coded RSA public key: Figure 17 AvosLocker creates an input/output (I/O) completion port that is not yet associated with a file handle (0xFFFFFFFF = INVALID_HANDLE_VALUE): **www securityscorecard com | 6** ----- Figure 18 The malware creates multiple threads that will handle the files encryption. As we can see in figures 19 and 20, even if the starting address of the thread is StartAddress (sub_D0155F), the actual relevant function that will be called is sub_CBBAD0: Figure 19 Figure 20 The thread’s priority is set to 0x2 (THREAD_PRIORITY_HIGHEST) via a function call to SetThreadPriority: Figure 21 The number of created threads is 200 (default value); however, it can be modified using the -t (or --threads) parameter. FindFirstVolumeW is utilized to retrieve the first volume of the local machine: Figure 22 **www securityscorecard com | 7** ----- The ransomware extracts a list of drive letters and mounted folder paths for a volume using the GetVolumePathNamesForVolumeNameW function: Figure 23 The volume enumeration continues by calling FindNextVolumeW: Figure 24 The malware is looking for volumes that aren’t mounted using the GetDriveTypeW routine (0x1 = **DRIVE_NO_ROOT_DIR):** Figure 25 The binary associates an unmounted volume with a drive letter using SetVolumeMountPointW: Figure 26 AvosLocker obtains a bitmask representing the available disk drives: Figure 27 The process creates a thread for each drive that is found. The same method as above is utilized here, i.e., the starting address of the thread is StartAddress (sub_D0155F); however, the important function is sub_CBB930: **www securityscorecard com | 8** ----- Figure 28 Figure 29 All identified drives are written to the command line, as highlighted in figure 30. Figure 30 The new threads’ priority is also set to THREAD_PRIORITY_HIGHEST by the malicious binary. GetConsoleWindow is used to retrieve the window handle used by the console associated with the process: Figure 31 The malware calls the ShutdownBlockReasonCreate API and indicates that the machine should not be shut down during the encryption process: **www securityscorecard com | 9** ----- Figure 32 The ransomware extracts the identifier of the calling thread: Figure 33 AvosLocker blocks the calling thread until all created threads will terminate their work using the Join method: Figure 34 ## Thread activity – sub_CBB930 function The ransomware decrypts a list of extensions that will be skipped (figure 35): - "avos" "avoslinux" "avos2" "avos2j" "themepack" "nls" "diagpkg" "msi" "lnk" "exe" "cab" "scr" "bat" "drv" "rtp" "msp" - "prf" "msc" "ico" "key" "ocx" "diagcab" "diagcfg" "pdb" "wpx" "hlp" "icns" "rom" "dll" "msstyles" "mod" "ps1" "ics" "hta" - "bin" "cmd" "ani" "386" "lock" "cur" "idx" "sys" "com" "deskthemepack" "shs" "ldf" "theme" "mpa" "nomedia" "spl" "cpl" "adv" "icl" "msu" Figure 35 **www securityscorecard com | 10** ----- The malicious executable starts enumerating the drive by calling the FindFirstFileW function: Figure 36 The ransomware creates a ransom note called “GET_YOUR_FILES_BACK.txt” in every directory that will be encrypted (0x40000000 = **GENERIC_WRITE, 0x2 =** **CREATE_ALWAYS, 0x80 =** **FILE_ATTRIBUTE_NORMAL):** Figure 37 The WriteFile routine is used to populate the ransom note: Figure 38 Figure 39 The process decrypts a list of folders that will not be encrypted (figure 40): - "Program Files" "Windows" "Windows.old" "bootmgr" "ProgramData" "System Volume Information" - "AppData" "Public" "All Users" "boot" "Intel" "WinNT" "Sophos" "Microsoft." "Games" "config.msi" **www securityscorecard com | 11** ----- Figure 40 AvosLocker continues the file enumeration using FindNextFileW: Figure 41 A list of files that will be skipped is decrypted using the XOR operator (figure 42): - "GET_YOUR_FILES_BACK.txt" "desktop.ini" "autorun.inf" "ntldr" "bootsect.bak" "thumbs.db" - "boot.ini" "ntuser.dat" "iconcache.db" "bootfont.bin" "ntuser.ini" "ntuser.dat.log" "Thumbs.db" Figure 42 An example of a comparison between the file extension and one that is whitelisted is shown below: Figure 43 The ransomware sends an I/O completion packet that contains the targeted file path to the IOCP created earlier: **www securityscorecard com | 12** ----- Figure 44 ## Thread activity – sub_CBBAD0 function GetQueuedCompletionStatus is utilized to dequeue an I/O completion packet from the IOCP: Figure 45 AvosLocker retrieves file system attributes for a file or directory and avoids the **FILE_ATTRIBUTE_SYSTEM (0x4) attribute:** Figure 46 Based on the assembly code we analyzed, the ransomware uses a free C++ library of cryptographic schemes called Cryptopp (https://github.com/weidai11/cryptopp): Figure 47 The malicious process acquires a handle to a key container within a particular cryptographic service provider (0x1 = PROV_RSA_FULL, 0xF0000000 = CRYPT_VERIFYCONTEXT): **www securityscorecard com | 13** ----- Figure 48 The ransomware generates 32 random bytes via a function call to CryptGenRandom. These bytes will be used to derive a Salsa20 key and a nonce: Figure 49 Figure 50 The RSA public key is converted into an array of bytes using CryptStringToBinaryA: Figure 51 The CryptDecodeObjectEx API is utilized to decode a structure of a particular type (0x1 = **X509_ASN_ENCODING,** 0x8 = **X509_PUBLIC_KEY_INFO,** 0x8000 = **CRYPT_DECODE_ALLOC_FLAG):** Figure 52 **www securityscorecard com | 14** ----- The process converts and imports the RSA public key information into the provider and returns a handle (0x1 = X509_ASN_ENCODING): Figure 53 The Salsa20 key (32 bytes) and a nonce (8 bytes) that were derived from the randomly generated buffer are encrypted using the RSA public key: Figure 54 Figure 55 The above buffer is reversed and converted to Base64 format (0x40000001 = **CRYPT_STRING_NOCRLF | CRYPT_STRING_BASE64):** Figure 56 **www securityscorecard com | 15** ----- Figure 57 The AllocateAndInitializeSid function is utilized to allocate and initialize a security identifier (SID) with 2 subauthorities: Figure 58 The malware creates a new ACL by calling the SetEntriesInAclA routine: Figure 59 SetNamedSecurityInfoW is utilized to modify the DACL of the targeted file (0x1 = **SE_FILE_OBJECT, 0x4 = DACL_SECURITY_INFORMATION):** Figure 60 **www securityscorecard com | 16** ----- The ransomware opens the file via a call to CreateFileW (0xc0000000 = **GENERIC_READ |** **GENERIC_WRITE, 0x3 = OPEN_EXISTING, 0x80 = FILE_ATTRIBUTE_NORMAL):** Figure 61 The file size is retrieved using the GetFileSizeEx API: Figure 62 AvosLocker reads 1MB at a time: Figure 63 The process moves the file pointer to the beginning of the file by calling SetFilePointer (0x0 = **FILE_BEGIN):** Figure 64 The binary passes a pointer to the file content to the encryption function: Figure 65 **www securityscorecard com | 17** ----- The file content is encrypted using the Salsa20 algorithm. The implementation below is very similar to the one presented at https://github.com/weidai11/cryptopp/blob/master/salsa.cpp: Figure 66 Figure 67 **www securityscorecard com | 18** ----- The encrypted file content and the encrypted Salsa20 key and nonce are written to the file using WriteFile: Figure 68 The “.avos2” extension is appended to the encrypted files: Figure 69 An example of an encrypted file is displayed in figure 70. Figure 70 We continue with the analysis of the main thread. AvosLocker displays some statistics regarding encryption in the command line window: **www securityscorecard com | 19** ----- Figure 71 The ransomware decrypts and runs a PowerShell script (see figure 72): - powershell -Command "$a = [System.IO.File]::ReadAllText(\"Z:\GET_YOUR_FILES_BACK.txt\");Add-Type AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Heig ht);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;" Figure 72 The script’s purpose is to create an image that contains the ransom note and set that as the Desktop Wallpaper. The final image that will be set is highlighted below: Figure 73 **www securityscorecard com | 20** ----- ## Running with the -h (--help) parameter AvosLocker displays the help menu: Figure 74 ## Running with the -p (--path) parameter The ransomware only encrypts this specific directory: Figure 75 ## Running with the -l (--disabledrives) parameter AvosLocker doesn’t encrypt the logical drives: Figure 76 ## Running with the --hide parameter The malicious executable retrieves the window handle used by the console: Figure 77 The console window is hidden by calling the ShowWindow function (0x0 = SW_HIDE): **www securityscorecard com | 21** ----- Figure 78 ## Running with the -t (--threads) parameter This parameter represents the number of threads that will concurrently encrypt the files: Figure 79 ## Running with the -n (--enablesmb) parameter The ransomware starts enumerating all resources on the network via a function call to WNetOpenEnumA (0x2 = RESOURCE_GLOBALNET, 0x0 = RESOURCETYPE_ANY): Figure 80 WNetEnumResourceA is utilized to continue the enumeration of network resources: Figure 81 AvosLocker connects to a network share by calling the WNetAddConnection2A routine (0x4 = **CONNECT_TEMPORARY):** **www securityscorecard com | 22** ----- Figure 82 The network share name that will be encrypted is written to the command line: Figure 83 A similar thread that has enumerated logical drives is also created in order to traverse the network shares: Figure 84 ## Running with the -b (--brutesmb) -n (--enablesmb) parameters The process of discovering all network shares is identical to the above. The main idea, in this case, is that the malware is looking to extract the hostname/IP address from an available network share and trying to find logical drives based on it. The binary makes a connection to a potential logical drive using the WNetAddConnection2A function (0x4 = CONNECT_TEMPORARY): Figure 85 **www securityscorecard com | 23** ----- For all logical drives that can be found using the above method, the process creates a new thread that will enumerate them: Figure 86 Finally, AvosLocker writes the logical drives that were found to the command line: Figure 87 ## Running with the --nomutex parameter The ransomware doesn’t create the mutex in this case. **www securityscorecard com | 24** ----- ## Indicators of Compromise ### Mutex Zheic0WaWie6zeiy ### AvosLocker Ransom Note GET_YOUR_FILES_BACK.txt ### Processes spawned cmd /c wmic shadowcopy delete /nointeractive cmd /c vssadmin.exe Delete Shadows /All /Quiet cmd /c bcdedit /set {default} recoveryenabled No cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures cmd /c powershell -command \"Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }\" **www securityscorecard com | 25** -----