- Dec 19, 2017
- Operating System
Ransomware is a type of malware which usually acts as a trojan horse, the user mistakes it for a legitimate file and when he activates the “program, it begins encrypting files on the computer. when the task is completed it demands a ransom, usually in bitcoins.
in most cases you have two options:
- pay the ransom
- lose your files for ever
surprisingly a lot of people choose to pay the ransom to get their files back, as seen with CryptoLocker back in 2013.
Today we will be reviewing a sample I randomly picked up at Here, a pretty good malware collection.
Opening the file in IDA reveals that this malware is written in .NET
IDA is unable to make this file readable, expose is imports or exports but before moving on to a .NET decompiler I decide to explore the Strings and Names view.
String view seems empty:
The strings raise my suspicious since the program does not seem to hide its intentions.
This was enough. I headed to the decompiler, I am using the .NET Reflector for this one how ever it is not free, you should use dotPeek.
The program contains the following structure:
Fields and Methods:
I would be curios why he chose to create the constructor like this:
full registry path - “Software\Microsoft\Windows\CurrentVersion\Policies\System"
This constructor disables the task manager and blacks out the wall paper.
This was the most interesting function, I will expand on it and explain how Symmetric encryption works.
This encryption works with one key, to encrypt a piece of plain text. both of the parties need to know the key.
The AES encryption is an iterative algorithm. which means we will need the following to construct it:
The key - passwordBytes
ECB (electronic code book) is basically raw cipher. For each block of input, you encrypt the block and get some output. The problem with this transform is that any resident properties of the plaintext might well show up in the ciphertext – possibly not as clearly – that's what blocks and key schedules are supposed to protect againt, but analyzing the patterns you may be able to deduce properties that you otherwise thought were hidden.
CBC mode is short for cipher block chaining. You have an initialization vector which you XOR the first block of plaintext against. You then encrypt that block of plaintext. The next block of plaintext is xor'd against the last encrypted block before you encrypt this block.
IV or Initialization Vector - since the AES is iterative, each encpytion block is dependant on the previous block but the first block does not have a previous block, to solve this problem the IV was born.
Block Size - The plain text will be split into blocks, each in block size. that means that if the block size is 64 bits and the text is 130 bit size then you'll get 3 blocks, two blocks with plain text in size of 64 bits and another block with 2 bits of plain text and another 28 bits of padded bits.
You can read all about it here:
ECB OR CBC
What is a block chiper
Why use IV's
Regarding on how AES works, I wont get into it. lets see what happens in the code
First the function accepts two parameters, the bytes we will encrypt and the key.
It creates a salt.
We can see also that it creates a random generated key and a IV using the DeriveBytes class.
“Rfc2898DeriveBytes is an implementation of PBKDF2. What it does is repeatedly hash the user password along with the salt.” the third parameter is the number of iterations.
The GetBytes function returns the pseudo-random key for this object.
So the key and the IV are fully randomized based on the size of the key and the block size.
Finishing it up with setting the chiper to CBC mode since AES is CBC.
So as we can see, this is not just AES encryption, first we use one key to generate a key. from that key we generate two more keys(Key for AES and the IV), then and only then we encrypt bytesToBeEncrypted.
the function translates the stream to a byte buffer and returns it .
Keep in mind, this is not complex. With a proper crypter this lame ass .NET program can bypass most AV detection.
The function accepts a string file, probably the path. then it generates another another pass key, hashes it and encrypts it with the AES_Encrypt. it changes the file extension and overwrites it.
The message creator drops a readme file onto the desktop upon function call
Basically, a random password generator.
I am confused for what this function is doing seems like nothing, more on the dynamic analysis.
Encrypts all the files in the directory, it gets all the extensions to the files in the directory and if the current file has one of the extensions the malware is looking for, it encrypts the file.
The main functionality:
It seems the malware is only encrypting files on the desktop, since it is hard coded as a function parameter.
The rest of the forms don't have anything special, except from this :
Found on form3, this is very worrying. I also did not see any decryption methods that could be triggered.
The malware generates a new password, or a key. then it uses that key to encrypt all the files on the directory which is the desktop in this malware’s case. when this task is completed it drops a readme file and pops up a window with payment options and warning options.
Running Process explorer and Process monitor, I filtered unrelated process events out of the program.
The program indeed, dropped a read_it file and encrypted only the files located on the desktop and disabled the task manager.
Attempt to black out the wallpaper as seen in Process Monitor:
Disable Task Manager:
Drop READ_IT file:
But it's easy to revert most of its effects.
The desktop has not been changed, and we simply need to remove the registry key that I showed above to restore the Task Manager operations.
The program has suspected made no contact with any server or IP if your files are encrypted with this program you cannot revert the files back, EVER.
When you click that you paid for the decryption the program prompts this message:
Clicking “OK” will always result in the following message as seen in the code:
But the money will not be refunded as there are no other function triggers to this button click as seen in the code
The program adds the .WINDOWS extension to all files it encrypts on the desktop (It only encrypts files on the desktop), removing that extension back to the original one will show a messed up file.
This program is dangerous, but not the most dangerous. you can't run it unless you have the correct version of .NET installed on your computer.
It only encrypts files on the desktop and not to mention that it does not encrypt all file extensions.
It does disable the task manager and attempts to change the desktop background but you can revert those effects back.
The only thing that you won't get back is your files.
This example shows how easy it is to construct ransomware, how easy it is to steal money and even in 2017 (this sample was caught in june 2017) people still download and double click on files called “VapeHacksLoader” and run them.
Be careful out there
This is my first malware analysis report any feedback would be welcome!