Malware Analysis: Ransomware
Facoltà di Ingegneria dell'Informazione, Informatica e Statistica
MSc in Engineering in Computer Science
Systems and Enterprise Security
Final project
A.Y. 2016/2017
Malware Analysis
Professor: Leonardo Querzoni
Student: Davide Piccardi 1379602
1 Abstract
The main objective of this project is to apply the knowledge gained in the theoretical part of the course of Systems and Enterprise Security and to go into the detail of one of the most important issues in the field of cybersecurity: malware analysis. The approach used to treat such a vast subject has been to focus on the study of a particular aspect of malware, in order to understand the different techniques used to achieve the same result. The proposed aspects were:
• Persistence (creation or modification of registry keys, files in startup locations, Windows Services, Master Boot Record [MBR] or BIOS)
• Command & Control (Domain, Internet Relay Chat, Peer-to-Peer)
• Data Exfiltration (transmission over the C&C communication channel or over an alternative protocol, like FTP, SMTP, HTTP/S and DNS)
• Simple Binary Modifications (packing, encryption, self-modifying code)
• Debugger Detection Techniques (hardware breakpoints, operating system in debug mode, CPU flags)
The direction taken by my work has been driven by my own interest in a particular category of malware: ransomware. As I shall explain later, this type of malware, besides fitting very well with the first point of the list above, has a number of features that make it very interesting from my point of view. For example, because it uses encryption, Bitcoin and Tor, it evidently touches many aspects of security. More generally, just by reading the reports of the main cybersecurity companies it is clear that this is a real problem which affects thousands of companies (even in Italy) and causes damage for millions of dollars.
2 Introduction
This report is divided into two main sections. The first one describes several general aspects of ransomware: how it works, how it propagates, what its targets are and which have been the most important cases in recent years. The second one consists of the static and dynamic analysis of two samples selected by me. Before going into detail, we give some information about the samples and the tools used.
2.1 Malware samples
All the samples that I have used in this project are taken from the web. In my case, I found very useful resources such as:
• https://github.com/ytisf/theZoo
• https://www.hybrid-analysis.com/
• https://virusshare.com/
• http://malwaredb.malekal.com/
They allow different types of searches over a large set of malware and let you download the samples (some require registration). In some cases they also provide a proprietary sandbox, or there is a reference to a more important service like VirusTotal.
2.2 Utilities
In order to perform the analysis described in this project, I used some tools and programs. For example:
• PEframe: used to produce the static analysis part of the report.
• VirtualBox: used to virtualize a Linux and a Windows system. The first allows us to use the Cuckoo Sandbox and other tools, while the second is used to run the malware.
• Cuckoo Sandbox: used to produce a report about various aspects of the chosen malware.
• Process Monitor: used to monitor Windows and show real-time file system, Registry and process/thread activity.
3 Ransomware
Ransom malware, or ransomware, is a threat that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access. We can distinguish two main forms of ransomware in circulation today:
• Locker (computer locker): denies access to the computer or device.
• Crypto (data locker): prevents access to files or data.
They have similar objectives, but the approaches taken by each type are quite different. Obviously, big security companies are interested in ransomware, therefore we can find a lot of useful documentation [2].
3.1 Types
3.1.1 Locker Ransomware
Locker ransomware is designed to deny access to computing resources. This typically takes the form of locking the computer's or device's user interface and then asking the user to pay a fee in order to restore access to it. Locked computers will often be left with limited capabilities, such as only allowing the user to interact with the ransomware and pay the ransom.
The most important feature is that it prevents access to the computer's interface but leaves the underlying system and files untouched. This means that the malware could potentially be removed without damage. Therefore, locker ransomware is less effective at extracting ransom payments compared with the other type.
Because locker ransomware can usually be removed cleanly, it tends to be the type of ransomware that goes to great lengths to incorporate social-engineering techniques to pressure victims into paying. Often it masquerades as a law enforcement authority and claims to issue fines to users for alleged on-line indiscretions or criminal activities.
3.1.2 Crypto Ransomware
Crypto ransomware is designed to find and encrypt valuable data stored on the computer, making the data useless unless the user obtains the decryption key. The creators of crypto ransomware know that data stored on personal computers is likely to be important to users, and they also know that many users are not aware of the need to create backups.
After installation, a typical crypto ransomware threat quietly searches for and encrypts files. Its goal is to stay below the radar until it can find and encrypt all of the files that could be of value to the user. By the time the victim is presented with the malware's message informing them that their data is encrypted, the damage is already done.
With most crypto ransomware infections, the affected computer continues to work normally, as the malware does not target critical system files or deny access to the computer's functionality. This means that users can still use the computer to perform a range of activities apart from accessing the data that has been encrypted.
3.2 Techniques
While all ransomware types are designed to extort money from their victims, they can be quite different both operationally and technically. Nevertheless, we now describe the operation which characterizes each of the two types of ransomware described above.
3.2.1 Screen locking
The main operation performed by a locker ransomware is screen locking. It can be implemented in very different ways, but the most important is the Windows locker.
Windows locker
The ransomware displays a full-screen window that covers the entire desktop to display its message. It may create the window itself or use a browser window in full-screen mode to show the ransom message. The window is usually shown as the only window on a new virtual desktop that the ransomware creates and makes active. The ransomware may use a background thread to monitor the system's desktops and ensure that its own is kept active and on top.
The contents of the message are occasionally included in the ransomware executable itself, but it is more common for the ransomware to download the contents from the attacker's server. This allows the attackers to serve localized messages using language and law-enforcement images relevant to the country where the infection has occurred.
3.2.2 File encryption
The main operation performed by a crypto ransomware is file encryption. It can be implemented using three different schemes: symmetric key, asymmetric key, or a combination of the two.
Symmetric key
A single key is used to encrypt the data and the same key is used to decrypt the encrypted data. Knowing the key allows the user to decrypt data that has been encrypted with the same key.
Ransomware using symmetric encryption will usually generate a key on the infected computer and send it to the attacker, or request a key from the attacker before encrypting the user's files. From the attacker's point of view, it is important to ensure that the key is not available to the user after encrypting their files, otherwise the user might be able to decrypt them without paying.
The advantage of symmetric encryption algorithms is that they are generally much faster than asymmetric algorithms and they use small keys (typically 256-bit). A typical crypto ransomware has to quickly search and encrypt a large number of files, so performance is essential to encrypt files before the victim can discover the threat's activities.
Asymmetric key
A public key is used to encrypt the data and a private key is used to decrypt the encrypted data. Knowing the public key does not allow you to decrypt files encrypted with this key.
Ransomware using asymmetric encryption will usually encrypt the user's files with the public key, while the private key is kept secret by the attacker. From the attacker's point of view, it is not important to protect the public key, because knowing it does not allow the affected users to decrypt their files. As said before, the main drawback of asymmetric encryption is that the process is slow, so it may require a lot of time; this is a problem for the attacker because it introduces the risk that the activity is discovered before its completion.
Symmetric and asymmetric key
More advanced crypto ransomware typically uses a combination of symmetric and asymmetric encryption techniques. The variants that use asymmetric encryption may also generate specific public-private key pairs for each infected computer. This allows the attacker to decrypt files on one infected computer without revealing a private key that could otherwise also be used to decrypt files on every other computer infected using the same public key.
3.3 Timeline
The previous picture is a good representation of the evolution of ransomware in recent years. As we can imagine, there is a huge number of ransomware variants, but those reported here are surely the most relevant in terms of diffusion.
3.4 Propagation
One of the first questions many victims ask is "how did I get infected with ransomware?" While it is not always immediately clear, the infection method for ransomware follows the same modus operandi used by cybercriminals to infect victims with any malware. Let's see some of them:
3.4.1 Traffic distribution system
A common method used by these distribution services is to buy redirected web traffic from a Traffic Distribution Service (TDS) vendor and point it to a site hosting an exploit kit. In a lot of cases, the redirected traffic originates from adult content-related websites. If the exploit kit succeeds in exploiting a vulnerability in the visiting victim's computer, it can lead to what is commonly referred to as a drive-by download of malware.
3.4.2 Malvertisement
Similarly, malicious advertisements, known as malvertisements, can get pushed onto legitimate websites in order to redirect traffic to a site hosting an exploit kit.
3.4.3 Spam email
The spam usually comes in the form of an email containing a malicious attachment or a link leading to a site hosting an exploit kit. The spam may also involve the download of malware through other social-engineering means. The spam emails embody a whole range of social-engineering and psychological levers to trick users into installing the ransomware.
3.4.4 Downloaders & botnets
Once a downloader infects a computer, its job is to download secondary malware onto the compromised system. The cybercriminals behind downloaders earn money by offering, to other malware authors, a malware-installation service onto already compromised computers.
Trojan botnets have also been known to download ransomware onto computers they have infected.
3.4.5 Social engineering and self-propagation
Some ransomware also contains functionality to spread. Self-propagation is potentially an effective way for the ransomware to spread itself, but it does cause problems for the cybercriminals who are hoping for a ransom to be paid. This is because nobody will be willing to pay if the same gang continues to demand ransom payment after payment.
3.4.6 Affiliate schemes
Cybercriminals who have paid attention to the growing interest in ransomware have started to provide services to those who wish to carry out these attacks, effectively providing ransomware-as-a-service (RaaS). They offer a way to buy into the growing ransomware scene without needing the skills to create a ransomware or to maintain and run the operations.
Affiliate schemes can offer members a substantial cut of the profits from each ransomware infection, making it a strong incentive. The task of an affiliate member is to spread the ransomware as far and wide as possible to maximize the chances of extracting a ransom. This offers the RaaS vendor a better opportunity to get their ransomware to a wider group of potential victims, letting them focus on developing and enhancing the ransomware and leaving the propagation to others.
3.5 Targets
The cybercriminals behind ransomware do not particularly care who their victims are, as long as they are willing to pay the ransom. With this in mind, it is easy to see why the cybercriminals tend to take a scatter-gun approach to propagating the ransomware, casting a wide net across targeted regions and types of users.
3.5.1 Home users
Ransomware is perhaps most effective against individuals who are not fluent with computers or are not familiar with ransomware and how it works. The most common group that we see impacted by ransomware is the home user, who often has the least access to technical assistance.
Home users often have sensitive information, files and documents that are personally valuable stored on the computer, such as college projects, photos and video game save files. Despite these things being of value to users, they are still unlikely to have an effective backup strategy. This means users are potentially leaving themselves exposed in the event of a ransomware attack.
3.5.2 Private Company
For many businesses, information and the technology to use it are their lifeblood, without which conducting day-to-day business is impossible. Consider a retailer running a computerized point-of-sale (POS) system. If the POS system was unavailable due to a ransomware infection, the retailer would not be in a position to transact sales.
Business computers are also more likely to contain sensitive data and documents of critical importance, such as customer databases, business plans, proposals, reports, source code, forms and tax compliance documents.
The loss of this information could have a catastrophic impact on the business. While many companies have backup and disaster recovery plans, there are still many who do not.
3.5.3 Public agencies
Public agencies such as educational institutes and even law enforcement entities are not excluded from the attention of these cybercriminals, and in some cases they may be specifically targeted.
4 JigSaw
4.1 Description
JigSaw is a crypto ransomware whose behaviour and appearance are inspired by the famous horror film Saw. It "plays" with users by encrypting and deleting their files every hour until they pay the ransom. This is the classic case in which the attacker is concerned not only with carrying out the attack but also with acting on the user's psychology to induce him to pay.
As we can see from the picture above, the screen shown by the ransomware once encryption is complete is quite particular. In fact, in addition to the classic message explaining to the victim what happened and how to resolve it, there are also a clock and an image of the film's protagonist.
4.2 Sample
In my analysis I have used the sample which is available at the following URL: https://github.com/ytisf/theZoo/tree/master/malwares/Source/Original/Ransomware.Jigsaw. This is some basic information about the file:
File name: jigsaw.exe
File size: 290304 bytes
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
CRC32: 3C351D58
MD5: 2773e3dc59472296cb0024ba7715a64e
SHA1: 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256: 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
4.3 Static Analysis
Usually, in the case of a ransomware, dynamic analysis is more important than static analysis. Nevertheless, for this particular sample the static part is also useful, because it reveals some relevant information.
4.3.1 PE Information
Compile Time: 2016-03-31 08:28:14
From this we know that the file is not so recent.
4.3.2 Version Info
LegalCopyright: Copyright 1999-2012 Firefox and Mozzilla developers.
InternalName: BitcoinBlackmailer.exe
ProductName: Firefox
OriginalFileName: BitcoinBlackmailer.exe
From these we start to suspect something, even if we don't know that the file is malware. In fact, it is quite strange that a regular Firefox product has "BitcoinBlackmailer" as its internal name.
4.3.3 Strings
Operations: BitcoinBlackmailer.exe, Jigsaw, Hacking, Locker, Windows, RansomUsd,
DeleteFiles, GetBitcoinAddess, EncryptionFileExtension, MaxFilesizeToEncryptInBytes,
EncryptionPassword, EncryptedFileListPath, EncryptedFiles, EncryptFile,
DecryptFile, SymmetricAlgorithm, CryptoStream, CryptoStreamMode, StartupMethod,
SetStartupFolder, SetStartupRegistry, RemoveStartupRegistry.
From these we can deduce that the file works with: bitcoin, encryption, files, the startup
folder and the registry.
Messages: "Your computer files have been encrypted. Your photos, videos, documents,
etc...", "But, don't worry! I have not deleted them, yet.", "You did not sent
me enough! Try again!", "Are you connected to the internet? Try again!", "Great job,
I'm decrypting your files...", "Decrypting your files. It will take for a while. After done
I will close and completely remove myself from your computer."
From these we can see that all the strings used on the screen shown by the malware
are stored in cleartext (for simplicity, I reported only some of them). There are also other
interesting strings which regard the messages shown after the payment procedure. By
reading them we might think that the malware will decrypt our files if we pay the ransom,
but in most cases this is not the best solution.
4.3.4 Antivirus
AVG: Ransom.Jighead
Avira: TR/FileCoder.aqne
Kaspersky: Trojan-Ransom.Win32.Agent.iqf
Malwarebytes: Ransom.Jigsaw
McAfee: Generic.ys
Microsoft: Ransom:MSIL/JigsawLocker.A
Symantec: Ransom.Jigsaw
TrendMicro: Ransom JIGSAW.SM
From this we can see that the file is recognized as ransomware by the most common
antivirus engines.
4.4 Dynamic Analysis
4.4.1 Behavioural analysis
In this part of the analysis we reconstruct how the malware works by inspecting the
"Behavioural Analysis" section of the report obtained by submitting the sample to the
Cuckoo Sandbox. The first thing that we can see is that we obtain the following process
tree:
Therefore it is clear that the malware replicates itself, but this is only a partial picture of
the story.
jigsaw.exe
In order to see what really happens, we have to inspect the filesystem and the registry
keys. By analysing them, the most important information we obtain is the following:
jigsaw.exe replicates itself in the directory C:/Users/cuckoo/AppData/Roaming/Frfx
with the name "firefox.exe". It also sets a specific registry key that allows it to install
itself for autorun at Windows startup.
jigsaw.exe replicates itself in the directory C:/Users/cuckoo/AppData/Local/Drpbx
with the name "drpbx.exe".
Thanks to this we know that firefox.exe and drpbx.exe are the same replica of
the malware, but the first is activated only after a system reboot while the second is
launched immediately and executes the encryption process. We can see this by going
down the process tree.
drpbx.exe
For this process, we have a lot of crypto operations like the following:
By looking at the second row of the table, we can notice that, in this case, the file which
is going to be encrypted is a file belonging to the Python library.
The result of the malware execution is that all non-essential files are encrypted and
have a ".fun" extension. Obviously, they are no longer accessible to the victim.
firefox.exe
We could ask ourselves why "firefox.exe" is not in the process tree shown before. This is
because this specific process runs only when the system restarts, which however
is not expected in the test procedure performed by the Cuckoo Sandbox. In this case it
is useless to use other tools to analyse the behaviour after the reboot of the system,
because we know that firefox.exe and drpbx.exe are the same replica of the malware.
4.5 Analysis outcome
In conclusion, we can summarize what the malware does with the following points:
• It replicates itself with two files: "drpbx.exe" and "firefox.exe".
• It modifies registry keys to launch itself at Windows startup.
• It uses the CryptEncrypt API to perform the encryption operations.
By reading some articles [3] [6] we can say that our analysis covers all the main features
of this particular malware.
5 Mamba
5.1 Description
Mamba is a crypto ransomware which encrypts every disk sector, including the MFT,
the operating system, your apps, any shared files and all your personal data. As we will
see later in the analysis, it does all of this with very little programming effort: in fact, it
simply installs and activates a pirated copy of the open source software DiskCryptor.
In the picture above there is the screen shown to the victims by the ransomware once
encryption is complete and the system is restarted. By simply reading the message, in
particular the part "Missing operating system", we can realize that the damage caused
by the malware is significant.
This malware is also famous for the infection of the San Francisco Municipal
Transportation Agency (SFMTA); we can find more details about this event in the following
interesting article:
https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/
5.2 Sample
In my analysis I have used the sample available at the following URL:
https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.Mamba.
This is some basic information about the file:
File name: 131.exe
File size: 2415104 bytes
File type: PE32 executable (console) Intel 80386, for MS Windows
CRC32: F29D4FCE
MD5: 409d80bb94645fbc4a1fa61c07806883
SHA1: 4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1
SHA256: 2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63
5.3 Static Analysis
As said before, for ransomware, dynamic analysis is more important than static
analysis. Nevertheless, also in this case the static part reveals some useful information.
5.3.1 PE Information
Compile Time: 2016-04-24 08:00:40
From this we know that the file is not so recent.
5.3.2 Resources
Name: 32DCAPI.DLL, 64DCAPI.DLL
Description: DiskCryptor api.
Name: 32DCCON.EXE, 64DCCON.EXE
Description: DiskCryptor console.
Name: 32DCRYPT.EXE, 64DCRYPT.EXE
Description: DiskCryptor installer support.
Name: 32DCRYPT.SYS, 64DCRYPT.SYS
Description: DiskCryptor driver.
Name: 32NETPASS.EXE, 64NETPASS.EXE
Description: used to get some credentials from the machine.
Name: MOUNT.EXE
Description: used to manage shared drive.
Note: if we submit them to VirusTotal we find that dcapi.dll is detected as
Ransom HDDCRYPTOR.SM1, netpass.exe is detected as Ransom HKTL NETPASS and
mount.exe is detected as Ransom HDDCRYPTOR.C.
5.3.3 Strings
Operations: DiskCryptor, http://diskcryptor.net/, Booting Method, HDD master boot
record, Config Bootloader, Update bootloader, -boot -setmbr hd0, Delete bootloader, you
can only use AES to encrypt the boot partition!, Encryption mode, Encrypt Volume,
-encrypt pt0 -p , Encryption Progress, Use Hardware Cryptography Support, Decryption,
DefragmentService, C://DC22.
From these we can deduce that the file works with: a program called DiskCryptor, the
master boot record, the bootloader, encryption, Windows services, and a specific folder
called DC22.
Messages: "You are Hacked !!!! Your H.D.D Encrypted , Contact Us For Decryption
Key (w889901665@yandex.com) YOURID: 123139".
From this we can see that the string used by the bootloader installed by the malware
is stored in cleartext.
5.3.4 Antivirus
AVG: Generic38.CQB
Avira: TR/Crypt.ZPACK.Gen8
Kaspersky: Trojan-Ransom.Win32.Dcryptor.b
Malwarebytes: Ransom.HDDCryptor
McAfee: GenericR-IJR!409D80BB9464
Microsoft: Ransom:Win32/Mambretor.A
Symantec: Ransom.HDDCryptor
TrendMicro: Ransom HDDCRYPTOR.A
From this we can see that the file is recognized as ransomware by the most common
antivirus engines.
5.4 Dynamic Analysis
5.4.1 Practical Execution
Since the malware is articulated, before going into a deep analysis it is useful
to understand how it works by showing a high-level practical execution of it on a
Windows system.
Step 1
We execute the malware from the cmd with the command "131.exe 123456". We have
to do this because it needs an argument to work correctly. The first thing it
does is to create the folder "C:/DC22", which contains eight files (some of them are
described earlier in the Resources section of the static analysis part).
Then, the system is forced to restart by the malware.
Step 2
After the system reboot, the encryption process performed by DiskCryptor starts in
stealth mode. We can see this by running on the cmd the commands "dccon -info
pt0" and "dccon -info pt1", or directly by opening the DiskCryptor GUI with the executable
"dcrypt.exe".
From the picture above we can note that the algorithm used for encryption is AES-512
in XTS mode. At a certain point, a system error occurs (sometimes it takes the form of
a BSOD). This corresponds to the fact that the encryption process has completed its work,
and if we start the system again we obtain the message shown at the beginning of the
analysis.
If we stop the encryption process before the system crashes, we can use the DiskCryptor
GUI to obtain other useful information, in particular about the bootloader.
As we can see in the two pictures above, the bootloader is placed in the HDD master
boot record, in particular on a device called "HardDisk 0". Simply by opening its
configuration file, we can discover that this bootloader is a modified version installed
by the malware.
Log
Very useful information, in terms of analysis, is provided by a file called "log file"
located in the "DC22" folder seen before. Here we can find a sort of log report produced
by the malware during its execution.
This is important information for us because we can understand roughly how the
malware works without using other analysis tools. In fact, from this file we also learn
that the malware:
• installs a driver.
• creates and launches a service.
• detects shared drive.
• starts the encryption process.
5.4.2 Behavioural analysis
In this part of the analysis we reconstruct how the malware works by inspecting the
"Behavioural Analysis" section of the report obtained by submitting the sample to the
Cuckoo Sandbox.
The first thing that we can see is that we obtain the following process tree:
131.exe
This is the main process of the malware. Without going into details, just by looking at the
process tree we can see that it performs the following operations:
• it launches dcinst.exe
• it uses cmd and schtasks to: create and run a service called DefragmentService,
perform the operation "net use" and write the results to a file called "netuse.txt",
launch netpass.exe and write its results to a file called "netpass.txt"
Let us now look at a detailed behavioural analysis by reporting the most important steps
performed by the malware:
First of all, it creates a directory with the path "C:/DC22" and inside it adds a file
called dcrypt.sys. It is not reported here, but the malware adds in the same way also
the other files described previously.
It writes to "C:/DC22/log file.txt" the log message "installing drivers...".
It gets some information about the mounted partitions and creates a file to manage it.
It launches the process dcinst.exe. We proceed with a quick analysis of it and then we
continue with the analysis of 131.exe.
dcinst.exe
In practice, it installs a driver, but in order to see this we can report the most important
steps performed by this process:
It creates in "C:/Windows/system32/drivers" a copy of the file dcrypt.sys, which is a
DiskCryptor driver.
It creates a Windows service called dcrypt which refers to "C:/Windows/system32/
drivers/dcrypt.sys". The attribute SERVICE_BOOT_START means that the service
is started by the system loader; this value is valid only for driver services.
131.exe (continued)
It writes to "C:/DC22/log file.txt" two log messages: the first is "installing driver
successfully...", which tells us that the installation of the driver went well; the second is
"getting share drive information...", which tells us that a new phase starts.
It uses cmd with the parameter "/c", which carries out the command specified by the string
and then terminates. This string contains "schtasks /create", which is used to create a
task on the local or remote computer. In particular, we have the following parameters:
• "/TN DefragmentService", which specifies a name that uniquely identifies the
scheduled task.
• "/TR cmd.exe /c net use >> C:/DC22/netuse.txt", which specifies the path and
file name of the task to be run. In this case, it uses another cmd to perform a "net
use" operation and writes the results into the file "C:/DC22/netuse.txt". This
operation retrieves a list of network connections.
• "/SC DAILY", which specifies the schedule frequency.
In a similar way, it uses cmd and schtasks to run and then to delete the task
"DefragmentService" created before.
It uses cmd and schtasks to launch netpass.exe and writes the results into
"C:/DC22/netpass.txt". Netpass is a freeware network password recovery tool which
extracts the credentials of the current session.
It writes to "C:/DC22/log file.txt" the log message "Trying to create a service...".
It creates a Windows service called DefragmentService which refers to
"C:/Users/cuckoo/AppData/Local/Temp/131.exe 123456". The attribute
SERVICE_AUTO_START means that the service is started automatically by the service
control manager during system startup.
It writes to "C:/DC22/log file.txt" the log message "creating service successfully.
rebooting windows... ".
It forces the system to reboot.
At this point, we have a problem with the analysis because the Cuckoo Sandbox does
not work well when there is a system reboot. For this reason we continue by using
another tool called Process Monitor. In particular, from the previous steps we know
there is a specific service which restarts the malware by running the process 131.exe
after the reboot. Therefore we start from it.
As we can see in the picture above, it writes some log information to "log file.txt", it
creates one process for Mount.exe and several other processes with different parameters
for dccon.exe. Now, it is interesting to see also what is done by these other processes.
Mount.exe essentially uses the information contained in two files created before:
netpass.txt and netuse.txt. In our case it does not execute any particular action
because in our virtualized system there are no shared drives. Obviously, it writes some
log messages to "log file.txt".
Dccon.exe performs the most important operations which characterize this malware as
a ransomware. In fact, first of all it changes the Master Boot Record to display the
ransom note. This is done by the first operation shown above, which takes as parameter
"-boot -setmbr hd0" and subsequently creates some files in that particular location. After
that, the encryption process starts through several instances of dccon which take as
parameter "-encrypt ptX -p 123456", where "X" is the partition's number and "123456"
is the argument inserted at the beginning when we launched the malware.
5.5 Analysis outcome
In conclusion, we can summarize what the malware does with the following points:
• It creates a folder containing some tools that it needs.
• It installs a driver.
• It creates two Windows services: "dcrypt" and "DefragmentService".
• It uses DiskCryptor to modify the bootloader and to perform the encryption
operations.
By reading some articles [4] [1] [5] we can say that our analysis covers all the main features
of this particular malware.
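As an added example (not part of the original report), the following Python script applies the indicators collected in the Jigsaw (4.5) and Mamba (5.5) outcomes to a constructed list of Cuckoo-style behavioural events: autorun registry writes, executables dropped under the user profile, boot-start or auto-start services, schtasks task creation, the dccon MBR rewrite and volume encryption, and mass renaming to a new extension. The event tuples, their field layout and the indicator names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed Cuckoo-style events as (process, category, detail). They mirror the
# behaviour described in sections 4.4 and 5.4 but are not copied from any report.
SAMPLE_EVENTS = [
    ("jigsaw.exe", "file_write", r"C:\Users\cuckoo\AppData\Roaming\Frfx\firefox.exe"),
    ("jigsaw.exe", "file_write", r"C:\Users\cuckoo\AppData\Local\Drpbx\drpbx.exe"),
    ("jigsaw.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe"),
    ("drpbx.exe", "file_rename", r"C:\Python27\Lib\os.py -> C:\Python27\Lib\os.py.fun"),
    ("drpbx.exe", "file_rename", r"C:\Users\cuckoo\Pictures\cat.jpg -> C:\Users\cuckoo\Pictures\cat.jpg.fun"),
    ("131.exe", "process_create",
     r'cmd.exe /c schtasks /create /TN DefragmentService /TR "cmd.exe /c net use >> C:\DC22\netuse.txt" /SC DAILY'),
    ("dcinst.exe", "service_create", r"dcrypt|SERVICE_BOOT_START|C:\Windows\system32\drivers\dcrypt.sys"),
    ("131.exe", "service_create", r"DefragmentService|SERVICE_AUTO_START|C:\Users\cuckoo\AppData\Local\Temp\131.exe 123456"),
    ("131.exe", "process_create", "dccon.exe -boot -setmbr hd0"),
    ("131.exe", "process_create", "dccon.exe -encrypt pt0 -p 123456"),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)       # autorun registry keys
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)    # paths a normal user can write
TASK_CREATE = re.compile(r"schtasks\s+/create.*?/TN\s+(\S+)", re.I)  # task name from schtasks

def triage(events, rename_threshold=2):
    """Return (indicator, process, detail) tuples for the persistence and impact
    behaviours this report attributes to Jigsaw and Mamba."""
    findings, new_ext = [], Counter()
    for proc, cat, detail in events:
        if cat == "reg_set" and RUN_KEY.search(detail):
            findings.append(("registry run key", proc, detail))
        elif cat == "file_write" and detail.lower().endswith(".exe") and USER_WRITABLE.search(detail):
            findings.append(("executable dropped in user profile", proc, detail))
        elif cat == "service_create":
            name, start, image = detail.split("|", 2)
            if start == "SERVICE_BOOT_START" and image.lower().endswith(".sys"):
                findings.append(("boot-start driver installed", proc, name))
            elif start == "SERVICE_AUTO_START" and USER_WRITABLE.search(image):
                findings.append(("autostart service from user-writable path", proc, name))
        elif cat == "process_create":
            m = TASK_CREATE.search(detail)
            if m:
                findings.append(("scheduled task created", proc, m.group(1)))
            if re.search(r"-setmbr\s+hd\d", detail, re.I):
                findings.append(("MBR rewritten", proc, detail))
            if re.search(r"-encrypt\s+pt\d", detail, re.I):
                findings.append(("volume encryption started", proc, detail))
        elif cat == "file_rename":
            # count how many files each process renamed to the same new extension
            new_ext[(proc, detail.rsplit(".", 1)[-1].lower())] += 1
    for (proc, ext), n in new_ext.items():
        if n >= rename_threshold:
            findings.append(("mass rename to new extension", proc, f".{ext} x{n}"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

A real Cuckoo report would be mapped onto the same (process, category, detail) tuples from its behavior section before calling triage().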
6 Conclusions
In this report, we have seen a particular family of malware called ransomware, describing
their general characteristics and focusing our analysis on how they operate with respect
to persistence. We have covered all the persistence aspects that were proposed; in fact:
With the first sample, Jigsaw, we have seen:
• creation or modification of registry keys
• file in startup locations
With the second sample, Mamba, we have seen:
• Windows Services
• Master Boot Record
In addition to those, we have addressed other aspects which are outside the field of
persistence but are relevant in the case of ransomware:
• use of psychological techniques to induce the victim to pay the ransom (Jigsaw)
• use of modified freeware and legal tools to perform illegal operations (Mamba)
From my point of view, another interesting aspect which comes out of our analysis
concerns the Cuckoo Sandbox. In particular, I have tried several versions but none has
been able to continue its dynamic analysis after a system reboot. I think this is an
important problem because nowadays malware often uses advanced techniques to reboot
the system. I bypassed this problem by continuing the analysis with other tools, such as
Process Monitor, but in my opinion it would be very good if the developers solved
this problem in the future.
In conclusion, we have to say that in the case of ransomware there are also other
interesting topics that can be analyzed, but they were not the focus of this report, for
example:
• Command and Control: to study whether and how the malware communicates with a
C&C in order to exchange keys or other information.
• Payment of the ransom: to understand the relationship between the type of
ransomware and the payment method, or whether there is some connection between the
number of encrypted files and the amount of the ransom.
• File decryptor tool: to try an available decryptor tool in order to know if and how
it works.
References
[1] Paul Ducklin. Mamba ransomware strikes at your whole disk, not just your files. Ed. by nakedsecurity.sophos.com. URL: https://nakedsecurity.sophos.com/2016/09/27/mamba-ransomware-strikes-at-your-whole-disk-not-just-your-files/.
[2] Hon Lau, Kevin Savage, Peter Coogan. The evolution of ransomware. Ed. by Symantec. URL: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf.
[3] Daniele Mondelli. Ransomware Jigsaw, un'analisi tecnica e comportamentale. Ed. by Ransomware.it. URL: http://www.ransomware.it/ransomware-jigsaw-analisi-tecnica-comportamentale.
[4] Pierluigi Paganini. Mamba: The new Full Disk Encryption Ransomware Family Member. Ed. by securityaffairs.co. URL: http://securityaffairs.co/wordpress/51314/malware/mamba-ransomware.html.
[5] William Gamazo Sanchez, Stephen Hilt. BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs. Ed. by blog.trendmicro.com. URL: http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/.
[6] Jasen Sumalapao. New Crypto-Ransomware JIGSAW Plays Nasty Games. Ed. by blog.trendmicro.com. URL: http://blog.trendmicro.com/trendlabs-security-intelligence/jigsaw-ransomware-plays-games-victims/.