Facoltà di
Ingegneria dell’Informazione, Informatica e Statistica
MSc in Engineering in Computer Science
Systems and Enterprise Security
Final project
A.Y. 2016/2017
Malware Analysis
Professor:
Leonardo Querzoni
Student:
Davide Piccardi 1379602
Contents
1 Abstract
2 Introduction
2.1 Malware samples
2.2 Utilities
3 Ransomware
3.1 Types
3.1.1 Locker Ransomware
3.1.2 Crypto Ransomware
3.2 Techniques
3.2.1 Screen locking
3.2.2 File encryption
3.3 Timeline
3.4 Propagation
3.4.1 Traffic distribution system
3.4.2 Malvertisement
3.4.3 Spam email
3.4.4 Downloaders & botnets
3.4.5 Social engineering and self-propagation
3.4.6 Affiliate schemes
3.5 Targets
3.5.1 Home users
3.5.2 Private Company
3.5.3 Public agencies
4 JigSaw
4.1 Description
4.2 Sample
4.3 Static Analysis
4.3.1 PE Information
4.3.2 Version Info
4.3.3 Strings
4.3.4 Antivirus
4.4 Dynamic Analysis
4.4.1 Behavioural analysis
4.5 Analysis outcome
5 Mamba
5.1 Description
5.2 Sample
5.3 Static Analysis
5.3.1 PE Information
5.3.2 Resources
5.3.3 Strings
5.3.4 Antivirus
5.4 Dynamic Analysis
5.4.1 Practical Execution
5.4.2 Behavioural analysis
5.5 Analysis outcome
6 Conclusions
1 Abstract
The main objective of this project is to apply the knowledge gained in the theoretical part of the Systems and Enterprise Security course and to go into the details of one of the most important issues in cybersecurity: malware analysis. The approach taken to treat such a vast subject has been to focus on one particular aspect of malware, in order to understand the different techniques used by malware to achieve the same result. The proposals were:
• Persistence (creation or modification of registry keys, files in startup locations, Windows Services, Master Boot Record [MBR] or BIOS)
• Command & Control (Domain, Internet Relay Chat, Peer-to-Peer)
• Data Exfiltration (transmission over the C&C communication channel or over an alternative protocol such as FTP, SMTP, HTTP/S or DNS)
• Simple Binary Modifications (packing, encryption, self-modifying code)
• Debugger Detection Techniques (hardware breakpoints, operating system in debug mode, CPU flags)
The direction taken by my work has been driven by my own interest in a particular category of malware: ransomware. As I shall explain later, this type of malware, besides fitting the first point of the list above very well, has a number of features that make it very interesting from my point of view. For example, because it uses encryption, Bitcoin and Tor, it clearly touches many aspects of security. More generally, just by reading the reports of the main cybersecurity companies it is clear that this is a real problem which affects thousands of companies (even in Italy) and causes damage worth millions of dollars.
2 Introduction
This report is divided into two main sections. The first one describes several general aspects of ransomware: how it works, how it propagates, what its targets are and which are the most important cases of the last years. The second one consists of the static and dynamic analysis of two samples that I selected. Before going into detail, let us look at some information about the samples and the tools used.
2.1 Malware samples
All the samples that I have used in this project are taken from the web. In my case, I found the following resources very useful:
• https://github.com/ytisf/theZoo
• https://www.hybrid-analysis.com/
• https://virusshare.com/
• http://malwaredb.malekal.com/
They allow different kinds of searches over a large set of malware samples and let you download them (some require registration). In some cases they also provide a proprietary sandbox, or they link to a larger service such as VirusTotal.
2.2 Utilities
In order to perform the analysis described in this project, I used several tools and programs. For example:
• PEframe: used to produce the static analysis part of the report.
• VirtualBox: used to virtualize a Linux and a Windows system. The first allows us to use the Cuckoo Sandbox and other tools, while the second is used to run the malware.
• Cuckoo Sandbox: used to produce a report about various aspects of the chosen malware.
• Process Monitor: used to monitor Windows and show real-time file system, Registry and process/thread activity.
2
3 Ransomware
Ransom malware, or ransomware, is a threat that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access. We can distinguish two main forms of ransomware in circulation today:
• Locker (computer locker): denies access to the computer or device.
• Crypto (data locker): prevents access to files or data.
They have similar objectives, but the approaches taken by each type are quite different. Naturally, the big security companies are interested in ransomware, so a lot of useful documentation is available [2].
3.1 Types
3.1.1 Locker Ransomware
Locker ransomware is designed to deny access to computing resources. This typically
takes the form of locking the computer’s or device’s user interface and then asking the
user to pay a fee in order to restore access to it. Locked computers will often be left
with limited capabilities, such as only allowing the user to interact with the ransomware
and pay the ransom.
Its most important feature is that it prevents access to the computer's interface but leaves the underlying system and files untouched. This means that the malware could potentially be removed without damage. Therefore, locker ransomware is less effective at extracting ransom payments than the other type.
Because locker ransomware can usually be removed cleanly, it tends to be the type of ransomware that goes to great lengths to incorporate social-engineering techniques to pressure victims into paying. Often it masquerades as a law enforcement authority and claims to issue fines to users for alleged online indiscretions or criminal activities.
3.1.2 Crypto Ransomware
Crypto ransomware is designed to find and encrypt valuable data stored on the computer, making the data useless unless the user obtains the decryption key. The creators of crypto ransomware know that data stored on personal computers is likely to be important to users, and they also know that many users are not aware of the need to create backups.
After installation, a typical crypto ransomware threat quietly searches for and encrypts files. Its goal is to stay below the radar until it can find and encrypt all of the files that could be of value to the user. By the time the victim is presented with the malware's message informing them that their data is encrypted, the damage is already done.
With most crypto ransomware infections, the affected computer continues to work normally, as the malware does not target critical system files or deny access to the computer's functionality. This means that users can still use the computer to perform a range of activities apart from accessing the data that has been encrypted.
3.2 Techniques
While all ransomware types are designed to extort money from their victims, they can be quite different both operationally and technically. Below we describe the operation that characterizes each of the two types of ransomware described above.
3.2.1 Screen locking
The main operation performed by a locker ransomware is screen locking. It can be implemented in very different ways, but the most important is the Windows locker.
Windows locker
The ransomware displays a full-screen window that covers the entire desktop to display its message. It may create the window itself or use a browser window in full-screen mode to show the ransom message. The window is usually shown as the only window on a new virtual desktop that the ransomware creates and makes active. The ransomware may use a background thread to monitor the system's desktops and ensure that its own is kept active and on top.
The contents of the message are occasionally included in the ransomware executable itself, but it is more common for the ransomware to download the contents from the attacker's server. This allows the attackers to serve localized messages using language and law-enforcement images relevant to the country where the infection has occurred.
3.2.2 File encryption
The main operation performed by a crypto ransomware is file encryption. It can be implemented using three different schemes: symmetric key, asymmetric key, or a combination of the two.
Symmetric key
A single key is used to encrypt the data and the same key is used to decrypt the encrypted data. Knowing the key allows the user to decrypt data that has been encrypted with that key.
Ransomware using symmetric encryption will usually generate a key on the infected computer and send it to the attacker, or request a key from the attacker, before encrypting the user's files. From the attacker's point of view, it is important to ensure that the key is not available to the user after the files have been encrypted, otherwise the user might be able to decrypt them without paying.
The advantage of symmetric encryption algorithms is that they are generally much faster than asymmetric algorithms and they use small keys (typically 256-bit). A typical crypto ransomware has to quickly search for and encrypt a large number of files, so performance is essential in order to encrypt the files before the victim can discover the threat's activities.
Asymmetric key
A public key is used to encrypt the data and a private key is used to decrypt the encrypted data. Knowing the public key does not allow you to decrypt files encrypted with it.
Ransomware using asymmetric encryption will usually encrypt the user's files with the public key while the private key is kept secret by the attacker. From the attacker's point of view, there is no need to protect the public key, because knowing it does not allow the affected users to decrypt their files. As noted above, the main drawback of asymmetric encryption is that the process is slow, so it may take a long time, which introduces the risk that the activity is discovered before it completes.
Symmetric and asymmetric key
More advanced crypto ransomware typically uses a combination of symmetric and asymmetric encryption techniques. The variants that use asymmetric encryption may also generate a specific public-private key pair for each infected computer. This allows the attacker to decrypt the files on one infected computer without revealing a private key that could also be used to decrypt the files on every other computer infected with the same public key.
3.3 Timeline
The picture above is a good representation of the evolution of ransomware in the last years. As one can imagine, there is a huge number of ransomware variants, but those reported here are surely the most significant in terms of diffusion.
3.4 Propagation
One of the first questions many victims ask is "how did I get infected with ransomware?" While it is not always immediately clear, the infection method for ransomware follows the same modus operandi used by cybercriminals to infect victims with any malware. Let's look at some of them:
3.4.1 Traffic distribution system
A common method used by these distribution services is to buy redirected web traffic from a Traffic Distribution Service (TDS) vendor and point it to a site hosting an exploit kit. In many cases, the redirected traffic originates from adult content-related websites. If the exploit kit succeeds in exploiting a vulnerability on the visiting victim's computer, it can lead to what is commonly referred to as a drive-by download of malware.
3.4.2 Malvertisement
Similarly, malicious advertisements known as malvertisements can get pushed onto legitimate websites in order to redirect traffic to a site hosting an exploit kit.
3.4.3 Spam email
The spam usually comes in the form of an email containing a malicious attachment or
a link leading to a site hosting an exploit kit. The spam may also involve the download
of malware through other social-engineering means. The spam emails embody a whole
range of social-engineering and psychological levers to trick users into installing the
ransomware.
3.4.4 Downloaders & botnets
Once a downloader infects a computer, its job is to download secondary malware onto the compromised system. The cybercriminals behind downloaders earn money by offering other malware authors a malware-installation service onto already compromised computers.
Trojan botnets have also been known to download ransomware onto computers they have infected.
3.4.5 Social engineering and self-propagation
Some ransomware also contains functionality to spread itself. Self-propagation is potentially an effective way for the ransomware to spread, but it causes problems for the cybercriminals who are hoping for a ransom to be paid, because nobody will be willing to pay if the same gang keeps demanding ransom payment after payment.
3.4.6 Affiliate schemes
Cybercriminals who have noticed the growing interest in ransomware have started to provide services to those who wish to carry out these attacks, effectively offering ransomware-as-a-service (RaaS). They provide a way to buy into the growing ransomware scene without having the skills to create a ransomware or to maintain and run the operations.
Affiliate schemes can offer members a substantial cut of the profits from each ransomware infection, which is a strong incentive. The task of an affiliate member is to spread the ransomware as far and wide as possible to maximize the chances of extracting a ransom. This gives the RaaS vendor a better chance of getting their ransomware to a wider group of potential victims, letting them focus on developing and enhancing the ransomware and leaving the propagation to others.
3.5 Targets
The cybercriminals behind ransomware do not particularly care who their victims are,
as long as they are willing to pay the ransom. With this in mind, it is easy to see why
the cybercriminals tend to take a scatter-gun approach to propagating the ransomware,
casting a wide net across targeted regions and types of users.
3.5.1 Home users
Ransomware is perhaps the most effective against individuals who are not fluent with
computers or are not familiar with ransomware and how it works. The most common
group that we see impacted by ransomware is the home user, who often has the least
amount of access to technical assistance.
Home users often have sensitive information, files, and documents that are personally valuable stored on the computer, such as college projects, photos, and video game save files. Despite these things being of value to users, they are still unlikely to have an effective backup strategy. This means users are potentially leaving themselves exposed in the event of a ransomware attack.
3.5.2 Private Company
For many businesses, information and the technology to use it is their lifeblood, without which conducting day-to-day business is impossible. Consider a retailer running a computerized point-of-sale (POS) system. If the POS system were unavailable due to a ransomware infection, the retailer would not be in a position to transact sales. Business computers are also more likely to contain sensitive data and documents of critical importance, such as customer databases, business plans, proposals, reports, source code, forms, and tax compliance documents.
The loss of this information could have a catastrophic impact on the business. While many companies have backup and disaster recovery plans, there are still many that do not.
3.5.3 Public agencies
Public agencies such as educational institutes and even law enforcement entities are not
excluded from the attention of these cybercriminals and in some cases, they may be
specifically targeted.
4 JigSaw
4.1 Description
JigSaw is a crypto ransomware whose behaviour and appearance are inspired by the famous horror film Saw. It "plays" with users by encrypting and deleting their files every hour until they pay the ransom. This is the classic case in which the attacker is concerned not only with carrying out the attack but also with working on the victim's psychology to induce them to pay.
As we can see from the picture above, the screen shown by the ransomware once encryption is complete is quite particular. In fact, in addition to the classic message explaining to the victim what happened and how to resolve it, there are also a clock and an image of the film's protagonist.
4.2 Sample
In my analysis I have used the sample available at the following URL:
https://github.com/ytisf/theZoo/tree/master/malwares/Source/Original/Ransomware.Jigsaw
Here is some basic information about the file:
File name: jigsaw.exe
File size: 290304 bytes
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
CRC32: 3C351D58
MD5: 2773e3dc59472296cb0024ba7715a64e
SHA1: 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256: 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
4.3 Static Analysis
Usually, in the case of ransomware, dynamic analysis is more informative than static analysis. Nevertheless, for this particular sample the static part is also useful, because it reveals some relevant information.
4.3.1 PE Information
Compile Time: 2016-03-31 08:28:14
From this we know that the file is not very recent.
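The compile time above and the "Mono/.Net assembly" file type listed under 4.2 are both read straight from the PE header. The following parser is added here as an example; it is not code from the original report or from PEframe. It uses only the standard library, the header bytes it builds are a constructed minimal PE used in place of the real sample, and the epoch value 1459412894 is the report's compile time 2016-03-31 08:28:14 expressed as UTC seconds.

```python
"""Minimal PE header triage: compile timestamp and CLR (.NET) header check.

Added example. parse_pe_header() works on any PE file offline using only the
standard library; build_sample_pe() produces a constructed header for the
demonstration, not a real binary.
"""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
MAGIC_PE32, MAGIC_PE32PLUS = 0x10B, 0x20B
IMAGE_FILE_DLL = 0x2000
DIR_COM_DESCRIPTOR = 14          # data-directory slot that holds the CLR header


def parse_pe_header(data: bytes) -> dict:
    """Return compile time, PE32/PE32+ flavour and whether a CLR header is present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")

    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == MAGIC_PE32:
        rva_count_off, dirs_off = opt + 92, opt + 96
    elif magic == MAGIC_PE32PLUS:
        rva_count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    # Slot 14 of the data directories is the COM descriptor (CLR header); a nonzero
    # entry is what file(1) reports as "Mono/.Net assembly".
    (nr_dirs,) = struct.unpack_from("<I", data, rva_count_off)
    has_clr = False
    if nr_dirs > DIR_COM_DESCRIPTOR:
        clr_va, clr_size = struct.unpack_from("<II", data, dirs_off + 8 * DIR_COM_DESCRIPTOR)
        has_clr = clr_va != 0 and clr_size != 0

    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "compile_time": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "pe32plus": magic == MAGIC_PE32PLUS,
        "dotnet": has_clr,
    }


def triage_notes(data: bytes) -> list:
    """Short findings of the kind the report reads off PEframe output."""
    info = parse_pe_header(data)
    notes = [f"compile time (UTC): {info['compile_time']}"]
    notes.append("CLR header present: managed (.NET/Mono) assembly" if info["dotnet"]
                 else "no CLR header: native PE")
    if info["timestamp"] > int(datetime.now(tz=timezone.utc).timestamp()):
        notes.append("timestamp lies in the future: likely forged")
    return notes


def build_sample_pe(timestamp: int, dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal header (no sections, no code), for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header follows DOS header
    opt_size = 0xF0 if pe32plus else 0xE0                   # 16 data directories in both layouts
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 3, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, MAGIC_PE32PLUS if pe32plus else MAGIC_PE32)
    rva_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, rva_off, 16)                # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dirs_off + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    # 1459412894 = 2016-03-31 08:28:14 UTC, the Jigsaw compile time quoted in the report.
    for line in triage_notes(build_sample_pe(1459412894, dotnet=True)):
        print(line)
```

On a real file, replace the constructed bytes with `open(path, "rb").read()`; the forged-timestamp check is a common reason the compile time alone should not be trusted.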
4.3.2 Version Info
LegalCopyright: Copyright 1999-2012 Firefox and Mozzilla developers.
InternalName: BitcoinBlackmailer.exe
ProductName: Firefox
OriginalFileName: BitcoinBlackmailer.exe
From these we would start to suspect something even if we did not know that the file is malware. In fact, it is quite strange for a genuine Firefox product to have "BitcoinBlackmailer" as its real name.
4.3.3 Strings
Operations: BitcoinBlackmailer.exe, Jigsaw, Hacking, Locker, Windows, RansomUsd, DeleteFiles, GetBitcoinAddess, EncryptionFileExtension, MaxFilesizeToEncryptInBytes, EncryptionPassword, EncryptedFileListPath, EncryptedFiles, EncryptFile, DecryptFile, SymmetricAlgorithm, CryptoStream, CryptoStreamMode, StartupMethod, SetStartupFolder, SetStartupRegistry, RemoveStartupRegistry.
From these we can deduce that the file works with: bitcoin, encryption, files, the startup folder and the registry.
Messages: "Your computer files have been encrypted. Your photos, videos, documents, etc...", "But, don't worry! I have not deleted them, yet.", "You did not sent me enough! Try again!", "Are you connected to the internet? Try again!", "Great job, I'm decrypting your files...", "Decrypting your files. It will take for a while. After done I will close and completely remove myself from your computer."
From these we can see that all the strings used on the screen shown by the malware are stored in the clear (for simplicity, I report only some of them). There are also other interesting strings regarding the messages shown after the payment procedure. Reading them, one might think that the malware will decrypt our files if we pay the ransom, but in most cases this is not the best solution.
4.3.4 Antivirus
AVG: Ransom.Jighead
Avira: TR/FileCoder.aqne
Kaspersky: Trojan-Ransom.Win32.Agent.iqf
Malwarebytes: Ransom.Jigsaw
McAfee: Generic.ys
Microsoft: Ransom:MSIL/JigsawLocker.A
Symantec: Ransom.Jigsaw
TrendMicro: Ransom JIGSAW.SM
From this we can see that the file is recognized as ransomware by the most common antivirus engines.
4.4 Dynamic Analysis
4.4.1 Behavioural analysis
In this part of the analysis we reconstruct how the malware works by inspecting the "Behavioural Analysis" section of the report obtained by submitting the sample to the Cuckoo Sandbox. The first thing we can see is that we obtain the following process tree:
It is therefore clear that the malware replicates itself, but this is only a partial picture of the story.
jigsaw.exe
In order to see what really happens, we have to inspect the filesystem and the registry keys. By analysing them, the most important information we obtain is the following:
jigsaw.exe replicates itself in the directory C:/Users/cuckoo/AppData/Roaming/Frfx with the name "firefox.exe". It also sets a specific registry key that installs it for autorun at Windows startup.
jigsaw.exe replicates itself in the directory C:/Users/cuckoo/AppData/Local/Drpbx with the name "drpbx.exe".
Thanks to this we know that firefox.exe and drpbx.exe are the same replica of the malware, but the first is activated only after a system reboot while the second is launched immediately and executes the encryption process. We can see this by going down the process tree.
drpbx.exe
For this process, we see a lot of crypto operations such as the following:
By looking at the second row of the table, we can notice that, in this case, the file which is going to be encrypted is a file belonging to the Python library.
The result of the malware execution is that all non-essential files are encrypted and given a ".fun" extension. Obviously, they are no longer accessible to the victim.
firefox.exe
We could ask ourselves why "firefox.exe" is not in the process tree shown before. This is because this specific process runs only when the system restarts, which is not part of the test procedure performed by the Cuckoo Sandbox. In this case it is unnecessary to use other tools to analyse the behaviour after the reboot of the system as well, because we know that firefox.exe and drpbx.exe are the same replica of the malware.
4.5 Analysis outcome
In conclusion, we can summarize what the malware does in the following points:
• It replicates itself in two files: "drpbx.exe" and "firefox.exe".
• It modifies registry keys to launch itself at Windows startup.
• It uses the CryptEncrypt API to perform the encryption operations.
By reading some articles [3] [6] we can say that our analysis covers all the main features of this particular malware.
5 Mamba
5.1 Description
Mamba is a crypto ransomware which encrypts every disk sector, including the MFT, the operating system, your apps, any shared files and all your personal data. As we will see later in the analysis, it does all of this with very little programming effort: in fact, it simply installs and activates a pirated copy of the open source software DiskCryptor.
In the picture above there is the screen shown to the victims by the ransomware once encryption is complete and the system is restarted. By simply reading the message, in particular the part "Missing operating system", we can realize that the damage caused by the malware is significant.
This malware is also famous for the infection of the San Francisco Municipal Transportation Agency (SFMTA); we can find further details about this case in the following interesting article:
https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/
5.2 Sample
In my analysis I have used the sample available at the following URL:
https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.Mamba
Here is some basic information about the file:
File name: 131.exe
File size: 2415104 bytes
File type: PE32 executable (console) Intel 80386, for MS Windows
CRC32: F29D4FCE
MD5: 409d80bb94645fbc4a1fa61c07806883
SHA1: 4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1
SHA256: 2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63
5.3 Static Analysis
As said before, for ransomware, dynamic analysis is more informative than static analysis. Nevertheless, also in this case the static part reveals some useful information.
5.3.1 PE Information
Compile Time: 2016-04-24 08:00:40
From this we know that the file is not very recent.
5.3.2 Resources
Name: 32DCAPI.DLL, 64DCAPI.DLL
Description: DiskCryptor api.
Name: 32DCCON.EXE, 64DCCON.EXE
Description: DiskCryptor console.
Name: 32DCRYPT.EXE, 64DCRYPT.EXE
Description: DiskCryptor installer support.
Name: 32DCRYPT.SYS, 64DCRYPT.SYS
Description: DiskCryptor driver.
Name: 32NETPASS.EXE, 64NETPASS.EXE
Description: used to get some credentials from the machine.
Name: MOUNT.EXE
Description: used to manage shared drive.
Note: if we submit them to VirusTotal we find that dcapi.dll is detected as Ransom HDDCRYPTOR.SM1, netpass.exe is detected as Ransom HKTL NETPASS and mount.exe is detected as Ransom HDDCRYPTOR.C.
5.3.3 Strings
Operations: DiskCryptor, http://diskcryptor.net/, Booting Method, HDD master boot record, Config Bootloader, Update bootloader, -boot -setmbr hd0, Delete bootloader, you can only use AES to encrypt the boot partition!, Encryption mode, Encrypt Volume, -encrypt pt0 -p , Encryption Progress, Use Hardware Cryptography Support, Decryption, DefragmentService, C://DC22.
From these we can deduce that the file works with: a program called DiskCryptor, the master boot record, the bootloader, encryption, Windows services, and a specific folder called DC22.
Messages: "You are Hacked !!!! Your H.D.D Encrypted , Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123139".
From this we can see that the string used by the bootloader installed by the malware is stored in the clear.
5.3.4 Antivirus
AVG: Generic38.CQB
Avira: TR/Crypt.ZPACK.Gen8
Kaspersky: Trojan-Ransom.Win32.Dcryptor.b
Malwarebytes: Ransom.HDDCryptor
McAfee: GenericR-IJR!409D80BB9464
Microsoft: Ransom:Win32/Mambretor.A
Symantec: Ransom.HDDCryptor
TrendMicro: Ransom HDDCRYPTOR.A
From this we can see that the file is recognized as ransomware by the most common antivirus engines.
5.4 Dynamic Analysis
5.4.1 Practical Execution
Since the malware is fairly complex, before going into a deep analysis it is useful to understand how it works by showing a high-level practical execution of it on a Windows system.
Step 1
We execute the malware from cmd with the command "131.exe 123456". We have to do this because it needs an argument to work correctly. The first thing it does is create the folder "C:/DC22", which contains eight files (some of them are described above in the Resources section of the static analysis part).
Then the system is forced to restart by the malware.
Step 2
After the system reboots, the encryption process performed by DiskCryptor starts in stealth mode. We can see this by running from cmd the commands "dccon -info pt0" and "dccon -info pt1", or directly by opening the DiskCryptor GUI with the executable "dcrypt.exe".
From the picture above we can note that the algorithm used for encryption is AES-512 with XTS mode. At a certain point, a system error occurs (sometimes in the form of a BSOD). This corresponds to the encryption process having completed its work, and if we start the system again we obtain the message shown at the beginning of the analysis.
If we stop the encryption process before the system crashes, we can use the DiskCryptor GUI to obtain other useful information, in particular about the bootloader.
As we can see in the two pictures above, the bootloader is placed in the HDD master boot record, in particular on a device called "HardDisk 0". Simply by opening its configuration file, we can discover that this bootloader is a modified version installed by the malware.
Log
Very useful information, in terms of analysis, is provided by a file called "log file" located in the "DC22" folder seen before. Here we can find a sort of log report produced by the malware during its execution.
This is important information for us because we can roughly understand how the malware works without using other analysis tools. In fact, from this file we also learn that the malware:
• installs a driver.
• creates and launches a service.
• detects shared drive.
• starts the encryption process.
5.4.2 Behavioural analysis
In this part of the analysis we reconstruct how the malware works by inspecting the "Behavioural Analysis" section of the report obtained by submitting the sample to the Cuckoo Sandbox.
The first thing we can see is that we obtain the following process tree:
131.exe
This is the main process of the malware. Without going into details, just by looking at the process tree we can see that it performs the following operations:
• it launches dcinst.exe
• it uses cmd and schtasks to: create and run a service called DefragmentService, perform the operation "net use" and write the results to a file called "netuse.txt", launch netpass.exe and write its results to a file called "netpass.txt"
Let's look at a detailed behavioural analysis by reporting the most important steps performed by the malware:
First of all, it creates a directory with the path "C:/DC22" and inside it adds a file called dcrypt.sys. It is not reported here, but the malware adds the other files described previously in the same way.
It writes to "C:/DC22/log file.txt" the log message "installing drivers...".
It gets some information about the mounted partitions and creates a file to manage them.
It launches the process dcinst.exe. We proceed with a quick analysis of it and then continue with the analysis of 131.exe.
dcinst.exe
In practice, it installs a driver, but in order to see this we report the most important steps performed by this process:
It creates in "C:/Windows/system32/drivers" a copy of the file dcrypt.sys, which is a DiskCryptor driver.
It creates a Windows service called dcrypt which refers to "C:/Windows/system32/drivers/dcrypt.sys". The attribute SERVICE_BOOT_START means that the service is started by the system loader; this value is valid only for driver services.
131.exe continue
It writes on ”C:/DC22/log file.txt” two log messages: the first is ”installing driver
successfully...” which tell us that installation of the driver went well. The second is
”getting share drive information...” which tell us that a new phase starts.
It uses cmd with the parameter ”/c” which carries out the command specified by string
and then terminates. This string contains ”schtasks /create” which is used to create a
task on the local or remote computer. In particular, we have two parameters:
• ”/TN DefragmentService” which specifies a name that uniquely identifies the
scheduled task.
• ”/TR cmd.exe /c net use >> C:/DC22/netuse.txt” which specifies the path and
file name of the task to be run. In this case, it uses another cmd to perform a ”net
use” operation and writes the results into the file ”C:/DC22/netuse.txt”. This
operation retrieves a list of network connections.
• ”/SC DAILY” which specifies the schedule frequency.
In a similar way, it uses cmd and schtasks to run and then delete the task
"DefragmentService" created before.
It uses cmd and schtasks to launch netpass.exe and writes the results into
"C:/DC22/netpass.txt". Netpass is a freeware network password recovery tool that
extracts the credentials of the current session.
It writes on "C:/DC22/log file.txt" the log message "Trying to create a service...".
It creates a Windows service called DefragmentService which refers to
"C:/Users/cuckoo/AppData/Local/Temp/131.exe 123456". The attribute
SERVICE_AUTO_START means that the service is started automatically by the service
control manager during system startup.
It writes on "C:/DC22/log file.txt" the log message "creating service successfully.
rebooting windows...".
It forces the system to reboot.
At this point we have a problem with the analysis, because Cuckoo Sandbox does
not work well when there is a system reboot. For this reason we continue by using
another tool, Process Monitor. In particular, from the previous steps we know
there is a specific service which restarts the malware by running the process 131.exe
after the reboot. Therefore we start from it.
As we can see in the picture above, it writes some log information on "log file.txt",
creates one process for Mount.exe and several other processes with different parameters
for dccon.exe. Now it is interesting to see also what is done by these other processes.
Mount.exe essentially uses the information contained in two files created before:
netpass.txt and netuse.txt. In our case it does not execute any particular action
because in our virtualized system there are no shared drives. Obviously, it writes some
log messages on "log file.txt".
Dccon.exe performs the most important operations, those which characterize this malware
as a ransomware. First of all, it changes the Master Boot Record to display the
ransom note. This is done by the first operation shown above, which takes as parameter
"-boot setmbr hd0" and subsequently creates some files in that particular location. After
that, the encryption process starts through several instances of dccon which take as
parameter "-encrypt ptX -p 123456", where "X" is the partition number and "123456"
is the parameter we inserted at the beginning when launching the malware.
5.5 Analysis outcome
In conclusion, we can summarize what the malware does in the following points:
• It creates a folder containing some tools that it needs.
• It installs a driver.
• It creates two Windows services: "dcrypt" and "DefragmentService".
• It uses DiskCryptor to modify the bootloader and to perform the encryption
operations.
By reading some articles [4][1][5] we can say that our analysis covers all the main features
of this particular malware.
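As an added example (not part of the original report), the following Python script turns the behaviour chain reconstructed above into a weighted triage over constructed Cuckoo/Process Monitor-style events. The events, indicator names and weights are assumptions made here, modelled on the steps described (C:\DC22 staging, the dcrypt.sys driver with SERVICE_BOOT_START, the DefragmentService task and service, netpass.exe, dccon.exe with -boot setmbr and -encrypt); it also separates evidence seen before the forced reboot from evidence seen after it, since a Cuckoo run stops at the reboot.

```python
# Added triage example (not code from the report); events and weights are constructed here.
import re
from collections import defaultdict

# Constructed events modelled on the report. "phase" records whether the
# event occurs before or after the forced reboot: Cuckoo stops at the reboot,
# so evidence from the "pre" phase is all an automated run will ever see.
SAMPLE_EVENTS = [
    {"type": "file", "phase": "pre", "path": "C:\\DC22\\dcrypt.sys"},
    {"type": "file", "phase": "pre", "path": "C:\\DC22\\netuse.txt"},
    {"type": "file", "phase": "pre",
     "path": "C:\\Windows\\system32\\drivers\\dcrypt.sys"},
    {"type": "service", "phase": "pre", "name": "dcrypt",
     "image_path": "C:\\Windows\\system32\\drivers\\dcrypt.sys",
     "start": "SERVICE_BOOT_START"},
    {"type": "process", "phase": "pre",
     "cmdline": "cmd /c schtasks /create /TN DefragmentService "
                "/TR \"cmd.exe /c net use >> C:\\DC22\\netuse.txt\" /SC DAILY"},
    {"type": "process", "phase": "pre",
     "cmdline": "cmd /c schtasks /run /TN DefragmentService"},
    {"type": "process", "phase": "pre",
     "cmdline": "cmd.exe /c C:\\DC22\\netpass.exe >> C:\\DC22\\netpass.txt"},
    {"type": "service", "phase": "pre", "name": "DefragmentService",
     "image_path": "C:\\Users\\cuckoo\\AppData\\Local\\Temp\\131.exe 123456",
     "start": "SERVICE_AUTO_START"},
    {"type": "process", "phase": "post", "cmdline": "C:\\DC22\\Mount.exe"},
    {"type": "process", "phase": "post",
     "cmdline": "C:\\DC22\\dccon.exe -boot setmbr hd0"},
    {"type": "process", "phase": "post",
     "cmdline": "C:\\DC22\\dccon.exe -encrypt pt0 -p 123456"},
    {"type": "process", "phase": "post",
     "cmdline": "C:\\DC22\\dccon.exe -encrypt pt1 -p 123456"},
]


def _cmd(ev):
    return ev.get("cmdline", "").lower()


def _path(ev):
    return ev.get("path", "").lower()


# (indicator, weight, predicate). Weights are illustrative choices made here:
# persistence and credential harvesting outweigh the staging directory, and
# the two post-reboot dccon.exe actions are what make the sample ransomware.
RULES = [
    ("dc22_staging_dir", 1,
     lambda e: e["type"] == "file" and _path(e).startswith("c:\\dc22\\")),
    ("diskcryptor_driver_drop", 2,
     lambda e: e["type"] == "file"
     and _path(e).endswith("\\drivers\\dcrypt.sys")),
    ("boot_start_driver_service", 2,
     lambda e: e["type"] == "service" and e["start"] == "SERVICE_BOOT_START"
     and e["image_path"].lower().endswith("dcrypt.sys")),
    ("schtasks_defragmentservice", 2,
     lambda e: e["type"] == "process" and re.search(
         r"schtasks\s+/create\b.*\s/tn\s+defragmentservice\b", _cmd(e))),
    ("netpass_credential_harvest", 3,
     lambda e: e["type"] == "process" and "netpass.exe" in _cmd(e)),
    ("auto_start_service_from_temp", 3,
     lambda e: e["type"] == "service" and e["start"] == "SERVICE_AUTO_START"
     and "\\appdata\\local\\temp\\" in e["image_path"].lower()),
    ("mbr_overwrite", 4,
     lambda e: e["type"] == "process" and "dccon.exe" in _cmd(e)
     and "-boot setmbr" in _cmd(e)),
    ("partition_encryption", 4,
     lambda e: e["type"] == "process" and "dccon.exe" in _cmd(e)
     and re.search(r"-encrypt\s+pt\d+", _cmd(e))),
]


def triage(events):
    """Return matched indicators (with phases), weighted score and verdict."""
    seen = defaultdict(set)
    for ev in events:
        for name, _w, pred in RULES:
            if pred(ev):
                seen[name].add(ev["phase"])
    weight = {name: w for name, w, _ in RULES}
    score = sum(weight[n] for n in seen)
    # Score reachable from pre-reboot evidence only, i.e. what Cuckoo captures.
    pre_score = sum(weight[n] for n, p in seen.items() if "pre" in p)
    if score >= 8:
        verdict = "ransomware-like (Mamba/HDDCryptor pattern)"
    elif score >= 4:
        verdict = "suspicious"
    else:
        verdict = "no match"
    return {"indicators": {n: sorted(p) for n, p in sorted(seen.items())},
            "score": score, "pre_reboot_score": pre_score, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("indicators:", ", ".join(result["indicators"]))
    print("score", result["score"], "pre-reboot only", result["pre_reboot_score"])
    print("verdict:", result["verdict"])
```

Running triage() on the pre-reboot events alone still reaches a score of 13, so the driver, service and netpass chain that Cuckoo does see is enough to flag the sample before the MBR is touched.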
6 Conclusions
In this report we have looked at a particular family of malware, ransomware, by
describing its general characteristics and by focusing our analysis on how it operates
with respect to persistence. In fact, we have covered all the persistence aspects proposed:
With the first sample, Jigsaw, we have seen:
• creation or modification of registry keys
• files in startup locations
With the second sample, Mamba, we have seen:
• Windows Services
• Master Boot Record
In addition to those, we have addressed other aspects which are outside the field of
persistence but are relevant in the case of ransomware:
• use of psychological techniques to induce the victim to pay the ransom (JigSaw)
• use of modified freeware and legal tools to perform illegal operations (Mamba)
From my point of view, another interesting aspect which comes out of our analysis
concerns the Cuckoo Sandbox. In particular, I have tried several versions but none has
been able to continue its dynamic analysis after a system reboot. I think this is an
important problem because nowadays malware often uses advanced techniques to reboot
the system. I bypassed this problem by continuing the analysis with other tools such as
Process Monitor, but in my opinion it would be very good if the developers solved
this problem in the future.
In conclusion, we have to say that in the case of ransomware there are also other
interesting topics that can be analyzed, but they were not the focus of this report, for
example:
• Command and Control: to study whether and how the malware communicates with a
C&C in order to exchange keys or other information.
• Payment of the ransom: to understand the relationship between the type of
ransomware and the payment method, or whether there is some connection between the
number of encrypted files and the amount of the ransom.
• File decryptor tool: to try an available decryptor tool in order to learn whether and how
it works.
References
[1] Paul Ducklin. Mamba ransomware strikes at your whole disk, not just your files. Ed. by nakedsecurity.sophos.com. URL: https://nakedsecurity.sophos.com/2016/09/27/mamba-ransomware-strikes-at-your-whole-disk-not-just-your-files/.
[2] Hon Lau, Kevin Savage, Peter Coogan. The evolution of ransomware. Ed. by Symantec. URL: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf.
[3] Daniele Mondelli. Ransomware Jigsaw, un'analisi tecnica e comportamentale. Ed. by Ransomware.it. URL: http://www.ransomware.it/ransomware-jigsaw-analisi-tecnica-comportamentale.
[4] Pierluigi Paganini. Mamba: The new Full Disk Encryption Ransomware Family Member. Ed. by securityaffairs.co. URL: http://securityaffairs.co/wordpress/51314/malware/mamba-ransomware.html.
[5] William Gamazo Sanchez, Stephen Hilt. BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs. Ed. by blog.trendmicro.com. URL: http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/.
[6] Jasen Sumalapao. New Crypto-Ransomware JIGSAW Plays Nasty Games. Ed. by blog.trendmicro.com. URL: http://blog.trendmicro.com/trendlabs-security-intelligence/jigsaw-ransomware-plays-games-victims/.
23

More Related Content

Similar to Malware Analysis: Ransomware

Report_Ruag-Espionage-Case
Report_Ruag-Espionage-CaseReport_Ruag-Espionage-Case
Report_Ruag-Espionage-CaseAlexander Rogan
 
Agentless Monitoring with AdRem Software's NetCrunch 7
Agentless Monitoring with AdRem Software's NetCrunch 7Agentless Monitoring with AdRem Software's NetCrunch 7
Agentless Monitoring with AdRem Software's NetCrunch 7Hamza Lazaar
 
Malware Analysis
Malware Analysis Malware Analysis
Malware Analysis
MichaelRodriguesdosS1
 
Auditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase IIAuditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase II
Chema Alonso
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...UltraUploader
 
DM_DanielDias_2020_MEI.pdf
DM_DanielDias_2020_MEI.pdfDM_DanielDias_2020_MEI.pdf
DM_DanielDias_2020_MEI.pdf
Muthusankaranarayana1
 
Comparative Analysis of Personal Firewalls
Comparative Analysis of Personal FirewallsComparative Analysis of Personal Firewalls
Comparative Analysis of Personal Firewalls
Andrej Šimko
 
Stuxnet under the_microscope
Stuxnet under the_microscopeStuxnet under the_microscope
Stuxnet under the_microscope
hiepnhatrang
 
Software bill of materials: strumenti e analisi di progetti open source dell’...
Software bill of materials: strumenti e analisi di progetti open source dell’...Software bill of materials: strumenti e analisi di progetti open source dell’...
Software bill of materials: strumenti e analisi di progetti open source dell’...
FedericoBoni3
 
Anomaly_Analysis_of_OpenStack_Firewall_Polices_Report
Anomaly_Analysis_of_OpenStack_Firewall_Polices_ReportAnomaly_Analysis_of_OpenStack_Firewall_Polices_Report
Anomaly_Analysis_of_OpenStack_Firewall_Polices_ReportCiaran McDonald
 
Using gsm sim authentication in vp ns
Using gsm sim authentication in vp nsUsing gsm sim authentication in vp ns
Using gsm sim authentication in vp ns
Jamal Meselmani
 
Srs
SrsSrs
bonino_thesis_final
bonino_thesis_finalbonino_thesis_final
bonino_thesis_finalDario Bonino
 
AWS Pentesting
AWS PentestingAWS Pentesting
AWS Pentesting
MichaelRodriguesdosS1
 
Nominum 2017 Spring Data Revelations Security Report
Nominum 2017 Spring Data Revelations Security ReportNominum 2017 Spring Data Revelations Security Report
Nominum 2017 Spring Data Revelations Security Report
Yuriy Yuzifovich
 
Report on e-Notice App (An Android Application)
Report on e-Notice App (An Android Application)Report on e-Notice App (An Android Application)
Report on e-Notice App (An Android Application)Priyanka Kapoor
 
Challenges in VoIP Systems - Mostafa Ahmed Mostafa El Beheiry - First Draft F...
Challenges in VoIP Systems - Mostafa Ahmed Mostafa El Beheiry - First Draft F...Challenges in VoIP Systems - Mostafa Ahmed Mostafa El Beheiry - First Draft F...
Challenges in VoIP Systems - Mostafa Ahmed Mostafa El Beheiry - First Draft F...Mostafa El-Beheiry
 
Master's Thesis
Master's ThesisMaster's Thesis
Master's Thesis
Sridhar Mamella
 

Similar to Malware Analysis: Ransomware (20)

Report_Ruag-Espionage-Case
Report_Ruag-Espionage-CaseReport_Ruag-Espionage-Case
Report_Ruag-Espionage-Case
 
Agentless Monitoring with AdRem Software's NetCrunch 7
Agentless Monitoring with AdRem Software's NetCrunch 7Agentless Monitoring with AdRem Software's NetCrunch 7
Agentless Monitoring with AdRem Software's NetCrunch 7
 
Malware Analysis
Malware Analysis Malware Analysis
Malware Analysis
 
Auditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase IIAuditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase II
 
Computing security
Computing securityComputing security
Computing security
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
 
DM_DanielDias_2020_MEI.pdf
DM_DanielDias_2020_MEI.pdfDM_DanielDias_2020_MEI.pdf
DM_DanielDias_2020_MEI.pdf
 
Comparative Analysis of Personal Firewalls
Comparative Analysis of Personal FirewallsComparative Analysis of Personal Firewalls
Comparative Analysis of Personal Firewalls
 
Stuxnet under the_microscope
Stuxnet under the_microscopeStuxnet under the_microscope
Stuxnet under the_microscope
 
Software bill of materials: strumenti e analisi di progetti open source dell’...
Software bill of materials: strumenti e analisi di progetti open source dell’...Software bill of materials: strumenti e analisi di progetti open source dell’...
Software bill of materials: strumenti e analisi di progetti open source dell’...
 
Anomaly_Analysis_of_OpenStack_Firewall_Polices_Report
Anomaly_Analysis_of_OpenStack_Firewall_Polices_ReportAnomaly_Analysis_of_OpenStack_Firewall_Polices_Report
Anomaly_Analysis_of_OpenStack_Firewall_Polices_Report
 
business
businessbusiness
business
 
Using gsm sim authentication in vp ns
Using gsm sim authentication in vp nsUsing gsm sim authentication in vp ns
Using gsm sim authentication in vp ns
 
Srs
SrsSrs
Srs
 
bonino_thesis_final
bonino_thesis_finalbonino_thesis_final
bonino_thesis_final
 
AWS Pentesting
AWS PentestingAWS Pentesting
AWS Pentesting
 
Nominum 2017 Spring Data Revelations Security Report
Nominum 2017 Spring Data Revelations Security ReportNominum 2017 Spring Data Revelations Security Report
Nominum 2017 Spring Data Revelations Security Report
 
Report on e-Notice App (An Android Application)
Report on e-Notice App (An Android Application)Report on e-Notice App (An Android Application)
Report on e-Notice App (An Android Application)
 
Challenges in VoIP Systems - Mostafa Ahmed Mostafa El Beheiry - First Draft F...
Challenges in VoIP Systems - Mostafa Ahmed Mostafa El Beheiry - First Draft F...Challenges in VoIP Systems - Mostafa Ahmed Mostafa El Beheiry - First Draft F...
Challenges in VoIP Systems - Mostafa Ahmed Mostafa El Beheiry - First Draft F...
 
Master's Thesis
Master's ThesisMaster's Thesis
Master's Thesis
 

Recently uploaded

power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
ViniHema
 
HYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generationHYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generation
Robbie Edward Sayers
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
MdTanvirMahtab2
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
AafreenAbuthahir2
 
block diagram and signal flow graph representation
block diagram and signal flow graph representationblock diagram and signal flow graph representation
block diagram and signal flow graph representation
Divya Somashekar
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
Osamah Alsalih
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9)  2007 Full Version       .pdfASME IX(9)  2007 Full Version       .pdf
ASME IX(9) 2007 Full Version .pdf
AhmedHussein950959
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
Jayaprasanna4
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
Kamal Acharya
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Dr.Costas Sachpazis
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
bakpo1
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
Pratik Pawar
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Sreedhar Chowdam
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
SamSarthak3
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
fxintegritypublishin
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
R&R Consult
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
Kamal Acharya
 
road safety engineering r s e unit 3.pdf
road safety engineering  r s e unit 3.pdfroad safety engineering  r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
VENKATESHvenky89705
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
gdsczhcet
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
AJAYKUMARPUND1
 

Recently uploaded (20)

power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
 
HYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generationHYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generation
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
 
block diagram and signal flow graph representation
block diagram and signal flow graph representationblock diagram and signal flow graph representation
block diagram and signal flow graph representation
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9)  2007 Full Version       .pdfASME IX(9)  2007 Full Version       .pdf
ASME IX(9) 2007 Full Version .pdf
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
 
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
一比一原版(SFU毕业证)西蒙菲莎大学毕业证成绩单如何办理
 
weather web application report.pdf
weather web application report.pdfweather web application report.pdf
weather web application report.pdf
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
 
road safety engineering r s e unit 3.pdf
road safety engineering  r s e unit 3.pdfroad safety engineering  r s e unit 3.pdf
road safety engineering r s e unit 3.pdf
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
 

Malware Analysis: Ransomware

  • 1. Facolt`a di Ingegneria dell’Informazione, Informatica e Statistica MSc in Engineering in Computer Science Systems and Enterprise Security Final project A.Y. 2016/2017 Malware Analysis Professor: Leonardo Querzoni Student: Davide Piccardi 1379602
  • 2. Contents 1 Abstract 1 2 Introduction 2 2.1 Malware samples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.2 Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 3 Ransomware 3 3.1 Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1.1 Locker Ransomware . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1.2 Crypto Ransomware . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2 Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2.1 Screen locking . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2.2 File encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.3 Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.4 Propagation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.4.1 Traffic distribution system . . . . . . . . . . . . . . . . . . . . . . 6 3.4.2 Malvertisement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.4.3 Spam email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.4.4 Downloaders & botnets . . . . . . . . . . . . . . . . . . . . . . . 6 3.4.5 Social engineering and self-propagation . . . . . . . . . . . . . . 6 3.4.6 Affiliate schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.5 Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.5.1 Home users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.5.2 Private Company . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.5.3 Public agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4 JigSaw 8 4.1 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.2 Sample . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.3 Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.3.1 PE Information . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . 8 4.3.2 Version Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.3.3 Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.3.4 Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.4 Dynamic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.4.1 Behavioural analysis . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.5 Analysis outcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 5 Mamba 12 5.1 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5.2 Sample . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5.3 Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5.3.1 PE Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 5.3.2 Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 5.3.3 Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 5.3.4 Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 5.4 Dynamic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 5.4.1 Practical Execution . . . . . . . . . . . . . . . . . . . . . . . . . 14 5.4.2 Behavioural analysis . . . . . . . . . . . . . . . . . . . . . . . . . 16 1
  • 3. 5.5 Analysis outcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 6 Conclusions 22 i
  • 4. 1 Abstract The main objective of this project is to exploit the knowledge gained in the theoretical part of the course of System and Enterprise Security and go into detail of one of the most important issues in the field of cybersecurity: the Malware Analysis. The approach used to treat a subject so vast, has been to focus on the study of a particular aspect of a malware in order to understand different techniques used by them to achieve the same result. The proposals were: • Persistence (creation or modification of registry keys, file in startup locations, Windows Services, Master Boot Record [MBR] or BIOS) • Command & Control (Domain, Internet Relay Chat, Peer-to-Peer) • Data Exfiltration (transmission over the C&C communication channel, over alternative protocol, like FTP, SMTP, HTTP/S and DNS) • Simple Binary Modifications (packing, encryption, self-modifying code) • Debugger Techniques Detection (hardware breakpoints, operating system in debug mode, CPU flags) The direction taken by my work has been driven by self-interest to a particular category of malware: the ransomware. As I shall explain later, this type of malware, in addition to marry very well with the first point of the list above, has a number of features that make it very interesting from my point of view. For example because it uses encryption, bitcoin and Tor is evident that concerns many aspects of security. More in general, just by reading reports of the main cybersecurity companies it’s clear that this is a real problem which affects thousands of companies (even in Italy) and causing damage for millions of dollars 1
  • 5. 2 Introduction This report is divided into two main sections. The first one describes several general aspects about ransomware: how they work, how they propagate, what are their targets and what are the most important cases in the last years. The second one consists in the static and dynamic analysis of two samples selected by me. Before going into detail, we see some information about the samples and the tools used. 2.1 Malware samples All the samples that I have used in this project, are taken from the web. In my case, I found very useful resources as: • https://github.com/ytisf/theZoo • https://www.hybrid-analysis.com/ • https://virusshare.com/ • http://malwaredb.malekal.com/ They allow to perform different types of searching over a large set of malware and to download them (some requires registration). In some cases, they provide also a proprietary sandbox or there is a reference to a more important service like VirusTotal. 2.2 Utilities In order to perform the analysis described in this project, I used some tools and pro- grams. For example: • PEframe: used to produce the static analysis part of the report. • Virtualbox: used to virtualize a Linux and a Windows system. The first allows us to use the cuckoo sandbox and other tools while the second is used to run the malware. • Cuckoo Sandbox: used to produce a report about various aspects of the chosen malware. • Process Monitor: used to monitor Windows and show real-time file system, Registry and process/thread activity. 2
  • 6. 3 Ransomware Ransom malware or ransomware is a threat that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. We can distinguish two main forms of ransomware in circulation today: • Locker(computer locker): Denies access to the computer or device. • Crypto(data locker): Prevents access to files or data. They have similar objectives,but the approaches taken by each type are quite different. Obviously, big security companies are interested about ransomware therefore we can find a lot of useful documentation [2]. 3.1 Types 3.1.1 Locker Ransomware Locker ransomware is designed to deny access to computing resources. This typically takes the form of locking the computer’s or device’s user interface and then asking the user to pay a fee in order to restore access to it. Locked computers will often be left with limited capabilities, such as only allowing the user to interact with the ransomware and pay the ransom. The most important feature is that it prevents access to the computer’s interface but it leaves the underlying system and files untouched. This means that the malware could potentially be removed without damage. Therefore, locker ransomware are less effective at extracting ransom payments compared with the other type. Because locker ransomware can usually be removed cleanly, it tends to be the type of ransomware that goes to great lengths to incorporate social-engineering techniques to pressure victims into paying. Often it masquerades as law enforcement authorities and claims to issue fines to users for alleged on-line indiscretions or criminal activities. 3.1.2 Crypto Ransomware Crypto ransomware is designed to find and encrypt valuable data stored on the com- puter, making the data useless unless the user obtains the decryption key. 
The creators of crypto ransomware know that data stored on personal computers is likely to be im- portant to users and they also know that many users are not aware of the need to create backups. After installation, a typical crypto ransomware threat quietly searches for and encrypts 3
  • 7. files. Its goal is to stay below the radar until it can find and encrypt all of the files that could be of value to the user. By the time the victim is presented with the malware’s message that informs them that their data is encrypted, the damage is already done. With most crypto ransomware infections, the affected computer continues to work nor- mally, as the malware does not target critical system files or deny access to the computers functionality. This means that users can still use the computer to perform a range of activities apart from accessing the data that has been encrypted. 3.2 Techniques While all ransomware types are designed to extort money from their victims, they can be quite different both operationally and technically. Despite this, now we will see a description of the operation which characterizes the two types of ransomware described above. 3.2.1 Screen locking The main operation performed by a locker ransomware is the screen locking. It can be implemented in very different ways but the most important is the windows locker. Windows locker The ransomware displays a full screen window that covers the entire desktop to display its message. It may create the window itself or use a browser window in full screen mode to show their ransom message. The window is usually shown as the only window on a new virtual desktop that the ransomware creates and makes active. The ransomware may use a background thread to monitor the systems desktops and ensure that their one is kept active and on top. The contents of the messages are occasionally included in the ransomware executable itself but it is more common for the ransomware to download the contents from the attackers server. This allows the attackers to serve localized messages using language and law-enforcement images relevant to the country where the infection has occurred. 3.2.2 File encryption The main operation performed by a crypto ransomware is file encryption. 
It can be implemented using three different schemes: symmetric key, asymmetric key, or a combination of the two.

Symmetric key

A single key is used to encrypt the data and the same key is used to decrypt the encrypted data. Knowing the key allows the user to decrypt data that has been encrypted with the same key. Ransomware using symmetric encryption will usually generate a key on the infected computer and send it to the attacker, or request a key from the attacker, before encrypting the user's files. From the attacker's point of view, it is important to ensure that the key is not available to the user after their files have been encrypted; otherwise the user might be able to decrypt them without paying. The advantage of symmetric encryption algorithms is that they are generally much faster than asymmetric algorithms and use small keys (typically 256-bit). A typical crypto ransomware has to quickly search for and encrypt a large number of files, so performance is essential to encrypt the files before the victim can discover the threat's activities.
Asymmetric key

A public key is used to encrypt the data and a private key is used to decrypt the encrypted data. Knowing the public key does not allow you to decrypt files encrypted with it. Ransomware using asymmetric encryption will usually encrypt the user's files with the public key, while the private key is kept secret by the attacker. From the attacker's point of view, there is no need to protect the public key, because knowing it does not allow the affected users to decrypt their files. As said before, the main drawback of asymmetric encryption is that the process is slow: it may require a lot of time, which introduces the risk that the activity is discovered before its completion.

Symmetric and asymmetric key

More advanced crypto ransomware typically uses a combination of symmetric and asymmetric encryption techniques. The variants that use asymmetric encryption may also generate a specific public-private key pair for each infected computer. This allows the attacker to decrypt files on one infected computer without revealing a private key that could potentially also be used to decrypt files on every other computer infected using the same public key.

3.3 Timeline

The previous picture is a good representation of the evolution of ransomware in recent years. As we can imagine, there is a huge number of ransomware variants, but those reported here are surely the most relevant in terms of diffusion.
3.4 Propagation

One of the first questions many victims ask is "how did I get infected with ransomware?" While it is not always immediately clear, the infection method for ransomware follows the same modus operandi used by cybercriminals to infect victims with any malware. Let's see some of them:

3.4.1 Traffic distribution system

A common method used by these distribution services is to buy redirected web traffic from a Traffic Distribution Service (TDS) vendor and point it to a site hosting an exploit kit. In many cases, the redirected traffic originates from adult content-related websites. If the exploit kit succeeds in exploiting a vulnerability on the visiting victim's computer, it can lead to what is commonly referred to as a drive-by download of malware.

3.4.2 Malvertisement

Similarly, malicious advertisements, known as malvertisements, can get pushed onto legitimate websites in order to redirect traffic to a site hosting an exploit kit.

3.4.3 Spam email

The spam usually comes in the form of an email containing a malicious attachment or a link leading to a site hosting an exploit kit. The spam may also involve the download of malware through other social-engineering means. Spam emails embody a whole range of social-engineering and psychological levers to trick users into installing the ransomware.

3.4.4 Downloaders & botnets

Once a downloader infects a computer, its job is to download secondary malware onto the compromised system. The cybercriminals behind downloaders earn money by offering other malware authors a malware-installation service onto already compromised computers. Trojan botnets have also been known to download ransomware onto the computers they have infected.

3.4.5 Social engineering and self-propagation

Some ransomware also contains functionality to spread.
Self-propagation is potentially an effective way for the ransomware to spread itself, but it does cause problems for the cybercriminals who are hoping for a ransom to be paid. This is because nobody will be willing to pay if the same gang continues to demand ransom payment after payment.

3.4.6 Affiliate schemes

Cybercriminals who have paid attention to the growing interest in ransomware have started to provide services to those who wish to carry out these attacks, effectively providing ransomware-as-a-service (RaaS). They offer a way to buy into the growing ransomware scene without needing the skills to create a ransomware or to maintain and run the operations. Affiliate schemes can offer members a substantial cut of the profits from each ransomware infection, making it a strong incentive. The task of an affiliate member is to spread the ransomware as far and wide as possible to maximize the chances of extracting a ransom. This offers the RaaS vendor a better opportunity to get their ransomware to a wider group of potential victims, letting them focus on developing and enhancing the ransomware and leaving the propagation to others.

3.5 Targets

The cybercriminals behind ransomware do not particularly care who their victims are, as long as they are willing to pay the ransom. With this in mind, it is easy to see why the cybercriminals tend to take a scatter-gun approach to propagating the ransomware, casting a wide net across targeted regions and types of users.

3.5.1 Home users

Ransomware is perhaps most effective against individuals who are not fluent with computers or are not familiar with ransomware and how it works. The most common group that we see impacted by ransomware is the home user, who often has the least access to technical assistance. Home users often have sensitive information, files, and documents that are personally valuable stored on the computer, such as college projects, photos, and video game save files. Despite these things being of value to users, they are still unlikely to have an effective backup strategy. This means users are potentially leaving themselves exposed in the event of a ransomware attack.

3.5.2 Private Company

For many businesses, information and the technology to use it are their lifeblood, without which conducting day-to-day business is impossible. Consider a retailer running a computerized point-of-sale (POS) system. If the POS system were unavailable due to a ransomware infection, the retailer would not be in a position to transact sales.
Business computers are also more likely to contain sensitive data and documents of critical importance, such as customer databases, business plans, proposals, reports, source code, forms, and tax compliance documents. The loss of this information could have a catastrophic impact on the business. While many companies have backup and disaster recovery plans, there are still many who do not.

3.5.3 Public agencies

Public agencies such as educational institutes and even law enforcement entities are not excluded from the attention of these cybercriminals and, in some cases, they may be specifically targeted.
4 JigSaw

4.1 Description

JigSaw is a crypto ransomware whose behaviour and appearance are inspired by the famous horror film Saw. It "plays" with users by encrypting and deleting their files every hour until they pay the ransom. This is the classic case in which the attacker is concerned not only with carrying out the attack but also with acting on the user's psychology to induce them to pay. As we can see from the picture above, the screen shown by the ransomware once encryption is complete is quite particular. In fact, in addition to the classic message explaining to the victim what happened and how to solve it, there are also a clock and an image of the film's protagonist.

4.2 Sample

In my analysis I have used the sample which is available at the following URL: https://github.com/ytisf/theZoo/tree/master/malwares/Source/Original/Ransomware.Jigsaw . Here is some basic information about the file:

File name: jigsaw.exe
File size: 290304 bytes
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
CRC32: 3C351D58
MD5: 2773e3dc59472296cb0024ba7715a64e
SHA1: 27d99fbca067f478bb91cdbcb92f13a828b00859
SHA256: 3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

4.3 Static Analysis

Usually, in the case of a ransomware, dynamic analysis is more important than static analysis. Nevertheless, for this particular sample, the static part is also useful because it reveals some relevant information.

4.3.1 PE Information

Compile Time: 2016-03-31 08:28:14

From this we know that the file is not so recent.
4.3.2 Version Info

LegalCopyright: Copyright 1999-2012 Firefox and Mozzilla developers.
InternalName: BitcoinBlackmailer.exe
ProductName: Firefox
OriginalFileName: BitcoinBlackmailer.exe

From these we start to suspect something even if we don't know that the file is a malware. In fact, it is quite strange that a regular Firefox product has "BitcoinBlackmailer" as its real name.

4.3.3 Strings

Operations: BitcoinBlackmailer.exe, Jigsaw, Hacking, Locker, Windows, RansomUsd, DeleteFiles, GetBitcoinAddess, EncryptionFileExtension, MaxFilesizeToEncryptInBytes, EncryptionPassword, EncryptedFileListPath, EncryptedFiles, EncryptFile, DecryptFile, SymmetricAlgorithm, CryptoStream, CryptoStreamMode, StartupMethod, SetStartupFolder, SetStartupRegistry, RemoveStartupRegistry.

From these we can deduce that the file works with: bitcoin, encryption, files, startup folder and registry.

Messages: "Your computer files have been encrypted. Your photos, videos, documents, etc...", "But, don't worry! I have not deleted them, yet.", "You did not sent me enough! Try again!", "Are you connected to the internet? Try again!", "Great job, I'm decrypting your files...", "Decrypting your files. It will take for a while. After done I will close and completely remove myself from your computer."

From these we can see that all the strings used on the screen shown by the malware are stored in clear (for simplicity, I reported only some of them). There are also other interesting strings which regard the messages shown after the payment procedure. By reading them we might think that the malware will decrypt our files if we pay the ransom, but in most cases this is not the best solution.
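The static checks used in sections 4.2 and 4.3 (file hashes, the PE compile time, printable strings and the keyword hints drawn from them) can be scripted. The following is an added example, not code from the report or from any tool it mentions: a stand-alone triage script that uses only the Python standard library. Because the sample itself is not reproduced here, the script builds a constructed PE-like byte blob whose COFF TimeDateStamp is set to the compile time reported in 4.3.1 and which embeds two of the strings listed in 4.3.3; the digests it prints are those of the constructed blob, not of jigsaw.exe, and the keyword list is an assumption modelled on the strings above.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# Constructed compile time: 2016-03-31 08:28:14 UTC as a Unix timestamp,
# chosen to match the value reported in section 4.3.1. The blob built
# below is a stand-in, not the jigsaw.exe sample.
COMPILE_TS = 1459412894

# Assumed keyword hints, modelled on the kind of strings listed in 4.3.3.
SUSPICIOUS_KEYWORDS = ("bitcoin", "ransom", "encrypt", "decrypt", "startup",
                       "registry", "locker")


def build_sample_pe(timestamp=COMPILE_TS,
                    strings=(b"BitcoinBlackmailer.exe", b"EncryptionPassword")):
    """Build a minimal constructed PE-like blob: DOS header, DOS stub,
    PE signature and COFF file header, then NUL-separated strings that
    stand in for the binary's string table."""
    pe_offset = 0x80
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"                               # IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos_header, 0x3C, pe_offset)  # e_lfanew
    dos_stub = b"This program cannot be run in DOS mode.\r\n$"
    padding = b"\x00" * (pe_offset - len(dos_header) - len(dos_stub))
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    body = b"\x00".join(strings) + b"\x00"
    return bytes(dos_header) + dos_stub + padding + b"PE\x00\x00" + coff + body


def is_pe(data):
    """True if the data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def pe_timestamp(data):
    """Return the COFF TimeDateStamp (seconds since the Unix epoch)."""
    if not is_pe(data):
        raise ValueError("not a PE file")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    # The COFF header follows the 4-byte signature; TimeDateStamp is its
    # third field, after Machine (2 bytes) and NumberOfSections (2 bytes).
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, pe_offset + 4)
    return timestamp


def format_timestamp(timestamp):
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def file_hashes(data):
    """MD5/SHA1/SHA256, the same digests the report lists for each sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def ascii_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data):
    """Combine the static checks into one report dictionary."""
    found = ascii_strings(data)
    flagged = sorted({s for s in found
                      if any(k in s.lower() for k in SUSPICIOUS_KEYWORDS)})
    return {
        "hashes": file_hashes(data),
        "compile_time": format_timestamp(pe_timestamp(data)),
        "strings": found,
        "flagged": flagged,
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(key, value)
```

Run against a real file, `triage(open(path, "rb").read())` gives the same four fields the report fills in by hand; the keyword match is only a hint for the analyst, since the strings also reveal the .NET class and method names (CryptoStream, SetStartupRegistry) that guide the dynamic analysis.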
4.3.4 Antivirus

AVG: Ransom.Jighead
Avira: TR/FileCoder.aqne
Kaspersky: Trojan-Ransom.Win32.Agent.iqf
Malwarebytes: Ransom.Jigsaw
McAfee: Generic.ys
Microsoft: Ransom:MSIL/JigsawLocker.A
Symantec: Ransom.Jigsaw
TrendMicro: Ransom JIGSAW.SM

From this we can see that the file is recognized as a ransomware by the most common antivirus products.

4.4 Dynamic Analysis

4.4.1 Behavioural analysis

In this part of the analysis we reconstruct how the malware works by inspecting the "Behavioural Analysis" section of the report obtained by submitting the sample to the Cuckoo Sandbox. The first thing that we can see is that we obtain the following process tree:

Therefore it is clear that the malware replicates itself, but this is only a partial picture of the story.

jigsaw.exe

In order to see what really happens, we have to inspect the filesystem and the registry keys. By analysing them, the most important information we obtain is the following:

jigsaw.exe replicates itself in the directory C:/Users/cuckoo/AppData/Roaming/Frfx with the name "firefox.exe". It also sets a specific registry key that installs it for autorun at Windows startup.

jigsaw.exe replicates itself in the directory C:/Users/cuckoo/AppData/Local/Drpbx with the name "drpbx.exe".

Thanks to this we know that firefox.exe and drpbx.exe are the same replica of the malware, but the first is activated only after a system reboot, while the second is launched immediately and executes the encryption process. We can see this by going down the process tree.

drpbx.exe

For this process, we have a lot of crypto operations such as the following:
By looking at the second row of the table, we can notice that, in this case, the file which is going to be encrypted is a file belonging to the Python library. The result of the malware execution is that all non-essential files are encrypted and have a ".fun" extension. Obviously, they are no longer accessible by the victims.

firefox.exe

We could ask ourselves why "firefox.exe" is not in the process tree shown before. This is because this specific process is started only when the system restarts, which is not part of the test procedure performed by the Cuckoo Sandbox. In this case it is useless to use other tools to analyse the behaviour after the reboot of the system, because we know that firefox.exe and drpbx.exe are the same replica of the malware.

4.5 Analysis outcome

In conclusion, we can summarize what the malware does with the following points:

• It replicates itself with two files: "drpbx.exe" and "firefox.exe".
• It modifies registry keys to launch itself at Windows startup.
• It uses the CryptEncrypt API to perform the encryption operations.

By reading some articles [3] [6] we can say that our analysis covers all the main features of this particular malware.
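The behaviour observed for drpbx.exe, a single process rewriting many user files in a short time and giving each one a ".fun" extension, is exactly the pattern that behavioural ransomware detection keys on. The following is an added example, not code from the report or from Cuckoo: a sliding-window detector run over constructed file-activity events. The event format (timestamp, pid, process name, operation, path) and the sample events are assumptions modelled on the description above; the heuristic flags any process that, within a time window, writes at least a threshold number of files that carry the same appended extension, while ignoring single double-extension files such as archives.

```python
from collections import defaultdict, deque

# Constructed file-activity events: (timestamp_seconds, pid, process, op, path).
# They imitate what the Cuckoo report in the text describes for drpbx.exe
# (user files rewritten with a ".fun" extension) but are not taken from it.
SAMPLE_EVENTS = []
for i, doc in enumerate(["thesis.docx", "holiday.jpg", "budget.xlsx",
                         "save01.sav", "notes.txt", "family.mp4"]):
    base = "C:/Users/cuckoo/Documents/" + doc
    SAMPLE_EVENTS.append((0.3 * i, 1200, "drpbx.exe", "write", base + ".fun"))
    SAMPLE_EVENTS.append((0.3 * i + 0.05, 1200, "drpbx.exe", "delete", base))
SAMPLE_EVENTS += [
    # Benign activity that must not trigger: one double-extension archive
    # and a plain text file.
    (1.0, 800, "explorer.exe", "write", "C:/Users/cuckoo/Downloads/backup.tar.gz"),
    (1.5, 900, "notepad.exe", "write", "C:/Users/cuckoo/Desktop/todo.txt"),
]


def split_double_extension(path):
    """Return (inner, outer) extensions: 'thesis.docx.fun' -> ('docx', 'fun'),
    'todo.txt' -> ('txt', None), 'README' -> (None, None)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.split(".")
    if len(parts) >= 3:
        return parts[-2].lower(), parts[-1].lower()
    if len(parts) == 2:
        return parts[-1].lower(), None
    return None, None


def detect_mass_encryption(events, window=10.0, threshold=5):
    """Flag any process that, within `window` seconds, writes at least
    `threshold` files carrying the same appended (outer) extension.
    Returns {(pid, process): (extension, count_in_window)}."""
    recent = defaultdict(deque)   # (pid, process, ext) -> timestamps in window
    alerts = {}
    for ts, pid, proc, op, path in sorted(events):
        if op not in ("write", "rename"):
            continue
        _inner, outer = split_double_extension(path)
        if outer is None:
            continue
        stamps = recent[(pid, proc, outer)]
        stamps.append(ts)
        while stamps and ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= threshold:
            alerts[(pid, proc)] = (outer, len(stamps))
    return alerts


if __name__ == "__main__":
    for (pid, proc), (ext, count) in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} {proc}: {count} files given .{ext} within window")
```

The window and threshold are the tuning knobs: the text notes that crypto ransomware must encrypt quickly before it is noticed, so a short window with a modest threshold catches it early, while the double-extension requirement keeps ordinary editors (which write files with their usual single extension) out of the alert.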
5 Mamba

5.1 Description

Mamba is a crypto ransomware which encrypts every disk sector, including the MFT, the operating system, your apps, any shared files and all your personal data. As we will see later in the analysis, it does all of this with very little programming effort: it simply installs and activates a pirated copy of the open source software DiskCryptor. In the picture above there is the screen shown to the victims by the ransomware once encryption is complete and the system is restarted. Simply by reading the message, in particular the part "Missing operating system", we can realize that the damage caused by the malware is significant.

This malware is also famous for the infection of the San Francisco Municipal Transportation Agency (SFMTA); other details about this event can be found in the following interesting article: https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/

5.2 Sample

In my analysis I have used the sample which is available at the following URL: https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.Mamba . Here is some basic information about the file:

File name: 131.exe
File size: 2415104 bytes
File type: PE32 executable (console) Intel 80386, for MS Windows
CRC32: F29D4FCE
MD5: 409d80bb94645fbc4a1fa61c07806883
SHA1: 4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1
SHA256: 2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63

5.3 Static Analysis

As said before, for ransomware, dynamic analysis is more important than static analysis. Nevertheless, also in this case the static part reveals some useful information.
5.3.1 PE Information

Compile Time: 2016-04-24 08:00:40

From this we know that the file is not so recent.

5.3.2 Resources

Name: 32DCAPI.DLL, 64DCAPI.DLL
Description: DiskCryptor API.

Name: 32DCCON.EXE, 64DCCON.EXE
Description: DiskCryptor console.

Name: 32DCRYPT.EXE, 64DCRYPT.EXE
Description: DiskCryptor installer support.

Name: 32DCRYPT.SYS, 64DCRYPT.SYS
Description: DiskCryptor driver.

Name: 32NETPASS.EXE, 64NETPASS.EXE
Description: used to get some credentials from the machine.

Name: MOUNT.EXE
Description: used to manage shared drives.

Note: if we submit them to VirusTotal we obtain that dcapi.dll is detected as Ransom HDDCRYPTOR.SM1, netpass.exe is detected as Ransom HKTL NETPASS and mount.exe is detected as Ransom HDDCRYPTOR.C.

5.3.3 Strings

Operations: DiskCryptor, http://diskcryptor.net/, Booting Method, HDD master boot record, Config Bootloader, Update bootloader, -boot -setmbr hd0, Delete bootloader, you can only use AES to encrypt the boot partition!, Encryption mode, Encrypt Volume, -encrypt pt0 -p , Encryption Progress, Use Hardware Cryptography Support, Decryption, DefragmentService, C://DC22.

From these we can deduce that the file works with: a program called DiskCryptor, the master boot record, the bootloader, encryption, Windows services, and a specific folder called DC22.

Messages: "You are Hacked !!!! Your H.D.D Encrypted , Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 123139".

From these we can see that the string used in the bootloader installed by the malware is stored in clear.

5.3.4 Antivirus

AVG: Generic38.CQB
Avira: TR/Crypt.ZPACK.Gen8
Kaspersky: Trojan-Ransom.Win32.Dcryptor.b
Malwarebytes: Ransom.HDDCryptor
McAfee: GenericR-IJR!409D80BB9464
Microsoft: Ransom:Win32/Mambretor.A
Symantec: Ransom.HDDCryptor
TrendMicro: Ransom HDDCRYPTOR.A
From this we can see that the file is recognized as a ransomware by the most common antivirus products.

5.4 Dynamic Analysis

5.4.1 Practical Execution

Because the malware is articulated, before going into a deep analysis it is useful to understand how it works by showing a high-level practical execution of it on a Windows system.

Step 1

We execute the malware from the cmd with the command "131.exe 123456". We have to do this because it needs an argument to work correctly. The first thing it does is to create the folder "C:/DC22", which contains eight files (some of them are described before in the Resources section of the static analysis part). Then the system is forced to restart by the malware.

Step 2

After the system reboot, the encryption process performed by DiskCryptor starts in stealth mode. We can see this by running on the cmd the commands "dccon -info pt0" and "dccon -info pt1", or directly by opening the DiskCryptor GUI with the executable "dcrypt.exe".
From the picture above we can note that the algorithm used for encryption is AES-512 with XTS mode. At a certain point, a system error occurs (sometimes it takes the form of a BSOD). This corresponds to the fact that the encryption process has completed its work, and if we start the system again we obtain the message shown at the beginning of the analysis. If we stop the encryption process before the system crashes, we can use the DiskCryptor GUI to obtain other useful information, in particular about the bootloader. As we can see in the two pictures above, the bootloader is placed in the HDD master boot record, in particular in a device called "HardDisk 0". Simply by opening its configuration file, we can discover that this bootloader is a modified version installed by the malware.

Log

Very useful information, in terms of analysis, is provided by a file called "log file" located in the "DC22" folder seen before. Here we can find a sort of log report produced by the malware during its execution.
This is important information for us because we can understand roughly how the malware works without using other analysis tools. In fact, from this file we also know that the malware:

• installs a driver.
• creates and launches a service.
• detects shared drives.
• starts the encryption process.

5.4.2 Behavioural analysis

In this part of the analysis we reconstruct how the malware works by inspecting the "Behavioural Analysis" section of the report obtained by submitting the sample to the Cuckoo Sandbox. The first thing that we can see is that we obtain the following process tree:

131.exe

This is the main process of the malware. Without going into details, just by looking at the process tree we can see that it performs the following operations:

• it launches dcinst.exe
• it uses cmd and schtasks to: create and run a service called DefragmentService, perform the operation "net use" and write the results to a file called "netuse.txt", launch netpass.exe and write its results to a file called "netpass.txt"
Let's look at a detailed behavioural analysis by reporting the most important steps performed by the malware:

First of all, it creates a directory with the path "C:/DC22" and inside it adds a file called dcrypt.sys. It is not reported here, but the malware adds in the same way also the other files described previously.

It writes to "C:/DC22/log file.txt" the log message "installing drivers...".

It gets some information about the mounted partitions and creates a file to manage them.

It launches the process dcinst.exe. We proceed with a quick analysis of it and then continue with the analysis of 131.exe.

dcinst.exe

In practice, it installs a driver; to see this, we report the most important steps performed by this process:
It creates in "C:/Windows/system32/drivers" a copy of the file dcrypt.sys, which is a DiskCryptor driver.

It creates a Windows service called dcrypt which refers to "C:/Windows/system32/drivers/dcrypt.sys". The attribute SERVICE_BOOT_START means that the service is started by the system loader; this value is valid only for driver services.

131.exe (continued)

It writes to "C:/DC22/log file.txt" two log messages: the first is "installing driver successfully...", which tells us that the installation of the driver went well; the second is "getting share drive information...", which tells us that a new phase starts.

It uses cmd with the parameter "/c", which carries out the command specified by the string and then terminates. This string contains "schtasks /create", which is used to create a task on the local or remote computer. In particular, we have the following parameters:

• "/TN DefragmentService", which specifies a name that uniquely identifies the scheduled task.
• "/TR cmd.exe /c net use >> C:/DC22/netuse.txt", which specifies the path and file name of the task to be run. In this case, it uses another cmd to perform a "net use" operation and writes the results into the file "C:/DC22/netuse.txt". This operation retrieves a list of network connections.
• "/SC DAILY", which specifies the schedule frequency.
In a similar way, it uses cmd and schtasks to run and then delete the task "DefragmentService" created before.

It uses cmd and schtasks to launch netpass.exe and writes the results into "C:/DC22/netpass.txt". Netpass is a freeware network password recovery tool which extracts the credentials of the current session.

It writes to "C:/DC22/log file.txt" the log message "Trying to create a service...".

It creates a Windows service called DefragmentService which refers to "C:/Users/cuckoo/AppData/Local/Temp/131.exe 123456". The attribute SERVICE_AUTO_START means that the service is started automatically by the service control manager during system startup.

It writes to "C:/DC22/log file.txt" the log message "creating service successfully. rebooting windows... ".
It forces the system to reboot. At this point, we have a problem with the analysis because the Cuckoo Sandbox does not work well when there is a system reboot. For this reason we continue by using another tool called Process Monitor. In particular, from the previous steps we know there is a specific service which restarts the malware by running the process 131.exe after the reboot. Therefore we start from it.

As we can see in the picture above, it writes some log information to "log file.txt", creates one process for Mount.exe and several other processes with different parameters for dccon.exe. Now, it is interesting to see also what is done by these other processes.

Mount.exe essentially uses the information contained in two files created before: netpass.txt and netuse.txt. In our case it does not execute any particular action because in our virtualized system there are no shared drives. Obviously, it writes some log messages to "log file.txt".
Dccon.exe performs the most important operations which characterize this malware as a ransomware. First of all, it changes the Master Boot Record to display the ransom note. This is done by the first operation shown above, which takes as parameter "-boot setmbr hd0" and subsequently creates some files in that particular location. After that, the encryption process starts through several instances of dccon which take as parameter "-encrypt ptX -p 123456", where "X" is the partition number and "123456" is the argument given at the beginning when we launched the malware.

5.5 Analysis outcome

In conclusion, we can summarize what the malware does with the following points:

• It creates a folder containing some tools that it needs.
• It installs a driver.
• It creates two Windows services: "dcrypt" and "DefragmentService".
• It uses DiskCryptor to modify the bootloader and to perform the encryption operations.

By reading some articles [4] [1] [5] we can say that our analysis covers all the main features of this particular malware.
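The persistence mechanisms found in the two samples (Jigsaw's autorun registry key and startup-folder copy in section 4.4, Mamba's boot-start driver service, auto-start service, scheduled task and MBR rewrite in section 5.4.2) can be recognized mechanically from sandbox events. The following is an added example, not code from the report or from Cuckoo: a small classifier run over constructed events that reuse the paths and names given in the text. The event format, the Run key name (the report only says "a specific registry key") and the startup-folder .lnk event (added to exercise the SetStartupFolder behaviour hinted at by the strings in 4.3.3) are assumptions, marked as such in the comments.

```python
import re
import shlex

# Constructed sandbox-style events (kind, details) reusing the paths and names
# the report gives for Jigsaw (section 4.4) and Mamba (section 5.4.2). The
# event format is an assumption; so are the Run key name (the report only says
# "a specific registry key") and the startup-folder .lnk, which is included
# only to exercise the SetStartupFolder behaviour hinted at by the strings.
SAMPLE_EVENTS = [
    ("file_write", {"path": "C:/Users/cuckoo/AppData/Roaming/Frfx/firefox.exe"}),
    ("registry_set", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                      "value": "firefox.exe",
                      "data": "C:/Users/cuckoo/AppData/Roaming/Frfx/firefox.exe"}),
    ("file_write", {"path": "C:/Users/cuckoo/AppData/Roaming/Microsoft/Windows/"
                            "Start Menu/Programs/Startup/firefox.lnk"}),
    ("file_write", {"path": "C:/Users/cuckoo/AppData/Local/Drpbx/drpbx.exe"}),
    ("file_write", {"path": "C:/Windows/system32/drivers/dcrypt.sys"}),
    ("service_create", {"name": "dcrypt", "start_type": "SERVICE_BOOT_START",
                        "binary": "C:/Windows/system32/drivers/dcrypt.sys"}),
    ("process_create", {"command_line": 'cmd.exe /c schtasks /create /TN DefragmentService '
                                        '/TR "cmd.exe /c net use >> C:/DC22/netuse.txt" /SC DAILY'}),
    ("service_create", {"name": "DefragmentService", "start_type": "SERVICE_AUTO_START",
                        "binary": "C:/Users/cuckoo/AppData/Local/Temp/131.exe 123456"}),
    ("process_create", {"command_line": "dccon.exe -boot -setmbr hd0"}),
    ("file_write", {"path": "C:/Users/cuckoo/Documents/report.txt"}),  # benign write
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
STARTUP_FOLDER_RE = re.compile(r"[\\/]Start Menu[\\/]Programs[\\/]Startup[\\/]", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
SET_MBR_RE = re.compile(r"-setmbr\b", re.I)


def parse_schtasks(command_line):
    """Extract the /TN, /TR and /SC arguments of a schtasks /create command."""
    tokens = shlex.split(command_line)
    args = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok.upper() in ("/TN", "/TR", "/SC"):
            args[tok.upper()] = tokens[i + 1]
    return args


def classify(events):
    """Map each event to a persistence (or pre-boot tampering) category."""
    findings = []
    for kind, d in events:
        if kind == "registry_set" and RUN_KEY_RE.search(d["key"]):
            findings.append(("registry_run_key", d["data"]))
        elif kind == "file_write" and STARTUP_FOLDER_RE.search(d["path"]):
            findings.append(("startup_folder", d["path"]))
        elif kind == "service_create":
            findings.append(("service", f'{d["name"]} [{d["start_type"]}] -> {d["binary"]}'))
        elif kind == "process_create":
            cmd = d["command_line"]
            if SCHTASKS_CREATE_RE.search(cmd):
                t = parse_schtasks(cmd)
                findings.append(("scheduled_task",
                                 f'{t.get("/TN")} ({t.get("/SC")}): {t.get("/TR")}'))
            if SET_MBR_RE.search(cmd):
                findings.append(("mbr_modification", cmd))
    return findings


def summarize(events):
    """Findings plus the dropped executables that a persistence entry points at
    (Jigsaw's pattern: copy itself under AppData, then register that copy)."""
    findings = classify(events)
    dropped = {d["path"].lower() for k, d in events
               if k == "file_write" and d["path"].lower().endswith(".exe")}
    persisted = sorted(p for p in dropped
                       if any(p in payload.lower() for _, payload in findings))
    return {"findings": findings, "persisted_droppers": persisted}


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for category, detail in report["findings"]:
        print(f"{category:18} {detail}")
    print("dropped executables with an autorun entry:", report["persisted_droppers"])
```

The service rule deliberately records the start type, since the report's distinction between SERVICE_BOOT_START (driver loaded by the system loader) and SERVICE_AUTO_START (started by the service control manager) tells the analyst which stage of boot the persistence survives; the MBR rule is the one category that is not persistence in the Windows sense but, as the Mamba analysis shows, the step that makes the system unbootable.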
6 Conclusions

In this report, we have seen a particular family of malware called ransomware, describing their general characteristics and focusing our analysis on how they operate with respect to persistence. We have covered all the persistence aspects proposed; in fact:

With the first sample, Jigsaw, we have seen:

• creation or modification of registry keys
• files in startup locations

With the second sample, Mamba, we have seen:

• Windows services
• Master Boot Record

In addition to those, we have addressed other aspects which are outside the field of persistence but are relevant in the case of ransomware:

• use of psychological techniques to induce the victim to pay the ransom (JigSaw)
• use of modified freeware and legal tools to perform illegal operations (Mamba)

From my point of view, another interesting aspect, which comes out of our analysis, concerns the Cuckoo Sandbox. In particular, I have tried several versions, but none has been able to continue its dynamic analysis after a system reboot. I think this is an important problem because nowadays malware often uses advanced techniques to reboot the system. I bypassed this problem by continuing the analysis with other tools such as Process Monitor, but in my opinion it would be very good if the developers solved this problem in the future.

In conclusion, we have to say that in the case of ransomware there are also other interesting topics that can be analyzed, but they were not the focus of this report, for example:

• Command and Control: to study whether and how the malware communicates with a C&C in order to exchange keys or other information.
• Payment of the ransom: to understand the relationship between the type of ransomware and the payment method, or whether there is some connection between the number of encrypted files and the amount of the ransom.
• File decryptor tool: to try an available decryptor tool in order to know if and how it works.
References

[1] Paul Ducklin. Mamba ransomware strikes at your whole disk, not just your files. nakedsecurity.sophos.com. URL: https://nakedsecurity.sophos.com/2016/09/27/mamba-ransomware-strikes-at-your-whole-disk-not-just-your-files/.
[2] Hon Lau, Kevin Savage, Peter Coogan. The evolution of ransomware. Symantec. URL: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf.
[3] Daniele Mondelli. Ransomware Jigsaw, un'analisi tecnica e comportamentale. Ransomware.it. URL: http://www.ransomware.it/ransomware-jigsaw-analisi-tecnica-comportamentale.
[4] Pierluigi Paganini. Mamba: The new Full Disk Encryption Ransomware Family Member. securityaffairs.co. URL: http://securityaffairs.co/wordpress/51314/malware/mamba-ransomware.html.
[5] William Gamazo Sanchez, Stephen Hilt. BkSoD by Ransomware: HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs. blog.trendmicro.com. URL: http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/.
[6] Jasen Sumalapao. New Crypto-Ransomware JIGSAW Plays Nasty Games. blog.trendmicro.com. URL: http://blog.trendmicro.com/trendlabs-security-intelligence/jigsaw-ransomware-plays-games-victims/.