After last week's analysis on GermanWiper I thought it would be about time to have a Look at Sodinokibi aka REvil, the new weird kid on the block.
According to Cybereason the Sodinokibi Ransomware was written by the same guys who created GandCrab, which is a pretty big deal after GandCrab retired recently. The samples that I'll be looking at today were first dropped in Asia, but it did not take long to reach other continents as well.
A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.
Running it through VirusTotal we get a pretty good detection rate, but that is to be expected since REvil is around for a few days already. Here's a direct Link to the VT Analysis.
Looking at Detect it easy we don't see anything special either. The PE seems to be built with MS Visual Studio 2015 (Linker Version 14).
Entropy-wise we can observe a huge drop near the end of the binary.
The imports definitely indicate that somethings is wrong here. Only loading kernel32.dll with 3 entries is a bit minimalistic for ransomware.
For one to get his/her Hands on the actual PE with an intact/complete IAT there are a couple of possible ways. Sergei Frankoff explained a very fast, but slightly "messy" Method on OALive. I'll try to replay this technique and plan to come back to this sample soon to try and script my way out of this hole.
A dump of the strings in the binary file can be found here. Likewise a sample of the ransomnote dropped as a textfile by the malware is available here.
The Decryptor
Thanks to a businessman who shall remain nameless but decided to pay the ransom we can take a look at the Decryptor V1.3 as well. My feeling about this executable is, that it is being built to order rather than prepared in case a decryption is requested. The tool feels relatively unpolished because of the active debugging, no obfuscation or anti-evasion.
Running it through Detect it Easy there is nothing spectacular going on here. Consistent with the ransomware itself the decryptor was built with Visual Studio 2015 as well. Entropy-wise there are no surprises either at 4.64889.
and you constantly have to apply for jobs. A partial analysis of the "GermanWiper" Ransomware
Today someone posted about a Ransomware attack on the local chat plaform Jodel (don't judge please, as you know the sketchy corners of the web get you the best samples :D) which instantly peaked my interest. What I got was this email and the two attached files. The two attached files Applicant Name - Lebenslauf Aktuell.doc.lnk and Applicant Name - Arbeitszeugnisse Aktuell.doc.lnk are made to look like Microsoft Office...
Back in 2016 Locky was (one of) the first to commercialize the "art" of holding data for ransom. I picked this strain because I would like a bit more of a challenge in terms of obfuscation and anti-disassembly techniques, so strap in for this OG Ransomware
Locky (at least the first few versions) is said to be created by the makers of the Dridex/Cridex banking trojans. For example the spreading mechanism via macros in Word or Excel documents sent out via carefully crafted spear-phishing emails is exactly the same for both of these strains. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with...
After over two years since the inital spread of the ransomware and Malwaretechs sentencing last week I got a bit nostalgic and took a second look at different samples
Since the first wave of infections in May 2017 WannaCry is basically the goto example for the whole ransomware scheme and that is actually a good thing. The potential damage that WannaCry and the variants following the original version would have been massive if it wouldn't have been for Malwaretech, 2sec4u and all the other researchers who helped to contain the spread of ransomware powered by...
Just another collection of links, videos, books and other materials related to RE and Malware Research
I'll update this list regularly to keep it somewhat relevant, so be sure to bookmark this page if you like the contents so far. Books "Reversing: Secrets of Reverse Engineering" by Eldad Eilam "Reversing: secrets of reverse engineering practical reverse engineering: x86, x64, ARM, Windows kernel, Reversing tools, and obfuscation" by Bruce Dang, Alexandre Gazet and Elias Bachaalany "The Shellcoder's Handbook: Discovering and Exploiting Security Holes" by Chris Anley, John Heasman, Felix Lindner and Gerardo Richarte "Hacker Dissassembling Uncovered" by...
Hey there, looks like you somehow found your way onto my new site. If you are into malware analysis, reverse engineering and that sort of jazz have a look around and stay awhile!
Hey there! My Name is Marius Genheimer aka f0wL and I'm a Computer Science Student from Germany. As you can probably tell I like to analyse malware (especially Ransomware) in my spare time.
Looking at Detect it easy we don't see anything special either. The PE seems to be built with MS Visual Studio 2015 (Linker Version 14).
The imports definitely indicate that somethings is wrong here. Only loading kernel32.dll with 3 entries is a bit minimalistic for ransomware.
For one to get his/her Hands on the actual PE with an intact/complete IAT there are a couple of possible ways. Sergei Frankoff explained a very fast, but slightly "messy" Method on OALive. I'll try to replay this technique and plan to come back to this sample soon to try and script my way out of this hole.
