Malware Analysis Report
Introduction
Objectives
The objective of this project is to realize a complete analysis of a malware. The sample we have analyzed is a ransomware called "Urausy".
We will find out how the ransomware works and describe each part of its functionalities.
We'll begin by introducing it, in explaining what a ransomware is, how this one has been caught in the wind and how it spreads over the Internet.
Then we will make a complete analysis of the malware, in explaining
- the anti-forensic part : the crypter, the anti debugging tricks, how it injects itself into other processes;
- how it achieves its persistence;
- the network part : how it communicates with its Command & Control server (C&C);
- the network part : how it communicates with its Command & Control server (C&C);
- the forensic part : how to prevent and "cure" an infected system;
- the encryption routine.
I send my thanks to 0x00 which help me a lot to understand some concepts that I didn't know before.
This is a first try, so don't hesitate to criticize (:
Stage 1 : Packed File
MD5 : 6f8128f6f69e9a14f0e16264fcb880d1
VirusTotal : Detection ratio = 40/46
Stage 2 : Crypted File
MD5 : 842264477730402f311c16575d102f8a
SHA1 : 3a6c18e7ba205ad4ebf7cd675d01220c43e8b6d9
SHA256 : 5309234ee7a2ba5f0c642895b39fb94852cc19a89b1648315e87e27a0ccff93f
File type : PE32 executable (GUI) Intel 80386, for MS Windows
VirusTotal : Detection ratio = 15/45
A crypter is used to make the malware more difficult to be detectable from the antivirus and also to slow down the job of analysts.
It takes an executable and encrypts it so that its contents can't be examined, a stub will be added, the OEP (the entry point of the program, indicating the first instruction to be executed when we execute the program) will be located into that stub.
Once our executable launched, the stub will decrypt the encrypted payload and the original program will run.
In our case, we have a section .code which contains both .data and .text section.
The first step will be to get the new executable file with the correct sections, then the second one will be to get the decrypted part of the payload and finally begin to analyze our malware.
The first step is to have a PE with the good sections, as we have seen above, our first file contains a section .code, and the OEP point on this one.
In loading our malware with different packer detector (PeID, exeinfo PE, RDG Packer Detector), no one could detect one.
We'll have to find out how it works in looking into the stub.
When we load our file with our debugger, we can see nothing but junk code (useless calls, nonexistent instructions ...)
After following the different calls, we could discern the most important ones which will permit us to retrieve a new executable.
Firstly, a process is created with the flag CREATE_SUSPENDED
That means the process will be created in the suspended state, it won't be executed directly after its creation.
The handle to the process will be 0x54 (an handle is like a pointer to an open file/process/whatever...)
Then, VirtualAllocEx will be used to allocate enough space into the new process to be able to copy the whole malware (the PE heads and each section) into the allocated space of the new process.
There will be few successives calls to WriteProcessMemory. At this point, each sections of the PE will be copied into the new process.
To summarize, it makes a copy of the malware into the memory in splitting out the .code section with the good ones.
Now that we know exactly how it will produce a new executable, we have two different ways to retrieve it:
- put a breakpoint to the last call of WriteProcessMemory and dump the new process into the disk;
- put a breakpoint just before the call of ResumeThread, add the opcodes EB FE (infinite loop) in the beginning of the new process (for the payload of the malware doesn't launch when we'll resume the execution in our debugger), resume the execution and dump the new process.
After this step we finally have our new PE without the code section, and the OEP who point to the .text section
We can notice that the .data section is bigger that the .text section which is unusual. We'll understand why in the second step.
Now that we have something readable, we can begin a static analysis.
We'll use IDA, a powerfull disassembler.
To hide the call to the function of decryption, it hooks a native function "NtClose".
NtClose is a native call from ntdll.dll which is use to close an open object handle
CloseHandle() is the standard function from the api call to perform what NtClose does.
A hook can be done in two different ways:
- in overwriting the pointer(s) of the IAT (Import Address Table) by the address of our function(s);
- in modifying directly the function who want to hook by a jump to our function.
In this case, it uses the second method :
it copies the original NtClose function into the memory, it changes the access rights of NtClose in RWX, it modifies the firsts bytes by a jump to another function 0x401167 and put back the formers access rights (RX).
In that way if a function is called to close an handle (either CloseHandle from the win32 api, ZwClose/NtClose), it will jump into a different function.
Introduce the sample
During the summer 2012, a lot of our friends who were running under Windows encounter the same virus.
They didn't know how to remove it from their system. When they boot up the computer, the screen remained locked on a webpage with a fake note from the "National Police" claiming the operation system was locked due to the violation of the laws such as illegal downloading of copyright files and to pay a fine to release the computer.
The message was in french and seemed convincing enough to make some of them believe it was authentic.
The message was in french and seemed convincing enough to make some of them believe it was authentic.
Some months ago, we decided to analyze a malware for a school project and we didn't know which malware to analyze. First, we were getting some sample from malware database but we were unsatisfied because they were not interesting enough and too old.
By luck, a relative just got a virus, the same virus encounter previously.
So we thought it was a good one to analyze, we reboot the computer in safe mode with command line, look into the Windows registry in some places where usually malwares achieve its persistence and found the malicious binary. We copied it to a pen drive and finally, we were able to begin the project...
Malware authors take advantage of a zero day java vulnerability to spread the virus. In that way, just in clicking on a link and you can get infected...
A ransomware is a kind of malware who will do something bad to your computer in exchange of a ransom, in our case, it locks the computer.
There are others ransomwares which will crypt all the files on the hard drive and ask for money to decrypt the files.
There are others ransomwares which will crypt all the files on the hard drive and ask for money to decrypt the files.
File Information
Stage 1 : Packed File
MD5 : 6f8128f6f69e9a14f0e16264fcb880d1
SHA1 : 1783e775d0add63b0cb5e5747e878c772fe133d0
SHA256 : a4a9856d39643b2a337c31f53ebf2d15622c8d4aab7e1f937817660b70506915
File type : PE32 executable (GUI) Intel 80386, for MS Windows
PE Information :
Compilation date : 2012-11-28 08:53:02
Target Machine : 0x14C (Intel i386)
Entry point address : 0x1000
Sections :
VirusTotal : Detection ratio = 40/46
Stage 2 : Crypted File
MD5 : 842264477730402f311c16575d102f8a
SHA1 : 3a6c18e7ba205ad4ebf7cd675d01220c43e8b6d9
SHA256 : 5309234ee7a2ba5f0c642895b39fb94852cc19a89b1648315e87e27a0ccff93f
File type : PE32 executable (GUI) Intel 80386, for MS Windows
PE Information :
Compilation date : 2012-11-27 16:36:46
Target Machine : 0x14C (Intel i386)
Entry point address : 0x1000
Sections :
VirusTotal : Detection ratio = 15/45
Decryption
What a crypter is ?
A crypter is used to make the malware more difficult to be detectable from the antivirus and also to slow down the job of analysts.
It takes an executable and encrypts it so that its contents can't be examined, a stub will be added, the OEP (the entry point of the program, indicating the first instruction to be executed when we execute the program) will be located into that stub.
Once our executable launched, the stub will decrypt the encrypted payload and the original program will run.
In our case, we have a section .code which contains both .data and .text section.
The first step will be to get the new executable file with the correct sections, then the second one will be to get the decrypted part of the payload and finally begin to analyze our malware.
First step : unpack
The first step is to have a PE with the good sections, as we have seen above, our first file contains a section .code, and the OEP point on this one.
In loading our malware with different packer detector (PeID, exeinfo PE, RDG Packer Detector), no one could detect one.
We'll have to find out how it works in looking into the stub.
When we load our file with our debugger, we can see nothing but junk code (useless calls, nonexistent instructions ...)
After following the different calls, we could discern the most important ones which will permit us to retrieve a new executable.
Firstly, a process is created with the flag CREATE_SUSPENDED
That means the process will be created in the suspended state, it won't be executed directly after its creation.
The handle to the process will be 0x54 (an handle is like a pointer to an open file/process/whatever...)
We can verify that a new process is correctly created in memory as seen above
There is a call to the native function NtUnmapViewOfSection, which will unmap the virtual address space used by the new process (0x54 is the handle of the process created before)
There is a call to the native function NtUnmapViewOfSection, which will unmap the virtual address space used by the new process (0x54 is the handle of the process created before)
Then, VirtualAllocEx will be used to allocate enough space into the new process to be able to copy the whole malware (the PE heads and each section) into the allocated space of the new process.
There will be few successives calls to WriteProcessMemory. At this point, each sections of the PE will be copied into the new process.
SetThreadContext() and ResumeThread() are used to start the execution of the new executable
To summarize, it makes a copy of the malware into the memory in splitting out the .code section with the good ones.
Now that we know exactly how it will produce a new executable, we have two different ways to retrieve it:
- put a breakpoint to the last call of WriteProcessMemory and dump the new process into the disk;
- put a breakpoint just before the call of ResumeThread, add the opcodes EB FE (infinite loop) in the beginning of the new process (for the payload of the malware doesn't launch when we'll resume the execution in our debugger), resume the execution and dump the new process.
After this step we finally have our new PE without the code section, and the OEP who point to the .text section
We can notice that the .data section is bigger that the .text section which is unusual. We'll understand why in the second step.
Second step : uncrypt
Now that we have something readable, we can begin a static analysis.
We'll use IDA, a powerfull disassembler.
To hide the call to the function of decryption, it hooks a native function "NtClose".
NtClose is a native call from ntdll.dll which is use to close an open object handle
CloseHandle() is the standard function from the api call to perform what NtClose does.
A hook can be done in two different ways:
- in overwriting the pointer(s) of the IAT (Import Address Table) by the address of our function(s);
- in modifying directly the function who want to hook by a jump to our function.
In this case, it uses the second method :
it copies the original NtClose function into the memory, it changes the access rights of NtClose in RWX, it modifies the firsts bytes by a jump to another function 0x401167 and put back the formers access rights (RX).
In that way if a function is called to close an handle (either CloseHandle from the win32 api, ZwClose/NtClose), it will jump into a different function.
 |
| Original NtClose |
 |
| Alterated NtClose |
The decryption function which is located at 0x7ffe0300 will browse through the whole .data section (which is embedded encrypted code) and decrypt each block of 6 bytes from this section then write it at the end of the .text section.
At the end of the decryption step, there is a jump to the payload, which is located at the beginning of the decrypted code.
We can finally get to the payload. From now we'll have to proceed to a dynamic analysis to work on the deciphered code.
Anti-Debugging tricks
During the dynamic analysis, we noticed a lot of functions used to detect if the malware is being run in a debugger, a sandbox...
We will explain in that part, the different manners used by the malware authors to do that and how we can bypass very easily all these tricks.
NtQueryInformationProcess
This function has been seen twice :
at 0x0040145E and further in the code injected in svchost.dll
It's used to get informations about a process given in parameter.
In this case, it takes as first argument -1, which means an handle to the current process, 0x7 (which correspond the the constant ProcessDebugPort) as second argument (to retrieve the specific information if the process is being run in a debugger or not), the third argument is pointer which will receive the information requested.
To bypass it, we can just nop the call to the function / set eip after the call / change the second argument ...
NtSetInformationThread
This function has also been seen twice directly after the calls of NtQueryInformationProcess.
It's normally used to set the priority of a thread (from the official documentation), but actually it's used to modify thread specific data.
The first argument is a handle to the current thread and the second one 0x11 (ThreadHideFromDebugger) which is not in the official Microsoft documentation, will detach the thread from the debugger and terminate the process
We bypass it the same way as above
Anti safe boot mode
This function is used to get informations about the system, with the flag SM_CLEANBOOT, it wants to know how the system is started.
If the system is started in fail safe boot, it first retrieves an handle to the token of the current process.
A token is used to identify the user's privileges.
The system uses the token to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer
It calls the function LookupPrivilegeValue with the flag SeShutdownPrivilege (which allows the user to shutdown or reboot the PC) in order to retrieve this privilege to change it after. Then, it will call the function AdjustTokenPrivilege to enable the privilege, the malware with call the ExitWindowsEx function with REBOOT as argument. This will restart the machine.
In a nutshell, this part will force the reboot of the system if the system is started in safe boot.
We can bypass that by launching the system in "Safe Boot with Command Line" or by accessing the Windows partition from a linux partition/live cd.
Process Injection
Our malware will inject itself into explorer.exe and into svchost.exe by two different ways that we are going to describe in details.
First injection : explorer.exe
Firstly, it retrieves the identifier of the process that created the shell's desktop window (which is the PID of explorer.exe)
Then it will copy a non alterated NtClose function at the end of the .text section of the current process (the malware).
It creates a section that he fills with the code of the malware (included the copy of clean NtClose)
It maps this section into the targeted process (explorer.exe)
It creates a new section, copies the code of ntdll.dll readed from the targeted processus and modifies its code in adding some instructions. It also modifies the NtClose function to jump into those news instructions.
When NtClose will be called, it will jump to the new instructions added previously, those ones will jump to the beginning of the mapped malware.
When NtClose will be called, it will jump to the new instructions added previously, those ones will jump to the beginning of the mapped malware.
Unmap the section ntdll.dll of the targeted process to map the modified section and terminates the process.
We can resume that by this scheme :
At this point, to continue the analysis, we have different available options:
- create our own process (a compiled code as simple as while(1) sleep(5000); and change the calls arguments for it injects the code in our process instead of injecting in explorer.exe
- break into explorer.exe at the NtClose function;
- when the payload of the malware code is written into the new section, we can just set eip to the first instruction of this one.
Second injection : svchost.exe
There is a second injection into svchost.exe when the malware is runned from the explorer process, the way to inject the malware is a bit different, so we will explain how it does that.
Firstly, it creates a process "C:\Windows\System32\svchost.exe" with the flag SUSPENDED_STATE
It calls VirtualAllocEx to allocate enough space into svchost.exe at 0x00090000 and WriteProcessMemory to fill that new space with the malware.
It creates a thread which will run into the virtual address (here at the beginning of the payload : 0x00090000) of the remote process (svchost.exe)
To continue the analysis, we can attach the process svchost.exe to OllyDBG v2 (because only the v2 can attach a process in suspended state) and set eip to 0x00090000
Persistance
Once injected into the svchost process, the malware deciphers the strings:
- "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"
- "AppData"
By opening the associated register key, it can read the value of AppData which contains the value :
"C:\Documents and Settings\%username%\Application Data"
"C:\Documents and Settings\%username%\Application Data"
A new string is deciphered and contains the following value : "\skype.dat"
It copies the malware into the file "C:\Documents and Settings\%username%\Application Data\skype.dat" (if this file exists, it's deleted)
The properties (last access, last modification, ...) of the ntdll library are applied to the new file skype.dat to evade some anti-virus detection.
Indeed, some forensic tools are able to list the last modified files.
At last, the following strings are deciphered :
- "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
- "shell"
When a Windows session of the infected user will be run, explorer.exe and the malware will be launch at runtime.
Preparation of the new Desktop
It begins by preparing the window that will receive the "ransom page". To do that, it calls LoadIcon, LoadCursor to load respectively a standard icon/cursor and RegisterClass to register the class of the window that will be created.
We then have two successives calls to GetSystemMetrics to get the width/height of the screen and finally a call to CreateWindowEx which will create a window with the screen dimension.
Afterwards, we access to the COM object WebBrowser through the interface IOleObject which be use to create a browser inside the window created previously.
It will then launch three threads, we'll describe each thread in details :
The first thread will be used to avoid the access of the task manager (ctrl + alt + del) by killing the process each time it's invoking.
For that, there is an infinite loop that will retrieve the list of the processes which are currently running on the system (by a call to RtlGetNativeSystemInformation).
It browses through the processes list in order to find "taskmanager.exe", and when it finds it, it just kills it (with a call to NtOpenProcess followed by NtTerminateProcess)
A second thread will open a desktop and switch the current desktop to the new one.
A third one creates a file %appdata%\skype.ini , it writes the first four bytes from 0x008dbccc at the beginning of the file which is a random value based on the time.
After the threads, if a webcam is installed on the computer, it will take a picture using the function capCreatureCapture from the avicap32 library in hiding the capture window, save it in %TEMP%\cam.bmp and then display it on the new Windows through the sendMessage function.
Then there is a function which will retrieve the current running processes, and look if among theses processes, one of the list written below is running, if it's the case, it kills it.
| Process | Name |
|---|---|
| aawService.exe | Ad-Aware Service |
| arcamainsv.exe | ArcaVir Antivirus |
| avastsvc.exe | Avast! Service |
| avgui.exe | AVG User Interface |
| avguard.exe | AntiVirus On-Access Service |
| vsserv.exe | BitDefender Security Service |
| clamWin.exe | ClamWin AntiVirus |
| clpsls.exe | Comodo Firewall |
| dwengine.exe | Dr Web AntiVirus |
| ewidoguard.exe | Ewido AntiMalware |
| fpavserver.exe | F-PROT AntiVirus |
| fsdfwd.exe | F-Secure AntiVirus Shield Daemon |
| gdscan.exe | G-Data AntiVirus Scan Server |
| guardxservice.exe | GuardX Service |
| avp.exe | Kaspersky AntiVirus |
| mcsvhost.exe | McAfee Service Host |
| ekrn.exe | Eset Service |
| ccsvchst.exe | Symantec Service Framework |
| winssnotify.exe | Windows OneCare |
| msmpeng.exe | Microsoft AntiMalware |
| acs.exe | Agnitum Outpost Service |
| pavprsrv.exe | Panda Process Protection Service |
| coreserviceshell.exe | Trend Micro |
| vba32ldr.exe | VirusBlokAda Ltd |
| vbcmserv.exe | Vexira AntiVirus |
| iswsvc.exe | ZoneAlarm ForceField Service |
Communication with the C&C
UPDATE
waiting for a sample with the C&C server still up to write that part
waiting for a sample with the C&C server still up to write that part
Forensic
It's not difficult to cure a system infected with this virus.
You just have to access your Windows partition (from another system, by running Windows in Safe Mode with command line or launching a Windows session of another user not infected)
Once done, you can launch regedit.exe (the registry base manager), remove the value "C:\Documents and Settings\%username%\Application Data\skype.dat" from the key "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", remove the files skype.dat and skype.ini on the disk and you will be rid of that virus.
You can also paid the "fine" (aha). As you've seen in the network part, the authors are not so bad and really clean your computer if you pay.
Decryption
retrieve_strings
Some examples of decrypted strings:
- imports : "ntdlll.dll", "kernel32.dll", "advapi32.dll", "rpcrt4.dll", "secur32.dll", "user32.dll", "gdi32.dll", "imm32.dll";
- registry keys
- "Sofware\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders";
- "AppData"
- "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
- "shell"
- Temprary
- C:\Windows\System32\svchost.exe
- MyDesktop
- "skype.dat"
- "skype.ini"
- "cam.bmp"
- "webcam"
- "http://tyfyk.ru"
- "opera/9.80 (Windows NT 5.1; U; Edition Yx; ru) Presto/2.9.168 Version/11.52"
- "C:\"
- ...
No comments:
Post a Comment