
Let’s Have an Honest Discussion About Ransomware Part II

We have discussed the indicators that are present in ransomware and how to look for some of them. However, even though most bad behaviour shares a set of traits, an individual will occasionally surprise you; sometimes you find something that defies the rules. Such is the case with malware. I will always remind you that malware is written by a person, so it reflects who that person is, with all their creativity and dysfunction. So what if the bad behaviour does not exhibit the traits that would be considered the norm? What do you do?

 

Behold:

 

MD5                 FA550BE771A314484FA9E5A2046E4248

Or

Trojan-Banker.Win32.Jimmy.efu

Or

Pandora’s Angry Psychotic Box

 

Not all malware runs as a single entity. When you purchase software it looks like a single product, but much like a person it has many interoperable parts: one human, many parts. Malware is software, so it is logical that well-built malware would also have many operating parts. And if you are going to hide something, what better way than to confuse the unsuspecting user? Combine ransomware with a trojan from a different family and you have a perfect sphere of chaos.

 

Section One:

Sandbox

 

Topical overview of the sandbox run (figure)

Part A:

 

Here is the binary launching in the sandbox. The name (the file is named after its own hash) is not as important as what it does, though if your builds are static across the board you can set an alert for odd names. The malicious executable launches from C:\Users\admin\AppData\Local\Temp\, a user-writable location where, outside of installers, very little legitimate software should be executing.

 

PID 2844

CMD "C:\Users\admin\AppData\Local\Temp\b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe"

Path C:\Users\admin\AppData\Local\Temp\b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe

Parent process ––

User admin

Integrity Level MEDIUM

Exit code 0

 

Part B:

 

Here is where the oddities begin. Our nasty entity gets to work and we see it start:

 

PID 3144

CMD "C:\Users\admin\AppData\Local\Temp\b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe" --Admin IsNotAutoStart IsNotTask

Path C:\Users\admin\AppData\Local\Temp\b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe

Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe

User admin

Integrity Level HIGH

Exit code 0

 

The integrity level has changed from MEDIUM to HIGH, and the parent is the same binary, which has spawned a second copy of itself from the identical path with the arguments --Admin IsNotAutoStart IsNotTask. This is not a second dropped file: it is the same executable re-executing itself elevated, which requires UAC consent (or a sandbox that auto-approves the prompt). Two processes, two PIDs, one image. A process re-launching itself at a higher integrity level than its parent is itself worth alerting on.

Part C:

 

Much like ransomware and other types of malware, the very functionality of the operating system is used to obtain the results the malware author wants. Here we have the parent process (the nasty and malicious entity) start a process called icacls.exe, a file that is part of the Windows operating system, located at C:\Windows\System32.

 

What does this file do, you may ask? In the wrong hands it is destructive. It changes file and folder permissions by modifying Access Control Lists. Here that means the malware is about to lock down its own working directory: the command below denies Everyone (the SID S-1-1-0) the Delete (DE) and Delete Child (DC) rights on the folder, with object and container inheritance (OI)(CI) so the deny applies to everything created inside it. This is the first behaviour in the chain we can build a high-fidelity alert around.

 

PID 3944

CMD icacls "C:\Users\admin\AppData\Local\9507f5f7-15c8-493f-8b0b-11b93694371a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Path C:\Windows\system32\icacls.exe

Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe

User admin

Integrity Level MEDIUM

Exit code 0

Version:

Company Microsoft Corporation

icacls being used (figure)

A binary with no version information, running out of C:\Users\admin\AppData\Local, has spawned a Windows system utility from C:\Windows\System32 to deny the Everyone group delete rights on a GUID-named folder it just created. Plenty of legitimate software calls icacls, so the process alone is not the signal; the combination of a parent in a user-writable path, a /deny on *S-1-1-0, and a target under AppData\Local is. That combination is our first detection point.
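The detection described above is easy to state and easy to get wrong, because the interesting part is inside the icacls argument string, not in the process name. Below is an added example, not tooling from the original article, that parses an icacls command line into its target and ACEs (principal, inheritance flags, rights) and then applies the three-part test: parent in a user-writable path, GUID-named target under a user-writable path, and a deny ACE on Everyone that covers delete rights. The well-known SID table and the list of user-writable prefixes are my own assumptions and are deliberately small; the command line in the usage block is the one from the sandbox output above.

```python
"""Parse an icacls command line and test it against the self-protection pattern
seen in the sandbox: a binary in a user-writable folder denying Everyone delete
rights on a GUID-named directory. Added example, not the page's tooling."""
import re
from dataclasses import dataclass, field

# Well-known SIDs relevant to this pattern (constructed lookup, not exhaustive).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}
INHERITANCE = {"OI", "CI", "IO", "NP"}            # icacls inheritance flags
DELETE_RIGHTS = {"D", "DE", "DC", "F", "M", "GA"}  # rights that include deletion
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")
GUID_DIR = re.compile(r"\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\?$", re.I)

@dataclass
class Ace:
    action: str                      # "grant" or "deny"
    sid: str                         # principal as written, without the leading '*'
    who: str                         # resolved well-known name, or the raw principal
    inheritance: list = field(default_factory=list)
    rights: list = field(default_factory=list)

def _tokens(cmdline: str) -> list:
    # Quoted paths stay whole and lose their quotes; backslashes are not escapes on Windows.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_ace(action: str, token: str) -> Ace:
    """Parse '[*]principal:[(flags)...](rights)' or the simple 'principal:F' form."""
    principal, _, spec = token.partition(":")
    sid = principal.lstrip("*")
    groups = re.findall(r"\(([^)]*)\)", spec)
    bare = re.sub(r"\([^)]*\)", "", spec).strip()
    if bare:
        groups.append(bare)          # e.g. Users:(OI)(CI)M or Everyone:F
    inh, rights = [], []
    for group in groups:
        for part in group.split(","):
            part = part.strip().upper()
            (inh if part in INHERITANCE else rights).append(part)
    return Ace(action, sid, WELL_KNOWN_SIDS.get(sid, principal), inh, rights)

def parse_icacls(cmdline: str) -> dict:
    """Return {'target': path, 'aces': [Ace, ...]} for an icacls invocation."""
    argv = _tokens(cmdline)
    if len(argv) < 2 or not re.search(r"icacls(?:\.exe)?$", argv[0], re.I):
        raise ValueError("not an icacls command line")
    target, aces, action = argv[1], [], None
    for tok in argv[2:]:
        low = tok.lower()
        if low.startswith("/grant"):
            action = "grant"
        elif low == "/deny":
            action = "deny"
        elif low.startswith("/"):
            action = None            # /remove, /inheritance, /T, ... not modelled here
        elif action and ":" in tok:
            aces.append(parse_ace(action, tok))
    return {"target": target, "aces": aces}

def icacls_alert_reasons(cmdline: str, parent_image: str) -> list:
    """Reasons a process-creation event matches the malware self-protection pattern."""
    parsed = parse_icacls(cmdline)
    reasons = []
    if any(p in parent_image.lower() for p in USER_WRITABLE):
        reasons.append("parent runs from a user-writable path")
    if any(p in parsed["target"].lower() for p in USER_WRITABLE) and GUID_DIR.search(parsed["target"]):
        reasons.append("target is a GUID-named folder under a user-writable path")
    for ace in parsed["aces"]:
        if ace.action == "deny" and ace.who == "Everyone" and DELETE_RIGHTS & set(ace.rights):
            reasons.append(f"denies Everyone delete rights ({','.join(ace.rights)}) "
                           f"with {'+'.join(ace.inheritance) or 'no'} inheritance")
    return reasons

if __name__ == "__main__":
    # Command line and parent path copied from the sandbox output above.
    cmd = r'icacls "C:\Users\admin\AppData\Local\9507f5f7-15c8-493f-8b0b-11b93694371a" /deny *S-1-1-0:(OI)(CI)(DE,DC)'
    parent = r"C:\Users\admin\AppData\Local\Temp\b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe"
    for reason in icacls_alert_reasons(cmd, parent):
        print("ALERT:", reason)
```

Scoring on all three reasons rather than on "icacls ran" keeps installers and IT scripts, which grant rather than deny and rarely operate on GUID-named folders under AppData, out of the alert queue.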

Part D:

 

The malicious binary, after opening a handle to icacls.exe, begins dropping objects. The dropped files are named updatewin.exe, updatewin1.exe and updatewin2.exe, and they land in a second GUID-named folder under AppData\Local (a180f6b5-…), distinct from the folder that was just protected with icacls (9507f5f7-…).

 

Notice that each object's parent is the malicious binary that was launched from our original. We now have psychotic children on the loose.

 

Psychotic Child #1 –

 

PID 1940

CMD "C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin.exe"

Path C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin.exe

Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe

User admin

Integrity Level HIGH

Version:

Company

Description

Version

 

No version information here: the Company, Description and Version fields are empty. That looks like an application dropped or rewritten by another process, and it is something a security operations person should be able to spot: a freshly created executable with an empty version resource, launched from a GUID-named folder under AppData.

 

Psychotic Child #2 –

 

PID 3716

CMD "C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin1.exe"

Path C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin1.exe

Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe

User admin

Integrity Level HIGH

Exit code 0

Version:

Company

Description

Version

No specs to be found here as well, but look at what PID 3716 does next:

 

PID 3172

CMD "C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin1.exe" --Admin

Path C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin1.exe

Parent process updatewin1.exe

User admin

Integrity Level HIGH

Exit code 0

Version:

Company

Description

Version

 

PID 3716 is an application dropped or rewritten by another process; it then launches itself and we get PID 3172. Notice the way it launches itself: updatewin1.exe --Admin. That is our cue that something very bad is about to happen, but follow along, because we need the full context of what is going on. That command starts another chain of events which is particularly devastating, but first we need to see what else is happening.

 

Our next oddity is updatewin2.exe. We now have three dropped files.

 


Psychotic Child #3-

 

PID 3740

CMD "C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin2.exe"

Path C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin2.exe

Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe

User admin

Integrity Level HIGH

Exit code 0

Version:

Company

Description

Version

 

Much like the other bad children, updatewin1.exe included, none of them carry version information. They simply came from the parent. What sets updatewin1.exe apart is not its metadata but its behaviour, which we will come back to.

 

Enter the odd psychotic child with communication issues. Psychotic Child #4 likes to talk and say nasty things –

 

PID 3360

CMD "C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\5.exe"

Path C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\5.exe

Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe

User admin

Integrity Level HIGH

Exit code 0

Version:

Company

Description

Version

 

Much like the other children, this was dropped or rewritten by another process. The parent process is recorded with every process-creation event, provided you are collecting them (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled). However, this odd thing has some interesting characteristics. This freak of nature likes to talk.

 

ipDst: 94.23.168.58

ipSrc: 192.168.200.165

portDst: 80

portSrc: 49555

process: C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\5.exe

time: 25349ms

We capture the network stream in the sandbox, so we get a nice granular look at what is going on with this connection. PCAP analysis is not constrained to a sandbox: tools such as Moloch (now Arkime) capture network traffic and store the pcap files for live analysis, and Bro (now Zeek) will do this as well.

Network capture 1 (figure)

5.exe is making a connection over port 80 to the IP address 94.23.168.58. This is an HTTP POST, so something is being sent out. You have no time to reverse engineer; the priority is that this does not spread further. Looking at the response, we then find:

Network capture 2 (figure)

The responding host is an nginx server running an older version of PHP, specifically 5.4.16, as the server itself advertises.

What we are presented with is our machine communicating with a command and control (C2) server. The first network stream shows the POST, an initial client-to-server check-in, and the server responds with what looks like XOR-encoded data (XOR is a binary operation, "exclusive or"; we will cover encoding in another article). Regardless of the encoding, this simply should not be happening, and network connections need to be monitored. The C2 server for this example sits on OVH address space, geolocated to the Czech Republic, as seen below:

OVH, Czech Republic (figure)

This is characteristic of Azorult, an information-stealing trojan. It collects data from the computer and sends it to a command and control server; items sent usually include browser history, saved login credentials, cookies, and whatever files and folders the server specifies. Now, while this is going on, the other psychotic child, updatewin1.exe, is busy.


 

The original updatewin1.exe was process ID 3716. It has now launched itself as process ID 3172 (the --Admin instance shown earlier) and summarily shut off Task Manager. We audit the registry, so we see this:

 

key:      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

name:   DisableTaskmgr

operation: write

typeValue: REG_DWORD

value: 1

time: 24078ms

 

The software writer obviously does not want you opening Task Manager. There is no legitimate reason for a user process to write DisableTaskmgr=1 under HKCU\...\Policies\System; Group Policy delivers that value through policy processing, not through an executable in AppData. So if alerts are not set up for this, the fault lies with the security operator for being complacent and lazy.

 

Now that this is done and there is communication with the command and control server, updatewin1.exe opens up SEVERAL PowerShell sessions. At this point we are just riding this psychotic horse to its burning stable.

 

PID 2856

CMD powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned

Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Parent process updatewin1.exe

User admin

Integrity Level HIGH

Exit code 0

Version:

Company Microsoft Corporation

Description Windows PowerShell

Which then gives us –

 

PID 2676

CMD powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\admin\AppData\Local\script.ps1""' -Verb RunAs}"

Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Parent process updatewin1.exe

User admin

Integrity Level HIGH

Exit code 0

Version:

Company Microsoft Corporation

Description Windows PowerShell

 

PowerShell scripts are executed here and files are created in the user directory. We believe the user profile directory is critical to monitor, as it will (for the most part) be ground zero for infections.

 

This PowerShell execution then gives us –

 

PID 3048

CMD "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\script.ps1

Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Parent process powershell.exe

User admin

Integrity Level HIGH

Exit code 0

Version:

Company Microsoft Corporation

Description Windows PowerShell

 

Words are important, and when we analyze what this monstrosity is doing it is imperative that we read. The logs tell us what is going on; it wants you to know. So, with that said, what is going on with that PowerShell command line, -NoProfile -ExecutionPolicy Bypass?

-NoProfile skips the user's and the machine's profile scripts, so nothing an administrator put there (logging hooks, transcription, aliases) runs. -ExecutionPolicy Bypass tells this one PowerShell process to run scripts without signature checks or warnings; it writes nothing to disk and is scoped to that process only. The earlier Set-ExecutionPolicy -Scope CurrentUser RemoteSigned did the same thing persistently for the user, and -Verb RunAs asks for an elevated (UAC) launch of the child. None of this exploits anything: execution policy is a safety feature, not a security boundary, and any process can bypass it. It is silent and sneaky, and it is exactly the command line a detection rule should key on.

 

To add insult to injury, updatewin1.exe, alongside these PowerShell commands, ran another command to neutralize Windows Defender:

PID 4088

CMD "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all

Path C:\Program Files\Windows Defender\mpcmdrun.exe

Parent process updatewin1.exe

User admin

Integrity Level HIGH

Exit code 2

Version:

Company Microsoft Corporation

Description Microsoft Malware Protection Command Line Utility

 

This is just plain nasty. MpCmdRun.exe -RemoveDefinitions -All restores Defender's installed security intelligence to the original default set that shipped with the engine, rolling back every definition update the machine has received. Note the exit code of 2: unlike the other children, this one did not return 0, which suggests the call did not complete as intended. For detection the attempt is what matters, not whether it succeeded.

 

From here we see a batch file executed, called delself.bat:

 

PID 3368

CMD cmd /c ""C:\Users\admin\AppData\Local\Temp\delself.bat""

Path C:\Windows\system32\cmd.exe

Parent process updatewin1.exe

User admin

Integrity Level HIGH

Exit code 1

Version:

Company Microsoft Corporation

Description Windows Command Processor

 

This is how it removes traces of itself: a batch file in Temp, run by cmd.exe from the elevated updatewin1.exe. The name alone is a giveaway.

 

Below is part of the tree to give you an overall conceptual idea of what launched what:

 

Process tree: malware goes to work (figure)
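Everything in Parts B through D is one tree, and the alerting value comes from tying each behaviour (the self-relaunch at higher integrity, the --Admin child, the PowerShell flags, the Defender definition removal, the delself.bat, the DisableTaskmgr write, the 5.exe beacon) back to the root process so the analyst sees one incident rather than a dozen unrelated alerts. The block below is an added example, not the sandbox's or the article's own tooling: it rebuilds the process tree from constructed events modelled on the output above and attributes every rule hit to the root PID. The sandbox names parents by image only, so the parent PIDs for the dropped children (3144) and for the lolbin children (3172) are assumptions, and the rule thresholds and watched-binary list are mine.

```python
"""Rebuild the process tree from sandbox-style events and attribute every suspicious
behaviour in the chain to its root process. Added example: the events are constructed
from the page's output, and the PPIDs marked below are assumptions, not sandbox data."""
import re

S = r"C:\Users\admin\AppData\Local\Temp\b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe"
D = r"C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# (pid, ppid, image, command line, integrity). The page names parents by image only, so
# 3144 is ASSUMED as parent of the dropped children and 3172 as parent of its lolbin children.
PROCS = [
    (2844, None, S, f'"{S}"', "MEDIUM"),
    (3144, 2844, S, f'"{S}" --Admin IsNotAutoStart IsNotTask', "HIGH"),
    (3944, 3144, r"C:\Windows\system32\icacls.exe",
     r'icacls "C:\Users\admin\AppData\Local\9507f5f7-15c8-493f-8b0b-11b93694371a" /deny *S-1-1-0:(OI)(CI)(DE,DC)', "MEDIUM"),
    (1940, 3144, D + r"\updatewin.exe", f'"{D}\\updatewin.exe"', "HIGH"),
    (3716, 3144, D + r"\updatewin1.exe", f'"{D}\\updatewin1.exe"', "HIGH"),
    (3172, 3716, D + r"\updatewin1.exe", f'"{D}\\updatewin1.exe" --Admin', "HIGH"),
    (3740, 3144, D + r"\updatewin2.exe", f'"{D}\\updatewin2.exe"', "HIGH"),
    (3360, 3144, D + r"\5.exe", f'"{D}\\5.exe"', "HIGH"),
    (2856, 3172, PS, "powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned", "HIGH"),
    (2676, 3172, PS, r'''powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\admin\AppData\Local\script.ps1""' -Verb RunAs}"''', "HIGH"),
    (3048, 2676, PS, f'"{PS}" -NoProfile -ExecutionPolicy Bypass -File "C:\\Users\\admin\\AppData\\Local\\script.ps1"', "HIGH"),
    (4088, 3172, r"C:\Program Files\Windows Defender\mpcmdrun.exe",
     r'"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all', "HIGH"),
    (3368, 3172, r"C:\Windows\system32\cmd.exe", r'cmd /c ""C:\Users\admin\AppData\Local\Temp\delself.bat""', "HIGH"),
]
REG_WRITES = [(3172, r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskmgr", 1)]
NET_CONNS = [(3360, "94.23.168.58", 80)]

INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
WATCHED_LOLBINS = {"icacls.exe", "powershell.exe", "cmd.exe", "mpcmdrun.exe", "vssadmin.exe", "wmic.exe"}
PS_FLAGS = re.compile(r"-ExecutionPolicy\s+Bypass|-NoProfile|-Verb\s+RunAs|Set-ExecutionPolicy", re.I)

def _user_writable(path):
    return any(p in path.lower() for p in USER_WRITABLE)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def process_rules(proc, parent):
    """Yield reasons one process-creation event is suspicious, given its parent event."""
    _, _, image, cmd, integ = proc
    name = _basename(image)
    if parent and parent[2].lower() == image.lower():          # same image as parent
        extra = set(cmd.split()) - set(parent[3].split())
        if extra or INTEGRITY[integ] > INTEGRITY[parent[4]]:
            yield f"re-launched itself ({parent[4]}->{integ}) with args: {' '.join(sorted(extra)) or 'none'}"
    if parent and _user_writable(parent[2]) and name in WATCHED_LOLBINS:
        yield f"{name} spawned by a binary in a user-writable path"
    if name == "powershell.exe":
        flags = sorted({m.group(0).lower() for m in PS_FLAGS.finditer(cmd)})
        if flags:
            yield "powershell with " + ", ".join(flags)
    if name == "mpcmdrun.exe" and "-removedefinitions" in cmd.lower():
        yield "Defender definition removal attempted"
    m = re.search(r'\s/c\s+"*([^"]+\.bat)', cmd, re.I)
    if m and _user_writable(m.group(1)):
        yield f"batch file run from user-writable path: {_basename(m.group(1))}"

def registry_rules(key, name, value):
    if key.lower().endswith("\\policies\\system") and name.lower() == "disabletaskmgr" and value == 1:
        yield "disabled Task Manager (DisableTaskmgr=1 under Policies\\System)"

def network_rules(image, dst, dport):
    if _user_writable(image) and dport in (80, 443):
        yield f"binary in user-writable path connected to {dst}:{dport}"

def analyze(procs=PROCS, reg=REG_WRITES, net=NET_CONNS):
    """Return {root_pid: [(pid, reason), ...]}: every finding attributed to its root process."""
    by_pid = {p[0]: p for p in procs}

    def root_of(pid):
        while by_pid[pid][1] in by_pid:   # walk ppid links until the parent is unknown
            pid = by_pid[pid][1]
        return pid

    findings = {}
    def add(pid, reason):
        findings.setdefault(root_of(pid), []).append((pid, reason))

    for p in procs:
        for reason in process_rules(p, by_pid.get(p[1])):
            add(p[0], reason)
    for pid, key, name, value in reg:
        for reason in registry_rules(key, name, value):
            add(pid, reason)
    for pid, dst, dport in net:
        for reason in network_rules(by_pid[pid][2], dst, dport):
            add(pid, reason)
    return findings

if __name__ == "__main__":
    for root, hits in analyze().items():
        print(f"root PID {root}: {len(hits)} findings across {len({pid for pid, _ in hits})} processes")
        for pid, reason in hits:
            print(f"  [{pid}] {reason}")
```

The dropped updatewin.exe and updatewin2.exe produce no finding on their own, which is the point: a single process-creation event is often clean, and it is the chain under one root that tells the story. In production the same logic runs over Sysmon Event ID 1, 13 and 3 (or Security 4688 with command-line auditing) instead of the constructed tuples.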

Part E

 

With this malware we have borne witness to communication with a command and control server, PowerShell commands executing, trojan-like activity, and more. A word on terminology: an exploit kit, strictly speaking, is a collection of tools that exploits security holes (usually in a browser or its plugins) for the purpose of delivering malware. These kits come with pre-written code and target users for varied purposes; some are written excellently, others are just horrible. What we are looking at here is the payload side of that equation: a package that bundles several malware families together, rather than the delivery mechanism itself.

The short of it: it is not just one thing, it is everything bad put together. This article was about ransomware, though, so where is it?

 

If you recall, in Part One we discussed the characteristics of ransomware. Besides showing the user an annoying ransom message and enumerating the computer, one of the characteristics is the renaming of files, here by appending a new extension. The rename is what marks which files have been taken hostage when you are going to lock someone out of their own data.

 

The renaming occurs due to the activity of Process ID 3144, the elevated instance of b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe:

 

created: NONE

device: DISK_FILE_SYSTEM

name: C:\Users\admin\Desktop\motiontocontinue.docx

newname: C:\Users\admin\Desktop\motiontocontinue.docx.pidon

object: FILE

operation: RENAME

status: 0x00000103

time: 61609ms

We see 23 occurrences of this in the log because the machine had 23 documents in the Desktop folder. The malware is not selective; even a search connector file gets the .pidon extension:

 

created: NONE

device: DISK_FILE_SYSTEM

name: C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms

newname: C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.pidon

object: FILE

operation: RENAME

status: 0x00000103

time: 61703ms
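The 23 renames above share one property a detector can key on: the original name is left intact and one new extension is appended, many times, from one process, within a very short window. Ordinary file activity (report.docx renamed to report_v2.docx) does not look like that. The block below is an added example, not the sandbox's or the article's own tooling: it parses rename records in the same key: value layout as the log excerpts above and raises one alert per process and appended extension once enough distinct files are hit inside the window. The log it runs on is constructed (five .pidon renames plus one ordinary rename), and the pid field on each record is assumed, since the excerpts above identify the process only in the surrounding prose.

```python
"""Detect a burst of renames that append one new extension to many files, the
ransomware signature shown in the rename records above. Added example; the log
below is constructed in the page's 'key: value' layout and the pid field is assumed."""
import re
from collections import defaultdict

# Constructed records: five .pidon renames from PID 3144 plus one ordinary rename.
SAMPLE_LOG = r"""
name: C:\Users\admin\Desktop\motiontocontinue.docx
newname: C:\Users\admin\Desktop\motiontocontinue.docx.pidon
operation: RENAME
time: 61609ms
pid: 3144

name: C:\Users\admin\Desktop\budget.xlsx
newname: C:\Users\admin\Desktop\budget.xlsx.pidon
operation: RENAME
time: 61640ms
pid: 3144

name: C:\Users\admin\Desktop\notes.txt
newname: C:\Users\admin\Desktop\notes.txt.pidon
operation: RENAME
time: 61655ms
pid: 3144

name: C:\Users\admin\Desktop\photo.jpg
newname: C:\Users\admin\Desktop\photo.jpg.pidon
operation: RENAME
time: 61680ms
pid: 3144

name: C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms
newname: C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.pidon
operation: RENAME
time: 61703ms
pid: 3144

name: C:\Users\admin\Documents\report.docx
newname: C:\Users\admin\Documents\report_v2.docx
operation: RENAME
time: 61900ms
pid: 1204
"""

def parse_records(text):
    """Split blank-line separated 'key: value' blocks into dicts; time becomes int ms."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # first colon only; paths keep their 'C:'
            rec[key.strip()] = value.strip()
        rec["time_ms"] = int(rec["time"].rstrip("ms"))
        records.append(rec)
    return records

def appended_extension(old, new):
    """Return 'ext' when new == old + '.ext' (original name untouched), else None."""
    prefix = old + "."
    if new.lower().startswith(prefix.lower()):
        ext = new[len(prefix):]
        if ext and "\\" not in ext and "." not in ext:
            return ext.lower()
    return None

def detect_extension_bursts(records, window_ms=5000, min_files=5):
    """One alert per (pid, extension) once >= min_files distinct files gain that
    extension within window_ms. Returns a list of alert dicts."""
    by_key = defaultdict(list)
    for r in records:
        if r.get("operation") != "RENAME":
            continue
        ext = appended_extension(r["name"], r["newname"])
        if ext:
            by_key[(r.get("pid", "?"), ext)].append((r["time_ms"], r["name"]))
    alerts = []
    for (pid, ext), events in by_key.items():
        events.sort()
        for j, (t_end, _) in enumerate(events):
            window = [e for e in events if t_end - window_ms < e[0] <= t_end]
            files = {name for _, name in window}
            if len(files) >= min_files:
                alerts.append({
                    "pid": pid, "extension": ext, "files": len(files),
                    "first_ms": window[0][0], "last_ms": t_end,
                    "original_extensions": sorted({n.rsplit(".", 1)[-1].lower() for n in files}),
                })
                break                       # report each (pid, extension) once
    return alerts

if __name__ == "__main__":
    for a in detect_extension_bursts(parse_records(SAMPLE_LOG)):
        print(f"ALERT pid={a['pid']} appended .{a['extension']} to {a['files']} files "
              f"in {a['last_ms'] - a['first_ms']} ms (originals: {', '.join(a['original_extensions'])})")
```

The threshold and window are deliberately conservative for the demo; on a real endpoint the same rule over Sysmon Event ID 11 or a file-system minifilter feed, with a window of a few seconds and a threshold of a few dozen files, catches the encryption loop early enough that the process can be killed with most of the user's data intact.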

 

What we witnessed is a combination of multiple categories of malware wrapped up in one package, each piece of the puzzle achieving its own end result and exhibiting the characteristics of the family it has its roots in. The ransomware component renamed all the files, and to add insult to injury the stealer component has your machine talking to another computer and sending data back. If the security operator is alerted to what occurred in Part C, the threat can be neutralized at that point. If not, it becomes forensics, and you need to figure out who to blame to keep your job. These are behaviours, and we can stop malicious acts by alerting on these behaviours.

 

Below is the attack matrix, which shows how devastating a package like this is when it runs to completion. Remember: software has many parts.

Attack matrix (figure)