
Monday, March 26, 2018

Exploit Kit Deliver GandCrab Ransomware part III - Payload



Now we will go through the payload and the SWF file. :)

The Exploitable SWF File:

For me, one of the trickiest files to analyze is the SWF, because debuggers for this file type are rarely seen in public. So usually the way to analyze it, as far as I know, is through black-box testing, a code decompiler and static analysis of the decompiled code.

The SWF file downloaded by this EK is a compressed SWF, but the JPEXS decompiler nicely manages to decompile it.

Some noteworthy code in the SWF shows that this was related to CVE-2015-8651.


(figure: CustomByteArray objects are sprayed on the heap first)
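Before loading the file into a decompiler, an analyst usually wants to confirm it really is a compressed SWF and inflate it so the embedded class names (such as the sprayed CustomByteArray) can be searched for. The Python below is an added example, not code from the post or from JPEXS; it relies only on the documented SWF header (signature FWS/CWS/ZWS, a version byte, then the little-endian uncompressed length) and builds its own constructed demo file.

```python
# Added example: inflate a zlib-compressed SWF and count indicator strings.
import struct
import zlib

def unpack_swf(data: bytes) -> tuple:
    """Return (signature, version, body), inflating a zlib-compressed SWF.
    Raises ValueError for a bad header, a ZWS (LZMA) file this helper does
    not handle, or a declared length that disagrees with the real body."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    # FileLength counts the 8-byte header plus the uncompressed body.
    declared_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("ZWS (LZMA) SWF: inflate with lzma before scanning")
    else:
        raise ValueError("not a SWF, signature %r" % sig)
    if declared_len != len(body) + 8:
        raise ValueError("declared length %d != actual %d" % (declared_len, len(body) + 8))
    return sig.decode("ascii"), version, body

def count_indicators(body: bytes, needles) -> dict:
    """Count how often each indicator string occurs in the inflated body;
    hits on the exploit's class names are the cue to open the file in a
    decompiler and read the ActionScript."""
    return {n: body.count(n.encode("ascii")) for n in needles}

def build_demo_swf(body: bytes, compressed: bool = True) -> bytes:
    """Wrap an arbitrary body in a syntactically valid SWF header. This is
    demo input for the example, not a real exploit file."""
    sig = b"CWS" if compressed else b"FWS"
    header = sig + bytes([13]) + struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if compressed else body)

# Constructed sample: a body that names the sprayed class three times.
DEMO_BODY = b"\x00" * 32 + b"CustomByteArray\x00" * 3 + b"\x00" * 8
DEMO_SWF = build_demo_swf(DEMO_BODY)

if __name__ == "__main__":
    sig, ver, body = unpack_swf(DEMO_SWF)
    print(sig, ver, len(body), count_indicators(body, ["CustomByteArray"]))
```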

The Payload Gandcrab Ransomware:

The ransomware payload was packed to hide the actual code from static analysis. After unpacking the file you can see some noteworthy behavior through static analysis; I mention some of it below.

It tries to terminate specific process names related to Microsoft Office, database applications and anti-virus application components, to avoid open-handle errors during the encryption process.

(figure: terminated processes)

It checks whether the keyboard layout is the Russian keyboard layout (layout ID 419); if so, it exits the process.

(figure: keyboard layout check)

It also gathers other information that is sent to its C&C server, shown below.

(figure: parsing the product name of the infected machine)

(figure: parsing the processor description)

(figure: checking whether the disks are of the following types)

(figure: how much disk space is available)

(figure: whether the infected machine has the following anti-virus products installed)

It also parses other information and sends it to the C&C server.

This ransomware generates its RSA encryption key using the Windows CryptoAPI.

(figure: generating the RSA encryption key)

The encryption process and the dropped .txt file of this ransomware.

(figure: encryption routine)


Exploit Kit Deliver GandCrab Ransomware part II - EK Landing Page



Now we will analyze some noteworthy code of the landing page, which contains obfuscated VBScript.

I saved the packet into a text file and found 3 variables that are fully encrypted. We will name them scriptA, scriptB and scriptC.


(figure: 1st encrypted script - scriptA)

(figure: 2nd encrypted script - scriptB)

(figure: 3rd encrypted script - scriptC)

After decrypting these scripts, we can see right away how this exploit kit infects the compromised machine.

1st Decrypted Script:

The noteworthy code I found in the decrypted scriptA is the function below, which contains an RC4 decryption routine and the actual RC4 key.


(figure: RC4 decryption routine)

I created a simple VBScript with this function to decrypt the blob sent back by the EK server to the infected machine. In decrypted scriptB there is code calling a function with 2 parameters: the URL of the payload and a string that looks like the RC4 key. I fetched the key and put it in my VBScript together with the encrypted blob, and it was nicely decrypted and verified to be the ransomware.
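The VBScript decryptor the author built is shown only as an image, so here is an equivalent RC4 decryptor written in Python as an added example (not the EK's or the author's code). DEMO_KEY and DEMO_BLOB are constructed for the demo rather than taken from the real traffic, and the 'MZ' header check stands in for the author's manual verification that the output is the ransomware executable.

```python
# Added example: RC4 decryption of an EK payload blob, mirroring the
# routine scriptA carries. Key and blob below are constructed, not real.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling: build the 256-byte permutation from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA: XOR each input byte with the next key-stream byte. RC4 is
    symmetric, so the same call both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def looks_like_pe(data: bytes) -> bool:
    """A decrypted Win32 payload starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"

def key_fits(key: str, blob: bytes) -> bool:
    """True when the key decrypts the blob to something PE-shaped."""
    return looks_like_pe(rc4_crypt(key.encode("latin-1"), blob))

def decrypt_payload(key: str, blob: bytes) -> bytes:
    """Decrypt the blob with the key lifted from scriptB; raise if the
    result is not a PE, which usually means the wrong string was picked."""
    plain = rc4_crypt(key.encode("latin-1"), blob)
    if not looks_like_pe(plain):
        raise ValueError("decryption did not yield a PE file; check the key")
    return plain

# Constructed demo input: a fake PE-like payload encrypted with a demo key.
DEMO_KEY = "demo-rc4-key"
DEMO_PLAIN = b"MZ\x90\x00" + b"constructed fake payload body"
DEMO_BLOB = rc4_crypt(DEMO_KEY.encode("latin-1"), DEMO_PLAIN)

if __name__ == "__main__":
    print(decrypt_payload(DEMO_KEY, DEMO_BLOB))
```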




It also tries to drop a fake executable onto the infected machine as part of its installation, maybe to distract the analyst from its actual behavior.

(figure: creating the fake Win32 file)
2nd Decrypted Script:

The decrypted scriptB also contains shellcode that runs a JavaScript file using the CreateProcessA API. The JS file generates a random executable filename for the ransomware payload and executes it depending on the file type of the payload the EK server sends back.

(figure: the shellcode)

(figure: the decrypted shellcode)

(figure: executing the payload depending on its file type)

3rd Decrypted Script:

The last decrypted script, scriptC, is a setup for executing the exploit SWF file.

(figure: script that executes the SWF)







Exploit Kit Deliver GandCrab Ransomware part I - Network Traffic



In the past few days, I decided to analyze the infection chain of the RIG exploit kit that delivers GandCrab ransomware in the wild, with credit to the malware-traffic-analysis website.

In this part, I will do a brief analysis of the network packets (thanks to malware-traffic-analysis for a clean pcap). So let's do the analysis for fun! :)


The first interesting item is the HTTP GET with a long URL. This is the landing page of the exploit kit. Using Wireshark we can see the user agent, size, etc. used by this HTTP GET, where the first GET download ends (frame 27) and where the next request happens (frame 30).

(figure: the first GET command)


The EK landing HTML page is composed of obfuscated VBScript (which will be discussed in the next part).

(figure: the obfuscated landing page of the 2 URLs served by the exploit kit)


After the infected machine engages with the exploit kit landing page, the exploit kit server responds with the exploit SWF file and its malware payload, which is GandCrab ransomware in this case.

(figure: the SWF exploit response of the EK server after engaging with the landing page)

(figure: the compressed SWF file request info)

Then in frame 47, ending in frame 157, another HTTP GET request comes from the infected machine to the exploit kit server; this is the payload of the attack. The EK server responds with an encrypted blob of data that will be decrypted into the ransomware.

(figure: the encrypted payload delivered by the exploit kit)

(figure: TCP stream of the payload traffic)

Now that we have some idea how the infection happens, we will go on to analyze the main part of the exploit kit landing page and how the landing page decrypts the blob it downloads to the infected machine.

link to part II




