Ransomware is very prevalent nowadays, and the number of ransomware variants in the wild keeps increasing. They infect many home users as well as big companies and corporations, usually because of well-crafted social engineering attacks such as spam e-mail, malicious macro documents, PowerShell scripts and so on.
Today I will give some R.E. analysis of the Xorist ransomware, a sample of which was posted on the malware-traffic-analysis site, where you can get fresh samples of current notable malware in the wild.
Let's do the dance now. :)
After unpacking this malware, which uses the UPX packer, the ransomware decrypts its strings, the list of file extensions it will encrypt on the infected machine, and so on. These are stored in a resource (rsrc) entry with RsrcName = "0E" and rsrc type ID = 02, i.e. RT_BITMAP.
This technique is really effective at bypassing string-based detection by AV products, as well as IDS or IPS rules based on string signatures. The malware uses the common resource APIs to parse the resource directory and obtain a pointer to that rsrc entry in the file.
fig. 1 - parsing the encrypted rsrc entry
Then it calls its decryption function for that rsrc entry, which XORs the data using the first 16 bytes of the rsrc entry as the decryption key.
fig. 2 - encrypted rsrc entry structure
fig. 3 - rsrc entry decryption routine
fig. 4 - part of the decrypted string
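To make the resource layout concrete, here is a small decoder written for this post as an added example; it is not code from the sample or from any analysis tool. It assumes the layout described above (a 16-byte key followed by the XOR-encrypted data) and additionally assumes the key is applied cyclically, one key byte per data byte, which the figures do not spell out. The sample blob, key and string table are constructed for the example; only the dropped-file name comes from the analysis.

```python
"""Decode a Xorist-style XOR-protected resource blob (added example).

Assumed layout: 16-byte key || XOR-encrypted data.  The key is assumed to
be applied cyclically (data byte i is XORed with key[i % 16]); that cycling
is an assumption of this example, not something stated in the analysis.
"""
from typing import List

KEY_LEN = 16


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, repeating the key as needed (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_resource(blob: bytes) -> bytes:
    """Split a resource into (key || body) and return the decrypted body."""
    if len(blob) < KEY_LEN:
        raise ValueError(f"resource is shorter than the {KEY_LEN}-byte key")
    key, body = blob[:KEY_LEN], blob[KEY_LEN:]
    return xor_with_key(body, key)


def build_resource(key: bytes, plaintext: bytes) -> bytes:
    """Inverse of decode_resource; used here only to construct a sample blob."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be exactly {KEY_LEN} bytes")
    return key + xor_with_key(plaintext, key)


def split_strings(decoded: bytes) -> List[str]:
    """Turn a NUL-separated string table into a Python list of strings."""
    return [s.decode("latin-1") for s in decoded.split(b"\x00") if s]


# Constructed sample: a made-up 16-byte key and a short NUL-separated string
# table in the style of the decrypted data (a few target extensions plus the
# filename of the dropped copy mentioned in the analysis).
SAMPLE_KEY = bytes(range(0xA0, 0xB0))
SAMPLE_PLAINTEXT = b"*.doc\x00*.xls\x00*.jpg\x00yw9rFERMcLTp2PS.exe\x00"
SAMPLE_RESOURCE = build_resource(SAMPLE_KEY, SAMPLE_PLAINTEXT)


def decoded_sample_strings() -> List[str]:
    """Decode the constructed resource and return its strings."""
    return split_strings(decode_resource(SAMPLE_RESOURCE))


if __name__ == "__main__":
    for s in decoded_sample_strings():
        print(s)
```

On a real sample you would first pull the raw bytes of the RT_BITMAP resource named "0E" out of the unpacked PE with a PE parser such as pefile and feed them to `decode_resource`; the decoded string table is what a string-signature rule never sees on disk, which is the point of the technique.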
It then opens explorer.exe in the Windows directory to read its "creation time", "last access time" and "last write time", and saves them to an offset variable within the malware body.
fig. 5 - parsing the timestamp of the explorer.exe
Then it gets the %temp% folder and drops a copy of itself there with the filename "yw9rFERMcLTp2PS.exe". It also modifies the file timestamps of that copy using the timestamps of explorer.exe it read earlier.
fig. 6 - modified the filestamp of its malware copy.
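Because the dropped copy ends up with timestamps identical to those of explorer.exe, that exact match is itself a usable hunting signal. The script below is an added example written for this post, not part of the analysis or of any tool: it walks a directory and flags files whose access/modification stamps are byte-for-byte equal to a reference binary's. The file names, the "Temp" folder layout and the timestamp values are constructed; only the dropped-copy name comes from the analysis.

```python
"""Flag files whose timestamps exactly copy a reference binary's (added example).

Compares the nanosecond (atime, mtime) pair, which os.utime can set on every
platform so the demo runs anywhere.  On Windows the creation time is the more
telling field for this sample and can be added to the compared tuple.
"""
import os
import tempfile
from typing import Dict, List, Tuple


def stamp(st: os.stat_result) -> Tuple[int, int]:
    """Nanosecond (atime, mtime) pair used for comparison."""
    return (st.st_atime_ns, st.st_mtime_ns)


def find_timestamp_clones(reference: str, search_dir: str) -> List[str]:
    """Return files under search_dir whose (atime, mtime) equal reference's exactly.

    A normal install never produces a nanosecond-exact match against an
    unrelated system binary, so every hit deserves a closer look.
    """
    wanted = stamp(os.stat(reference))
    hits = []
    for root, _dirs, files in os.walk(search_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the sweep
            if stamp(st) == wanted:
                hits.append(path)
    return sorted(hits)


def build_demo_tree(base: str) -> Dict[str, str]:
    """Constructed scenario: a reference binary, a timestomped copy in a Temp
    folder, and an unrelated executable that keeps its own timestamps."""
    reference = os.path.join(base, "explorer.exe")
    temp_dir = os.path.join(base, "Temp")
    os.makedirs(temp_dir)
    clone = os.path.join(temp_dir, "yw9rFERMcLTp2PS.exe")  # name from the analysis
    benign = os.path.join(temp_dir, "installer.exe")       # constructed
    for path in (reference, clone, benign):
        with open(path, "wb") as f:
            f.write(b"MZ placeholder")  # content is irrelevant; only stamps matter
    ref_times = (1_500_000_000_000_000_000, 1_500_000_000_000_000_000)  # constructed ns
    os.utime(reference, ns=ref_times)
    os.utime(clone, ns=ref_times)  # mimics stamping the drop with explorer.exe's times
    os.utime(benign, ns=(1_600_000_000_000_000_000, 1_600_000_000_000_000_001))
    return {"reference": reference, "search_dir": temp_dir, "clone": clone, "benign": benign}


def run_demo() -> Tuple[List[str], str]:
    """Build the constructed tree in a temp dir and return (hits, clone_path)."""
    with tempfile.TemporaryDirectory() as base:
        tree = build_demo_tree(base)
        return find_timestamp_clones(tree["reference"], tree["search_dir"]), tree["clone"]


if __name__ == "__main__":
    hits, _ = run_demo()
    print("suspicious:", hits)
```

In practice you would point `find_timestamp_clones` at the real %SystemRoot%\explorer.exe and the user's %TEMP% folder; copied timestamps are a cheap trick for blending into a directory listing, but they are equally cheap to check for.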
After this it creates an autorun registry entry to persist on the infected machine.
fig. 7 - autorun registry
Registry entries added as part of its installation.
fig. 8 - added registry entries
Then it calls GetLogicalDrives to enumerate all the drives on the machine and searches them for the files it will encrypt.
fig. 9 - finding the files within machine drives
fig. 10 - 0x768 file extensions it tries to encrypt.
It uses the PathMatchSpecA API to check whether a found file has one of the file extensions it wants to encrypt.
fig. 13 - checking the file extension
If the file has one of the target extensions, it generates its encryption key and performs the encryption process shown below.
fig. 14 - generating encryption key
fig. 15 - encryption routine
Aside from encrypting files, it also generates other payloads: a message box informing the user that he/she has been infected, and an input box asking for a password, to put more pressure on the user to buy the key. The function behind this input box lives in the callback procedure (CallBackProc) of the window created with CreateWindowEx, a placement commonly used by malware to hide its tracks from dynamic analysis.
fig. 16 - infection msg box
fig. 17 - input box
fig. 18 - the call func of createWindowEx to execute the msg payload