Stage 1: Obfuscated PowerShell:
This Netwalker ransomware variant starts with a three-layer PowerShell script, as follows:
1st layer: base64-encoded PowerShell.
2nd layer (after decoding the base64): an array of bytes encrypted with a single-byte XOR key of 0xc4, which is decrypted and then run through a scriptblock.
3rd layer (after decrypting the 2nd layer): two hex byte arrays, the x86 and x64 versions of the Netwalker binary, which are injected into a process by C# code that PowerShell loads and compiles with Add-Type.
figure 1: the 3-layered PowerShell script
figure 2: the C# loader written in PowerShell using Add-Type
Stage 2: No MZ Header Binaries
As we saw in the last stage of the PowerShell script, it injects the ransomware (the x86 or x64 binary) into the explorer.exe process. The interesting part came after I decoded those hex byte arrays: I noticed that the binaries have no MZ header, a technique used to evade memory forensic tools or a quick check for executables injected into a process.
figure 3: No MZ Header Files
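As an added example (not code from this post or from the sample itself), the following Python unpacks the three layers described in Stage 1 and flags extracted payloads that lack an MZ header, as in Stage 2. It assumes the decoded base64 blob is XORed as a whole with 0xc4 and that the 3rd layer stores the payloads as comma-separated 0x.. literals; the dropper itself is replaced by constructed toy payloads.

```python
import base64
import hashlib
import re

XOR_KEY = 0xC4  # single-byte key reported for the 2nd layer (assumed applied to every byte)

# One contiguous PowerShell-style array of hex byte literals, e.g. 0x4d,0x5a,0x90
HEX_ARRAY_RE = re.compile(r"(?:0x[0-9a-fA-F]{2}\s*,\s*)+0x[0-9a-fA-F]{2}")

def peel_layer1(b64_text: str) -> bytes:
    """Layer 1 -> layer 2: undo the base64 wrapper."""
    return base64.b64decode(b64_text)

def peel_layer2(blob: bytes, key: int = XOR_KEY) -> str:
    """Layer 2 -> layer 3: single-byte XOR gives back PowerShell source text."""
    return bytes(b ^ key for b in blob).decode("utf-8", errors="replace")

def extract_hex_arrays(script: str, min_len: int = 16) -> list[bytes]:
    """Layer 3: collect every embedded hex-byte array (the x86/x64 payload blobs)."""
    arrays = []
    for m in HEX_ARRAY_RE.finditer(script):
        raw = bytes(int(t, 16) for t in re.findall(r"0x([0-9a-fA-F]{2})", m.group(0)))
        if len(raw) >= min_len:
            arrays.append(raw)
    return arrays

def triage_payload(data: bytes) -> dict:
    """Flag the 'no MZ header' trick; a PE signature further in is a heuristic hint
    that the blob is still a PE image whose DOS header was stripped."""
    return {
        "size": len(data),
        "has_mz": data[:2] == b"MZ",
        "has_pe_sig": b"PE\x00\x00" in data,
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def unpack(b64_text: str) -> list[dict]:
    """Run all three layers and triage each extracted payload."""
    script = peel_layer2(peel_layer1(b64_text))
    return [triage_payload(p) for p in extract_hex_arrays(script)]

def build_sample() -> str:
    """Constructed stand-in for the dropper (not the sample's code): two toy payloads
    in the same three-layer wrapping, one with and one without the MZ header."""
    with_mz = b"MZ" + b"\x90" * 14 + b"PE\x00\x00" + b"\x00" * 12
    headerless = b"\x00" * 16 + b"PE\x00\x00" + b"\x00" * 12  # DOS header stripped
    fmt = lambda buf: ",".join(f"0x{b:02x}" for b in buf)
    layer3 = f"[byte[]]$x86 = {fmt(headerless)}\n[byte[]]$x64 = {fmt(with_mz)}\n"
    layer2 = bytes(b ^ XOR_KEY for b in layer3.encode())
    return base64.b64encode(layer2).decode()
```

Running `unpack(build_sample())` reports the first payload with `has_mz` False and the second with `has_mz` True; pointing `unpack` at a real first-layer blob gives the same triage for each embedded array.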
Stage 3: Obfuscated API Calls Using a Structure
This Netwalker ransomware has no import table. It dynamically harvests the APIs it needs by running a hashing algorithm over the export table of every required DLL module, then saves the resolved addresses into a structure object before executing its malicious code. Below are screenshots of the raw Hex-Rays view of the import harvesting before and after resolving the API hashes and the structure array using IDAPython.
figure 4: API harvesting function
The hashing algorithm looks complicated based on its graph, but it is actually just a loop of XOR and bit-rotate operations with specific keys.
figure 5: Hashing algorithm
But the obfuscation does not end here. As noted above, it places the resolved API addresses into a structure object. That structure is then copied into another variable by a function, and the members are accessed through that copy, which makes the analysis more confusing.
figure 6: Declaring multiple structures as obfuscation
Thanks to IDAPython for helping me create a structure out of the harvested APIs, which makes the static analysis much easier.
figure 7: Add Structure
Lesson Learned:
I learned that there are so many ways to obfuscate code from analysis, and that even a data structure can be used to make the analysis a little bit confusing, as I experienced here. :)
IOC:
https://app.any.run/tasks/6bb00be0-cd0a-4d9a-a1ea-72cd275ded0e/
Powershell:
filename: powershell.ps1
md5: 5bec43ea21e95a68abafa8c7f99d1e6c
sha1: 22df933f2b33f3f4ffee22b51b4f8fa0268bb327
sha256: b7c7fa9b74aacf331871a9e5438678bce46002618fa106429225161d94e22e44
x64 Netwalker Ransomware:
filename: x64.bin
md5: bc96c744bd66ddfaa79d467b757b8628
sha1: a379f9e04708d773a2dec897166780b026f4c4ea
sha256: 2c245db9fb9b2c6e84832662dda3dfff3c6b21128d9fec115f5b989fb090841d
x86 Netwalker Ransomware:
filename: x86_raw.bin
md5: de61b852cadac6afe307652b187ca5df
sha1: fa02c1d394bc150d8a62d3f991d0fdc042ee9724
sha256: e8c5c0b70d45a5dc80d678ed7102abf9882efb9cbc2cff20f171d60d5205051d