Analyzing Ransomware - Completing a FULL Analysis

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hello everyone my name is Michael and today we're gonna take a look at some ransomware now this one we're gonna try to do a full analysis so let's get started here so take a look at detected easy see what we're dealing with and it is a visual c or c++ executable so we're gonna have to disassemble it take a look some entropy it possibly isn't packed this isn't always guaranteed but a good indicator it's probably not packed so let's go ahead and jump straight into Ida so let's see the disassembly of this the starting point usually is just full of a lot of rabbit holes so I'm gonna ignore that the first thing I want to look into is how is it probably generating keys so to generate random functions most commonly if you're gonna do an import you're probably gonna use like get tick count or let's let's take a look at some prospects with that we see it's called from one location here okay however the function it's in it's called from a jump this in turn is called a whole lot so this could be just generating a number for anything so just from digging into some rabbit holes with this one myself that's actually not where the keygen is unfortunately so the other prospect we have is Jen random so let's take a look at where that's referenced that's referenced in one place and this looks a little more promising so we have the cryptic wire context which you have to use and already to use this function then we release it so we're generating four random bytes now these bytes we cannot reproduce it's a secure random number generator so we're only generating four bytes so that might be interesting to keep a look out for let's go ahead and rename this let's generate four bytes all right and let's see where this is being called it's called from one location which is in a loop okay designated by the thick line so let's see let's kind of figure out the how this loop is what's doing so at the end of the loop here we have the register EBX and we're subtracting one from it then what that does is it fills a flag if EBX becomes zero or the calculation becomes zero then the zero flag will be set and as long as that flag is not zero we're gonna jump back to the beginning of the loop so we're start we're gonna start from some number and subtract one each times so let's see what ABX gets set to yes I know EB X is being popped this value which is ten hex which is actually 16 so we're gonna do 16 iterations of this loop okay now let's take a look at what else is going on here so we know that this function generates four secure bytes then that's going to be in the EAX register so we're going to have that ready for our calculation so let's go ahead and push the value of 25 and we're going to put that into ECX it's what this push and then pop does we're gonna clear edx because we're probably going to use it for or something we're going to use a divide so this is going to take the ECX register and do a division with the EAX register so I think it's actually a X divided by ECX and that's gonna the results going to go to EC or go to e ax and a remainder will go into a different register so we're doing these four bytes are going to be treated as an integer we're going to divide it by 25 then we're going to come down here I'm gonna move some registers around and we're going to add 97 okay then we're going to do some push call function not quite sure what that function does but probably probably gonna add it to this variable I'm guessing so I'm gonna iterate 16 times do this little math and then at the end we should have 16 characters or 16 bytes so let's go ahead and take a look at this in the debugger let's first name this it's just called a keygen basically what we're doing with it and actually if we just check where that's called just make sure it's not like called a million times we only really call it once so let's go ahead and set a breakpoint at where that location is so we have 4 Oh yep to be 5 all right so let's go ahead and we've already broken at that point let's get down to our loop all right so push 16 onto the stack or on to the register rather all right a loop so we're gonna call our secure bytes here's the results of that we have 4 bytes and we're going to push 19 into or hex 19 into ECX I'm gonna clear EDX there it goes there's 0 divide ax by ECX then we'll watch as ei X becomes the the result of that division and EDX becomes the remainder so this is basically since we're next going to be using the the EDX register DL that means we're taking the modulus of this so let's go ahead and we moved move some registers around whatever reason alright let's add that and suddenly we see it becomes a value that actually correlates to an ASCII character so we then do some push and move and all that stuff let's take a look at this value so let's keep a watch on this register here or value rather so I go through the loop again here's our counter EPE BX as we identified all right do some math and now we have an S okay and push that and suddenly we have a we have two letters put together okay let's loop again and today we have an F okay so let's find out where this is being referenced let's just jump through a couple times all right cool let's set a breakpoint and just get to the end of it so alright so ESI now contains our full key which is currently an EI X also an ESI let's just go ahead and follow one in the dump now since this is actually we'll see we don't see our string here we see kind of part of it but actually this is being dereferenced just kind of like you'd do in C so actually this is an address this is a pointer so we need to select this as a D word four bytes and follow that and there we go here's where our actual memory is with our key so let's go ahead and let me modify these breakpoints let's see if we can just kind of verify our math that's going on here so I'm gonna restart this we're gonna get a completely different key but oh well so we're at our loop all right so let's do some math and we'll do that by creating some Python okay so what we've observed here is let's let's just do you know we have an a D word coming in so we need to take the D word we take a modulus of 25 and we add a 997 to it now that is actually because 25 is the length of how many characters are in the alphabet zero-based and then 97 is actually the ASCII character a so let's go ahead and do like let's see actually we need to convert this to a character character let's do okay and let's take an input V one base zero all right so let's kind of follow this along just as a proof of concept Python keygen alright so even though this is a number we can't predict let's predict what the what the key is gonna be as it generates it go ahead and copy that value make it hex window seven don't let you do that okay so we should get the letter C okay push through here and there's our letter C okay let's try playing that magic trick again let's copy that paste this in okay we should get the letter X and we do all righty so this is just a proof of concept of what the key jen is doing now we cannot like I said reproduce or brute force these these numbers that are being fed into this algorithm unfortunately so already we have basically a secure generation of random characters that we can't reproduce unfortunately so that's that's one one thing off the list on what we want to look at here now there's actually a bit more going on here if we go past if we go past here we'll see there's a lot more calling of functions and operations going on here so it's not just the key Jen so we actually have a bit more probably being acted on the key Jen so let's see well that's going on here let's take a look at the strings and already we see there's a public key so let's go ahead and copy that and go into crypto tester go to blob analyzer that is a PEM string so we're gonna import that way get rid of little denominators here so let's see what this public key is it is a public key blob and it is RSA 1024 so we know once again that's secure can't break that and we could you know take a look at the actual factors see if those are on factor DB which they probably aren't unless someone leaked it so all right so since we know that we're using that and we had a couple of like failed errors for some context and import okay so let's take a look at another crypto function so we've got when you've got that type of a PEM string do you need to use these two functions you have decode object which basically takes that PEM format and turns it into what the crypto API needs actually actually I think it's string to binary I might be getting these mixed up it's it's a combination of these functions so we're probably gonna have that all in one function that uses them all so yep inquiry context okay so yep decode string to binary all right so that's the first one so C 800 which is 2048 okay interesting alright so we acquire more context we import we do some crypt encrypt here actually and if we go down here again there's actually a second crypt encrypt now the reason for that is this first one if we follow this in the debugger we could see what what these get these registers get resolved to the first time you call it you're gonna basically give it null and it's gonna spit back out what what the size of your buffer needs to be so for example in here if I want to decrypt say you know our key of 16 bytes I'm gonna I'm you know we're gonna probably pass into this variable we're gonna tell it 16 and then we're gonna call this with no actual data to encrypt and it's gonna spit back how big you need to have a buffer ready to actually encrypt that data so in this case since it's RSA 1024 it's gonna spit back a hex 80 saying you need to make a buffer that big and actually if we kind of follow the rabbit hole on this stuff this function actually for all intents and purposes it's basically memset and let's see we come down here wing encrypt gonna encrypt the key so let's go ahead and follow this in the debugger so we're gonna want 404 big point four of get focus point 404 c63 6e c63 there we go alright so let's go ahead and remove our break point there actually let's let's see what our key is alright so our key this run gonna be that string let's go ahead and follow that whoops follow that back in the current dump and here's our here's our current key go ahead and do a binary copy let's just kind of save that over here oh all right so here's our key let's go in here and let's follow let's go ahead and jump to our Crypt encrypt so we can take a look at our registers here or actually we can take a look at the stack okay so saying all of that alright let's correlate with which register we're interested in so we want data length which is where we push EAX okay so we have a push EAX which is this variable let's take a look at that in the dump all right so we're passing hex 10 which is 16 so like I said we're telling it hey please please tell us what we need to allocate for encrypting 16 bytes and crypt encrypt is gonna come back with 80 hex so it says that's how many bytes you need to allocate a buffer please all right so we do some stuff and we see that our keys still in memory and EDI pointed to an EDI all right so now we probably have an actual buffer and EAX likely no wrong no okay it's yes I I missed the click all right so here's our buffer and we'll see it there's actually like a mem copy going on so we allocated a buffer that is eighty hex bytes so let's jump through here and tada it's encrypted all right so our keys been encrypted by RSA so we cannot get it back however let's go ahead and copy this and just store it for observation purposes all right so we got a key we've got an encrypted what are we gonna do now alrighty so the next thing we need to know is what's it encrypting files with so for this since we saw the Crypt all the Krypton crypts are just for RSA it's not actually used for anything else we're gonna use another tool to try to see if we can get a hint first so I'm gonna use this program called PE ID it's supposed to also kind of work like like detect it easy but it doesn't really find what it's compiled with half the time what I'm actually interested in is this plugin called crypto analyzer or canal and we'll see here it found the crypt gen random which is related to crypto and the crypt encrypt but interestingly enough it also found something for an algorithm called teen okay so it found 2d words or 32-bit variable values constants of a 32 round teen Delta and a pre computed initial sum okay so let's take a look at this this entry point now I wish there was a copy-paste here but there is not however it does take over my screen so I hit the G key on my keyboard I'm in the background there's a prompt up for me to go to address and I'm typing that in and all right so here's here's one of those constants it must be talking about we have some variables variables isn't exactly a constant but actually spoilers that it actually is an address to a constant but we have a very clear constant here push 32 so I talked about 32 rounds so that's probably gonna be yep once again we have edx acting like a counter so we pushed to 32 and then we popped it into edx all right so we're doing thirty two loops of this and we have some shift left shift right I think there's an ad in here there's some X oaring okay so yeah this looks like some type of crypto function so it's talking about teen function so that's interesting let's let's find out what that algorithm is yeah let's put in this constant and we'll see it comes up with the tiny encryption algorithm T let's take a look at the Wikipedia article on that and we'll see just a preview it's a block cipher really simple I don't understand this part of it but if we take a look down here it operates on two 32-bit unsigned integers uses a 128-bit key if you divide 128 by 8 it is 16 which coincidentally enough we have a 16 byte key uses a feistel structure blah blah blah kept oh math golden ratios all right here's our actually that is the wrong constant let's take a look here and we see some code okay I can read code here's our constant there's that see vet C value C 6ef so that is part of a decrypt function okay we see here it's that something about the sum of 32 times Delta this is actually a precomputed you don't have to this is just for speeding up to optimization you don't even have to have this in here it can be calculated in this loop but back to that canal it said it didn't say T it said T n so actually T has a couple of variants as we'll see here the first version was T block T then there was XT and if we take a look here that actually looks pretty similar and then if we go back again there's also a third time X X T where they corrected it again now this is actually looks quite a bit different I've actually not messed with this algorithm too much but it's quite different now canal said TN which is actually another name for XT however as you see here they they use the same the same constant and actually the code is very very similar it's Delta x number ounds it's actually because number rounds is going to be 32 times this constant is our other magic variable so we can't just rule out which one of these it is just by that detection so we're gonna need to take a look at the actual code so let's dig back into Ida and let's compare let's see this is our this is our round we're doing 32 rounds this is our internal for loop basically so let's see here we have a shift right I'm gonna I'm just gonna use tabbing to jump back and forth we have a shift right of 5 so order of parentheses looks like it's over here we're doing something by shifting 5 then we have a shift left of 4 which looks like it's over here then we're doing an ad of an argument okay so it's I think it's actually this one first then we're doing an XOR that's going to be one of these then load and effective do another XOR alright and we do a subtract move shift we do another five another shift left four and then we do another some more X ORS you'll see each one of these is that is an XOR and XOR and then an ad is in there and that looks like this ad then if we come down here and we look at this we have like some pop and move functions if we actually like watch that in the debug or we could actually see it's doing this part where it's basically reassigning our computed variable back to the buffer that was input so I would say safely this is actually T and not X T because XT has some extra shifts by 11 we have an end of three we don't do the shift 11 in the second one so it's it's definitely T so we know what the we know what what the encryption is however as we notice this this Verret this constant is only used as a pre computed some in the decrypt so we're not in the actual encryption function so let's go ahead and rename this this is uh T decrypt sorry my hands are frozen it's cold out so we have a decrypt function and we're iterating over eight bytes likely so we're adding eight to our counter comparing it to an argument compare that to sixteen all right so okay so T as we saw up here works on two 32-bit integers which can be derived from a 64-bit data block so that's 16 bytes so we're eight bytes re-divided 64 by eight so we're operating with 8 bytes at a time for each block so that'd be why we are incrementing our counter by 8 so I'm gonna bet what we're passing to this decrypt function is going to be our buffer and we're just pointing to it saying okay the next eight bytes now the next eight bytes doing that until we hit our four which is being passed into the function my best guess would be that's going to be like the file size and we're doing a 16 just based on we'll see this later but it's actually it's actually building like a buffer of 16 bytes and then encrypting 8 so we'll see and after math of that with files that are not even it kind of acts like padding basically so like I mentioned this is decrypt bytes okay so let's let's jump up and see where this is called so we have some decrypt and decrypt called down here again okay so we see that I just filled in a couple of variables for us so looks like they're calling the file size and setting pointers and okay here's a here's an extension that and actually since this is a decrypt function I'm guessing it's gonna remove that extension so let's go back up some reason they look for this string I guess okay let's go back up delete files for this okay so this is decrypt off this is decrypt a file ripped file let's see where that's called and we have a logic gate so it looks like we're calling the decrypt function if something equals this variable okay so there's a decrypter built into this that probably actually accepts the key so that's interesting however on the other side here we have another function call let's dive into that one so we close the handle we see some indicators if there's some number of bytes and a buffer and some variables we get a file size okay and we add our extension some reason they do the period then the email address with exclamations okay now I'm gonna cheat and find where that encrypt function is actually called because it's kind of buried in here okay so it is okay there's actually some more some more functions we need to resolve here let's see create a file might be interesting to see where that's being called and that's calling everywhere okay actually what I'm looking for is right file because it doesn't directly call this function so to say where am i I'm cross-referencing with my other screen okay so we're filling some variables here so this looks like yeah basically a wrapper for the right function let's just call that ate file zero so then we can see where this is called and we can see every time now let's we see that Ida was trying to tell us that these variables are being called in here so we have right file one I think there's another one I need to resolve real quick read file read file all right I think it's just the first one here let me confirm is FD for yep okay so this is a read file wrapper kind of alright so we see that is mostly called in the decrypt function however we also get it called over here all right so all right we got some get file sizes and all that so we're writing a file right into the file okay we have a lot more right file calls here is this mine all right let me see let me see where where that encryption is I did dig through this one quite a bit before so just a sign I am still a newbie at this I'm gonna cheat and jump to that 409 72 so what I'm trying to jump through here within maybe like a half hour to an hour video took me maybe 2 or 3 maybe 4 hours so let's take a look into this function and once again we have iterating blocks of 16 and then we're encrypting in blocks of 8 all right so jump into this function and this looks familiar so this is actually our encryption function let's go ahead and name it t encrypt jump back crypt bytes and so this is our whole logic for encryption crypt file and once again we jump back and we see there's logic for either encrypt or decrypt based on some type of variable so all right let's jump back down and confirm our encryption TN quick bytes loop into here T and crypt okay so yep once again we have that exact same shift right 5 down here shift right 5 shift left for do some add to do some X ORS flip the registers all right so we've gathered how the key is generated how it's secured and how files are encrypted now the next the last thing I want to look at is how how the format of the file is because I'll have to run them out where to actually see this but I should have a sample file from another execution that I don't know the key of actually I do we can see a pattern here since this file was nothing but zeros we'll see a pattern it's encrypting the same thing over and over and is in 8 byte blocks so that's how we can see it's a cipher block cipher of 8 bytes now if we come to the bottom here well notice our pattern stops so we have this much to figure out what is being written here so that's 91 hex or 145 bytes that are unaccounted for we don't know what that is quite yet so let's find out and let's let's jump back up to our encrypt file function so we saw there's some write files and we're pushing EAX quite a bit so if we look at the number of bytes to write it looks like we have some chunks so first off we encrypt this is probably a loop and we're writing to the file in in a loop of probably like 8 bytes looks like we check file size for some reason probably see if we're at the end of the file all right so then the next time we call write file is with yes I which if we follow es I back up here is being popped which means the previous push is 16 so we have the the file encrypted file then we have 16 bytes of something we'll find out later we write that to the file now we're going to write one bite of something from the buffer we see that one okay then we're gonna push hex 80 or 128 bytes we're gonna write that to the file which would be the rest of that hex 80 okay so we see the write operations we know where we need to break basically so let's do that let's go ahead and I want to break at this point all right so VP 409 bad short-term memory AC break and all right so we are encrypting a file under C users desktop any let's go ahead and follow that and it looks like we've already gone through and let's see this looks this well should look familiar if we look back here okay so the ransom note actually is a hex representation of our this is our encrypted key so this is the key that we're gonna use for T encrypted with RSA dumped as lower case so that's how the criminals are getting it you know you send them the key which is encrypted they use the private key they decrypt this and it becomes this so let's see whoops lost track what I was doing users why is the file not their users desktop it's a hidden file and show hidden files and unprotect that okay so if we open this it's already been scrambled now I can't open it in X or H XD because there's a file handle on it I don't know why notepad can open it though but we'll see here since it's not ASCII we can't actually prove that it hasn't written anything else to the end of the file yet but let's watch so all right so there's our key okay that's interesting it's an e ax and actually we notice there's a encrypt bytes call here now if we actually watch this this function let's see if I can do this which function is it is that I'm just going to print put a breakpoint there for o99 there it is alrighty so here's our T encrypt function again and we'll notice that we have a register or we have a couple registers with our key okay so we have it in EAX and go to here we have an EI x we also have it referenced in ESP since it is a pointer here it is alright so let's see it seems like where we might be putting that in here okay so let's go through our T encryption here jump into here and we'll see yeah actually these two variables are actually this is correlating to V the first one is our input and then we have the key so this is this actually I found it's very strange its encrypting the key with T with itself so it's encrypting this string via T with this same string even though they already encrypted it with RSA I I've never seen that before okay return return yeah okay where were we all right so we have one of these is going to be a right bytes and that's actually going to be the one at a CD so this is our right byte function the one that's repeated so many times let's go ahead and go down to it let's see what we're pushing here so EAX is our buffer let's go ahead and actually we can already see one of our one of our keys got encrypted here okay so we should be expecting that in the EAX register I guess and yep okay so we're going to write that to the file so we should we should expect this encrypted T key to be at the end of files that's very interesting okay then we're gonna push one and that's gonna be ya X is gonna be our what we're gonna push again we're gonna push a zero two to this file okay and finally we're gonna do another write with hex 80 bytes or a 128 and let me see yeah this one this one is gonna be our buffer and actually that is our RSA key or RSA encrypted key so at this point we know what the structure is let's go ahead and let it okay closed handle what's called can we open it yet we can okay so when you know the end of the file let's see we have how many bites was total bytes would have been a 91 okay so we've got these many bytes are added to the file now we see this 0c blah blah blah oops that is our encrypted T key with T and we have that 0 2 and then here's our RSA encryption key so we know what this what this file format is honestly this - I think it's derived from the file size I think they use it like a checksum kind of that's probably the only part of this ransomware that I haven't figured out 100 percent I can I can only guess it's a checksum but let's go ahead and just let this let this puppy free and running and I can't open files anymore okay so should I think it crashes Explorer actually in a sec here all right so we got some encrypted files take a look and hex viewer let's take a look at that last block here so yep we have once again we have there's our encrypted T key T with T we have our mystery checksum and we have our encrypted key with RSA now since we know that the file is T and we stole the key from memory let's try to decrypt this file as a proof of concept and I also want to show something so I've got crypto tester here my program for testing encryption which this might be running slugs I bet the ransomware is pegging my virtual machine now I've got it open here all right so we cheated we have our key its hex let's go ahead and grab one of our encrypted files ooh really pagan okay I'm gonna kill it come on don't lag out on me on video come on there we go okay so we just need to select T and decrypt right OOP not aligned okay we know that so we need to take this number and we need to minus 145 we only need to decrypt this much of the file so let's go ahead and decrypt and we'll see what happened it's doesn't look right there's actually a trick with the implementation of T so the T specification doesn't actually tell you which endianness to use so if we flip this to little-endian we get the correct values and what's actually happening is if we watch in the hex editor in the debugger when it loads this when it loads this we know that it loads four bytes at a time as a integer 32-bit integer it's actually reading these bytes in Reverse into the registers so it's reading a 5933 90-89 then doing the math of T then spitting it back out back in Reverse so that'd be why I added a little little endian feature here by default most Windows systems are big endian so if we don't have that little reversing we get the wrong decryption here and that actually honestly threw me off for a long so but we can recover our lovely lovely chrysanthemum in pictures without the extension gotta kind of love the Christ anthem um however like I said I cheated I pulled it from memory as the malware was running so unfortunately this ransomware is not decrypted without the private RSA key but we've fully analyzed how it generates the key we have a proof of concept keygen yes it got encrypted if we pull the D words from memory we can predict what the what the letters going to be we've discovered it's using the T encryption algorithm and we figured out the file format on what would all this stuff at the at the end of the file is so that's been a full analysis of a ransomware and let me know if you have any any questions or tips for me if I kind of stumbled around something too long well again I am a beginner at reverse engineering but hopefully this helped with kind of highlighting like a complete analysis of a ransomware so please tune in for more videos in the future thank you for watching
Info
Channel: Michael Gillespie
Views: 6,472
Rating: 5 out of 5
Keywords: ransomware, malware analysis
Id: rRv5vTctePE
Channel Id: undefined
Length: 48min 22sec (2902 seconds)
Published: Fri Feb 08 2019
Related Videos
The Map of Particle Physics | The Standard Model Explained
DoS - Domain of Science
473K
Java Project Tutorial - Make Login and Register Form Step by Step Using NetBeans And MySQL Database
1BestCsharp blog
14M
Analyzing Ransomware - Finding Bugs
Michael Gillespie
1.3K
Reversing WannaCry Part 1 - Finding the killswitch and unpacking the malware in #Ghidra
stacksmashing
756K
But how does bitcoin actually work?
3Blue1Brown
10M
How does a USB keyboard work?
Ben Eater
788K
Analyzing Ransomware - Recreating an LCG Keygen
Michael Gillespie
688
Don’t Wake Up to a Ransomware Attack
CISA
5.1K
Wireshark - Malware traffic Analysis
Hack eXPlorer
74K
Inside the mind of a master procrastinator | Tim Urban
TED
44M
The SOC Age Or, A Young SOC Analyst's Illustrated Primer | John Strand | 1 Hour
Black Hills Information Security
10K
Analyzing Ransomware - Reversing a CryptoAPI Decrypter
Michael Gillespie
3.1K
Reliable data transmission
Ben Eater
1M
Ryuk Ransomware: Live Demo and Analysis
The PC Security Channel
30K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.