Analyzing Ransomware - Finding Bugs

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hello everyone my name is Michael and today we're going to take a look at some ransomware now this sample is actually a pretty old ransomware from I believe 2016 ish I figured I'd kind of overview it because it's got some interesting bugs that I want to go over that actually back then I actually personally kind of looked into decrypting it myself and I've I've learned quite a bit since then so I can kind of figure out why I couldn't decrypt it back then because of the bugs so as normal I would take it into detected easy kind of see what we're dealing with we see we're dealing with dotnet specifically possibly vb.net so it might have been compiled from virtual or Visual Basic so we'll take it into dn spy and we'll see it calls itself cryptolocker with a K because K is cooler you know okay copyright 2016 alright so let's take a look at what we're dealing with here now we can also kind of tell it was from Visual Basic likely because it's got these namespaces of dot my that's usually an indicator of that with my application my computer my project all that garbage so let's go ahead and take a look at the entry point and this is pretty typical for a Visual Basic as well we'll see it just it's kind of a basic application dot run so if we were to jump into this it's not gonna it's not gonna let us like easily see where we're going from here so this is all actually like part of that so let's let's go back and actually what I'm probably interested in is the main namespace here so we have a form 1 and we have an HTTP class let's just take a look at that real quick so we see this is just kind of a quick little function for talking to a server and apparently posing as an iPhone okay and safari on iphone for some reason okay so we'll probably not mess with that let's take a look at the constructor and actually the wrong constructor this constructor so we'll see usually in dotnet you'll have a form load and that's probably gonna be where we have all our actual code and okay yeah this looks interesting so we see something goofy here with right reading reading a file reading the file itself as a string okay we have a random and we have mr. King des here with a bunch of random characters including some utf-8 or sixteen characters whatever and this dot key that sounds like something we want to watch okay and we'll take a look through here we go into a big loop and we're adding to that key so I'm gonna bet this is our key Jen alright so taking a cursory look through here we're still continuing all in the same function here it's not segmented very well we're first going to get the start up path of our application we're going to get all files so all files from wherever this is running from and apparently we're gonna crypt each file if we keep scrolling down we have copy paste code for the desktop copy paste for my pictures my music personal which is like the root user folder and that already tells us this is kind of a new person it normally actually be a little more efficient and put that in a loop so we take a look at our crypt function here alright so we read in the file all into one array which that can cause problems if the file is really big or if you ran out of RAM or something but anyway let's just pretend that this works and we're going to turn it into a string and then encrypt the string and then turn the string back to bytes and then actually write that to the file with a dot herbs so okay so it looks like if we're gonna believe they're naming here we have an aes encrypt function that we're passing our key alright and okay yep they do use Ridge and ale looks like we're using md5 let's follow the pass word okay so they're computing okay so they're taking the password doing an md5 hash of it into this variable here then allocate a 32 byte array and copy the md5 twice however as we'll see in the debugger later they make a little mistake here it's not just taking the md5 and concatenate to itself it's actually overwriting a bite because this is 15 this should be a 16 so basically it ends up where it's it's not just to md5 thrown-together it'sit's a little goofy so anyway we go into ok so we have 32 bytes to the key so that means it's going to be a AES 256 I'm gonna use ECB mode make a translator thing all right input was our string and we're gonna turn that into bytes we're going to encrypt it then we're going to turn that into base64 and return that ok that's quite a bit there that turns into a string which then goes to bytes and then writes that to the file so it looks like we're probably going to see some base64 actually in the encrypted file now I think that's pretty much it for what we have we also have a nice handy dandy decrypt function here so that kind of at least tells us the logic of how to [Music] reverse that encryption that's nice of them so let's go ahead and since we know this is where we want to kind of start debugging let's go ahead and do that so all right start debugging and like I said this is just like boilerplate stuff we can ignore that and all right here we go so we'll see location it's gonna be our path to our to our executable here all right so for whatever reason what are they doing with that to a string are they gonna like copy themselves to somewhere nope I okay they just do that for the fun of it I don't see it references anywhere else alrighty cool okay so we're gonna get a random instance here now the fun part about random is that it's based off the system clock kind of it's actually like the ticks since since the system started up so let's jump into that we'll see here by default the constructor is past environment to account let's go ahead and see what that becomes and alright so our seed for this run is this value let's just grab notepad and keep this safe and RAM where it can't be encrypted that's our seed okay let's go ahead and let this initialize the algorithm and go back up the constructor alright so we have our text here that's going to be used as a char set and we're going to use our random instance generate two numbers here from 0 to 9 billion or whatever that is and we have numbers built as our key so far so let's go ahead and let's see what our key is so far now a fun part here is that DN spy organizes not just alphabetically but like case-sensitive alphabetically so we have to go past all the capital letters which it's really struggling with and my scroll finger is really struggling with there might be an easier way to get to this if anyone knows almost there all right there we go key all right we want to watch on this now note I'm using an old version of Dan's buy because I don't care to take the time to install dotnet 4.7 on this really old vm so I can't add a watch to this it's kind of annoying but here's our key so far we have two big numbers okay so we're going to then go into our loop and we're going to generate a random number between zero and the length of our text which is mr. king des here and so basically we're going to pick a random number from that and it looks like this roll we get this kanji all right let's loop this a couple times we get a G okay a couple times we get another kanji all right let's go ahead and break to the end I want to see what the total key is and do that is a very long long long key I think is like some 5,000 characters or something so dance by it's not going to show us the whole thing let's go ahead and save that to the desktop and call it key bin just dump the binary of it let's take a look at it and here okay so there's two things that we need to note here first off as we can it's really stinkin long in this case I speak decimal 11000 all right 11,000 some now this is technically not a static length because the the first part here are two numbers that are random between 0 & 9 million or whatever so technically it could possibly get a shorter number most the time that I run it it ends up with 2 even numbered here so but the other thing is we noticed all these zeros in between that's because this is unicode so because of our fun little kanji has to actually use 2 bytes to store each character so our regular ASCII characters are just have a 0 in them but some of these characters have to be stored as 2 bytes and HX d isn't going to display that right because it's assuming an C here I'm sure there's a way to make it actually display right but I'm not gonna dig through that so all right so here we have our key that's generated cool let's let's just leave that there all right so next let's go ahead and jump into some encryption now it's gonna grab the start up path to where it's running which is running from my desktop and all right so we have our first file our first victim file step into it yes get her for the name all right cool we are here all right so Pat and we'll notice it's gonna try encrypt itself not very smart let's let's edit this I don't feel like messing with that let's go ahead and got to keep it in quotes cuz it's a string and we have to escape so let's let's encrypt a file that I want to tell it to encrypt zeros dot jpg so that is just a bait file here zeroes it is just a bunch of zero bytes so we can kind of see what's going on here so alright let's go ahead and follow this so we're gonna read the entire file into one variable there we go and we'll see expanding 10,000 child's nothing with zeros all right now we're going to turn it into a string using the default encoding okay go ahead do that and we'll see string becomes a bunch of escaped zeros so it becomes a zero string of zeros but they actually have these slashes so that's interesting because that represents a zero byte okay so we're gonna go ahead and encrypt our zeros all right so we're being passed our password now it displays okay here because it's unicode and we have our input of the slash zero slash zero chain so let's fire up a ridge and Dale instance let's fire up a md5 instance we're gonna have a destination array which is going to be end up being our actual AES key and right now it's initialized to a bunch of zero bytes let's go ahead and alright so they're taking that md5 and we're copying it into the beginning of our buffer alright so that's the first 16 bytes we're gonna watch here you would expect there to be six ten d8 right after here however notice they just over wrote the fifteen so once again that fifteen should have been a sixteen and then we have a zero bite at the end so it's a little goofy but whatever long as we can reproduce it so we assign that as our key and all right let's go ahead and I think I can grab this can I this old version let me know go ahead and should be a save there we go AES key dot bin so let's take a look at this all right so here's our AES key you'll see there's the repeating md5 but chopped off the 58 let a zero at the bottom whatever alright so let's get back to our function here all right we set our key tell ECB mode create an encrypted all right here's gonna be something interesting so we have our input which is this goofy escaped bytes array excuse me now we're going to explicitly turn into bytes assuming that it is ASCII now we'll see later on why this is a problem so all right so now we have bytes and let's take a quick look at that yes expand it and okay so since the since that string is a bunch of escaped zero bytes this terms this file turns out okay so it's okay it's a bunch of 0 bytes that's what we expect so we're gonna encrypt it with AES 256 and then we're gonna base64 encode that all right so here's our base64 of our encrypted file alright let's go ahead and return that turn that to a string then let's go ahead and turn that into bytes that's why not just do a million operations of flipping between bytes and strings and becomes I'm looking at their hung one that got me confused their bytes two bytes two is our encrypted bytes and we'll see these are ASCII characters so that's the ASCII of our base64 alright let's open up a new file with the herbs extension it took a second there's our file let's go ahead and write our bytes to it dispose and delete the original all right there gars are lovely zeros can't read it all right all right so here's our encrypted bytes here and you'll see there's a repeating pattern that's because of the ECB byte block mode so every 16 bytes of the cipher text is the same which translates into this many base 64 bytes so let's go ahead and we have enough information let's try to decrypt this since we stole the key now realistically we can brute-force the key in this case but we'll see why that's gonna cause some problems later let's go ahead and use crypto tester and let's try to decrypt this I'm gonna grab a healthy amount of data here let's go ahead and input as base64 alright so that decodes to as we see here ECB is a repeating cipher basically so we stole the key we have an aes key right here we need to go to a EES ECB by default it technically uses pkcs7 but for padding but we're not gonna care about that and decrypt alright so we have our lovely zeros back so you would think all right let's lttle the Decrypter patch it get it out the door that's what I tried to do several years ago then I ran into a bug when I tried to decrypt actual files let's find out what happens there so we are alright so we're gonna try to encrypt ourselves again I think where are we so we just encrypted a file alright let's let's loop go to the next file and yep get er all right let's change this open now it's going to try to encrypt the crypto tester alright let's let's change that let's tell it to encrypt a file we want to for speed here because this is very very very slow ransomware as you see we're switching between bytes to strings to strings to bytes to base64 reading it all on one it's a mess it's really slow so we're gonna do the DNA and Christ many times I've had to spell that alright so let's go ahead and watch that getting cryptid read the whole thing into memory alright d6 b22 that's I recognise that as the length and we'll see here this is the jpg header so these are FF d 8f FeO and then there's some zero sections some FF II that's just something I'd recognize as a JPEG so we're going to turn that into a string and we'll see our yoga that's also another that's the string version of it will see some escaped things here so we have the actual these are the actual byte values that are being escaped and with the slash u means it's a Unicode Unicode zero zero one Unicode zero zero zero two so all would be okay if they continued on this goofy path but as we'll see here let's go ahead and jump into encryption function build our key or md5 goofiness all right all right now here's the other bug note that we're using ASCII these are not ASCII characters so what happens they get turned into garbage all right what's a 3f on this up 3f I hate that 3f is literally a question mark so it gets turned into a question mark because it's not a it's not a valid ASCII character I believe you can pass a flag to tell it what to do if there's an error like actually throw an exception or return null or something but they shouldn't have done this at all so anyway let's continue so AAS encrypt that then turn it into base64 and that's some weird-looking base64 but it is valid base64 all right so this is what we're gonna see in our encrypted file all right then we turn that into bytes and write it to the file with the dot herbs delete the original okay so our beloved Christ's anthem um has been encrypted what shall we do let's try to in it let's try to decrypt it with our key we stole let's go ahead and import that as base64 alright we already have our key in place and kind of looks like the Christ anthem um file maybe maybe not really see it's a still above it's still a bug okay so I'm gonna have to save this stream let's just save it to here all right so let's compare our poor files here so we have the dump and we'll see here yep there's our question marks so each of those bytes that were not in the ASCII range got lost completely there's no recovering these values now you could probably like if you know the file format you could probably rebuild some of this like some of these bytes are like the magic header and I don't know the full spec of of that but let's compare it to a the original as I switch between here you can see what's what's missing like these BFFs and all that stuff so that poses a big problem even the criminals cannot recover some files now some file types as we saw the the zeros we're totally fine if it's a text file it's probably gonna be fine if it's like a word document the actual contents of it will be okay but it probably will lose some styling and might need some tweaking to like recover the text but it'd be it kind of okay pretty sure like a database or a virtual machine would be completely gone so it's quite a shame it's quite a shame when you run into bugs like this so we'll go ahead and let's go ahead and just let it run its course and we'll see its it's pretty darn pretty darn darn slow because it's so inefficient I think it literally takes like five or ten minutes to to run just a shame I I probably could patch out you'll see it it did do the desktop so it's at least got past the desktop I kind of do want to display the final bug if it doesn't take too long hair and the longest part is gonna be the user folder let's pause it see where it's at alright that's a yes matrix there Krypton transform all right so we are currently encrypting some type of a JPEG which is going to get some data lost no it's in my pictures alright let's see if we can mmm it might be too late for me to patch this out I'm not sure are we right there let's let it continue to hear I shouldn't have much in the pictures folder oh I've got a really big file here it's gonna have fun with especially the base64 is gonna be really slow so slow that it's gonna kill my debugger Wow okay generated the new file it is interesting to watch this in real time there we go all right come back to me hmm there we go goodness all right let's hmm kind of figure out something on the fly here let's see if we can edit this out a little it at i/o instructions I'm not super well versed in il mhm my apologies I probably should a oh that's interesting okay so it actually has one of the one of the encryptions is only okay oh it only hits the personal folder if it if it ran into an exception of nothing running okay that's rather silly so it should be almost done then uh just has to encrypt my music right I did my pictures did my music Oh yep okay alright here we go so we have some German here I do not speak or read German at all from what I understand the extension means autumn or something so okay so it did finish encrypting took forever and on big files because it's reading the entire file into one byte array which is very very inefficient especially if you're doing base64 on it then now the other fun fun part is if we take a look we saw that there's a decrypt function here so like I said I could literally just rip this and throw it into my own decryptor I made mine a little more efficient though whoops old version uses ctrl R we see the Dickert function is used by a button click hmm okay now it also looks like it only decrypts the folder that the executable is running from the startup path we see button one click I only see one button decrypt I probably should have said a breakpoint it might have already worked so here's the funny part it does decrypt on its own if you leave it running just move all your files to the folder that it it was running from and it's kind of bug out all right okay we did break all right what do we what do we decrypt in here get past the gutter and go back to our locals all right and we'll see also it encrypts multiple times because especially since I ran from the desktop it encrypted remember the first thing it encrypted was the path that it was run from so it encrypted my desktop because I'm on the desktop then it went back and explicitly encrypted the desktop so we'll see all these files have verbs right let's let it do its thing so it's gonna at least strip back oh no it does continue okay so it did it decrypted these files now some of these might be okay since that PI files are you know they're they're ASCII characters just by what they are so we probably got this file back okay like really tanking here and nope okay so I bet what they did I didn't even I'm learning some new things as I'm looking at this so they did they like strip yeah they they didn't realize that it's encrypted twice so they do a global replace of the extension instead of just stripping off the extension so this file is actually encrypted twice and they they're gonna get on me they only they they only decrypted at once so we have to do the rest of the job and you crypt it again base64 decrypt all right this looks more like our actual file so let's let's save over and reload and yeah there's actually that's what this file is is hashes aids filed a PNG there's some garbage bites here though because those are like end-of-file de limiters or something not sure anything that was not like in the English alphabet basically gets lost or the Latin alphabet technically so that was gone my poor crypto tester which I'm not sure I must have okay wasn't able to delete it but I was able to encrypt it anyway okay if we take a look at that in notepad plus plus it's probably still got the base64 right and I shall load it in the hex editor first as you can see this this thing is very very buggy Kevin okay so anyway point is it destroys a lot of files now why is that some files might be somewhat recoverable with a little TLC basically but kind of a damper when you know the victim gets encrypted by ransomware and then even the criminals can't recover some of their files which is sad kind of ridiculous but as we see there's there's a lot a lot of goofy bugs with this or hands somewhere so that's why I figured it'd be worthy of a video I may still release a decryptor just in case some victims did get hit by it several years ago I believe I can't I can't quite remember the name of the company right now but they did release say kind of a quick little blog with some of the points that I went over they didn't go into the bugs but they just showed the general logic of the encryption but they didn't release a Decrypter or anything I have seemed to my website ID ransomware some submissions actually one was pretty recently which is what kind of went on my radar and kind of remembered about this ransomware so I might release it the encrypter anyway I might have to finagle try to fix some files if I can depending on some formats like maybe JPEGs I might be able to recover some of it but at least you can recover some files better than nothing so anyway that's been a nice little quick analysis of specifically looking at bugs at ransomware if you have any questions or anything feel free to drop them in the comments otherwise I will see you next time
Info
Channel: Michael Gillespie
Views: 1,339
Rating: 5 out of 5
Keywords: ransomware, malware, analysis
Id: xXZois_JXHA
Channel Id: undefined
Length: 36min 18sec (2178 seconds)
Published: Fri Mar 15 2019
Related Videos
Analyzing Ransomware - Completing a FULL Analysis
Michael Gillespie
6.4K
Analyzing Ransomware - .NET Ransomware with a C2 Server
Michael Gillespie
808
Analyzing Ransomware - Reversing Basic .NET Ransomware
Michael Gillespie
6.6K
EMPATHY - BEST SPEECH OF ALL TIME By Simon Sinek | Inspiritory
Biograflick
3.9M
Don't Talk to the Police
Regent University School of Law
14M
Analyzing Ransomware - STOP | Getting Started
Michael Gillespie
1.9K
Analyzing Ransomware - Reversing AutoIT Ransomware
Michael Gillespie
2K
Analyzing Ransomware - Recreating an LCG Keygen
Michael Gillespie
688
But how does bitcoin actually work?
3Blue1Brown
10M
Analyzing Ransomware - Dumping a CryptoAPI Keygen
Michael Gillespie
2.1K
How Hidden Technology Transformed Bowling
Veritasium
5.3M
Inside the mind of a master procrastinator | Tim Urban
TED
44M
Billionaire Mathematician - Numberphile
Numberphile
3.4M
CG - Malware Analysis 101 - N00b to Ninja in 60 Minutes - Grecs
BSidesLV
864
Analyzing Ransomware - Decompiling Python Ransomware
Michael Gillespie
4.1K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.