Analyzing Ransomware - Reversing Basic .NET Ransomware

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hello everyone my name is Michael and today we're gonna take a look at some ransomware now today sample I've decided to go with a kind of older ransomware that has some kind of interesting quirks with it that actually may lead to its demise and hint so as before we're gonna go ahead and take a look at this executable once again links to any tools I use and the sample will be in the description and we can see that it has been detected as a dotnet executable so that will make our job typically a lot easier we don't have to disassemble to like assembly code and all that stuff dotnet actually nicely D compiles almost back to original source code so it's kind of like cheating on almost so if we can go ahead and I'm gonna use the D compiler called DN spy it is a fork off of il spy with a couple extra features now I've already got the sample loaded here because it took quite a bit to open and we can actually already see our first hint as to what ransomware this is based on the original executable name of SM RSS 32 if we go ahead and drill into this we can see even the even the name space is called SM RSS 32 so we can go ahead and drill down we can see it they've nicely organized some of their code we have the original program class that's probably going to be where the entry point is we have a crypto class which if we expand that looks like we have some nicely names functions for decrypting and encrypting some strings that seems like something we'd be very much interested in reversing a ransomware there's a class for deleting a file it's probably not too interesting here let's go ahead and we can actually right click on the executable here and go to the entry point now it will decompile here just a sec and we can see where the program would run as soon as it was executed and we'll see some garbage here with setting up some next some exception handling I guess seems like the very first thing it does is it gets an image and if we take a look through here this actually to me would look like it's possibly going to be a ransom note so right off the bat it's saving a ransom note but it looks like it's actually reading it as we see here the directory get files it's looking for a BMP in the startup path of where the application is running so this already gives us a hint that this ransomware doesn't come alone it probably comes dropped with other files and we'll see more evidence of that later here so it probably comes with a BMP and it actually sets that as the wallpaper here we see it creates a wallpaper and if it already exists it deletes it then it copies it yeah I don't know what that's all about let's go ahead and I press the backspace key to go back to where we were before so we'll take a look through here apparently if it had trouble with getting that background image it will actually abort that's kind of weird this next function here looks quite interesting we have a get public key so let's take a look into that now once again we're getting a file from the startup path of the application dot key and blah blah blah bore just reading the first file that we find with that extension and it looks like they split it by a character here with an underscore so we're probably already we can tell that we're looking for a file that's dropped with this that has an underscore in it and the extension dot key once again we abort if we have some trouble with that so here we can look into what they're doing with this key obviously I'm very interested in this because it could be a weakness we need to see if there what type of key it is possibly and if they're handling it correctly so we'll see they're gonna take the take the name of the file replaced key take a substring of it this too actually means the starting index so starting with a string or acting like the string is an array starting from 0 1 2 so we're skipping the first two characters and they're going to use that as a shared secret so that's a very interesting terminology that they're using here so we're gonna go ahead and we're gonna read the whole file into this array so whatever's in that file is now going to be passed into this decrypting function and we'll take a look at those arguments there we have the first argument is the cipher text and then the second one is our shared secret so already we can tell how they're using this key or at least how they're decrypting this key and possibly using it later they're using the actual file contents and it's an encrypted key of some sort that's encrypted using part of the file name that's that's very odd so if we take a look into this decrypting function I can already see just some general set up now here's a couple functions that are very typical for a lot of dotnet ransomware we can already see what type of encryption it's using for this file it is written dáil which is aes and we're using a derived function to generate a key from a known password so the way this works is we have our shared secret here that that was that was part of the file name and we are deriving this typically I believe this uses internally the sha-1 if not shot 256 algorithm I can't quite remember that RFC uses but or 2898 but it's gonna hash it multiple times over this is used as an anti brute-force tactic it makes things a lot slower so each time that I have to try say if I was to attack this each time I try to guess this password I have to hash it I think the defaults like a thousand times so instead of you know guessing it in like two processor cycles it might take a couple hundred processor cycles so it greatly prevents anti it greatly pretty prevents the brute forcing unfortunately but we can take a look here so already here we're doing a from base64 strings for the cipher text so we can already tell that this key file is base64 and it's a string so it looks like we're going to decrypt that into a buffer here we derived our key here's how here's how you get the bytes take the key the key size of of this is probably going to be a a s 256 key which is 32 bytes I'm sorry 32 bits so then we're assigning the IV created decryptor so we're decrypting that string so okay so we have so basically right here we have AES and by default the ridge endale managed class will use AES in CBC mode with PC kcs seven padding so that's just good to know if you're going to like use a different language for decrypting this if you have to setup the libraries accordingly so I went back to our get public key so it basically it decrypts that key file loads it into memory and then wipes that key file so that it can't be recovered I'm guessing so we'll go back to here and we want to pay attention to this public key because this this definitely has piqued my interest because they're handling it in a very odd way it feels like feels like they're trying to protect it to be used for the it's probably used directly as a key for the files so if we take a little further look through here we have the very common pattern for ransomware with you know get get the drives go ahead and enumerate the drives it looks like this one checks to make sure the drive is not a make sure it is a fixed drive or at the network drive or removable so it's gonna it's gonna skip basically like a cd-rom hmm so this one actually checks if it's a ram drive or it's removable and disables USB write protect that's not something you see too often and actually while we're here in this delete file class we can see we can take a look at that wipe file if we wanted to see how they're deleting it which they're actually using a secure random generator to generate just garbage and that overwrites the file so that it makes it harder for say like data recovery software to possibly restore a previous version of it has been completely overwritten a couple times so let's go back and take a look where we were now this one kind of loads each file into an array most of the time ransomware will just go ahead and you know iterate over find the file and then add it to you know start encrypting it immediately but this one takes a little bit of a different approach and it actually loads all these files into an array which then if we keep going down here we can see it's start building a list of threads so it's gonna actually try to multi thread this which is not a bad idea if it wants to have better performance but you can run into race conditions with that so we'll see that this ransomware is going to use the extension dot encrypted which makes it a bit of a pain to identify from the outside there was a lot of ransomware especially this this sample is from 2016 there was a lot of ransomware in the last two years that use this extension it's very generic we'll see you down here it goes ahead and builds an encryption thread or this is a function actually it builds a parameterised thread and starts it with these parameters which would be the current file it's on will see current is the current file in the list that's the variable name and the public key this is that key that we were following from all the way up here that we were very interested in so it's actually gonna pass that key and that can already tell us that it's going to use the same key for every file which is something that's very important when you're analyzing a ransomware as telling whether the key there's a new key per file or if it's the same key for every file that can greatly change how secure it is so let's go ahead and rest of this just this this is just a way with join to wait for all the threads to finish let's go ahead and take a look at this encryption thread so this is where we're gonna actually encrypt a file that is given to us so the parameter comes in as an object we cast it into a string array and we call it this alright so if we remember from our parameters back here first parameter is the file name full path actually and second parameter is our encryption key now I hit back too many times now let's go to the so already here we have a function called encrypt file and it takes an input file which is just the file name takes an output file name which is adding the extension dot encrypted and it takes our descript tour which is actually our key so let's take a deeper look into this file now this looks pretty standard for most dotnet based ransomware kind of their code will look pretty similar so we're going to take the input file we're going to have an input stream down a file stream down here that's how we access the file and we open it up we're gonna have an output file and we're gonna create it blah blah all right so we're interested in following our decrypt door which is our key funny that they named it that way so let's see here so we get a Unicode encoding which is actually utf-16 and we use since this is incoming as a string we need to convert it to bytes in order to use it as a key for AES now what we'll see here is it takes a substring of that key that came in so that decrypted key that was dropped with the file we're only going to use 8 characters of it this already is making a lot of alarms in my head that this may not be secure so but it's going to depend on some other factors because it could still be rather hard to crack if it's 8 characters and it's you know especially if it's expecting it to be unicode it could be you know 255 characters possibly still not impossible but still could be a pain so we'll take a look down here once again we're using Ridge endale which is aes encryption and we're sorry for the scrollbars it's hard with the laptop resolution we're going to take bites is our encoded key once again just the first eight bytes and we're gonna use that as the key and the IV which is not very secure except for in the case of a ransomware it doesn't matter there are some attacks on AES with CBC if you're using the same key in IV but that's that's more of an advanced topic with padding Oracle's and doesn't apply to ransomware but I just thought I'd mention it so it's just going to very inefficiently encrypt this one bite at a time ooh ooh this ransomware is going to be very slow so already at this point we know that we have a ransomware that is dropped with other files at this point we can already assume that the malware is dropped either either by an exploit kit or more likely by RDP hacking or some type of a remote access being hacked in this case it was confirmed to be RDP with you know poor passwords connected to the internet so the malicious actors would drop you know copy the malware to the desktop with a key that they pre-prepared probably with another component of the malware that's not dropped with it and then they keep that key on there and and then of course as we saw it the malware deletes that key when it's loaded it so the question I had like I mentioned here this has 8 characters it's using for the key now it's going to depend on what those characters could possibly be that will influence how we attack this so what I would typically do then is go ahead and let's go ahead and launch the ransomware and see what it does and it asks for UAC admin privileges and sure no and we'll see actually this sample is broken for some reason I didn't take the time to figure out why but it will not run the matter what I do even if I deep bucket from here we'll see it's having some errors here that's because I renamed it but it doesn't even go to the the dotnet interpreter it seems so something's inherently wrong with this sample anymore but we can still kind of kind of play with it a bit since it's already in readable code we don't have to disassemble anything crazy we can actually just take this code and take a look at what it does by running it ourselves so I actually have a sample of one of those keys this was provided to me by a victim back in 2016 as a example so that I could see what type of key this looks like so as we confirmed we already knew it's a base64 string and once again it's a dot key it's got the underscore so going back to that code we can tell that it's actually gonna use this almost like an ID skipping the first two characters so skipping the six for we have the 8 1 a 9 9 0 4 B 3 5 is actually going to be our key to decrypt this key so since I don't feel like firing up visual studio and like compiling a whole project you can actually just use a website called dot fiddle or net fiddle I have the address correct oh no I do not dotnet I guess that would make sense so this is a cool website that just lets you compile and run dotnet code right on a website of course it's a little limited it's gonna be you know more console based but it's pretty nice for just prototyping stuff real quick so let's go ahead and go to our crypto class here and let's just copy our copier imports here so we don't get a bunch of compiler errors place that and go back to here and we only really care about this decrypt string function go ahead and import that we have missing context here because that's another function in that same class as we'll see down here blah blah blah blah just paste that code in here and let's write a little bit of code here to use it so we want to run decrypt that's it string AES or a yes string string a yes yes and our first parameter is going to be our cipher text second parameter is going to be the key let's go ahead and define those we're gonna have if you remember remember our key is just literally part of the file name so let's minimize all that and once again we're skipping the first two characters and using just that part of the file name and our cipher text is a string and that is going to be the contents here okay go ahead and run that and there's our key so this is actually the key to decrypt the files that were encrypted by this sample now if you take a look at this and of course it would be hard be bad to assume this without seeing more I did see more keys and in the time that I was working on this it's actually all hexadecimal characters so that only gives you 16 characters now once again we're only using the first eight characters of this four five six seven eight so that actually is very possible to break and break it we did back in 2016 I did write a decryptor that literally just tries every key with the letters A through F zero through nine and eight characters long and well actually also another thing that's important about the entropy here is that it's all lowercase so we don't have even have to worry about an uppercase so that drastically eliminates that drastically eliminates our possible key space so actually if we do a quick little bit of math if I math it correctly here you go to scientific mode so we have 16 possible letters and we take that to the power of 8 characters so we've only got about four point two billion passwords period so that's actually especially especially since the encryption algorithm is quite simple for the actual encrypting a file if we go look back at the encrypt file if you remember I mentioned in the decrypting function over here with the key that they used this RFC 2898 derived bytes as an anti brute force which this would using this salt would run that key through a sha level hashing function couple thousand times if we take a look back at the actual encryption for the file they don't do that so they just literally decrypt or they literally get decode that key get the first eight bytes of it and use that directly on the encrypter so since this is eight bytes this actually will default to AES 128 so I did at the time in 2014 right like I said I wrote a Decrypter that brute force that but back then I didn't quite understand block ciphers correctly so I was actually there's a couple flaws with my Decrypter and it took a couple hours to try to break a file which isn't terrible I still consider that as success you know if if you can break the encryption within a couple days that's flawed that's flawed encryption period but I did work with a researcher that goes by the pseudonym blood dolly and he wrote a much more effective Decrypter that could crack in a couple seconds goes to show just experience also he wrote his in C++ and which is of course a lot faster than dotnet doesn't have the overhead so that was just quite a little bit of an interesting story and just a way that we could see how you know just did any thing on how the key is is generated I mean if they if they used the full key this would be impossible to decrypt realistically because there's no you know the the malware is not generating that key I have no idea where this key was generated from it's not it could I mean it could be an algorithm you know write a pseudo-random generator but that's all uncontrolled by the malware author that's not something we have access to to try to re-create this you know recreate this this key other than just brute forcing and guessing every combination of eight length characters so once again this the sample will be linked in the description and I hope that was at least an entertaining sample to reverse so tune in next time for other types of samples I will you know take any request if you have any simple malware specifically ransomware that you'd like to reverse or any that you're curious on kind of their inner workings or how how they were maybe broken I any any requests for you know ransomware that either I've been involved with or I can figure out how it was broken I will only do if it's an older ransomware I don't want to reveal how current ones are broken of course if they're still active or possibly still in use so that will wrap it up for this video and thank you for watching
Info
Channel: Michael Gillespie
Views: 6,772
Rating: 5 out of 5
Keywords: ransomware, malware analysis, .net
Id: 7gCU31ScJgk
Channel Id: undefined
Length: 27min 46sec (1666 seconds)
Published: Sat Nov 17 2018
Related Videos
Analyzing Ransomware - Reversing a CryptoAPI Decrypter
Michael Gillespie
3.1K
One of the Greatest Speeches Ever | Steve Jobs
Motivation Ark
11M
How to Create a Keylogger that Sends Emails (C# 2021) | Simple Explanation + Demo
Josh Madakor - Cybersecurity and I.T. Career Advice
32K
Why was Facebook down for five hours?
Ben Eater
411K
Reversing .NET Applications with ILSpy - TryHackMe AoC2 Day 18
John Hammond
15K
C# Async / Await - Make your app more responsive and faster with asynchronous programming
IAmTimCorey
627K
Design Microservice Architectures the Right Way
InfoQ
544K
Malware Analysis: IcedID Banking Trojan JavaScript Dropper
AhmedS Kasmani
1.4K
DEF CON 27 - Alexandre Borges - NET Malware Threats Internals And Reversing
HackersOnBoard
149
NotPetya Ransomware explained
OmniNET
11K
A old man's advice
Bernard Albertson
9.2M
Learn JSON in 10 Minutes
Web Dev Simplified
1.4M
WannaCry 2.0 Ransomware
Colin Hardy
276K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.