
Let’s Have an Honest Discussion About Ransomware
Part Two
We have discussed the indicators that are present in ransomware and how to look for some of them. However, even though there are similar traits in the bad behavior most people exhibit, sometimes an individual will have the propensity to surprise you. Occasionally you will find something that defies the rules. Such is the case with malware. I will always remind you, malware is written by a person, so it reflects who that person is and all their creativity and dysfunction. So what if the bad behavior does not exhibit the same type of traits that would be considered the norm? What do you do?
Behold:
MD5 FA550BE771A314484FA9E5A2046E4248
Or
Trojan-Banker.Win32.Jimmy.efu
Or
Pandora’s Angry Psychotic Box
Not all malware runs as a singular entity. When you purchase software, that software looks like a singular entity, but much like a person it has many interoperable parts. Hence one human, many parts. Software is like this and malware is software, ergo it is logical that good malware would have many operating parts. So, if you're going to hide something, what better way to do it than to confuse the hell out of the unsuspecting user? Combine ransomware with a trojan from multiple families and you have a perfect sphere of chaos.
Section One:
Sandbox
Topographical overview -

Part A:
Here is the binary launching in the sandbox. The name is not as important as what it does, though conceptually, if your systems are static across the board, one can set an alert for odd names. The malicious executable at this point launches from C:\Users\admin\AppData\Local\Temp\.
PID 2844
CMD “C:\Users\admin\AppData\Local\Temp\b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe”
Path C:\Users\admin\AppData\Local\Temp\b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe
Parent process —
User admin
Integrity Level MEDIUM
Exit code 0
Part B:
Here is where the oddities begin: our nasty entity starts working and we see it spawn
PID 3144
CMD “C:\Users\admin\AppData\Local\Temp\b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe” — Admin IsNotAutoStart IsNotTask
Path C:\Users\admin\AppData\Local\Temp\b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe
Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe
User admin
Integrity Level HIGH
Exit code 0
The integrity level has changed to HIGH and the parent is the file itself, which has spawned another copy of itself: two files of the same name, one spawned from the other, but with different process IDs and hashes. At this point it is unclear where the second file of the same name came from, most likely dropped, but we are getting there.
Part C:
Much like ransomware and other types of malware, the very functionality of the operating system is used to obtain the results the malware author wants. Here we have the parent process (our nasty and malicious entity) start a process called icacls.exe. This is a file that is part of the Windows operating system, located at c:\windows\system32.
What does this file do, you may ask? It is destructive in the wrong hands. It changes file and folder permissions by modifying Access Control Lists (ACLs). This means that someone or something is about to commit bedlam. Here is our patient zero that we can build an alert around.
PID 3944
CMD icacls “C:\Users\admin\AppData\Local\9507f5f7-15c8-493f-8b0b-11b93694371a” /deny *S-1-1-0:(OI)(CI)(DE,DC)
Path C:\Windows\system32\icacls.exe
Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe
User admin
Integrity Level MEDIUM
Exit code 0
Version:
Company Microsoft Corporation

An unknown binary in C:\Users\admin\AppData\Local is running an executable from the c:\windows\system32 directory. This should not be. Our patient zero is now identified.
Part D:
After opening a handle to icacls.exe, the malicious binary begins dropping objects. The dropped files are named “updatewin.exe”, “updatewin1.exe” and “updatewin2.exe”.
Notice that each object's parent is the malicious binary that was launched from our original. We now have psychotic children on the loose.
Psychotic Child #1 –
PID 1940
CMD “C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin.exe”
Path C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin.exe
Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe
User admin
Integrity Level HIGH
Version:
Company
Description
Version
No version information here; it basically looks like an application being dropped or rewritten by another process. This is something that a security operations person should be able to spot.
Psychotic Child #2 –
PID 3716
CMD “C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin1.exe”
Path C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin1.exe
Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe
User admin
Integrity Level HIGH
Exit code 0
Version:
Company
Description
Version
No version information to be found here either, but look at what PID 3716 does next:
PID 3172
CMD “C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin1.exe” — Admin
Path C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin1.exe
Parent process updatewin1.exe
User admin
Integrity Level HIGH
Exit code 0
Version:
Company
Description
Version
3716 is an application dropped or rewritten from another process; it then launches itself and we get 3172. Notice the way it launches itself: updatewin1.exe with the Admin argument. That is our user. Something very bad is about to happen, but follow me, because we need to see the full context of what is going on. That command is going to start another chain of events which is particularly devastating, but first we need to see what else is happening.
Our next oddity is updatewin2.exe. We now have three dropped files.
Psychotic Child #3 –
PID 3740
CMD “C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin2.exe”
Path C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin2.exe
Indicators No indicators
Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe
User admin
Integrity Level HIGH
Exit code 0
Version:
Company
Description
Version
Much like the other bad children, save for updatewin1.exe, all of them have no version information attached. They simply came from the parent.
Enter the odd psychotic child with communication issues –
Psychotic Child #4 that Likes to talk and say nasty things –
PID 3360
CMD “C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\5.exe”
Path C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\5.exe
Parent process b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe
User admin
Integrity Level HIGH
Exit code 0
Version:
Company
Description
Version
Much like the other children, this one was dropped or rewritten from another process. The parent process will always be listed in the event log. However, this odd thing has some interesting characteristics. This freak of nature likes to talk.
ipDst: 94.23.168.58
ipSrc: 192.168.200.165
portDst: 80
portSrc: 49555
process: C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\5.exe
time: 25349ms

“5.exe” is making a connection over port 80 to the IP address 94.23.168.58. This is a POST command, and something is being communicated. You have no time to reverse engineer, so the priority is making sure this does not spread further, but looking at the other end we find -

This is an nginx server running an older version of PHP specifically 5.4.16.
What we are presented with is our machine communicating with what is called a Command and Control server. The first network stream shows the POST, an initial client-to-server communication where the client sends a check-in request and the server responds with what looks like XOR-encoded data (XOR is a binary operation that stands for “exclusive or”; we will cover encoding in another article). Regardless of the encoding, this simply should not be, and network connections need to be monitored. The C&C server for this example sits in the Czech Republic as seen below:

This is characteristic of Azorult, which is a Trojan. It collects data on the computer and sends it to a command and control server; items sent usually include browser history, login credentials, cookies, and files and folders as specified by the server. Now, while this is going on, the other psychotic child “updatewin1.exe” is busy.
PID 3172
CMD “C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin1.exe” — Admin
Path C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin1.exe
Parent process updatewin1.exe
User admin
Integrity Level HIGH
Exit code 0
Version:
Company
Description
Version
The original updatewin1.exe was process ID 3716. It has now launched itself as process ID 3172 and summarily shut off Task Manager. We audit the registry, so we see this –
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
name: DisableTaskmgr
operation: write
typeValue: REG_DWORD
value: 1
time: 24078ms
The software writer obviously does not want you opening up Task Manager. There is also no reason for a user to run a process to disable Task Manager, so if alerts are not set up for this, the only fault lies with the security operator for being complacent and lazy.
So now that this is done and there is communication with the command and control server, updatewin1.exe is going to open up SEVERAL PowerShell sessions. At this point we are just riding this psychotic horse to its burning stable.
PID 2856
CMD powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process updatewin1.exe
User admin
Integrity Level HIGH
Exit code 0
Version:
Company Microsoft Corporation
Description Windows PowerShell
Which then gives us –
PID 2676
CMD powershell -NoProfile -ExecutionPolicy Bypass -Command “& {Start-Process PowerShell -ArgumentList ‘-NoProfile -ExecutionPolicy Bypass -File “”C:\Users\admin\AppData\Local\script.ps1"”’ -Verb RunAs}”
Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process updatewin1.exe
User admin
Integrity Level HIGH
Exit code 0
Version:
Company Microsoft Corporation
Description Windows PowerShell
Some PowerShell scripts are executed here and files are created in the user directory. We believe the user directory is critical to monitor, as it will (for the most part) always be ground zero for infections.
This PowerShell execution then gives us –
PID 3048
CMD “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -NoProfile -ExecutionPolicy Bypass -File “C:\Users\admin\AppData\Local\script.ps1
Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process powershell.exe
User admin
Integrity Level HIGH
Exit code 0
Version:
Company Microsoft Corporation
Description Windows PowerShell
Words are important, and it is imperative that when we analyze what this monstrosity is doing, we read. The logs tell us what is going on; it wants you to know. So with that being said, what is going on with that PowerShell command -NoProfile -ExecutionPolicy Bypass?
This starts a PowerShell session that is allowed to run scripts, with the lowered restrictions confined to just that running process. This is silent and sneaky.
To add insult to injury, “updatewin1.exe”, along with these PowerShell commands, ran another command to neutralize Windows Defender.
PID 4088
CMD “C:\Program Files\Windows Defender\mpcmdrun.exe” -removedefinitions -all
Path C:\Program Files\Windows Defender\mpcmdrun.exe
Parent process updatewin1.exe
User admin
Integrity Level HIGH
Exit code 2
Version:
Company Microsoft Corporation
Description Microsoft Malware Protection Command Line Utility
This is just plain nasty and unkind. The malware is resetting Defender's installed security intelligence to the original default set that came with the computer.
From here we see a batch file executed called delself.bat
PID 3368
CMD cmd /c “”C:\Users\admin\AppData\Local\Temp\delself.bat””
Path C:\Windows\system32\cmd.exe
Parent process updatewin1.exe
User admin
Integrity Level HIGH
Exit code 1
Version:
Company Microsoft Corporation
Description Windows Command Processor
This is how it removes traces of itself.
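As an added example (not code from the original post), here is how the alerts called for in Part C and in the Task Manager, PowerShell and Defender sections above can be expressed as behaviour rules over process and registry events. The event field names, the parent-path field and the sample records are assumptions constructed to mirror the log.

```python
import re
# Added example: behaviour rules over sandbox/EDR-style events (field names assumed).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

def non_system_parent(ev):
    # Parent image path outside the Windows/Program Files directories (assumed field).
    parent = ev.get("parent", "").lower()
    return parent != "" and not parent.startswith(SYSTEM_DIRS)

RULES = [
    # Part C: icacls /deny on a user-profile path, spawned by an unknown binary.
    ("icacls_deny_user_profile", lambda ev: ev["type"] == "process"
        and ev["image"].lower().endswith(r"\icacls.exe")
        and "/deny" in ev["cmd"].lower() and r"\appdata\local" in ev["cmd"].lower()
        and non_system_parent(ev)),
    # Task Manager disabled through the Policies\System key.
    ("taskmgr_disabled", lambda ev: ev["type"] == "registry"
        and ev["key"].lower().endswith(r"\policies\system")
        and ev["name"].lower() == "disabletaskmgr" and ev["value"] == 1),
    # PowerShell loosening or bypassing the execution policy from a non-system parent.
    ("powershell_policy_bypass", lambda ev: ev["type"] == "process"
        and ev["image"].lower().endswith(r"\powershell.exe")
        and re.search(r"set-executionpolicy|-executionpolicy\s+bypass", ev["cmd"], re.I)
        and non_system_parent(ev)),
    # Defender definitions removed with MpCmdRun.
    ("defender_definitions_removed", lambda ev: ev["type"] == "process"
        and ev["image"].lower().endswith(r"\mpcmdrun.exe")
        and "-removedefinitions" in ev["cmd"].lower()),
]

def evaluate(events):
    # (rule name, pid) for every event that trips a rule.
    return [(name, ev["pid"]) for ev in events for name, match in RULES if match(ev)]

# Constructed events mirroring the log above; parent paths are placeholders.
DROPPER = r"C:\Users\admin\AppData\Local\Temp\dropper.exe"
CHILD = r"C:\Users\admin\AppData\Local\a180f6b5-ecbe-485c-af75-cd27e4be07bf\updatewin1.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 3944, "image": r"C:\Windows\system32\icacls.exe", "parent": DROPPER,
     "cmd": r'icacls "C:\Users\admin\AppData\Local\9507f5f7-15c8-493f-8b0b-11b93694371a" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "registry", "pid": 3172, "name": "DisableTaskmgr", "value": 1,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"},
    {"type": "process", "pid": 2856, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": CHILD, "cmd": "powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned"},
    {"type": "process", "pid": 4088, "image": r"C:\Program Files\Windows Defender\mpcmdrun.exe",
     "parent": CHILD, "cmd": r'"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all'},
    # Benign: an administrator granting rights from an elevated cmd.exe should not fire.
    {"type": "process", "pid": 1500, "image": r"C:\Windows\system32\icacls.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": r"icacls C:\Data /grant Users:(OI)(CI)R"},
]
```

Running evaluate(SAMPLE_EVENTS) fires each of the four rules once, in log order, and stays silent on the benign icacls /grant.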
Below is part of the tree to give you an overall conceptual idea of what launched what:

Part E
With this malware we have borne witness to communications with a command and control server, PowerShell commands executing, Trojan-like activity, etc. By definition an exploit kit is a collection of tools to exploit security holes for the purpose of spreading malware. These kits come with pre-written code and target users for varied purposes. Some are written in an excellent manner, others are just horrible.
The short of it: it's not just one thing, it's everything bad put together. This article was about ransomware though, so where is it?
If you recall, in Part One we discussed the characteristics of ransomware. Besides the ability to show the user an annoying ransom message as well as enumerating the computer, one of the characteristics is the renaming of files. This is necessary when you're going to steal data and lock someone out.
The renaming occurs due to the activity of process ID 3144, or “b227c25af6e2fd5e63b36251df9ab1bd0edd32bd19ba82f10ee7dcfd7bc9f0aa.exe”:
created: NONE
device: DISK_FILE_SYSTEM
name: C:\Users\admin\Desktop\motiontocontinue.docx
newname: C:\Users\admin\Desktop\motiontocontinue.docx.pidon
object: FILE
operation: RENAME
status: 0x00000103
time: 61609ms
We see 23 different occurrences of this in the log because the machine had 23 documents in the Desktop folder. Even OneNote gets renamed:
created: NONE
device: DISK_FILE_SYSTEM
name: C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms
newname: C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.pidon
object: FILE
operation: RENAME
status: 0x00000103
time: 61703ms
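An added example, not from the original post, that turns the rename pattern above into a detection: group RENAME events by process and appended extension, and alert when many files gain the same new extension within a short window. The field names, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
# Added example: rename-burst detection over file-system events (fields assumed).

def rename_bursts(events, window_ms=5000, min_files=10):
    """Report (pid, appended extension) groups where at least min_files renames
    that appended the same extension occurred within window_ms of each other."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("operation") != "RENAME":
            continue
        old, new = ev["name"], ev["newname"]
        # Ransomware keeps the original name and tacks an extension onto it.
        if not (new.startswith(old) and len(new) > len(old)):
            continue
        groups[(ev["pid"], new[len(old):])].append((ev["time"], old))
    alerts = []
    for (pid, ext), hits in groups.items():
        hits.sort()
        start = 0
        # Sliding window over event times; the first window that fills raises one alert.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window_ms:
                start += 1
            if end - start + 1 >= min_files:
                alerts.append({"pid": pid, "extension": ext, "files": end - start + 1,
                               "first_ms": hits[start][0], "last_ms": hits[end][0]})
                break
    return alerts

# Constructed events mirroring the log above: 12 Desktop documents plus the
# OneNote search connector, all renamed by PID 3144 within about 100 ms.
SAMPLE_EVENTS = [
    {"pid": 3144, "operation": "RENAME", "time": 61609 + 8 * i,
     "name": rf"C:\Users\admin\Desktop\doc{i}.docx",
     "newname": rf"C:\Users\admin\Desktop\doc{i}.docx.pidon"} for i in range(12)
] + [
    {"pid": 3144, "operation": "RENAME", "time": 61703,
     "name": r"C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms",
     "newname": r"C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.pidon"},
    # Benign: a word processor swapping a temp file into place (not an appended extension).
    {"pid": 1200, "operation": "RENAME", "time": 61650,
     "name": r"C:\Users\admin\Desktop\~WRD0001.tmp",
     "newname": r"C:\Users\admin\Desktop\report.docx"},
]
```

Real ransomware will also rewrite file contents before the rename, so pair this with the write volume per process if your telemetry carries it.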
What we witnessed is a combination of multiple categories of malware wrapped up into one package, each piece of the puzzle achieving its own end result. That is what an exploit kit does: it takes multiple strains and goes to town, each strain exhibiting a characteristic of the malware family it finds its roots in. In the case of ransomware, the malicious binary renamed all the files, but to add insult to injury your machine is talking to another computer and data is being sent back. If the security operator is alerted to what occurred in Part C, then at that point the threat is neutralized. If not, it becomes forensics and you need to figure out who to blame to keep your job. These are behaviors, and we can stop malicious acts by alerting on these behaviors.
Below is the attack matrix, which shows how devastating an exploit kit is when it runs to completion. Remember, software has many parts –
