LetsDefend.io SOC-145 Ransomware Detected Walkthrough

FarisArch
5 min read · Feb 10, 2022


You have probably heard the term "ransomware" in the news.

To put it simply, ransomware is a specific type of malware that prevents users from accessing their system or data. The most common variant we're seeing is an attacker encrypting documents and other files on the machine and demanding a ransom for the decryption key.

If the ransom is not paid, the data is lost or probably sold off on the Dark Web or somewhere equally shady. In any case, we should not pay the ransom to the operators.

Today we'll be reviewing a case that is allegedly ransomware activity in our domain.

Case Details

EventID: 92

Event Time: May 23, 2021, 7:32 p.m.

Rule: SOC145 — Ransomware Detected

Level: Security Analyst

Source Address: 172.16.17.88

Source Hostname: MarkPRD

File Name: ab.exe

File Hash: 0b486fe0503524cfe4726a4022fa6a68

File Size: 775.50 KB

Device Action: Allowed

Download: 0b486fe0503524cfe4726a4022fa6a68.zip

PLEASE DO NOT RUN ANY MALWARE IN YOUR HOST OR DEVICES YOU DO NOT OWN.

Analysis

  • First of all we should contain the host. Using the source address 172.16.17.88, we can contain it in Endpoint Management. It is a Windows 10 client and looks like it belongs to MarkGuna under the hostname MarkPRD.

Static Analysis

  • The first step is always gathering intelligence and background on the malware. Let's grab its MD5 hash using md5sum.
0b486fe0503524cfe4726a4022fa6a68  ab.bin
  • That will be the hash we search for in various malware scanners/analyzers such as VirusTotal. Use as many scanners as you want.
  • Another thing I like to do is look at the header of the file.
┌──(user㉿kali)-[~/ctf/soc]
└─$ head ab.bin
MZ����@�� �!�L�!This program cannot be run in DOS mode.
  • From here we can tell with certainty that this binary was compiled for Windows (the MZ header marks a PE executable) and is probably targeted at Windows users.
  • Now we can check the hash of the file in VirusTotal for more details; remember, hashes don't lie.
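The two checks above (hashing the sample and looking at its header) can be scripted so the triage record is reproducible and the MD5 is compared against the hash the alert reported. The following is an added example written for this walkthrough, not code from the original post or from LetsDefend; `build_fake_pe()` constructs a stand-in file with a DOS header and PE signature so the script runs offline, and the alert hash is the one from the case details (it will not match the constructed bytes, which is exactly what the `matches_alert_hash` field is for).

```python
import hashlib
import struct
import sys
from typing import Optional

# Offsets from the PE file format: e_lfanew lives at 0x3C in the DOS header and
# points at the 4-byte "PE\0\0" signature.
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\x00\x00"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the bytes: the values you would search on VirusTotal."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def classify_header(data: bytes) -> str:
    """'PE' for a Windows executable, 'MZ-only' if the DOS header is present but no
    PE signature follows, 'unknown' otherwise (ELF, script, document, ...)."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        return "PE"
    return "MZ-only"


def triage(data: bytes, expected_md5: Optional[str] = None) -> dict:
    """Static triage record: hashes, header class, DOS stub presence, and whether the
    MD5 matches the hash from the alert (so we know we analysed the right sample)."""
    hashes = file_hashes(data)
    return {
        **hashes,
        "header": classify_header(data),
        "dos_stub_present": DOS_STUB_TEXT in data[:0x200],
        "matches_alert_hash": expected_md5 is not None and hashes["md5"] == expected_md5.lower(),
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows binary (NOT the real ab.exe sample):
    a DOS header, the familiar stub text, and a PE signature at offset 0x80."""
    dos_header = b"MZ" + b"\x00" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", 0x80)
    dos_stub = (DOS_STUB_TEXT + b"\r\n$").ljust(0x40, b"\x00")
    return dos_header + dos_stub + PE_SIGNATURE + b"\x00" * 20


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:
        sample = build_fake_pe()
    # The expected hash is the one reported in the case details above.
    for key, value in triage(sample, expected_md5="0b486fe0503524cfe4726a4022fa6a68").items():
        print(f"{key:>20}: {value}")
```

Run it as `python triage.py ab.bin` against the downloaded sample inside an isolated analysis VM; without an argument it triages the constructed bytes. A `header` of `PE` plus the DOS stub string is what the `head ab.bin` output above shows by eye.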
59 out of 69 vendors!
  • Checking reports by the community, there was no sign of a C2 address being contacted or of a process that connects to a C2 address. Most ransomware instead leaves a .txt note with contact details or a bitcoin address to which the ransom should be sent.
Behavior tab in VirusTotal
  • We can see the list of processes run as the binary executes. Let's confirm that these processes were also run on our victim machine.
  • For this, let's visit Endpoint Management and access the MarkPRD workstation. Let's view its process list.
Those processes exist!
  • Now let's do some research on what these processes do. Quick googling should reveal the answers.

wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

vssadmin.exe

vssadmin Delete Shadows /All /Quiet
  • All three of these share one thing in common: they delete the shadow copies and backups of the client. Shadow copies, if you're not aware, are basically snapshots/backups of the system, and deleting them takes away the easy recovery path before the encryption starts.
  • Now we have a strong indication that this is genuine ransomware activity.
  • You could try to reverse engineer the binary, but that's another topic to learn about.
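The three commands above are a well-known ransomware precursor, so they are worth turning into a detection over process-creation telemetry rather than checking by hand. The following is an added example for this walkthrough, not code from the original post or from LetsDefend; the event format (pipe-separated timestamp, host, parent image, image, command line) and the five sample events are constructed, though the hostname and the three command lines mirror the case, and a benign `vssadmin list shadows` plus an unrelated backup-server event are included to show that the rules do not fire on them.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Each rule names the backup-tampering behaviour and matches the command line
# regardless of case, quoting, full path, or extra switches (/Quiet, /nointeractive).
BACKUP_TAMPER_RULES = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(?:\.exe)?\"?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(?:\.exe)?\"?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin delete backup", re.compile(r"wbadmin(?:\.exe)?\"?\s+delete\s+(?:systemstatebackup|catalog)", re.I)),
]

# Constructed process-creation events: timestamp|host|parent image|image|command line.
SAMPLE_EVENTS = [
    "2021-05-23T19:31:05Z|MarkPRD|explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2021-05-23T19:32:10Z|MarkPRD|ab.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic SHADOWCOPY DELETE /nointeractive",
    "2021-05-23T19:32:11Z|MarkPRD|ab.exe|C:\\Windows\\System32\\wbadmin.exe|wbadmin DELETE SYSTEMSTATEBACKUP",
    "2021-05-23T19:32:12Z|MarkPRD|ab.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin Delete Shadows /All /Quiet",
    "2021-05-23T19:33:00Z|FILESRV01|backupagent.exe|C:\\Windows\\System32\\wbadmin.exe|wbadmin get versions",
]

FIELDS = ("timestamp", "host", "parent", "image", "cmdline")


def parse_event(line: str) -> dict:
    """Split one pipe-separated event; the command line may itself contain pipes."""
    parts = line.split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed event: {line!r}")
    return dict(zip(FIELDS, parts))


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in BACKUP_TAMPER_RULES if rx.search(cmdline)]


def detect(lines) -> List[dict]:
    """One hit per (event, rule) pair, carrying the parent so the analyst sees who spawned it."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for rule in match_rules(event["cmdline"]):
            hits.append({**event, "rule": rule})
    return hits


def verdict(lines) -> Dict[str, str]:
    """Per host: 'high' when two or more distinct backup-deletion techniques fire
    (the pattern seen on MarkPRD), 'medium' for a single one. Clean hosts are omitted."""
    per_host = defaultdict(set)
    for hit in detect(lines):
        per_host[hit["host"]].add(hit["rule"])
    return {host: ("high" if len(rules) >= 2 else "medium") for host, rules in per_host.items()}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['timestamp']} {hit['host']} parent={hit['parent']} rule={hit['rule']}: {hit['cmdline']}")
    print(verdict(SAMPLE_EVENTS))
```

The per-host verdict is the useful part: a single `vssadmin delete shadows` can be an administrator cleaning up disk space, but all three techniques within seconds of each other, spawned by an unknown parent such as ab.exe, is the ransomware pattern this case shows.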

Dynamic Analysis

  • For dynamic analysis, we could spin up a VM matching the machine this malware was intended for. But that's too much work. We can use a site like any.run, which is an interactive malware sandbox.
  • We can upload the file or search for its hash; we'll just search for the hash this time.
That's a lot
  • Looks like others have already uploaded the sample to the site. Now we can just click on one of them and see how it affects the system.
  • Now let's run it!
Before running the binary
After running the binary.
  • Notice the changes? Documents and pictures are encrypted and renamed to random strings.
  • If we look at the network tab, there are no connections being made, so this confirms that the binary doesn't contact any C2 server.
  • Now let's take a look at the file list.
The files are encrypted with an unknown extension.
  • And there is the ransom note usually left by the operators.

C:\Users\Public\Pictures\Sample Pictures\TfeboZ_readme_.txt

  • Let's read what it has to say:

-------=== Your network has been infected! ===-------

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CABcdaBBCB

You are not able to decrypt it by yourself. But don’t worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.

If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

1. Download Tor browser — https://www.torproject.org/

2. Install Tor browser

3. Open link in Tor browser — avaddonbotrxmuyl.onion

4. Follow the instructions on this page

  • So we have indeed been hit by ransomware, and we are asked to pay a ransom. There is also an onion URL to the page of the possible threat actor:

avaddonbotrxmuyl.onion

  • We can include that as our IOCs.
  • Other than that we should be finished!
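Pulling the IOCs out of the note by hand works for one case; a small extractor makes it repeatable and also gives a way to check a directory listing for files carrying the extension the note announces. The following is an added example for this walkthrough, not code from the original post or from LetsDefend; `RANSOM_NOTE` holds only the lines of the note reproduced above, and `SAMPLE_LISTING` is a constructed directory listing (the readme path is from the sandbox run, the other file names are made up).

```python
import re
from typing import Dict, List

# Lines from the ransom note reproduced in the walkthrough; the .onion addresses
# and the extension are the case's own IOCs.
RANSOM_NOTE = """\
All your documents, photos, databases and other important files have been encrypted and have the extension: .CABcdaBBCB
If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
1. Download Tor browser - https://www.torproject.org/
3. Open link in Tor browser - avaddonbotrxmuyl.onion
"""

# v2 onion names are 16 base32 characters, v3 names are 56; both end in .onion.
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b|\b[a-z2-7]{16}\.onion\b")
# The extension is announced as "extension: .XXXX"; stop at whitespace.
EXTENSION_RE = re.compile(r"extension:\s*(\.[A-Za-z0-9_]+)")


def extract_iocs(note: str) -> Dict[str, object]:
    """Sorted unique .onion domains and the encrypted-file extension (None if absent)."""
    onions = sorted(set(ONION_RE.findall(note)))
    match = EXTENSION_RE.search(note)
    return {"onion_domains": onions, "encrypted_extension": match.group(1) if match else None}


def find_encrypted_files(paths: List[str], extension: str) -> List[str]:
    """Paths ending with the announced extension. The comparison is case-sensitive
    so a legitimate '.cab' archive is not confused with '.CABcdaBBCB'."""
    return [p for p in paths if p.endswith(extension)]


# Constructed directory listing used to exercise the matcher.
SAMPLE_LISTING = [
    r"C:\Users\Public\Pictures\Sample Pictures\TfeboZ_readme_.txt",
    r"C:\Users\Public\Pictures\Sample Pictures\Xk3pq9aL.CABcdaBBCB",
    r"C:\Users\Public\Documents\m7VbR2zQ.CABcdaBBCB",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Temp\setup.cab",
]


if __name__ == "__main__":
    iocs = extract_iocs(RANSOM_NOTE)
    print("onion domains:", ", ".join(iocs["onion_domains"]))
    print("encrypted extension:", iocs["encrypted_extension"])
    if iocs["encrypted_extension"]:
        for path in find_encrypted_files(SAMPLE_LISTING, iocs["encrypted_extension"]):
            print("encrypted:", path)
```

Both .onion addresses from the note come out of the extractor (the second one, quoted in the "Your network has been infected" line, is easy to miss when reading by eye), and the extension match lets the same extension be searched across file shares when scoping how far the encryption spread.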

Conclusion

  • From all the intel and IOCs we gathered, we can be certain that this is indeed a ransomware attack. Most ransomware operators don't run a C2 channel to the victim, so it's expected that there isn't any C2 traffic. But we still have a URL to their page, which might be a hint for law enforcement. Our job is done and we should submit a true positive report.


Written by FarisArch

Cat lover that can blue team.
