LetsDefend.io SOC-145 Ransomware Detected Walkthrough

You probably have heard in the news the term, ransomware.

To put it simply simply, ransomware is specific type of malware that limits users from accessing their system. The most common one we’re seeing is basically the attacker encrypting every document or anything in particular and demanding a ransom.

If the ransom is not met, the data is lost or probably sold off in the Dark Web or somewhere shady. Though we should not pay ransom to the operators in any case.

Today we’ll be reviewing a case that is allegedly a ransomware activity in our domain.

Case Details

EventID: 92

Event Time: May 23, 2021, 7:32 p.m.

Rule: SOC145 — Ransomware Detected

Level: Security Analyst

Source Address :172.16.17.88

Source Hostname: MarkPRD

File Name ab.exe

File Hash 0b486fe0503524cfe4726a4022fa6a68

File Size 775.50 Kb

Device Action Allowed

Download :0b486fe0503524cfe4726a4022fa6a68.zip

PLEASE DO NOT RUN ANY MALWARE IN YOUR HOST OR DEVICES YOU DO NOT OWN.

Analysis

  • First of all we should contain the host, using the source address of 172.16.17.88, we can contain it in Endpoint Management.It is a Windows 10 client. Looks like it belongs to MarkGuna under the hostname MarkPRD.

Static Analysis

  • First step is always gathering intelligence and background of the malware. Let’s grab it’s md5 hash using md5sum.
0b486fe0503524cfe4726a4022fa6a68  ab.bin
  • That will be our hash that we are going to search around various malware scanners/analyzers such as VirusTotal. Use how many scanners you want.
  • Another thing I like to do is look at the header of the file.
┌──(user㉿kali)-[~/ctf/soc]
└─$ head ab.bin
MZ����@�� �!�L�!This program cannot be run in DOS mode.
  • From here we can tell that with certainty this binary was compiled in a Windows environment and probably targeted towards Windows users.
  • Now we can go around checking the hash of the file in VirusTotal for more details, remember hashes don’t lie.
59 out of 69 vendors!
  • Checking reports by the community, they were no sign of a C2 address being contacted or a process that connects to a C2 address. Most ransomware leaves a .txt file to be contacted or bitcoin address for the ransomware to be sent.
Behavior tab in VirusTotal
  • We can see the list of process being ran as the binary is being executed. Let’s confirm that these processes are also being ran in our victim machine.
  • For this, let’s visit the Endpoint Management and access MarkPRD workstation. Let’s view their process list.
Those process exists!
  • Now let’s do some research on what these process are doing. Quick googling should reveal the answers.

wmic.exe

wmic SHADOWCOPY DELETE /nointeractive

wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

vssadmin.exe

vssadmin Delete Shadows /All /Quiet
  • All these 3 share one thing in common, which is deleting shadow copies and backups of the client. Shadow copies if you’re not aware, are basically snapshots/backups of the system.
  • Now we have an idea that this might be a positive ransomware activity.
  • You could try to reverse engineer the binary, but that’s another topic to learn about.

Dynamic Analysis

  • For dynamic analysis, we could spin up a VM of the machine that this malware was intended for. But that’s too much work. We can use a site like any.run which is an interactive malware sandbox.
  • We can upload or search for the hash of our file, we’ll just search for the hash this time.
That’s a lot
  • Looks like other have already uploaded the sample to the site. Now we can just click on one of them and see how it affects the system.
  • Now let’s run!
Before running the binary
After running the binary.
  • Notice the changes? Document and pictures are encrypted into random strings file names.
  • If we look at the network tabs, they are no connection being made so this confirms that the binary doesn’t contact any C2 server.
  • Now let’s take a look at the files lists.
The files are encrypted with an unknown extension.
  • And there is the ransom note left usually by the operators.

C:\Users\Public\Pictures\Sample Pictures\TfeboZ_readme_.txt

  • Lets read what it has to say :

— — — -=== Your network has been infected! === — — — -

***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

All your documents, photos, databases and other important files have been encrypted and have the extension: .CABcdaBBCB

You are not able to decrypt it by yourself. But don’t worry, we can help you to restore all your files!

The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!

We have also downloaded a lot of private data from your network.

If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.

You can get more information on our page, which is located in a Tor hidden network.

1. Download Tor browser — https://www.torproject.org/

2. Install Tor browser

3. Open link in Tor browser — avaddonbotrxmuyl.onion

4. Follow the instructions on this page

  • So we have been indeed hit by ransomware, and we are asked to pay ransom. There is also a onion URL to the possible threat actor

avaddonbotrxmuyl.onion

  • We can include that as our IOCs.
  • Other than that we should be finished!

Conclusion

  • From all the Intel and IOCs we gathered, we should be certain that this indeed is a ransomware attack. Most ransomware operators don’t operate a C2 server with the victim so it’s expected that there isn’t any C2 ransomware. But we still have a URL to the page so that might be a hint for the law enforcers. Our job should be done and we should submit a true positive report.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
FarisArch

FarisArch

Student that loves FOSS and hacking