Transcript
Page 1: Flowchart - Building next gen malware behavioural analysis environment

Extract Archive
Unpack file with UPX
Load TempKey in memory: "c9e0b830ff18645849b8dbab57e477b5"
CPU Check: if (cores < 3) { Exit; }
Check resources: if (!fileExists(base*.dat)) { exit; }
Check Windows Version: if (!WinVistaOrGreater) { exit; }
Final Key: Key = TempKey XOR 0x03
Decoy: Base8.tmp = Base8.dat XOR Key (XOR 0x08)
Real sample: Base16.tmp = Base16.dat XOR Key
Decoy: Base32.tmp = Base32.dat XOR Key (XOR 0x32)
Decoy: Base64.tmp = Base64.dat XOR Key (XOR 0x64)
Clean-up: remove(base*.tmp)
Run sample: cmd /c base16.tmp
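As an added example (not the sample's or the training material's own code), a Python decoder that follows the key derivation and XOR steps above so the base*.tmp outputs can be produced offline and the real sample told apart from the decoys. The flowchart leaves the byte-level details open, so the header comment states the assumptions used (ASCII TempKey repeated over the data, single-byte constants XORed into every key byte, per-file constants applying to the decoys only).

```python
# Added example, not the sample's own code: staged XOR unpacking as drawn in
# the flowchart. Assumptions the flowchart does not state: TempKey is used as
# its ASCII bytes and repeated over the data; each single-byte constant is
# XORed into every key byte; 0x08/0x32/0x64 beside the decoys tweak Key for
# that file, while the real sample (Base16) uses Key unchanged.

TEMP_KEY = b"c9e0b830ff18645849b8dbab57e477b5"   # TempKey from the flowchart
FINAL_KEY_MASK = 0x03                            # Key = TempKey XOR 0x03
STAGE_MASKS = {                                  # per-file tweak of Key (assumption)
    "base8.dat": 0x08,
    "base16.dat": 0x00,                          # real sample: Key as-is
    "base32.dat": 0x32,
    "base64.dat": 0x64,
}


def mask_key(key: bytes, mask: int) -> bytes:
    """XOR a single-byte constant into every byte of the key."""
    return bytes(b ^ mask for b in key)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call packs and unpacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def stage_key(name: str, temp_key: bytes = TEMP_KEY) -> bytes:
    """Key for one base*.dat file: (TempKey XOR 0x03) XOR the per-file mask."""
    return mask_key(mask_key(temp_key, FINAL_KEY_MASK), STAGE_MASKS[name])


def unpack_stage(name: str, blob: bytes, temp_key: bytes = TEMP_KEY) -> bytes:
    """Produce the base*.tmp content for one base*.dat blob."""
    return xor_repeating(blob, stage_key(name, temp_key))


def locate_real_sample(blobs: dict) -> dict:
    """Decode every stage; flag the outputs that start with a PE 'MZ' header."""
    return {name: unpack_stage(name, blob).startswith(b"MZ") for name, blob in blobs.items()}


# Constructed test data: a fake PE stub for the real sample, filler for the decoys.
REAL_PLAINTEXT = b"MZ\x90\x00constructed .NET stub, not a real binary"
CONSTRUCTED_BLOBS = {
    name: xor_repeating(REAL_PLAINTEXT if name == "base16.dat" else b"decoy filler " * 4, stage_key(name))
    for name in STAGE_MASKS
}

if __name__ == "__main__":
    for name, is_pe in locate_real_sample(CONSTRUCTED_BLOBS).items():
        print(f"{name}: {'real sample (MZ header)' if is_pe else 'decoy'}")
```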

Identify .NET binary
Decompile binary: RansomKiller: MainApp
Write Registry Key: RAND 15 char = HKLM\Software\SergSec\Key
CPU Check: if (cores < 5) { Exit; }
Checks for MAC of Netcard
Checks for debugger
Checks for malware analysis software
Detect HyperV
MainApp: Scan | Buy product | Update signatures | Settings
Scan: goes through files, doesn't do anything
Open Register Form
Open Register Form
Checks for internet by connecting to https://cyber-europe.net
Checks the key by sending a GET request to https://cyber-europe.net/evl/ransomkill/reg.php
if (reply == "260CA9DD8A4577FC00B7BD5810298076") { RegisterProduct; }
Enables all buttons of MainApp
Easter Egg: checks if public key of SergSec is installed in the CA Store
Downloads https://cyber-europe.net//evl/ransomkill/update.rk
Check if it's a Thursday
Decrypt update.rk to updt.exe using AES-128
Gets AES Key = serial number of SergSec public certificate
Executes updt.exe
Creates Task: binary to be run on 12th Oct 2016
Autoupdate: creates a Registry Key HKLM\Software\SergSec\AutoUpdate = 1
Autostart: creates a Registry Key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RansomKillerApp\base16.tmp
Auto schedule: creates a weekly Task in the Windows Task Scheduler named RK_Weekly
Sign in
Easter Egg: if (user == "demo") & (password == "demo") { AccessWebPanel; }

Page 2: Flowchart - Building next gen malware behavioural analysis environment

updt.exe
MainApp
Hides Window
Stalls Execution via Search
Stalls Execution via Math Calculation
Checks for debugger (Necromancy Check)
Deletes Old Logs
Anti-Forensics Checks
Username
Computer Name
Processes Running Check
Checks for debugger (Running Process)
Stalls Execution via Search2
Keylogger
ScreenGrabber
Sends data to: 10.210.1.12
Exfiltrator
Stores keystrokes in: rNdfgl34f.txt
Grabs Printscreen: test.jpg
500 keystrokes
Persistence
Deletes Logs
