Flowchart - Building next gen malware behavioural analysis environment

  • Published on
    09-Feb-2017


Transcript

  • Extract Archive

    Unpack file with UPX

    Load TempKey in memory

    c9e0b830ff18645849b8dbab57e477b5

    CPU Check: if (cores < 3) { Exit; }

    Check resources: if (!fileExists(base*.dat)) { exit; }

    Check Windows Version: if (!WinVistaOrGreater) { exit; }

    Final Key

    Key = TempKey XOR 0x03

    Decoy: Base8.tmp = Base8.dat XOR Key

    XOR 0x08

    Real sample: Base16.tmp = Base16.dat XOR Key

    Decoy: Base32.tmp = Base32.dat XOR Key

    XOR 0x32

    Decoy: Base64.tmp = Base64.dat XOR Key

    XOR 0x64

    Clean-up: remove(base*.tmp)

    Run sample: cmd /c base16.tmp
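The stage-1 key derivation and XOR unpacking above, as an added example (editor's code, not from the original flowchart or the sample's author). It assumes that TempKey is the raw 16 bytes of the hex value shown, that "XOR 0x03" applies to every key byte, that "file XOR Key" is repeating-key XOR, and that the 0x08/0x32/0x64 branch labels are per-decoy key tweaks while Base16.dat uses the final key unchanged; the base*.dat contents are constructed stand-ins, not the real artefacts.

```python
TEMP_KEY_HEX = "c9e0b830ff18645849b8dbab57e477b5"  # TempKey value shown in the chart
# Assumption: the 0x08/0x32/0x64 branch labels are per-decoy key tweaks.
KEY_TWEAKS = {"base8.dat": 0x08, "base32.dat": 0x32, "base64.dat": 0x64}
REAL_STAGE = "base16.dat"  # "Real sample" in the chart; uses the final key unchanged


def derive_final_key(temp_key_hex: str = TEMP_KEY_HEX) -> bytes:
    """Final Key = TempKey XOR 0x03, taken byte-wise over the raw key (assumption)."""
    return bytes(b ^ 0x03 for b in bytes.fromhex(temp_key_hex))


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed meaning of 'file XOR Key'); symmetric, so it packs and unpacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def stage_key(final_key: bytes, filename: str) -> bytes:
    """Per-file key: decoys get their branch tweak, the real stage gets the final key."""
    tweak = KEY_TWEAKS.get(filename.lower(), 0x00)
    return bytes(b ^ tweak for b in final_key)


def unpack_stage1(files: dict, temp_key_hex: str = TEMP_KEY_HEX) -> dict:
    """Mirror the dropper: base*.dat -> base*.tmp, and flag which output is the real sample."""
    final_key = derive_final_key(temp_key_hex)
    result = {}
    for name, blob in files.items():
        plain = xor_repeating(blob, stage_key(final_key, name))
        result[name.lower().replace(".dat", ".tmp")] = {
            "data": plain,
            "is_real_sample": name.lower() == REAL_STAGE,
            "looks_like_pe": plain[:2] == b"MZ",  # cheap sanity check before 'cmd /c'
        }
    return result


# Constructed stand-ins for the four base*.dat files (not the real artefacts),
# packed with the same derivation so the unpacker can be exercised offline.
CONSTRUCTED_PLAIN = {
    "base8.dat": b"decoy payload 8",
    "base16.dat": b"MZ\x90\x00constructed real stage",
    "base32.dat": b"decoy payload 32",
    "base64.dat": b"decoy payload 64",
}


def build_constructed_sample_set() -> dict:
    key = derive_final_key()
    return {n: xor_repeating(p, stage_key(key, n)) for n, p in CONSTRUCTED_PLAIN.items()}
```

Calling `unpack_stage1(build_constructed_sample_set())` returns the four decoded stages with `base16.tmp` flagged as the real sample; since the dropper removes base*.tmp right after launching it, this decoded copy is what to retain for the stage-2 (.NET) analysis.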

    Identify .NET binary

    Decompile binary

    RansomKiller: MainApp

    Write Registry Key: RAND 15 char = HKLM\Software\SergSec\Key

    CPU Check: if (cores < 5) { Exit; }

    Checks for MAC of Netcard

    Checks for debugger

    Checks for malware analysis software

    Detect HyperV

    MainApp

    Scan / Buy product / Update signatures / Settings

    Goes through files, doesn't do anything

    Open Register Form

    Checks for internet by connecting to https://cyber-europe.net

    Checks the key by sending a GET request to https://cyber-europe.net/evl/ransomkill/reg.php

    If (reply == "260CA9DD8A4577FC00B7BD5810298076") { RegisterProduct; }

    Enables all buttons of MainApp

    Easter Egg: checks if public key of SergSec is installed in the CA Store

    Downloads https://cyber-europe.net//evl/ransomkill/update.rk

    Check if it's a Thursday

    Decrypt using AES-128 update.rk to updt.exe

    Gets AES Key = serial number of SergSec public certificate

    Executes updt.exe

    Creates Task: binary to be run on 12th Oct 2016

    Autoupdate: creates a Registry Key in HKLM\Software\SergSec\AutoUpdate = 1

    Autostart: creates a Registry Key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RansomKillerApp\base16.tmp

    Auto schedule: creates a weekly Task in the Windows Task Scheduler named RK_Weekly

    Sign in

    Easter Egg: if (user == demo) & (password == demo) { AccessWebPanel; }

  • updt.exe

    MainApp

    Hides Window

    Stalls Execution via Search

    Stalls Execution via Math Calculation

    Checks for debugger (Necromancy Check)

    Deletes Old Logs

    Anti-Forensics Checks

    Username

    Computer Name

    Processes Running Check: Checks for debugger (Running Process)

    Stalls Execution via Search2

    Keylogger

    ScreenGrabber

    Sends data to: 10.210.1.12

    Exfiltrator

    Stores keystrokes in: rNdfgl34f.txt

    Grabs Printscreen: test.jpg

    500 keystrokes

    Persistence

    Deletes Logs

    Diagram pages: Stage 1&2, Stage 3
