Hello World, In this Article we will gonna look through a newly version of SectopRat Its written in Dotnet So It wasn't so hard. Thanks for @Arkbird and JAMESWT For Their Original Tweets. Quick Introduction: SectopRat is a RAT Tool was Firstly Discovered by MalwareHunterTeam in November 15,2019 It has capabilities like connecting to C2 Server, Profiling the System, Steal Browser History From Browsers like Chrome and Firefox, It Sends Stolen User Data in a Json File. In Depth Reversing: Sectop Weapozies WMI ( Windows Management Instrumentation ) in Order to Collect System Information. Here it Gets OS Name and Version: Sectop Has a Class named "GetSystemInfo" that Implements most of its System Profiling. It Collects: . OS Name and Version . Graphics Card Name and Vram Size . CPU Version and Number Of Cores ...
Get link
Facebook
X
Pinterest
Email
Other Apps
Deep Dive Into Ryuk Ransomware
Get link
Facebook
X
Pinterest
Email
Other Apps
Hello World, This Will Probably be My First Malware Report Where I will Reverse Ryuk Ransomware. So Before Getting into Technical Analysis and Reverse Engineering I will Provide Some Introduction to Ryuk. So let's First Discuss the CyberKillChain of Ryuk it goes typically like this:
1- An maldoc Contains a malicious macro that will execute PowerShell.
2- The PowerShell Command then Downloads Emotet Banking Trojan.
3- Emotet Then Downloads TrickBot
4- As A Typical Lateral Movement Activity TrickBot Downloads Ryuk
5- Ryuk Then Tries to Encrypt all the Network Hosts
However in new samples it uses BazarLoader and Cobalt Strike and it goes like this. Here I analyzed a sample not old its from 2020 but that's because I analyzed this sample before ryuk last attack occured.
Who Created It ?
So Attribution is Hard However From What I have Read Threat Intel Researches Suggest that it belongs to the Authors of HERMES which is a Ransomware first was detected in October 2017 was then arrtributed to an APT Group Called Lazarus Group.
In Depth Reversing:
I Used a Combination of Cutter, IDA and x64 dbg to reverse this malware so nvm xD
When Executing the Sample It Drops a Copy From its Self and Execute it using "8 lan" Command.
By Static Code Analysis it Concats ".exe" to the name of the dropped file and executes it using ShellExecute passing a param "8 lan" to it. this command is a hardware feauture called WoL (Wakeup On Lan) which allow a computer to turned on by a network message. it works on a lan network. the way its executed is by the program for our case its ryuk sends a message to all the devices on the same lan.
The Name of the Dropped Exe are Seven Random Charachters.
The Malware Injects Into 4 Process taskeng.exe, host.exe, dwm.exe, ctfmon.exe
As You Can See a Typo Found in the First Command The Author Missed 'e' in delete.
API Resolving:
Ryuk Uses GetProcAddress and LoadLibraryA to Resolve Its APIs
And By Using the Debugger:
Due to That I don't Know Emualtion or Scripting + Scylla Didin't Dump the process correctly I managed to rename them manually :) here is the result:
Privilege Escalation:
Ryuk Escalates Privilege by Modifying the Access Token
According to MSDN The LookupPrivilegeValue function retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name. It Takes 3 Parameters lpSystemName, lpName, lpLuid. What We Care About is the Second Here the Second Param is The Name of The Privilege Looked up In this Case its " "SeDebugPrivilege" this is used to inspect and Modify the memory of other process. This Will Be Used For Process Injection.
Persistence:
Ryuk Acheives Persistence by Adding the Path of the malware under /Run Key In the Registry Makes it Run Every Time the User logs In It uses this Command
Next it Writes injects its Self using WriteProcessMemory and Creates a Thread to run the injected code
Following with the debugger we can see the exectuable in the memory dump
Encryption:
Ryuk Uses AES-256 Encryption it utilizes the CryptoAPI by Microsoft. It Encrypts the Files using ".RYK" Extension. The AES Key is Encrypted using a Public RSA Key.
It uses a Marker "HERMES" to identify if the file is encrypted or not.
Ryuk Uses MultiThreaded Approach to Encrypt the files which means it makes a thread per file which makes it very fast. It loops Through the Files using FindFirstFileA and FindNextFileA. It Avoid Encrypting Some Files
Here is a List of Them:
[+] RyukReadMe.html
[+] UNIQUE_ID_DO_NOT_REMOVE
[+] boot
[+] PUBLIC
[+] PRIVATE
[+] \Windows\
[+] sysvol
[+] netlogon
[+] bin
[+] Boot
[+] dev
[+] etc
[+] lib
[+] initrd
[+] sbin
[+] sys
[+] vmlinux
[+] run
[+] var
[+] dll
[+] lnk
[+] hrmlog
[+] ini
[+] exe
Here it builds Strings on stack for folders to avoid encrypting its files or skipping it
[+] Ahnlab
[+] Chrome
[+] Mozilla
[+] Windows
[+] $Recycle.bin
Relation to HERMES:
There is two Assumptions One is that that Who Wrote Ryuk was the same who wrote HERMES or just that Ryuk Author was having HERMES Source code. The Encryption Logic is Same as HERMES. As We Saw Ryuk Uses AES-256 and Encrypts the KEY using RSA and that is the same in HERMES. Also Checking the Code the Author Didn't Change the marker of the encrypted files. This Marker is used to check if the file was encrypted or not. Also HERMES Uses the Same Batch Script used to delete the shadows copies. Even the files/folders that are skipped are the same.
Hello World, In this Article we will gonna look through a newly version of SectopRat Its written in Dotnet So It wasn't so hard. Thanks for @Arkbird and JAMESWT For Their Original Tweets. Quick Introduction: SectopRat is a RAT Tool was Firstly Discovered by MalwareHunterTeam in November 15,2019 It has capabilities like connecting to C2 Server, Profiling the System, Steal Browser History From Browsers like Chrome and Firefox, It Sends Stolen User Data in a Json File. In Depth Reversing: Sectop Weapozies WMI ( Windows Management Instrumentation ) in Order to Collect System Information. Here it Gets OS Name and Version: Sectop Has a Class named "GetSystemInfo" that Implements most of its System Profiling. It Collects: . OS Name and Version . Graphics Card Name and Vram Size . CPU Version and Number Of Cores ...
Quick Overview: HERMES is a Ransomware which spreads by spear-phising emails. It was first detected on October 2017. Its attributed to the Lazurus APT group it has high connections to Ryuk Ransomware and its believed that they are written by the same author. Among most Ransomwares, it's common that it encrypts the files using AES and Encrypts the AES Random Key using RSA , in the upcoming parts we will include some more insights into it. In Depth-Reversing: . HERMES Drops A Copy From its Self under Name "svchosta.exe" in the Temp Folder And it executes using this command Inhibit System Recovery: . Similarly like most ransomwares it deletes shadow copies to acheive this it drops a batch file similar to the Ryuk one , which strengthens it's similarity to Ryuk And it executes using this command Unpacking and API Resolving: HERMES allocates a section in memory for the unpacked PE file , this technique can be defined as Self Injection . This image explains it very wel...
Hello World, In this Blog post I will gonna Introduce to Analyzing Malware Pcaps using Wireshark by going through a challenge from ( CyberDefenders ). Challenge Link In This Challenge we are given 14 Questions we will go through each question and seeing how to solve it in details. Intro to Exploit Kits: Before we deep dive and solve this challenge its good to know what really exploit kits are and how do they work. Exploit Kits are Collection of Exploits mostly operates by searching for vulnerable browser-based applications like websites they exploits vulnerabilities in these websites and then deliver malwares and payloads. Questions that should be answered when Analyzing a Exploit Kit PCAP is What is the Infected Website as we said there should be a website that has been infected other questions may be like what is the ip address of the infected machine ?, what is the website that redirects to the exploit kit deliverer etc... This is My First Attempt to analyze an...
