Analysis of Hacker Invasion ransomware
Today we received a new ransomware sample for analysis, named Hacker Invasion ransomware. It is also referred to as FTSCoder ransomware.
Variants of the Hacker Invasion ransomware family are delivered by the malware authors breaking into the target network; email campaigns are the other route the attackers use to deliver these variants.
Static Analysis:
MD5: B6E74930507305AC9B98A16230A5B02C
Figure 1 Compiled in .NET
Compiler Detect -> .NET
File Type: 32-Bit Exe (Subsystem: Win GUI / 2), Size: 53760 (0D200h) Byte(s). The file carries version information: the original file name is ‘NIBIRU1.exe’, and the product name and description are both ‘NIBIRU’. Searching for these names returned only generic results. We then began our static analysis to see what the malware code does.
The sample has a class called ‘anti’, which contains a function called ‘killall()’.
Figure 2 Class anti (killall function)
The snapshot above also shows the other classes besides ‘anti’: msnshare, skype, p2p, yahoo and usb. We will look into each of these in turn.
Figure 3 killall function
The killall function compares the names of running processes against a list of strings; if a process name contains one of them, it obtains the process ID using GetProcess() and kills that process. The strings the function looks for in the running processes are:
· Av – antivirus
· Hijackthis – a tool that inspects a computer's browser and operating system settings and writes a log file of the computer's current state.
· Outpost – personal firewall (component of Agnitum Outpost Firewall Pro by Agnitum).
· Npfmsg – NPFMessenger MFC application, part of the NPFMessenger software.
· Bdagent – file associated with Bitdefender antivirus.
· Kavsvc – file associated with Kaspersky antivirus.
· Egui – file associated with ESET antivirus.
· Zlclient – file associated with Zone Labs ZoneAlarm antivirus.
All of these processes belong to security products, so the malware kills them to stop those products from functioning.
Four forms are present in the class list. Their functionality relies on other classes such as injectx, skype, yahoo, p2p and msnshare, all of which we checked to understand what they do. Let us see what the injectx class contains:
The injectx class launches a batch script. It starts by looking for a batch file inside the system32 folder (refer to the following code).
The function checks for launch.bat; if the file exists it deletes that batch file, otherwise it creates the script in the same location. Refer to the following snapshot:
Figure 4 creation of launch batch script
The snapshot above shows the else branch, taken when launch.bat is not present; this function creates the launch batch script.
When we accessed that URL, the site returned a 404 error; it seems show.php and the modules directory have been removed. Apart from creating the batch file, this function creates another script called launch.vbs in the system32 location.
The code above creates the VBS, which in turn executes launch.bat. The final line starts ‘launch.vbs’ as a process.
The Install class comes next in the code. It copies an executable called svchost.exe to the local drive and sets the file's attributes to hidden.
Figure 5 Class Install (code)
This piece of code is interesting to look at. After creating the svchost file on the ‘C’ drive, the code downloads a file, with the file name and location given in the code. Refer to this code:
Next, an HTML file named sp.htm is created in the Windows folder.
This sp.htm file contains an iframe that points to install.link, the downloaded file stored in the startup path as ‘file.exe’. After the files are created and downloaded, persistence for svchost.exe is established through two registry keys.
These are the autostart entries (a Run registry entry and a Winlogon entry) that record the physical location of the file. Both artifacts can be used as IOCs.
Figure 6 Lan class
The Lan class collects details of the host machine such as host address, host name and workgroup. We moved on to the msnshare class, which creates a new file called ‘mypornpics.scr’ in the AppData location under the messenger folder. Refer to the following snapshots:
Figure 7 File location used by MSN class
Figure 8 Checking for the existence of the file called 'mypornpics'
Apart from the USB class, the other classes such as skype and yahoo do much the same as the MSN class. Let us focus on the functionality of the USB class:
The USB class retrieves the logical drives using Directory.GetLogicalDrives(). It performs a file copy, the copied file being ‘ntldr.exe’, and then creates an autorun.inf file, writing it line by line as in the following code:
This code is the actual content of autorun.inf, through which ntldr.exe is executed automatically; the hidden attribute is applied to both files (autorun.inf and ntldr.exe).
Interesting resource detail (string table)
Figure 9 Panic message
This panic message was found in the file's resources, specifically in the form3 resources. It is time to look into the code of all four forms (form1, form2, form3 and form4).
this.yourmutex = Environment.UserName + "MutexXx";
A mutex is created from the combination of the username and “MutexXx”. Only after this does InitializeComponent set up the listbox, and finally the form calls the following:
It then sleeps (Form1.Sleep(1500000L)) and finally starts the process ‘svchost.exe’ with Process.Start("C:\\svchost.exe").
We then started analysing the code of the form2 class and its functions. This contains the encryption routines, the targeted file types and the extension added to the encrypted files.
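As an added example (not code from the sample or from the original post), the following Python check looks for the artifacts described above in a host snapshot: the files dropped by the injectx and Install classes, the Run/Winlogon entries that point at the drive-root svchost.exe, the autorun.inf/ntldr.exe pair from the USB class, and the Form1 mutex. The snapshot layout, the registry value names and the autorun.inf text are assumptions, constructed for this example.

```python
# Added example (not the sample's or the post's code): checks a host snapshot for the
# artifacts the analysis attributes to this sample. Snapshot layout, registry value names
# and autorun.inf text are constructed stand-ins, not values taken from the sample.

import configparser

MUTEX_SUFFIX = "MutexXx"              # Form1: Environment.UserName + "MutexXx"
DROPPED_FILES = [                     # paths named in the injectx / Install code
    r"c:\svchost.exe",                # drive root, not the legitimate System32 copy
    r"c:\windows\system32\launch.bat",
    r"c:\windows\system32\launch.vbs",
    r"c:\windows\sp.htm",
]

def autorun_launches(inf_text, exe="ntldr.exe"):
    """True if autorun.inf (INI syntax) would start `exe` when the drive is opened."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inf_text)
    sect = next((cp[s] for s in cp.sections() if s.lower() == "autorun"), None)
    if sect is None:
        return False
    launch_keys = ("open", "shellexecute", "shell\\open\\command")
    return any(exe in sect.get(k, "").lower() for k in launch_keys)

def scan_host(snapshot, username):
    """Return (kind, detail) pairs for every described artifact present in snapshot."""
    hits = []
    files = {p.lower(): attrs for p, attrs in snapshot.get("files", {}).items()}
    for path in DROPPED_FILES:
        if path in files:
            hits.append(("file", path + (" (hidden)" if "hidden" in files[path] else "")))
    if username + MUTEX_SUFFIX in snapshot.get("mutexes", []):
        hits.append(("mutex", username + MUTEX_SUFFIX))
    for name, data in snapshot.get("registry", {}).items():  # Run / Winlogon entries
        if r"c:\svchost.exe" in data.lower():
            hits.append(("registry", name))
    for drive, contents in snapshot.get("removable", {}).items():
        names = {n.lower(): body for n, body in contents.items()}
        if "ntldr.exe" in names and autorun_launches(names.get("autorun.inf", "")):
            hits.append(("autorun", drive))
    return hits

SAMPLE_SNAPSHOT = {  # constructed host state, not a real capture
    "files": {r"C:\svchost.exe": {"hidden"}, r"C:\Windows\System32\launch.vbs": set(),
              r"C:\Windows\System32\svchost.exe": set()},   # legitimate, must not match
    "registry": {r"...\Run\<assumed value name>": r"C:\svchost.exe",
                 r"...\Winlogon\<assumed value name>": r"explorer.exe,C:\svchost.exe"},
    "mutexes": ["aliceMutexXx"],
    "removable": {"E:": {"autorun.inf": "[AutoRun]\nopen=ntldr.exe\n", "ntldr.exe": b""}},
}
```

Calling scan_host(SAMPLE_SNAPSHOT, "alice") on the constructed snapshot reports the hidden drive-root svchost.exe, launch.vbs, the mutex, both registry entries and the autorun pair on E:, while the legitimate System32 svchost.exe is not flagged.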