Goal: Unpack Locky ransomware payload using WriteProcessMemory API buffer’s dump.
Source: @tmmalanalyst
Tool: ollyDbg, CFF Explorer
Background:
Locky ransomware utilizes a loader/patcher algorithm patching and unloading the decoded payload in memory. Many other malware families use this same exact methodology.
Theory:
Locky ransomware patches itself using CreateProcessW API setting the creation flag to CREATE_SUSPENDED and writing itself into the buffer via WriteProcessMemory API. Next, the ransomware process won’t be executed immediately; it does not start until called ResumeThread. So, the ransomware has time to patch in memory.
I. CreateProcessW [ref. *]
- invoke CreateProcessW, NULL, “C:\Documents and Settings\Administrator\Desktop\osiris[.]exe”, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, 0010D8CC, 0010E354
000FBE30 00942791 /CALL to CreateProcessW from 0094278B
000FBE34 00000000 |ModuleFileName = NULL
000FBE38 0010D6C4 |CommandLine = “”C:\Documents and Settings\Administrator\Desktop\osiris[.]exe””
000FBE3C 00000000 |pProcessSecurity = NULL
000FBE40 00000000 |pThreadSecurity = NULL
000FBE44 00000000 |InheritHandles = FALSE
000FBE48 00000004 |CreationFlags = CREATE_SUSPENDED
000FBE4C 00000000 |pEnvironment = NULL
000FBE50 00000000 |CurrentDir = NULL
000FBE54 0010D8CC |pStartupInfo = 0010D8CC
000FBE58 0010E354 \pProcessInfo = 0010E354
II. WriteProcessMemory (ref. **)
- invoke WriteProcessMemory, 00000064, 0x300000, 009A0000, 190, NULL
000FBE44 009428BA /CALL to WriteProcessMemory from 009428B4
000FBE48 00000064 |hProcess = 00000064 (window)
000FBE4C 00300000 |Address = 0x300000
000FBE50 009A0000 |Buffer = 009A0000
000FBE54 00000190 |BytesToWrite = 190 (400.)
000FBE58 00000000 \pBytesWritten = NULL
III. ResumeThread (ref. ***)
- invoke ResumeThread, 00000068
000FBE54 00942E81 /CALL to ResumeThread from 00942E7E
000FBE58 00000068 \hThread = 00000068 (window)
IV. Then, click on “Backup” -> “Save data to file.”
Locky extension:
.osiris
POST requests:
- &length=..&failed=..&encrypted=
- &act=stats&path=
- &v=2..&x64=..&sp=..&os=…&serv=..&corp=..&lang=..&act=getkey&affid=..
- &act=gethtml&lang=
- ..&act=gettext&lang=..
Registry:
- Software\Microsoft\Windows\CurrentVersion\Run
Self-kill routine:
cmd.exe /C del /Q /F
Blacklist:
tmp;winnt;Application Data;AppData;Program Files (x86);Program Files;temp;thumbs.db;$Recycle.Bin;System Volume Information;Boot;Windows
Locky instructions:
/_HELP_instructions.html._HELP_instructions.bmp.._HELP_instructions.txt.._Locky_recover_instructions.bmp._Locky_recover_instructions.txt
Delete shadow copy:
vssadmin.exe Delete Shadows /Quiet /All
Targeted extensions:
yuv…ycbcra..xis…x3f…x11…wpd…tex…sxg…stx…st8…st5…srw…srf…sr2…sqlitedb..sqlite3…sqlite..sdf…sda…sd0…s3db..rwz…rwl…rdb…rat…raf…qby…qbx…qbw…qbr…qba…py..psafe3..plc…plus_muhd…pdd…p7c…p7b…oth…orf…odm…odf…nyf…nxl…nx2…nwb…ns4…ns3…ns2…nrw…nop…nk2…nef…ndd…myd…mrw…moneywell…mny…mmw…mfw…mef…mdc…lua…kpdx..kdc…kdbx..kc2…jpe…incpas..iiq…ibz…ibank…hbk…gry…grey..gray..fhd…fh..ffd…exf…erf…erbsql..eml…dxg…drf…dng…dgc…des…der…ddrw..ddoc..dcs…dc2…db_journal..csl…csh…crw…craw..cib…ce2…ce1…cdrw..cdr6..cdr5..cdr4..cdr3..bpw…bgt…bdb…bay…bank..backupdb..backup..back..awg…apj…ait…agdl..ads…adb…acr…ach…accdt…accdr…accde…ab4…3pr…3fr…vmxf..vmsd..vhdx..vhd…vbox..stm…st7…rvt…qcow..qed…pif…pdb…pab…ost…ogg…nvram…ndf…m4p…m2ts..log…hpp…hdd…groups..flvv..edb…dit…dat…cmt…bin…aiff..xlk…wad…tlg…st6…st4…say…sas7bdat..qbm…qbb…ptx…pfx…pef…pat…oil…odc…nsh…nsg…nsf…nsd…nd..mos…indd..iif…fpx…fff…fdb…dtd…design..ddd…dcr…dac…cr2…cdx…cdf…blend…bkp…al..adp…act…xlr…xlam..xla…wps…tga…rw2…r3d…pspimage..ps..pct…pcd…m4v…m…fxg…flac..eps…dxb…drw…dot…db3…cpi…cls…cdr…arw…ai..aac…thm…srt…save..safe..rm..pwm…pages…obj…mlb…md..mbx…lit…laccdb..kwm…idx…html..flf…dxf…dwg…dds…csv…css…config..cfg…cer…asx…aspx..aoi…accdb…7zip..1cd…xls…wab…rtf…prf…ppt…oab…msg…mapimail..jnt…doc…dbx…contact…n64…m4a…m4u…m3u…mid…wma…flv…3g2…mkv…3gp…mp4…mov…avi…asf…mpeg..vob…mpg…wmv…fla…swf…wav…mp3…qcow2…vdi…vmdk..vmx…wallet..upk…sav…re4…ltx…litesql…litemod…lbf…iwi…forge…das…d3dbsp..bsa…bik…asset…apk…gpg…aes…ARC…PAQ…tar.bz2…tbk…bak…tar…tgz…gz..7z..rar…zip…djv…djvu..svg…bmp…png…gif…raw…cgm…jpeg..jpg…tif…tiff..NEF…psd…cmd…bat…sh..class…jar…java..rb..asp…cs..brd…sch…dch…dip…pl..vbs…vb..js..h…asm…pas…cpp…c…php…ldf…mdf…ibd…MYI…MYD…frm…odb…dbf…db..mdb…sql…SQLITEDB..SQLITE3…011…010…009…008…007…006…005…004…003…002…001…pst…onetoc2…asc…lay6..lay…ms11(Securitycopy)..ms11..sldm..sldx..ppsm..ppsx..ppam..docb..mml…sxm…otg…odg…uop…potx..pom..pptx..pptm..std…sxd…pot…pps…sti…sxi…otp…odp…wb2…123…wks…wk1…xltx..xltm..xlsx..xlsm..xlsb..slk…xlw…xlt…xlm…xlc…dif…stc…sxc…ots…ods…hwp…602…dotm..dotx..docm..docx..DOT…3dm…max…3ds…xml…txt…CSV…uot…RTF…pdf…XLS…PPT…stw…sxw…ott…odt…DOC…pem…p12…csr…crt…key..wallet.dat..
Reference:
* BOOL CreateProcess(
LPCTSTR lpApplicationName, // pointer to name of executable module
LPTSTR lpCommandLine, // pointer to command line string
LPSECURITY_ATTRIBUTES lpProcessAttributes, // pointer to process security attributes
LPSECURITY_ATTRIBUTES lpThreadAttributes, // pointer to thread security attributes
BOOL bInheritHandles, // handle inheritance flag
DWORD dwCreationFlags, // creation flags
LPVOID lpEnvironment, // pointer to new environment block
LPCTSTR lpCurrentDirectory, // pointer to current directory name
LPSTARTUPINFO lpStartupInfo, // pointer to STARTUPINFO
LPPROCESS_INFORMATION lpProcessInformation // pointer to PROCESS_INFORMATION );
** BOOL WriteProcessMemory(
HANDLE hProcess, // handle to process whose memory is written to
LPVOID lpBaseAddress, // address to start writing to
LPVOID lpBuffer, // pointer to buffer to write data to
DWORD nSize, // number of bytes to write
LPDWORD lpNumberOfBytesWritten // actual number of bytes written );
HANDLE hThread // handle to the thread to be restarted
);
Reverse Engineering, Malware Deep Insight 