Let’s Learn: How to Unpack Locky "Osiris" Ransomware

Goal: Unpack Locky ransomware payload using WriteProcessMemory API buffer’s dump.
Source@tmmalanalyst
Tool: ollyDbg, CFF Explorer

Background
Locky ransomware utilizes a loader/patcher algorithm patching and unloading the decoded payload in memory. Many other malware families use this same exact methodology. 

Theory: 
Locky ransomware patches itself using CreateProcessW API setting the creation flag to CREATE_SUSPENDED and writing itself into the buffer via WriteProcessMemory API. Next, the ransomware process won’t be executed immediately; it does not start until called ResumeThread. So, the ransomware has time to patch in memory.


The Locky payload decoding/patching API calls are as follows:

I. CreateProcessW [ref. *]

  • invoke CreateProcessW, NULL, “C:\Documents and Settings\Administrator\Desktop\osiris[.]exe”, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, 0010D8CC, 0010E354

000FBE30   00942791  /CALL to CreateProcessW from 0094278B
000FBE34   00000000  |ModuleFileName = NULL
000FBE38   0010D6C4  |CommandLine = “”C:\Documents and Settings\Administrator\Desktop\osiris[.]exe””
000FBE3C   00000000  |pProcessSecurity = NULL
000FBE40   00000000  |pThreadSecurity = NULL
000FBE44   00000000  |InheritHandles = FALSE
000FBE48   00000004  |CreationFlags = CREATE_SUSPENDED
000FBE4C   00000000  |pEnvironment = NULL
000FBE50   00000000  |CurrentDir = NULL
000FBE54   0010D8CC  |pStartupInfo = 0010D8CC
000FBE58   0010E354  \pProcessInfo = 0010E354


II. WriteProcessMemory (ref. **)

  • invoke WriteProcessMemory, 00000064, 0x300000, 009A0000, 190, NULL

000FBE44   009428BA  /CALL to WriteProcessMemory from 009428B4
000FBE48   00000064  |hProcess = 00000064 (window)
000FBE4C   00300000  |Address = 0x300000
000FBE50   009A0000  |Buffer = 009A0000
000FBE54   00000190  |BytesToWrite = 190 (400.)
000FBE58   00000000  \pBytesWritten = NULL


III. ResumeThread (ref. ***)

  • invoke ResumeThread, 00000068

000FBE54   00942E81  /CALL to ResumeThread from 00942E7E
000FBE58   00000068  \hThread = 00000068 (window)


Practice:
I. Load Ollydbg and click “File” -> locky.exe
II. Click “Go to” -> “Expression” -> Type “WriteProcessMemory” and set up a breakpoint on it using F2.
III. Run the process using F9 and follow buffer to observe the unpacked Locky in the dump section.

IV.  Then, click on “Backup” -> “Save data to file.”

V. Verify the exported payload and IAT in CFF Explorer. Profit!

Locky extension

.osiris

POST requests:

  • &length=..&failed=..&encrypted=
  • &act=stats&path=
  • &v=2..&x64=..&sp=..&os=…&serv=..&corp=..&lang=..&act=getkey&affid=..
  • &act=gethtml&lang= 
  • ..&act=gettext&lang=..


Registry

  • Software\Microsoft\Windows\CurrentVersion\Run 


Self-kill routine: 

cmd.exe /C del /Q /F

Blacklist

tmp;winnt;Application Data;AppData;Program Files (x86);Program Files;temp;thumbs.db;$Recycle.Bin;System Volume Information;Boot;Windows

Locky instructions: 

/_HELP_instructions.html._HELP_instructions.bmp.._HELP_instructions.txt.._Locky_recover_instructions.bmp._Locky_recover_instructions.txt

Delete shadow copy:

vssadmin.exe Delete Shadows /Quiet /All  

Targeted extensions:

yuv…ycbcra..xis…x3f…x11…wpd…tex…sxg…stx…st8…st5…srw…srf…sr2…sqlitedb..sqlite3…sqlite..sdf…sda…sd0…s3db..rwz…rwl…rdb…rat…raf…qby…qbx…qbw…qbr…qba…py..psafe3..plc…plus_muhd…pdd…p7c…p7b…oth…orf…odm…odf…nyf…nxl…nx2…nwb…ns4…ns3…ns2…nrw…nop…nk2…nef…ndd…myd…mrw…moneywell…mny…mmw…mfw…mef…mdc…lua…kpdx..kdc…kdbx..kc2…jpe…incpas..iiq…ibz…ibank…hbk…gry…grey..gray..fhd…fh..ffd…exf…erf…erbsql..eml…dxg…drf…dng…dgc…des…der…ddrw..ddoc..dcs…dc2…db_journal..csl…csh…crw…craw..cib…ce2…ce1…cdrw..cdr6..cdr5..cdr4..cdr3..bpw…bgt…bdb…bay…bank..backupdb..backup..back..awg…apj…ait…agdl..ads…adb…acr…ach…accdt…accdr…accde…ab4…3pr…3fr…vmxf..vmsd..vhdx..vhd…vbox..stm…st7…rvt…qcow..qed…pif…pdb…pab…ost…ogg…nvram…ndf…m4p…m2ts..log…hpp…hdd…groups..flvv..edb…dit…dat…cmt…bin…aiff..xlk…wad…tlg…st6…st4…say…sas7bdat..qbm…qbb…ptx…pfx…pef…pat…oil…odc…nsh…nsg…nsf…nsd…nd..mos…indd..iif…fpx…fff…fdb…dtd…design..ddd…dcr…dac…cr2…cdx…cdf…blend…bkp…al..adp…act…xlr…xlam..xla…wps…tga…rw2…r3d…pspimage..ps..pct…pcd…m4v…m…fxg…flac..eps…dxb…drw…dot…db3…cpi…cls…cdr…arw…ai..aac…thm…srt…save..safe..rm..pwm…pages…obj…mlb…md..mbx…lit…laccdb..kwm…idx…html..flf…dxf…dwg…dds…csv…css…config..cfg…cer…asx…aspx..aoi…accdb…7zip..1cd…xls…wab…rtf…prf…ppt…oab…msg…mapimail..jnt…doc…dbx…contact…n64…m4a…m4u…m3u…mid…wma…flv…3g2…mkv…3gp…mp4…mov…avi…asf…mpeg..vob…mpg…wmv…fla…swf…wav…mp3…qcow2…vdi…vmdk..vmx…wallet..upk…sav…re4…ltx…litesql…litemod…lbf…iwi…forge…das…d3dbsp..bsa…bik…asset…apk…gpg…aes…ARC…PAQ…tar.bz2…tbk…bak…tar…tgz…gz..7z..rar…zip…djv…djvu..svg…bmp…png…gif…raw…cgm…jpeg..jpg…tif…tiff..NEF…psd…cmd…bat…sh..class…jar…java..rb..asp…cs..brd…sch…dch…dip…pl..vbs…vb..js..h…asm…pas…cpp…c…php…ldf…mdf…ibd…MYI…MYD…frm…odb…dbf…db..mdb…sql…SQLITEDB..SQLITE3…011…010…009…008…007…006…005…004…003…002…001…pst…onetoc2…asc…lay6..lay…ms11(Securitycopy)..ms11..sldm..sldx..ppsm..ppsx..ppam..docb..mml…sxm…otg…odg…uop…potx..pom..pptx..pptm..std…sxd…pot…pps…sti…sxi…otp…odp…wb2…123…wks…wk1…xltx..xltm..xlsx..xlsm..xlsb..slk…xlw…xlt…xlm…xlc…dif…stc…sxc…ots…ods…hwp…602…dotm..dotx..docm..docx..DOT…3dm…max…3ds…xml…txt…CSV…uot…RTF…pdf…XLS…PPT…stw…sxw…ott…odt…DOC…pem…p12…csr…crt…key..wallet.dat..


Reference:

BOOL CreateProcess(
                                   LPCTSTR lpApplicationName, // pointer to name of executable module
                                   LPTSTR lpCommandLine, // pointer to command line string
                                   LPSECURITY_ATTRIBUTES lpProcessAttributes, // pointer to process security attributes
                                   LPSECURITY_ATTRIBUTES lpThreadAttributes, // pointer to thread security attributes
                                   BOOL bInheritHandles, // handle inheritance flag
                                   DWORD dwCreationFlags, // creation flags
                                   LPVOID lpEnvironment, // pointer to new environment block
                                   LPCTSTR lpCurrentDirectory, // pointer to current directory name
                                   LPST
ARTUPINFO lpStartupInfo, // pointer to STARTUPINFO
                                   LPPROCESS_INFORMATION lpProcessInformation // pointer to PROCESS_INFORMATION );


** BOOL WriteProcessMemory(
                                               HANDLE hProcess, // handle to process whose memory is written to
                                               LPVOID lpBaseAddress, // address to start writing to
                                               LPVOID lpBuffer, // pointer to buffer to write data to
                                               DWORD nSize, // number of bytes to write
                                               LPDWORD lpNumberOfBytesWritten // actual number of bytes written );

*** BOOL ResumeThread(
  HANDLE hThread // handle to the thread to be restarted
);

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s