2025-02-23 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
This article gives a detailed sample analysis of the new Anatova ransomware. The editor considers it very practical and shares it here for reference; I hope you get something out of it.
A new ransomware family, Anatova, was recently discovered. Anatova was found on a private peer-to-peer (P2P) network; we have ensured that our customers are effectively protected, and we publish our research findings in this article.
Because Anatova is built to be extended with modules, we expect it to evolve into a very serious threat.
It also checks whether the target device has network shares mapped and encrypts all files on them. Judging by our analysis, the developers behind Anatova are highly skilled: every sample we captured has a unique key and a different set of features, which is rare among ransomware.
Sample hash analyzed (SHA-256):
170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0
Anatova's main purpose is to encrypt all files on the target device and extort a ransom from the user for their return.
Overview of Anatova
Anatova usually carries the icon of a game or a common application to trick users into running it, and then requests administrator privileges.
Anatova is a 64-bit application compiled on January 1, 2019. Our sample is 307 KB, but the size varies with the resources embedded in each sample; with all resources removed, Anatova is only 32 KB, which is very small for ransomware with this many capabilities.
Anatova also has strong protection against static analysis:
1. Most strings are encrypted (both Unicode and ASCII), each with a different decryption key, and all of them are embedded in the executable.
2. About 90% of API calls are resolved dynamically; apart from what the C runtime itself needs, the only Windows API functions present in the import table are GetModuleHandleW, LoadLibraryW, GetProcAddress, ExitProcess and MessageBoxA.
3. When we open the code in IDA Pro and analyze the functions, IDA Pro repeatedly reports an error. We are not sure whether this is an IDA Pro bug or something the malware developer did intentionally.
V1.0 highlights
Because this is a new family, we classify this version as v1.0 for the time being.
The malware first obtains a handle to "kernel32.dll" with GetModuleHandleW and uses GetProcAddress to resolve 29 functions from it.
If it cannot obtain the kernel32 module handle or any of those functions, it exits.
Next, the malware tries to create a mutex with a hard-coded name (6a8c9937zFIwHPZ309UZMZYVnwScPB2pR2MEx5SY7B1xgbruoO in this sample; the name varies from sample to sample). After creating it and obtaining its handle, it calls GetLastError and checks whether the last error is ERROR_ALREADY_EXISTS or ERROR_ACCESS_DENIED. Both mean that a mutex of that name already exists, i.e. another instance is already running; in that case the malware runs its memory cleanup routine, which we describe in more detail later.
After passing this check, Anatova uses the same mechanism to resolve functions from the "advapi32.dll", "Crypt32.dll" and "Shell32.dll" libraries. Every name is stored encrypted; each one is decrypted, used to look up the function, and then freed from memory before the next one is processed.
If a required module or function cannot be obtained, it runs the cleanup routine and exits.
Interestingly, Anatova also retrieves the name of the logged-in / active user and compares it against an encrypted list of user names:
LaVirulera, tester, Tester, analyst, Analyst, lab, Lab, Malware, Malware
This is clearly a way to avoid running inside analysts' virtual machines and sandboxes.
Next, Anatova checks the language of the target system (the regional language setting, not the current keyboard layout), so that a user cannot avoid file encryption simply by switching to one of the excluded languages.
The following countries are not affected by Anatova:
All CIS countries, Syria, Egypt, Morocco, Iraq, India
Excluding the CIS countries is common and suggests the attackers probably come from one of them; it is unusual, though, that so many other countries are excluded as well.
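To see exactly which sandbox settings make the sample bail out, here is an added example in Python; it is not Anatova's own code but reproduces the two environment checks described above. The user-name list is the one decrypted from the sample. The article names only the excluded regions, not the language identifiers the sample compares against, so the LANGID table and the use of GetUserDefaultUILanguage to read the system language are assumptions built from the documented Windows constants.

```python
# Added example, not the sample's code: the username blacklist and the
# system-language exclusion described in the article, as an analyst would
# re-implement them to tune a sandbox. Assumed: the exact LANGIDs and the
# GetUserDefaultUILanguage call; the article states neither.
import getpass
import sys
from typing import Optional

# Decrypted list from the sample, split into its nine entries. The comparison
# is case-sensitive: "lab" and "Lab" are listed, "LAB" is not.
BLACKLISTED_USERS = (
    "LaVirulera", "tester", "Tester", "analyst", "Analyst",
    "lab", "Lab", "Malware", "Malware",
)

# Assumed mapping of the excluded regions to Windows LANGIDs (CIS members,
# plus Syria, Egypt, Morocco, Iraq and India). Illustrative, not from the sample.
EXCLUDED_LANGIDS = {
    0x0419: "ru-RU", 0x0422: "uk-UA", 0x0423: "be-BY", 0x043F: "kk-KZ",
    0x0440: "ky-KG", 0x0443: "uz-Latn-UZ", 0x0428: "tg-Cyrl-TJ", 0x0442: "tk-TM",
    0x042B: "hy-AM", 0x042C: "az-Latn-AZ",
    0x2801: "ar-SY", 0x0C01: "ar-EG", 0x1801: "ar-MA", 0x0801: "ar-IQ",
    0x0439: "hi-IN",
}


def user_is_blacklisted(username: str) -> bool:
    """Exact, case-sensitive match, as the decrypted list implies."""
    return username in BLACKLISTED_USERS


def language_is_excluded(langid: int) -> bool:
    """True when the full LANGID (primary + sublanguage) is on the exclusion list."""
    return langid in EXCLUDED_LANGIDS


def abort_reason(username: str, langid: int) -> Optional[str]:
    """Return which check would stop the sample, or None if it would proceed."""
    if user_is_blacklisted(username):
        return "username"
    if language_is_excluded(langid):
        return "language"
    return None


def current_langid() -> int:
    """System UI language on Windows (assumed API); en-US elsewhere so the
    function is usable on a Linux analysis box."""
    if sys.platform == "win32":
        import ctypes
        return ctypes.windll.kernel32.GetUserDefaultUILanguage()
    return 0x0409


def check_this_host() -> Optional[str]:
    return abort_reason(getpass.getuser(), current_langid())


if __name__ == "__main__":
    print(check_this_host() or "sample would proceed on this host")
```

The practical consequence for detonation: a sandbox whose analysis user is literally "analyst" or "lab" never reaches the encryption stage, while "Analyst2" or "LAB" does; likewise a Russian UI locale stops the sample even on an otherwise attractive host.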
After the language check, Anatova looks for a flag (its value is 0 in all the samples we have seen); if it were 1, the malware would load two DLLs, "extra1.dll" and "extra2.dll". This again shows that Anatova is built modularly and will likely gain more functionality in the future.
Next, Anatova uses the Crypto API to generate an RSA key pair. With CryptGenRandom it then creates a random 32-byte key and an 8-byte value, the key and nonce sizes of the Salsa20 algorithm it uses to encrypt files. During file encryption it also decodes the master RSA public key embedded in the sample.
Part of the code implementing the file-encryption routine (figure not reproduced here):
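To make the per-file scheme concrete, here is an added example in Python that is not the sample's code: a from-scratch Salsa20/20 (the cipher named above), driven by a fresh 32-byte key and 8-byte nonce for every file, drawn from the OS CSPRNG (os.urandom stands in for CryptGenRandom). It shows why a victim needs the per-file key, and hence the RSA-wrapped copy of it, to get anything back. The RSA wrapping step itself is not implemented here; the file-layout and function names are my assumptions.

```python
# Added example, not Anatova's code: Salsa20/20 stream cipher plus the
# per-file key/nonce generation the article describes. Assumed: os.urandom as
# the CSPRNG (the sample uses CryptGenRandom) and the function names below.
import os
import struct

MASK = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"  # Salsa20 constant for 256-bit keys


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[b] ^= _rotl((s[a] + s[d]) & MASK, 7)
    s[c] ^= _rotl((s[b] + s[a]) & MASK, 9)
    s[d] ^= _rotl((s[c] + s[b]) & MASK, 13)
    s[a] ^= _rotl((s[d] + s[c]) & MASK, 18)


def salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte keystream block for (key, nonce, block counter)."""
    k = struct.unpack("<8I", key)
    c = struct.unpack("<4I", SIGMA)
    n = struct.unpack("<2I", nonce)
    ctr = (counter & MASK, (counter >> 32) & MASK)
    init = [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
            ctr[0], ctr[1], c[2], k[4], k[5], k[6], k[7], c[3]]
    s = list(init)
    for _ in range(10):  # 10 double rounds = Salsa20/20
        _quarter_round(s, 0, 4, 8, 12)    # column round
        _quarter_round(s, 5, 9, 13, 1)
        _quarter_round(s, 10, 14, 2, 6)
        _quarter_round(s, 15, 3, 7, 11)
        _quarter_round(s, 0, 1, 2, 3)     # row round
        _quarter_round(s, 5, 6, 7, 4)
        _quarter_round(s, 10, 11, 8, 9)
        _quarter_round(s, 15, 12, 13, 14)
    return struct.pack("<16I", *((s[i] + init[i]) & MASK for i in range(16)))


def salsa20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) under a 32-byte key and 8-byte nonce."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, off // 64)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def new_file_key() -> tuple:
    """Fresh per-file key material, as the article describes (CSPRNG assumed)."""
    return os.urandom(32), os.urandom(8)


def encrypt_file_bytes(plaintext: bytes) -> tuple:
    """Returns (key, nonce, ciphertext). In the real scheme only an RSA-wrapped
    copy of key||nonce would be kept next to the ciphertext."""
    key, nonce = new_file_key()
    return key, nonce, salsa20_xor(key, nonce, plaintext)


if __name__ == "__main__":
    key, nonce, ct = encrypt_file_bytes(b"quarterly-report.xlsx contents")
    assert salsa20_xor(key, nonce, ct) == b"quarterly-report.xlsx contents"
    print("per-file key:", key.hex(), "nonce:", nonce.hex())
```

Because the key and nonce are generated per file and then only stored wrapped under the attacker's RSA public key, recovering one file tells you nothing about the next; the only shortcut is catching the unwrapped key material in memory before the cleanup routine described later runs.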
Here is the ransom note that Anatova displays to the target user (figure not reproduced here):
After encrypting the files, Anatova also deletes the volume shadow copies on the target device. Like other ransomware, it does this with the vssadmin program (figure not reproduced here):
Once all steps are complete, the ransomware enters its code-cleaning phase, wiping its code from memory so that nobody can dump it to build a decryption tool.
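The shadow-copy deletion is the most reliably detectable step in the chain described above. The following is an added example in Python, not from the article or the sample, that runs a small detection over constructed process-creation records (Sysmon-style fields) and raises the severity when the parent process lives in a user-writable path. The article does not quote Anatova's exact command line, so the vssadmin and wmic forms matched here are the common ones and are assumptions.

```python
# Added example (not the sample's code): flag shadow-copy deletion in
# process-creation telemetry. Sample events are constructed; the command
# lines are typical forms and are assumed, not quoted from Anatova.
import re
from typing import Dict, List, Optional

SHADOW_DELETION_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

# A parent running from one of these locations is not a normal admin tool.
USER_WRITABLE = re.compile(r"\\(?:Users|Temp|ProgramData|AppData)\\", re.I)

# Constructed telemetry: a game-named dropper, its children, and one admin action.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "image": r"C:\Users\victim\Downloads\game.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "game.exe"},
    {"pid": 4188, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Users\victim\Downloads\game.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 5002, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 5100, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Users\victim\Downloads\game.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 5200, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]


def classify(event: Dict) -> Optional[Dict]:
    """Return an alert for a shadow-copy tampering command, else None."""
    for rule_name, pattern in SHADOW_DELETION_RULES:
        if pattern.search(event["cmdline"]):
            from_user_path = bool(USER_WRITABLE.search(event["parent_image"]))
            return {
                "rule": rule_name,
                "pid": event["pid"],
                "parent": event["parent_image"],
                # An admin at a console is "medium"; a child of a binary in
                # Downloads/AppData is the ransomware pattern, so "high".
                "severity": "high" if from_user_path else "medium",
            }
    return None


def detect(events: List[Dict]) -> List[Dict]:
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note that "vssadmin list shadows" is deliberately not matched; alerting on every vssadmin invocation buries the signal under backup-agent noise, whereas delete/resize from a parent in a user-writable directory is rarely legitimate.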
Indicators of compromise (IoCs)
The sample uses the following attack techniques:
1. Execution through API
2. Application process discovery
3. File and directory discovery: searches for files to encrypt
4. Data encryption: encrypts the files it finds
5. Process discovery: enumerates all processes on the endpoint and terminates specific ones
6. File creation
7. Privilege escalation
Hashes (SHA-256):
2a0da563f5b88c4d630aefbcd212a35e366770ebfd096b69e5017a3e33577a94
9d844d5480eec1715b18e3f6472618aa61139db0bbe4937cd1afc0b818049891
596ebe227dcd03863e0a740b6c605924 (truncated in the source)
This concludes the article "Sample analysis of the new Anatova malware". I hope the content above is helpful to you; if you found it useful, please share it so that more people can read it.