Ransomware Analysis Report
Sample Name | Ransomware.exe
Class | Cohort 34
Author | Mei Yuan
Time | 2019-10-25
Platform | VM Windows 7 32-bit
15PB Information Security Institute (protocol analysis)
1. Sample Overview
1.1 Application Information
Application Name : Radamant ransomware
Size : 85824 bytes
Modified : 2019-10-26 12:06:22
MD5 value : 9b7b16867eeab851d551bfa014166e1a
SHA1 value : be080d99a299a8708461efce76b524b82142fb28
Simple Features: installs itself under C:\Users\15pb-win7\AppData\Roaming, renames the copy to DirectX.exe and sets its file attribute to hidden, deletes the original file, modifies the registry startup (autorun) entry, sends a GET request to checkip.dyndns.org, then receives instructions from the server and executes them (update the virus, transmit host information, encrypt files on the computer, decrypt files on the computer)
1.2 Analysis of environment and tools
System environment: VM Windows 7 32-bit
Tools: PC-Hunter, OD (OllyDbg), IDA Pro, PEiD, Hash, Huorong Sword (HRSword)
1.3 Analysis of target
The virus can be updated remotely, remotely controls the host, and encrypts files
2. Specific analysis
2.1 Sample extraction
• Use the ARK tool (PC-Hunter) to view processes
• Use the ARK tool (PC-Hunter) to view startup items
• Use the ARK tool to view services
No suspicious items
• Use the ARK tool to view drivers
No suspicious items
• Use the ARK tool to view the kernel
• Use the ARK tool to view the network and miscellaneous items
Abnormal network connection behaviour discovered
• Use a packet capture tool (WSExplorer) to view traffic
No traffic observed
Extracting the sample:
Extract the file to a local path and change its extension to .vir
C:\Users\15pb-win7\AppData\Roaming\DirevtX.exe
C:\Users\15pb-win7\AppData\Roaming\DirevtX.vir
2.1.1 Behaviour Analysis
1. File operations
Many file operations can be seen; observe the specific behaviour first, going from the fewer operations to the more numerous ones
View the delete, create and rename file operations
A created file is found whose size matches the size of the sample file
2. Registry monitoring
Check the operations on registry keys and values
3. Process monitoring
A process is created
4. Network monitoring
No valuable content
2.2 Detailed analysis
1. Check for a packer with PEiD: no packer
The program first checks whether an infected file already exists
If an infected file exists, the program copies itself to C:\Users\15pb-win7\AppData\Roaming, renames the copy DirectX.exe, sets the file attribute to hidden, and deletes its own original file
Check whether DirectX.exe is present in the registry startup entries
Create a mutex, open cmd as administrator and run the script
Then check the registry startup items again to determine whether DirectX.exe already exists; if so, it is added to the registry startup items
Check whether the mutex exists, obtain a hash value, obtain the MD5 value, and decrypt the domain name
Connect to the server in a loop of three attempts; if the connection fails, retry; if it succeeds, receive data
Determine whether the registry entry exists; if not, send a POST request to the server; the server's domain name is written to the registry key, and the server finally controls the virus with this information
Create threads to perform the virus operations: send a POST request to the server, obtain the command, and on the computer perform file encryption, lock the screen and pop up a prompt; this function also determines whether to decrypt, and decrypts the files. If the server request fails, create a URL file on the desktop named YOUR_FILES.url to entice the user to click it
If the request fails, update the registry key and start the server request again, and likewise create the desktop file YOUR_FILES_url to try to deceive the user into clicking it
3. Summary
The Radamant ransomware is mainly divided into two parts
Part I: self-replication
Copies itself to C:\Users\15pb-win7\AppData\Roaming\DirevtX.exe, sets the file attribute to hidden and deletes the original file
Part II: infection
Adds a registry startup item, sends a request to the server, obtains operating commands, modifies a registry key and encrypts the system's files; if its own connection to the server fails, it creates YOUR_FILE.url to entice the user to click it and retry the connection to the server, in order to extort the user
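As an added illustration that is not part of the original report, the following Python script turns the indicators listed above (the DirectX.exe / DirevtX.exe drop under AppData\Roaming, the hidden attribute, the registry startup entry, the checkip.dyndns.org lookup and the YOUR_FILES.url lure on the desktop) into simple detection rules and runs them over constructed behaviour-monitor style event lines. The event format, the sample lines and the exact Run key path are assumptions made for the example; the report only says "registry startup item" and does not quote real tool output.

```python
import re

# Constructed sample of behaviour-monitor style events, one per line:
#   <operation>|<process>|<target>[|<extra>]
# These lines are made up to mirror the behaviour described in the report;
# they are not output captured from PC-Hunter, Huorong Sword or any other tool.
SAMPLE_EVENTS = """\
CreateFile|Ransomware.exe|C:\\Users\\15pb-win7\\AppData\\Roaming\\DirectX.exe
SetFileAttributes|Ransomware.exe|C:\\Users\\15pb-win7\\AppData\\Roaming\\DirectX.exe|HIDDEN
DeleteFile|cmd.exe|C:\\Users\\15pb-win7\\Desktop\\Ransomware.exe
RegSetValue|DirectX.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DirectX|C:\\Users\\15pb-win7\\AppData\\Roaming\\DirectX.exe
TcpConnect|DirectX.exe|checkip.dyndns.org:80
CreateFile|DirectX.exe|C:\\Users\\15pb-win7\\Desktop\\YOUR_FILES.url
CreateFile|explorer.exe|C:\\Users\\15pb-win7\\Documents\\notes.txt
RegSetValue|explorer.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|1
"""

# Each rule: (name, operations it applies to, regex over "target|extra").
# The report spells the dropped file both DirectX.exe and DirevtX.exe, so the
# patterns accept both. The HKCU ...\CurrentVersion\Run path is an assumption;
# the report only says "registry startup item". The lure file is spelled
# YOUR_FILES.url, YOUR_FILES_url and YOUR_FILE.url in the report, so all match.
RULES = [
    ("dropper_copy", {"CreateFile"},
     re.compile(r"\\AppData\\Roaming\\Dire[cv]tX\.exe$", re.I)),
    ("hidden_attribute", {"SetFileAttributes"},
     re.compile(r"Dire[cv]tX\.exe\|.*HIDDEN", re.I)),
    ("run_key_persistence", {"RegSetValue"},
     re.compile(r"\\CurrentVersion\\Run\\.*Dire[cv]tX", re.I)),
    ("checkip_lookup", {"TcpConnect", "HttpGet"},
     re.compile(r"^checkip\.dyndns\.org(:\d+)?$", re.I)),
    ("lure_url_file", {"CreateFile"},
     re.compile(r"\\Desktop\\YOUR_FILES?[._]url$", re.I)),
]


def parse_event(line):
    """Split one event line into (operation, process, haystack); None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 3:
        return None
    op, proc = parts[0], parts[1]
    haystack = "|".join(parts[2:])  # target plus any extra fields
    return op, proc, haystack


def scan_events(text):
    """Return a list of (rule_name, line) for every event that matches a rule."""
    hits = []
    for line in text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        op, _proc, haystack = parsed
        for name, ops, pattern in RULES:
            if op in ops and pattern.search(haystack):
                hits.append((name, line))
    return hits


def matched_rules(text):
    """Set of distinct rule names that fired over the event text."""
    return {name for name, _ in scan_events(text)}


def verdict(text, threshold=3):
    """Flag the host when at least `threshold` distinct indicators fire."""
    return len(matched_rules(text)) >= threshold


if __name__ == "__main__":
    for name, line in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {line}")
    print("suspected Radamant infection:", verdict(SAMPLE_EVENTS))
```

The threshold in `verdict` is deliberate: a single hit such as a file named DirectX.exe is weak on its own, but the combination of the hidden drop, the startup entry and the checkip.dyndns.org lookup is the chain this report documents, so the rules are scored together rather than alerting on any one of them.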