CTB-locker Analysis Report_V1.0

Ransomware 2015
Antiy Labs
Contents
1 Overview
2 Single Sample Analysis
2.1 Analysis of the CTB-Locker Downloader
2.2 Analysis of CTB-Locker
3 Solution
4 Defense Methods
1 Overview
Recently, we received a sample from our customer which turned out to be ransomware. It spreads by disguising itself as a customer order email or the like. The email attachment contains a Trojan file, a downloader that fetches and runs ransomware called CTB-Locker.
The ransomware traverses the disk and encrypts the system's files. A pop-up message then says that the files in the current system have been encrypted, and requires the victim to access a specified domain with the Tor browser and pay bitcoins to decrypt the files. It is worth mentioning that the malware first allows the victim to decrypt 5 files for free, proving that the files can be decrypted.
Recently, ransomware has become quite common abroad; CTB-Locker is the first of this kind discovered in China. Ransomware usually uses encryption such as RSA to encrypt the victim's files, and then asks the victim to pay in bitcoin to decrypt them. Because of the use of the Tor network, and because Bitcoin provides a certain degree of anonymity, it is difficult to trace the author of the software.
Figure: CTB-Locker attack process
2 Single Sample Analysis
2.1 Analysis of the CTB-Locker Downloader
A. Sample Information
Name: Trojan[Ransom]/Win32.Onion
Original Filename: sedan.scr
MD5: 377E285EF1AF6026367BC400A5FBBF54
Size: 33.5 KB (34,304 bytes)
Format: BinExecute/Microsoft.EXE[:X86]
Timestamp: 42BD6802->2005-06-25 22:19:46
Function: Payload file
The CTB-Locker downloader is a small piece of executable code. It is released by the CTB-Locker sample to download and execute the body of the CTB-Locker program.
B. Behavior Analysis
a. Loads the dynamic libraries to obtain the required functions.
SHLWAPI.DLL: wnsprintfA, wnsprintfW, StrStrIW
SETUPAPI.DLL: SetupIterateCabinetW
SHELL32.DLL: ShellExecuteW
WINHTTP.DLL: WinHttpOpen, WinHttpConnect, WinHttpOpenRequest, WinHttpSetOption, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpQueryDataAvailable, WinHttpReadData
Table 1: imported DLLs and functions
b. Obtains the URLs needed to download the file (pack.tar.gz); the 6 URLs point to the same file.
France (Business): breteau-photographe.com/tmp/pack.tar.gz (expired)
Germany (unknown): voigt-its.de/fit/pack.tar.gz (expired)
France (Business): maisondessources.com/assets/pack.tar.gz
France (Business): jbmsystem.fr/jb/pack.tar.gz
France (Business): pleiade.asso.fr/piwigotest/pack.tar.gz
France (School): scolapedia.org/histoiredesarts/pack.tar.gz
Table 2: download URLs for pack.tar.gz
c. Releases the resource file (a cab file containing rtf files) to a temporary directory (C:\Documents and Settings\$current username\Local Settings\Temp\temp_cab_$current system time.cab), calls the SetupIterateCabinetW function from Table 1 to extract Reservierungsfax.rtf from the cab file, and opens it, making the user think they have opened a normal document.
d. Creates a mutex named 56730099, preventing multiple instances from running at the same time.
e. Connects to the 6 URLs in turn, trying to download the file (pack.tar.gz).
a) If the download fails, it waits 5 seconds, then loops back and re-visits the URLs listed in Table 2 to download the file. Another 5 seconds of waiting time is added after every failed download.
b) If the download succeeds, it decrypts the downloaded file and verifies its integrity with a CRC32 check. If the check fails, downloading continues; if it succeeds, the decrypted file is saved to a temporary directory (C:\Documents and Settings\$current username\Local Settings\Temp\$current system time.exe) and executed. The saved file is deleted 10 seconds after the program starts, and the downloader then terminates itself.
C. Analysis of the pack.tar.gz decryption algorithm
Input: the memory address of the data to decrypt and the length of the data.
Output: the decrypted data.
Algorithm description:
Initial KEY[16] = {20h, 21h, 5, 50h, 77h, 1Bh, 51h, 0FAh, 0Eh, 0D5h, 0E8h, 28h, 0EBh, 4Bh, 0A5h, 0DAh}
Take the first byte at the input address, call it A; take the first byte of the KEY list, call it B. Compute A XOR B, store the result in the first byte at the input address, and store A (the original, still-encrypted byte) in the first byte of the KEY list.
Then take the second byte and process it in the same way, until all the data has been processed. When the end of the KEY list is reached, wrap around to its head (i.e. the key is read cyclically).
In this way the original data is overwritten in place by the decrypted data.
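The decryption routine described above, reimplemented as an added example (this is not code from the report or from the malware): the KEY table is the one quoted above, the sample input is constructed, and the trailing 'MZ' sanity check is an assumption based on the report saying the decrypted payload is saved and run as an .exe.

```python
# Added example (not code from the Antiy report or the malware): reimplementation of
# the pack.tar.gz decryption routine described in Section 2.1 C.  The KEY table is the
# one quoted in the report; everything else (sample data, the 'MZ' check) is constructed.

# Initial 16-byte KEY table from the report.
INITIAL_KEY = bytes([0x20, 0x21, 0x05, 0x50, 0x77, 0x1B, 0x51, 0xFA,
                     0x0E, 0xD5, 0xE8, 0x28, 0xEB, 0x4B, 0xA5, 0xDA])


def ctb_decrypt(data: bytes, key: bytes = INITIAL_KEY) -> bytes:
    """Decrypt a downloaded payload exactly as the report describes.

    For input byte A and key byte B (KEY indexed cyclically modulo 16):
    emit A ^ B, then overwrite that KEY slot with A (the ciphertext byte).
    Because every slot is replaced by the last ciphertext byte that used it,
    the scheme is a 16-byte-lag XOR chain rather than a fixed repeating key.
    """
    key = bytearray(key)            # working copy: the routine mutates the table
    out = bytearray(len(data))
    for i, a in enumerate(data):
        j = i % len(key)
        out[i] = a ^ key[j]
        key[j] = a
    return bytes(out)


def ctb_encrypt(plain: bytes, key: bytes = INITIAL_KEY) -> bytes:
    """Inverse routine, used here only to build test vectors.

    C = P ^ KEY[j], then KEY[j] = C, so the decryptor (which stores the
    ciphertext byte it just consumed) stays in sync with the encryptor.
    """
    key = bytearray(key)
    out = bytearray(len(plain))
    for i, p in enumerate(plain):
        j = i % len(key)
        c = p ^ key[j]
        out[i] = c
        key[j] = c
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check (assumption): the report says the decrypted payload is run as an
    .exe, so a correctly decrypted blob should start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"
```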
2.2 Analysis of CTB-Locker
A. Sample Information
Name: Trojan[Ransom]/Win32.Onion
Original Filename: $current system time.exe
MD5: 14C0558C757C93465ECCBBD77D58BBF3
Size: Trojan[Ransom]/Win32.Onion
Format: BinExecute/Microsoft.EXE[:X86]
Timestamp: 548E0C0C->2014-12-15 06:15:40
Function: Encrypts files with the specified extensions
B. Behavior Analysis
This sample uses a somewhat complex packer to protect itself, and even after unpacking it still contains a lot of obfuscated code. The packer overwrites the image mapped into memory with the decrypted data. After the packer has run, the sample drops a file with a random name in %Application Data%.
This file is encrypted and serves as a configuration file. During later execution, the sample reads configuration information from this file and writes information to it, such as the encrypted disk paths, the number of encrypted files, etc.
Then the sample copies itself to a temporary directory and runs that copy by adding a scheduled task.
The sample calls the COM interface to add the scheduled task. The screenshot is as follows:
After the copy in the temporary directory runs, it traverses the running processes looking for an svchost process and writes executable code into its memory. Then it calls RtlCreateUserThread to start this remote thread.
The screenshot of the code injection is as follows:
Then it resolves RtlCreateUserThread dynamically and starts the thread:
The list of file extensions to encrypt is located at the beginning of the injected code:
While traversing files, the malicious code decides whether a file should be encrypted based on this list.
File encryption is mainly performed by the code injected into the svchost process.
The code injected into svchost runs as a thread. It mainly performs the following tasks:
(1) Obtains the APIs used during execution.
(2) Sets up the text of the output messages, which are available in German, Dutch, Italian and English.
(3) Obtains the language environment and outputs the corresponding message text according to the current language.
(4) Obtains the MachineGUID from the registry, calculates the sha256 value of the GUID, and uses this value to encrypt the dropped configuration file.
(5) Drops a randomly named html file in the %Application Data% directory. The file contains some prompt messages and a list of the encrypted files.
(6) Reads the previously dropped configuration file (in the %Application Data% directory) into memory.
(7) Traverses the disks, finds all accessible disks and saves them, as follows:
(8) Establishes a data table for the traversed disks to hold the file information of each disk. Then it launches two threads: one thread saves the name, path, count and other information of the files to encrypt (selected by extension); the other thread encrypts the files.
(9) When traversing files, specific directories are excluded, such as those containing Temporary Internet File, Comodo Downloader, C:\Windows\, etc. In addition, specific files are excluded, such as DecryptAllFiles, AllFilesAreLocked and thumbcache.
(10) The encryption is the most important part, so we explain it in detail.
First, it appends the suffix .tmp to the target file and calls MoveFileEx to move it to a temporary directory. Then it fills a buffer from the file time and the current system time, and calculates the sha256 value of the buffer.
It takes this sha256 value as the session private key and uses the Elliptic Curve Diffie-Hellman (ECDH) algorithm to generate a session public key. Then it performs ECDH with the master public key stored in the configuration file, producing a session shared key. Finally, it calculates the sha256 value of the session shared key and uses that value as the AES encryption key. The relevant code is as follows:
It should be noted that the AES key is returned to the caller through a parameter, but the caller only stores 5 AES keys, which is why CTB-Locker is still able to decrypt 5 files in offline mode.
(11) Then it reads the file, compresses it with ZLIB and encrypts it with AES. The encrypted data is written to the temporary file starting at offset 0x30.
(12) 0x30 bytes of header data are written to the head of the temporary file: the first 0x20 bytes are the session public key generated in (10). The following 0x10 bytes are: the flag "CTB1", the size of the compressed data, the original data size and the constant value 1. Like "CTB1", the constant value 1 is a check mark.
(13) After encryption, the 5 AES encryption keys, the number of encrypted files, the encrypted disks and other information are saved in the configuration file.
(14) Then an image file named Decrypt All Files and a text file with the same name are generated in the %My Documents% directory. The image is set as the desktop background, the Recycle Bin is emptied and, finally, the desktop is refreshed. The results are as follows:
The desktop background is as follows:
Here CTB-Locker prompts the victim to use the Tor browser to access the corresponding domain name and pay a certain amount of bitcoins to decrypt the files. Before that, CTB-Locker allows the victim to decrypt 5 files; this is possible because it saved the keys of 5 files in (10).
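The 0x30-byte file header from steps (11) and (12), which also holds the session public key the Solution section refers to, as an added example parser (not code from the report or the malware). Field order is as stated in step (12); little-endian 32-bit fields and a 0x20-byte public key (0x30 header minus the 0x10 trailer) are assumptions, and since the report does not say whether the trailer is stored in clear, the parser is applied to whatever header bytes a decryptor has already recovered.

```python
# Added example (not code from the Antiy report or the malware): parser for the 0x30-byte
# header described in Section 2.2, steps (11)-(12).  Assumptions: little-endian 32-bit
# fields, and a 0x20-byte session public key (0x30 header minus the 0x10 trailer).
import struct

HEADER_LEN = 0x30
PUBKEY_LEN = 0x20                    # assumed: 0x30 - 0x10
MAGIC = b"CTB1"                      # flag named in the report
CHECK_MARK = 1                       # the constant value the report calls a check mark
# trailer: flag, compressed size, original size, check mark (byte order assumed)
TRAILER = struct.Struct("<4sIII")


class NotCtbHeader(ValueError):
    """Raised when the bytes do not form a well-formed CTB1 header."""


def parse_header(blob: bytes) -> dict:
    """Split and validate a header; the ciphertext is expected to follow at 0x30."""
    if len(blob) < HEADER_LEN:
        raise NotCtbHeader("fewer than 0x30 bytes")
    session_pub = blob[:PUBKEY_LEN]
    magic, comp_size, orig_size, check = TRAILER.unpack_from(blob, PUBKEY_LEN)
    if magic != MAGIC:
        raise NotCtbHeader("flag is not CTB1")
    if check != CHECK_MARK:
        raise NotCtbHeader("check mark mismatch")
    if comp_size == 0 or orig_size == 0:
        raise NotCtbHeader("zero-length size field")
    return {"session_pub": session_pub, "comp_size": comp_size,
            "orig_size": orig_size, "payload_offset": HEADER_LEN}


def build_header(session_pub: bytes, comp_size: int, orig_size: int) -> bytes:
    """Assemble a header in the same layout (used here only to make test vectors)."""
    if len(session_pub) != PUBKEY_LEN:
        raise ValueError("session public key must be 0x20 bytes")
    return session_pub + TRAILER.pack(MAGIC, comp_size, orig_size, CHECK_MARK)


def is_ctb_encrypted(blob: bytes) -> bool:
    """Triage helper for incident response: True if blob starts with a valid header.
    The session public key it exposes is useless without the master private key,
    which is exactly why the report's Solution section says offline decryption fails."""
    try:
        parse_header(blob)
    except NotCtbHeader:
        return False
    return True
```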
3 Solution
Can CTB-Locker encrypted files be decrypted without paying bitcoins?
The answer is no. There is currently no other way to decrypt the files. Although the encryption algorithm is AES, CTB-Locker only retains 5 AES keys. It does not save the session private keys, so the AES encryption key cannot be recalculated from the session private key and the master public key. By the principle of the Elliptic Curve Diffie-Hellman (ECDH) algorithm, the only other way to compute the AES encryption key is from the session public key (stored in the header of the file) together with the master private key, which is held on the malware author's server.
4 Defense Methods
A. Do not execute executable files from email attachments
When receiving an email, do not open the attachment without a second thought. If the attachment is a zip file, use a compression tool such as WinRAR to extract it. After extracting, check whether the files are executables; if they are, submit them to an antivirus vendor for confirmation, and only then try running them in a virtual machine.
B. Regular backups of important data
Use encryption software to encrypt important files regularly and back them up. Change the extensions of the backup files to uncommon custom suffixes.
Document Information
Name: CTB-LOCKER Analysis Report_V1.0
Version: V1.0
Level: Internal
Released: 2015-01-29
Author: Antiy Labs
Abstract: Ransomware analysis
Revision History
Date: 2015.01.29 12:03
Version: V1.0
Description: Report
Revised by: Xibao Gao