Jufeng Laboratory · 2016/04/14 10:11

Authors: Mr.Right, Gongmo, K0r4dji

Statement: the attack described in this article is disclosed only to expose malicious network attack behaviour; do not imitate it, or you bear the consequences.

0x00 Preface


Recently, more and more people have been extorted by malicious software that encrypts many important files on their computers, leaving them unable to open those files and with no choice but to pay a ransom to decrypt them.

There are many detailed analyses of this virus on the Internet, which will not be repeated here. This document uses Wireshark to analyze the extortion emails from the perspective of traffic analysis.

0x01 Intercepted Mail Sample


By monitoring a government department's mail server, we found that a large number of users had recently received this fraudulent extortion email. The sender is, as a rule, a stranger; the recipient is clearly specified; the ZIP attachment is named after the recipient; and the body typically reads "XX, please check the attachment; to avoid a fine you must pay within X hours", a fraudulent threat.

Unzipping the ZIP attachment reveals the virus files.

0x02 Wireshark Analysis


To analyze the mail protocol, we first model its data according to the OSI seven-layer model, analyze the network protocol at each layer, and finally summarize its security. (The same approach applies to other protocols.)

(1) Physical layer analysis

No analysis is performed at this layer.

(2) Link layer analysis

Because the traffic capture point is the border egress of the mail server, most of the traffic is SMTP data. The data link layer frame format is Ethernet II, with a 14-byte header: the first 12 bytes are the MAC addresses of the two ends, and the last two bytes, 0x0800, indicate the IPv4 protocol.

The data at this layer is normal.

(3) Network layer analysis

Starting from the network layer, we gradually find anomalies. What is useful to us at the network layer is, of course, the source and destination IP addresses. The source address 10.190.3.172 is the mail server, and the destination address 191.102.101.248 (Colombia) is the sender's address.

A few simple tests reveal anomalies:

  1. TCP port 25 on 191.102.101.248 is not open;

  2. 191.102.101.248 is not related to Elynos.com;

Preliminary conclusion: the sender's email address is forged.
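As an added example (not code from the original article), the following Python script decodes the three headers that the link-, network- and transport-layer analysis above relies on: the 14-byte Ethernet II header (two MAC addresses plus EtherType 0x0800 for IPv4), the IPv4 source and destination addresses, and the TCP ports, so that a raw frame can be classified as SMTP traffic. It assumes a frame as pcap would hand it over; the `build_frame` helper constructs such a frame using the article's two addresses, and the MAC addresses and zeroed checksums are placeholders.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SMTP_PORT = 25


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Ethernet II header: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_to_str(dst), "src_mac": mac_to_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(data: bytes) -> dict:
    """IPv4 header: version/IHL, total length, protocol, source and destination address."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = data[0] >> 4, (data[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    total_len = struct.unpack("!H", data[2:4])[0]
    return {"src": str(IPv4Address(data[12:16])), "dst": str(IPv4Address(data[16:20])),
            "proto": data[9], "ttl": data[8], "payload": data[ihl:total_len]}


def parse_tcp(data: bytes) -> dict:
    """TCP header: ports, sequence/ack numbers, data offset and the SYN flag."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    offset = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(off_flags & 0x02), "payload": data[offset:]}


def summarize_frame(frame: bytes) -> dict:
    """Walk link -> network -> transport and keep what the layered analysis needs."""
    eth = parse_ethernet(frame)
    out = {"src_mac": eth["src_mac"], "dst_mac": eth["dst_mac"], "ethertype": eth["ethertype"]}
    if eth["ethertype"] != ETHERTYPE_IPV4:
        out["note"] = "not IPv4; skipped"
        return out
    ip = parse_ipv4(eth["payload"])
    out.update(src_ip=ip["src"], dst_ip=ip["dst"], proto=ip["proto"])
    if ip["proto"] == IPPROTO_TCP:
        tcp = parse_tcp(ip["payload"])
        out.update(sport=tcp["sport"], dport=tcp["dport"],
                   smtp=SMTP_PORT in (tcp["sport"], tcp["dport"]))
    return out


def build_frame(src_ip, dst_ip, sport, dport, payload=b"", syn=False) -> bytes:
    """Constructed test frame; MACs are placeholders and checksums are left zero (not verified)."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                          (5 << 12) | (0x02 if syn else 0x18), 8192, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload), 1, 0,
                         64, IPPROTO_TCP, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("6677889900aa") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    # Addresses from the article: mail server 10.190.3.172, remote peer 191.102.101.248
    print(summarize_frame(build_frame("10.190.3.172", "191.102.101.248", 51234, SMTP_PORT, syn=True)))
```

Fed the frames of a real capture in turn, `summarize_frame` yields exactly the per-layer fields the article reads off Wireshark: MAC pair, EtherType, IP pair and whether port 25 is involved.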

(4) Transport layer analysis

We compile brief statistics on the TCP port 25 data and find that, around the point where the packet count per session equals 28, there are a large number of emails from different IP addresses whose byte lengths are basically the same, so we can preliminarily judge that a large number of mailboxes received abnormal emails with no real content.

Following one of these TCP streams at random shows that it is also an extortion email.
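As an added example (not from the original article), the following Python script reproduces the transport-layer statistic described above: it aggregates per-packet rows of the kind `tshark -T fields` exports into per-stream totals, histograms the SMTP streams by packet count, and flags any bucket in which many distinct remote hosts sent sessions of near-identical total size. The rows, the remote addresses (documentation ranges) and the bucket/threshold parameters are constructed assumptions; only the mail server address 10.190.3.172 comes from the article.

```python
from collections import defaultdict
from statistics import mean, pstdev

MAIL_SERVER = "10.190.3.172"  # mail server address from the article
SMTP_PORT = 25


def make_sample_rows():
    """Constructed tshark-style rows (tcp.stream, ip.src, tcp.srcport, ip.dst, tcp.dstport, frame.len).
    Six 28-packet SMTP sessions from different remote hosts with near-identical sizes, then two
    ordinary sessions of different lengths. Addresses are from documentation ranges."""
    rows = []
    remotes = ["198.51.100.%d" % n for n in (11, 23, 37, 41, 58, 77)]
    for stream, remote in enumerate(remotes):
        for i in range(28):  # alternate small ACK-sized packets and command/reply-sized packets
            size = 60 if i % 2 else 180 + (stream % 3) * 2
            rows.append((stream, remote, 40000 + stream, MAIL_SERVER, SMTP_PORT, size))
    for stream, (remote, n) in enumerate([("203.0.113.5", 61), ("203.0.113.9", 140)], start=6):
        for i in range(n):
            rows.append((stream, remote, 40000 + stream, MAIL_SERVER, SMTP_PORT, 60 + (i * 37) % 900))
    return rows


def aggregate_streams(rows, server_ip=MAIL_SERVER):
    """Per-stream packet and byte totals, the remote (non-server) address, and whether it is SMTP."""
    streams = {}
    for stream, src, sport, dst, dport, length in rows:
        s = streams.setdefault(stream, {"packets": 0, "bytes": 0, "remote": None, "smtp": False})
        s["packets"] += 1
        s["bytes"] += length
        s["remote"] = dst if src == server_ip else src
        s["smtp"] = s["smtp"] or SMTP_PORT in (sport, dport)
    return streams


def find_uniform_clusters(streams, bucket_width=3, min_sources=5, max_cv=0.05):
    """Histogram SMTP streams by packet count (buckets of bucket_width packets) and report buckets
    where at least min_sources distinct remote hosts sent sessions whose total size varies by
    no more than max_cv (coefficient of variation)."""
    buckets = defaultdict(list)
    for s in streams.values():
        if s["smtp"]:
            buckets[s["packets"] // bucket_width].append(s)
    hits = []
    for key in sorted(buckets):
        members = buckets[key]
        remotes = {m["remote"] for m in members}
        sizes = [m["bytes"] for m in members]
        cv = pstdev(sizes) / mean(sizes) if len(sizes) > 1 else 0.0
        if len(remotes) >= min_sources and cv <= max_cv:
            hits.append({"packets_range": (key * bucket_width, key * bucket_width + bucket_width - 1),
                         "sessions": len(members), "distinct_remotes": len(remotes),
                         "mean_bytes": round(mean(sizes)), "size_cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_uniform_clusters(aggregate_streams(make_sample_rows())):
        print(hit)
```

A cluster reported here is the traffic-level signature the summary later relies on: the same template mailed from many sources produces sessions of the same shape, which a legitimate mix of correspondents does not.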

(5) Session layer analysis

SMTP analysis elements at the session layer include the authentication process, sending and receiving relationship, encryption negotiation, and header negotiation.

Following the TCP stream of one email session shows that the sender of the email is an external "stranger".

Summarizing the sending and receiving relationships of several emails shows that, although the same extortion email is being sent each time, the sender's address is forged using a large number of different email addresses and domain names in order to evade spam filtering.

(6) Presentation layer analysis

Analysis elements at the presentation layer generally include encoding, lists, etc. Since this is an ordinary communication email, there are no abnormal factors at the presentation layer.

(7) Application layer analysis

In this case, the analysis targets at the application layer are email body security, email attachment security, and spam status.

1. Targeting: the recipient's email address is [email protected], the greeting in the body is "Dear Voice5", and the attachment is named "voice5_*.zip". The extortion email evidently relies on simple social engineering to get clicks.

2. Email body:

“Please check the bill in attachment.

In order to avoid fine you have to pay In 48 hours.”

An obvious fraudulent threat.

3. Save the content of this email and you can extract the attachment. Analysis confirms that the attachment is a ransomware virus (not detailed in this article).
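The session-layer and application-layer observations above (many forged sender domains behind one message template; greeting and ZIP name derived from the recipient's address; a pay-within-N-hours threat) can be checked mechanically over "Follow TCP Stream" text. The following Python script is an added example, not code from the article: it parses abbreviated SMTP transcripts into envelope, headers, body and attachment names, scores each message for the lure traits the article lists, and groups messages by subject and attachment-name template to count the distinct sender domains per template. The transcripts, addresses (example domains) and the `lure_session` template are constructed.

```python
import re
from collections import defaultdict


def lure_session(sender, rcpt, attach_id):
    """Constructed, abbreviated 'Follow TCP Stream' text for one extortion email (not a real capture)."""
    local = rcpt.split("@")[0]
    return f"""220 mx.example.gov ESMTP
MAIL FROM:<{sender}>
250 OK
RCPT TO:<{rcpt}>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: "Billing" <{sender}>
Subject: Invoice

Dear {local.capitalize()},
Please check the bill in attachment.
In order to avoid fine you have to pay In 48 hours.
Content-Disposition: attachment; filename="{local}_{attach_id}.zip"
.
QUIT
221 Bye"""


LEGIT_SESSION = """220 mx.example.gov ESMTP
MAIL FROM:<colleague@partner.example>
250 OK
RCPT TO:<voice5@example.gov>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: colleague@partner.example
Subject: Meeting notes

Hi, the notes from Tuesday are in the shared folder.
.
QUIT
221 Bye"""

SESSIONS = [lure_session("billing@example.net", "voice5@example.gov", "8231"),
            lure_session("accounts@example.org", "sales2@example.gov", "4410"),
            lure_session("notice@example.co", "admin7@example.gov", "9905"),
            LEGIT_SESSION]


def parse_session(text):
    """Pull envelope (MAIL FROM / RCPT TO), headers, body and attachment names out of a transcript."""
    info = {"mail_from": None, "rcpt_to": [], "headers": {}, "body": "", "attachments": []}
    data, in_data = [], False
    for line in text.splitlines():
        if in_data:
            if line == ".":
                in_data = False
            elif data or not line.startswith("354"):  # drop the server's 354 reply
                data.append(line)
            continue
        m = re.match(r"(MAIL FROM|RCPT TO):\s*<([^>]*)>", line, re.I)
        if m and m.group(1).upper() == "MAIL FROM":
            info["mail_from"] = m.group(2).lower()
        elif m:
            info["rcpt_to"].append(m.group(2).lower())
        elif line.strip().upper() == "DATA":
            in_data = True
    head, _, body = "\n".join(data).partition("\n\n")
    for h in head.splitlines():
        k, _, v = h.partition(":")
        info["headers"][k.strip().lower()] = v.strip()
    info["body"], info["attachments"] = body, re.findall(r'filename="([^"]+)"', body, re.I)
    return info


def lure_indicators(info):
    """Application-layer traits from the article plus an envelope/header From consistency check."""
    local = info["rcpt_to"][0].split("@")[0] if info["rcpt_to"] else ""
    flags = []
    if local and re.search(r"\bdear\s+" + re.escape(local) + r"\b", info["body"], re.I):
        flags.append("greeting derived from recipient local-part")
    if local and any(a.lower().startswith(local + "_") for a in info["attachments"]):
        flags.append("attachment named after recipient")
    if any(a.lower().endswith(".zip") for a in info["attachments"]):
        flags.append("zip attachment")
    if re.search(r"\bfine\b.*?\bpay\b.*?\b\d+\s*hours\b", info["body"], re.I | re.S):
        flags.append("payment-deadline threat")
    m = re.search(r"<([^>]+)>", info["headers"].get("from", ""))
    hdr_addr = (m.group(1) if m else info["headers"].get("from", "")).lower()
    if info["mail_from"] and hdr_addr and info["mail_from"] != hdr_addr:
        flags.append("envelope/header From mismatch")
    return flags


def campaign_summary(infos):
    """Group messages by subject + attachment-name template; count distinct sender domains per group."""
    groups = defaultdict(lambda: {"sessions": 0, "sender_domains": set()})
    for info in infos:
        local = info["rcpt_to"][0].split("@")[0] if info["rcpt_to"] else ""
        att = info["attachments"][0].lower() if info["attachments"] else ""
        att = re.sub(r"\d+", "N", att.replace(local, "<rcpt>") if local else att)
        g = groups[(info["headers"].get("subject", "").lower(), att)]
        g["sessions"] += 1
        if info["mail_from"]:
            g["sender_domains"].add(info["mail_from"].split("@")[-1])
    return {k: {"sessions": v["sessions"], "sender_domains": sorted(v["sender_domains"])}
            for k, v in groups.items()}
```

One template served from three unrelated sender domains is the pattern the article attributes to spam-filter evasion; a message whose greeting and attachment are both spelled from the recipient's own local-part has been generated from the address, not written to the person.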

0x03 Ransomware Analysis


(Note: this section is not part of the Wireshark analysis.)

(1) Virus initialization files

1) There are 6 virus files in total; the 3 files in the red box are hidden files, and the JS file is the one that lures the user into opening it. To evade detection and removal by antivirus software, the virus is split into pieces according to the PE structure; the JS code reassembles the PE pieces into a complete bin file.

2) The combined virus file is placed in the c:\User\Username\Appdata\Local\temp directory and then run in the background (in the red box below).

Opening the bin file in IDA shows large chunks of encrypted data, as shown below:

(2) Virus behavior

1) The virus can execute normally only after decryption and restoration. The virus file goes through a great deal of arithmetic (multiplication, division, etc.), uses VirtualAlloc to store a piece of code in memory, then calls RtlDecompressBuffer to decompress it and restores the code in memory. All API functions are called dynamically. Below is a small portion of the restored data.

2) It decrypts in memory, allocates pages, and makes them executable.

3) The virus creates a key value for the user under HKEY_CURRENT_USER.

4) The virus determines the system version, from Win2000 and XP up to the latest Win10 and Windows Server 2016.

Our virtual machine is Win7; the "zh" in "Win7 zh" stands for Chinese.

The virus then starts establishing a connection, ready to send data to the author's server. The structure is as follows:

Id=00&act=00&affid=00&lang=00&corp=0&serv=00&os=00&sp=00&x64=00;

Obviously this collects information about the system, including an ID number, version number, language, etc.

The URL the virus is ready to submit to:

The following IP address; it attempts to connect once.

Capturing the data with Wireshark, we found that some of the PHP pages at those IP addresses were missing.

In addition, the virus attempts to connect to several C&C server URLs, including the following:

5) If the C&C server does not return a message, the virus remains in a waiting state.
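The check-in string above has a fixed parameter set, which is the kind of structural fingerprint a defender can hunt for in web proxy logs regardless of which IP or PHP page the sample happens to use. The following Python script is an added example, not code from the article: it scores each logged URL by how many of the nine parameter names (Id, act, affid, lang, corp, serv, os, sp, x64) its query string carries and groups hits by internal client. The log lines, the client addresses, the 203.0.113.0/24 hosts and the "/gate.php" path are constructed placeholders; only the parameter names come from the article.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names of the check-in string shown in the article:
# Id=00&act=00&affid=00&lang=00&corp=0&serv=00&os=00&sp=00&x64=00
BEACON_KEYS = frozenset({"id", "act", "affid", "lang", "corp", "serv", "os", "sp", "x64"})

# Constructed proxy log (not from the article): time, client, method, url, status.
# 203.0.113.0/24 is a documentation range and "/gate.php" is a placeholder path.
SAMPLE_LOG = """\
2016-04-10T09:12:01 10.190.7.21 GET http://203.0.113.10/gate.php?Id=00&act=00&affid=00&lang=00&corp=0&serv=00&os=00&sp=00&x64=00 200
2016-04-10T09:12:03 10.190.7.21 GET http://203.0.113.11/gate.php?id=00&act=00&affid=00&lang=00&corp=0&serv=00&os=00&sp=00&x64=00 404
2016-04-10T09:12:05 10.190.7.30 GET http://www.example.com/search?id=5&lang=en 200
2016-04-10T09:12:09 10.190.7.30 GET http://www.example.com/download?os=win&sp=1&x64=1 200
"""


def query_keys(url):
    """Lower-cased set of query parameter names in a URL (case differences are ignored)."""
    return frozenset(k.lower() for k in parse_qs(urlsplit(url).query, keep_blank_values=True))


def beacon_score(url, keys=BEACON_KEYS):
    """Fraction of the expected parameter names present in the URL's query string."""
    return len(keys & query_keys(url)) / len(keys)


def find_beacons(log_text, keys=BEACON_KEYS, min_score=1.0):
    """Return log entries whose query-string parameter set matches the check-in structure.
    Lower min_score to catch variants that drop or rename a parameter."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, method, url, status = parts[:5]
        score = beacon_score(url, keys)
        if score >= min_score:
            hits.append({"time": ts, "client": client, "host": urlsplit(url).hostname,
                         "path": urlsplit(url).path, "status": status, "score": round(score, 3)})
    return hits


def beaconing_clients(hits):
    """Map each internal client to the set of hosts it checked in to, for triage and blocking."""
    out = {}
    for h in hits:
        out.setdefault(h["client"], set()).add(h["host"])
    return out


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for h in found:
        print(h)
    print(beaconing_clients(found))
```

A 404 response is still a hit: the article's sample found some of its PHP pages missing, but the infected host attempted the check-in all the same, and that attempt is what identifies the machine.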

6) File infection. First, a loop iterates over the scanned files.

Below are the file formats that the virus modifies:

File name generation algorithm:

The file name modification is divided into two parts: the first part represents the system's key value, and the second part is generated by an algorithm. In the local renaming process, each character of the name is chosen at random from "0123456789ABCDEF"; the random function used is CryptGenRandom().

General process of file content encryption:

First, the file is opened read-only to prevent other processes from accessing its contents, then the content is encrypted with the AES-128 algorithm, and finally the original file is replaced. The file is thus encrypted.

File contents: encrypted using the AES-128 algorithm.

Open the file:

Write the encrypted data back to the file:

The file is then replaced through an API function.

8) The desktop background is changed to:

0x04 Summary


  1. The subject, body and attachment content of this type of extortion email are basically the same; only the recipient name is slightly modified.

  2. In order to evade the mail filtering system, the sender uses and forges a large number of different IP addresses and email addresses.

  3. Although the ransomware can only be confirmed by analyzing the attachment sample, many anomalies can be found through traffic analysis, so the campaign can be identified and blocked at the level of network traffic.

  4. With large numbers of Bitcoin ransomware viruses flowing into China, all kinds of extortion activity are increasing day by day. I think prevention matters more than repair for this virus. Because the part of the virus that encrypts files is relatively complex, the chance of recovery is small, and every machine differs. Therefore, it is essential that we do our best at prevention. A few things require extra vigilance: (1) update anti-virus software promptly; (2) be on guard against all kinds of suspicious email attachments; (3) back up important data to other storage media.