Upgrade to Pro — share decks privately, control downloads, hide ads and more …

TeslaCrypt Ransomware Analysis

Thomas Roccia
December 14, 2016
Research
0
320

TeslaCrypt Ransomware Analysis

Thomas Roccia

December 14, 2016
Tweet

More Decks by Thomas Roccia

See All by Thomas Roccia
The XZ Backdoor Story
fr0gger
0
4.2k
Prompt Engineering for Threat Intelligence
fr0gger
1
270
State-Sponsored Financially Motivated Attacks
fr0gger
0
670
Binary Instrumentation for Malware Analysis
fr0gger
2
1.5k
Conti Leaks: Practical walkthrough and what can we learn from it
fr0gger
0
960
Sharing is Caring: Sharing Threat Intelligence Notebook Edition
fr0gger
0
1.9k
Code Graphology
fr0gger
0
720
X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?
fr0gger
3
920
AISA - Practical Threat Intelligence
fr0gger
0
1.3k

Other Decks in Research

See All in Research
SNLP2024:Planning Like Human: A Dual-process Framework for Dialogue Planning
yukizenimoto
1
320
20240918 交通くまもとーく 未来の鉄道網編(こねくま)
trafficbrain
0
220
Kaggle役立ちアイテム紹介(入門編)
k951286
14
4.6k
[CV勉強会@関東 CVPR2024] Visual Layout Composer: Image-Vector Dual Diffusion Model for Design Layout Generation / kantocv 61th CVPR 2024
shunk031
1
450
FOSS4G 山陰 Meetup 2024@砂丘 はじめの挨拶
wata909
1
110
Weekly AI Agents News! 7月号 論文のアーカイブ
masatoto
1
210
marukotenant01/tenant-20240916
marketing2024
0
490
文化が形作る音楽推薦の消費と、その逆
kuri8ive
0
150
JMED-LLM: 日本語医療LLM評価データセットの公開
fta98
5
1.2k
Global Evidence Summit (GES) 参加報告
daimoriwaki
0
140
文書画像のデータ化における VLM活用 / Use of VLM in document image data conversion
sansan_randd
2
180
Generative Predictive Model for Autonomous Driving 第61回 コンピュータビジョン勉強会@関東 (後編)
kentosasaki
0
210

Featured

See All Featured
Six Lessons from altMBA
skipperchong
27
3.5k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Code Reviewing Like a Champion
maltzj
520
39k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Automating Front-end Workflow
addyosmani
1366
200k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Why Our Code Smells
bkeepers
PRO
334
57k
Agile that works and the tools we love
rasmusluckow
327
21k
Documentation Writing (for coders)
carmenintech
65
4.4k
Scaling GitHub
holman
458
140k

Transcript

  1. White Paper Foundstone Services TeslaCrypt Uncovered By Thomas Roccia

  2. White Paper 2 TeslaCrypt Uncovered – Thomas Roccia Table of

    Contents Introduction ............................................................................................................................................................................................................................ 3 Teslacrypt Presentation .................................................................................................................................................................................................... 3 Teslacrypt Protection ......................................................................................................................................................................................................... 4 A brief overview of TeslaCrypt capabilities ........................................................................................................................................................... 11 Conclusion ............................................................................................................................................................................................................................. 16 Table of Figures Figure 1. CreateProcess in packed TeslaCrypt .................................................................................................................... 5 Figure 2. GetThreadContext in packed TeslaCrypt .............................................................................................................. 5 Figure 3. GetThreadContext in packed TeslaCrypt .............................................................................................................. 6 Figure 4. VirtualAlloc in packed TeslaCrypt ........................................................................................................................ 7 Figure 5. Breakpoint at VirtualAlloc .................................................................................................................................... 7 Figure 6. Follow in dump the allocation of the PE ............................................................................................................... 8 Figure 7. Breakpoint on memory space .............................................................................................................................. 8 Figure 8. PE on memory space ............................................................................................................................................ 9 Figure 9. Save memory data to file ..................................................................................................................................... 9 Figure 10. PE in Buffer in WriteProcessMemory ............................................................................................................... 10 Figure 11. PE unpacked File header .................................................................................................................................. 11 Figure 12. PE packed File header ....................................................................................................................................... 11 Figure 13. SeDebugPrivilege ............................................................................................................................................. 12 Figure 14. IsDebuggerPresent ........................................................................................................................................... 13 Figure 15. FindFirstFile ...................................................................................................................................................... 14 Figure 16. FindNextFile ..................................................................................................................................................... 14 Figure 17. HttpSendRequest ............................................................................................................................................. 15

  3. White Paper 3 TeslaCrypt Uncovered – Thomas Roccia Introduction Cybercrime

    and malware are becoming more and more complex to steal more money. We recently saw an increase of ransomware cases. Ransomware is a malware that hijacks your data in exchange of a ransom. At the beginning ransomware were not sophisticated and did not use encryption. The access to the computer was only blocked but data could be recovered, we talked about “Locker Ransomware”. Then attackers improve their techniques with the use of encryption, “Crypto Ransomware”. These kind of ransomware targets specific valuable data stored on the computer and encrypt data with strong encryption algorithm. Making thereof unusable without the decryption key. Ransomware attack is a very successful attack, and allows attackers to steal lot of money with a minimal risk. Coupled with the development of anti-analysis technique, the complexity of this malware is still growing. This paper talk about a short analysis of TeslaCrypt v4, the last release of infamous ransomware. Teslacrypt Presentation TeslaCrypt is a ransomware released for the first time in February 2015. It finds and encrypt your data then print a message to inform you that your data has been encrypted and is unusable unless you pay to get the decryption key. The first releases of TeslaCrypt were not properly built. As the encryption algorithm was not correctly implemented security researchers were able to create decryption tools. In November 2015, the TeslaCrypt version 2 had also some issues, attackers released the version 3 in January 2016 to correct these issues. With this version, the data was not recoverable. Then in March 2016, the last version released: the version 4. With this version the encryption files keep their original extension and a new name is implemented to the recover files. This latest version don’t allow to decrypt files. TeslaCrypt is now stronger than ever.

  4. White Paper 4 TeslaCrypt Uncovered – Thomas Roccia Teslacrypt Protection

    Lot of malwares use protection tricks to trap the analyst and make difficult the reverse engineering and the detection. We will see in this section how to recover the original sample file. The packing technique is commonly used to protect itself the sample. Common packer could be easily to detect and to use to get the original file. However in many case attackers uses custom packer to avoid recovery. In this case, a custom packer is used with multiple decryption and the use of process hollowing technique. Process hollowing is a common technique that inject a malicious code in a suspended process. So to use process hollowing, attackers uses the following Api: x CreateProcess: in a suspended mode with the CreationFlag at 0x0000 0004. x GetThreadContext: retrieves the context of the specified thread. x ZwUnmapViewOfSection: Unmaps a view of a section from the virtual address space of a subject process. x VirtualAllocEx: allocates memory within the suspended process’s address space. x WriteProcessMemory: writes data of the PE file into the memory just allocated within the suspended process. x SetThreadContext: sets the EAX register to the entry point of the executable written. x ResumeThread: resumes the thread of the suspended process.

  5. White Paper 5 TeslaCrypt Uncovered – Thomas Roccia We can

    find these functions in the packed TeslaCrypt: Figure 1. CreateProcess in packed TeslaCrypt Figure 2. GetThreadContext in packed TeslaCrypt

  6. White Paper 6 TeslaCrypt Uncovered – Thomas Roccia The prototype

    is: BOOL WINAPI GetThreadContext( _In_ HANDLE hThread, _Inout_ LPCONTEXT lpContext ); Then we can see the call of ZwUnmapViewOfSection: Figure 3. GetThreadContext in packed TeslaCrypt The prototype is: NTSTATUS ZwUnmapViewOfSection( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress );

  7. White Paper 7 TeslaCrypt Uncovered – Thomas Roccia Then the

    VirtualAlloc function: Figure 4. VirtualAlloc in packed TeslaCrypt LPVOID WINAPI VirtualAlloc( _In_opt_ LPVOID lpAddress, _In_ SIZE_T dwSize, _In_ DWORD flAllocationType, _In_ DWORD flProtect ); We can here dump the unpacked file loaded in the memory after the 4th hit of VirtualAlloc. We can see the VirtualAlloc API by hit CTRL+G and enter “VirtualAlloc”: Figure 5. Breakpoint at VirtualAlloc

  8. White Paper 8 TeslaCrypt Uncovered – Thomas Roccia By pressing

    F9 we hit the breakpoint, then we return to usercode, and follow the register EAX in memory. Figure 6. Follow in dump the allocation of the PE We have now in memory pan an empty space which will be fill by the function. We can setup a hardware breakpoint to see what’s happened. Figure 7. Breakpoint on memory space

  9. White Paper 9 TeslaCrypt Uncovered – Thomas Roccia Then we

    press F9 to check the file dropped in the memory space. Here we see the memory during each hit of VirtualAlloc. The sample unpacked is the last one. Figure 8. PE on memory space We can dump this one for analysis with “save data to file”. Figure 9. Save memory data to file Invalid PE Valid PE but still packed Valid PE unpacked

  10. White Paper 10 TeslaCrypt Uncovered – Thomas Roccia At this

    point we have a valid unprotected PE. The other way to dump quickly the PE without hit each VirtualAlloc is to setup a breakpoint at WriteProcessMemory API and follow in memory the buffer. Figure 10. PE in Buffer in WriteProcessMemory BOOL WINAPI WriteProcessMemory( _In_ HANDLE hProcess, _In_ LPVOID lpBaseAddress, _In_ LPCVOID lpBuffer, _In_ SIZE_T nSize, _Out_ SIZE_T *lpNumberOfBytesWritten ); With the valid unprotected PE we can now analysis it to better understand his behavior.

  11. White Paper 11 TeslaCrypt Uncovered – Thomas Roccia A brief

    overview of TeslaCrypt capabilities After unpacked the file we can find more interesting information. The original date of compilation can be found the March 18 2016 at 09:37:49 UTC. Figure 11. PE unpacked File header The date before the unpacking was the February 22 2007 at 5:38:20 UTC. Figure 12. PE packed File header Metadata: File Name unpackTesla.mem File Size 249856 bytes File Type PE32 executable (GUI) Intel 80386, for MS Windows Md5 ea3ccdd7c69b5e1a18c473d937c68c37 Ssdeep 6144:NSMPQFF58b1H2towR74r7kLeY4U3HUck:NSJFF41H2to07475A0

  12. White Paper 12 TeslaCrypt Uncovered – Thomas Roccia Malware uses

    some trick to elevate their privilege one of this trick is to use the SeDebugPrivilege, which attribute the System privilege to the malware. The following screenshot shows how it’s working. Figure 13. SeDebugPrivilege When the sample is running, it enables the SeDebugPrivilege by setting an access token right. An access token is an object containing the security descriptor of a process. The sample uses the functions OpenProcessToken and LookupPrivilegeValue to get the LUID (Local Unique Identifier) and check the privilege SeDebugPrivilege. Then the sample used the function AdjustTokenPrivilege for setting the token. The SeDebugPrivilege is normally used for system level debugging but it is also a trick used by malware coder to gain access to system level process.

  13. White Paper 13 TeslaCrypt Uncovered – Thomas Roccia The malware

    also uses some anti-debugging technique; we can find the API IsDebuggerPresent that check if the process is being debugged or not. Figure 14. IsDebuggerPresent If the debugger is detected the sample terminate the process, and never call the rest of the code. Debugger detection Rest of the code Terminate process if debugger is detected

  14. White Paper 14 TeslaCrypt Uncovered – Thomas Roccia To browse

    the disk and find all the file to encrypt, the sample use both API, FindFirstFile and FindNextFile. Figure 15. FindFirstFile Figure 16. FindNextFile

  15. White Paper 15 TeslaCrypt Uncovered – Thomas Roccia To connect

    with the remote IP and register the infected machine, the function HttpSendRequest is used. Figure 17. HttpSendRequest The sample try to connect to the following IP. Domain Ip resumosdenovela.net 108.167.185.237 classemgmt.testbada.com 115.94.157.252 shampooherbal.com 104.128.239.91 exaltation.info 46.235.47.104 commonsenseprotection.com 50.116.109.230 ebookstoreforyou.com 87.229.77.69

  16. White Paper 16 TeslaCrypt Uncovered – Thomas Roccia During the

    analysis we found some part of code referring to a Bitcoin foundation github project (secp256k1). (https://github.com/bitcoin/secp256k1) The Secp256k1 is used in Bitcoin and defined in Standards for Efficient Cryptography. (https://en.bitcoin.it/wiki/Secp256k1) We can find the code above at this address: https://github.com/bitcoin/secp256k1/blob/master/src/secp256k1.c Conclusion This short paper briefly presents some functionalities of TeslaCrypt and brings an overview of its capacities. With the increasing development of cybercrime, ransomware gain in strength and become more complex and powerful. As we know TeslaCrypt is still active and developers continue to improve their code in order to gain more money. The best way to avoid infection is still to educate users but also to do regular backups. To be continued…