Sunday, May 1, 2016

Locky Ransomware Analysis - Analysing through Process Explorer

Picking up from where the last post left off, we noticed that the "Locky.exe" process exited. However, we also noticed that it created the file "svchost.exe".

Because of the image path we monitored in Process Monitor, we were unable to see if the "svchost.exe" process was loaded and what was done. Lets use process explorer to see if the "svchost.exe" which was created was executed and is still running.

As we launch Process Explorer, from the "view" menu deselect the "show process from all users".

Next from the "options" menu, we select "Verify Image Signatures".

From above the above we see that the "svchost.exe" does not have a verified signature.

Additionally, its  a process which does not seem to have a parent. While a system can have multiple "svchost.exe" processes, these processes in most cases are always a child of "services.exe". This "svchost.exe" stands by itself.

Now that this process is deemed suspicious. Lets dig deeper into it.

Looking at the image data below, the first thing that stood out to me was build time in year 2005.

I found this interesting as I'm using Windows 10 so I expect the build time to be more recent.

Next, from above we see the path and the command line representation of the path which was created when Locky.exe was loaded.

Additionally, we see the current directory is "c:\locky\locky". On a typical Windows system this would be " %WINDIR%\system32\"

Finally, we see the partent process is non-existent. We already know that the parent process exited.

The next item that stood out immediately was the difference between the strings on disk and the strings in memory.

Image below shows a snapshot of the strings on disk.


Image below shows the strings in memory. Simply looking at the first few lines we can see an immediate difference.


Going through the strings in memory we see some interesting information which stands out. One of the things I found interesting about this was that the malware actually attempts to delete your volume shadow copies, thus making it harder for you to restore files from previous versions.

Below we see among other things that Locky will perform a HTTP POST to the site listed in memory.

At this point, I think we have enough information to be able to draw conclusions that we can remediate. The next step would be to kill the process and try to understand what is being requested from the URL which was found in the strings.
The final step in the process was to validate the "svchost.exe" against Virus Total. Lucky for me the file was already analyzed and had a detection ratio of 49/56 as shown below.   

Now that we've reached this stage, I think it is important to understand that I was not attempting to see how my files gets encrypted. We already know this is the purpose of Locky.  However, I deliberately did not connect my VM to the Internet, thus the "Locky.exe" executable was unable to successfully download the actual ransomware as the site which is found in memory was not available. Maybe a another time I will be able to use a different lab.

SHA256:  bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

Locky Ransomware Analysis - Understanding its execution, looking for artificats with Process Monitor

As we continue this journey looking at Locky, let's see what it looks like in actual production.

Since my AV detected it in the previous post, in this post I will disable the AV and its features.

Next I loaded up Process Monitor and set the "Image Path" to "c:\Locky\Locky\Locky.exe"

I then executed Locky and found some artifacts. Note, I compared these to a "clean" version of Windows 10 before deciding that these are good artifacts.

Looking through process monitor, we can see the following

From the above we see that the "Locky.exe" process started. It then created a thread and started attempting to open registry keys which were not found. I'm assuming it was probably checking to see if those entries existed, which may have meant it was executed before. However, those entries were "NOT FOUND"

As we move forward we see our first set of registry artifacts.

First we see the creation of registry key "HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32" and then we see that some values were set successfully and those values were then queried successfully.

While the items below cannot be used as artifacts, I thought it was important that I show some of the files which Locky tried to create but was unable to.

Something else that I found interesting is that Locky actually checks to see if specific Antivirus are installed. As we can see below, it is querying the registry looking for Kaspersky Lab, ESET and Avast. In the three cases shown below the values were "NOT FOUND"

Additionally, we see another registry artifacts in the successful creation of the key "HKCU\Software\Locky" and settings its value.

As we begin to look at the artifacts written to the disk, we see that the file "svchost.exe" was created in "%USERPROFILE%\AppData\Local\Temp\"

Next we see things start to get even more interesting with Locky creating a new process "cmd.exe". This process was executed with PID: "3636" and command line arguments. "cmd.exe /C del /Q /F "C:\Users\SECURI~1\AppData\Local\Temp\sysFAE3.tmp"

What the command is doing is basically "cmd.exe" is executing the specified command which is basically to delete quietly and force the deletion of some ".tmp" files in the "Temp" folder.

Finally, we see Locky process exists and closes.

At this point while we detected some artifacts, there is still information which we have not figured out. Do remember the "Locky.exe" process created other files and executed another process. Namely "svchost.exe". Let's dig a little deeper with process explorer in the next post.

Visible Artifacts
Registry Entries
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\EnableAutoFileTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\MaxFileSize: 0x00100000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\EnableAutoFileTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\MaxFileSize: 0x00100000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\FileDirectory: "%windir%\tracing"

Locky Ransomware Analysis - Will my AV help?

Considering there is so much about ransomware in the news and to some extent Locky, I thought I should take the opportunity to take a closer look at it to see if there is anything other than the obvious that someone may be able to do to mitigate the effects of being successfully targeted by a ransomware.

For the purpose of this post, I am using a virtual machine running Windows 10 with all the latest updates.

Additionally, I have some sample documents (.pdf, .txt, .xls, etc) and images,

One of the things I would like to know first up is if my Antivirus Comodo would be able to detect the first stage of the ransomware.

Ensure my Antivirus is up to date

Next up, I copied the ransomware from a USB into my Windows 10 VM. While copying, nothing was detected as malicious. It is quite possible that nothing was detected because Locky is contained in a password protected archive.

Once I extracted the file, it seems like Comodo detected it as a virus as I saw the file being extracted and then it disappeared. When I looked into the Comodo console, I see the file listed there as shown below.

Oh the question in my subject line is "Will my AV help?". The immediate take away from this is that an up-to-date antivirus can help with detecting Locky.

No need for me to do anything else here, time to disable the antivirus to see locky in action.

See you in the next post.


How I recovered my "lost" password - Burpsuite

Ahhhhhhhhhhhhh, sometimes the thought of having to remember your password can be frustrating, as a result we do all types of things to bring convenience. In my case I stored it in the browser for one part of the site but could not remember it for the other. So what did I do?

I opened the page for which my password was stored, similar to shown below.

Next, I loaded Burp,  enabled its listen proxy and configured my browser to use the local proxy which is now listening on as shown below.

Burp listening proxy enabled

Firefox proxy configuration

Now that the proxy is listening and my browser is configured, time to access the website where my password is currently stored. In trying to access the site, the first thing that occurs is a certificate error.

Once I acknowledge the error, my authentication attempt was sent to Burp as shown below.

Next step is to send the password to the "Decoder"

Next I navigate to the "Decoder" tab and "Decode as" URL

That's it!! I recovered my password without having to change it.