add dharma article

petikvx · Dec 17, 2023 · 2dd09df · 2dd09df
1 parent 066c2c2
commit 2dd09df
Show file tree

Hide file tree

Showing 7 changed files with 232 additions and 0 deletions.
diff --git a/_posts/Malware Analyze/2023-12-31-dharma-ransomware-family.md b/_posts/Malware Analyze/2023-12-31-dharma-ransomware-family.md
@@ -0,0 +1,232 @@
+# Dharma Ransomware family
+
+* [https://app.any.run/tasks/66d70e91-7351-484c-b222-3907f1f92925](https://app.any.run/tasks/66d70e91-7351-484c-b222-3907f1f92925)
+
+## History
+
+Dharma, also known as Crysis, is a type of ransomware, a malicious software that encrypts files on a computer or a computer network and then demands a ransom in exchange for the decryption key to restore the files. Here are some important features of the Dharma ransomware:
+
+1.  Initial Discovery: Dharma ransomware was initially discovered around October 21, 2017. Originally, it was known as Crysis before taking on the name Dharma.
+
+2.  Encryption Method: Dharma encrypts all files on an infected computer, making these files inaccessible without the appropriate decryption key. It uses a strong encryption algorithm to lock the data.
+
+3.  Ransom Demand: Once files are encrypted, attackers demand a ransom payment in Bitcoin from the victims to provide the decryption key. Victims are typically presented with a ransom demand displayed on their computer screen.
+
+4.  Variants: There are many variants of Dharma, each with its own specific file extensions used to mark the encrypted files. For example, some variants use file extensions such as .BMP, .BIP, .COMBO, etc.
+
+5.  Propagation Methods: Dharma primarily spreads through open Remote Desktop Protocol (RDP) ports, exploiting various vulnerabilities or using dictionary or brute force attacks to gain access to systems. Once access is obtained, attackers can spread laterally within the network using tools like Mimikatz to gain administrative control over other machines.
+
+6.  Activity Monitoring: The cybercriminals behind Dharma typically monitor the activities of the targeted business to assess the value of the encrypted data and adjust their strategy accordingly.
+
+
+In summary, Dharma is a dangerous ransomware that targets computer systems, encrypts victims' files, and demands a Bitcoin ransom to restore access to the data. It primarily spreads through RDP security flaws and can have numerous variants. Businesses should take measures to protect themselves against this type of threat by strengthening their computer security and regularly backing up their data.
+
+## Sample information
+
+| Information                   | Valeur                                                                             |
+| ----------------------------- | ----------------------------------------------------------------------------------|
+| File name                     | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma                       |
+| Full analysis                 | [Lien d'analyse complet](https://app.any.run/tasks/66d70e91-7351-484c-b222-3907f1f92925) |
+| Analysis date                 | 16 décembre 2023 à 06:34:52                                                       |
+| MIME                          | application/x-dosexec                                                             |
+| File info                     | PE32 executable (GUI) Intel 80386, for MS Windows                                  |
+| SHA256                        | F06EEC18F16BEBED895404D4D77863A2F157CF12695DF1B0710F865DC7A5BE4B                    |
+| SSDEEP                        | 3072:oaPFEQ/ZmQxAaZm6eHNW8V+IcTZ/tA2gr7EW2ZwPdxRT3qRnxQC6BK1/60zWsiKd            |
+
+## Behavior Activities
+
+[The report of analyze](https://any.run/report/f06eec18f16bebed895404d4d77863a2f157cf12695df1b0710f865dc7a5be4b/66d70e91-7351-484c-b222-3907f1f92925) shows the behavior activities :
+
+![behavior-activities](/images/dharma/dharma-01.png)
+
+Here is the table for better presentation; we will try to examine each of the points through the analysis of this ransomware.
+
+| Catégorie  | Description                                                | Processus affecté                                      |
+|------------|------------------------------------------------------------|--------------------------------------------------------|
+| MALICIOUS  | Drops the executable file immediately after the start    | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
+| MALICIOUS  | Create files in the Startup directory                     | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
+| MALICIOUS  | Deletes shadow copies                                      | cmd.exe (PID: 2320), cmd.exe (PID: 7020), cmd.exe (PID: 5220) |
+| MALICIOUS  | Creates a writable file in the system directory           | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
+| MALICIOUS  | Actions looks like stealing of personal data               | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
+| SUSPICIOUS | Starts CMD.EXE for commands execution                     | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
+| SUSPICIOUS | Reads the date of Windows installation                     | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876) |
+| SUSPICIOUS | Application launched itself                                | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876) |
+| SUSPICIOUS | Executes as Windows Service                                | VSSVC.exe (PID: 6600) |
+| SUSPICIOUS | Process drops legitimate windows executable                | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
+| SUSPICIOUS | The process creates files with name similar to system file names | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
+| INFO       | Checks supported languages                                | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), mode.com (PID: 6288), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960), mode.com (PID: 6216), mode.com (PID: 5584) |
+| INFO       | Reads the computer name                                    | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876), 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
+| INFO       | Creates files or folders in the user directory            | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3876) |
+| INFO       | Creates files in the program directory                    | 2023-12-14_d4726540ef9e6bfc0821650db0e62da3_crysis_dharma.exe (PID: 3960) |
+
+## API call
+
+With any.run, you can see that few Windows APIs are used.
+
+![api-call](/images/dharma/dharma-02.png)
+
+The studied ransomware does not directly call APIs but instead utilizes `LoadLibrary` and `GetProcAddress` functions to dynamically retrieve function addresses from dynamic-link libraries (DLLs). This approach provides increased flexibility by dynamically loading libraries, checking for the existence of functions, and handling errors gracefully, facilitating interoperability and version management of the libraries used by the ransomware.
+
+```cpp
+HMODULE __cdecl sub_4065E0(const CHAR *a1)
+{
+  HMODULE result; // eax
+  const CHAR *lpLibFileName; // [esp+0h] [ebp-Ch]
+  LPCSTR lpLibFileNamea; // [esp+0h] [ebp-Ch]
+  int v4; // [esp+4h] [ebp-8h]
+  HMODULE hModule; // [esp+8h] [ebp-4h]
+
+  result = (HMODULE)a1;
+  lpLibFileName = a1;
+  v4 = 0;
+  while ( *lpLibFileName )
+  {
+    result = LoadLibraryA(lpLibFileName);
+    hModule = result;
+    if ( !result )
+      break;
+    while ( *lpLibFileName )
+      ++lpLibFileName;
+    for ( lpLibFileNamea = lpLibFileName + 1; ; ++lpLibFileNamea )
+    {
+      result = (HMODULE)*lpLibFileNamea;
+      if ( !*lpLibFileNamea )
+        break;
+      dword_4186B8[v4++] = (int)GetProcAddress(hModule, lpLibFileNamea);
+      while ( *lpLibFileNamea )
+        ++lpLibFileNamea;
+    }
+    while ( *lpLibFileNamea )
+      result = (HMODULE)++lpLibFileNamea;
+    lpLibFileName = lpLibFileNamea + 1;
+  }
+  return result;
+}
+
+```
+
+Results in the debuger :
+
+![image](/images/dharma/dharma-03.png)
+
+![image](/images/dharma/dharma-04.png)
+
+
+**KERNEL32.DLL**:
+
+-   GetModuleHandleW (Obtains the handle of a module instance)
+-   FindNextFileW (Searches for the next file in a directory)
+-   FindClose (Closes a file search)
+-   MoveFileW (Moves or renames a file)
+-   GetFileSizeEx (Obtains the size of a file)
+-   GetModuleFileNameW (Obtains the module's file name)
+-   GetFileAttributesW (Obtains file attributes)
+-   ExitProcess (Terminates the process)
+-   GetCommandLineW (Obtains the process's command line)
+-   GetComputerNameW (Obtains the computer name in Unicode)
+-   GetComputerNameA (Obtains the computer name in ANSI)
+-   CreateMutexW (Creates a mutex object)
+-   lstrlenW (Gets the length of a Unicode string)
+-   lstrlenA (Gets the length of an ANSI string)
+-   GetCurrentProcess (Obtains the handle of the current process)
+-   GetLogicalDrives (Obtains a list of logical drives)
+-   GetTickCount (Obtains the number of milliseconds since system startup)
+-   DeleteFileW (Deletes a file)
+-   WideCharToMultiByte (Converts a Unicode string to ANSI)
+-   Sleep (Suspends thread execution for a specified number of milliseconds)
+-   ReadFile (Reads data from a file or file handle)
+-   CreateFileW (Creates or opens a file)
+-   OpenMutexW (Opens a mutex object)
+-   WaitForMultipleObjects (Waits for one of the specified objects to be signaled)
+-   lstrcmpiW (Compares two Unicode strings without regard to case)
+-   lstrcmpiA (Compares two ANSI strings without regard to case)
+-   DeleteCriticalSection (Deletes a critical section)
+-   ReleaseMutex (Releases a mutex object)
+-   CloseHandle (Closes an object handle)
+-   GetVersion (Obtains the Windows version)
+-   CreateThread (Creates a new thread)
+-   ExpandEnvironmentStringsW (Expands environment variables in a string)
+-   QueryPerformanceCounter (Obtains the performance counter)
+-   QueryPerformanceFrequency (Obtains the performance counter frequency)
+-   GetCurrentProcessId (Obtains the current process ID)
+-   SetFileAttributesW (Sets file attributes)
+-   GetVolumeInformationW (Obtains disk volume information)
+-   WriteFile (Writes data to a file or file handle)
+-   SetFilePointerEx (Sets file pointer position)
+-   SetEndOfFile (Sets the end of a file)
+-   FindFirstFileW (Searches for the first file in a directory)
+-   GetProcessHeap (Obtains the process heap handle)
+-   HeapReAlloc (Reallocates a block of memory from the heap)
+-   HeapAlloc (Allocates a block of memory from the heap)
+-   HeapFree (Frees a block of memory from the heap)
+-   CreatePipe (Creates a named pipe)
+-   SetHandleInformation (Modifies handle information)
+-   CreateProcessW (Creates a new process)
+-   CompareStringW (Compares Unicode strings)
+-   CompareStringA (Compares ANSI strings)
+-   OpenProcess (Opens a handle to a process)
+-   TerminateProcess (Terminates a process)
+-   GetSystemTime (Obtains system time)
+-   SystemTimeToFileTime (Converts system time to file time)
+-   GetLastError (Obtains the error code of the last call)
+-   CreateToolhelp32Snapshot (Creates a tool help snapshot)
+-   Process32NextW (Obtains information about the next process)
+-   Process32FirstW (Obtains information about the first process)
+
+**ADVAPI32.DLL**:
+
+-   RegOpenKeyExW (Opens a registry key)
+-   RegQueryValueExW (Reads a registry value)
+-   RegCloseKey (Closes a registry key)
+-   RegSetValueExW (Writes a registry value)
+-   OpenProcessToken (Obtains process access token)
+-   GetTokenInformation (Obtains token information)
+-   OpenSCManagerW (Opens the service control manager)
+-   OpenServiceW (Opens a service)
+-   CloseServiceHandle (Closes a service handle)
+-   ControlService (Controls a service)
+-   QueryServiceStatus (Obtains service status)
+-   EnumDependentServicesW (Enumerates dependent services)
+-   EnumServicesStatusExW (Enumerates services)
+
+**USER32.DLL**:
+
+-   SystemParametersInfoW (Obtains or sets system parameters)
+
+**SHELL32.DLL**:
+
+-   ShellExecuteExW (Executes or opens a file or object)
+
+**NETDLL.DLL**:
+
+-   NtQuerySystemInformation (Obtains system information)
+
+**MPR.DLL**:
+
+-   WNetCloseEnum (Closes a network enumeration)
+-   WNetOpenEnumW (Opens a network enumeration)
+-   WNetEnumResourceW (Enumerates network resources)
+
+**WS2_32.DLL**:
+
+-   WSAStartup (Initializes the Windows Sockets library)
+-   socket (Creates a socket)
+-   send (Sends data on a socket)
+-   recv (Receives data on a socket)
+-   connect (Establishes a connection on a socket)
+-   closesocket (Closes a socket)
+-   gethostbyname (Obtains host information by name)
+-   inet_addr (Converts an IP address to binary format)
+-   ntohl (Converts a network unsigned integer to host format)
+-   htonl (Converts a host unsigned integer to network format)
+-   htons (Converts a host unsigned short to network format)
+
+## Replication process
+
+Le malware se réplique dans les dossiers suivants :
+
+* C:\\Windows\\System32\\%filename%
+* C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%filename%
+
+![image](/images/dharma/dharma-05.png)
+![image](/images/dharma/dharma-06.png)
diff --git a/images/dharma/dharma-01.png b/images/dharma/dharma-01.png
diff --git a/images/dharma/dharma-02.png b/images/dharma/dharma-02.png
diff --git a/images/dharma/dharma-03.png b/images/dharma/dharma-03.png
diff --git a/images/dharma/dharma-04.png b/images/dharma/dharma-04.png
diff --git a/images/dharma/dharma-05.png b/images/dharma/dharma-05.png
diff --git a/images/dharma/dharma-06.png b/images/dharma/dharma-06.png