up

_posts/Malware Analyze/2024-06-30-darkrace-ransomware.md

@@ -25,6 +25,29 @@
 
 ## Operation of the malware
 
+There are three main parts in the malware.
+
+```assembly
+push    ebp
+mov     ebp, esp
+push    esi
+mov     esi, [ebp+argv]
+push    0               ; nCmdShow
+push    dword ptr [esi] ; lpWindowName
+push    offset ClassName ; "ConsoleWindowClass"
+call    ds:FindWindowA
+push    eax             ; hWnd
+call    ds:ShowWindow
+mov     eax, [esi]
+mov     lpFileName, eax
+call    sub_2C30D0          ; First Part (Setup of Malware)
+call    sub_2C3340          ; Second Part (Infection of files)
+call    sub_2C2F40          ; Third part (Cleaning of Malware)
+```
+
+## First Part (Setup of Malware) 
+
+
 ### Deletion of shadow copies
 
 ![delete-shadow-copy](/images/darkrace/delete-shadow-copy.png)
@@ -33,10 +56,9 @@ This command is used to delete shadow copies on a Windows system. Shadow copies
 
 Specifically, the command `cmd /c "wmic shadowcopy delete /nointeractive"` is a Windows command that uses the WMIC (Windows Management Instrumentation Command-line) tool to delete all shadow copies without prompting the user for confirmation (`/nointeractive`). This means it removes these shadow copies without requiring user confirmation, which can be useful in scripts or automated tasks where user interaction is not desired.
 
+### Empty the Recycle Bin
 
-### Vider la corbeille
-
-Le malware va vider la corbeille en utilisant l'API SHEmptyRecycleBinA.
+The malware will empty the Recycle Bin using the SHEmptyRecycleBinA API.
 
 ![empty-bin](/images/darkrace/empty-bin.png)
 
@@ -69,7 +91,7 @@ The malware will first create an icon that will be used for files with the encry
 
 ![icon](/images/darkrace/icone.png)
 
-### Associer ICON aux fichiers .3fe57B660
+### Associate ICON with .3fe57B660 files
 
 The malware will add values to the registry to associate the previously created icon with files ending in '.3fe57B660'.
 
@@ -91,6 +113,49 @@ This script repeatedly pings the local host (127.0.0.1) to create a delay, then
 
 ![bat-writefile](/images/darkrace/bat-writefile.png)
 
+```cpp
+void sub_2C33F0()
+{
+  FILE *v0; // ebx
+  int v1; // eax
+  const char *v2; // esi
+  const void *v3; // edi
+  char *v4; // ecx
+  CHAR SubKey[100]; // [esp+Ch] [ebp-D4h] BYREF
+  BYTE Data[100]; // [esp+70h] [ebp-70h] BYREF
+  DWORD dwDisposition; // [esp+D4h] [ebp-Ch] BYREF
+  HKEY phkResult; // [esp+D8h] [ebp-8h] BYREF
+  size_t ElementCount; // [esp+DCh] [ebp-4h] BYREF
+
+  memset(SubKey, 0, sizeof(SubKey));
+  memset(Data, 0, sizeof(Data));
+  ElementCount = 0;
+  v0 = fopen("C:\\ProgramData\\icon.ico", "wb");
+  v1 = sub_2D05B0(dword_2FE0EC, dword_2FE0EC, "ico", 0, 0, 1);
+  v2 = (const char *)sub_2C1990(v1);
+  sub_2C8A50(0, 0, &ElementCount, v2, strlen(v2));
+  v3 = (const void *)sub_2C1960(ElementCount);
+  sub_2C8A50(v3, ElementCount, &ElementCount, v2, strlen(v2));
+  fwrite(v3, 1u, ElementCount, v0);
+  fclose(v0);
+  sub_2C2680(SubKey, ".%ls", lpWideCharStr);
+  sub_2C2680(Data, "%lsfile", lpWideCharStr);
+  RegCreateKeyExA(HKEY_CLASSES_ROOT, SubKey, 0, 0, 0, 0xF003Fu, 0, &phkResult, &dwDisposition);
+  RegSetValueExA(phkResult, 0, 0, 1u, Data, strlen((const char *)Data));
+  RegCloseKey(phkResult);
+  v4 = &SubKey[99];
+  while ( *++v4 )
+    ;
+  strcpy(v4, "\\DefaultIcon");
+  RegCreateKeyExA(HKEY_CLASSES_ROOT, (LPCSTR)Data, 0, 0, 0, 0xF003Fu, 0, &phkResult, &dwDisposition);
+  RegSetValueExA(phkResult, 0, 0, 1u, "C:\\ProgramData\\icon.ico", 0x17u);
+  RegCloseKey(phkResult);
+  SHChangeNotify(0x8000000, 0, 0, 0);
+}
+```
+
+## Second Part (Infection of files)
+
 ### Infection des fichiers
 
 The malware will search for files. When it finds one, it will assign it the status of a normal file (80h). Then it will attempt to rename it with the extension '.3fe57B660'.
@@ -105,6 +170,8 @@ It will position itself at the beginning of the file to read it :
 
 ![read-crypt-write](/images/darkrace/read-crypt-write.png)
 
+## Third part (Cleaning of Malware)
+
 ### Clear logs and reboot
 
 ![clear-log](/images/darkrace/clear-log.png)