diff --git a/_posts/Malware Analyze/2024-06-30-darkrace-ransomware.md b/_posts/Malware Analyze/2024-06-30-darkrace-ransomware.md
index 93477b8..bdbd8d5 100644
--- a/_posts/Malware Analyze/2024-06-30-darkrace-ransomware.md
+++ b/_posts/Malware Analyze/2024-06-30-darkrace-ransomware.md
@@ -25,6 +25,29 @@
 ## Operation of the malware
 
+There are three main parts in the malware.
+
+```assembly
+push ebp
+mov ebp, esp
+push esi
+mov esi, [ebp+argv]
+push 0 ; nCmdShow
+push dword ptr [esi] ; lpWindowName
+push offset ClassName ; "ConsoleWindowClass"
+call ds:FindWindowA
+push eax ; hWnd
+call ds:ShowWindow
+mov eax, [esi]
+mov lpFileName, eax
+call sub_2C30D0 ; First Part (Setup of Malware)
+call sub_2C3340 ; Second Part (Infection of files)
+call sub_2C2F40 ; Third part (Cleaning of Malware)
+```
+
+## First Part (Setup of Malware)
+
+
 ### Deletion of shadow copies
 
 ![delete-shadow-copy](/images/darkrace/delete-shadow-copy.png)
 
@@ -33,10 +56,9 @@ This command is used to delete shadow copies on a Windows system. Shadow copies
 
 Specifically, the command `cmd /c "wmic shadowcopy delete /nointeractive"` is a Windows command that uses the WMIC (Windows Management Instrumentation Command-line) tool to delete all shadow copies without prompting the user for confirmation (`/nointeractive`). This means it removes these shadow copies without requiring user confirmation, which can be useful in scripts or automated tasks where user interaction is not desired.
 
+### Empty the Recycle Bin
 
-### Vider la corbeille
-
-Le malware va vider la corbeille en utilisant l'API SHEmptyRecycleBinA.
+The malware will empty the Recycle Bin using the SHEmptyRecycleBinA API.
 
 ![empty-bin](/images/darkrace/empty-bin.png)
 
@@ -69,7 +91,7 @@ The malware will first create an icon that will be used for files with the encry
 
 ![icon](/images/darkrace/icone.png)
 
-### Associer ICON aux fichiers .3fe57B660
+### Associate ICON with .3fe57B660 files
 
 The malware will add values to the registry to associate the previously created icon with files ending in '.3fe57B660'.
 
@@ -91,6 +113,49 @@ This script repeatedly pings the local host (127.0.0.1) to create a delay, then
 
 ![bat-writefile](/images/darkrace/bat-writefile.png)
 
+```cpp
+void sub_2C33F0()
+{
+  FILE *v0; // ebx
+  int v1; // eax
+  const char *v2; // esi
+  const void *v3; // edi
+  char *v4; // ecx
+  CHAR SubKey[100]; // [esp+Ch] [ebp-D4h] BYREF
+  BYTE Data[100]; // [esp+70h] [ebp-70h] BYREF
+  DWORD dwDisposition; // [esp+D4h] [ebp-Ch] BYREF
+  HKEY phkResult; // [esp+D8h] [ebp-8h] BYREF
+  size_t ElementCount; // [esp+DCh] [ebp-4h] BYREF
+
+  memset(SubKey, 0, sizeof(SubKey));
+  memset(Data, 0, sizeof(Data));
+  ElementCount = 0;
+  v0 = fopen("C:\\ProgramData\\icon.ico", "wb");
+  v1 = sub_2D05B0(dword_2FE0EC, dword_2FE0EC, "ico", 0, 0, 1);
+  v2 = (const char *)sub_2C1990(v1);
+  sub_2C8A50(0, 0, &ElementCount, v2, strlen(v2));
+  v3 = (const void *)sub_2C1960(ElementCount);
+  sub_2C8A50(v3, ElementCount, &ElementCount, v2, strlen(v2));
+  fwrite(v3, 1u, ElementCount, v0);
+  fclose(v0);
+  sub_2C2680(SubKey, ".%ls", lpWideCharStr);
+  sub_2C2680(Data, "%lsfile", lpWideCharStr);
+  RegCreateKeyExA(HKEY_CLASSES_ROOT, SubKey, 0, 0, 0, 0xF003Fu, 0, &phkResult, &dwDisposition);
+  RegSetValueExA(phkResult, 0, 0, 1u, Data, strlen((const char *)Data));
+  RegCloseKey(phkResult);
+  v4 = &SubKey[99];
+  while ( *++v4 )
+    ;
+  strcpy(v4, "\\DefaultIcon");
+  RegCreateKeyExA(HKEY_CLASSES_ROOT, (LPCSTR)Data, 0, 0, 0, 0xF003Fu, 0, &phkResult, &dwDisposition);
+  RegSetValueExA(phkResult, 0, 0, 1u, "C:\\ProgramData\\icon.ico", 0x17u);
+  RegCloseKey(phkResult);
+  SHChangeNotify(0x8000000, 0, 0, 0);
+}
+```
+
+## Second Part (Infection of files)
+
 ### Infection des fichiers
 
 The malware will search for files. When it finds one, it will assign it the status of a normal file (80h). Then it will attempt to rename it with the extension '.3fe57B660'.
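Review bot: The decompiled `sub_2C33F0` listing lands under the batch-file section (directly after `bat-writefile.png`), yet what it shows is the icon drop and file-association write — `fopen("C:\\ProgramData\\icon.ico", "wb")`, then the default value of `HKCR\.<ext>` set to `<ext>file`, then `HKCR\<ext>file\DefaultIcon` set to the icon path — so it belongs with the earlier "Associate ICON with .3fe57B660 files" section, or needs one sentence tying it back there. The `v4 = &SubKey[99]; while ( *++v4 ) ;` loop deserves a comment before a reader takes it for an out-of-bounds scan, e.g. `// decompiler artifact: SubKey[100] is Data[0] (ebp-D4h + 100 == ebp-70h), so this seeks the end of the "<ext>file" string and strcpy appends "\\DefaultIcon" to Data`. `SHChangeNotify(0x8000000, 0, 0, 0)` is `SHCNE_ASSOCCHANGED` and `0xF003Fu` is `KEY_ALL_ACCESS`; naming them, and calling out the icon path plus the two HKCR keys as host IOCs, would make the listing actionable for detection. The `0x17u` passed to the second `RegSetValueExA` is `strlen("C:\\ProgramData\\icon.ico")` (23, REG_SZ without the terminator), consistent with how the first value is written; the icon bytes themselves come from `sub_2D05B0`/`sub_2C8A50`, which the post does not explain — presumably an embedded resource being decoded, but that should be confirmed rather than left as opaque names. The unchanged `### Infection des fichiers` heading just below the listing is still in French while the other headings were translated in this commit.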
@@ -105,6 +170,8 @@ It will position itself at the beginning of the file to read it :
 
 ![read-crypt-write](/images/darkrace/read-crypt-write.png)
 
+## Third part (Cleaning of Malware)
+
 ### Clear logs and reboot
 
 ![clear-log](/images/darkrace/clear-log.png)