0x5 - Locky.md

Analysis

Background - Locky Ransomware

• Locky ransomware was first discovered in February 2016 and quickly gained notoriety for its widespread usage and effectiveness. It has historically been associated with the Necurs botnet (commonly thought to be of Russian origin).

• Locky's dropper is written in VBA and the specimen is typically delivered via phishing email with an attached Microsoft Word document containing one or more embedded macros, along with a message enticing the user to enable and run the macros.

• The following image shows a typical message displayed to the end user upon opening such a document (source: KnowBe4):

• The specimen was historically distributed by the Necurs botnet, facilitated by the Necurs kernel-mode rootkit. Ironically, Necurs was also used to distribute Gameover Zeus specimens. See my previous analysis of a ZBot dropper here.

• The requested ransom was commonly between 0.5 and 1 BTC (valued at around ~$410 at that time, now valued at up to ~$62k at the time of this writing).

Hands-On Analysis - Primary Payload

Hash Type	File Hash
MD5	C63A537090D34F29DAADBEF221637435
SHA1	BA17638BAC43E6E3B2FAF4BF3A22197B99D8A390
SHA-256	28046C14EA3325885EE1E731CD0BCF9F38445DF02675836B851CB2AE94C050EB

• The sample we have here is a primary payload that would be delivered by the dropper.

• It is a 32-bit PE file written in C++ v8.

• The sections look normal (i.e. no evidence of sections used for unpacking).

• Compared to previous samples that I have analyzed, we can see lots of interesting libraries. I'll include some details about the most important ones we see here, skipping the common ones that we have seen many times before.

Interesting Libraries & Functions

shell32.dll - Contains functions for interacting with the Windows shell, providing an interface between the user and the OS (i.e. file operations and system dialogs). Often used for tasks like executing files, manipulating the file system, and displaying message boxes.

• APIs commonly seen in malware samples:

1. ShellExecute - ✅ Present in this sample
   • Executes a specified application or opens a document.
2. SHGetFolderPath - ✅ Present in this sample
   • Retrieves the path of a special folder, such as Program Files or Startup.
3. SHFileOperation - ❌ Not present in this sample
   • Performs file operations like copy, move, rename, or delete.

wininet.dll - Contains functions for internet-based applications to interact with HTTP and FTP protocols. Commonly used by malware to download/upload files, communicate with C2 servers, and perform data exfiltration.

1. InternetOpen - ✅ Present in this sample
   • Initializes application's use of WinINetfunctions.
2. InternetConnect - ✅ Present in this sample
   • Connections to an FTP server, Gopher server, or HTTP server.
3. HttpOpenRequest - ✅ Present in this sample
   • Creates an HTTP request handle.
4. InternetReadFile - ✅ Present in this sample
   • Reads data from an open internet file.

mpr.dll - Manages network connections, providing an interface for connecting to network resources. Commonly used by malware to map network drives, access remote resources, or manipulate network connections.

1. WNetAddConnection - ✅ Present in this sample
   • Establishes a connection to a network resource.
2. WNetGetConnection - ❌ Not present in this sample
   • Retrieves information about a network resource connection.
3. WNetOpenEnum - ✅ Present in this sample
   • Starts an enumeration of network resources or existing connections.
4. WNetEnumResource - ✅ Present in this sample
   • Continues an enumeration of network resources or existing connections.

netapi32.dll - Contains functions for network management and administration, such as accessing shared resources and managing network users and groups. Often used by malware to propagate through networks, interact with network shares, and enumerate network resources.

1. NetShareEnum - ❌ Not present in this sample
   • Lists shared resources on a server.
2. NetUserEnum - ❌ Not present in this sample
   • Lists user accounts on a server.
3. NetServerEnum - ❌ Not present in this sample
   • Lists all servers of a specified type visible in a domain.
4. NetUseAdd - ❌ Not present in this sample
   • Establishes a connection to a shared resource.
5. NetScheduleJobAdd - ❌ Not present in this sample
   • Schedules a job to run at a specified time and date.

• Since this is ransomware, we also want to look for functions related to encryption and decryption. Most of these will fall under advapi32.dll.

• advapi32.dll is commonly seen in ransomware, as it has many relevant functions, including:
  • Registry manipulation
  • Service manipulation
  • Cryptographic functions (CryptEncrypt, CryptDecrypt, etc)
  • User & privilege management

String Analysis

• The next step is to pull out strings and perform some static analysis.

• All static strings - nice.

• We see some IP addresses (very interesting!)

• We also see references to encryption and various Windows operating systems (presumably related to some type of functionality that checks the victim's operating system version).

• Next, we find an ASEP Key and references to a wallpaper (expected for ransomware) and maybe some network-based IOCs? A sneaky .php file perhaps?

• Very cool - here are some possible host-based IOCs - a .bmp image file and a ransom note, some run-of-the-mill ransomware vssadmin commands, and some important directories.

• Scrolling down to the end, we see every possible file extension under the sun.

• The final hardcoded string is wallet.dat, which is probably related to the TA's crypto wallet.

• With the initial phase of static analysis concluded, there are a few things I want to dig into:

1. What are the most important major functions of the specimen?
2. How does the specimen perform C2?
3. How does the specimen propagate through the network? (i.e. mapping network shares, etc)
4. How does the specimen encrypt the file system?
5. Can we extract host-based and network-based IOCs?

Enter the Dragon - Hands-On With Ghidra

• Upon loading the PE into Ghidra, we are presented with an initial execution flow that jumps right into a function:

• The program calls __security_init_cookie (indicating it was compiled with security features enabled) that we see in most PEs.

• It is essentially Microsoft's implementation of stack-based buffer overrun detection. It works by placing a security cookie (a known value) on the stack, which is checked for integrity before a function returns.

• Next, it jumps to FUN_0040aa07 and appears to carry out some basic environment checking with GetStartupInfoW.

• Let's start answering our first question - What are the most important major functions of the specimen?

• To answer this, we should break down the major components into different groups:

  • C2
  • Data Exfiltration
  • Enumeration
  • Propagation
  • Encryption

• Let's start by identifying the functions and calls that handle C2. Looking at APIs with the term Internet in them, we see a lot of calls originating from FUN_0040684c.

• So far, FUN_0040684c clearly holds the majority of C2/exfil functionality. Let's rename it for convenience.

• Remember these APIs from earlier? Looks like FUN_0040815 is probably handling a good bit of the enumeration.

• I see several functions related to file system enumeration and manipulation, but FUN_00407ca7 stands out like a sore thumb. At a glance, it looks like it uses FindFirstFileW along with CloseFile to enumerate the file system (presumably using some type of pattern matching, like that list of file extensions we saw previously).
• I've renamed it to FUN_Search_Files.

• Digging into a it a little further, we can see that it works recursively to iterate through files to search for specific files or directories within a given path using FindFirstFileW, FindNextFileW, and FindClose to iterate through.

• The main search loop iterates through each file or directory found and uses some conditions to filter out certain files and directories found, such as ignoring "." and ".." entries.

• Now let's look at encryption. FUN_00401c7a is our function of interest here.

• FUN_00401c7a appears to be the main function that handles the actual ransomware encryption process. It generates a random encryption key using CryptGenRandom.

• Here's what MSDN says about CryptEncrypt:

• To remember this function, we'll rename it FUN_Main_Encryption_Subroutine.

• Finally, let's pull out some IOCs.

Network-Based IOCs

• 91.195.12.187
• 195.64.154.114
• 149.202.109.205
• 51.254.181.122
• 78.40.108.39
• 188.127.231.116
• rupweuinytpmusfrdeitbeuknltf/main.php

• HTTP POST requests to */checkupdate
• HTTP POST requests with &act=getkey&affid=* in the URL

Host-Based IOCs

• While there is little value in providing static host-based indicators (because once the infection starts, it takes only minutes for the system and adjacent systems to become fully encrypted), there is utility in identifying things such as unique behavioral indicators.

• For example, consider if we took a command line such as vssadmin.exe Delete Shadows /All /Quiet and created a custom EDR rule to kill the process and quarantine the host upon detection - this could be extremely useful (although hopefully your EDR solution would already block such activity). Additionally, you could configure an auto-run script (i.e. a CrowdStrike RTR script) to kill the process, quarantine the file, and then pull forensic data with a tool like Kestrel.

Command Lines

vssadmin.exe Delete Shadows /All /Quiet *Locky*

Behaviors

• Macro execution in MS office documents or files with a MOTW zone identifier.
• MS office processes downloading files over the web (i.e. word.exe connecting to 91.195.12.187 to download the second-stage payload).
• Creation of a registry run key under Software\Microsoft\Windows\CurrentVersion\Run.
• svchost.exe spawning under from any directory other than C:\Windows\System32.
• Creation of a .bat file under %temp%
• svchost.exe spawning from any process other than services.exe (the Service Control Manager).
• Anomalous occurrences of Windows EIDs related to enumeration of file share and network drives:
  • 5140 - A Network Share Object Was Accessed
  • 5145 - A network share object was checked to see whether client can be granted desired access
  • 4633 - An attempt was made to access an object
  • 4648 - A Logon Was Attempted Using Explicit Credentials
    • Suspicious if statistically anomalous and targeted toward file shares, especially any that were previously rarely used.

Summary

Above image courtesy of CrowdStrike - see their article on Locky ransomware here

• The sample analyzed in this report would typically be the primary payload delivered after an unsuspecting end user runs a malicious VBA macro embedded in a document sent via phishing email.

• After the VBA macro runs, it reaches out to a C2 server to download and run the PE, which establishes persistence with a registry run key and proceeds to enumerate the file system as well as file shares and network drives.

• It thoroughly enumerates the file system and proceeds to generate an encryption key which it then uses to run its encryption routine on most of the important files on the disk.