Created: 25/06/2024 18:05 Last Updated: 30/11/2024 02:44
Category: Malware Analysis Tags: IDA, Ghidra, x64dbg, PeStudio, CFF Explorer
Scenario: You are part of the cybersecurity response team at Global Logistics Solutions, a leading organization in logistics and supply chain management. Recently, an unexpected spike in Remote Desktop Protocol (RDP) traffic has been detected, coinciding with reports of file encryption and ransom demands from various endpoints within the network. Initial investigations suggest that a ransomware attack is underway and you have been provided with the ransomware executable. Your task is to conduct a thorough analysis of the malware to understand its behavior, encryption mechanisms, and any unique characteristics that can aid in mitigation efforts.
Tools:
- x32dbg
- HxD Hex Editor
- IDA
- Ghidra
- CFF Explorer
- PEStudio
- PEiD
Link: https://cyberdefenders.org/blueteam-ctf-challenges/phobos/
Q1: Understanding which hashing algorithm is used by the malware helps understand how the malware functions. What is the hashing algorithm used by the malware?
This lab provides us with a Phobos ransomware sample, so knowing the malware family up front lets the investigation proceed much faster with the help of online resources.

But we still need to examine the sample ourselves first. What we notice from Detect It Easy is the high entropy of the .cdata section, which indicates that it could hold encrypted data or a packed payload.
Next, the compiler field indicates that we will have to use Ghidra or IDA to disassemble and decompile this sample for static analysis.
Next is to confirm whether we could extract anything from the .cdata section: is the sample packed or not?

I checked it on unpac.me, which can automate the unpacking process for us, but the result shows that this sample is not packed.

It has so many capabilities as we can see here.

Next, I went to VirusTotal to understand more of this ransomware's behavior, which shows the file extension that was used to encrypt files on the infected system.

Doing a little bit of research, we can see that this sample is linked to the 8Base group, which points us to various resources related to this ransomware.

It's time to use the online resources at our disposal. The first resource that really helped me complete this lab is a Cisco Talos blog on decrypting the Phobos configuration file. This is an important process, because the ransomware performs certain actions based on these configuration entries, and the blog also shows that the ransomware checks the CRC32 hash of the .cdata section before decrypting it.

To confirm that we have identical functions, I disassembled our sample using IDA Free and verified our hypothesis. The next step will be renaming these functions and variables to match those in Talos's sample.
CRC32
Q2: Following up on the previous question. Could you provide the hard-coded value of the .cdata checksum?

We know that the payload_hash variable stores the checksum of the .cdata section, so we can follow it to retrieve the answer to this question right here.
0D55F8833
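The two checks described above for Q1 and Q2, high entropy of the .cdata section and a CRC32 that must equal a hard-coded value before decryption proceeds, are easy to reproduce offline. The following Python is an added example written for this write-up, not code from the lab or from Talos: the section bytes are constructed pseudo-random data rather than bytes from the real sample, the 7.0 bits-per-byte entropy threshold is an assumption, and the only value taken from the page is the checksum 0xD55F8833 (the `0D55F8833h` IDA shows). To run it against a real sample, slice the section bytes out with `pefile` and pass them to `check_section` in place of the constructed blob.

```python
import math
import random
import zlib

# Hard-coded .cdata checksum given in the write-up (Q2), as IDA shows it
# (0D55F8833h). Only the real sample's section bytes would produce this value.
EXPECTED_CDATA_CRC32 = 0xD55F8833

# Entropy at or above this many bits per byte is the usual rule of thumb for
# "encrypted or compressed" data (assumption: threshold chosen for this demo).
HIGH_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a
    perfectly uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def crc32_of(data: bytes) -> int:
    """Standard CRC32 (IEEE 802.3 polynomial) as an unsigned 32-bit integer."""
    return zlib.crc32(data) & 0xFFFFFFFF


def check_section(data: bytes, expected_crc: int) -> dict:
    """Replicate the two observations from the write-up: does the section look
    like an encrypted blob (high entropy), and does its CRC32 match the
    hard-coded value that gates decryption of the configuration?"""
    crc = crc32_of(data)
    ent = shannon_entropy(data)
    return {
        "entropy": ent,
        "looks_encrypted": ent >= HIGH_ENTROPY_THRESHOLD,
        "crc32": crc,
        "crc_matches": crc == expected_crc,
    }


def constructed_cdata(size: int = 4096, seed: int = 1234) -> bytes:
    """Constructed stand-in for a .cdata blob: deterministic pseudo-random bytes
    (high entropy, like encrypted data), not bytes from any real sample."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    blob = constructed_cdata()
    result = check_section(blob, EXPECTED_CDATA_CRC32)
    print(f"entropy={result['entropy']:.3f} bits/byte, "
          f"looks_encrypted={result['looks_encrypted']}")
    print(f"crc32=0x{result['crc32']:08X}, "
          f"matches hard-coded value={result['crc_matches']}")
```

The constructed blob reports high entropy but, as expected, does not match the sample's checksum; a CRC32 mismatch on a real sample is a quick sign that the section has been modified, which is exactly why the loader checks it before attempting decryption.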
Q3: Different malware versions may be linked to specific cybercriminal groups or campaigns, thus providing valuable leads for your threat intel analysts. What is the malware's version?

From the blog, we also know that Phobos has a debug file feature that prints out its version if a debug file exists. In the 8Base campaign, this file is named suppo. The intended way to solve this question might have been to create the debug file and execute the ransomware to generate the log files. However, I took a guess and submitted Talos's sample version as the answer, and it turned out to be correct. So, I guess I don't need to execute the ransomware anymore.

Talos also made a malware configuration index for this ransomware, in which we can see the entry index of the malware version ID right here.

This time I used Ghidra to decompile the sample and searched for mal_GetDecryptedConfigVar(0x33) (the function name follows Talos's sample), which leads to the function responsible for debugging right here.
2.9.1
Q4: Malware sometimes masquerades as legitimate DLL files to bypass standard security measures and evade detection. Identifying which legitimate DLL a malware is impersonating allows for more accurate and effective detection mechanisms. Could you provide the name of the legitimate DLL that the malware is masquerading as?

I imported the sample into PEStudio and examined the imported libraries. I noticed that ole32.dll didn't fit the context of this ransomware at all (the other DLLs are found in many PE samples), and it turned out to be the right call!
ole32.dll
Q5: It is important to understand what this malicious DLL is used for and how it works. Could you analyze it and provide the first API function it calls?
For this one, I unfortunately don't have a detailed analysis to offer, since I merely guessed it.
Many malicious DLLs call CreateProcessW to spawn another malicious executable or script. This is why CreateProcessW is often the first function invoked, as it allows the malware to continue its execution by creating new processes.

So I traced back to the function responsible for this and found out that it executes a command or shell.

Which we can see them on VirusTotal.
CreateProcessW
Q6: In ransomware attacks, the malware often terminates any processes that might disrupt its encryption before starting. Could you provide the address at which the process list decryption function is called?
The second online resource I utilized in this lab is a blog on Threatdown, which also conducted an analysis of a Phobos ransomware sample that resembles ours, just like Talos's sample. This resource highlighted various functionalities of this ransomware, which really helped me understand how it works and complete this lab.

So we know that this ransomware has configuration data that gets decrypted at runtime, and that it contains the list of processes to be terminated during execution.

First, I opened Ghidra and located a reference to the TerminateProcess API, which led me to the function responsible for killing processes. However, since the question asks for the process list decryption function, we need to identify which function calls this one.

Then we find that there is only one function that calls this function, so we will have to take a look at that function next.

To confirm that the function is the one we're looking for, we can check the malware configuration index to identify which entry is linked to the process kill list.
We can see that the value 0x0A is associated with this list. This value is passed to the mal_GetDecryptedConfigVar function, and we need to find the address of that function call to submit as the answer.

Then we find that this function really is called to decrypt the process list, right here.
004022fb
Q7: Malware often disables and turns off the security settings part of the victim's machine to avoid detection and stay under the radar. What's the first command the malware uses to turn off a critical security measure?

We can find it from threatdown blog or VirusTotal behavior tab right here.
netsh advfirewall set currentprofile state off
Q8: Malware that successfully establishes a foothold and persistence can cause long-term damage by maintaining a presence on the infected system, allowing for continuous data theft, further infections, or other malicious activities. Could you provide the address of the function used by the malware for this purpose?

We know that Phobos has several persistence mechanisms, but the ones we can pinpoint by API usage are the registry-related ones, such as RegSetValueExW.

We will have to search for this API in IDA, since the answer format is made to match IDA's function naming, and we can see that the function responsible for persistence is this one.
sub_401236
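Both behaviours above, the firewall-disabling netsh command from Q7 and the registry-based persistence from Q8, are things a defender can hunt for in endpoint telemetry. The following Python is an added detection example written for this write-up, not code from the lab or any of the cited blogs. The events are constructed and loosely modelled on Sysmon process-creation and registry-value-set records; the netsh command is the one given in the write-up, while the Run/RunOnce key location is an assumption for this demo, since the write-up only names the RegSetValueExW API.

```python
import re
from typing import Iterable

# Each rule pairs the event type it applies to with a compiled pattern.
RULES = {
    # Q7: "netsh advfirewall set <profile> state off" (currentprofile or
    # allprofiles) disables the Windows firewall for that profile.
    "firewall_disabled_via_netsh": (
        "process_create",
        re.compile(r"netsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    ),
    # Q8: a value written under a Run/RunOnce key (assumed location for this
    # demo) is a classic autostart persistence write made via RegSetValueExW.
    "run_key_persistence": (
        "registry_set",
        re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I),
    ),
}

# Constructed sample events (event_type, detail); none come from real telemetry.
SAMPLE_EVENTS = [
    ("process_create", r"C:\Windows\System32\netsh.exe advfirewall set currentprofile state off"),
    ("process_create", r"C:\Windows\System32\netsh.exe advfirewall set allprofiles state off"),
    ("process_create", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("registry_set", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = C:\Users\Public\sample.exe"),
    ("registry_set", r"HKCU\Software\Vendor\Settings\LastRun = 2024-06-25"),
]


def match_events(events: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (rule_name, detail) for every event that trips a rule of its type."""
    hits = []
    for event_type, detail in events:
        for rule_name, (wanted_type, pattern) in RULES.items():
            if event_type == wanted_type and pattern.search(detail):
                hits.append((rule_name, detail))
    return hits


def summarize(hits: Iterable[tuple[str, str]]) -> dict[str, int]:
    """Count hits per rule, listing every rule even when it fired zero times."""
    counts = {name: 0 for name in RULES}
    for rule_name, _ in hits:
        counts[rule_name] += 1
    return counts


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for rule_name, detail in hits:
        print(f"[{rule_name}] {detail}")
    print(summarize(hits))
```

Matching on the `state off` form rather than the exact `currentprofile` string catches the `allprofiles` variant as well, and keying each rule to an event type keeps a registry path that merely appears in a command line from triggering the persistence rule.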
Q9: Knowing how the malware communicates with its command and control (C2) server for data transmission is vital for understanding the threat's capabilities and potential reach. What protocol is used by the malware for C2 communication to transmit the data?

A lot of HTTP-related APIs are utilized by this sample.

After searching for these APIs to find out which function uses them, we can see that there is a function responsible for HTTP communication (by sending a POST request to a specific address).

We can also find this information from Talos's blog as well.
http
Q10: We need to understand further how the malware interacts with system hardware, how it monitors the system environment, and how it extends its reach. Could you provide the address of the thread used to check continuously for new disk connections?

Threatdown highlighted which function is responsible for network share enumeration, so I used this to find how a thread is created for this activity.

We can see that it creates a thread for each of several function addresses, but which function is responsible for network share enumeration?
I also found the function shown by Threatdown, but that was not the right answer, so I had to find the other function.

I did a little more research on this ransomware and finally found a Fortinet blog highlighting a function used to monitor for and scan logical drives that are connected later.

This function closely resembles the one from the Fortinet blog, and its address is the correct answer to this question.
00401cc5
Q11: The malware appears to be using different functions to encrypt small and large files. A check is performed before each encryption. The file size is compared to a specific value. Could you provide this value?

We can find this answer on the Threatdown blog right here: take note of the value used in the comparison, then go back to our sample to find the same value and the identical instructions.

There you go.
180000

https://cyberdefenders.org/blueteam-ctf-challenges/progress/Chicken_0248/176/ Somehow I managed to complete this lab without using a debugger, relying heavily on online resources instead, but all good, I guess.