[ Technical Tear Down: SIMPLELOCKER, ANDROID Ransomware ]

[ Sample used in the analysis ]
MD5: FD694CF5CA1DD4967AD6E8C67241114C
SHA1: 808DF267F38E095492EBD8AEB4B56671061B2F72

This is one of the latest Android ransomware that we got. It can be found in Mila’s website and you can take a look at the VirusTotal analysishere. The ransomware is TOR enabled and goes about encrypting files in the Android system and subsequently requesting for ransom before the key will be given to decrypt the files. Now let’s look at the technical details of the ransomware.
I’ve attached the link to the file here for anyone interested to try analysing it themselves.
The password to the attachment is “infected29A

[ Tools Used ]
Cebero Profiler is used to disassemble the apk file to analyse the smali code.
Dex2Jar and Java Decompiler are used to decompile the apk file to a jar file and subsequently to get the java code for analysis.
Android Emulator is used for the dynamic analysis portion.

[ Files ]
Below is the list of files after using Cebero Profiler to disassemble the apk file.

simplelocker-filelist

[ Manifest File ]

Below is the full manifest file extracted from the .apk file:

simplelocker-manifest

[ Permissions ]
Now let’s take a look at the AndroidManifest.xml file. When installing the application, the user is prompted with a list of permissions the application requires.

simplelocker-manifest-permissions

The permissions are more or less harmless in nature and doesn’t throw a redflag as in the case with other malwares. The permissions that could raise any kind of suspicion are android.permission.RECEIVED_BOOT_COMPLETED and android.permission.WAKE_LOCK. RECEIVED_BOOT_COMPLETED permission is required to allow an application to receive a broadcast that the system has finished booting up. WAKE_LOCK permission is required to keep the processor from sleeping or screen from dimming.
Both these permissions look harmless at first look but could be used to run an application upon bootup and keep it running without being pushed to suspended state by the Android operating system.

[ Source Code Analysis ]
From the manifest file, Main.class file is first launched upon starting of the app. The Main.class checks whether the MainService.class is running and if not calls it. MainService.class is linked to 5 other classes. MainService1.class, MainService2.class, MainService3.class, MainService4.class and MainService5.class. These classes are all interlinked.  What it does:

• Checks whether the TOR connection is established.
• If not try to establish a TOR connection.
• Next it gets a list of predetermined file extensions..
• Gets the filename of all files in the external storage that has any of the file extension.
• Does an AES encryption of the files.
• Displays a message presuming asking for an ransom.

Now let’s look at 2 class files that is of special interest. As it reveals more information about how the ransomware works. First is the Constants.class file. Look at the screenshot below.

simplelocker-constants

The first constant ADMIN_URL which point to http://xeyocsu7fu2vjhxs.onion/ is the TOR site the ransomware connects to. This explains why it checks and tries to establish TOR connection upon starting. 2nd piece of information we can find from the “Constants” class is that it contains a variable EXTENSIONS_TO_ENCRYPT which contains the following file extensions: “jpeg”, “jpg”, “png”, “bmp”, “gif”, “pdf”, “doc”, “docx”, “txt”, “avi”, “mkv”, “3gp”, “mp4”. As the name of the variable suggest, this is the file extensions which the Ransomware would encrypt.

Another key piece on information is the CIPHER_PASSWORD, “jndlasf074hr“. Is this the key used to encrypt the files? If yes, could it also decrypts the files? For this, we take a look at the FileEncryptor.class. Look at the screenshot below of two of the functions:

simplelocker-fileencryptor

As you can see from the functions, the encrypt and decrypt routine is fairly straightforward, AES using “jndlasf074hr“. Now let’s take a look at the AesCrypt class.

simplelocker-aescrypt

AesCrypt has both the encrypt and decrypt functions. Thus for example if you have installed the app by mistake and your files are now encrypted, you can re-use the functions to decrypt the files without the need to pay the ransom!!!

2 other interesting classes are “HttpSender” & “HttpSender$1”, as it send data & fetches JSON data from “http://xeyocsu7fu2vjhxs.onion/“.

[ Dynamic Analysis ]

I installed the app onto an emulator to test how it works. As it was executed on the emulator it could not perform all the ransomware “features”. But from the errors thrown, you can confirm the flow of the features. And also another reason is so that I need not turn one phone into a brick just in case it does some irreversible damage to the device.

Upon installing, it is displayed as a porn app as shown from the name of the icon.

simplelocker-icon

When the app is run, it shows a message in Russian and this screen just keeps on popping up consistently even when the app is closed.

simplelocker-firstscreen

So what does actually it do in the background. Let’s check the logcat.

simplelocker-torconnection

Obviously it is trying to establish a TOR connection which it can’t and this is repeated continuously.

simplelocker-netwkstat2

There are also a lot of error messages thrown by the external libraries (which are actually *.so files needed for TOR connection) and also error that the app could not excess the External Storage which it needs to access in order to encrypt the files.

These confirms the flow of the ransomware features/actions as discussed earlier in the static analysis portion.

[ Conclusion ]

In conclusion, the ransomware is most probably marketed as an porn app and upon installing will establishes a TOR connection to the C&C and  encrypts the victim’s files and will subsequently asks for an ransom in order to decrypt back the files. However on closer observation, a technically savvy person could decrypt the files without paying the ransom as the decryption key is hardcoded within the app itself. But to be absolutely safe, don’t install porn apps 🙂

David Billa (@billa316)

 

 

 

[ Technical Tear Down : Silver (.Net Keylogger) ]

This is a sample which i’ve found some time ago from VirusTotal but i totally forgotten to publish it until today. This is a very easy to analyse .NET Keylogger.

One of the first thing i usually do would be try to detect what compiler or packer/crypter did the exe used so that i could use the appropriate tools to analyse it. Usually I used ProtectioniD to determine it and this is the results.

From the returned results, we can see that the binary is developed in .NET. Now I’ll be doing the technical tear-down of this .NET binary.
I’ve attached the link to the file here for anyone interested to try analysing it themselves.
The password to the attachment is “infected29A

[ Sample used in the analysis ]
MD5: c326d834da742a9d00b54cf493857f8f
SHA1: 7d6ae63d942a57df62437e3a50a310edccb9c6fc

[ How it starts ]
Since it’s a .NET binary, let’s fire up ILSpy to decompile it try to understand how does it work.
Looking at ILSpy, we can deduce a few things:

  1. The application is developed in VB as it is referencing Microsoft.VisualBasic
  2. The application didn’t use any Packer or Crypter. This means it should not be too difficult to reverse it. 😛

Like any other .NET application(s), the entrypoint is always the “Main” method.
Looking at the “Main” Method, we can see that it’s firing up “Form1”

[ Dissecting Form_Load ]
Now let’s look at “Form1_Load” method and see what actually takes place when this “Form Load“.

At first glance, it appears that the “obfuscated looking strings” looks like it’s base64 encoded. But it’s not as it’s using the “ahbGUhSfA” method to decode the string. A quick and dirty way is simply re-using the decompiled VB source code for “ahbGUhSfA” method and grab out the “de-obfuscated” strings.

After de-ofuscation, we know that the values for the following variables are as follows:
EUehzMbhDfp = 666124593
TccIbaADsu = killyourministers@gmail.com
xUsGccFea = < _redacted_ >
iRPfddGlUHcas = h
TuqbA = http://

Next let’s look at this.

We can see that it first checks whether silver.exe exists in the victim(s)’ AppData folder. In our case as i’m using Win 7, the folder path will be “C:\Users\-.-\AppData\Roaming
Then it do a check on whether the startup path is same as the folder path which i’ve mentioned earlier.
If it is, it will start the timer. I will come back to this later on.

Ok, so what if “silver.exe” doesn’t exist in the first place?
So let’s look at the portion after “else” statement.

As we can see that it’s calling “nuaMfm” method and converting the returned data into string.
A quick look at “nuaMfm” method and it’s actually generating a random number between 3 and 50000
Then it will copy “itself” to “C:\Users\-.-\AppData\Roaming“, execute the new copy and set the file attributes to “hidden
Next it will create a new registry key,”Windows applicaton”, in “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the value of “C:\Users\-.-\AppData\Roaming\silver.exe
Finally it will call “wZLdOsNpk” method.

[ Dissecting “wZLdOsNpk” method ]
A quick glimpse at “wZLdOsNpk” method and we can know that it’s trying to send out emails. But to whom, you may ask and what data is it sending? Could it to the email address which we have de-obfuscated earlier?

Let’s look at the part of the snippet here and it is indeed sending an email from the email address which we have found earlier to itself.
The email’s subject title is “Vulcan

Now's let's look deeper into this snippet. We can also see now that this malicious application will take a screenshot of the victim(s)' computer and attached it to the email as attachment.

Finally in "wZLdOsNpk” method, we can see that it will call several methods to grab the victim(s)’ information and add it into the email’s contents.
I’ll briefly describe what does the different methods do.
GetMyIP method – basically grabs the IP address of the data by visiting “h–p://automation.whatismyip.com/n09230945.asp
biIS method – try to determine which version of Windows is the victim(s) running
Environment.UserName.ToString – Grab the “username” of the trojanised system.
Environment.MachineName.ToString – Grab the “computer name” of the trojanised system.
Environment.MachineName.ToString – Grab the fully qualified path of the system directory.
Environment.UserDomainName.ToString – Grab the network domain name associated with the current user.
Then using the “credentials” which we have “deobfuscated earlier, it will send it back to itself.

[ Dissecting Timer events ]
If you remember earlier while we were reversing this application, it will start 2 “Timer” if this malware exists and is running. So what does the 2 “Timer” do?
If you read the MSDN, you will realise that once a Timer had started, a “Tick” event had been triggered. In this case, it had fired up the 2 methods, “Timer1_Tick” & “Timer2_Tick”.
If we look at “Timer1_Tick”, it will look almost the same “wZLdOsNpk” method. The author probably could reuse the codes but he/she didn’t.
Next we look at “Timer2_Tick”, it’s very long…but after i spotted the API, “GetAsyncKeyState“. We can safely deduce that “Timer2_Tick” activated the “Keylogger” feature.

[ Conclusion ]
While this is definitely not one of the best .NET Malware that i’ve analysed, but it’s probably one of the many similar type of “keylogger” out there.
If we did a quick search on “Vulcan keylogger”, we can see that there are many website(s) teaching how to use it as shown in this link here.

I hope that this is fairly simple to understand technical tear down that people can repeat the steps on their own and learn how to analyse .NET malware on their own.

Happy Reversing,
Jacob Soo

[Technical Tear Down] Fiesta Exploit Kit – Silverlight Exploit (CVE-2013-3896 & CVE-2013-0074)

While analysing the Fiesta Exploit Kit, a number of “java applets” and a Silverlight application was downloaded by the exploit kit. This post will describe the Silverlight exploit. The purpose of this post is to give a better technical understanding of how exploits makes use of vulnerabilities and play with memory to acheive shellcode execution.

[ Sample used in the analysis ]
MD5: a920d4ead958746e4886859fc28dbcdb
SHA1: 12a3f08144d3d9f317a62cfefb4c54fe823e9724

[ Part 1: Getting Started ]

For those who want to follow along, this is a link to the Fiesta-EK-silverlight-exploit. Do note, this is a MALICIOUS file, so please run it in a “safe” environment. The password to the attachment is “infected29A”

Silverlight applications come in a .xap file. As .XAP file is a .zip compressed file that contains the client DLL for the Silverlight application as extra DLLs of assemblies that the Silverlight application could be using. This can be the author’s own assemblies of user controls or assemblies that are not part of the Silverlight runtime by default that gets installed on the client.

External resources like images or other types of files can also be added to the .XAP file if you do embed them into your client DLL. By renaming the .xap file to .zip you can view its contents. Inside the .xap file and we will see a manifest file and a DLL file:

The manifest file describes the entry point of the application so let’s take a look at that first.

In this case, the manifest file is quite straightforward. The “EntryPointAssembly” tells us that the application starts in the tuyngled30.dll and the “EntryPointType” tells us that it starts in the App class of that package.

The next step would be to decompile the dll file. For this purpose, I used .Net Reflector. Throw the DLL into it and you will get back the C# source of the internal classes. Let’s take a look at the entry point, the App class.

02_appclasscode

The constructor calls the InitializeComponent which actually loads in components based on a xaml file. Normally, you would want to look at the xaml file to see if it loads in any additional suspicious components but for this case, the xaml file does not load in anything extra. The Application_Startup method is also called when the Silverlight application is started. In this case, it creates a new “jake” object and passes it the InitParams (We will get back to these params later)

[ Part 2: Overview ]

This exploit uses 2 vulnerabilities to achieve code execution.

CVE-2013-3896 (Memory Disclosure vulnerability) bypasses ASLR by disclosing adjacent memory such that ROP gadgets can be reliably located within mscorlib.ni.dll.

After which, CVE-2013-0074 (Double-Dereference vulnerability) achieves code execution. DEP is also bypassed by overwriting the shellcode into legitimate executable memory addresses.

Also, this exploit seems to target only x86 (32-bit) architecture.

[ Part 3: Bypassing ASLR with Memory Disclosure CVE-2013-3896 ]

Let’s look at the “jake” class.

04_jakecons

The constructor of the “jake” class assigns the init parameter of “dies” into the byte array named “curd” and then calls the “wake” method (we will get back to this “dies” param later).

05_jakewake

The first interesting point of the wake method is on line 103. The “brab” method basically exploits the memory disclosure vulnerability and returns the address of the ROP gadget. For this part, we will examine the “brab” method. Part 4 will describe the rest of the code.

06_jakebrab

First, take a look at line 23 and 24. A “polk” object is created. Reading the source of the “polk” class will reveal that it is a subclass of the MemoryStream object. It will be used together with the BitmapImage and WriteableBitmap class to trigger this vulnerability.

The vulnerability lies in the BitmapImage.SetSource(MemoryStream ms) method. This method creates a BitmapImage based on a memory stream. The amount of memory that is read in is based on the “length” attribute within the stream. This value is controlled by user and can be manipulated to a larger value to read in adjacent memory.

In this case, the memory stream is manipulated to look like a PNG file with a declared PLTE chunk of 0x300 bytes. Those unfamiliar with the PNG format can read about it at the following links. These 2 chapters show how a PNG is represented and the idea of chunks within a PNG file. (http://www.w3.org/TR/PNG/#5DataRep and http://www.w3.org/TR/PNG/#11Chunks)

c01_pngheader

The constructor first writes 0x29 bytes into the memory stream. These 0x29 bytes is the header of a PNG file up till the PLTE chunk header.

07_polkread

The “racy.tunc” method then calls the BitmapImage.SetSource method which will call polk.Read method which has been overridden such that it will declare additional arrays in a specific order (specifically the scum and raps array). When these arrays are declared, they are stored right after the already written PNG header.

c02_pngfooter

The last few array elements will store the PNG Footer.

When viewed as a contiguous memory chunk, it looks like a legit PNG file. The resultant memory layout of the “polk” object is shown below.

c03_polk

The main objective of this arrangement is to have the additional arrays be stored in the PLTE chunk of the PNG. If we look at the PNG specifications at http://www.w3.org/TR/PNG/#11Chunks under the PLTE Palette section, it says that

“The first entry in PLTE is referenced by pixel value 0, the second by pixel value 1, etc.”

On line 29 of the “brab” method, “racy.papa” method creates a WriteableBitmap object with the affected BitmapImage object. The disclosed memory in the PLTE Chunk can then be accessed with the WriteableBitmap.Pixels array. The method transforms this pixels array (which stores 4 bytes/pixel in a ARGB format) into a contiguous byte array and returns it. So why is the disclosed memory important? Let’s take a look at what is disclosed.

c04_add

If you are not familiar with how C# stores objects/primitives in memory or about Runtime Type Information (RTTI), read this first ( http://www.abhisheksur.com/2011/09/internals-of-net-objects-and-use-of-sos.html) . Don’t worry if your RTTI addresses are different from mine, this is because these addresses are ASLR-ed. Basically, all objects in C# has this RTTI pointer. The RTTI stores type information that can be used for dynamic type-casting.

The objective here is to get the RTTI address. The RTTI address points to somewhere in the mscorlib.ni.dll which is ASLR enabled. However, this RTTI is always loaded at the same offset from the base address of the mscorlib.ni.dll. Therefore, with the RTTI address, the base address of the DLL can be calculated. With that, the exact location of the ROP gadget can be reliably determined thus bypassing ASLR.

[ Part 4: Achieving code execution with CVE-2013-0074 (Double De-reference vulnerability) ]

06_jakebrab

Looking back at the “brab” method again, these are what the other functions do.

  • vamp(p1, p2) – Reads 4 bytes from p1 array starting from offset p2 (Read Pointer)
  • oils(p1,p2,p3) – Writes 4 bytes (p3) into p1 array starting from offset p2 (Write Pointer)
  • racy.lisp() – Returns the offset to find the ROP Gadget on different Silverlight versions.
    • Based on this method, it seems to target the following Silverlight versions

08_racylisp

The rest of the “brab” method does the following

  • Save the RTTI pointer (num)
  • Save the raps[] pointer (num2)
  • Save the scum[] pointer (mews)
  • Save the offset to ROP gadget (num3)
  • Calculate and save the memory location of ROP gadget (num6)
  • Get the memory address of 41 bytes before the end of the PNG (c) (Take note of this!)
  • Writes a total of 8 bytes starting from memory address c in the following format
  • c05_8bytes
  • Returns the value of c “pointer to itself” (Take note of this!)

Let’s return back to the “wake” method.

05_jakewake

The next important step is on line 109. The “diam” class exploits the CVE-2013-0074 vulnerability. The vulnerability lies in the ScriptObject.Initialize method. Fortunately, this is a protected method, meaning only child classes can call it. Unfortunately, ScriptObject has a public child class called HTMLObject. By sub-classing the HTMLObject class, it is now possible to call the protected Initialize method.

09_diam

The “diam” class inherits from HTMLObject and wraps the Initialize method in the “gain” method. Calling the “gain” method with “(IntPtr) a” will lead to a “call [a+4]” instruction, meaning the next pointer after “a” will be called.

c05_8bytes

Recall that in the “brab” method, the above 8 bytes was written in the IDAT chunk, 41 bytes before the end of the PNG? Line 109 calls the “gain” method with “pointer to itself” as the parameter. This would lead to a “call [ptr to ROP gadget]”, thus executing the ROP gadget.

So, what ROP gadgets are being used? Interestingly, this ROP chain only consists of 1 gadget. The gadget consists of the following byte sequence “83-49-34-40-B8-01-00-00-00-C2-04-00”. Passing this sequence into Capstone yields the following result.

c06_rop

The gadget simply performs an OR operation with the value in [ecx+0x34] with 0x40.

Analysing the memory with WinDBG reveals that ecx at this moment contains the value of the “pointer to itself”. Therefore, [ecx+0x34] actually points to somewhere after the PNG “file”. In this case, it points to the most significant byte of the length of the next adjacent array, jake.chap[].

By performing this OR operation, it changes the length of the jake.chap[] array from 0x00000003 to 0x40000003, effectively allowing jake.chap[] array to access the entire 32-bit process memory space.

[ Part 5: Executing the Shellcode ]

05_jakewake

With access to the entire memory space, the next step would be to get the exploit to run the shellcode payload. From line 114 of the “wake” method, a “jake.loci” object is created. This object is responsible for putting the shellcode into memory and executing it.

10_loci

Take note of the “bust” method. It is the first method declared after the constructor and it contains a lot of code that does nothing. It performs a whole lot of mathematical operations and the result is neither returned nor used.

11_locipore

On line 115, the “loci.pore” method is called next with the parameter “curd”. The “curd” here refers to “jake.curd”. Recall the initParams that was passed into this Silverlight application in the beginning? “jake.curd” contains the value passed in through the “dies” parameter. The “loci.pore” method basically transfers “jake.curd” into “loci.curd” variable.

This is actually the shellcode itself, it is Base64 encoded and passed in through the initParams of the Silverlight Application. In this way, the shellcode could be changed or modified without needing to recompile the whole Silverlight application.

12_locignaw

On line 116, the “gnaw” method is called. The comments basically explain what this method is trying to do. Here is a summary. (Note: [“pointer”] means dereference the pointer)

  • Create “bust” method to make sure a vTable entry is created.
  • Create a new array “scum” which contains a marker value and the pointer to this “loci” object
  • Iterate through the jake.chap[] (with 0x40000003 length) to find the marker value
  • “loci” pointer = next pointer from the marker value
  • vTable pointer = [“loci pointer”] + 0x2c
  • “bust” function pointer = [“vTable pointer”] + 0x8 (I believe the value 0x8 is used because “bust” is the second function in the “loci” class)
  • Exchange the bytes from “loci.curd” (Shellcode) and the bytes at [“bust pointer”]
  • Call the “bust” method (Shellcode Execution Here!!!)
  • Exchange the bytes back from “loci.curd” and the bytes at [“bust pointer”]
  • Restore the length of jake.chap[] to its original value (Element 0x3fffffff causes an integer overflow, essentially becoming jake.chap[-1])

Shellcode execution is achieved by making use of the jake.chap[] array to override the “bust” function instruction bytes with the shellcode bytes and then calling the “bust” function. In this way, there is no need to bypass DEP as the shellcode is residing in a legitimate executable memory.

Although I am unable to confirm this, I believe that the length of the initial “bust” function instruction bytes must be the same as the length of the shellcode that will replace them. This would explain why there are a whole lot of useless instructions initially declared in the “bust” function.

[ Conclusion ]

I have discussed how this exploit made use of 2 vulnerabilities to achieve shellcode execution. I hoped that you gained a better understanding of how the exploit was able to work. Also, an additional point to note is that the exploit code is similar to the POC code initially released by Packet Storm for these 2 vulnerabilities.

This is also my first time writing such a technical article and there are some parts of the article that I found it difficult to explain the technical details in words. If you have any advice/suggestions on how to improve this, please let me know through the comments.

If not, I hoped you enjoyed the article!

Glenn (@_graypanda)