marcusbotacin

Netwalker Ransomware Analysis

Everything starts with a VBS file. It is available on VirusTotal. It is suspicious to have a text file sized 600KB, which already indicates it is a dropper in the first look.

Digging into the file, the first line presents:

code = "==A#>,A#>,A#>,A#>,A#>,A#>,A#>,A#>,A#>,...

Another clue that it is a dropper. Base64 strings often indicate that it is the encoded payload.

marcusbotacin

A Bit More On Code Obfuscation

I recently published my analysis on the Netwalker Ransomware, which included the deobfuscation step Check it here. I think that (de)obfuscation techniques is an interesting subject, so I decided to write a little bit more about it.

There are basically two types of obfuscation techniques:

• Binary Level: These are binary transformations to hide instructions and data inside binaries. It is usually implemented by binary packers, often used by malware.
• Source Code Level: These are source code transformations to hide the program's statements. These are often used by malicious scripts.

In this draft, I will consider only the last case.

marcusbotacin

 for(int i=0;i<size;i++){
		// byte pointer
    unsigned char c1 = ((char*)data)[i];
    // add your encryption/decryption routine here
		// drop byte to file
    fprintf(f,"%c",c1);
}
// file fully written
fclose(f);

marcusbotacin

void dead()
{
	return;
	memcpy(NULL,NULL,NULL);
	memset(NULL,NULL,NULL);
	strcpy(NULL,NULL);
	ShellAboutW(NULL,NULL,NULL,NULL);
	SHGetSpecialFolderPathW(NULL,NULL,NULL,NULL);
	ShellMessageBox(NULL,NULL,NULL,NULL,NULL);
	RegEnumKeyExW(NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);

marcusbotacin

#ifdef INJECT
	char cmd[10*NAME_SIZE] = "C:\\Windows\\system32\\rundll32.exe";
	sprintf(args,"%s %s,#1",cmd,name);
	CreateProcessA(cmd,args,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi );