Sunday, May 1, 2016

Locky Ransomware Analysis - Analysing through Process Explorer

Picking up from where the last post left off, we noticed that the "Locky.exe" process exited. However, we also noticed that it created the file "svchost.exe".

Because of the image path we monitored in Process Monitor, we were unable to see if the "svchost.exe" process was loaded and what was done. Lets use process explorer to see if the "svchost.exe" which was created was executed and is still running.

As we launch Process Explorer, from the "view" menu deselect the "show process from all users".

Next from the "options" menu, we select "Verify Image Signatures".


From above the above we see that the "svchost.exe" does not have a verified signature.

Additionally, its  a process which does not seem to have a parent. While a system can have multiple "svchost.exe" processes, these processes in most cases are always a child of "services.exe". This "svchost.exe" stands by itself.

Now that this process is deemed suspicious. Lets dig deeper into it.

Looking at the image data below, the first thing that stood out to me was build time in year 2005.
































I found this interesting as I'm using Windows 10 so I expect the build time to be more recent.

Next, from above we see the path and the command line representation of the path which was created when Locky.exe was loaded.


Additionally, we see the current directory is "c:\locky\locky". On a typical Windows system this would be " %WINDIR%\system32\"

Finally, we see the partent process is non-existent. We already know that the parent process exited.

The next item that stood out immediately was the difference between the strings on disk and the strings in memory.

Image below shows a snapshot of the strings on disk.






  
  
  
























Image below shows the strings in memory. Simply looking at the first few lines we can see an immediate difference.
   











   




















Going through the strings in memory we see some interesting information which stands out. One of the things I found interesting about this was that the malware actually attempts to delete your volume shadow copies, thus making it harder for you to restore files from previous versions.
   
































Below we see among other things that Locky will perform a HTTP POST to the site listed in memory.


















At this point, I think we have enough information to be able to draw conclusions that we can remediate. The next step would be to kill the process and try to understand what is being requested from the URL which was found in the strings.
   
The final step in the process was to validate the "svchost.exe" against Virus Total. Lucky for me the file was already analyzed and had a detection ratio of 49/56 as shown below.   

   
Now that we've reached this stage, I think it is important to understand that I was not attempting to see how my files gets encrypted. We already know this is the purpose of Locky.  However, I deliberately did not connect my VM to the Internet, thus the "Locky.exe" executable was unable to successfully download the actual ransomware as the site which is found in memory was not available. Maybe a another time I will be able to use a different lab.

Artificat:
File
svchost.exe
SHA256:  bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
   

No comments:

Post a Comment