LockyDump - All Your Configs Are Belong To Us

This post was authored by Warren Mercer and Matthew Molyett.

Summary

Locky has continued to evolve since its inception in February 2016. This has at times made it difficult to track, due to changes in the way it is distributed as well as in various characteristics of the malware itself. The actors responsible for Locky have continuously attempted to improve their operational security (OPSEC) with regard to the tracking of affiliates making use of the ransomware. This post discusses a new Locky configuration extractor that Talos is releasing, which we are naming 'LockyDump'. This is the first open source tool which can dump the configuration parameters used by all currently known variants of Locky, e.g. the .locky, .zepto and .odin based variants.

Using LockyDump you can run a known Locky sample within a virtualized environment and it will extract and print all of the configuration information for the sample, including the AffilID associated with it. The latest variant of Locky made this extraction process increasingly difficult. Once the config extraction changed, Talos set out to reverse further Locky samples in an attempt to recover the all-important AffilID information. Obtaining the affiliate information for individual samples allows historical tracking of Locky affiliates to identify trends and other characteristics on a per-affiliate basis, such as their primary distribution method of choice, e.g. exploit kits (EKs) or spam/phishing email.

Configuration Extraction Details

Talos has created a configuration extraction tool that supports Locky (all current versions, i.e. Zepto/Odin) and allows you to extract the configuration parameters that have been hardcoded into the malicious binary.

LockyDump Requirements

LockyDump is a PE32 Windows binary used for extracting embedded configurations from the Locky malware family. It requires execution of the malware in order to extract these values from memory, which limits the analysis environment to Windows systems, and specifically to ones that Locky can successfully compromise.

LockyDump Process Methodology

Locky has been distributed as both Win32 executables and DLLs, and as such we created LockyDump to use two separate analysis methods. DLL files are started with LoadLibrary, which lets the unpacker expose the Locky code and lets the initialization code decrypt the configuration. Once the decrypted configuration is exposed, LockyDump locates it and prints it to stdout.

The versions of Locky delivered as EXE files required a different approach to analysis, which is accomplished by executing the malware with LockyDump configured to debug it. The malware is allowed to run until the true code is detected, at which point LockyDump freezes its execution. LockyDump then locates the configuration information and prints it to stdout.

Optional Features

This is a list of optional features that can be enabled when LockyDump is run, to extract additional information from the Locky sample. They are enabled using Windows environment variables which you set prior to executing LockyDump:

set LOCKY_DUMP_VERBOSE=1
set LOCKY_DUMP_SAVE=1

Verbose Output - Locky configurations include two templates: one for the ransom note image and one for the ransom note HTML. By default LockyDump does not print these two fields because they increase the size of the output significantly. If the environment variable LOCKY_DUMP_VERBOSE is present then both ransom note templates will be printed to stdout.

Locky Unpacking - Locky binaries are protected with various packers, which makes static analysis challenging. If the environment variable LOCKY_DUMP_SAVE is set, then the unpacked Locky file is saved as DUMPED_IMAGE.DLL in the current working directory; the resulting file is always named 'DUMPED_IMAGE.DLL'.

Execution Instructions

With LockyDump a user can take a virtualized instance of Microsoft Windows, place a known Locky sample within it, and run LockyDump against it. The use of a virtualized environment is highly recommended as LockyDump will execute Locky to allow the extraction of the configuration information from memory.

LockyDump is executed via command line using the following syntax:

LockyDump.exe sample.exe

This runs LockyDump against the sample you have specified. The optional features described above are enabled from the command line with the 'set' command, which configures your local environment variables. Once you have set any optional features you would like, you simply run LockyDump as before, with the same command line.

Source

The LockyDump source is available from our GitHub. We have provided both the source and a compiled binary for usage.

LockyDump.10122016.exe SHA256: d49fd9fb7d290a530c292f451c32e558f6f5797944ecb2d6b73e151f450fc43c

Please validate the hash prior to execution.
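The procedure above (validate the published hash, set the optional environment variables, run the tool, collect its artifacts) as a single PowerShell run script. This is an added example, not part of the Talos post or the LockyDump project; it assumes the tool and the sample sit in the current directory of a disposable Windows VM, the sample file name is a placeholder, and the AffilID field is assumed to appear literally as 'AffilID' in the output.

```powershell
# Added example (not part of the Talos post or the LockyDump project).
# Assumes LockyDump.10122016.exe and the Locky sample live in the current
# directory of an isolated Windows VM; the sample file name is a placeholder.
$ExpectedSha256 = "d49fd9fb7d290a530c292f451c32e558f6f5797944ecb2d6b73e151f450fc43c"
$Tool   = ".\LockyDump.10122016.exe"
$Sample = ".\locky_sample.exe"        # placeholder: path to the Locky sample
$Out    = ".\lockydump_output.txt"

# 1. Validate the published hash before running anything.
#    Get-FileHash returns upper-case hex; PowerShell's -ne is case-insensitive.
$actual = (Get-FileHash -Path $Tool -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Hash mismatch for $Tool : got $actual, expected $ExpectedSha256"
}

# 2. Enable the optional features via environment variables for this process.
$env:LOCKY_DUMP_VERBOSE = "1"   # include both ransom note templates in stdout
$env:LOCKY_DUMP_SAVE    = "1"   # write the unpacked image as DUMPED_IMAGE.DLL

# 3. Run LockyDump against the sample and keep a copy of its stdout/stderr.
#    LockyDump executes the sample, so this only belongs in a disposable VM.
& $Tool $Sample 2>&1 | Tee-Object -FilePath $Out

# 4. Record the artifacts for the case file. The 'AffilID' pattern is an
#    assumption about the output format, taken from the field name in the post.
$affil = Select-String -Path $Out -Pattern 'AffilID' | Select-Object -First 1
if ($affil) { Write-Host "Affiliate line: $($affil.Line)" }
if (Test-Path ".\DUMPED_IMAGE.DLL") {
    $dumpHash = (Get-FileHash -Path ".\DUMPED_IMAGE.DLL" -Algorithm SHA256).Hash
    Write-Host "Unpacked image saved: DUMPED_IMAGE.DLL SHA256=$dumpHash"
}
```

Hashing the saved DUMPED_IMAGE.DLL gives you a stable identifier for the unpacked sample that can be compared across runs and shared without the packed wrapper.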

Conclusion

Talos is releasing this to the open source community to allow other researchers to perform their own historical analysis of Locky. The Virus Bulletin talk from Fortinet provided enough information to warrant this release, as it was not apparent whether Fortinet's configuration extraction tool would be made public.

The release of this tool coincides with a large downturn in spam-based Locky distribution that we have observed over the last week. With this in mind, be aware that the ever-evolving Locky could come back sooner or later with a different method of embedding its configuration, which could prevent this tool from working. In that event we will aim to release an updated version that continues to operate correctly and as intended.
