Makop Ransomware

SHA256: 21243cb4bc953b0773d68a8eb43efd9ba80d7ff2ea293c79e0e7f64e25946059

VirusTotal link: https://www.virustotal.com/gui/file/21243cb4bc953b0773d68a8eb43efd9ba80d7ff2ea293c79e0e7f64e25946059/detection

Hybrid analysis: https://www.hybrid-analysis.com/sample/21243cb4bc953b0773d68a8eb43efd9ba80d7ff2ea293c79e0e7f64e25946059/5f09e9cb351595220702dd4e

Summary

Makop ransomware encrypts the user's files and demands a ransom for the decryption key. It uses an AES256 key to decrypt important strings at runtime, including an RSA public key. The process creates a mutex to ensure that it does not infect the system more than once and uses an entry under the Run key to establish persistence on the host. The malicious file spawns a copy of itself with a parameter, which is used to attack network resources (if any). It deletes important services and the shadow copies and kills a list of processes in order to ensure that the targeted files are not locked by other applications. The malware creates two AES256 keys which are used to encrypt the file contents and the file names. For each file, a separate initialization vector (IV) is generated and stored in the encrypted file. The AES key used to encrypt a file is encrypted with the public RSA key and stored at the end of each encrypted file; therefore decryption is not possible without the private RSA key, which is unknown at this time.

Technical analysis

First, the malicious process checks whether it was started with a parameter, as shown in the screenshot below (as usual, the first parameter is the name of the file):

Figure 1

The CryptAcquireContextW Windows API is used to obtain a handle to a key container of the PROV_RSA_AES provider type:

Figure 2

The malicious process builds a key byte by byte; this key will be used to decrypt much of the embedded content. It imports the key using the CryptImportKey API:

Figure 3
Figure 4

The parameters of the blob are explained as follows:

  • 08 – PLAINTEXTKEYBLOB – key is a session key
  • 02 – CUR_BLOB_VERSION
  • 0x00006610 – AlgID: CALG_AES_256
  • 0x00000020 – key length (32 in decimal)

Using the previously imported key, it decrypts information which will be used throughout the execution:

Figure 5 – Before decryption
Figure 6 – After decryption

The decrypted data is an RSA public key blob, whose parameters are defined as follows:

  • 06 – PUBLICKEYBLOB
  • 02 – CUR_BLOB_VERSION
  • 0x0000a400 – AlgID: CALG_RSA_KEYX
  • 0x00000400 – key length (1024 in decimal)
  • 0x00010001 – public exponent (65537 in decimal)
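The two blob headers above follow the documented CryptoAPI layouts (BLOBHEADER, then either a DWORD key size plus raw key bytes, or an RSAPUBKEY structure plus a little-endian modulus). The parser below is an added example, not code from the sample or the original article; it decodes both blob types from a memory dump so that an analyst can confirm the algorithm, key length and RSA exponent without running the malware. The sample blobs are constructed here and the "RSA1" magic DWORD, which the text does not show, is assumed from the RSAPUBKEY definition in wincrypt.h.

```python
import struct

# CryptoAPI constants from wincrypt.h
PLAINTEXTKEYBLOB = 0x08
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_AES_256 = 0x00006610
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352  # "RSA1": first DWORD of RSAPUBKEY, not listed in the text
ALG_NAMES = {CALG_AES_256: "CALG_AES_256", CALG_RSA_KEYX: "CALG_RSA_KEYX"}

def parse_blob(blob):
    """Describe a PLAINTEXTKEYBLOB (AES session key) or PUBLICKEYBLOB (RSA key)."""
    if len(blob) < 8:
        raise ValueError("blob shorter than BLOBHEADER")
    # BLOBHEADER: BYTE bType, BYTE bVersion, WORD reserved, ALG_ID aiKeyAlg
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if bver != CUR_BLOB_VERSION:
        raise ValueError(f"unexpected blob version {bver:#x}")
    info = {"type": btype, "alg": ALG_NAMES.get(alg, f"{alg:#010x}")}
    if btype == PLAINTEXTKEYBLOB:
        # BLOBHEADER, DWORD dwKeySize, BYTE rgbKeyData[dwKeySize]
        (key_len,) = struct.unpack_from("<I", blob, 8)
        key = blob[12:12 + key_len]
        if len(key) != key_len:
            raise ValueError("truncated key material")
        info.update(key_bits=key_len * 8, key=key)
    elif btype == PUBLICKEYBLOB:
        # BLOBHEADER, RSAPUBKEY {magic, bitlen, pubexp}, little-endian modulus
        magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
        if magic != RSA1_MAGIC:
            raise ValueError(f"bad RSAPUBKEY magic {magic:#x}")
        modulus = blob[20:20 + bitlen // 8]
        if len(modulus) != bitlen // 8:
            raise ValueError("truncated modulus")
        info.update(key_bits=bitlen, exponent=pubexp,
                    modulus=int.from_bytes(modulus, "little"))
    else:
        raise ValueError(f"unsupported blob type {btype:#x}")
    return info

# Constructed sample blobs (not taken from the sample) using the header values from the text.
SAMPLE_AES_BLOB = struct.pack("<BBHII", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0,
                              CALG_AES_256, 32) + bytes(range(32))
SAMPLE_RSA_BLOB = struct.pack("<BBHIIII", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX,
                              RSA1_MAGIC, 1024, 65537) + (0xC0FFEE).to_bytes(128, "little")
```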

The malicious process performs several CryptDecrypt operations in order to decrypt a few strings:

Figure 7

The GetModuleHandleA API is used to obtain handles to Kernel32.dll and Advapi32.dll, and the process then resolves the addresses of Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection and CreateProcessWithTokenW using the GetProcAddress API. More decryption operations are performed and a few more strings are decrypted:

Figure 8
Figure 9

The malicious file creates a mutex called m23071644 in order to ensure that it does not infect the system multiple times:

Figure 10

Persistence is established by creating an entry called “1” under the registry key “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”, as shown below:

Figure 11

The strings “SOFTWARE\Microsoft\Windows NT\CurrentVersion” and “ProductId” are decrypted by the malware using the CryptDecrypt API, as before. The attacker's aim is to obtain the Windows Product ID by querying the registry value “SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId”:

Figure 12

The GetVolumeInformationW API is used to collect information about the C drive, such as the volume serial number. The result is concatenated with the Product ID obtained previously:

Figure 13

Other strings are decrypted using the imported AES256 key:

Figure 14

Execution continues by calling the Wow64DisableWow64FsRedirection function in order to disable file system redirection for the current thread. This means that a 32-bit application running under WOW64 is able to open the 64-bit version of another application (instead of being redirected to the 32-bit version). Later, Wow64RevertWow64FsRedirection is called to restore file system redirection for the thread. The OpenProcessToken function is used to open the access token of the current process, and DuplicateTokenEx creates a new primary access token that duplicates the first one:

Figure 15

The malicious process creates an anonymous pipe using the CreatePipe API, which returns two handles (a read handle and a write handle), as shown in the figure below:

Figure 16

Another process is spawned by calling CreateProcessWithTokenW, which executes the initial malicious file with the parameter n followed by the process ID of the first process (for example n920). As we can see in the image below, the first parameter is the handle of the duplicated token (0x290):

Figure 17

Interestingly, the malware verifies that it is indeed running with the parameter n followed by digits (the process ID):

Figure 18

We have observed that the new process enumerates network resources or existing connections using the WNetOpenEnumW and WNetEnumResourceW functions (it seems to target network shares and is not responsible for the main encryption routine), so we will continue to analyze the initial process. The GetLogicalDrives function is used to get the currently available disk drives, and GetDriveTypeW returns a code which indicates whether the disk is removable, fixed, CD-ROM, RAM disk or network drive (for example, it returns 0x3, DRIVE_FIXED, for the C drive). The malware is not interested in CD-ROM drives and RAM disks:

Figure 19 – GetDriveTypeW returns 0x3 for C drive

The CreateFileW API is used to open the “C:” volume, and DeviceIoControl is then used to obtain the physical location and disk number of “C:”, as shown below:

Figure 20

The malicious process uses the CryptGenRandom API to generate 32 random bytes which represent an AES256 key to be used later. Let's call this key AES1:

Figure 21

The same process is repeated once more; we will call the second key AES2:

Figure 22

Four bytes (“AD AD A1 A0”), which will be used as a marker, are decrypted. The RSA public key decrypted during the first steps is imported using the CryptImportKey API:

Figure 23

The RSA public key is used to encrypt AES1 together with other information collected during the malware's execution:

Figure 24 – Before encryption
Figure 25 – After encryption

The encryption is applied to AES2 as well:

Figure 26 – Before encryption
Figure 27 – After encryption

A few more strings are decrypted at runtime; their purpose will become clear as the analysis continues:

Figure 28

The malicious file creates a new cmd.exe process which is used to delete the list of services decrypted above (the entire list is presented in the appendix) and the shadow copies (a common technique used by ransomware):

Figure 29

The output confirming that a service was successfully deleted is sent back from cmd.exe to the malicious process through the pipe, as shown below:

Figure 30

The malware decrypts a list of processes to be killed (the full list is given in the appendix). This is done using the CreateToolhelp32Snapshot, Process32FirstW, Process32Next and TerminateProcess APIs and ensures that the files which are about to be encrypted are not locked by these processes:

Figure 31
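The cmd.exe-driven service and shadow-copy deletion described above, together with the n&lt;pid&gt; self-respawn from Figures 17 and 18, leave a distinctive trail in process-creation telemetry. The detection logic below is an added example, not code from the sample or the original article: it tags Sysmon-style process-creation events using the commands from the appendix and groups hits per parent process. The event dictionaries, the service subset and the sample.exe path are constructed for illustration.

```python
import re
from collections import defaultdict

# Detection regexes constructed from the commands in the appendix (not the malware's own code).
SHADOW_COPY_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]
SC_DELETE = re.compile(r"\bsc(\.exe)?\s+delete\s+\"?([\w$.\-]+)", re.I)
# Short subset of the backup, database and security services listed in the appendix.
WATCHED_SERVICES = {"vmicvss", "sqlwriter", "mssqlserver", "ekrn", "klif", "wrsvc", "tmfilter"}
SELF_SPAWN_ARG = re.compile(r"^n\d+$")  # the n<pid> argument seen in Figures 17 and 18

def classify(event):
    """Return detection tags for one process-creation event (Sysmon Event ID 1 style dict)."""
    cmd = event.get("CommandLine", "")
    tags = []
    if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
        tags.append("shadow_copy_deletion")
    m = SC_DELETE.search(cmd)
    if m and m.group(2).lower() in WATCHED_SERVICES:
        tags.append("service_deletion:" + m.group(2))
    parts = cmd.split()
    if len(parts) == 2 and SELF_SPAWN_ARG.match(parts[1]) and \
            event.get("Image", "").lower() == event.get("ParentImage", "").lower():
        tags.append("self_respawn_with_pid_arg")
    return tags

def score_by_parent(events, threshold=3):
    """Group tags by ParentProcessId and return the parents reaching the threshold."""
    hits = defaultdict(list)
    for ev in events:
        hits[ev.get("ParentProcessId")].extend(classify(ev))
    return {pid: tags for pid, tags in hits.items() if len(tags) >= threshold}

def _ev(image, parent, cmd, ppid):
    return {"Image": image, "ParentImage": parent, "CommandLine": cmd, "ParentProcessId": ppid}

# Constructed sample telemetry (not real logs); sample.exe is a placeholder name.
SAMPLE = r"C:\Users\victim\Desktop\sample.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    _ev(SAMPLE, SAMPLE, f'"{SAMPLE}" n920', 920),
    _ev(r"C:\Windows\System32\sc.exe", CMD, "sc delete vmicvss", 1500),
    _ev(r"C:\Windows\System32\sc.exe", CMD, "sc delete SQLWriter", 1500),
    _ev(r"C:\Windows\System32\vssadmin.exe", CMD, "vssadmin delete shadows /all /quiet", 1500),
    _ev(r"C:\Windows\System32\sc.exe", r"C:\Windows\explorer.exe", "sc query wuauserv", 412),
]
```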

The encryption process starts by creating a thread using the CreateThread API. We will see that multiple threads are created:

Figure 32

The files located in the current directory (in our case, Desktop) are encrypted first. The files are selected using the FindFirstFileW and FindNextFileW APIs and must have an extension which belongs to the list decrypted at runtime (for example, .exe and .dll files are not encrypted, since the system must remain functional in order for the victim to pay for decrypting the files). The CryptGenRandom function is used again to generate 16 random bytes:

Figure 33

AES1 is imported and its initialization vector (IV) is set to the newly generated 16 bytes:

Figure 34
Figure 35

First, the name of the file is encrypted using AES1:

Figure 36 – Before encryption
Figure 37 – After encryption

The encrypted file name is written into the encrypted file, followed by 4 bytes which represent its length (“B0 00 00 00”, 176 in decimal). The next item written is the IV (16 bytes, generated at runtime):

Figure 38

Finally, before encrypting the file content, the malicious process appends the encrypted AES1 key:

Figure 39

The file content is encrypted using AES1 and the process overwrites the original file:

Figure 40 – Before encryption
Figure 41 – After encryption

The original file is renamed and multiple extensions are appended, including the attacker's email address:

Figure 42

Note: the same steps are also applied to other files, but with the second key, AES2.

All the encrypted elements are highlighted in the figure below:

Figure 43
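For incident response it is useful to inventory the per-file IV and RSA-encrypted AES key from each encrypted file, so that they are at hand should the private RSA key ever become available. The parser below is an added example, not code from the sample or the original article. It assumes the trailer layout as the text describes it, written after the in-place encrypted content: the AES-encrypted name, its 4-byte little-endian length, the 16-byte IV and then the RSA-encrypted AES key, whose size is assumed to be 128 bytes from the 1024-bit RSA key; the position of the “AD AD A1 A0” marker is not stated in the text, so the parser does not look for it. The sample file is constructed filler, not real ciphertext.

```python
import struct

RSA_KEY_BITS = 1024               # from the PUBLICKEYBLOB header in the text
ENC_KEY_LEN = RSA_KEY_BITS // 8   # assumption: RSA ciphertext is one modulus-sized block (128 bytes)
IV_LEN = 16                       # 16 random bytes generated per file (Figure 33)
LEN_FIELD = 4                     # DWORD holding the encrypted-name length (“B0 00 00 00” = 176)

def parse_encrypted_file(data):
    """Split an encrypted file into its content and trailer fields.

    Assumed layout, derived from the text and not verified against the sample:
      [AES content][AES-encrypted name][name_len: DWORD LE][IV][RSA-encrypted AES key]
    """
    if len(data) < LEN_FIELD + IV_LEN + ENC_KEY_LEN:
        raise ValueError("file too short to carry a Makop-style trailer")
    enc_key = data[-ENC_KEY_LEN:]
    iv = data[-ENC_KEY_LEN - IV_LEN:-ENC_KEY_LEN]
    len_off = len(data) - ENC_KEY_LEN - IV_LEN - LEN_FIELD
    (name_len,) = struct.unpack_from("<I", data, len_off)
    # AES-CBC output is a multiple of the 16-byte block size; reject implausible lengths
    if name_len == 0 or name_len % 16 != 0 or name_len > len_off:
        raise ValueError(f"implausible encrypted-name length {name_len}")
    enc_name = data[len_off - name_len:len_off]
    content = data[:len_off - name_len]
    return {"content": content, "enc_name": enc_name, "name_len": name_len,
            "iv": iv, "enc_key": enc_key}

def build_constructed_sample():
    """Constructed placeholder file with filler bytes; no real encryption is performed."""
    content = bytes([0x5A]) * 1000
    enc_name = bytes(range(176))             # 176 = 0xB0, the length seen in the text
    iv = bytes(range(16))
    enc_key = bytes([0xAA]) * ENC_KEY_LEN
    return content + enc_name + struct.pack("<I", len(enc_name)) + iv + enc_key
```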

The targeted directories are processed in the following order: the current directory, “C:\”, “C:\ProgramData” and “C:\Users” (one thread for each). Each file's content is encrypted 40000 bytes (40 KB) at a time. More information is decrypted at runtime:

Figure 44

Using the InternetOpenA, InternetConnectA, HttpOpenRequestA and HttpSendRequestA APIs, the malware tries to obtain the victim's public IP address by accessing hxxps[:]//iplogger.org/1Bzcq7 (we have not seen any other network communication):

Figure 45

The process sleeps for 30 seconds and then jumps back in order to encrypt the other targeted directories:

Figure 46

After the encryption is complete, it drops a ransom note in every targeted directory:

Figure 47


Appendix

List of services to be deleted and commands which delete the shadow copies

sc delete vmickvpexchange

sc delete vmicguestinterface

sc delete vmicshutdown

sc delete vmicheartbeat

sc delete vmicrdv

sc delete storflt

sc delete vmictimesync

sc delete vmicvss

sc delete MSSQLFDLauncher

sc delete MSSQLSERVER

sc delete SQL SERVERAGENT

sc delete SQLBrowser

sc delete SQLTELEMETRY

sc delete MsDtsServer130

sc delete SSISTELEMETRY130

sc delete SQLWriter

sc delete “MSSQL$VEEAMSQL2012”

sc delete “SQLAgent$VEEAMSQL2012”

sc delete MSSQL

sc delete SQLAgent

sc delete MSSQLServerADHelper100

sc delete MSSQLServerOLAPService

sc delete MsDtsServer100

sc delete ReportServer

sc delete “SQLTELEMETRY$HL”

sc delete TMBMServer

sc delete “MSSQL$PROGID”

sc delete “MSSQL $WOLTERSKLUWER”

sc delete “SQLAgent$PROGID”

sc delete “SQLAgent$WOLTERSKLUWER”

sc delete “MSSQLFDLauncher$OPTIMA”

sc delete “MSS QL$OPTIMA”

sc delete “SQLAgent$OPTIMA”

sc delete “ReportServer$OPTIMA”

sc delete “msftesql$SQLEXPRESS”

sc delete “postgresql-x64-9.4”

sc delete WRSVC

sc delete ekrn

sc delete klim6

sc delete “AVP18.0.0”

sc delete KLIF

sc delete klpd

sc delete klflt

sc delete klbackupdisk

sc delete klbackupflt

sc delete klkbdflt

sc delete klmouflt

sc delete klhk

sc delete “KSDE1.0.0”

sc delete kltap

sc delete TmFilter

sc delete TMLWCSService

sc delete tmusa

sc delete TmPreFilter

sc delete TMSmartRelayService

sc delete TMiCRC ScanService

sc delete VSApiNt

sc delete TmCCSF

sc delete tmlisten

sc delete TmProxy

sc delete ntrtscan

sc delete ofcservice

vssadmin delete shadows /all /quiet

wbadmin delete catalog -quiet

wmic shadowcopy delete exit

List of processes to be killed

sqlbrowser.exe

sqlwriter.exe

sqlservr.exe

msmdsrv.exe

MsDtsSrvr.exe

sqlceip.exe

fdlauncher.exe

Ssms.exe

sqlagent.exe

fdhost.exe

fdlauncher.exe

ReportingServicesService.exe

msftesql.exe

pg_ctl.exe

postgres.exe

UniFi.exe

armsvc.exe

IntelCpHDCPSvc.exe

OfficeClickToRun.exe

DellOSDService.exe

DymoPnpService.exe

Agent.exe

FJTWMKSV.exe

IPROSetMonitor.exe

IRMTService.exe

MBCloudEA.exe

QBCFMonitorService.exe

QBIDPService.exe

RstMwService.exe

TeamViewer_Service.exe

dasHost.exe

IntelCpHeciSvc.exe

RAVBg64.exe

vds.exe

unsecapp.exe

TodoBackupService.exe

MediaButtons.exe

IAStorDataMgrSvc.exe

jhi_service.exe

LMS.exe

DDVDataCollector.exe

DDVCollectorSvcApi.exe

TeamViewer.exe

tv_w32.exe

tv_x64.exe

Microsoft.Photos.exe

MicrosoftEdge.exe

ApplicationFrameHost.exe

browser_broker.exe

MicrosoftEdgeSH.exe

MicrosoftEdgeCP.exe

RtkNGUI64.exe

RAVBg64.exe

WavesSvc64.exe

OneDrive.exe

DYMO.DLS.Printing.Host.exe

FtLnSOP.exe

FjtwMkup.exe

FTPWREVT.exe

FTErGuid.exe

qbupdate.exe

QBWebConnector.exe

ShellExperienceHost.exe

RuntimeBroker.exe

IAStorIcon.exe

PrivacyIconClient.exe

SupportAssistAgent.exe

SecurityHealthService.exe

taskhostw.exe

taskhosta.exe

wijca.exe

ktfwswe.exe

HeciServer.exe

mdm.exe

ULCDRSvr.exe

WLIDSVC.EXE

WLIDSVCM.EXE

GoogleCrashHandler.exe

GoogleCrashHandler64.exe

RAVCpl64.exe

igfxtray.exe

hkcmd.exe

igfxpers.exe

PsiService_2.exe

UNS.exe

taskeng.exe

AdobeARM.exe

rdpclip.exe

LenovoReg.exe

LMS.exe

dwm.exe

taskeng.exe

wuauclt.exe

armsvc.exe

avp.exe

OfficeClickToRun.exe

FBService.exe

Jhi_service.exe

LBAEvent.exe

PDFProFiltSrvPP.exe

avpsus.exe

IAStorDataMgrSvc.exe

klnagent.exe

vapm.exe

UNS.exe

unsecapp.exe

RAVCpl64.exe

ScanToPCActivationApp.exe

BrStMonW.exe

BrCtrlCntr.exe

concentr.exe

redirector.exe

BrccMCtl.exe

BrYNSvc.exe

Receiver.exe

BrCcUxSys.exe

LSCNotify.exe

SelfServicePlugin.exe

wfcrun32.exe

HPNETW~1.EXE

HPScan.exe

taskhost.exe

Teams.exe

AuthManSvr.exe

WLXPhotoGallery.exe

outlook.exe

prevhost.exe

excel.exe

chrome.exe

AcroRd32.exe

RdrCEF.exe

vssadmin.exe

WmiPrvSE.exe

oracle.exe

ocssd.exe

dbsnmp.exe

synctime.exe

agntsvc.exe

mydesktopqos.exe

isqlplussvc.exe

xfssvccon.exe

mydesktopservice.exe

ocautoupds.exe

encsvc.exe

firefoxconfig.exe

tbirdconfig.exe

ocomm.exe

mysqld.exe

mysqld-nt.exe

mysqld-opt.exe

dbeng50.exe

sqbcoreservice.exe

infopath.exe

msaccess.exe

mspub.exe

onenote.exe

powerpnt.exe

steam.exe

thebat.exe

thebat64.exe

thunderbird.exe

visio.exe

winword.exe

wordpad.exe

exousus

Good start! Thank you, Vlad!

Ioan Uta

This is super cool! Very nice!