Sunday, May 1, 2016

Locky Ransomware Analysis - Understanding its execution, looking for artifacts with Process Monitor

As we continue this journey looking at Locky, let's see what it looks like in actual production.

Since my AV detected it in the previous post, for this post I disabled the AV and its features.

Next I loaded up Process Monitor and set a filter on "Image Path" to "c:\Locky\Locky\Locky.exe".

I then executed Locky and found some artifacts. Note that I compared these against a "clean" Windows 10 install before deciding that they are good artifacts.

Looking through Process Monitor, we can see the following:

From the above we see that the "Locky.exe" process started. It then created a thread and began attempting to open registry keys which were not found. I'm assuming it was checking whether those entries existed, which may have meant it had been executed before. However, those entries were "NOT FOUND".

As we move forward we see our first set of registry artifacts.

First we see the creation of the registry key "HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32", then we see that some values under it were set successfully, and those values were then queried successfully.

While the items below cannot be used as artifacts, I thought it was important to show some of the files which Locky tried to create but was unable to.

Something else I found interesting is that Locky actually checks to see if specific antivirus products are installed. As we can see below, it queries the registry looking for Kaspersky Lab, ESET and Avast. In the three cases shown below the values were "NOT FOUND".

Additionally, we see another registry artifact in the successful creation of the key "HKCU\Software\Locky" and the setting of its value.

As we begin to look at the artifacts written to disk, we see that the file "svchost.exe" was created in "%USERPROFILE%\AppData\Local\Temp\".

Next things get even more interesting, with Locky creating a new process, "cmd.exe". This process was executed with PID "3636" and the following command line: cmd.exe /C del /Q /F "C:\Users\SECURI~1\AppData\Local\Temp\sysFAE3.tmp"

What this does is have "cmd.exe" run the specified command and then exit (/C); that command quietly (/Q) and forcibly (/F) deletes the ".tmp" file named on the command line from the "Temp" folder.

Finally, we see the Locky process exit and close.

At this point, while we detected some artifacts, there is still information we have not figured out. Remember that the "Locky.exe" process created other files and executed another process, namely "svchost.exe". Let's dig a little deeper with Process Explorer in the next post.

Visible Artifacts
Registry Entries
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\EnableAutoFileTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\MaxFileSize: 0x00100000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\EnableAutoFileTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\MaxFileSize: 0x00100000
HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\svchost_RASAPI32\FileDirectory: "%windir%\tracing"
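As an added example that is not part of the original post, the behaviours walked through above (AV-vendor registry probes, the RASAPI32 tracing keys, the "HKCU\Software\Locky" key, the svchost.exe dropped into Temp, and the cmd.exe self-cleanup) can be turned into checks run over a Process Monitor CSV export. The script below does that against a constructed sample export; the timestamps, the user name, the Locky PID, and the exact AV vendor key names are assumptions.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format).
# Column layout is ProcMon's default export; the events mirror what the post describes.
# Timestamps, user name, the Locky PID and the AV vendor key name are made up.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Locky.exe","2212","RegOpenKey","HKLM\SOFTWARE\KasperskyLab","NAME NOT FOUND",""
"10:01:02.2","Locky.exe","2212","RegCreateKey","HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\Locky_RASAPI32","SUCCESS",""
"10:01:02.3","Locky.exe","2212","RegCreateKey","HKCU\Software\Locky","SUCCESS",""
"10:01:02.4","Locky.exe","2212","CreateFile","C:\Users\analyst\AppData\Local\Temp\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.5","Locky.exe","2212","Process Create","C:\Windows\SysWOW64\cmd.exe","SUCCESS","PID: 3636, Command line: cmd.exe /C del /Q /F ""C:\Users\analyst\AppData\Local\Temp\sysFAE3.tmp"""
"10:01:03.0","explorer.exe","1100","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion","SUCCESS",""
'''

# Path-based rules taken from the post: (rule name, ProcMon operation, path regex, expected result).
PATH_RULES = [
    # Registry probes for AV vendors that came back NAME NOT FOUND (vendor key names assumed).
    ("av_presence_check", "RegOpenKey", re.compile(r"\\(Kaspersky|ESET|Avast)", re.I), "NAME NOT FOUND"),
    # Tracing keys created for Locky.exe and for the dropped svchost.exe copy.
    ("rasapi32_tracing_key", "RegCreateKey",
     re.compile(r"\\Microsoft\\Tracing\\(Locky|svchost)_RASAPI32$", re.I), "SUCCESS"),
    # Marker key the sample writes under HKCU.
    ("locky_marker_key", "RegCreateKey", re.compile(r"^HKCU\\Software\\Locky$", re.I), "SUCCESS"),
    # Look-alike svchost.exe dropped into the user's Temp folder.
    ("svchost_dropped_in_temp", "CreateFile",
     re.compile(r"\\AppData\\Local\\Temp\\svchost\.exe$", re.I), "SUCCESS"),
]
# Self-cleanup: cmd.exe spawned to quietly and forcibly delete a .tmp file.
CLEANUP_CMD = re.compile(r"\bcmd\.exe\b.*\bdel\s+/Q\s+/F\b.*\.tmp", re.I)


def find_locky_artifacts(csv_text):
    """Return (rule, process name, PID, matched path or detail) for every event that hits a rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, result, detail = row["Operation"], row["Path"], row["Result"], row["Detail"]
        for name, rule_op, pattern, wanted in PATH_RULES:
            if op == rule_op and result == wanted and pattern.search(path):
                findings.append((name, row["Process Name"], row["PID"], path))
        if op == "Process Create" and CLEANUP_CMD.search(detail):
            findings.append(("tmp_self_cleanup_via_cmd", row["Process Name"], row["PID"], detail))
    return findings


if __name__ == "__main__":
    for rule, proc, pid, evidence in find_locky_artifacts(SAMPLE_PROCMON_CSV):
        print(f"[{rule}] {proc} (PID {pid}): {evidence}")
```

Point it at a real export by reading the CSV file into a string and passing it to find_locky_artifacts; events from processes other than the sample (like the explorer.exe row) produce no findings.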
