Ghost Has Arrived
Credit to Author: Ghanshyam More| Date: Fri, 14 Dec 2018 11:58:50 +0000
Estimated reading time: 5 minutesOn the back of an upswing in Ransomware activity, we decided to carry out an in-depth analysis of Ghost Ransomware. Interesting fact about this malware is that it uses multiple components to encrypt user files. Technical Analysis : Main malware executable (Ghost.exe) is compiled using the DotNet Framework. The infection vector of this ransomware is still unknown, but this file may arrive on the victim’s machine via spam emails, malvertising, bundled with other files, etc. It uses an icon of the spreadsheet to deceive the user to think he has received an invoice/quotation etc. Initially, Ghost.exe queries “www.12312312eewfef231.com”. This domain is not registered, but if it is registered then it can work as a kill switch as it performs its malicious activity in the catch for the exception as shown in Fig. 1. Fig. 1: DNS Query Ghost.exe drops an executable GhostService.exe at location “%appdata%Ghost” on the victim’s machine. It also creates a bat file (Ghost.bat) in Ghost folder and executes it. Ghost.bat creates a service with display name as“Ghost”, binpath as“%appdata%GhostGhostService.exe” and start mode as “auto” as shown in Fig. 2. Due to auto mode, malware service will be auto-started on every system startup. Fig. 2: Code to create “Ghost.bat” Fig. 3: Content of Ghost.bat to register service Once the service is successfully registered Ghost.exe starts “Ghost” service as shown in Fig. 4. Fig. 4: Function to start Ghost Service GhostService.exe creates a .txt file named “Do_Not_Delete_codeId.txt” at the root of“C” drive with Code ID as a content. This Code ID is randomly generated as shown in Fig. 5. Fig. 5: Function to generate random Code ID Now it calls a function “startProcess” to drop components at the root of “C” drive. As shown in Fig. 6, GhostService.exe drops below components: GhostForm.exe – Displays Ransom note and encrypt files GhostFile.dll – Exports functions to create a list of files GhostHammer.dll – Exports AES_Encrypt function Fig. 6: Function to drop components and start GhostForm.exe After dropping the components, it runs GhostForm.exe. Then it calls a function “Database” to stop MSSQLSERVER service and encrypt files in “Microsoft SQL Server” folder. Fig. 7: Function to encrypt Database files Fig. 8: Function to stop SQL service It has a list of file extensions which are to be encrypted as shown in Fig. 9. Fig. 9: List of file extensions to be encrypted by GhostService.exe Also, it calls a function “datosC” that encrypts files present only at the root of “C” drive. Fig. 10: Function to encrypt files at the root of “C” drive GhostService.exe maintains a timer which repeats these tasks after every 120 seconds. Fig. 11: Timer function GhostForm.exe displays a Ransom note. It also maintains a timer, after every 120 seconds it closes the Ransom note. Fig. 12: Ransom Note Code ID in ransom note is same as one written to C:Do_Not_Delete_codeId.txt. As seen in Fig. 12 malware author demands Bitcoin worth 500 USD to be paid to the following address : https://blockchain.info/payment_request?address=1N7AmqH12EN3yAkVMPB5rZoVX758jgLbzj&amount_local=500¤cy=USD&nosavecurrency=true&message=Pay%20me! Fig. 13: Contents of Do_Not_Delete_codeId.txt Next, it calls a function “startEncrypt” to create a list of files present in the following folders : Desktop Document Picture Videos Music As seen in the above list, malware encrypts the files at some specific locations only. It has targeted Desktop folder where the user usually keeps most of their data. Also, Document, Pictures, Videos, and Music are folders provided by Windows OS to store respective type of files. Fig. 14: Function to create a list of files and encrypt them Functions to get the list of files from above-mentioned folders are present in GhostFile.dll. Fig. 15: Function to create a list of files in the Desktop folder Fig. 16: Function to create a list of files in the Documents folder Fig. 17: Function to create a list of files in the Pictures folder Fig. 18: Function to create a list of files in the Videos folder Fig. 19: Function to create a list of files in the Music folder The malware creates a list of files based on extensions present in the extension list as shown in Fig. 20. Once the list of files is ready, encryption routine is called from GhostHammer.dll. Files are encrypted using AES algorithm and “.Ghost”extension is…
http://blogs.quickheal.com/feed/