Hello and welcome to Malware Analysis For Hedgehogs. Today we will be looking at two different samples. Both are different ransomware families: one is an old family, the PowerWare ransomware, which made it into the news this week because it imitates Locky now, and the HolyCrypt ransomware is a new family which also made it into the news this week, so let's check it out.

We'll start by checking the strings in these files. It's one of the easiest things to do, and it often gives good results for a first check. We will start with HolyCrypt. I need to look while I'm typing: holy_strings.txt. Here is our HolyCrypt strings file. The strings.exe from Sysinternals will print the strings in the order that it finds them in the file, so things that are later in the file will appear later here. That's already interesting: it seems like this is using Python to do something. So let's check this out. These are the imports, and here are some Python functions that, as it seems, have to do with encoding, and that's interesting. Right here you might see why this is called HolyCrypt. It's actually bad practice to use the name that the author of the file intended the malware to have, but since ransomware is so loud about its name, telling the victim what it wants to be called, the victims usually search for the names on Google, and so the antivirus companies use those names for the ransomware, although they usually don't do it for other malware.

But yeah, this is a Python wrapper, or some kind of Python installer thing, and the first thing we need to find out is what application was used to wrap this file. In my case I knew it from the news article, but if you don't know it you can still find out by looking at the strings and with research. So let's check this. We know the most interesting thing is at the end, and from experience this already looks a bit like an archive.

This is so dense here, this is like a high-entropy area, and here at the end it looks similar to a zip archive with the listing of the files that are in there. Interesting: there are .pyd files in this archive, and those are Python DLL files. They are not written in Python, I think they are usually written in C, and in any case they are compiled to native code. These are PE files, DLL files, in case you want to analyze them later.

Now what do we have? If you check this in a PE format viewer (the report is done, it's still computing the visualization), you will see that there's a huge overlay. The overlay is often used by installers to store some data, and the overlay is also high in its entropy, so this is probably where the interesting data is, the files that we want to look at. Now you can check the overlay here, the location is here, and since I knew this already, I had already built in a check for the signature of PyInstaller. So now we know it's PyInstaller. You won't find it with DIE, at least not in my setup, but I added this as soon as I saw that there's no signature for it.

But here's how you could have found it: you go to the location of the overlay, since the overlay seems to be interesting. That's the start of it, and there's a signature. This happens often, that there's some kind of signature at the start of the data that the installer is using, and often the installer itself also uses its own name somewhere. In this case that's not the way it is; "PyInstaller" is not in one of those strings, but we have "PYZ" here. If you google for PYZ, you will find that this is a Python archive similar to a zip archive, and you might also find in the first results on Google that this is commonly used by PyInstaller. So this is how you could have researched what you need to know, and you will also find certain extracting tools for those archives, like this one in this case.

I will open this extracting tool on the command line, because it uses the current working directory, so if I drag this right in here, the extracted files will not appear on the desktop; that's just why I do this. Okay, HolyCrypt: it only tells us it has extracted files. There are lots and lots of files, I think more than 250 files in here, and that's actually where I got lost, because for some reason I navigated right in here and I looked at all of these files. These .pyc files are Python bytecode. Despite most people telling you that Python is interpreted, it's actually not: CPython, which is the most common implementation of the Python language, is compiled to bytecode similar to Java, so you need to decompile this code, and that makes the CPython implementation a hybrid of interpreted and compiled, because it is compiled. If you wanted to look at these files you would need something like IDA or OllyDbg, they are just dynamic link libraries, and for these files you would just search for a Python decompiler and find lots and lots of tools that do this.

But in this case the most interesting one, the main script, is here: the HolyCrypt script. Sometimes you just need to know where to look. For some reason I overlooked this file; I got kind of lost looking at all the libraries. Here's our file. I checked the lines of code with it: now it's 122, but if you count lines of code you don't count the empty lines and the comments, you count only the real code lines, and that's 97 in this case. It's a bit disappointing. Usually I expect a bit more; the file is almost 5 megabytes and the main code is really just this. It's not much. A huge part of it is this base64 string, and you can decode it. Let's just put it into another file and base64-decode it, and you will see that this is an image, a JPEG, and that's our wallpaper ransom note that the Python script contains right in here. And yeah, that's actually all we needed to do. It's not much once you know how. I will execute this later so you can take a look at how it looks if you are infected.

But now let's take a look at the PowerWare sample. This is another interesting sample. Already look at this: it's a bit smaller, calls itself rry.exe for some unknown reason, and it found the .NET signature, so this is a .NET file. Here are strings that might be interesting to look at, here's some high-entropy area, here are resources which might be interesting, and the rest seems pretty empty: it's black here and here. So the interesting areas are the blue ones here, this, and the resources. .NET, okay. I click here on the main, so I'm at the entry point. That's the loader that executes with some arguments. Let's take a look at the loader. What does it do? It tells something about PowerShell, posh2config, some script runner, and it checks the resources for something. Are there any other interesting things here? Well, it's quite a small program; there's just this loader, and that loads some PowerShell. So the resources are these. There are three resources: there's a DLL for running something, for running a script, there's this .NET DLL that's probably nothing interesting, and scripts.zip, an archive again.

Now we can dump the resources right here, save. Usually, if you have an archive in a file, you can just unpack it with, for instance, 7-Zip, but in this case that doesn't really work: it unpacked something else. Here, I'll show you what it is. That's the PE file that's in there, the .NET file, I guess. Let's see. Yeah, just some .NET zip library; it's a library for handling archives, which it obviously needs, but it's a harmless library, nothing we are interested in. And the rest is still in there, the other resources. If you check this file, here's this. I think it's a good idea to use the visualization right here, because otherwise I will be searching endlessly for interesting stuff.

Okay, so that's the resource dump. It's quite similar to, no, not this one, this one. Check this: the biggest part of this PE file is the resources. Here you can see that only this part is not here. So, interesting, we dumped the biggest part of the file. Now you can take a look at the resources. We know there's a zip archive, so we just search for the magic number of it. Let's check this, and if it makes sense we will just dump it. Oh, here it is: fixed.ps1, that's a PowerShell script, and we select from here to, I don't know how long it is, just do something, anything, I don't care, and if there's stuff at the end no one cares. We save it as an archive and now we unpack it again. Let's see if 7-Zip does it this time. That's the PowerShell script, and here we are again: that's not much. I mean, okay, we have some additional code in the .NET file, but really this is just somewhat like 50 lines of code. We have our extensions here that will be encrypted by the ransomware, and _HELP_instructions, that's the name of the ransom note for Locky. It appends .locky, so it looks like Locky ransomware, and that is a base64 string again, which is the ransom note. So yeah, that's already everything we need to know. Now you can check this file for decryptability; you can check those scripts for how you can decrypt the files that were encrypted by the ransomware. Both are decryptable, there are decryption tools out there, but if you're interested in making one yourself, just check it out and try yourself. I will not go into details right here.

Okay, now I promised you that I would execute those as well, so let's just do this and have some fun. It already has a PDF icon, which is very suspicious. Okay, please encrypt my files. "The file already exists but should not": it has some problems. Interesting, seems like it has some bugs, it doesn't work here. Let's execute PowerWare now. What happens? Please, we want some action. Yeah, here it is, that's the HolyCrypt one; maybe PowerWare does something similar. HolyCrypt prepends "encrypted" to the files that it encrypts, like this, and that's our ransom note, the wallpaper. PowerWare, I'm not sure, did it do anything? I should have checked with Sysinternals, I guess, just before I executed it. Procmon, no, not Procmon, Process Explorer, run as administrator. Maybe I need to install PowerShell first, I don't know. Oh, it's still running, I guess it needs some time, so I will not wait for it now. It's similar to Locky: it uses the same ransom note and the same extension, just the files are not renamed like Locky does. Locky renames the file names to some ID and then appends .locky, and our PowerWare sample doesn't do it, so that's how you can differentiate both ransomware families in case someone is infected. Generally you should be suspicious if there's a Locky copycat; all of them could be decrypted so far. There was one lately, AutoLocky; they try to get the same out of it.

And yeah, since TeslaCrypt is dead, the ransomware that appears is, well, let's say the quality isn't that good anymore, and these two are quite good samples for that. What's new is that HolyCrypt is written in Python; I haven't seen anything like that before. And the PowerWare sample, well, PowerShell. There's also ransomware written entirely in batch, and it's pretty good, good in the sense that it works very well and you can't decrypt it. So it really doesn't matter what language is used to make something good or bad. But yeah, interesting how many, or rather how few, lines you need to do something that devastating to other people. So, I hope to see you in two weeks. I'm on vacation, so have fun in the meantime and see you later. Thanks for watching.
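The manual triage steps from the video (checking the overlay for the PyInstaller and PYZ signatures, searching a resource dump for the zip magic and carving from there to the end, and base64-decoding the embedded ransom note to see that it is a JPEG) scripted in Python, as an added example that is not code from the video or from either sample. The marker byte sequences are assumed from PyInstaller's public archive format and the zip and JPEG specifications; the resource dump, overlay and base64 note are constructed stand-ins, not data from the real files.

```python
import base64
import io
import zipfile
from typing import List, Optional

# Marker bytes (assumed from PyInstaller's public archive format: the CArchive
# cookie begins with this magic and embedded PYZ archives begin with "PYZ\0").
PYINSTALLER_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
PYZ_MAGIC = b"PYZ\x00"
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # zip local file header, the magic searched for in the video
JPEG_SOI = b"\xff\xd8\xff"         # JPEG start-of-image marker

def overlay_markers(overlay: bytes) -> List[str]:
    """Report which packer markers appear in a PE overlay blob."""
    found = []
    if PYINSTALLER_COOKIE_MAGIC in overlay:
        found.append("pyinstaller-cookie")
    if PYZ_MAGIC in overlay:
        found.append("pyz-archive")
    return found

def carve_zip(blob: bytes) -> Optional[bytes]:
    """Cut from the first zip local-file header to the end of the blob (the manual
    'select from PK to the end and save as archive' step)."""
    idx = blob.find(ZIP_LOCAL_HEADER)
    return None if idx < 0 else blob[idx:]

def zip_members(data: bytes) -> List[str]:
    """List the files inside a carved archive without extracting them to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def decode_embedded_note(b64: str) -> str:
    """Decode a base64 string pulled from a script and classify the payload."""
    raw = base64.b64decode(b64)
    return "jpeg" if raw.startswith(JPEG_SOI) else "unknown"

# Constructed sample inputs; none of this is data from the real samples.
def build_resource_dump() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fixed.ps1", "Write-Host 'placeholder'\n")
    return b"\x00" * 64 + b"resource junk" + buf.getvalue()

SAMPLE_OVERLAY = b"\x41" * 32 + PYINSTALLER_COOKIE_MAGIC + b"\x00" * 8 + PYZ_MAGIC
SAMPLE_NOTE_B64 = base64.b64encode(JPEG_SOI + b"\xe0\x00\x10JFIF" + b"\x00" * 16).decode()

if __name__ == "__main__":
    print(overlay_markers(SAMPLE_OVERLAY), zip_members(carve_zip(build_resource_dump())),
          decode_embedded_note(SAMPLE_NOTE_B64))
```

On a real resource dump with trailing data after the archive, carve_zip keeps that tail, which zipfile tolerates the same way 7-Zip did in the video.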