Dissecting a Metamorphic File-Infecting Ransomware March 23 … · 2020-04-22
© Copyright Fortinet Inc. All rights reserved.
Dissecting a Metamorphic File-Infecting Ransomware March 23-24, 2017
Raul Alvarez
About Me
Senior Security Researcher @ Fortinet
22 published articles in Virus Bulletin
Regular contributor in our company blog
Confidential
Malware Categories
Malware Honeycomb (figure): trojan, script/macro, virus, POS, bot, botnet, worm, ransomware
Virlock honeycomb (figure): the same honeycomb with Virlock placed at the centre, surrounded by trojan, script/macro, virus, POS, bot, botnet, worm, ransomware
Agenda
Virlock as a ransomware
• Visible signs
Virlock as a common malware
• Reversing stages
Virlock as a file infector
• Extracting the host file
Virlock as a polymorphic malware
• On-demand polymorphic algorithm
Virlock as a metamorphic malware
• Metamorphic engine
• Generated metamorphic algorithm
Virlock
What Is A File Infector?
Attaches the malware code into the host file.
Appending, prepending, and cavity type
Maintains persistence within the computer system
Infected file is hard to restore
What Is Ransomware?
Holds your computer for ransom
Encrypts files
Uses cryptocurrency, such as bitcoins, for payment
What Is Virlock?
A ransomware
A file infector
Uses an on-demand polymorphic algorithm
Uses a metamorphic algorithm
Locks your screen
Virlock As A Ransomware
Visible Signs of Infection
Virlock As A Common Malware
Debugging Tools
OllyDbg: http://www.ollydbg.de/
Immunity Debugger: http://www.immunityinc.com/products/debugger/
x64dbg: http://x64dbg.com/
Common Reversing
Common Reversing (figure):
1. Decrypting/unpacking the malware using a debugger: the encrypted/packed image (MZ header, decryptor, encrypted/packed body) becomes a decrypted/unpacked image (MZ header, decryptor, decrypted/unpacked body).
2. Static/dynamic analysis of the decrypted/unpacked result.
Reversing Stages
Reversing Stages
Reversing Stages (figure, stages A to D):
A: MZ header, .text (0xbb000), .rsrc (0x01200)
B: MZ header, .text containing the metamorphic algorithm (0x06C77), .rsrc (0x01200)
C: MZ header, .text containing the metamorphic algorithm (0x06C77) and the decoded bytes (0x0250), .rsrc (0x01200)
D: MZ header, .text containing the metamorphic algorithm (0x06C77), the decoded bytes (0x0250) and the main functions, .rsrc (0x01200)
A Virlock-infected file only has 2 sections: .text and .rsrc.
Reversing Stages
Reversing Stages (figure, stages A to D as above).
At the entry point, the malware executes its metamorphic algorithm.
Reversing Stages
Reversing Stages (figure, stages A to D as above).
The metamorphic algorithm decodes the initial decryptor.
Reversing Stages
Reversing Stages (figure, stages A to D as above).
The initial decryptor produces the main function.
Reversing Stages
Reversing Stages (figure, stages E to H): each stage shows the MZ header, .text containing the metamorphic algorithm (0x06C77), the decoded bytes (0x0250), the main function and four on-demand poly blocks, .rsrc (0x01200), and the host file.
The main function calls the malicious threads and other sub-functions. Each sub-function is decrypted/re-encrypted by an individual on-demand polymorphic algorithm.
Reversing Stages
Reversing Stages (figure, stages E to H as above).
When an on-demand polymorphic algorithm runs, it decrypts the malicious code and executes it. Then it re-encrypts itself and the malicious code with a different key.
Reversing Stages
Reversing Stages (figure, stages E to H as above).
After executing the rest of the malicious code, the malware in memory looks totally different from its original binary content.
Reversing Stages
Reversing Stages (figure, stages E to H as above).
Finally, the host file is decrypted, dropped, and executed.
Virlock As A File Infector
Cleaning: How To Clean An Infected File
Basics:
• Determine the kind of virus
• Determine how to extract and restore the host file
Different Kinds Of File Infectors
Basics:
• Appending
• Prepending
• Cavity
• Overwriting
• Companion
Different Kinds Of File Infectors
Different kinds of file infectors (figure): appending, prepending, cavity, overwriting, companion, with Virlock shown as a sixth layout.
Cleaning: Extracting The Host File From Virlock
Details:
• Host file is encrypted and embedded within the malware
• DecryptionKey can be found within the malware
• DecryptionKey is encrypted using a simple XOR
• Uses a simple decryption algorithm to extract the host file
Reversing Stages
Reversing Stages (figure, stages E to H, repeated from the previous section).
Finally, the host file is decrypted, dropped, and executed.
Cleaning: Extracting The Host File From Virlock
Annotated disassembly (figure):
• EBX = initial key
• XORing EBX with the dword in [ESI] generates the DecryptionKey
• ECX = EBX = DecryptionKey
• EBX = the next DWORD
• ESI = location of the encrypted DecryptionKey
• Decrypts the HOST file
Cleaning: Extracting The Host File From Virlock
Memory layout (figure): DecryptionKey, original host filename, encrypted host file; the routine that decrypts the HOST file produces the decrypted host file.
Virlock As A Polymorphic Malware
Reversing Stages
Reversing Stages (figure, stages E to H, repeated from the previous section).
When an on-demand polymorphic algorithm runs, it decrypts the malicious code and executes it. Then it re-encrypts itself and the malicious code with a different key.
On-Demand Polymorphic Algorithm
On-Demand Polymorphic Algorithm
Implementation
• Uses Decryptor to decrypt a block of code using an old key
• Executes the newly decrypted code
• Uses RDTSC (Read Time-Stamp Counter) to generate a new dword value
• Uses NewKeyGenerator to generate a new key
• Uses Encryptor to encrypt the same block of code using the new key
(Figure labels: newly decrypted code, RDTSC.)
Decryptor
Features:
• Uses garbage code
• Keygen function for redundancy check
• Uses XOR to generate the key
• Uses XOR to decrypt a block of code
Decryptor
Annotated decryptor (figure): garbage code; the number of bytes used to generate the key; the actual key generator, where EAX starts with 0xFFFFFFFF; the starting location of the key bytes; the XOR decryptor; the keygen function, which generates the same EAX value (the key).
NewKeyGenerator
Implementation:
• RDTSC generates a new dword value
• Saves it in different memory locations
• The memory locations are within the memory range that contains the key bytes
• Generates the new key by XORing the key bytes
• Saves the new key to the original location of the old key used in the Decryptor
NewKeyGenerator
Annotated NewKeyGenerator (figure): the location of the bytes needed to generate the new key; the starting location is one byte before the first DWORD value from RDTSC; EAX = DWORD value; NEW KEY.
NewKeyGenerator
NewKeyGenerator (figure): the old key and the new key, with the location of the NEW KEY marked.
Encryptor
Features:
• Uses the same algorithm as the Decryptor
• Uses the new key to encrypt the same block of code
Sample On-demand Polymorphic Values
Three 16-byte views of the same code block (figure):
encrypted with OLD KEY: 1C B0 19 99 F4 C7 7E 64 E2 40 7B 9A F4 00 7B F1
decrypted code:         E8 B0 62 02 00 C7 05 FF 16 40 00 01 00 00 00 6A
encrypted with NEW KEY: 75 EB 89 E2 9D 9C EE 1F 8B 1B EB E1 9D 5B EB 8A
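The sample values above let an analyst recover each pass's XOR key from the known plaintext and confirm that the key changed between the two passes. This is an added example, not code from the talk; it assumes the slide's twelve rows are three 16-byte blocks in the order labelled and that the transform is a repeating dword XOR, as the Decryptor and Encryptor slides describe.

```python
import struct

# Constructed from the slide: the same 16-byte code block shown under the old
# key, in the clear, and under the new key. Grouping the slide's twelve rows
# into three blocks of four dwords is an assumption of this example.
ENC_OLD_KEY = bytes.fromhex("1CB01999F4C77E64E2407B9AF4007BF1")
DECRYPTED   = bytes.fromhex("E8B0620200C705FF164000010000006A")
ENC_NEW_KEY = bytes.fromhex("75EB89E29D9CEE1F8B1BEBE19D5BEB8A")


def recover_dword_key(ciphertext: bytes, plaintext: bytes):
    """Known-plaintext recovery of a repeating 4-byte XOR key.

    Returns the key bytes if one dword key explains every byte of the pair,
    or None when it does not (a different transform, or a misaligned pair)."""
    if len(ciphertext) != len(plaintext) or len(ciphertext) < 4:
        return None
    key = bytes(c ^ p for c, p in zip(ciphertext[:4], plaintext[:4]))
    for i, (c, p) in enumerate(zip(ciphertext, plaintext)):
        if c ^ p != key[i % 4]:
            return None
    return key


def xor_dwords(data: bytes, key: bytes) -> bytes:
    """Repeating dword XOR: the same operation serves as Decryptor and Encryptor."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def analyse_block(enc_old: bytes, plain: bytes, enc_new: bytes) -> dict:
    """Recover both keys, verify the round trip, and report whether the key
    changed between the two passes (the on-demand polymorphic behaviour)."""
    old_key = recover_dword_key(enc_old, plain)
    new_key = recover_dword_key(enc_new, plain)
    ok = (old_key is not None and new_key is not None
          and xor_dwords(enc_old, old_key) == plain
          and xor_dwords(plain, new_key) == enc_new)
    return {
        "old_key": old_key,
        "new_key": new_key,
        # The key as the 32-bit little-endian value a debugger shows in EAX.
        "old_key_le": struct.unpack("<I", old_key)[0] if old_key else None,
        "new_key_le": struct.unpack("<I", new_key)[0] if new_key else None,
        "roundtrip_ok": ok,
        "key_changed": ok and old_key != new_key,
    }


if __name__ == "__main__":
    report = analyse_block(ENC_OLD_KEY, DECRYPTED, ENC_NEW_KEY)
    for name, val in report.items():
        print(f"{name:13} {val.hex() if isinstance(val, bytes) else val}")
```

Because every byte of the block is re-keyed after each run, a static signature on the encrypted bytes never matches twice; the plaintext (and the key) exists only in memory while the block executes.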
Detection
Detection (figure): the same three views of the block as on the previous slide (encrypted with OLD KEY, decrypted code, encrypted with NEW KEY).
Detection
Detection (figure): the annotated NewKeyGenerator from the previous section, with the location of the bytes needed to generate the new key (the starting location is one byte before the first DWORD value from RDTSC), EAX = DWORD value, and NEW KEY marked.
Virlock As A Metamorphic Malware
Metamorphic Algorithm
Basics: putting a value (0) in a register (EAX)
MOV EAX,0 : the EAX register gets 0 directly
XOR EAX,EAX : XORing a register with itself also leaves a zero value in that register
SUB EAX,EAX : subtracting a register from itself also produces the same result
MOV EAX, 0x10 / ADD EAX, 0x10 / SUB EAX, 0x20 : EAX also gets 0
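The four variants above share no bytes, which is the detection limitation the next slide states; a semantic check does not care about bytes. This is an added example, not the talk's code: a tiny evaluator for the MOV/ADD/SUB/XOR subset compares the register effect of each sequence across several start states, and the encodings listed are the standard x86 forms, constructed here for the byte comparison.

```python
MASK32 = 0xFFFFFFFF

# The four zeroing variants from the slide, plus a near miss that only looks
# similar: ADD/SUB of the same immediate leaves EAX at whatever it was.
VARIANTS = {
    "mov":   ["MOV EAX,0"],
    "xor":   ["XOR EAX,EAX"],
    "sub":   ["SUB EAX,EAX"],
    "arith": ["MOV EAX, 0x10", "ADD EAX, 0x10", "SUB EAX, 0x20"],
}
NEAR_MISS = ["ADD EAX,0x10", "SUB EAX,0x10"]

# Standard x86 encodings of the same sequences (constructed here; an assembler
# may emit the 33 C0 / 2B C0 forms instead).
ENCODINGS = {
    "mov":   bytes.fromhex("B800000000"),
    "xor":   bytes.fromhex("31C0"),
    "sub":   bytes.fromhex("29C0"),
    "arith": bytes.fromhex("B81000000083C01083E820"),
}

# Start states that differ in EAX, so sequences that merely preserve EAX
# are told apart from sequences that zero it.
SAMPLE_STATES = (
    {"EAX": 0, "EBX": 0, "ECX": 0, "EDX": 0},
    {"EAX": 0xDEADBEEF, "EBX": 1, "ECX": 2, "EDX": 3},
    {"EAX": 0xFFFFFFFF, "EBX": 0x10, "ECX": 0x20, "EDX": 0x7FFFFFFF},
)


def parse(line: str):
    """Split 'OP DST,SRC' into (OP, [DST, SRC]); spacing is not significant."""
    op, _, rest = line.strip().partition(" ")
    operands = [o.strip().upper() for o in rest.split(",")] if rest else []
    return op.upper(), operands


def value(regs: dict, operand: str) -> int:
    """Resolve an operand to a 32-bit value: register contents or an immediate."""
    if operand in regs:
        return regs[operand]
    return int(operand, 0) & MASK32


def run(sequence, start=None) -> dict:
    """Execute the MOV/ADD/SUB/XOR subset on 32-bit registers and return the
    final register file (a copy, so sample states are never mutated)."""
    regs = dict(start or SAMPLE_STATES[1])
    for line in sequence:
        op, (dst, src) = parse(line)
        if op == "MOV":
            regs[dst] = value(regs, src)
        elif op == "ADD":
            regs[dst] = (regs[dst] + value(regs, src)) & MASK32
        elif op == "SUB":
            regs[dst] = (regs[dst] - value(regs, src)) & MASK32
        elif op == "XOR":
            regs[dst] = regs[dst] ^ value(regs, src)
        else:
            raise ValueError(f"unsupported instruction: {line}")
    return regs


def same_effect(seq_a, seq_b) -> bool:
    """True when both sequences leave every register equal from every sample
    start state: the semantic view that a byte signature cannot take."""
    return all(run(seq_a, s) == run(seq_b, s) for s in SAMPLE_STATES)


def shared_ngrams(blobs, n: int) -> set:
    """Byte n-grams present in every encoding: the only candidates for a
    static signature covering all variants."""
    sets = [{b[i:i + n] for i in range(len(b) - n + 1)} for b in blobs]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for name, seq in VARIANTS.items():
        equal = same_effect(VARIANTS["mov"], seq)
        print(f"{name:6} EAX -> {run(seq)['EAX']:#x}  same effect as mov: {equal}")
    print("near miss same effect as mov:", same_effect(VARIANTS["mov"], NEAR_MISS))
    print("bytes shared by all encodings:", shared_ngrams(ENCODINGS.values(), 1))
```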
Metamorphic Algorithm
Confidential
Detection Limitation • Hard to find similar bytes • Unknown length of bytes • Unpredictable code
Metamorphic Engine
64
Raw Ingredients
• Number of instructions to generate
• Registers used per instruction
• Number of bytes
• Pseudorandom value generator
• Instruction generator 1
• Instruction generator 2
• Length of code to encode
65-66
Pseudorandom value generator
Figure labels: ESI = buffer; EDI = malware buffer; address register; code register.
Pseudorandom value generator - function that generates the randomized value
buffer - temporary memory location that collects the metamorphic code, e.g., 0x009c0000
malware buffer - holds the code to be encoded, e.g., 0x01130000
address register (addreg) - randomly selected register that points to the address of the encoded bytes
code register (codereg) - randomly selected register that holds the encoded bytes
67-68
instruction generator 1
eax=0, edi=0, ebx=-1    MOV addreg, xxxx
eax=1, edi=0, ebx=-1    MOV codereg, yyyy
eax=0, edi=2, ebx=-1    SUB addreg, xyxy
eax=1, edi=2, ebx=-1    SUB codereg, yxy
instruction generator 1 - function that generates the initial MOV instructions for both the addreg and codereg registers, e.g., MOV ESI, 6D442 / MOV EDX, 142A. It also generates the subsequent ADD and SUB instructions for the addreg and codereg, e.g., SUB ESI, 0D8D47 / SUB EDX, 6415E / ADD ESI, 1234 / ADD EDX, ABCD.
69
A few more combinations of eax, edi, and ebx registers
70
Combination of Instructions (opcode bytes, hex)
Register   MOV r32, imm32   SUB r32, imm32   ADD r32, imm32
EAX        B8               2D               05
EBX        BB               81 EB            81 C3
ECX        B9               81 E9            81 C1
EDX        BA               81 EA            81 C2
ESI        BE               81 EE            81 C6
EDI        BF               81 EF            81 C7
71-72
instruction generator 2
Figure labels: eax = pseudorandom value replaces the original bytes; number of bytes to encode.
instruction generator 2 - function that generates the final MOV instructions
MOV [addreg], codereg    e.g., MOV [ESI], EDX
Generated Metamorphic Algorithm
74
Reversing Stages
Figure: four stages (A to D) of the infected file's layout, with the labels MZ header, .text 0xbb000, .rsrc 0x01200, metamorphic algorithm 0x06C77, decoded bytes 0x0250, and main functions.
At the entry point, the malware executes its metamorphic algorithm.
75
Metamorphic Algorithm (sample 1)
Figure labels: Entry Point; ~28 kilobytes; call to the decrypted bytes at the start of the .text section.
The size of the metamorphic code varies per infected file. Approximately 28kb of code constitutes the metamorphic algorithm that generates the rest of the malicious code, including the polymorphic algorithm.
76
Metamorphic Algorithm (sample 1)
Figure labels: irrelevant bytes; decrypted bytes; first DWORD; second DWORD; third DWORD.
77
Metamorphic Algorithm (sample 2)
Figure labels: irrelevant bytes; first DWORD; second DWORD; third DWORD; decrypted bytes.
80
Metamorphic Algorithm (comparison)
first DWORD, the store in the two samples: MOV [EDI],ECX vs. MOV [EAX],ESI
81
Metamorphic Algorithm (comparison)
second DWORD, the store in the two samples: MOV [EAX],EBX vs. MOV [EDI],EBX
82
Metamorphic Algorithm (comparison)
third DWORD, the store in the two samples: MOV [EDX],ESI vs. MOV [EBX],ECX
83
Metamorphic Algorithm (detection)
Sequence shared by Sample 1 and Sample 2:
MOV EAX, --------
NOP
JMP 0040108B
Automated Detection
85
FortiSandbox
90
Wrap Up
• For reversing: set a breakpoint at the end of the metamorphic algorithm; copy the decrypted code from memory.
• For detection: get patterns from the decrypted code.
• For cleaning: remove the entries from the registry keys; extract the host file; delete all malicious dropped files.
Merci!