Gary Jones

Ransomware Reverse Engineering Report: Practical Assignment 1

Situation:

This practical assignment focused on analyzing a suspicious malware sample (sample1.exe) using static and dynamic analysis techniques. The objective was to understand its functionality, identify indicators of compromise, and evaluate its impact on a compromised Windows 7 virtual machine.


Obstacles:

  1. Program Execution Requirements:
    • The malware required specific arguments to execute correctly, limiting testing flexibility.
  2. Environmental Dependency:
    • Full malware functionality was observed only on Windows 7 systems, complicating testing on other platforms.
  3. Complex Indicators:
    • The malware exhibited a mix of subtle and overt behaviors, requiring detailed analysis to differentiate malicious intent from benign activity.

Actions Taken:

  1. Static Analysis:
    • Decompiled the malware with PeStudio to examine imported functions, strings, and file sections.
    • Identified suspicious imports (e.g., CreateServiceW, SetEnvironmentVariableA, ShellExecuteW) linked to privilege escalation, process manipulation, and malicious code execution.
    • Analyzed 21,000+ strings, uncovering ransom messages and DiskCryptor-related indicators.
  2. Dynamic Analysis:
    • Executed the malware on a Windows 7 VM with required command-line arguments.
    • Used RegShot to track registry changes and Process Explorer to monitor running processes.
    • Observed the malware creating administrative user accounts, adding new services, and encrypting files.
    • Captured logs indicating the malware's use of DiskCryptor and its persistence mechanisms.
  3. Network Analysis:
    • Monitored traffic with Wireshark, FakeDNS, and INetSim, finding no significant outbound connections but confirming embedded URLs in strings.

Results:

  1. Functionality Confirmed:
    • sample1.exe encrypts the victim’s drives using DiskCryptor, rendering the system inaccessible.
  2. Indicators of Compromise:
    • Created services (dcrypt, DefragmentService), registry modifications, and the ransom message ("You are Hacked !!!!").
    • Installed files in the C:\DC22\ directory, including Mount.exe and netpass.exe.
  3. Connection to Known Ransomware:
    • The malware matches the signature of Mamba ransomware, leveraging DiskCryptor for malicious purposes.
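The service and file indicators listed above, turned into a triage check over RegShot comparison output, as an added example that is not part of the original report or its PDF. It parses the "Keys added", "Values added" and "Files added" sections, flags the dcrypt and DefragmentService service keys, any service ImagePath pointing into C:\DC22\, and files dropped there. The embedded report text is constructed; the section-header layout is assumed to follow RegShot's plain-text comparison format, and the service binary name in it is a placeholder because the report does not name that file.

```python
import re
from collections import defaultdict

# Indicators from the report: services the sample creates, and its drop directory.
WATCHED_SERVICES = {"dcrypt", "defragmentservice"}
STAGING_DIR = "c:\\dc22\\"
# Matches HKLM\SYSTEM\CurrentControlSet\services\<name> and any subkey beneath it.
SERVICE_KEY_RE = re.compile(r"^HK(?:LM|EY_LOCAL_MACHINE)\\SYSTEM\\(?:CurrentControlSet|"
                            r"ControlSet\d+)\\services\\([^\\:]+)", re.IGNORECASE)
SECTION_RE = re.compile(r"^(Keys|Values|Files) (added|deleted|modified): \d+|^Total changes")

def parse_regshot(text):
    # Group a RegShot comparison report into {"Keys added": [...], ...}.
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = f"{m.group(1)} {m.group(2)}" if m.group(1) else None
        elif line and not line.startswith("-") and current:
            sections[current].append(line)
    return sections

def find_mamba_indicators(text):
    """Return (indicator, detail) pairs for entries matching the report's IoCs."""
    sections, findings, seen = parse_regshot(text), [], set()
    for key in sections["Keys added"]:
        m = SERVICE_KEY_RE.match(key)
        if m and m.group(1).lower() in WATCHED_SERVICES - seen:
            seen.add(m.group(1).lower())
            findings.append(("service_created", m.group(1)))
    for value in sections["Values added"]:  # RegShot form: <key>\<name>: <data>
        name, _, data = value.partition(": ")
        if name.lower().endswith("\\imagepath") and STAGING_DIR in data.lower():
            findings.append(("service_binary_in_staging_dir", data.strip('"')))
    for path in sections["Files added"]:
        if path.lower().startswith(STAGING_DIR):
            findings.append(("file_in_staging_dir", path))
    return findings

# Constructed sample in RegShot's layout; the ImagePath binary is a placeholder.
SAMPLE_REPORT = r"""
Keys added: 2
HKLM\SYSTEM\CurrentControlSet\services\dcrypt
HKLM\SYSTEM\CurrentControlSet\services\DefragmentService
Values added: 1
HKLM\SYSTEM\CurrentControlSet\services\DefragmentService\ImagePath: "C:\DC22\placeholder_service.exe"
Files added: 3
C:\DC22\Mount.exe
C:\DC22\netpass.exe
C:\Users\victim\Desktop\notes.txt
Total changes: 6
"""
```

Feed it a real RegShot comparison saved as text; unrelated keys, values and files (such as notes.txt in the sample) are parsed but produce no finding.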

Tool Purpose Overview:

PeStudio:

  • Used for static analysis of executable files, identifying imports, sections, and strings indicative of malicious activity.

RegShot:

  • Monitored registry modifications pre- and post-malware execution, highlighting persistence mechanisms.

Process Explorer:

  • Tracked processes initiated by the malware, confirming the execution of DiskCryptor components.

Wireshark, FakeDNS, INetSim:

  • Assessed network activity to detect potential data exfiltration or communication with external servers.

Dynamic Environment (Windows 7 VM):

  • Provided a controlled setting for observing the malware’s full execution lifecycle.

Recommendations:

  1. Avoid Executing Unknown Files:
    • Implement strict policies against running unverified executables, especially on sensitive systems.
  2. Improve Monitoring and Detection:
    • Deploy endpoint detection systems to identify ransomware-like behaviors (e.g., registry changes, disk encryption tools).
  3. Patch Vulnerable Systems:
    • Regularly update software to mitigate risks from known exploits and malware.
  4. Strengthen User Training:
    • Educate users to recognize phishing attempts and avoid downloading suspicious files.
