Do Math or Windows Dies! – customizing a .NET ransomware

NOTE: the content of this article is educational and informative. The goal is to learn how malware works and how can we identify its capabilities. The author is not responsible for any bad actions derived from the information of the post. The author does NOT ENCOURAGE to execute the sample OUTSIDE OF AN ISOLATED LABORATORY.

In this article we are going to analyze, gut and customize a little screen-locker (a member of ransomware family that locks the machine without encrypt the data). This is a clumsy but effective sample that we will alter to create our own ScreenLocker.

SSHBOT, the cr*ppy ScreenLocker

SSHBOT, also known as P4YME, is an old and unsophisticated malware from ransomware family.

We will use a public sample submited to VirusTotal, where is detected by 54 Anti-virus:

When executed, it restarts the machine and shows this message:

[Read more…]

Mr Natural, an iced meeting in traffic

ISC’ crew have a montly Traffic Analysis Quiz, and I want to practice some Network Forensic Kung-Fu, so allow me to introduce you Mr Natural.

What we have

  • a packet capture (pcap) of infection traffic (let’s keep reading, don’t open it yet!)
  • an image of the alerts shown in Squil (em ok)
  • a text file listing the alerts with a few more details (now this is yummy)
  • a PDF document with answers to the questions below. (SPOILERS!)

What do we know

  • LAN segment range: 10.12.1.0/24 (10.12.1.0 thru 10.12.1.255)
  • Domain: mrnatural.info
  • Domain controller: 10.12.1.2 – MrNatural-DC
  • LAN segment gateway: 10.12.1.1
  • LAN segment broadcast address: 10.12.1.255

What our b0$$ want to know

  1. What is the IP address of the infected Windows host?
  2. What is the MAC address of the infected Windows host?
  3. What is the host name of the infected Windows host?
  4. What is the Windows user account name used on the infected Windows host?
  5. What is the date and time of this infection?
  6. What is the SHA256 hash of the EXE or DLL that was downloaded from 5.44.43.72?
  7. Which two IP addresses and associated domains have HTTPS traffic with “Internet Widgets Pty” as part of the certificate data?
  8. Based on the alert for CnC (command and control) traffic, what type of malware caused this infection?
[Read more…]