Internals of DearCry Ransomware !

Ransomware used to target Microsoft Exchange Servers.

Recently attackers of APT groups started-off targeting Microsoft Exchange Servers after the flaw( 0day ) in the Microsoft exchange servers was published on github. As the 0day exploit is being published on github attackers of APT groups started hacking on MS-Exchange servers by scanning the servers for the 0day vulnerability and ransom’ing servers with the DearCry ransomware. In this blog i will be walking you through the reverse engineering of DearCry ransom where you will be seeing me reversing DearCry ransom for Static and Dynamic Analysis.

Static Analysis (Basic)

Signature Overview.
PE Studio View of DearCry Ransomware.

Static Analysis (Advanced)

Starting off from exports in DearCry Ransomware which is only one.

Start is the only export in DearCry Ransomware.

start function

There are two function in the start function, one is “calc_stack_canary_cookie_and_bof_mitigation function” and another one is “main _app” function.

calc_stack_canary_cookie_and_bof_mitigation function

This function is being used for calculating stack cookies and buffer overflow mitigation.

call graph & code of calc_stack_canary_cookie_and_bof_mitigation function.

main_app function

It’s the main function, where firstly the heap is being created using “heap_create” , throughout this main module there is the functions like “anti_dbging_laoding_dlls_checks” & “anti_dbg_load_dlls_thread_ops” are being used as anti-debugging and for loading dlls and handling threads operations.

Disassembly Call Graph and code of main_app function.

anti_dbging_loading_dlls_checks function

This module makes calls to “callr_anti_debigging_checks_and_loading_dlls” & what this module does is that same kinda behaviour analysis on system environment on which the ransom is being debugged and the same function load dlls. & another function which is being called in this module is that “load_dlls_callr” which is the deployed for the loading dlls that loads dynamic linked library in the infected system.

Disassembly Call Graph and code of anti_dbging_loading_dlls_checks function.

scrambling function

what this module does is that it scramble up the data present in the infected system.

Disassembly Call Graph and code of scrambling function.

anti_dbg_load_dlls_thread_ops function

In this module, mainly what happens in this is, it has three functions “callr_anti_debigging_checks_and_loading_dlls” , “anti_debigging_checks_and_loading_dlls” & “thread_ops”. Where first function in it is a function which calls a function “anti_debigging_checks_and_loading_dlls” in which the anti debugging checks & loading of dlls happens. Lastly, the function “thread_ops” is being deployed in this function where the thread operations happens.

Disassembly Call Graph and code of anti_dbg_load_dlls_thread_ops function.

anti_debugging_checks_and_loading_dlls function

In this function, using “anti_debugging_checks” the anti debugging happens whereas using the function “main_app_of_loading_dlls” dlls are being loaded.

Disassembly Call Graph and code of anti_debugging_checks_and_loading_dlls function.

thread_ops function

To get the thread value functions like TlsGetValue is being used whereas using the GetModuleHandleW function handle is being retrieved using this function & using “load_module_after_sleep” module is being loaded after execution of sleep.

Disassembly Call Graph and code of thread_ops function.

main function

In the main function, fake “msupdate” service is being started whereas their are two functions in this module which are “RSA_encryption_ops” and “encryption_service_ops” are being used.

Disassembly Call Graph and code of main function.

RSA_encryption_ops function

In this function, “encryption_service_ops” is used for starting the service.

Disassembly Call Graph and code of RSA_encryption_ops function.

encryption_service_ops function

This the function which is being used for starting the services for encrypting data on infected system.

Graph of encryption_service_ops function.

Some of the other interesting functions related to encryption/decryption keys operations , encryption/decryption operations.

exporting_key function

This function is used for exporting key for encryption key using CryptExportKey().

Disassembly Graph of exporting_key function.

encryption_decryption function

In this function, the encryption and decryption of data of victim infected system is being handled.

Disassembly Graph of encryption_decryption function.

key_ops function

This function is being used for carrying out key operation.

Disassembly Graph of key_ops function.

private_key_generation function

This function is being deployed for generating private key.

Disassembly Graph of private_key_generation function.

Algorithms used for DearCry Ransomware are RSA and CALG_SHA1 .

Use of CALG_SHA1 algorithm in DearCry Ransomware.
Use of RSA algorithm in DearCry Ransomware.

Dynamic Analysis (Advanced)

For the DearCry Ransom i had set the following breakpoints:-

…..:- start

……:- main_app

……:- exporting_key_function

……:- fill_up_cache and other following breakpoints are shown below

Breakpoints set for dynamic analysis of DearCry Ransom.

First off the debugger hits at the function in the start module which is “Anti_Analysis_and_Anti_VM_checks”.

Graph and Text view of Debug View during dynamic analysis of DearCry Ransomware.

As we debug the DearCry Ransom further we will see it falling in the “Anti_Analysis_and_Anti_VM_checks” function.

Here is the Text and Graph View of Debugger falling inside the Anti_Analysis_and_Anti_VM_checks function is shown.

In further debugging we will see that the debugger hits at the function “main_app” present in the start function.

Here is the Text and Graph view of debugger hitting at the main_app function is shown.

As debugging further DearCry Ransom, we see that debugger jumps inside the main_app function.

Here is the Text and Graph view of debugger jumping inside the main_app function.

on further debugging an exception is raised as shown.

Exception Raised during debugging.

On the further debugging, debugger hits inside the following database as shown below.

Debugger hitting inside the database.

Then after that, debugger hits at the function “fill_up_cache”.

Debugger hits at the function “fill_up_the_cache”.

Then soon after that the debugger hits at the function “callr_of_heavy_val_loader” who function is to load heavy bits in the cache of infected victim system.

Debugger hitting at the callr_of_heavy_vals_loader” function.

Then after that the debugger hits at the function “RSA_Key_Ops” in which the encryption/decryption key operations happens on the system using RSA algorithm.

Debugger jumping into the RSA_Key_Ops function.

As debugging continues, the debugger hits at the “private_key_generation” function in which the private key is being generated.

Debugger hits at the function “private_key_generation”.

As the move in further debugging , we encounter with debugger hitting at the “file_ops” function.

Debugger hits at the “file_ops” function.

Indicators of Compromise (IOCs) & Detection

T1176, T1081 .

Att&ck IDs detected by Any Run Sandbox.
Att&ck Mitre Techniques produced by Joe Sandbox.

MD5: cdda3913408c4c46a6c575421485fa5b .

SHA-1: 56eec7392297e7301159094d7e461a696fe5b90f

SHA-256:

e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6

YARA Signature

Yara Signature for DearCry Ransomware.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence , malware analysis, APTs , network intrusions and incident responding.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store