Reversing Conti Ransomware

Static and Dynamic Analysis.

Introduction:

In this particular blog Arkbird and i are analyzing the two versions of Conti Ransomware Version 2 (v2) and Version 3 (v3).

Conti Ransom (v2) Analysis:

Static Analysis(Basic):

Hash’s:

Hash’s of Conti v2 Ransom.

Libraries:

lib’s used in Conti Malware.

Strings:

Strings found during static analysis of Conti Ransom v2.

Imports:

Static Analysis(Advanced)

entry function:

Firstly,here in entry function the stack operations are happening by stack operations i mean function “stack_ops” is being performing the task on stack like in and out flow of data from stack. Then, after that in the “scarambling” function this data in being scrambled to several times by the “xor operations” and operations on this data by “in and out” flow of data in loops. Then certainly after retrieving the version information of targeted system ,that retrieving of the some module handle is being fetched for “encrypting (xor ops) and heap operations” the data flowing in the system deploying the “xor_and_heap_ops” function and it all passed to “iVar4" for further the conditional check to zero and if it gets satisfied then afterwards function “write_payload_fetch_some_module_abort_ps” is being executed to write the payload into the memory and some modules from the memory are being fetched for aborting the process and it all took place in particular memory space then afterwards the “ivar4” is being given the “kernel32_exploiting” function which does the exploitation of the 32-bit kernel present in the infected victim system, after doing all of this, same xor and “in and out flow of data” is being done in the “scrambling” function.

For the persistent mechanism:

“for staying up in the memory” ,the “startup information ” of infected system is being travelling to the C2 (Command ad Control Server) and this information is also being stored in “iVar4" for the further conditional check to satisfied it to zero then the “write_payload_pop_from_counter_reg” function executes for the further exploitation of system by loading(writing) the payload into memory and pop out the bytes from the counter register. Then just after that the execution of payload is being getting the command line string and it being loading the environment variables for the further infection by using the function “set_env_variables” and just after the setting up of the environment variables. The loading of the modules before encrypted [ i.e load_encrypted_module function] them is being loaded into the “iVar4” for the conditional check satisfying to zero. Then the same ops follows ups for execution of the “write_payload_pop_from_counter_reg” function after that the “unhooking_and_scramble_ops function” is also passed into the same “iVar4” for the same conditional check and the same function as described earlier here. Since we are describing the scenario of the infection by Conti Ransomware it has do deal with encrypting the system files and folders and data present in the memory locations sort of execute the same module again in the memory with the negative values in the memory as for the memory corruption of the system.

At lastly, the end of the entry function of Conti Ransomware, the encrypting of some files and folders are being occurring using “xor_func_smthg_encrypt” and also then the hiding its operations using the “hook_around” module is being taking place and just after it the “callr_of_cs_ps_&unhooking_ops” is being taking place.Lastly with access violation of memory location values the “0xfffffffff” and “0x40ed18” and then lastly all of it happens in the memory of infected system it free up the stack with “free_up_stack” function.

code of entry function of Conti v2 ransom.
Graph of entry function of Conti v2 ransom.

stack_ops function:

In this particular function named “stack_ops”, stack operations are being happening as preciously as these operations are affecting the stack registers.

Code of stack_ops function.
Graph of stack_ops function.

scrambling function:

Moving on to the “scrambling” function . Here the conditional check is being performed in which the if satisfied the some data is being freed from the stack.

code of scrambling function.
Graph of scrambling function.

xor_and_heap_ops function:

Here, in this one, “xor_and_heap_ops” function a call to the “HeapCreate” function is being made , and it has been creating the heap then afterwards of if conditional check, the “encrypt_xor_ops_or_ops” encryption with help of the “xor” instruction will take place and then pop out of several data from memory will happen. And lastly after that Heap will get destroyed by calling function “HeapDestroy”.

code of xor_and_heap_ops function.
graph of of xor_and_heap_ops function.

write_payload_fetch_some_module_abort_ps function:

Here in this function, this function mainly make two calls to “write_payload” and other to the “fetch_module_ps_addr_abort_ps” where both of these functions the payload is written in the memory by first function and whereas in the second function module is being fetched and it abort the process happening in the system.

code of write_payload_fetch_some_module_abort_ps function.
graph of of write_payload_fetch_some_module_abort_ps function.

load_kernel32_fetch_thread_ps_info function:

Here in this function, kernel32.dll is being loaded using the “GetModuleHandleA” and it is passed to the “iVar2” variable which is the 32 bit variable. And also the “GetProcAddress” fetching the address of the process. and lastly the thread related details from the system are being extracted.

code of load_kernel32_fetch_thread_ps_info function.
graph of load_kernel32_fetch_thread_ps_info function.

scrambling function:

In this function, the stack_ops with the in and out flow of data from the loop is happening then lastly the free’ing up of space of memory from stack is being happening with help of “free_up_stack”.

code of scrambling function.
graph of scrambling function.

get_startup_info_of_sys function:

Using this function, Conti Ransom will be fetching system information and along with that Files information is being fetched.

code of get_startup_info_of_sys function.
graph of get_startup_info_of_sys function.

write_payload_pop_from_counter_reg function:

This function writes the payload and pops out some of the data from the memory.

code of write_payload_pop_from_counter_reg function.
graph of write_payload_pop_from_counter_reg function.

unhooking_scarmble_ops function:

In this function unhooking of the specific data stored in the memory and processes is being data which leads to the crash of several processes and data-set stored in the form of pages in memory of system. Along with it, stack_ops and heap ops is being carried out so that memory is being crashes easily by the malicious executable and lastly the “sramble_it_up” function is being called for the tasking and looping in and out flow of data form loops and mess it up.

code of unhooking_scarmble_ops function.
graph of unhooking_scarmble_ops function.

encrypting function:

Its the encrypting function of “Conti Ransom” in which the main xor’ing or encrypting is being happening.

code of encrypting function.
graph of of encrypting function.

xor_func_smnthg_encrypt function:

Similar case here as like “encrypting” function.

code of xor_func_smnthg_encrypt function.
graph of of xor_func_smnthg_encrypt function.

hook_around function:

In this function hooking technique is being applied which suggests that hiding of the process will occur by this function.

graph of hook_around function.

callr_of_cs_ps_ops_unhooking function:

Here, the call to the process and critical section operation with the same unhooking technique is occurring.

code of callr_of_cs_ps_ops_unhooking function.
graph of callr_of_cs_ps_ops_unhooking function.

call_cs&ps_ops function:

caller of critical section and process operation function has been occurring.

code of call_cs&ps_ops function.
graph of of call_cs&ps_ops function.

free_up_stack function:

here in this function space of memory is being freed from the stack.

code of free_up_stack function.
graph of of free_up_stack function.

Conti Ransom (v3) Analysis:

Static Analysis(Basic):

Hash’s:

Hash’s of Conti ransom v3.

Imports:

Imports of Conti Ransom v3.

Static Analysis(Advanced)

entry function:

Code of entry function of Conti ransom v3.
Graph of entry function of v3 Conti Ransom.

fetch_sys_info function:

code of fetch_sys_info function.
Graph of of fetch_sys_info function.

encrypt_xor_ops function:

code of encrypt_xor_ops function.
Graph of encrypt_xor_ops function.

pop_scamble_or_xor:

code of pop_scamble_or_xor function.
Graph of pop_scamble_or_xor function.

main function:

graph of main function.

pop_rg_vals_from_stack function:

code of pop_rg_vals_from_stack function.
graph of pop_rg_vals_from_stack function.

Dynamic Analysis:

While running .exe dynamically following are the IPs that are hosting this ransom.

C2 server:

malware traffic from these IPs.

Yara Signature for v3 Conti Ransom Detection:

Yara Rule credit : Arkbird

Yara Signature’s for different samples we have analyzed

Conti Ransom (v1) yara Signature:

Conti Ransom (v2) yara signature:

Conti Ransom (v3) yara signature:

Conti Ransom super yara signature:

Conclusion:

As from our discussion, we can conclude that main part of (v2) loader is very much similar to emotet and its not much likely to focus on whereas it had become difficult to analyze the sample in October as it shows that this Conti Ransom Group had been very active during that time interval and had migrated to (v3).

That’s all for today.

Honey. Malware Analyst. I write blogs related to threat intelligence , malware analysis, APTs , network intrusions and incident responding.