Static and Dynamic Analysis.
In this particular blog Arkbird and i are analyzing the two versions of Conti Ransomware Version 2 (v2) and Version 3 (v3).
Conti Ransom (v2) Analysis:
Firstly,here in entry function the stack operations are happening by stack operations i mean function “stack_ops” is being performing the task on stack like in and out flow of data from stack. Then, after that in the “scarambling” function this data in being scrambled to several times by the “xor operations” and operations on this data by “in and out” flow of data in loops. Then certainly after retrieving the version information of targeted system ,that retrieving of the some module handle is being fetched for “encrypting (xor ops) and heap operations” the data flowing in the system deploying the “xor_and_heap_ops” function and it all passed to “iVar4" for further the conditional check to zero and if it gets satisfied then afterwards function “write_payload_fetch_some_module_abort_ps” is being executed to write the payload into the memory and some modules from the memory are being fetched for aborting the process and it all took place in particular memory space then afterwards the “ivar4” is being given the “kernel32_exploiting” function which does the exploitation of the 32-bit kernel present in the infected victim system, after doing all of this, same xor and “in and out flow of data” is being done in the “scrambling” function.
For the persistent mechanism:
“for staying up in the memory” ,the “startup information ” of infected system is being travelling to the C2 (Command ad Control Server) and this information is also being stored in “iVar4" for the further conditional check to satisfied it to zero then the “write_payload_pop_from_counter_reg” function executes for the further exploitation of system by loading(writing) the payload into memory and pop out the bytes from the counter register. Then just after that the execution of payload is being getting the command line string and it being loading the environment variables for the further infection by using the function “set_env_variables” and just after the setting up of the environment variables. The loading of the modules before encrypted [ i.e load_encrypted_module function] them is being loaded into the “iVar4” for the conditional check satisfying to zero. Then the same ops follows ups for execution of the “write_payload_pop_from_counter_reg” function after that the “unhooking_and_scramble_ops function” is also passed into the same “iVar4” for the same conditional check and the same function as described earlier here. Since we are describing the scenario of the infection by Conti Ransomware it has do deal with encrypting the system files and folders and data present in the memory locations sort of execute the same module again in the memory with the negative values in the memory as for the memory corruption of the system.
At lastly, the end of the entry function of Conti Ransomware, the encrypting of some files and folders are being occurring using “xor_func_smthg_encrypt” and also then the hiding its operations using the “hook_around” module is being taking place and just after it the “callr_of_cs_ps_&unhooking_ops” is being taking place.Lastly with access violation of memory location values the “0xfffffffff” and “0x40ed18” and then lastly all of it happens in the memory of infected system it free up the stack with “free_up_stack” function.
In this particular function named “stack_ops”, stack operations are being happening as preciously as these operations are affecting the stack registers.
Moving on to the “scrambling” function . Here the conditional check is being performed in which the if satisfied the some data is being freed from the stack.
Here, in this one, “xor_and_heap_ops” function a call to the “HeapCreate” function is being made , and it has been creating the heap then afterwards of if conditional check, the “encrypt_xor_ops_or_ops” encryption with help of the “xor” instruction will take place and then pop out of several data from memory will happen. And lastly after that Heap will get destroyed by calling function “HeapDestroy”.
Here in this function, this function mainly make two calls to “write_payload” and other to the “fetch_module_ps_addr_abort_ps” where both of these functions the payload is written in the memory by first function and whereas in the second function module is being fetched and it abort the process happening in the system.
Here in this function, kernel32.dll is being loaded using the “GetModuleHandleA” and it is passed to the “iVar2” variable which is the 32 bit variable. And also the “GetProcAddress” fetching the address of the process. and lastly the thread related details from the system are being extracted.
In this function, the stack_ops with the in and out flow of data from the loop is happening then lastly the free’ing up of space of memory from stack is being happening with help of “free_up_stack”.
Using this function, Conti Ransom will be fetching system information and along with that Files information is being fetched.
This function writes the payload and pops out some of the data from the memory.
In this function unhooking of the specific data stored in the memory and processes is being data which leads to the crash of several processes and data-set stored in the form of pages in memory of system. Along with it, stack_ops and heap ops is being carried out so that memory is being crashes easily by the malicious executable and lastly the “sramble_it_up” function is being called for the tasking and looping in and out flow of data form loops and mess it up.
Its the encrypting function of “Conti Ransom” in which the main xor’ing or encrypting is being happening.
Similar case here as like “encrypting” function.
In this function hooking technique is being applied which suggests that hiding of the process will occur by this function.
Here, the call to the process and critical section operation with the same unhooking technique is occurring.
caller of critical section and process operation function has been occurring.
here in this function space of memory is being freed from the stack.
Conti Ransom (v3) Analysis:
While running .exe dynamically following are the IPs that are hosting this ransom.
Yara Signature for v3 Conti Ransom Detection:
Yara Signature’s for different samples we have analyzed
Conti Ransom (v1) yara Signature:
Conti Ransom (v2) yara signature:
Conti Ransom (v3) yara signature:
Conti Ransom super yara signature:
As from our discussion, we can conclude that main part of (v2) loader is very much similar to emotet and its not much likely to focus on whereas it had become difficult to analyze the sample in October as it shows that this Conti Ransom Group had been very active during that time interval and had migrated to (v3).
That’s all for today.