Wednesday, June 1, 2016

Playing with Ransomware crypto

 

Sample: https://www.virustotal.com/gui/file/ae43de989c9f0dc03437866457fb378487d773e03caa39d3968369fd4fe01c92

In this post we will see how to use a ransomware’s own methods to encrypt and decrypt given strings.

For this task, firstly we will check whether this ransomware method is easy to locate, looking at the Smali produced:


As we can see, there’s a reference to a method named decrypt coming from class DU, receiving a String as argument.

Although we might think that this method alone will prove sufficient, it will not. We need to be able to reproduce the whole thing, and in this case we will need to convert a string to a Bytearray, so there must be other methods…

Luckily for us, after decompiling the dex file, we see a class named DU and that’s the first logical place to look at.


Voilà! This is quite interesting, we can see a whole class along with its methods… Still, there’s a visible error in the generated .java file.

static final {

 DU.strDefaultKey = "national";

}

This will give us problems when compiling the code back, so we are going remove it completely and just leave it as:

// package com.h...  <- Remove this line 

private static String strDefaultKey = "national"; 

public DU() throws Exception {

 this(strDefaultKey);

}

public DU(String arg4) ...


Now, going further we can see how the decrypt method was indeed split into two methods:

Firstly, it will call hexStr2ByteArr, returning the given string as a Byte[] array.

Secondly, it will call the byte [] decrypt method, finally applying the doFinal which decrypts the given bytearray.

We can also take a look to hexStr2ByteArr method:

public static byte[] hexStr2ByteArr(String arg7) throws Exception {

     byte[] v1 = arg7.getBytes();

     int v2 = v1.length;

     byte[] v3 = new byte[v2 / 2];

     int v0;

     for(v0 = 0; v0 < v2; v0 += 2) {

     v3[v0 / 2] = ((byte)Integer.parseInt(new String(v1, v0, 2), 16));

  }

 return v3;

 }

With this, we will be able to do a few operations… What we are going to do is create a encrypted string with the default key, and they get it back to its original state.

Inside DU class, we are going to type:

public static void main(String [] args) {

 DU du = new DU("national");

 try {

   System.out.println(du.encrypt("entdark at medium"));

 } catch (Exception e) {

   e.printStackTrace();

   }

}

This will generate the following string:

22afda34a0c7f6d3ea628d4531f6555f0e5242f1a809b7ea

Now suppose that all your files have been encrypted, and the master key to decrypt them would be this generated key. Is there a way to get it back one it’s in this state? Of course there is!

public static void main(String [] args) {

 DU du = new DU("national");

 try {

   System.out.println(du.decrypt("22afda34a0c7f6d3ea628d4531f6555f0e5242f1a809b7ea"));

 } catch (Exception e) {

   e.printStackTrace();

   }

}

$ java DU

> entdark at medium

As you can see, we have managed to retrieve the original text. Now, let’s look at a sample in the application:

v0.des = new DU(“flower”);

 s v4 = v0;

 try {

 v4.des = new DU(v0.des.decrypt(“c29fe56fa59ab0db”));

 }

 catch(Exception v4_1) {

 }

Don’t be afraid of variable names, obfuscated applications, even the one’s which have gone through ProGuard have weird names, just get the feeling of what it does.

What we see is that it instances DU, using the key flower instead of national. Afterwards, it calls the decrypt method and passes c29fe56fa59ab0db as argument.

We will now repeat the process using the argument to call decrypt and as master key flower, resulting in the “xxx” string. We can still go a bit further, see as ‘xxx’ will be used as key, then there will be a putString method setting up a passwd field. In this case, it will be using “8bbcaabcf07766f16259ad95b7d607e2”, now just go ahead and change the key and the string to decrypt; the generated output will be:

“小陌轩1314” (Little Mo Xuan 1314)

This is all for now folks, of course this is a very basic overview of what we can do; it is usually harder to find how applications generates crypto. Even in this application, there’s a password field generated through Math.random, making it hard to know what the seed will be, still we have gotten far with what we have!

Zanubis updates their list of targets, author nickname

 In recent changes the actors behind the Zanubis banking trojan have broadened their list of targets: The basic configuration has been updat...