cat _posts/2019-04-22-sepsis-en.md

windows malware analysis

Analysis of the Sepsis ransomware

I began writing this report when no comparable analysis was available online. I also presented it at the 2600 Kazakhstan cybersecurity meetup.

MalwareHunterTeam first discovered the malware on May 14, 2018. I downloaded the sample from VirusShare; a copy is also available here. Its hashes are:

MD5 1221ac9d607af73c65fd6c62bec3d249

SHA1 518d5a0a8025147b9e29821bccdaf3b42c0d01db

SHA256 3c7d9ecd35b21a2a8fac7cce4fdb3e11c1950d5a02a0c0b369f4082acf00bf9a

I analyzed the sample on 64-bit Windows 7 Ultimate SP1. The goal was to determine not only what the malware does, but how it performs each malicious action.

Sepsis is ransomware; the screenshot below shows the damage caused by its execution.

aftermath

All files have been encrypted and renamed with the suffix [Sepsis@protonmail.com].SEPSIS. The Windows VM has also crashed.

Static analysis

First, open the file in PPEE with the FileInfo plugin.

Virustotal

VirusTotal reported that 51 of 68 antivirus engines detected the file as malicious. Next, we inspect its suspicious strings.

suspicous

The string -KEY- … - END PUBLIC KEY- appears to be part of the public key used for encryption.

Another string looks like an argument passed to cmd.exe:

admin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

admin.exe delete shadows /all /quiet deletes system backups to prevent recovery of encrypted files.

bcdedit.exe /set {default} recoveryenabled no disables recovery mode.

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures prevents the Windows Error Recovery screen from appearing.

Next, inspect the URL strings.

PPEE-urls

The string

http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a >

suggests that the victim will be asked to buy Bitcoin and will be given instructions for doing so.

Now inspect the registry strings.

ppee-registry

Pay particular attention to Software\Classes\mscfile\shell\open\command. The Software\Classes registry branch maps file types to their handlers. The malware may therefore register a command that runs whenever an .msc file is opened. Other strings suggest that it may also modify Winlogon behavior, which controls interactive logon and logoff.

The PE headers appear normal.

PPEE reveals nothing else of interest. Tools like PPEE are useful for initial triage, but they rarely provide a complete picture. Strings may be inserted as decoys, decrypted at runtime, or constructed dynamically. The classic strings utility can extract plain text, while FireEye’s more capable FLOSS can also recover many obfuscated strings.

Because FLOSS produces a large amount of output, redirect it to a file:

floss sepsis.bin > c:\floss_output.txt

Open the resulting file. It contains an HTML document with the following content:

`<body>`
    `<div class='header'>`
	`<div style='color:yellow'>Welcome to Sepsis Ransomware!</div>`
		`<div style='color:blue'>All your files have been encrypted!</div>`
	`</div>`
    `<div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>Sepsis@protonmail.com</span></div>	 <div class='bold'>Write this ID in the title of your message <span class='mark'>16E734E0</span></div>`
	 `<div class='bold'>In case of no answer in 24 hours write us to theese e-mails:<span class='mark'>sepsis@airmail.cc</span></div>`
    `<div>`
		`The price depends on how fast you write to us. You have to pay for decryption in Bitcoins. After payment we will send you the decryption tool that will decrypt all your files.`
	`</div>`
	`<div class='note info'>`
      `<div class='title'>Free decryption as guarantee</div>`
		`<ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)	    </ul>`
    `</div>`
    `<div class='note info'>`
      `<div class='title'>How to obtain Bitcoins</div>`
      `<ul>`
        `The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. `
          `<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>`
		  `<br> Also you can find other places to buy Bitcoins and beginners guide here:`
          `<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a>`
      `</ul>`
    `</div>`
    `<div class='note alert'>`
      `<div class='title'>Attention!</div>`
      `<ul>`
        `<li>Do not rename encrypted files.</li>`
        `<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>`
        `<li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li>`
      `</ul>`
    `</div>`
  `</body>`

This appears to be the ransom note displayed after file encryption. The output also contains SeDebugPrivilege, suggesting that the malware may access other processes. The eventvwr.exe string points to a possible privilege-escalation attempt. Finally, we see what looks like a list of directory names:

Windows MSOCache Perflogs DVD Maker Internet Explorer Reference Assemblies Windows Defender Windows Mail Windows Media Player Windows NT Windows Sidebar Startup Temp Program Files Program Files (x86)

These directories are probably excluded from encryption.

Open the file in PEiD to check whether it is packed.

PEiD

Detect It Easy indicates that the program was written in C or C++, making it a good candidate for decompilation with Hex-Rays in IDA.

DIE

Imported libraries and functions can provide clues about the malware’s behavior without executing it. This technique is less useful for packed files, but this sample exposes its imports.

DIE-Import

crypt32.dll provides cryptographic functions, while advapi32.dll includes registry-related APIs.

Dynamic analysis

The following pseudocode summarizes Sepsis’s execution flow:

1 if (elevated)
2     copy_to(C:\Windows\svchost.exe)
3     add_to_autorun()
4     exec(C:\Windows\svchost.exe)
5     sleep()
6 else
7     copy_to(%TEMP%\svchost.exe)
8     add_to_autorun()
9 if (!elevated)
10    run_as_elevated()
11    sleep()
12 if (run_first)
13    run_first = FALSE
14 else
15    exit()
16 encrypt_all_data()
17 if (elevated)
18    wipe_backups()
19 set_process_critical()
20 rename_all_files()
21 show_user_manual()
22 exit()

At lines 1, 9, and 17, the malware checks whether it is running with elevated privileges by calling GetTokenInformation with the TokenElevation information class.

isElevated

On the first, presumably non-elevated execution, the malware copies itself to the temporary directory as svchost.exe (line 7).

It then establishes persistence (line 8) by adding %TEMP%\svchost.exe to HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.

Winlogon manages interactive user sessions, including logon and logoff. During logon, it starts the program configured in the Shell value, which causes the malware to run.

At line 9, the malware checks its privileges again. If it is not elevated, it attempts privilege escalation (line 10) by writing to HKCU\\Software\\Classes\\mscfile\\shell\\open\\command. This registry key controls the command invoked for .msc files. The malware then launches eventvwr.exe, a Windows utility that starts Microsoft Management Console (mmc.exe) and opens an .msc file. Because eventvwr.exe was configured for automatic elevation on the tested Windows version, this technique could bypass the UAC consent prompt and launch a second, elevated Sepsis instance. The first instance sleeps at line 11 while the elevated instance continues. After waking and performing the check at line 12, the first instance exits at line 15. Sepsis distinguishes instances by creating a mutex named HJG> <JkFWYIguiohgt89573gujhuy78 ^ * (& (^ & ^ $ and checking whether it can be opened.

We can now examine the elevated instance. The initial execution establishes persistence and triggers elevation. Once elevated, the malware silently copies itself to C:\Windows\svchost.exe.

After CopyFile returns, the copy at C:\Windows\svchost.exe has the same hash as the original sample.

At line 16, Sepsis encrypts files except those in the following directories:

Windows MSOCache Perflogs DVD Maker Internet Explorer Reference Assemblies Windows Defender Windows Mail Windows Media Player Windows NT Windows Sidebar Startup Temp Program Files Program Files (x86)

The public key identified during static analysis is imported.

Files are encrypted with CryptEncrypt.

At line 18, the malware deletes existing backups by running the command identified earlier:

/c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures.

This prevents the victim from recovering encrypted files through normal system recovery mechanisms.

At line 19, Sepsis calls the undocumented RtlSetProcessIsCritical function to mark its process as critical. When the malware finishes and terminates its own process, Windows crashes and reboots because a critical process has exited.

At line 20, Sepsis creates a thread for each available drive and renames files outside the excluded directories listed above.

At line 21, it creates the HTML ransom note shown earlier and displays it to the victim.

System recovery and IOCs

Delete %TEMP%\svchost.exe and C:\Windows\svchost.exe.

A distinctive indicator for this sample is the mutex name:

"HJG> <JkFWYIguiohgt89573gujhuy78 ^ * (& (^ & ^ $"

TOP