
AgendaRansomware Malware Analysis
Note: I usually analyze malware and write randomly to remember my progress. Most of my reports are not detailed or clean - they're more like a diary.
Day 1
I wanted to analyze my first ransomware to learn something new and chose AgendaRansomware (I don't really know why). This is a 1.6MB rustc-compiled binary. At first sight, it appeared that there was no obfuscation and it would be easy to analyze, but later I discovered something disrupting static analysis. So far, I've found two issues:


Ghidra can't disassemble because of these two additions made to the malware, but luckily it's easy to fix. I'll just write a script to replace all of them with "NOP" and the issue will (probably) be solved.
Initial Analysis
I found that we have to provide --password <pass> to the binary, otherwise it won't execute. That password is actually used later as login credentials to a domain in the Tor network to request the cipher/tool to decrypt files (by paying for it).
The malware also provides us with logs:
[WARNING] Cannot open service: [BrokerInfrastructure]: 5
Service [CryptSvc] stopped
Service [CryptSvc] disabled
Service [DoSvc] stopped
[WARNING] Cannot disable [DoSvc]: 5
[WARNING] Cannot stop [netprofm]: 1061
Service [netprofm] disabled
[WARNING] Cannot stop [netprofm]: 1061
Service [netprofm] disabled
[WARNING] Cannot stop [NlaSvc]: 1051
Service [NlaSvc] disabled
[WARNING] Cannot stop [EventLog]: 1051
Service [EventLog] disabled
[WARNING] Cannot open service: [gpsvc]: 5
[WARNING] Cannot open service: [MDCoreSvc]: 5
[WARNING] Cannot open service: [mpssvc]: 5
[WARNING] Cannot stop [netprofm]: 1061
Service [netprofm] disabled
[WARNING] Cannot stop [NlaSvc]: 1051
Service [NlaSvc] disabled
And more logs detailing which files it encrypted, etc.
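The service log above has a fixed shape, so it can be triaged mechanically. This is an added example, not code from the original write-up: it parses the malware's own "Service [...]"/"[WARNING] Cannot ..." lines, maps the Win32 error codes seen there (5, 1051, 1061) to their winerror.h names, and flags the services whose loss matters most to defenders (that list is the analyst's choice, not something the sample reports). The sample lines embedded below are copied from the output above.

```python
import re
from collections import Counter

# Win32 error codes that appear in the ransomware's own log output (winerror.h names)
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED",
                1051: "ERROR_DEPENDENT_SERVICES_RUNNING",
                1061: "ERROR_SERVICE_CANNOT_ACCEPT_CTRL"}

# Services whose loss hurts detection/response most (analyst's choice, not from the sample)
DEFENSE_SERVICES = {"EventLog": "Windows Event Log",
                    "mpssvc": "Windows Defender Firewall",
                    "MDCoreSvc": "Microsoft Defender Core"}

FAIL_RE = re.compile(r"^\[WARNING\] Cannot (open service:|stop|disable) \[([^\]]+)\]: (\d+)$")
OK_RE = re.compile(r"^Service \[([^\]]+)\] (stopped|disabled)$")


def parse_line(line):
    """Turn one log line into a dict, or None for lines in another format."""
    m = FAIL_RE.match(line.strip())
    if m:
        action, svc, code = m.groups()
        return {"ok": False, "action": action.rstrip(":"), "service": svc,
                "code": int(code), "error": WIN32_ERRORS.get(int(code), "UNKNOWN")}
    m = OK_RE.match(line.strip())
    if m:
        svc, action = m.groups()
        return {"ok": True, "action": action, "service": svc}
    return None


def summarize(lines):
    """Aggregate which services were stopped/disabled, which attempts failed and why."""
    out = {"stopped": set(), "disabled": set(), "failures": [],
           "error_counts": Counter(), "defense_impact": {}}
    for ev in filter(None, map(parse_line, lines)):
        if ev["ok"]:
            out[ev["action"]].add(ev["service"])
            if ev["action"] == "disabled" and ev["service"] in DEFENSE_SERVICES:
                out["defense_impact"][ev["service"]] = DEFENSE_SERVICES[ev["service"]]
        else:
            out["failures"].append((ev["action"], ev["service"], ev["error"]))
            out["error_counts"][ev["error"]] += 1
    return out


# Sample lines taken from the log output shown above (a subset)
SAMPLE = """[WARNING] Cannot open service: [mpssvc]: 5
Service [CryptSvc] stopped
Service [CryptSvc] disabled
Service [DoSvc] stopped
[WARNING] Cannot disable [DoSvc]: 5
[WARNING] Cannot stop [EventLog]: 1051
Service [EventLog] disabled
[WARNING] Cannot stop [netprofm]: 1061
Service [netprofm] disabled""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Error 5 on the open/disable calls tells you which services the sample could not touch at its privilege level, which is useful when reconstructing what actually happened on a victim host.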
Ransom Note
The README-RECOVER-
-- Qilin
Your network/system was encrypted.
Encrypted files have new extension.
-- Compromising and sensitive data
We have downloaded compromising and sensitive data from your system/network.
If you refuse to communicate with us and we do not come to an agreement, your data will be published.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in SolidWorks format
- And more...
-- Warning
1) If you modify files - our decrypt software won't be able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore your files.
4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions.
-- Recovery
1) Download Tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials
-- Credentials
Extension: MmXReVIxLV
Domain: ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion
login: 6f031ccd-526a-4806-82a8-2e7d926243d4
password: test
Technical Observations
After walking through the binary a little, I found that "CreateThread" functions play a big role in the malware. In some parts of the malware, payloads are "hidden" and the malware uses "CreateThread" to start execution from these addresses. In Ghidra, they are not disassembled - instead, they're shown as "DATA".
My main purpose with this malware is finding out how the files are encrypted. Additionally, the malware also disables some services and chooses which files to encrypt (by comparing extensions), which I might look into more deeply.
What I discovered from dynamic analysis is that the malware uses the EnterCriticalSection API to check file extensions and encrypt if it doesn't conflict.
Day 2
Today I got a little closer to success, as I found where the malware decrypts strings. Luckily, it doesn't re-encrypt them afterwards, so I can dump them all. This will help a lot.


Note: I will dump as many strings as possible (all of them), save them in a file, and store them in the GitHub repo.
API Hooking Technique
Additionally, I found that the malware uses GetProcAddress to get the NtWriteFile address and call it in a stealthy way. Here's exactly how it works:

The malware overwrites the function (a placeholder stub) with the address returned for "NtWriteFile", so the next time it calls that function it goes straight to NtWriteFile without an import-table entry or a visible call. The same technique is used for other functions too, like NtReadFile, NtCreateKeyedEvent...
Encryption Process
The encryption process follows this sequence:
- NtCreateFile: Get file handle
- NtQueryInformationVolume, NtQueryInformationFile: Check the file extension (e.g., .exe) and compare with blacklisted extensions to decide whether to encrypt or not
- NtCloseFile: Close file handle
- NtReadFile: Read contents and encrypt them
- NtWriteFile: Write encrypted content
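Both observations above (native APIs resolved at runtime via GetProcAddress, and the per-file call order) are things a sandbox or API-monitor trace can be checked for. This is an added example, not code from the write-up: it takes a trace as a list of (api, args) tuples, lists which Nt* exports were looked up dynamically, and reports the files whose calls contain the write-up's create/query/close/read/write sequence in order. The trace format and the sample trace are constructed for the example; NtCloseFile is kept as the name the write-up uses for the close call.

```python
# Call order described in the write-up (other calls may be interleaved between these)
ENCRYPT_SEQUENCE = ["NtCreateFile", "NtQueryInformationFile",
                    "NtCloseFile", "NtReadFile", "NtWriteFile"]


def dynamically_resolved_native_apis(trace):
    """Nt* names the sample looked up with GetProcAddress instead of importing."""
    return sorted({args["name"] for api, args in trace
                   if api == "GetProcAddress" and args.get("name", "").startswith("Nt")})


def files_matching_sequence(trace, sequence=ENCRYPT_SEQUENCE):
    """Paths whose calls contain `sequence` in order; a path can match more than once."""
    progress = {}  # path -> index of the next call we expect for that path
    hits = set()
    for api, args in trace:
        path = args.get("path")
        if path is None:
            continue
        i = progress.get(path, 0)
        if api == sequence[i]:
            i += 1
            if i == len(sequence):
                hits.add(path)
                i = 0
        progress[path] = i
    return sorted(hits)


def triage(trace):
    return {"resolved_native_apis": dynamically_resolved_native_apis(trace),
            "files_with_encrypt_pattern": files_matching_sequence(trace)}


# Constructed trace: one document that goes through the full sequence, and one
# .exe that is opened and inspected but skipped after the extension check.
SAMPLE_TRACE = [
    ("GetProcAddress", {"module": "ntdll.dll", "name": "NtWriteFile"}),
    ("GetProcAddress", {"module": "ntdll.dll", "name": "NtReadFile"}),
    ("GetProcAddress", {"module": "kernel32.dll", "name": "CreateThread"}),
    ("NtCreateFile", {"path": r"C:\docs\report.docx"}),
    ("NtQueryInformationFile", {"path": r"C:\docs\report.docx"}),
    ("NtCloseFile", {"path": r"C:\docs\report.docx"}),
    ("NtCreateFile", {"path": r"C:\Windows\notepad.exe"}),
    ("NtQueryInformationFile", {"path": r"C:\Windows\notepad.exe"}),
    ("NtCloseFile", {"path": r"C:\Windows\notepad.exe"}),
    ("NtReadFile", {"path": r"C:\docs\report.docx"}),
    ("NtWriteFile", {"path": r"C:\docs\report.docx"}),
]

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```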
The flags that can be configured before running the ransomware are: skip, step, n, p, fast, accounts. In my version of Agenda ransomware, there is no guide on how to use them, and some flags that are available in newer versions are not available to me. Example usage: ./ransomware.exe --password test "skip: 10; fast"
Encryption Function
In my version of Agenda ransomware, the encryption function is located at 0x42edf0 and takes its arguments in registers instead of on the stack. The decompiled function is around 875 lines long, which would be a waste of time to analyze line by line, but it is the main encryption function, and analyzing it will also reveal the key itself.
