Sample 1: unpacking the CTB-LOCKER ransomware (ctb-locker)

Source: Internet
Author: User


I. Introduction to the virus

The CTB-LOCKER ransomware was first found abroad and consists of two parts: a downloader and the component that encrypts documents. The virus author disguises the downloader as an e-mail attachment (a .scr file or a similar format) and sends it to employees or executives of some large companies. When a recipient downloads the attachment, decompresses it and runs it, as shown in the figure, many files on the computer are encrypted, the ransom prompt in figure 1 appears and the desktop wallpaper is replaced (figure 2).





II. Virus information

Virus: Trojan-Downloader.Win32.Cabby.cbtj

Sample name: ranking.scr

Sample size: 28672 bytes

Sample MD5: AB29C66146FEE3A7EC055B1961087256

Sample SHA1: BF377E3CD54B9EF3FC0EBCA2240DE4A49638A883


 

III. Unpacking the virus

The CTB-LOCKER ransomware is composed of two parts; for now only the downloader is analysed. The disassembly of the downloader contains a large number of junk instructions, which makes it hard to get started: the junk is there to hinder analysts. The sample is still worth working through, however.

Although there are a lot of junk instructions, the packer itself behaves quite regularly, and the PE file obtained after unpacking is relatively easy to disassemble.

Below is the sample loaded directly into OllyDbg (OD):



Unpacking this CTB-LOCKER sample in OD follows an obvious pattern: set F2 breakpoints on jump instructions such as jmp and on the key call instructions, run with F9, and at each new stop set breakpoints on the next jmp and call instructions in the same way, until an indirect jump such as jmp [eax] appears; that jump is then single-stepped carefully, because it is the one that hands control to the unpacked code. As follows:





Go to address 00401DF4, set breakpoints on the jump and key call instructions as described above, and run with F9:





Repeat the above steps and keep debugging dynamically:



When dynamic debugging reaches the code shown below, unpacking is not far away:







Finally, the target instruction jmp dword ptr ds:[ESI]:









After some persistence we finally find the address at which the target PE file sits in memory and from which it is dumped: 008F0000.



Select all of the binary data in memory starting at address 008F0000 and copy it:



With the PE file's memory data copied, create a new blank file in WinHex, paste (Ctrl+V) the copied binary data into it, and save it:





Capturing memory page by page like this is tiring. There is also a one-step way to dump the target PE file: set breakpoints on the VirtualProtect and VirtualProtectEx functions, which the unpacking stub calls to make the freshly written image executable before jumping into it:





Run the program with F9. When the breakpoint hits, the target PE file can be obtained from memory using the manual dump method described above.
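The dump step above (copy everything from 008F0000 into a blank file) produces an image laid out by virtual address, but its section headers still describe the on-disk layout, so IDA or OD will read the wrong bytes unless the headers are realigned first. The following Python script is an added example, not part of the original article or of the sample: it performs that realignment on a constructed minimal PE32 image by setting each section's PointerToRawData to its VirtualAddress, SizeOfRawData to the alignment-rounded VirtualSize, FileAlignment to SectionAlignment, and optionally AddressOfEntryPoint to the OEP RVA reached behind the final jmp dword ptr [esi]. The image contents and the OEP value 0x1040 are assumptions for the demo; on a real dump you pass the bytes saved from WinHex and the OEP RVA you observed (OEP address minus the dump base).

```python
"""Realign a PE32 image dumped from process memory so a disassembler loads it.

Added example (not from the original article). The dump is laid out by
virtual address but its section headers still carry on-disk raw offsets.
The PE image built below is constructed sample data; OEP RVA 0x1040 is assumed.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550    # 'PE\0\0'
SECTION_HEADER_SIZE = 40

def _nt_header_offset(image):
    """Validate the MZ/PE signatures and return e_lfanew."""
    if struct.unpack_from('<H', image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if struct.unpack_from('<I', image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('missing PE signature')
    return e_lfanew

def parse_sections(image):
    """Return one dict per section header (PE32 layout assumed)."""
    nt = _nt_header_offset(image)
    nsections = struct.unpack_from('<H', image, nt + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from('<H', image, nt + 20)[0]      # SizeOfOptionalHeader
    first = nt + 24 + opt_size
    sections = []
    for i in range(nsections):
        off = first + i * SECTION_HEADER_SIZE
        name = image[off:off + 8].rstrip(b'\0').decode('ascii', 'replace')
        vsize, vaddr, rawsize, rawptr = struct.unpack_from('<IIII', image, off + 8)
        sections.append({'name': name, 'vsize': vsize, 'vaddr': vaddr,
                         'rawsize': rawsize, 'rawptr': rawptr, 'hdr_off': off})
    return sections

def section_bytes(image, name):
    """Read a section the way a file loader does: through PointerToRawData."""
    for s in parse_sections(image):
        if s['name'] == name:
            return bytes(image[s['rawptr']:s['rawptr'] + s['rawsize']])
    raise KeyError(name)

def entry_point_rva(image):
    nt = _nt_header_offset(image)
    return struct.unpack_from('<I', image, nt + 40)[0]          # AddressOfEntryPoint

def fix_memory_dump(image, oep_rva=None):
    """Return a copy of the dump with raw offsets/sizes equal to the virtual ones."""
    out = bytearray(image)
    nt = _nt_header_offset(out)
    section_align = struct.unpack_from('<I', out, nt + 56)[0]   # SectionAlignment
    # The dump is already laid out on SectionAlignment; make FileAlignment match.
    struct.pack_into('<I', out, nt + 60, section_align)
    for s in parse_sections(out):
        # Round VirtualSize up to the alignment, but never past the end of the dump.
        size = (s['vsize'] + section_align - 1) & ~(section_align - 1)
        size = min(size, len(out) - s['vaddr'])
        struct.pack_into('<II', out, s['hdr_off'] + 16, size, s['vaddr'])  # SizeOfRawData, PointerToRawData
    if oep_rva is not None:
        struct.pack_into('<I', out, nt + 40, oep_rva)          # header still named the packer stub
    return bytes(out)

# Constructed sample: a minimal PE32 as it sits in memory (not the real malware).
TEXT_CODE = b'\x55\x8b\xec\x33\xc0\x5d\xc3'   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
DATA_BLOB = b'constructed .data contents\0'

def build_memory_image():
    img = bytearray(0x3000)
    struct.pack_into('<H', img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', img, 0x3C, 0x40)                     # e_lfanew
    nt = 0x40
    # IMAGE_FILE_HEADER: i386, 2 sections, SizeOfOptionalHeader 0xE0, EXECUTABLE|32BIT
    struct.pack_into('<IHHIIIHH', img, nt, IMAGE_NT_SIGNATURE, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = nt + 24
    struct.pack_into('<H', img, opt, 0x10B)                     # PE32 magic
    struct.pack_into('<I', img, opt + 16, 0x1000)               # AddressOfEntryPoint = packer stub
    struct.pack_into('<I', img, opt + 28, 0x00400000)           # ImageBase
    struct.pack_into('<II', img, opt + 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into('<II', img, opt + 56, 0x3000, 0x400)       # SizeOfImage, SizeOfHeaders
    sec = opt + 0xE0
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (raw values are stale on-disk offsets)
    struct.pack_into('<8sIIII', img, sec, b'.text', len(TEXT_CODE), 0x1000, 0x200, 0x400)
    struct.pack_into('<8sIIII', img, sec + 40, b'.data', len(DATA_BLOB), 0x2000, 0x200, 0x600)
    img[0x1000:0x1000 + len(TEXT_CODE)] = TEXT_CODE             # bytes live at their VAs
    img[0x2000:0x2000 + len(DATA_BLOB)] = DATA_BLOB
    return bytes(img)

if __name__ == '__main__':
    dump = build_memory_image()
    print('before fix, .text via raw pointer:', section_bytes(dump, '.text')[:7].hex())
    fixed = fix_memory_dump(dump, oep_rva=0x1040)
    print('after fix,  .text via raw pointer:', section_bytes(fixed, '.text')[:7].hex())
```

Before the fix, reading .text through its raw pointer returns zero padding from the header area; after it the real code bytes come back, which is exactly the difference between a dump IDA refuses to analyse sensibly and one it loads cleanly. Import resolution (rebuilding the IAT) is a separate step not covered here.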



IV. Virus analysis

Now the unpacked sample can be analysed at leisure, in OD or IDA as you prefer:





That is all for now; comments and criticism are welcome.

