Let's Learn: Deep Dive Into Magniber Ransomware PEB Traversal Function

Goal: Reverse the latest Magniber ransomware with the focus on its PEB traversal function, which resolves hardcoded hashes to APIs.
Original infector: a4100b682b2b63374e4ed2fc937d9b96
Decoded payload: f51a5b8ee6a5f25aa293911702a37a34

  • The ransomware served by Magnitude Exploit Kit (EK), named “Magniber,” specifically targets individuals in the Republic of Korea. Magniber checks via GetSystemDefaultUILanguage that the potential victim’s system default language is Korean (code: 0x0412); if it is not, the ransomware terminates. Magniber generates a unique command-and-control (C2) server and ransom note website for each victim, only giving a valid response if the victim’s public IP address is located in South Korea.
#Magniber #Ransomware new variant via #MagnitudeEK with extension “.wmfxdqz”, evolved and is obfuscated now - still targets South Korea.
Thx! @hasherezade @jeromesegura
MD5: a4100b682b2b63374e4ed2fc937d9b96 pic.twitter.com/b1BultusoG
— Marcelo Rivero (@MarceloRivero) December 13, 2017

Malwarebytes’ @hasherezade and FireEye researchers have previously covered Magniber’s cryptography and basic functionality in detail. The scope of this post is to unpack the ransomware with the focus on its PEB traversal function, which resolves hardcoded hashes to APIs.
I. Unpacking Magniber ransomware
II. Victim ID generation function
III. The PEB traversal function resolving hashes to API
IV. Indicators of compromise
I. Unpacking malware
Extract the first-layer Magniber ransomware payload after it decodes and injects itself via WriteProcessMemory. This step is rather trivial: it consists of simply dumping the buffer in OllyDbg.
II. Victim ID generation function
The very first function Magniber performs right after “start,” its main entry point, is the victim ID generation function, which iterates over 0-9 in one helper and over a-z in another. The argument passed to the function is 19, the length of the returned victim ID string. It is an interesting way to generate victim IDs: GetTickCount-based helpers pick characters from [0-9a-z] until the string reaches 19 characters.
The C++ function is as follows:
_WORD *__cdecl generator_19_victim_id_string(int a1)
{
  HANDLE v1;
  _WORD *v3;
  int i;

  v1 = GetProcessHeap();
  v3 = HeapAlloc(v1, 8u, 2 * a1 + 2);         // 8 = HEAP_ZERO_MEMORY; a1 wide chars plus a terminator
  for ( i = 0; i < a1; ++i )
  {
    if ( get_tick_count_func(0, 1) )          // coin flip: digit or letter for this position
      v3[i] = get_tick_count_func('0', '9');
    else
      v3[i] = get_tick_count_func('a', 'z');
  }
  v3[a1] = 0;                                 // NUL-terminate the 19-character victim ID
  return v3;
}
III. The PEB traversal code resolving hashes to APIs
Here, we observe an interesting Magniber ransomware technique for traversing the Process Environment Block (PEB).
The PEB is a user-mode data structure that applications can use to obtain information such as the list of loaded modules, the process startup arguments and the heap address, amongst other useful data. MSDN documents the PEB structure in more detail.
The malware obtains the PEB via __readfsdword(0x30) (fs:[30h]) and walks the list of loaded modules. For each module it hashes the base DLL name, then hashes every exported function name (pFunctionName) with a ROTR macro implementing a 32-bit rotate-right by 13, and compares the sum of the module hash and the function hash with the hardcoded value.
By and large, this PEB traversal function lets the malware resolve APIs from hashes and avoid the usual LoadLibrary and GetProcAddress sequence, which basic anti-virus detection looks for. In this case, the ransomware resolves all of its Advapi32 cryptography, registry and Internet API calls this way.
Notably, this PEB traversal is almost an exact copy of the GitHub code belonging to the project “Position Independent Code Bindshell.”
The function’s C++ code is as follows:
int __cdecl resolve_api_by_hash(int a1)
{
  int pFunctionName;
  int v3;
  int v4;
  int v5;
  _DWORD *pdwFunctionNameBase;
  int v7;
  int v8;
  unsigned int dwFunctionHash;
  int dwModuleHash;
  int v11;
  _BYTE *pTempChar;
  unsigned int i;
  unsigned int j;

  v7 = *(_DWORD *)(*(_DWORD *)(__readfsdword(0x30) + 0xC) + 0xC); // fs:[0x30] = PEB; PEB+0xC = Ldr; Ldr+0xC = InLoadOrderModuleList.Flink
  while ( *(_DWORD *)(v7 + 0x18) )              // while ( pDataTableEntry->DllBase != NULL )
  {
    dwModuleHash = 0;
    v8 = *(_DWORD *)(v7 + 0x18);                // pDataTableEntry->DllBase (pModuleBase)
    v3 = *(_DWORD *)(v7 + 0x2C);                // pDataTableEntry->BaseDllName.Length | MaximumLength << 16
    v4 = *(_DWORD *)(v7 + 0x30);                // pDataTableEntry->BaseDllName.Buffer
    v5 = *(_DWORD *)(*(_DWORD *)(v8 + 0x3C) + v8 + 0x78); // pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress; dwExportDirRVA
    v7 = *(_DWORD *)v7;                         // pDataTableEntry = InLoadOrderLinks.Flink (next module)
    if ( v5 )                                   // dwExportDirRVA != 0
    {
      for ( i = 0; i < HIWORD(v3); ++i )        // calculate module hash over BaseDllName.MaximumLength bytes
      {
        pTempChar = (_BYTE *)(i + v4);
        v11 = (dwModuleHash << 19) | ((unsigned __int64)(unsigned int)dwModuleHash >> 13); // dwModuleHash = ROTR32( dwModuleHash, 13 )
        if ( (signed int)*(_BYTE *)(i + v4) < 'a' )
          dwModuleHash = v11 + *pTempChar;      // dwModuleHash += *pTempChar
        else
          dwModuleHash = v11 + *pTempChar - ' '; // dwModuleHash += *pTempChar - 0x20 (fold lowercase to uppercase)
      }
      pdwFunctionNameBase = (_DWORD *)(*(_DWORD *)(v5 + v8 + 0x20) + v8); // (PDWORD)((PCHAR)pModuleBase + pExportDir->AddressOfNames)
      for ( j = 0; j < *(_DWORD *)(v5 + v8 + 0x18); ++j ) // for ( i = 0; i < pExportDir->NumberOfNames; i++ )
      {
        dwFunctionHash = 0;
        pFunctionName = v8 + pdwFunctionNameBase[j]; // (PCSTR)(AddressOfNames[j] + (ULONG_PTR)pModuleBase)
        pTempChar = (_BYTE *)pFunctionName;
        do
          dwFunctionHash = ((dwFunctionHash << 19) | ((unsigned __int64)dwFunctionHash >> 13)) + *pTempChar++; // dwFunctionHash = ROTR32( dwFunctionHash, 13 ) + *pTempChar
        while ( *(pTempChar - 1) );             // the terminating NUL is hashed as well
        if ( dwModuleHash + dwFunctionHash == a1 )
          return *(_DWORD *)(*(_DWORD *)(v5 + v8 + 28) + v8 + 4 * *(_WORD *)(*(_DWORD *)(v5 + v8 + 36) + v8 + 2 * j))
               + v8;                            // pModuleBase + AddressOfFunctions[AddressOfNameOrdinals[j]]
      }
    }
  }
  return 0;
}

The PEB traversal function is leveraged 18 times to import and resolve the following hashes to their respective functions:

(Table: Function Location | Hash | Resolved API)
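To label such hardcoded constants in a sample, an analyst can recompute the same ROTR13 hash over candidate module and export names and look the constants up. The Python below is an added example (not Magniber’s code nor the bindshell project’s) that re-implements the hash from the decompiled function above and resolves a constructed list of hashes; it assumes BaseDllName.MaximumLength is Length + 2, so the module hash covers the UTF-16LE name plus one two-byte terminator.

```python
# Added example: ROTR13 API hash as used by resolve_api_by_hash, for labelling constants in a sample.
MASK = 0xFFFFFFFF

def ror13(value):
    """32-bit rotate right by 13; the decompiled code inlines it as (x << 19) | (x >> 13)."""
    return ((value >> 13) | (value << 19)) & MASK

def module_hash(base_dll_name):
    """Hash of the PEB entry's BaseDllName. The loop walks MaximumLength bytes of the UTF-16LE
    buffer, so the zero high byte of each character and the two-byte terminator are hashed too
    (assumes MaximumLength == Length + 2), and bytes >= 0x61 are folded to uppercase."""
    h = 0
    for b in base_dll_name.encode("utf-16-le") + b"\x00\x00":
        h = ror13(h)
        h = (h + (b - 0x20 if b >= 0x61 else b)) & MASK
    return h

def function_hash(export_name):
    """Hash of the ASCII export name; the do/while hashes the terminating NUL as well."""
    h = 0
    for b in export_name.encode("ascii") + b"\x00":
        h = (ror13(h) + b) & MASK
    return h

def api_hash(module, export):
    """The value compared against a1 in resolve_api_by_hash: module hash + function hash, 32-bit."""
    return (module_hash(module) + function_hash(export)) & MASK

def build_table(candidates):
    """Map hash -> 'module!export' for every (module, exports) pair the analyst supplies."""
    return {api_hash(m, e): f"{m}!{e}" for m, exports in candidates for e in exports}

def resolve(hashes, table):
    """Label each constant pulled from the sample; unknowns stay flagged for a wider candidate list."""
    return {h: table.get(h, "UNKNOWN") for h in hashes}

# Constructed candidate list; extend it with the full export tables of the DLLs the sample loads.
CANDIDATES = [
    ("kernel32.dll", ["LoadLibraryA", "GetTickCount", "GetProcessHeap", "HeapAlloc"]),
    ("advapi32.dll", ["CryptAcquireContextW", "CryptImportKey", "CryptEncrypt", "RegOpenKeyExW"]),
]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    # Constructed input standing in for constants read at the call sites.
    sample_hashes = [0x0726774C, api_hash("advapi32.dll", "CryptEncrypt"), 0xDEADBEEF]
    for h, name in resolve(sample_hashes, table).items():
        print(f"0x{h:08X} -> {name}")
```

Because lowercase bytes are folded to uppercase, the lookup works regardless of whether the loaded module's BaseDllName is stored as "KERNEL32.DLL" or "kernel32.dll".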
IV. Indicators of Compromise
Default AES_KEY:

Initialization vector:


The list of the decoded subdomains is as follows:

Tor Domain:
The list of whitelisted directories is as follows:
[':\\documents and settings\\all users\\', ':\\documents and settings\\default user\\', ':\\documents and settings\\localservice\\', ':\\documents and settings\\networkservice\\', '\\appdata\\local\\', '\\appdata\\locallow\\', '\\appdata\\roaming\\', '\\local settings\\', '\\public\\music\\sample music\\', '\\public\\pictures\\sample pictures\\', '\\public\\videos\\sample videos\\', '\\tor browser\\', '\\$recycle.bin', '\\$windows.~bt', '\\$windows.~ws', '\\boot', '\\intel', '\\msocache', '\\perflogs', '\\program files (x86)', '\\program files', '\\programdata', '\\recovery', '\\recycled', '\\recycler', '\\system volume information', '\\windows.old', '\\windows10upgrade', '\\windows', '\\winnt']
Targeted extensions:

Article Link: http://www.vkremez.com/2017/12/lets-learn-studying-magniber-ransomware.html