Reversing HiddenTear Ransomware!
Analysis of a .NET ransomware sample from the “Ryzerlo” malware family.
Intezer Report: https://analyze.intezer.com/analyses/0762ca51-f301-4dc2-9f3c-786cffd0437a#ttp-section
Static Analysis (Basic)
[Figures: signature overview of the file; file information; PE Studio view of HiddenTear Ransomware.]
Static Analysis (Advanced)
Starting off with the Main function, which lives in the Program class inside the namespace hidden_tear.
[Figure: dnSpy view of the “Main” function in class “Program” in namespace “hidden_tear”.]
Inside the Main function, three functions of the Application class are called:
:- EnableVisualStyles
:- SetCompatibleTextRenderingDefault
:- Run
[Figure: the three functions called in class Application.]
The Application class handles the basic operations of running this application, chiefly operations related to processes, threads and application information, all of which run inside the victim's system.
Moving on to the three functions called through the Application class.
The first function is EnableVisualStyles.
This function sets up the visuals for HiddenTear Ransomware.
[Figure: EnableVisualStyles function.]
At the beginning of this function a call is made to FileIOPermission. To create confusion for the analyst, a flag called “m_unrestricted” is created, which passes the boolean value 1 or 0 as the state.
[Figure: FileIOPermission function.]
The PermissionState enum defines the state of the permission: Unrestricted is assigned 1 and None is assigned 0.
[Figure: PermissionState enumeration.]
Further into the function we encounter the enum FileIOPermissionAccess, in which the “AllFiles” member is defined; this is where the access to files is defined.
[Figure: enum FileIOPermissionAccess.]
Continuing through EnableVisualStyles(), three control-flow blocks are executed: try, finally and if. In the finally block the exceptions are created.
Lastly, this function activates the theme styling by calling “EnableVisualStylesInternal”.
[Figures: EnableVisualStylesInternal function; theme activation code for HiddenTear Ransomware.]
Now moving on to the second function, “SetCompatibleTextRenderingDefault”, also called through the Application class. In this function a conditional “if” statement is created for raising an exception.
[Figure: SetCompatibleTextRenderingDefault function.]
Inside the conditional “if” check, the NativeWindow function is deployed to dispose of the residue left in cache memory by NativeWindow after syncing the event handler to the C&C server.
[Figure: NativeWindow function.]
Here comes the main function, “Run”.
[Figures: Main function of HiddenTear Ransomware; InitializeComponent of HiddenTear Ransomware.]
Main class: Form1
In this function the main operations, AES encryption and decryption, take place.
Dynamic Analysis (Basic)
Dynamic Analysis (Advanced)
IOCs:
MD5: 477e66eb6c969823890eaa56105a3801
SHA-1: 75647c701d04f64dbea02eead7a693ae8b7dcbc8
SHA-256: ab67847cf268c5dba3796b0c022148da53a39b857061fe93a9d704c9844647d8
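As an added defender-side example (my own code, not from the original article), a small Python triage script that hashes a candidate file, compares it with the IOC hashes listed above, and looks for the .NET strings discussed in the static analysis: the hidden_tear namespace, the Form1 class and the _CorExeMain entry point every .NET executable imports from mscoree.dll. The marker list and the verdict thresholds are my assumptions.

```python
import hashlib

# IOC hashes exactly as listed in the article
IOC_HASHES = {
    "md5": "477e66eb6c969823890eaa56105a3801",
    "sha1": "75647c701d04f64dbea02eead7a693ae8b7dcbc8",
    "sha256": "ab67847cf268c5dba3796b0c022148da53a39b857061fe93a9d704c9844647d8",
}

# Assumption: string markers taken from the static analysis above plus the CLR
# entry point every .NET executable imports. .NET metadata stores namespace and
# type names as UTF-8 in the #Strings heap, so a plain byte search finds them.
NET_MARKERS = {
    "namespace hidden_tear": b"hidden_tear",
    "class Form1": b"Form1",
    "CLR entry _CorExeMain": b"_CorExeMain",
}


def hash_bytes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage(data: bytes) -> dict:
    """Classify a file image: known IOC hit, HiddenTear-like .NET PE, or clean."""
    hashes = hash_bytes(data)
    ioc_hit = any(hashes[k] == v for k, v in IOC_HASHES.items())
    is_pe = data[:2] == b"MZ"            # DOS stub magic of a PE file
    found = sorted(name for name, pat in NET_MARKERS.items() if pat in data)
    if ioc_hit:
        verdict = "known HiddenTear sample (hash IOC match)"
    elif is_pe and len(found) == len(NET_MARKERS):
        verdict = "suspicious: .NET PE with HiddenTear artefacts"
    else:
        verdict = "no HiddenTear indicators"
    return {"hashes": hashes, "ioc_hit": ioc_hit, "is_pe": is_pe,
            "markers": found, "verdict": verdict}


def triage_file(path: str) -> dict:
    """Read a file from disk and triage it."""
    with open(path, "rb") as fh:
        return triage(fh.read())
```

Run it as `triage_file("suspect.exe")` on a quarantined copy; a hash hit is conclusive for this sample, while the string verdict only flags a build worth a closer look in dnSpy.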
MITRE ATT&CK Matrix [TTPs]
[Figure: MITRE ATT&CK TTPs.]
Command and Control (aka C&C/C2):
[Figure: VirusTotal detection.]
YARA Signature:
Thanks for reading.
Article Link: https://medium.com/@0xthreatintel/reversing-hiddentear-ransomware-dd7baeff62a6?source=rss-a15183055fd6------2