1. Background
1.1 The Babuk ransomware family
https://www.acronis.com/en-eu/blog/posts/babuk-ransomware/
██████╗ ██████╗ ██████╗ ███████╗ ██████╗ ███████╗██╗ █████╗ ██╗ ██╗ ██╗██╗██╗
██╔═══██╗██╔═══██╗██╔══██╗██╔════╝ ██╔══██╗██╔════╝██║ ██╔══██╗╚██╗██╔╝ ██║██║██║
██║ ██║██║ ██║██████╔╝███████╗ ██████╔╝█████╗ ██║ ███████║ ╚███╔╝ ██║██║██║
██║ ██║██║ ██║██╔═══╝ ╚════██║ ██╔══██╗██╔══╝ ██║ ██╔══██║ ██╔██╗ ╚═╝╚═╝╚═╝
╚██████╔╝╚██████╔╝██║ ███████║ ██║ ██║███████╗███████╗██║ ██║██╔╝ ██╗ ██╗██╗██╗
╚═════╝ ╚═════╝ ╚═╝ ╚══════╝ ╚═╝ ╚═╝╚══════╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝╚═╝╚═╝
What happened?
---------------------------------------------------------------
Your computers and servers have been encrypted, which is fundamentally different from normal file damages.
And you can save yourself the trouble of going to the internet to find a way to decrypt them, because unless you pay the ransom.
Even if God comes, he will not be able to help you recover them!

What guarantees?
---------------------------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
You can contact us to test an unimportant encrypted file and we will decrypt it to prove that we have the ability to decrypt them.

How to canotact us?
---------------------------------------------------------------
Your encryption ID: 7
gui):
You can contact us at the email address below:
[email protected]
[email protected]

How to Pay?
---------------------------------------------------------------
Please pay $20000 worth of bitcoins(BTC) to the address below:
bc1qz23mpc3qdy02jzw64xw9zhe4s275un40efsd2l
We will send you the decryption program after we confirm your payment.
---------------------------------------------------------------
***** WARNING: You have up to 7 days to consider whether or not to make a payment, so hurry or you may lose your files and data forever, And, we will make all your data available to the Internet.
1.2 Source
https://twitter.com/vxunderground/status/1433758742244478982?s=46&t=7D_QCICAVCcsuuaq3z_Tkw
https://github.com/Hildaboo/BabukRansomwareSourceCode/tree/main
The leaked source contains three malware variants for different system types (Linux, NAS and Windows); this article analyses the Windows variant.
2 Overall behaviour
2.1 Behaviour demonstration
2.2 Key distribution (Builder.exe)
2.3 Dropped files
2.4 Flowchart
2. Malicious file analysis
2.1 Logic analysis
3. Key generation program
3.1 Reverse engineering (keygen.exe)
4. Windows source code analysis
4.1 Flowchart
4.1 Encryptor (e_win)
4.2 Stopping services
vss,sql,svc$,memtas,mepocs,sophos,veeam,,backup,GxVss,,GxBlr,GxFWD,GxCVD,GxCIMgr,DefWatch,ccEvtMgr,ccSetMgr,SavRoam,RTVscan,QBFCService,QBIDPService,Intuit.QuickBooks.FCS,,QBCFMonitorService,YooBackup,YooIT,zhudongfangyu,sophos,stc_raw_agent,VSNAPVSS,VeeamTransportSvc,VeeamDeploymentService,VeeamNFSSvc,veeam,PDVFSService,BackupExecVSSProvider,BackupExecAgentAccelerator,BackupExecAgentBrowser,BackupExecDiveciMediaService,BackupExecJobEngine,BackupExecManagementService,BackupExecRPCService,AcrSch2Svc,AcronisAgent,CASAD2DWebSvc,CAARCUpdateSvc
4.3 Terminating processes
The TerminateProcess function is used to terminate each of the following processes:
sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe,
xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe,
mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe,
mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe,
visio.exe, winword.exe, wordpad.exe, notepad.exe
4.4 Deleting the system's shadow copies
cmd.exe /c vssadmin.exe delete shadows /all /quiet
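As an added defender-side example (not from the article or the Babuk source), the following Python turns the artefacts of sections 4.2 and 4.4 into a host triage check: which of the listed services are no longer running, and whether a shadow-copy deletion command like the one quoted above appears in recent process command lines. The service snapshot and command lines are constructed sample input; how they are collected (for example Get-Service and Sysmon process-creation events) depends on the environment.

```python
import re

# Service names copied from section 4.2 of the article (empty entries in that list dropped)
_ARTICLE_SERVICES = (
    "vss,sql,svc$,memtas,mepocs,sophos,veeam,backup,GxVss,GxBlr,GxFWD,GxCVD,GxCIMgr,"
    "DefWatch,ccEvtMgr,ccSetMgr,SavRoam,RTVscan,QBFCService,QBIDPService,"
    "Intuit.QuickBooks.FCS,QBCFMonitorService,YooBackup,YooIT,zhudongfangyu,"
    "stc_raw_agent,VSNAPVSS,VeeamTransportSvc,VeeamDeploymentService,VeeamNFSSvc,"
    "PDVFSService,BackupExecVSSProvider,BackupExecAgentAccelerator,BackupExecAgentBrowser,"
    "BackupExecDiveciMediaService,BackupExecJobEngine,BackupExecManagementService,"
    "BackupExecRPCService,AcrSch2Svc,AcronisAgent,CASAD2DWebSvc,CAARCUpdateSvc")
TARGETED_SERVICES = {s.lower() for s in _ARTICLE_SERVICES.split(",")}

# The shadow-copy deletion command quoted in section 4.4, matched loosely (with or without .exe)
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

def stopped_targeted_services(service_states):
    """service_states: {service_name: state} as collected from the host.
    Returns the article-listed services that are not running, sorted by name."""
    return sorted(name for name, state in service_states.items()
                  if name.lower() in TARGETED_SERVICES and state.lower() != "running")

def shadow_deletion_commands(command_lines):
    """Return the command lines that delete shadow copies the way the sample does."""
    return [c for c in command_lines if SHADOW_DELETE.search(c)]

def triage(service_states, command_lines, stop_threshold=3):
    """Combine both signals; several stopped backup/AV services or any deletion is suspicious."""
    stopped = stopped_targeted_services(service_states)
    deletions = shadow_deletion_commands(command_lines)
    return {"stopped_targeted_services": stopped,
            "shadow_deletion_commands": deletions,
            "suspicious": bool(deletions) or len(stopped) >= stop_threshold}

# Constructed sample input (not from the article): a service snapshot and recent command lines
SAMPLE_SERVICES = {"VSS": "Stopped", "VeeamNFSSvc": "Stopped", "AcronisAgent": "Stopped",
                   "Spooler": "Running", "wuauserv": "Running"}
SAMPLE_CMDLINES = ["C:\\Windows\\System32\\svchost.exe -k netsvcs",
                   "cmd.exe /c vssadmin.exe delete shadows /all /quiet",
                   "notepad.exe C:\\Users\\user\\notes.txt"]
```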
4.5 Emptying the system Recycle Bin
4.5.1 Encryption procedure
4.6 Encryption analysis
4.6.1 Algorithm analysis
4.6.1.1 Flowchart
1. First generate a random private key, then derive the corresponding public key (Python 3 form of the author's snippet; the donna25519 package wraps curve25519-donna):
import random
import donna25519

# 32 random printable ASCII bytes serve as the Curve25519 private key
# (random is not a CSPRNG; it reproduces the article's run, not a production key)
private_key = bytes(random.randint(33, 126) for _ in range(32))
donna = donna25519.PrivateKey(secret=private_key)
public_key = donna.get_public().public
print('private_key: ' + private_key.hex())
print('public_key: ' + public_key.hex())
Output of two runs (the first pair is used as Alice's, the second as Bob's):
private_key: 3840763b6b2a68583f7e3d7076224a5b7571217423236f6b233a6b6e68586649
public_key: 0b495944de1f2fa6dfa9fba7f73d53fc47d0c43592a52d4f80e4d7ae34a54556
private_key: 705078776a2f316747502573447255492a513a3653385a3f213674482c495753
public_key: 30c1df51602efdd0eaa2d9f51e87851ecb351d2d555f3ec32cbb76916c74e43b
2. Implement the exchange; first Alice performs the key exchange toward Bob, combining her private key with Bob's public key:
import donna25519

Alice_private_key = bytes.fromhex('3840763b6b2a68583f7e3d7076224a5b7571217423236f6b233a6b6e68586649')
Bob_public_key = bytes.fromhex('30c1df51602efdd0eaa2d9f51e87851ecb351d2d555f3ec32cbb76916c74e43b')
donna = donna25519.PrivateKey(secret=Alice_private_key)
public_key = donna25519.PublicKey(public=Bob_public_key)
share_key = donna.do_exchange(public_key=public_key)  # raw Curve25519 shared secret
print('Alice_public_key: ' + donna.get_public().public.hex())
print('share_key: ' + share_key.hex())
Output:
Alice_public_key: 0b495944de1f2fa6dfa9fba7f73d53fc47d0c43592a52d4f80e4d7ae34a54556
share_key: 7ef8f5be057f00fed06c3b993c0d5b6102d86680c124ebf12f005cf1c22c1f27
3. Assuming Bob has received Alice's public key, implement Bob's side of the exchange with Alice (Bob's private key combined with Alice's public key):
import donna25519

Bob_private_key = bytes.fromhex('705078776a2f316747502573447255492a513a3653385a3f213674482c495753')
Alice_public_key = bytes.fromhex('0b495944de1f2fa6dfa9fba7f73d53fc47d0c43592a52d4f80e4d7ae34a54556')
donna = donna25519.PrivateKey(secret=Bob_private_key)
public_key = donna25519.PublicKey(public=Alice_public_key)
share_key = donna.do_exchange(public_key=public_key)
print('Alice_public_key: ' + Alice_public_key.hex())  # the key Bob received
print('share_key: ' + share_key.hex())
Output:
Alice_public_key: 0b495944de1f2fa6dfa9fba7f73d53fc47d0c43592a52d4f80e4d7ae34a54556
share_key: 7ef8f5be057f00fed06c3b993c0d5b6102d86680c124ebf12f005cf1c22c1f27
Both sides arrive at the same share_key without either private key ever being sent.
4.6.2 Writing the encryption marker
5. Summary
6. Security recommendations
6.1 Risk reduction measures
Asset inventory targets: depending on the actual situation, inspect internal and external network assets in phases.
Service delivery: research interviews, on-site inspection, tool-based scanning.
Key service content: inspection of traffic threat monitoring systems, internet exposure surface scanning, technical hardening, inspection of centralized-control systems.
6.2 Security device tuning
Objective
Main target devices
6.3 Company-wide security awareness improvement
Objective:
Format:
Offline training schedule
1. Provide security awareness training materials, distributed from the top down for study.
2. Organize the relevant staff to learn in online meetings (online training mode).
Originally published on the WeChat public account solar专业应急响应团队 (solar professional incident response team): [Malware Analysis] Analysis of the Babuk ransomware family, .babyk extension series: Windows edition