In this project, I have selected a recently reported ransomware sample from MalwareBazaar for in-depth analysis, aiming to gain hands-on experience in malware research. The objective is to systematically examine the ransomware’s capabilities, attack methodology, and potential impact using a range of analysis techniques and tools.
The analysis is structured into three key phases. The first phase involves setting up an isolated environment to ensure a secure and controlled space for examining the malware. The second phase focuses on static analysis, where the ransomware’s properties, such as file structure, embedded strings, and code patterns, are examined without executing it. The third phase is dynamic analysis, which involves observing the malware’s behavior in a controlled execution environment to understand its functionality, persistence mechanisms, and overall impact.
Each phase follows a structured approach with specific methodologies and tools, leading to key findings that will be discussed in detail throughout this report.
- Malware selection for analysis.
- Setting up the isolated environment.
- Static analysis.
- Dynamic analysis.
For this project, I selected the recently reported ransomware sample below for analysis. More detail about this malware is available on MalwareBazaar.
SHA256: a0cf7860499118926c61f08dc2e6b8701b90f16cf3887aebf79111e6ac2763c6
MD5: b5873a60af597ce01867fede65c2846f
SHA3-384: e0e0726b4ec854e9440b1881355e2bc3a965b46f1636fcbfd08657781c17134beb4641990c5204b780f6b4e156fcd250
File Size: 1076736 bytes
Tags: akira / ransomware / exe
First seen: 2025-02-27 14:51:50 UTC
Last seen: 2025-03-04 14:16:32 UTC
This section of the report describes the configuration of the isolated virtual machine.
For this project, I installed a Windows 10 virtual machine running on the Hyper-V hypervisor.
To isolate the machine further, I disabled Hyper-V's integration services to remove all control of the host over the virtual machine. I also disabled Enhanced Session Mode at both the server and the user level to stop all interaction between host and VM, including file and clipboard transfer.
Although there are many tools that simulate the internet, such as FakeNet-NG and INetSim, and capture every request the malware makes, this malware was reported only recently, so I decided to give the virtual machine a real internet connection while preserving isolation, in order to observe its actual behavior. For that, I created an external-type virtual Ethernet adapter, bound a dedicated physical Ethernet port of the host to that external virtual adapter, and made sure the host itself was completely disconnected from both the physical and the virtual port. Finally, I attached that virtual adapter to the Windows 10 VM.
I re-verified the whole configuration and checked the isolation between the systems by pinging, attempting file and clipboard transfer, and several other methods. I also made sure the hypervisor and Windows 10 were up to date.
The next step was to install FlareVM on the Windows 10 VM to set up all the necessary tools and the environment for malware analysis. I followed every step given in the FlareVM git repository. The installation took about 5 hours to complete.
This section of the report contains the detailed static analysis of the malware executable. All screenshots and the FLOSS output file are stored under the "Static Analysis" directory.
I used a number of tools to perform static analysis on this ransomware, including ExifTool, Exeinfo PE, PE-bear, PEStudio, FLOSS, Strings, CFF Explorer, www.malapi.io, HxD and IDA.
Before performing static analysis on the ransomware, I changed its extension to .malf to prevent accidental execution [fig 1].
File hash:
- sha256: a0cf7860499118926c61f08dc2e6b8701b90f16cf3887aebf79111e6ac2763c6
- MD5: b5873a60af597ce01867fede65c2846f
Filetype: executable, 64-bit
File extension: .exe (MZ...)
Compilation date and time: Thu Jan 16 10:25:08 2025 (UTC)
Digital certificate: not found
File size: 1.03MB
Overlay: No Overlay
Packed: no
Obfuscated: Yes
Characteristics:
- Large address aware
- Terminal server aware
- Dynamic base
- NX compatible
Number of sections: 7 (.text, .rdata, .data, .pdata, _Rdata, .rsrc, .reloc)
Based on the information above, it is clear that the file is obfuscated to hinder reverse engineering. By looking directly at the executable in tools including FLOSS, PE-bear and PEStudio, I found many indicators that clearly denote that this file is ransomware:
- Found the ransom message in clear text. (FLOSS, 010 Editor) [fig 8-12]
Hi friends,
Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption.
Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know:
1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal.
2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help.
3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data.
4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion.
5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us.
If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions:
1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/.
2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/5954206765-VJFFW
3. Use this code - 3741-NY-OYRD-FUKN - to log into our chat.
Keep in mind that the faster you will get in touch, the less damage we cause.
- Found a shell command that deletes the backup (volume shadow) copies residing on the machine through the WMI utility. (PE-bear) [fig 13]
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
- Found a shell command that clears the Windows event logs to hide its activity on the system. (PE-bear) [fig 14]
Get-WinEvent -ListLog * | where { $_.RecordCount } | ForEach-Object -Process{ [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName) }
- Found many strings that again clearly show that it is ransomware. (FLOSS, PEStudio) [fig 15-16]
write_encrypt_info error
(Full) Cipher is not initialize!
(Full) Encrypt exception:
(Full) Cipher error:
file rename failed. System error:
List of drives
Command line to argvW failed!
Init crypto failed!
No cpu available!
Number of thread to root folder parsers =
Number of thread to folder parsers =
Number of threads to encrypt =
ShellExecute failed:
.akira
.arika
akira_readme.txt
Through this static analysis, I did not find any attacker infrastructure information such as IP addresses or domains, other than the single attacker message regarding the ransom. The message invites the victim to join the chat via the Tor Browser at https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/d/5954206765-VJFFW using the code 3741-NY-OYRD-FUKN. If no agreement is negotiated, the attacker may publish the stolen details on their blog at https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion.
Moreover, through static analysis I found that the malware calls various Windows APIs. Below, I map those APIs against the malapi.io website; some of these API calls were also flagged by PEStudio. (FLOSS, PEStudio) [fig 17-19]
api-ms-win-core-datetime-l1-1-1
api-ms-win-core-file-l1-2-2
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
api-ms-win-appmodel-runtime-l1-1-2
EnterCriticalSection, WaitForMultipleObjects, LeaveCriticalSection, WaitForSingleObject, PostQueuedCompletionStatus, GetLastError, SetEvent, TerminateThread, TlsAlloc, CloseHandle, QueueUserAPC, LocalFree, DeleteCriticalSection, TlsFree, FormatMessageA, ReadFile, GetFileSizeEx, SetWaitableTimer, TlsSetValue, SetLastError, WriteFile, InitializeCriticalSectionAndSpinCount, GetQueuedCompletionStatus, GetCurrentThreadId, CreateEventW, SetFileInformationByHandle, DeleteFileW, CancelIoEx, SleepEx, TlsGetValue, CreateIoCompletionPort, CreateFileW, GetFileAttributesW, SetFileAttributesW, GetDriveTypeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, GetCommandLineW, GetStdHandle, WriteConsoleA, GetDynamicTimeZoneInformation, Sleep, GetConsoleMode, GetFileAttributesA, GetSystemInfo, GetCurrentProcessId, GetCurrentProcess, GetProcessId, OpenProcess, ResetEvent, GetLogicalDriveStringsW, MultiByteToWideChar, WideCharToMultiByte, ShellExecuteW, CommandLineToArgvW, CoUninitialize,
CoCreateInstance, CoSetProxyBlanket, CoInitializeEx, PathIsNetworkPathW, WNetGetConnectionW, WTSFreeMemory, WTSEnumerateProcessesW, RmRegisterResources, RmGetList, RmStartSession, RmShutdown, RmEndSession, GetLocaleInfoEx, RtlPcToFileHeader, RaiseException, QueryPerformanceCounter, QueryPerformanceFrequency, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, InitializeConditionVariable, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, GetStringTypeW, WaitForSingleObjectEx, GetExitCodeThread, CreateDirectoryW, FindClose, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, AreFileApisANSI, GetModuleHandleW, GetProcAddress, GetFileInformationByHandleEx, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, EncodePointer, DecodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent,
IsDebuggerPresent, GetStartupInfoW, InitializeSListHead, RtlUnwindEx, FreeLibrary, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetModuleFileNameW, HeapAlloc, HeapReAlloc, HeapSize, HeapFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, ReadConsoleW, GetTimeZoneInformation, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, WriteConsoleW, SetEndOfFile, RtlUnwind
This malware imports its API calls through 9 different libraries, of which PEStudio flagged 4, such as WTSAPI32.dll (Windows Remote Desktop Session Host server APIs) and WS2_32.dll (Windows Sockets library). (PEStudio) [fig 20]
I also found a single manifest file showing the execution level of the malware, which is asInvoker, meaning that the malware's permission to change the system depends on the user who runs it. So, if this malware succeeds in encrypting files that this exe cannot access as that user, it must be using some other technique, such as DLL sideloading or process injection, to accomplish that. We will discuss this in the dynamic analysis. (FLOSS, PEStudio) [fig 21]
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
Through the FLOSS analysis, other than the message, I found some other strings, such as the names of system executables: (FLOSS)
spoolsv.exe, explorer.exe, sihost.exe, fontdrvhost.exe, cmd.exe, dwm.exe, LogonUI.exe, SearchUI.exe, lsass.exe, csrss.exe, smss.exe,
winlogon.exe, services.exe, conhost.exe, System, System Idle Process, Secure System, Registry, Memory Compression, wininit.exe
I think this list of processes might be used to inject code, or it could be the list of processes the malware must not touch in order to maintain the system's integrity.
I also found the following extensions: (FLOSS)
.vdi .vhd .vmdk .pvm .vmem .vmsn .vmsd .nvram .vmx .raw .qcow2 .subvol .bin .vsv .avhd .vmrs .vhdx .avdx .vmcx .iso
These strings come from the FLOSS string analyser. Given the shell command found earlier that deletes shadow copies, I think these are the file types (virtual disk and VM state files) that the malware specifically encrypts or deletes.
I also found many command-line argument options, which shows that the malware dynamically generates commands at runtime. (FLOSS, PE-bear) [fig 13]
--encryption_path
--share_file
--encryption_precent
-local only
-dellog
--exclude
-ep bypass -command
--wz
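The hash, strings, manifest and command-line options listed above can be turned into a repeatable triage check. The following Python script is an added example written for this report; it is not part of the original analysis or of the FLOSS/PEStudio tooling. It scans a file image for the indicator families found above, reads the manifest execution level, and compares the SHA256 with the reported one. SAMPLE_IMAGE is a constructed stand-in, not the real sample, so its hash is expected not to match.

```python
import hashlib
import re

# SHA256 reported for the sample on MalwareBazaar (taken from this report).
REPORTED_SHA256 = "a0cf7860499118926c61f08dc2e6b8701b90f16cf3887aebf79111e6ac2763c6"

# Indicator families taken from the FLOSS / PE-bear / PEStudio findings above.
INDICATORS = {
    "ransom_note_name": rb"akira_readme\.txt",
    "akira_extension": rb"\.akira(?![a-z_])",
    "shadow_copy_delete": rb"Get-WmiObject Win32_Shadowcopy \| Remove-WmiObject",
    "event_log_clear": rb"GlobalSession\.ClearLog\(",
    "tor_contact": rb"[a-z2-7]{56}\.onion",
    "cli_options": rb"--encryption_path|--share_file|-dellog|--exclude|-ep bypass",
}
# Virtual-disk and VM state extensions listed in the sample's strings.
VM_EXTENSIONS = (".vdi", ".vhd", ".vmdk", ".vhdx", ".qcow2", ".vmem", ".vmsn", ".nvram")
MANIFEST_RE = re.compile(rb"requestedExecutionLevel\s+level=['\"]([A-Za-z]+)['\"]")

def ascii_strings(data: bytes, min_len: int = 4):
    """Yield printable-ASCII runs, like the static part of strings/FLOSS output."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group(0)

def triage(data: bytes, expected_sha256: str = REPORTED_SHA256) -> dict:
    """Collect the static indicators this report relies on from a file image."""
    blob = b"\n".join(ascii_strings(data))
    digest = hashlib.sha256(data).hexdigest()
    # Word boundary so ".vhd" does not fire on ".vhdx".
    exts = [e for e in VM_EXTENSIONS
            if re.search(re.escape(e).encode() + rb"(?![a-z0-9])", blob)]
    level = MANIFEST_RE.search(data)
    hits = sorted(name for name, pat in INDICATORS.items() if re.search(pat, blob))
    return {
        "sha256": digest,
        "hash_matches_report": digest == expected_sha256,
        "hits": hits,
        "vm_extensions": sorted(exts),
        "execution_level": level.group(1).decode() if level else None,
        # Independent indicator families, not a single string, drive the verdict.
        "verdict": "likely-akira-ransomware" if len(hits) >= 2 else "inconclusive",
    }

# Constructed stand-in for a file image; the real sample is not embedded here.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"akira_readme.txt\x00.akira\x00.vmdk\x00.vhdx\x00--encryption_path\x00"
    + b'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"\x00'
    + b"<requestedExecutionLevel level='asInvoker' uiAccess='false' />"
)
```

Run it on the renamed .malf file by passing `open(path, "rb").read()` to `triage()`; a hash mismatch against the reported value means the file on disk is not the sample described here.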
Based on this static analysis, this executable shows clear signs of malicious ransomware activity, employing several MITRE ATT&CK tactics. It utilizes defense evasion techniques such as process injection and DLL sideloading to escalate privileges and obscure its operations, and incorporates sleep delays likely intended to thwart behavioral detection. The malware also destroys forensic artifacts by clearing event logs and deletes backup files, hindering recovery efforts. It conducts extensive reconnaissance by enumerating system drives, processes and network paths, actions that hint at potential lateral movement and data exfiltration. Although dynamic analysis has not yet been performed, the static indicators strongly suggest that this ransomware leverages persistence, privilege escalation, discovery, and impact tactics to maximize damage and complicate remediation.
The dynamic analysis is currently in progress.
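On the defensive side, the two PowerShell commands recovered from the sample (shadow-copy removal and event-log clearing) and its "-ep bypass -command" launch option are exactly what process-creation telemetry should alert on. The script below is an added example, not part of the original report; the records in SAMPLE_LOG are constructed, and the tab-separated ParentImage/Image/CommandLine format is an assumption, not real Sysmon or Security 4688 output.

```python
import re
from dataclasses import dataclass

# Each rule is keyed to a command recovered from the sample's strings above (shadow-copy
# removal, event-log clearing) or to its '-ep bypass -command' launch option.
RULES = {
    "shadow_copy_deletion (T1490)": re.compile(
        r"Get-WmiObject\s+Win32_Shadowcopy\s*\|\s*Remove-WmiObject", re.I),
    "event_log_clearing (T1070.001)": re.compile(
        r"EventLogSession\]::GlobalSession\.ClearLog|Get-WinEvent\s+-ListLog\s+\*", re.I),
    "powershell_policy_bypass (T1059.001)": re.compile(
        r"-e(?:xecutionpolicy|p)\s+bypass\s+-c(?:ommand)?\b", re.I),
}

@dataclass
class Alert:
    line_no: int
    parent: str
    rule: str

def scan(records):
    """Return one Alert per (record, rule) match.  Records are constructed
    tab-separated strings: ParentImage, Image, CommandLine."""
    alerts = []
    for n, rec in enumerate(records, 1):
        parent, _image, cmd = rec.split("\t", 2)
        for name, pat in RULES.items():
            if pat.search(cmd):
                alerts.append(Alert(n, parent, name))
    return alerts

def correlated_parents(alerts, min_rules: int = 2):
    """Parents that tripped at least min_rules distinct rules: recovery inhibition
    combined with log clearing is the ransomware pattern, not any single hit."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.parent, set()).add(a.rule)
    return sorted(p for p, rules in seen.items() if len(rules) >= min_rules)

# Constructed process-creation records (not real Sysmon or 4688 output).
SAMPLE_LOG = [
    'explorer.exe\tpowershell.exe\tpowershell.exe -Command "Get-Date"',
    'sample.exe\tpowershell.exe\tpowershell.exe -Command '
    '"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"',
    'sample.exe\tpowershell.exe\tpowershell.exe -ep bypass -command "Get-WinEvent -ListLog * | '
    'where { $_.RecordCount } | ForEach-Object -Process{ '
    '[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName) }"',
]
```

A single hit on the bypass rule is noisy on admin workstations, which is why correlated_parents() escalates only when one parent process trips more than one rule.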