OphionLocker Analysis: Proof Anyone Really Can Write Malware

OphionLocker is supposedly the new ransomware on the block and is already being compared with sophisticated operations such as CryptoLocker and CryptoWall, so I decided to take a look, and what I found is nothing short of hilarious.

That’s right, the PE header gives it away: the ransomware is actually a console application. Instead of writing a Win32 (GUI subsystem) application, the developer has opted for a console application, which implies he is either writing command-line tools (he’s not), or that he has absolutely no damn idea what he’s doing.

If there is any remaining doubt about whether this was written by a competent C++ developer, the PDB path embedded in the binary should set the record straight:

H:\ConsoleApplication1\Release\ConsoleApplication1.pdb

That’s the PDB path of this application. “ConsoleApplicationX” is the name Visual Studio assigns automatically when creating a new C++ console project, and “ConsoleApplication1” implies this is the first such project ever created on that machine; either the developer has just moved from another development environment, or, more likely, he’s never coded C++ before.

Rather than building a GUI-subsystem executable, the developer hides the console window at runtime. This is a hack, and a visible one: the console window still opens and then disappears a second later when the application runs.

If you’re new to programming, writing your own cryptographic library is obviously quite a challenge, so, as you can see, he’s opted to just use Crypto++.

“But MalwareTech, even using a public cryptographic library, he’d need to know how to implement it.”

Well, if we look through the strings in the application we find “ecies.private.key”, which is the name of the file the application uses to store the private key; this is consistent with the example ECIES (Elliptic Curve Integrated Encryption Scheme) code on the Crypto++ wiki.

The C&C communication mechanism is much the same story: although it could have been implemented in a few lines of code using the WinINet library, the developer has opted to use the insanely bulky WinHTTPClient library, which wraps the WinHTTP API (intended for services and server-side code, not client applications).
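The tells above (PE subsystem, PDB path, a library string or two) are the kind of thing an analyst checks in the first minute of triage, and they are easy to automate. The following Python is an added example written for this page, not code from the post or from the malware: it hand-rolls a minimal parser for the PE optional header and CodeView debug directory rather than relying on a third-party library, and it builds a constructed PE32 fixture (build_sample_pe) so the whole thing runs offline. The indicator strings (“ecies.private.key”, “winhttp”) and the ConsoleApplication\d+ pattern are assumptions drawn from the observations in this post, not an official indicator list.

```python
import re
import struct

# PE/COFF constants (from the PE format specification).
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DEBUG_TYPE_CODEVIEW = 2
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
# Assumed indicator strings, taken from the observations in the post (case-insensitive).
INDICATORS = [b"ecies.private.key", b"winhttp"]


def _pe_layout(data):
    """Return (optional header offset, data directory offset, [(va, size, raw_ptr)])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dd = opt + (96 if magic == PE32_MAGIC else 112)  # data directories start here
    sections = []
    for i in range(nsections):
        hdr = opt + size_opt + i * 40  # section headers follow the optional header
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    return opt, dd, sections


def _rva_to_offset(sections, rva):
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def subsystem(data):
    """Subsystem field lives at offset 68 of both PE32 and PE32+ optional headers."""
    opt, _, _ = _pe_layout(data)
    return SUBSYSTEMS.get(struct.unpack_from("<H", data, opt + 68)[0], "UNKNOWN")


def pdb_path(data):
    """Walk IMAGE_DIRECTORY_ENTRY_DEBUG and return the CodeView (RSDS) PDB path, or None."""
    _, dd, sections = _pe_layout(data)
    rva, size = struct.unpack_from("<II", data, dd + 6 * 8)  # debug directory is entry 6
    if rva == 0:
        return None
    off = _rva_to_offset(sections, rva)
    for entry in range(off, off + size, 28):  # IMAGE_DEBUG_DIRECTORY entries are 28 bytes
        dtype, dsize, _, raw = struct.unpack_from("<IIII", data, entry + 12)
        if dtype == IMAGE_DEBUG_TYPE_CODEVIEW and data[raw:raw + 4] == b"RSDS":
            path = data[raw + 24:raw + dsize]  # skip "RSDS", 16-byte GUID, 4-byte age
            return path.split(b"\0", 1)[0].decode("latin-1")
    return None


def triage(data):
    """Collect the sloppiness indicators discussed in the post for one PE blob."""
    sub, path = subsystem(data), pdb_path(data)
    findings = []
    if sub == "WINDOWS_CUI":
        findings.append("console subsystem (window flashes unless hidden at runtime)")
    if path and re.search(r"ConsoleApplication\d+\.pdb$", path, re.I):
        findings.append("Visual Studio default project name in PDB path")
    lower = data.lower()
    findings += ["string: " + s.decode() for s in INDICATORS if s in lower]
    return {"subsystem": sub, "pdb": path, "findings": findings}


def build_sample_pe(subsys, pdb, extra=b""):
    """Constructed test fixture: a minimal PE32 with one section holding a CodeView
    debug entry and optional extra bytes. It is not the OphionLocker binary."""
    cv = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb.encode("latin-1") + b"\0"
    sec_va, sec_raw = 0x1000, 0x200
    dbg = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                      len(cv), sec_va + 28, sec_raw + 28)
    payload = dbg + cv + extra
    raw_len = (len(payload) + 0x1FF) & ~0x1FF  # round up to FileAlignment
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<H", opt, 68, subsys)
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 6 * 8, sec_va, 28)  # debug directory RVA/size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    sect = b".rdata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), sec_va, raw_len, sec_raw, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(sec_raw, b"\0") + payload.ljust(raw_len, b"\0")


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(
        3, r"H:\ConsoleApplication1\Release\ConsoleApplication1.pdb", b"ecies.private.key\0")
    print(triage(blob))
```

Run it with a sample path as the first argument to triage a real file; with no argument it triages the constructed fixture. The PDB path and subsystem come straight from the headers, so they are cheap to pull at scale, but they are also trivially forgeable: treat them as a hint about the author, as this post does, not as an identity.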

Obviously, no application is complete without some error handling, so here’s what happens if the locker fails to connect to the C&C.

Error handling is love, error handling is life.
GUI programming tends to be quite tricky, but it’s nothing you can’t achieve with a message box and 300 text files that all say the same thing.
This is why we can’t have nice things.

Conclusion

Q: Can you code functional ransomware with absolutely no programming experience whatsoever?
A: Yes.

OphionLocker
MD5: e17da8702b71dfb0ee94dbc9e22eed8d
SHA1: eb78b7079fabecbec01a23c006227246e78126ab
SHA256: c1a0173d2300cae92c06b1a8cb344cabe99cf4db56fa9dca93629101c59ce68f
