OphionLocker Analysis: Proof Anyone Really Can Write Malware


OphionLocker is supposedly the new ransomware on the block and is already being compared with sophisticated operations such as CryptoLocker and CryptoWall, so I decided to take a look, and what I found is nothing short of hilarious.

That’s right: the ransomware is actually a console application. Instead of writing a Win32 (GUI) application, the developer has opted for a console application, which implies either that he is writing command line tools (he’s not), or that he has absolutely no damn idea what he’s doing.

If there is even any shadow of doubt that this was written by a competent C++ developer, this should set the record straight:

H:\ConsoleApplication1\Release\ConsoleApplication1.pdb

That’s the PDB path of this application. “ConsoleApplicationX” is the name Visual Studio assigns automatically when creating a new C++ console project, and “ConsoleApplication1” implies that this is the first Visual Studio project the developer ever created: either he has just moved from another development environment or, more likely, he has never coded C++ before. (The PDB path is only a string the linker embeds in the binary’s CodeView debug record; it can be stripped or forged, so treat it as a strong hint rather than hard evidence.)

The binary also contains a hack to make the console window invisible, since a console-subsystem executable always gets one; as a result the console window opens and then disappears a second later when the application is run, which a proper Windows-subsystem application would never do.

If you’re new to programming, writing your own cryptographic library is obviously quite a challenge, so as you can see he’s opted to just use the Crypto++ library.

“But MalwareTech, even using a public cryptographic library, he’d need to know how to implement it.”

Well, if we look through the strings in the application we find “ecies.private.key”, which is the name of the file the application uses to store the private key; this matches the example ECIES (Elliptic Curve Integrated Encryption Scheme) code on the Crypto++ wiki.

The C&C communication mechanism is much the same story: although it could have been implemented in a few lines of code using the WinInet library, the developer has opted to use the insanely bulky WinHTTPClient wrapper library, which is built on the WinHTTP API (which Microsoft intends for services and server-side code rather than interactive client applications).
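The checks above can be scripted rather than done by eye. The following is an added example (not part of the original post and not MalwareTech’s code): it pulls the PDB path out of a binary’s CodeView (RSDS) debug record, flags an unrenamed Visual Studio project name such as ConsoleApplication1, and looks for the “ecies.private.key” string and the winhttp.dll import that a WinHTTP-based client would pull in. The SAMPLE blob is constructed to carry those artifacts and is not the real OphionLocker binary; the winhttp.dll import name and the extra template names in the regex are assumptions.

```python
"""Extract the CodeView (RSDS) PDB path and a few telltale strings from a PE image.

Added example, not code from the original post. The SAMPLE blob below is
constructed to mimic the artifacts described in the post.
"""
import re
import struct
import sys
import uuid

# Names Visual Studio assigns to new projects when the author never renames them.
# ConsoleApplicationN is the one seen in the post; the other two are assumed
# template names for other project types.
DEFAULT_VS_PROJECT = re.compile(
    r"^(ConsoleApplication|Win32Project|WindowsProject)\d+\.pdb$", re.IGNORECASE
)

# Strings worth flagging: the Crypto++ wiki ECIES sample's key file name, and the
# WinHTTP import DLL name (assumed to be present when WinHTTPClient is used).
INDICATOR_STRINGS = (b"ecies.private.key", b"winhttp.dll")


def extract_pdb_paths(data: bytes):
    """Return (guid, age, path) for every RSDS CodeView record found in data.

    Record layout: b"RSDS" | 16-byte GUID (little-endian) | uint32 age |
    NUL-terminated PDB path. Scanning raw bytes rather than walking the PE debug
    directory also works on memory dumps and unpacked blobs with damaged headers.
    """
    records = []
    for match in re.finditer(rb"RSDS", data):
        start = match.end()
        if start + 20 > len(data):
            continue  # truncated: cannot hold GUID + age
        guid = uuid.UUID(bytes_le=data[start:start + 16])
        (age,) = struct.unpack_from("<I", data, start + 16)
        end = data.find(b"\x00", start + 20)
        if end == -1:
            continue
        try:
            path = data[start + 20:end].decode("ascii")
        except UnicodeDecodeError:
            continue  # "RSDS" occurred by chance inside other data
        if not path.isprintable() or not path.lower().endswith(".pdb"):
            continue
        records.append((str(guid), age, path))
    return records


def is_default_vs_project(pdb_path: str) -> bool:
    """True when the PDB file name is an unrenamed Visual Studio template name."""
    filename = pdb_path.replace("/", "\\").rsplit("\\", 1)[-1]
    return DEFAULT_VS_PROJECT.match(filename) is not None


def assess(data: bytes) -> dict:
    """Summarise the amateur-authorship hints the post relies on."""
    paths = [path for _, _, path in extract_pdb_paths(data)]
    return {
        "pdb_paths": paths,
        "default_vs_project": any(is_default_vs_project(p) for p in paths),
        "indicator_strings": [s.decode() for s in INDICATOR_STRINGS if s in data],
    }


def _build_sample() -> bytes:
    """Constructed stand-in for a PE image carrying the artifacts in the post."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    codeview = (
        b"RSDS" + guid.bytes_le + struct.pack("<I", 1)
        + b"H:\\ConsoleApplication1\\Release\\ConsoleApplication1.pdb\x00"
    )
    return (
        b"MZ" + b"\x00" * 62          # fake DOS header padding
        + codeview
        + b"\x00" * 16
        + b"ecies.private.key\x00"
        + b"winhttp.dll\x00"
        + b"RSDS"                     # stray signature with no record after it
    )


SAMPLE = _build_sample()

if __name__ == "__main__":
    # Usage: python pdbcheck.py <file.exe>; with no argument it runs on SAMPLE.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(assess(blob))
```

Scanning for the RSDS signature instead of parsing the debug directory is deliberate: it still works on memory dumps and unpacked blobs whose headers are gone, at the cost of having to reject chance “RSDS” matches, which the length and “.pdb” suffix checks do.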

Obviously, no application is complete without some error handling, so here’s what happens if the locker fails to connect to the C&C.

Error handling is love, error handling is life.
GUI programming tends to be quite tricky, but it’s nothing you can’t achieve with a message box and 300 text files that all say the same thing.
This is why we can’t have nice things.

Conclusion

Q: Can you code functional ransomware with absolutely no programming experience whatsoever?
A: Yes.

OphionLocker
MD5: e17da8702b71dfb0ee94dbc9e22eed8d
SHA1: eb78b7079fabecbec01a23c006227246e78126ab
SHA256: c1a0173d2300cae92c06b1a8cb344cabe99cf4db56fa9dca93629101c59ce68f
