Malware Analysis: Snake Ransomware
Introduction
This article contains the analysis of snake ransomware. The sample used in analysis was downloaded from https://app.any.run/tasks/7b7d33d9-15f9-4d45-8ae4-291c8cde7ef8/.
Basic Static Analysis
First the sample was submitted to virustotal to see if it is identified as malicious https://www.virustotal.com/gui/file/e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60/detection.
We can see that 60 out of 72 AV engines detect this sample as malicious.
Using coff explorer tool, we observe that there are very few number of imports, and there is a presence of .symtab section. These both are signs of a binary written and compiled using the GO programming language.
After string analysis, it is confirmed that this is a go binary.
Go compiler adds the project used by the malware author
Running yara rule in the binary with the rules found in this public repository https://github.com/Yara-Rules/rules we get the following results.
We can see that the malware has possible CnC traffic, and that malware is capable of performing AES encryption.
Basic Dynamic Analysis
For basic dynamic analysis, the malware was already run in app.any.run, so i observed the data from there.
The malware is touted as malicious, but i do not see any network connection. So I ran the malware in a VM, the malware encrypted most of the data, but i could not file any help text, as to how to recover them.
Code Reversing
Unlike regular golang binaries, there were no regular function names. The malware author has thus attempted to obfuscate the various function names.
So in order to de-obfuscate the function names a tool called idagolang helper was used https://github.com/sibears/IDAGolangHelper.
Now we getting somewhere, there are a lot of golang builtin functions that we can see. But looking at function name, I was trying to get a hint of the purpose the various main functions , but the function names itself is weird and was most likely obfuscated/randomized to slow down reversing process.
So I started analyzing the main functions, eventually it led me to the syscall function call from the golangs built in function.
So after referring to the golangs documentationat https://golang.org/pkg/syscall/?GOOS=windows, it seemed that it was used to call a function from a windows dll file. Here’s a snippet.
I could not determine the exact function being called via static analysis, so had to run the sample inside a debugger.
It seems the function that was being called is CreateMutexW.
By observing that the value esp+0x18 being used in error condition check we can assume that it is the lastErr value and the rest is the returned pointer. Seeing this we can safely assume, that the function main_bhjfpdopjclepflkbeoj is responsible for calling the windows function CreateMutexW and returning its value. Renaming the function to sycall_function. Renamed main_ienocpmdijcihngapkhe to calls_function_Creating_global_and_sycall_create_mutex.
Continuing further analysis, the function at 0054E480 was responsible for key extraction.
I did not see network communication for getting key, and after running the malware multiple times, the key seems to be the same “ — — -BEGIN RSA PUBLIC KEY — — -\nMIIBCgKCAQEAyQ+M5ve829umuy9+BSsUX/krgdF83L3m8/uxRvKX5EZbSh1+buON\nZYr5MjfhrdiOGnrbB1j0Fy31U/uzvWcy7VvK/zcsO/5aAhujhHB/qMAVpZ8zT5BB\nujT1Bvsith/BXgtM99MixD8oZ67VDZaRM9TPE89WuAjnaBZORrk48wFcn1DOAAHD\nZ9z9komtqIH1fm3Y0Q6P76nUscLsYOme082L217Th/lTMoqqs4cF2rn9O9Vp4V9U\naCs4XVxGSpcuqbIscfpf0cm44P2eOEk+sbZdahO9C6fezt7YF4OCJ4Vz3qqMD6z4\n+6d7FRxUu6k3Te2T2bWBZnsDO30pYFi/gwIDAQAB\n — — -END RSA PUBLIC KEY — — -\n”.
After indepth analysis, it seems function with name pattern main_ffhlhdmhalodcojcaeok_*** seems to be junk function, because the function just converts slice of byte to string or vice versa, and the value is not useful at all.
Digging further, function sub_0053A060 is responsible for looping through each files and encrypting them and finally the function main_amgmhoeegchpnnaljano 00539C30 eventually calls io_ioutil_WriteFile. I thought it could be possibly help file, so i debugged it and trying to find what it actually wrote.
The file is at C:\\Fix-Your-Files.txt. but I could not find the file. The ransomware seems to have failed to write the file. So i thought may be it needed admin privileges to write the help file. I ran the sample again with admin privileges, and now it has written the file.
This just seems extremely odd. I do not understand why the author chose to write the help file in such a specific location where the user had to search for it. Other ransomwares seem to have changed the wallpaper itself, or drop the help file in each file. It just seems like a bad choice to keep the help file in a specific location where to write admin privileges was required.
Yara rule for this ransomware:
rule SnakeRansomware{meta:Author = "Nishan Maharjan"Description = "A yara rule to catch snake ransomware"Data = "15th May 2020"strings:$go_build_id = "Go build ID: \"X6lNEpDhc_qgQl56x4du/fgVJOqLlPCCIekQhFnHL/rkxe6tXCg56Ez88otHrz/Y-lXW-OhiIbzg3-ioGRz\""$math_rand_seed_calling = { 89 C8 BB 00 CA 9A 3B 89 D1 F7 E3 81 E1 FF FF FF 3F 89 C3 01 C8 89 C6 05 00 00 1A 3D 89 04 24 69 ED 00 CA 9A 3B 01 EA 89 CD C1 F9 1F 01 EB 11 CA 81 C6 00 00 1A 3D 81 D2 EB 03 B2 A1 89 54 24 04 E8 10 62 F6 FF }$encryption_function = {64 8B 0D 14 00 00 00 8B 89 00 00 00 00 3B 61 08 0F 86 38 01 00 00 83 EC 3C E8 32 1A F3 FF 8D 7C 24 28 89 E6 E8 25 EA F0 FF 8B 44 24 2C 8B 4C 24 28 89 C2 C1 E8 1F C1 E0 1F 85 C0 0F 84 FC 00 00 00 D1 E2 89 CB C1 E9 1F 09 D1 89 DA D1 E3 C1 EB 1F 89 CD D1 E1 09 D9 89 CB 81 C1 80 7F B1 D7 C1 ED 1F 81 C3 80 7F B1 D7 83 D5 0D 89 C8 BB 00 CA 9A 3B 89 D1 F7 E3 81 E1 FF FF FF 3F 89 C3 01 C8 89 C6 05 00 00 1A 3D 89 04 24 69 ED 00 CA 9A 3B 01 EA 89 CD C1 F9 1F 01 EB 11 CA 81 C6 00 00 1A 3D 81 D2 EB 03 B2 A1 89 54 24 04 E8 10 62 F6 FF 31 C0 EB 79 89 44 24 20 8B 4C 24 40 8D 14 C1 8B 1A 89 5C 24 24 8B 52 04 89 54 24 1C C7 04 24 05 00 00 00 E8 48 FE FF FF 8B 44 24 08 8B 4C 24 04 C7 04 24 00 00 00 00 8B 54 24 24 89 54 24 04 8B 5C 24 1C 89 5C 24 08 89 4C 24 0C 89 44 24 10 E8 EC DD EF FF 8B 44 24 18 8B 4C 24 14 89 4C 24 08 89 44 24 0C 8B 44 24 24 89 04 24 8B 44 24 1C 89 44 24 04 E8 68 BB F3 FF 8B 44 24 20 40}condition:all of them}