CoinVault surfaced publicly around November, and ransomware seems to be a growing trend. One, it's the fast cash approach: instead of reading logs and stealing things, with ransomware you get your money fast. Two, ransomware can be made easily, unlike other forms of malware. Three, since CryptoLocker's inception it seems as if everyone wants to copy it, which is normal as it was fairly successful.
Looking at this ransomware, I noticed that it was very .NET looking; I think it's fairly easy to notice a .NET application. It seems like I reverse a fair bit of high level languages compared to lower level ones, but it also seems like there is an increase in high level malware. This could be down to it being easier and less expensive (no need to hire a programmer), unless of course you are a malware developer, in which case you'd choose a better language. Whenever I analyse malware I create unique executables for the tools I will be using to detect the malware's characteristics. That doesn't make a lot of sense on its own, so I'll bring some more definition to what I mean: I use packers and change version strings, I change resource variables within the exe and, obviously, change the name of the exe. This is to evade the malware's anti-anti-malware techniques (still with me?). Usually they just check the process name or version information, but I can guess advanced malware checks MD5s and version strings to see if it is being tracked. So far my creations have been fairly successful; I haven't had Process Explorer killed in a very long time. I recommend using Wireshark Portable at any time while analysing malware, since having it in a default directory simply won't help you. Also change the portable exe's name (it's still called wireshark.exe) if you're going to be venturing into malware analysis. I'm no expert, just sharing things I've learnt on my journey; you don't have to follow anything I say, it's not like I'm a professional.
I'll show the basic structure of how it works and how it evades basic detection. I honestly think RunPE is a bad idea for malware developers, but they still keep using it, so either they are dumb as shit or it's working somehow. First is a .NET dropper which seems to have no form of obfuscation whatsoever. Bytes are stated within the code which are decrypted and executed within the original exe, handing over to the RunPE side of things; the RunPE stage collects the resource (within the original exe) and decrypts it, then checks for Wireshark and what sort of computer you are running (computer manufacturer) before executing this time. They both use the same encryption/decryption function, which is probably some standard; it's very simplistic anyway. For all of you who want to know the technicality of how they check: they use ManagementObjectSearcher, from which they select Win32_ComputerSystem['manufacturer'], and the values they search for are "microsoft corporation" and "vmware". It then checks Win32_ComputerSystem['model'] to see if "VirtualBox" is there.
I know diagrams aren't that fun, but it's easier to show it this way, and to be perfectly honest I don't know how else to show it. Back when I was cracking programs I used to use MegaDumper; this tool is fabulous for all things .NET, and I honestly don't know what I would do without it. It's part of the CodeCracker tools and should be around somewhere; I'll upload it if there aren't verifiable mirrors. I thought I'd give a little bit of credit to that program as it helped me understand many parts of CoinVault: I let the sample run for a bit and then dump it to see what's inside. I of course did some manual work beforehand, which I sort of regret, as I could have simply used MegaDumper for the whole process. After this it becomes interesting. Up to this point the previous two executables haven't had obfuscation or anything remotely close to it, but once it comes to the main party piece, 'Locker.exe', it starts to spice up with Confuser 1.9, a well known obfuscation tool which is widely known by malware analysts (I hope). That said, Securelist failed to show code past this point, and from how they describe the 'Chinese' characters it seems they may not have come across this obfuscator before. I'm writing an extended article on top of Securelist's: they talk about the two previous methods in detail, but not the actual locker.
Securelist Article: Here
They did, however, manage to capture some of the traffic from CoinVault, which showed them the domain names but nothing else really, which is quite disappointing. Nonetheless, I'll show a bit more for people who are interested.
1 indicates the first method, which is the HWID; as you would expect, it's created from a set of unique variables of a computer. In this instance CoinVault uses
2 indicates the callback. This is where the domains are shown, and they indeed only had 2 domains; they didn't have anything fancy like a DGA as many others do, just two static domains. After calling back it does a few nasty things to help itself when the user gets a nasty surprise. One thing that a lot of Crypto clones have been doing is removing all shadow copies from the system. With XP it's almost instant, but with UAC it will keep bugging you. I would like to think that when people see vssadmin coming up they would think "hang about, I haven't heard of or seen this process before, maybe I should look into this before clicking yes." But alas, many will click yes, removing all shadow copies, with no specific drive given. It also checks for debuggers with the Debugger.IsAttached property and the Debugger.IsLogging() method, and in another method it also checks for certain processes to kill.
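The shadow copy wipe described above is one of the few places this sample has to touch a well known system binary, which makes it a good detection point. The following is an added example, not code from the original post or the sample: it runs a simple rule over constructed process-creation records (field names borrowed from the Sysmon Event ID 1 style, an assumption) and flags vssadmin "delete shadows" invocations, noting whether the run targeted all volumes and which parent spawned it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records in a Sysmon Event ID 1 style (not real telemetry).
# The first mirrors the behaviour the post describes: the locker deleting every
# shadow copy with no specific drive given.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\Locker.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /For=C: /Quiet',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",          # benign: listing only
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

@dataclass
class Finding:
    parent: str   # basename of the spawning process
    scope: str    # "all volumes", a drive letter such as "C:", or "unspecified"
    quiet: bool   # /quiet suppresses the confirmation prompt

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()

def _tokens(cmdline: str) -> List[str]:
    # Drop the (optionally quoted) program path, keep the arguments, lowercase them.
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return [t.lower() for t in (m.group(1) if m else "").split()]

def detect_shadow_deletion(event: dict) -> Optional[Finding]:
    if _basename(event.get("Image", "")) != "vssadmin.exe":
        return None
    toks = _tokens(event.get("CommandLine", ""))
    if len(toks) < 2 or toks[0] != "delete" or toks[1] != "shadows":
        return None
    scope, quiet = "unspecified", False
    for t in toks[2:]:
        if t == "/all":
            scope = "all volumes"
        elif t.startswith("/for="):
            scope = t.split("=", 1)[1].upper()
        elif t == "/quiet":
            quiet = True
    return Finding(_basename(event.get("ParentImage", "")), scope, quiet)

def scan(events) -> List[Finding]:
    return [f for f in (detect_shadow_deletion(e) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A vssadmin deletion spawned from a user-writable path such as a Temp directory, as in the first record, is the variant worth paging on; the same tokeniser also copes with the quoted full-path form the second record uses.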
Here I show the list of places CoinVault looks in to encrypt files for a ransom; it also shows the file types it targets. Some obvious ones I can see there are the Microsoft Office extensions as well as PDF, presumably targeting businesses or people who have work computers at home. As well as that there are archive extensions, although I don't see .7z, which means that 7-Zip is ransomware secure, kids!
As shown in the initial screenshot, CoinVault allows you a free decryption of one file. I see this as a way to coax the user into paying: they see that the decryption works and that the file is not affected in any way, making it more of an incentive just to pay the application. It would be nice to have the host still online, to see if I'm able to decrypt any of the files. I'm sure you could create a spoofed HWID POST to the C&C if the HWID is what limits the decryptFile.php page; if you were able to spoof HWIDs, then you could decrypt as many single files as you want by requesting the files in multiple POST requests. From what we can see in this screenshot, you only need the HWID, for which I would imagine they set the count to 1 afterwards.
I can guess the possible origins of this malware quite easily: there are two languages included in CoinVault, English and Dutch. You may be saying that really isn't a plausible way of deciding an origin, but I came across references to blockchain.info, which I would consider is how they set the prices of the ransom, and the ticker shown is nl again, meaning they used the nl customised blockchain page and not the English one. It's a theory, but I think it's enough evidence to put it under consideration. Although origins don't really matter anymore, as every country has what the media calls cyber criminals.
In conclusion, it seems a rather newbish job. Although it did work, it seems like it wasn't very profitable or they weren't very organised: a few weeks on and the host is down, and the application doesn't respond properly when executed. On top of that they used Confuser 1.9, although there are better obfuscators out there for .NET, including ConfuserEx; the only reason people use Confuser 1.9 is ease of use, as you don't have to compile it. I had fun with CoinVault, but it's no Nightmare, as its assembly description seems to use as a war cry. I'm sorry CoinVault creator, but I won't be cradling myself to sleep over this one.