After receiving an email about the new Thanos ransomware, I downloaded one Thanos version to understand its behaviour and the new techniques it uses. According to Nyotron, the new technique used in Thanos bypasses almost all AV, EDR and Microsoft security tools.
“In January 2020, while using the Recorded Future® Platform to monitor the weaponization of the RIPlace technique, Insikt Group uncovered a new family of ransomware for sale on Exploit Forum called Thanos, developed by a threat actor with the alias “Nosophoros.”
Nosophoros offered Thanos as a private ransomware builder with the ability to generate new Thanos ransomware clients based on 43 different configuration options. Recorded Future analyzed the Thanos ransomware builder to detect, understand, and exercise the breadth of functionality that the Thanos ransomware can support. The Thanos client is simple in its overall structure and functionality. It is written in C# and is straightforward to understand even with obfuscation, though it does incorporate some more advanced features such as the RIPlace technique”[1].
“In November 2019, security company Nyotron released a proof of concept for a ransomware technique dubbed RIPlace. At the time of release, RIPlace bypassed most existing anti-ransomware methods, slipped past antivirus (AV) products tested, and evaded detection by endpoint detection and response (EDR) products. Nyotron disclosed the flaw to the vendors listed, including Microsoft”[1].
Basic information:
MD5: e01e11dca5e8b08fc8231b1cb6e2048c
SHA1: 4983d07f004436caa3f10b38adacbba6a4ede01a
SHA256: 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f
Imphash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature: Microsoft Visual C# v7.0 / Basic .NET
Compiler-stamp: 0x5F0168F7 (Sat Jul 04 22:45:27 2020 — UTC)
Sections:
Analysis:
When I started to analyze the code, I literally did not understand anything: the obfuscation covers everything from variable names and values up to function names. The malware developer did hard work to reach this result. The Thanos ransomware builder uses this code to generate similar clients with different configurations (wallet ID, file extensions, and so on).
The malware author used base64 to encode most of the values in it (registry keys, value names, URLs, ...), so I decoded all the values in the malware.
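The decoding step above is mechanical, so here is an added example (my own code, not the author's or anything from the Thanos builder) of how an analyst can pull base64 string literals out of a decompiled C# dump and recover the readable ones. The source snippet is constructed inline, with its literals built by encoding known strings so the example runs offline; it is not the real decompiled output.

```python
import base64
import re

# --- constructed sample: decompiled-C#-style lines with base64 literals ---
# The literals are generated here with b64encode so they decode reliably; they
# are stand-ins, not the real strings from the analyzed binary.
def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

KEY = "SOFTWARE\\Policies\\Microsoft\\Windows Defender"
VALUE = "DisableAntiSpyware"
URL = "https://www.poweradmin.com/paexec/paexec.exe"

SAMPLE_SOURCE = "\n".join([
    f'string a1 = "{_b64(KEY)}";',
    f'string a2 = "{_b64(VALUE)}";',
    f'string a3 = "{_b64(URL)}";',
    'string a4 = "NotBase64!";',      # contains '!', never matches
    'string a5 = "abcdabcd";',        # valid base64, but decodes to non-text bytes
    'int options = 43;',
])

# A string literal made only of base64 characters, at least 8 long, optional padding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')


def decode_literals(source: str) -> dict[str, str]:
    """Map each base64 literal found in `source` to its decoded text.

    Literals that fail strict base64 validation, or whose bytes are not
    printable UTF-8 text, are skipped so random alphanumeric strings do
    not pollute the result.
    """
    found: dict[str, str] = {}
    for literal in B64_LITERAL.findall(source):
        if len(literal) % 4:          # base64 output is always a multiple of 4
            continue
        try:
            raw = base64.b64decode(literal, validate=True)
            text = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if text and all(ch.isprintable() for ch in text):
            found[literal] = text
    return found


def classify(text: str) -> str:
    """Rough bucket for a decoded string, to help triage the output."""
    if text.lower().startswith(("http://", "https://")):
        return "url"
    if "\\" in text:
        return "registry_or_path"
    return "string"


if __name__ == "__main__":
    for literal, text in decode_literals(SAMPLE_SOURCE).items():
        print(f"{classify(text):17} {text}   <- {literal}")
```

The strict `validate=True` plus the printable-text check is what keeps the output usable: obfuscated code is full of short alphanumeric identifiers that happen to be valid base64, and without those filters most of the output would be binary noise.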
The malware starts by checking for a list of applications and killing them. This list covers most of the tools used to analyze and monitor malware activity.
After killing the open processes from that list, it checks whether it is running on Windows 8 or 10; if not, it checks the boot priority properties.
The malware then downloads the application it uses to hide the processes on the list below: https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ (ProcessHide64.exe or ProcessHide32.exe, depending on the system architecture).
In the next step the malware disables the Windows Defender configuration.
Registry values (key, value name, data):
SOFTWARE\Microsoft\Windows Defender\Features, TamperProtection, 0
SOFTWARE\Policies\Microsoft\Windows Defender, DisableAntiSpyware, 1
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, DisableBehaviorMonitoring, 1
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, DisableOnAccessProtection, 1
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, DisableScanOnRealtimeEnable, 1
PowerShell: the malware enumerates the features available on the victim PC and disables each one it finds.
It then disables the AV, EDR and backup agents.
It disables the SQL Server audit and diagnostic services.
The malware then goes deeper, kills Windows processes and removes the shadow storage, as the final stage of preparing a stable environment in which to encrypt files.
The malware also sets a value under the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
The effect of that change appears after a reboot: when the victim logs on, the message below is shown.
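The Defender registry writes and the Winlogon change above are the kind of host activity a defender can alert on. The following is an added example of my own (not code from the post or from the malware) that runs a small watchlist over registry "value set" events. The events are constructed inline and only loosely modelled on Sysmon Event ID 13 fields (TargetObject, Details, Image); field names, the placeholder process path and the placeholder Winlogon value name are assumptions, while the watched keys and data come from the analysis above.

```python
import re

# Registry values the analyzed sample writes (from the analysis above), keyed by
# (key path, value name) with the data that indicates Defender is being disabled.
_RTP = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_TAMPER_VALUES = {
    (r"SOFTWARE\Microsoft\Windows Defender\Features", "TamperProtection"): 0,
    (r"SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware"): 1,
    (_RTP, "DisableBehaviorMonitoring"): 1,
    (_RTP, "DisableOnAccessProtection"): 1,
    (_RTP, "DisableScanOnRealtimeEnable"): 1,
}
# Any value written under this key is reported; the post does not name the value.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

_HIVE = re.compile(r"^(HKLM|HKEY_LOCAL_MACHINE|HKCU|HKEY_CURRENT_USER|HKU|HKEY_USERS)\\", re.I)
_DWORD = re.compile(r"DWORD\s*\(0x([0-9a-f]+)\)", re.I)

# --- constructed sample events (not real telemetry) ---
_MAL = "C:\\Users\\victim\\Downloads\\sample.exe"          # placeholder path
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": _MAL,
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": _MAL,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": _MAL,
     "TargetObject": "HKLM\\" + _RTP + "\\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": _MAL,
     "TargetObject": "HKLM\\" + WINLOGON_KEY + "\\PLACEHOLDER_VALUE_NAME",
     "Details": "Your files are encrypted"},
    # benign: a system process re-enabling Defender (data 0, not the tamper value)
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
    # benign: unrelated key
    {"EventID": 13, "Image": "C:\\Program Files\\App\\app.exe",
     "TargetObject": "HKCU\\Software\\App\\LastRun", "Details": "DWORD (0x00000001)"},
]


def split_target(target: str):
    """'HKLM\\...\\Key\\Value' -> ('...\\Key', 'Value'), with the hive prefix removed."""
    path = _HIVE.sub("", target)
    key, _, value = path.rpartition("\\")
    return key, value


def parse_details(details: str):
    """Integer from a 'DWORD (0x...)' details string, or None for other data."""
    m = _DWORD.search(details or "")
    return int(m.group(1), 16) if m else None


def detect_tampering(events):
    """Return one alert per event that matches the watchlist."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key, value = split_target(ev["TargetObject"])
        key_l, value_l = key.lower(), value.lower()
        # Defender settings: alert only when the data is the disabling value,
        # so a write that turns protection back on is not reported.
        for (wkey, wvalue), bad in DEFENDER_TAMPER_VALUES.items():
            if key_l == wkey.lower() and value_l == wvalue.lower():
                if parse_details(ev.get("Details")) == bad:
                    alerts.append({"rule": "defender_tamper", "image": ev["Image"], "value": value})
        if key_l == WINLOGON_KEY.lower():
            alerts.append({"rule": "winlogon_modified", "image": ev["Image"], "value": value})
    return alerts


if __name__ == "__main__":
    for a in detect_tampering(SAMPLE_EVENTS):
        print(f"{a['rule']:18} {a['image']}  ({a['value']})")
```

Comparing the written data against the disabling value, rather than alerting on any write to these names, is what keeps the rule quiet when Group Policy or an administrator legitimately re-enables a feature; the Winlogon rule is deliberately broader because the post only shows that the key is modified.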
List of the file extensions targeted by the malware (as extracted from the sample, duplicates included):
dat, txt, jpeg, gif, jpg, png, php, cs, cpp, rar, sxi, sxw, odt, hwp, tar, bz2, mkv, eml, msg, ost, zip, html, htm, xlsx, xls, avi, mp4, ppt, doc, docx, pst, edb, sql, accdb, mdb, dbf, odb, myd, php, java, cpp, pas, asm, key, pfx, pem, p12, csr, gpg, aes, vsd, odg, raw, nef, svg, psd, vmx, vmdk, vdi, lay6, sqlite3, sqlitedb, accdb, java, class, mpeg, djvu, tiff, backup, cert, docm, xlsm, dwg, bak, qbw, nd, tlg, lgb, pptx, mov, xdw, ods, wav, mp3, aiff, flac, m4a, csv, sql, ora, mdf, ldf, ndf, dtsx, rdl, dim, mrimg, qbb, rtf, 7z
The malware checks whether it has internet access by sending a request to www.google.com. If it does, it downloads paexec.exe from https://www.poweradmin.com/paexec/paexec.exe, to be used for pivoting across the network.
This file finds all the folders that have been encrypted and starts automatically when the system boots.
Conclusion:
Many options are disabled in this version of the Thanos malware; I analyzed only the enabled options.
The malware developer used complicated anti-analysis and anti-VM methods.
Finally, the main method, or I could say the dangerous one, is the new technique "RIPlace". I will write another blog post about how it bypasses most security agents and compare it with older techniques.