Ransomware TFlower

Tactical report of ransomware TFlower


Identification

Vendor        Detection
McAfee        Ransom-TFlower.a
TrendMicro    Ransom-TFlower.a
ALYac         Trojan.Ransom.TFlower


Summary

TFlower is categorized as ransomware. It does not change the extension of the files it encrypts, but it drops a ransom message in a file called "!_Notice_!.txt" that describes how to pay and obtain the decryption tool for the encrypted files.

The following table lists the artifact analyzed in this document.

PE timestamp:   2019/8/25 Sat 00:13:47 UTC
MD5:            0643324FA7F74A3C5288CDE9D26C19A8
Size in bytes:  2.15 MB (2,255,360 bytes)
File name:      chilli.exe
Description:    Main functionality + encryption


Packing

The ransomware TFlower is protected with the commercial packer Themida, as shown in figure (1).

Figure (1)


Let's see how we can extract useful information from this sample.

Unpacking

It checks for a blue-screen error and for the drivers "iceext.sys", "ntice.sys", "Syser.sys", "HanOlly.sys", "extrem.sys", "FRDTSC.sys" and "fengyue.sys", as shown in figures (2), (3), (4), (5), (6) and (7).

Figure (2)

Figure (3)
Figure (4)
Figure (5)

Figure (6)

Figure (7)


These checks are anti-debugging measures: the packer tries to prevent the ransomware from being unpacked under a debugger.

Anti-dynamic analysis

It checks for specific monitoring tools: "FileMonitor.sys", "REGMON", "regsys", "sysregm" (sandbox), "PROCMON", "Kernel Detective" and "FileMonitoring.sys". If any of them is detected, the ransomware terminates, as shown in figures (8), (9), (10), (11), (12), (13) and (14).

Figure (8)

Figure (9)
Figure (10)

Figure (11)

Figure (12)

Figure (13)

Figure (14)


If it detects one of the monitoring tools, it shows the error message seen in figure (15).

Figure (15)

After bypassing these checks and stepping over a large amount of packer code, you reach the original code right after the "retn 0xC" instruction shown in figures (16) and (17); analyzing from that point, you see the code shown in figure (18).

Figure (16)

Figure (17)

Figure (18)



Ransomware behavior

It deletes the volume shadow copies using this command, as shown in figure (19):
  • "vssadmin.exe delete shadows /all /quiet"

It disables the Windows 10 recovery (automatic repair) environment using these commands, as shown in figure (19):
  1. "bcdedit.exe /set {default} recoveryenabled no"
  2. "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
  3. "bcdedit.exe /set {current} recoveryenabled no"
  4. "bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures"



Figure (19)
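Defenders can alert on exactly these commands. The following Python script is an added example, not part of the original report: it runs three detection rules over constructed process-creation log lines (the four-field line format and the log content are assumptions made for this example; adapt the parser to your own telemetry source, such as Sysmon event ID 1) and reports the hosts where shadow-copy deletion and boot-recovery tampering occur together, which is the combination TFlower performs.

```python
import re

# Constructed sample log lines for this example (not real telemetry). Format:
# "<timestamp> <HOST\user> <image path> <command line>"
SAMPLE_LOG = r"""
2019-08-25T00:20:01Z WIN-RA9U596OBGJ\user C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
2019-08-25T00:20:02Z WIN-RA9U596OBGJ\user C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} recoveryenabled no
2019-08-25T00:20:02Z WIN-RA9U596OBGJ\user C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2019-08-25T00:20:03Z WIN-RA9U596OBGJ\user C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} recoveryenabled no
2019-08-25T00:20:03Z WIN-RA9U596OBGJ\user C:\Windows\System32\bcdedit.exe bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures
2019-08-25T00:21:00Z WIN-RA9U596OBGJ\admin C:\Windows\System32\vssadmin.exe vssadmin.exe list shadows
2019-08-25T00:22:00Z WIN-RA9U596OBGJ\admin C:\Windows\System32\bcdedit.exe bcdedit.exe /enum
"""

# Detection rules keyed by name. Matching is done on the command line only,
# case-insensitively, so "vssadmin list shadows" or "bcdedit /enum" (normal
# administrative use) do not fire.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_failure_ignored": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}


def detect_recovery_tampering(log_text):
    """Return one finding per (log line, rule) pair that matches."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed line: ignore rather than crash the scan
        timestamp, user, _image, cmdline = parts
        host = user.split("\\", 1)[0]  # "HOST\user" -> "HOST"
        for rule, pattern in RULES.items():
            if pattern.search(cmdline):
                findings.append({"time": timestamp, "host": host,
                                 "rule": rule, "command": cmdline})
    return findings


def hosts_with_ransomware_prep(findings):
    """Hosts on which shadow copies were deleted AND boot recovery was tampered
    with. Either event alone can be legitimate admin work; both together on
    one host is the pre-encryption pattern described in the report."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    recovery_rules = {"recovery_disabled", "boot_failure_ignored"}
    return sorted(host for host, rules in rules_by_host.items()
                  if "shadow_copy_deletion" in rules and rules & recovery_rules)


if __name__ == "__main__":
    hits = detect_recovery_tampering(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['time']} {hit['host']} {hit['rule']}: {hit['command']}")
    print("hosts with ransomware preparation:", hosts_with_ransomware_prep(hits))
```

On the sample log the script produces five findings (one shadow-copy deletion, two recoveryenabled and two bootstatuspolicy changes) and names WIN-RA9U596OBGJ as the host where both behaviours occur; the "list shadows" and "/enum" lines are ignored.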


Command and control server

It creates a thread that connects to the attacker's server, as shown in figure (20).

Figure (20)

It retrieves the computer name and sets a state value, which can be either null or "start"; "start" begins the encryption of the files on the computer, as shown in figures (21), (22) and (23).


Figure (21)

Domain name:     https://www.adamaitalycup.it/wp-includes/wp-merge.php
Computer name:   WIN-RA9U596OBGJ
State:           start

Figure (22)

Figure (23)
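The URL in the table above is a concrete network indicator for this sample. The Python script below is an added example, not code from the report: it matches constructed web-proxy log lines (the five-field line format is an assumption made for this example) against the known callback URL and, as a broader heuristic that is my own addition, flags POST requests to PHP scripts under a WordPress "/wp-includes/" directory, which legitimate clients have little reason to send and which is where this sample's callback lives.

```python
import re
from urllib.parse import urlsplit

# Known indicator from the report: (hostname, path) of the callback URL.
KNOWN_C2 = {("www.adamaitalycup.it", "/wp-includes/wp-merge.php")}

# Heuristic (assumption for this example, tune before deployment): POSTs to a
# PHP file under /wp-includes/ are unusual; WordPress form/AJAX traffic goes to
# wp-admin, wp-login.php or xmlrpc.php instead.
WP_INCLUDES_PHP = re.compile(r"^/wp-includes/.*\.php$", re.I)

# Constructed proxy log lines (not real traffic):
# "<timestamp> <client ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """
2019-08-25T00:25:10Z 10.0.0.15 POST https://www.adamaitalycup.it/wp-includes/wp-merge.php 200
2019-08-25T00:25:11Z 10.0.0.15 GET https://www.example.com/wp-includes/js/jquery/jquery.js 200
2019-08-25T00:25:12Z 10.0.0.22 POST https://blog.example.org/wp-includes/update.php 200
2019-08-25T00:25:13Z 10.0.0.22 POST https://blog.example.org/wp-admin/admin-ajax.php 200
"""


def classify_request(method, url):
    """Return 'known_c2', 'suspicious_wp_includes_post' or None for a request.
    The exact indicator wins over the heuristic; scheme and host case are
    ignored so http:// and mixed-case hostnames still match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if (host, path) in KNOWN_C2:
        return "known_c2"
    if method.upper() == "POST" and WP_INCLUDES_PHP.match(path):
        return "suspicious_wp_includes_post"
    return None


def scan_proxy_log(log_text):
    """Return a list of matched requests with the client that made them."""
    hits = []
    for raw in log_text.splitlines():
        fields = raw.split()
        if len(fields) < 5:
            continue
        timestamp, client, method, url, _status = fields[:5]
        label = classify_request(method, url)
        if label:
            hits.append({"time": timestamp, "client": client,
                         "url": url, "label": label})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['client']} {hit['label']}: {hit['url']}")
```

On the sample lines the first request is reported as the known callback and the third only by the heuristic; the jQuery download and the admin-ajax request are not reported. A client reported against the known URL should be treated as a host that has already started the infection sequence described above.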

Persistence

It sets a registry value called "proxycap" under the Run key so that the ransomware starts automatically and keeps encrypting files, as shown in figure (24) and in the table below.

Registry path:  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Value name:     proxycap
Value data:     C:\Users\Mahmoud_El_Menshawy\Desktop\sample.exe

Figure (24)
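A Run-key entry whose data points to an executable on a user's Desktop is the kind of persistence a hunt should surface. The Python script below is an added example, not the report's code: it parses a constructed registry export in the standard ".reg" text format (the user name "alice" and the OneDrive entry are invented for the example; the value name "proxycap" is the one from the table above), collects the Run and RunOnce entries, and flags those whose executable lives in a user-writable drop location. The list of suspect directories is my own heuristic, and entries under AppData (where many legitimate updaters live) deliberately need an allowlist rather than a blanket flag.

```python
import re

# Constructed registry export in .reg syntax (not taken from the report).
# In this format backslashes and double quotes inside strings are escaped.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"proxycap"="C:\\Users\\alice\\Desktop\\sample.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

# "name"="data" lines; both sides may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
# First executable path in the value data, quoted or not, ignoring arguments.
EXE_RE = re.compile(r'^"?(.+?\.exe)\b', re.I)

# Heuristic drop locations (assumption for this example): places where a
# user-run sample lands, not where installed software normally lives.
SUSPECT_DIRS = ("\\desktop\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")


def _unescape(text):
    """Undo .reg string escaping: \\ -> \ and \" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_entries(reg_text):
    """Return the values found under any Run / RunOnce key in the export."""
    entries = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not RUN_KEY_RE.search(current_key):
            continue
        match = VALUE_RE.match(line)
        if not match:
            continue  # non-string values (hex:, dword:) are not autorun commands
        name, data = _unescape(match.group(1)), _unescape(match.group(2))
        exe = EXE_RE.match(data)
        entries.append({"key": current_key, "name": name, "data": data,
                        "image": exe.group(1) if exe else None})
    return entries


def flag_suspicious_run_entries(entries):
    """Entries whose executable sits in one of the suspect drop directories."""
    return [e for e in entries
            if e["image"] and any(d in e["image"].lower() for d in SUSPECT_DIRS)]


if __name__ == "__main__":
    found = parse_run_entries(REG_SAMPLE)
    for entry in flag_suspicious_run_entries(found):
        print(f"suspicious autorun '{entry['name']}' -> {entry['image']}")
```

On the sample export both Run values are parsed, and only "proxycap" is flagged because its image is under a Desktop folder; on a real host, export the key with "reg export" or collect it with your endpoint tooling and feed the text to parse_run_entries.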


Target files and encryption

It generates a random key using the RSA algorithm and starts encrypting files, but it skips the Windows folder and the Sample Music folder, as shown in figure (24).

Figure (24)

It searches for the process outlook.exe and terminates it, as shown in figure (25).

Figure (25)
It encrypts files and adds the string "*tflower" to each one as a marker, so it can tell whether a file has already been encrypted, as shown in figure (26).

Figure (26)
TFlower note

It creates a file called "!_Notice_!.txt" when it encrypts the target files, as shown in figure (28).

Figure (28)
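Because the extension is left unchanged, the "*tflower" marker and the "!_Notice_!.txt" note from the two passages above are the practical way to scope an incident on disk. The Python script below is an added example, not code from the report: it walks a directory tree, counts ransom notes and files carrying the marker, and builds a small constructed sample tree in a temporary directory so it can be run offline. The report does not say where in a file the marker is written, so the scanner checks both the first and the last 4 KiB of each file; that window, and the sample file names, are assumptions made for this example.

```python
import os
import shutil
import tempfile

MARKER = b"*tflower"          # marker string named in the report
NOTE_NAME = "!_Notice_!.txt"  # ransom note file name named in the report
WINDOW = 4096                 # assumption: marker is within 4 KiB of either end


def is_marked_encrypted(path, window=WINDOW):
    """True if the marker appears in the first or last `window` bytes."""
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            if MARKER in fh.read(window):
                return True
            if size > window:
                fh.seek(size - window)
                return MARKER in fh.read(window)
    except OSError:
        return False  # unreadable file: report as not marked, do not abort scan
    return False


def scope_encryption(root):
    """Classify every file under root as a ransom note, marked encrypted, or clean."""
    result = {"encrypted": [], "notes": [], "clean": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                result["notes"].append(path)
            elif is_marked_encrypted(path):
                result["encrypted"].append(path)
            else:
                result["clean"] += 1
    return result


def build_sample_tree():
    """Create a constructed directory (not real victim data) for a demo run."""
    root = tempfile.mkdtemp(prefix="tflower_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    filler = b"\xaa" * 8192  # deterministic filler that cannot contain the marker
    with open(os.path.join(docs, "report.docx"), "wb") as fh:
        fh.write(MARKER + filler[:512])   # marker at the head of the file
    with open(os.path.join(docs, "budget.xlsx"), "wb") as fh:
        fh.write(filler + MARKER)         # marker at the tail of a larger file
    with open(os.path.join(docs, "readme.txt"), "wb") as fh:
        fh.write(b"plain text, untouched\n")
    with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("ransom note placeholder (constructed)\n")
    return root


def cleanup(root):
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        report = scope_encryption(sample_root)
        print(f"ransom notes:    {len(report['notes'])}")
        print(f"encrypted files: {len(report['encrypted'])}")
        print(f"clean files:     {report['clean']}")
    finally:
        cleanup(sample_root)
```

Run against the constructed tree it reports one note, two marked files (one marked at the head, one at the tail) and one clean file; pointed at a real share it gives a quick count of affected files per directory without relying on file extensions.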


First email address:   flower.harris@protonmail.com
Second email address:  flower.harris@tutanota.com


After that it connects to the attacker's website and sends a report on whether the file encryption succeeded, retrying the connection as needed, as shown in figures (29) and (30).

Figure (29)

Figure (30)

If you want to learn malware analysis you can check my YouTube channel; I'm trying to publish analyses of malware and some methods for analyzing malware.
Please don't forget to subscribe to my channel. Thank you ♥
YouTube channel
https://www.youtube.com/channel/UCParXHaBXBmqRdHuVUg21pA



Malware analyst : Mahmoud El Menshawy.
Contact Me : mahmoudmorsy372@gmail.com.
