Reversing Revil Malware – Part 2 - String Obfuscation and Configuration Setup

locutus@the-collective.net (Ben Mason) — Wed, 24 Feb 2021 09:00:00 -0500

This is the second in a series looking at part of the Revil malware. The first post covered a triage and unpacking of the first stage. The post will look at the high-level flow and look in-depth at the configuration embedded in the sample and some options.

Revil Process Diagram

Looking at the flow diagram (shown above), there is a pretty straightforward flow to the sample. It initially sets itself up by resolving the import table, reading the embedded configuration data, and command-line arguments. After the initial configuration is loaded and processed, the sample starts to execute the encryption and beaconing activities. Finally, it cleans up after itself clearing itself from memory, deleting itself from disk, and exiting. Now that we have an overview of this stage, we will look at how strings are obscured and how the configuration is loaded and processed.

String Encryption

When you run a string identification tool on this binary, you find there are not many readable strings. This sample obscures the vast majority of its strings. When analyzing it, you see many calls similar to this example.

This function located at 0x0040575B uses RC4 to decrypt the strings from a data block located at either 0x0040F270 or 004101B0. These blocks contain both the key and the encrypted data itself. The function is passed a pointer to the data block, offsets of the key and encrypted data, key size, and data size. It returns the clear string as the last parameter of the function call.

In the function that I labeled “mw_run_rc4_decrypt” (0x0040646A), you find a fairly standard RC4 decryption set of routines. I have recreated this functionally in python, which I used heavily when analyzing this sample to label the string variables.

!pip3 install arc4
from arc4 import ARC4
import pefile
import binascii

secondstage = "file1.bin"

pe = pefile.PE(secondstage)
section_offest = 0xf000

for section in pe.sections:
    if b".data" in section.Name:
        hex_data_1 = section.get_data()[(0x101b0-section_offest):]
        hex_data_2 = section.get_data()[(0xf270-section_offest):(0xf17)]

def decrypt(data, position, keylen, datasize):
        
    key = data[position:position+keylen]
    cipher = ARC4(key)
    rc4_data = cipher.decrypt(data[position+keylen:position+keylen+datasize])
    
    # Convert to string
    string_data = ""
    for byte in rc4_data:
        string_data += chr(byte)
    
    return string_data

Revil Configuration

The encrypted configuration is stored in the .7tdlvx section of the binary. The data is RC4 encrypted like string data was. It also includes some tamper protection; there is a CRC32 value stored with the data. Below is the structure of the configuration section. I have labeled the data segments with numbers.

Decryption Key
crc32 Checksum
Configuration Size
Start of Encrypted configuration

The function shown in the image below is used to decrypt the data from the 7tdlvx section. When executed, the CRC32 value of the data is checked, and if it matches, the function is called to run the RC4 decryption. Pointers to the key, key length, address of the encrypted data, and size of the encrypted data are passed into the function to decrypt the data.

After the RC4 decryption, it returns a block of JSON data to a variable for further processing. Below is an abbreviated version of the configuration for readability. I put a full copy of it at the end of this post.

{'arn': False,
 'dbg': False,
 'dmn': '',
 'et': 0,
 'exp': False,
 'img': 'QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG... AHMAdAB1AGMAdABpAG8AbgBzAAAA',
 'nbody': 'LQAtAC0APQA9AD0AIABXAGUAbABjAG8AbQBlAC4AIABBAGcAYQBpAG4ALgAgAD ... ACEAIAAhACEAIQAgACEAIQAAAA==',
 'net': False,
 'nname': '{EXT}-README.txt',
 'pid': '$2b$13$wz1reRfdLg.aiStLDqg5JeqqySemSPatWKHdwbpWVrC3ty7Akscg6',
 'pk': 'SrxAOJ8RkDIIb7jurGu3kJGcui9QRzgmLyRe3dUxNSI=',
 'prc': ['vsnapvss',
         'EnterpriseClient',
         'firefox',
         ..
         'excel',
         'msaccess',
         'agntsvc'],
 'spsize': 1,
 'sub': '58',
 'svc': ['QBCFMonitorService',
         ..
         'saphostexec'],
 'wfld': ['backup', 'bkp', 'archive'],
 'wht': {'ext': ['dll',
                 ..
                 'cur'],
         'fld': ['program files',
                 ..
                 '$recycle.bin'],
         'fls': ['ntuser.ini',
                 ..
                 'thumbs.db']},
 'wipe': True}

To assist in processing and analysis of the configuration I created the following python script to extract and parse the configuration file from the sample.

!pip3 install arc4
from arc4 import ARC4
import pefile
import binascii
import json
import pprint as pp

secondstage = "file1.bin"

try:
   pe
except NameError:
    pe = pefile.PE(secondstage)

key_len = 0x20
section_name = ".7tdlvx"

# located in the .7tdlvx section
for section in pe.sections:
    if bytes(section_name, 'utf-8') in section.Name:
        section_data = section.get_data()

key = section_data[:key_len]
crc = section_data[key_len:key_len+0x4]
config_len = int.from_bytes(section_data[key_len+0x4:key_len+0x8], "little")
print(hex(config_len))
data_3_hex = section_data[key_len+0x8:config_len+key_len+0x8]

print (len(data_3_hex))

cipher = ARC4(key)
dump = cipher.decrypt(data_3_hex)

# Store JSON to file
f = open("config_decoded.txt", "wb")
f.write(bytearray(dump))
f.close()

cfg = json.loads(dump[:-1])
pp.pprint(cfg)

As shown in the configuration example, the configuration is in a JSON-like format that needs to be parsed further to be used by the malware. In the first part of the parsing process, an array is built out, defining the elements and how to process them. The three elements in the example below are and string for the JSON key, an integer for the data type, and a function pointer to the function to parse the data.

// String with configuration Name
configuration_structure[0] = (int)&str_pk;
// Data Type
configuration_structure[1] = 5;
// Funcation to handle the data and write it to a Global Variable
configuration_structure[2] = (int)mw_cfg_pk_decoder;

The parser array along and decrypted configuration are passed into a function the walks through the JSON configuration. The function searches for the keys in the JSON configuration, and the parser function is called to process the configuration content.

Some examples of configuration values that take further processing are ‘pk’, ‘img’, and ‘nbody’. These are all base64 encoded strings that are decoded before being stored in memory. Using the following python code we can see the values stored in these keys.

import base64
import binascii

print("pk: " + str(binascii.hexlify(base64.b64decode(cfg['pk']))))
print("img: " + str(base64.b64decode(cfg['img']).decode('utf-16')))
print("nbody: " + str(base64.b64decode(cfg['nbody']).decode('utf-16'))

pk: b'4abc40389f119032086fb8eeac6bb790919cba2f504738262f245eddd5313522'
img: All of your files are encrypted!

Find {EXT}-README.txt and follow instuctions
nbody: ---=== Welcome. Again. ===---

[+] What's Happened? [+]

Your files have been encrypted and currently unavailable. You can check it. All files in your system have {EXT} extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data.

[+] What are our guarantees? [+]

It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee.
It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money.

[+] How to get access to our website? [+]

Use TOR browser:
  1. Download and install TOR browser from this site: https://torproject.org/
  2. Visit our website: http://4to43yp4mng2gdc3jgnep5bt7lkhqvjqiritbv4x2ebj3qun7wz4y2id.onion

When you visit our website, put the following data into the input form:
Key:


{KEY}


!!! DANGER !!!
DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to  restore your data - it may entail the private key damage and as a result all your data loss!
!!! !!! !!!
ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere.
!!! !!! !!

Conclusion

We covered a couple of the obfuscation functions in this stage of the malware, the use of RC4 in many places to hide plain text data making various functions harder to detect and reverse engineer. The configuration section allows for a lot of flexibility. I can imagine allowing for a fair amount of automation in the build system, simplifying the building and deploy time. The next post will cover the file encryption function section of the code.

Configuration Keys

The key below is a select list of some of the configuration options that affect the flow or functionality of the sample. There are many more keys shown in the full configuration.

Config Key	Usage
dbg	Debug mode?
et	Fast or Full Encryption
dmn	Domain to Beacon
net	Do HTTP beaconing?
arn	Add Run Key?
nbody	Ransom note text
nname	Ransom note filename
img	Desktop Background Text

Full configuration

{'arn': False,
 'dbg': False,
 'dmn': '',
 'et': 0,
 'exp': False,
 'img': 'QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAFIARQBBAEQATQBFAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA',
 'nbody': 'LQAtAC0APQA9AD0AIABXAGUAbABjAG8AbQBlAC4AIABBAGcAYQBpAG4ALgAgAD0APQA9AC0ALQAtAA0ACgANAAoAWwArAF0AIABXAGgAYQB0ACcAcwAgAEgAYQBwAHAAZQBuAGUAZAA/ACAAWwArAF0ADQAKAA0ACgBZAG8AdQByACAAZgBpAGwAZQBzACAAaABhAHYAZQAgAGIAZQBlAG4AIABlAG4AYwByAHkAcAB0AGUAZAAgAGEAbgBkACAAYwB1AHIAcgBlAG4AdABsAHkAIAB1AG4AYQB2AGEAaQBsAGEAYgBsAGUALgAgAFkAbwB1ACAAYwBhAG4AIABjAGgAZQBjAGsAIABpAHQALgAgAEEAbABsACAAZgBpAGwAZQBzACAAaQBuACAAeQBvAHUAcgAgAHMAeQBzAHQAZQBtACAAaABhAHYAZQAgAHsARQBYAFQAfQAgAGUAeAB0AGUAbgBzAGkAbwBuAC4AIABCAHkAIAB0AGgAZQAgAHcAYQB5ACwAIABlAHYAZQByAHkAdABoAGkAbgBnACAAaQBzACAAcABvAHMAcwBpAGIAbABlACAAdABvACAAcgBlAGMAbwB2AGUAcgAgACgAcgBlAHMAdABvAHIAZQApACAAYgB1AHQAIAB5AG8AdQAgAHMAaABvAHUAbABkACAAZgBvAGwAbABvAHcAIABvAHUAcgAgAGkAbgBzAHQAcgB1AGMAdABpAG8AbgBzAC4AIABPAHQAaABlAHIAdwBpAHMAZQAgAHkAbwB1ACAAYwBhAG4AIABOAEUAVgBFAFIAIAByAGUAdAB1AHIAbgAgAHkAbwB1AHIAIABkAGEAdABhAC4ADQAKAA0ACgBbACsAXQAgAFcAaABhAHQAIABhAHIAZQAgAG8AdQByACAAZwB1AGEAcgBhAG4AdABlAGUAcwA/ACAAWwArAF0ADQAKAA0ACgBJAHQAJwBzACAAagB1AHMAdAAgAGEAIABiAHUAcwBpAG4AZQBzAHMAIABhAG4AZAAgAHcAZQAgAGMAYQByAGUAIABvAG4AbAB5ACAAYQBiAG8AdQB0ACAAZwBlAHQAdABpAG4AZwAgAGIAZQBuAGUAZgBpAHQAcwAuACAASQBmACAAdwBlACAAZABvAG4AJwB0ACAAbQBlAGUAdAAgAG8AdQByACAAbwBiAGwAaQBnAGEAdABpAG8AbgBzACwAIABuAG8AYgBvAGQAeQAgAHcAaQBsAGwAIABkAGUAYQBsACAAdwBpAHQAaAAgAHUAcwAuACAASQB0ACAAZABvAGUAcwBuACcAdAAgAGgAbwBsAGQAIABvAHUAcgAgAGkAbgB0AGUAcgBlAHMAdAAuACAAUwBvACAAeQBvAHUAIABjAGEAbgAgAGMAaABlAGMAawAgAHQAaABlACAAYQBiAGkAbABpAHQAeQAgAHQAbwAgAHIAZQBzAHQAbwByAGUAIAB5AG8AdQByACAAZgBpAGwAZQBzAC4AIABGAG8AcgAgAHQAaABpAHMAIABwAHUAcgBwAG8AcwBlACAAeQBvAHUAIABzAGgAbwB1AGwAZAAgAHYAaQBzAGkAdAAgAG8AdQByACAAdwBlAGIAcwBpAHQAZQAgAHcAaABlAHIAZQAgAHkAbwB1ACAAYwBhAG4AIABkAGUAYwByAHkAcAB0ACAAbwBuAGUAIABmAGkAbABlACAAZgBvAHIAIABmAHIAZQBlAC4AIABUAGgAYQB0ACAAaQBzACAAbwB1AHIAIABnAHUAYQByAGEAbgB0AGUAZQAuAA0ACgBJAHQAIABkAG8AZQBzAG4AJwB0ACAAbQBlAHQAdABlAHIAIABmAG8AcgAgAHUAcwAgAHcAaABlAHQAaABlAHIAIAB5AG8AdQAgAGMAbwBvAHAAZQByAGEAdABlACAAdwBpAHQAaAAgAHUAcwAgAG8AcgAgAG4AbwB0AC4AIABCAHUAdAAgAGkAZgAgAHkAbwB1ACAAZABvAG4AJwB0ACwAIAB5AG8AdQAnAGwAbAAgAGwAbwBzAGUAIAB5AG8AdQByACAAdABpAG0AZQAgAGEAbgBkACAAZABhAHQAYQAgAGMAYQB1AHMAZQAgAG8AbgBsAHkAIAB3AGUAIABoAGEAdgBlACAAdABoAGUAIABwAHIAaQB2AGEAdABlACAAawBlAHkAIAB0AG8AIABkAGUAYwByAHkAcAB0ACAAeQBvAHUAcgAgAGYAaQBsAGUAcwAuACAASQBuACAAcAByAGEAYwB0AGkAYwBlACAALQAgAHQAaQBtAGUAIABpAHMAIABtAHUAYwBoACAAbQBvAHIAZQAgAHYAYQBsAHUAYQBiAGwAZQAgAHQAaABhAG4AIABtAG8AbgBlAHkALgANAAoADQAKAFsAKwBdACAASABvAHcAIAB0AG8AIABnAGUAdAAgAGEAYwBjAGUAcwBzACAAdABvACAAbwB1AHIAIAB3AGUAYgBzAGkAdABlAD8AIABbACsAXQANAAoADQAKAFUAcwBlACAAVABPAFIAIABiAHIAbwB3AHMAZQByADoADQAKACAAIAAxAC4AIABEAG8AdwBuAGwAbwBhAGQAIABhAG4AZAAgAGkAbgBzAHQAYQBsAGwAIABUAE8AUgAgAGIAcgBvAHcAcwBlAHIAIABmAHIAbwBtACAAdABoAGkAcwAgAHMAaQB0AGUAOgAgAGgAdAB0AHAAcwA6AC8ALwB0AG8AcgBwAHIAbwBqAGUAYwB0AC4AbwByAGcALwANAAoAIAAgADIALgAgAFYAaQBzAGkAdAAgAG8AdQByACAAdwBlAGIAcwBpAHQAZQA6ACAAaAB0AHQAcAA6AC8ALwA0AHQAbwA0ADMAeQBwADQAbQBuAGcAMgBnAGQAYwAzAGoAZwBuAGUAcAA1AGIAdAA3AGwAawBoAHEAdgBqAHEAaQByAGkAdABiAHYANAB4ADIAZQBiAGoAMwBxAHUAbgA3AHcAegA0AHkAMgBpAGQALgBvAG4AaQBvAG4ADQAKAA0ACgBXAGgAZQBuACAAeQBvAHUAIAB2AGkAcwBpAHQAIABvAHUAcgAgAHcAZQBiAHMAaQB0AGUALAAgAHAAdQB0ACAAdABoAGUAIABmAG8AbABsAG8AdwBpAG4AZwAgAGQAYQB0AGEAIABpAG4AdABvACAAdABoAGUAIABpAG4AcAB1AHQAIABmAG8AcgBtADoADQAKAEsAZQB5ADoADQAKAA0ACgANAAoAewBLAEUAWQB9AA0ACgANAAoADQAKACEAIQAhACAARABBAE4ARwBFAFIAIAAhACEAIQANAAoARABPAE4AJwBUACAAdAByAHkAIAB0AG8AIABjAGgAYQBuAGcAZQAgAGYAaQBsAGUAcwAgAGIAeQAgAHkAbwB1AHIAcwBlAGwAZgAsACAARABPAE4AJwBUACAAdQBzAGUAIABhAG4AeQAgAHQAaABpAHIAZAAgAHAAYQByAHQAeQAgAHMAbwBmAHQAdwBhAHIAZQAgAG8AcgAgAGEAbgB0AGkAdgBpAHIAdQBzACAAcwBvAGwAdQB0AGkAbwBuAHMAIAB0AG8AIAAgAHIAZQBzAHQAbwByAGUAIAB5AG8AdQByACAAZABhAHQAYQAgAC0AIABpAHQAIABtAGEAeQAgAGUAbgB0AGEAaQBsACAAdABoAGUAIABwAHIAaQB2AGEAdABlACAAawBlAHkAIABkAGEAbQBhAGcAZQAgAGEAbgBkACAAYQBzACAAYQAgAHIAZQBzAHUAbAB0ACAAYQBsAGwAIAB5AG8AdQByACAAZABhAHQAYQAgAGwAbwBzAHMAIQANAAoAIQAhACEAIAAhACEAIQAgACEAIQAhAA0ACgBPAE4ARQAgAE0ATwBSAEUAIABUAEkATQBFADoAIABJAHQAJwBzACAAaQBuACAAeQBvAHUAcgAgAGIAZQBzAHQAIABpAG4AdABlAHIAZQBzAHQAcwAgAHQAbwAgAGcAZQB0ACAAeQBvAHUAcgAgAGYAaQBsAGUAcwAgAGIAYQBjAGsALgAgAEYAcgBvAG0AIABvAHUAcgAgAHMAaQBkAGUAIAB3AGUAIAAoAHQAaABlACAAYgBlAHMAdAAgAHMAcABlAGMAaQBhAGwAaQBzAHQAcwAgAGkAbgAgAHQAaABpAHMAIABzAHAAaABlAHIAZQApACAAcgBlAGEAZAB5ACAAdABvACAAbQBhAGsAZQAgAGUAdgBlAHIAeQB0AGgAaQBuAGcAIABmAG8AcgAgAHIAZQBzAHQAbwByAGkAbgBnACAAYgB1AHQAIABwAGwAZQBhAHMAZQAgAGQAbwAgAG4AbwB0ACAAaQBuAHQAZQByAGYAZQByAGUALgANAAoAIQAhACEAIAAhACEAIQAgACEAIQAAAA==',
 'net': False,
 'nname': '{EXT}-README.txt',
 'pid': '$2b$13$wz1reRfdLg.aiStLDqg5JeqqySemSPatWKHdwbpWVrC3ty7Akscg6',
 'pk': 'SrxAOJ8RkDIIb7jurGu3kJGcui9QRzgmLyRe3dUxNSI=',
 'prc': ['vsnapvss',
         'EnterpriseClient',
         'firefox',
         'infopath',
         'cvd',
         'tv_x64.exe',
         'VeeamTransportSvc',
         'steam',
         'encsvc',
         'mydesktopservice',
         'outlook',
         'synctime',
         'ocssd',
         'SAP',
         'cvfwd',
         'bengien',
         'vxmon',
         'bedbh',
         'ocomm',
         'ocautoupds',
         'raw_agent_svc',
         'oracle',
         'disk+work',
         'powerpnt',
         'saposcol',
         'sqbcoreservice',
         'sapstartsrv',
         'beserver',
         'saphostexec',
         'dbeng50',
         'isqlplussvc',
         'CVODS',
         'DellSystemDetect',
         'CVMountd',
         'TeamViewer.exe',
         'dbsnmp',
         'thunderbird',
         'mspub',
         'wordpad',
         'visio',
         'benetns',
         'QBCFMonitorService',
         'TeamViewer_Service.exe',
         'tv_w32.exe',
         'QBIDPService',
         'winword',
         'thebat',
         'VeeamDeploymentSvc',
         'avagent',
         'QBDBMgrN',
         'mydesktopqos',
         'xfssvccon',
         'sql',
         'tbirdconfig',
         'CagService',
         'pvlsvr',
         'avscc',
         'VeeamNFSSvc',
         'onenote',
         'excel',
         'msaccess',
         'agntsvc'],
 'spsize': 1,
 'sub': '58',
 'svc': ['QBCFMonitorService',
         'thebat',
         'dbeng50',
         'winword',
         'dbsnmp',
         'VeeamTransportSvc',
         'disk+work',
         'TeamViewer_Service.exe',
         'firefox',
         'QBIDPService',
         'steam',
         'onenote',
         'CVMountd',
         'cvd',
         'VeeamDeploymentSvc',
         'VeeamNFSSvc',
         'bedbh',
         'mydesktopqos',
         'avscc',
         'infopath',
         'cvfwd',
         'excel',
         'beserver',
         'powerpnt',
         'mspub',
         'synctime',
         'QBDBMgrN',
         'tv_w32.exe',
         'EnterpriseClient',
         'msaccess',
         'ocssd',
         'mydesktopservice',
         'sqbcoreservice',
         'CVODS',
         'DellSystemDetect',
         'oracle',
         'ocautoupds',
         'wordpad',
         'visio',
         'SAP',
         'bengien',
         'TeamViewer.exe',
         'agntsvc',
         'CagService',
         'avagent',
         'ocomm',
         'outlook',
         'saposcol',
         'xfssvccon',
         'isqlplussvc',
         'pvlsvr',
         'sql',
         'tbirdconfig',
         'vxmon',
         'benetns',
         'tv_x64.exe',
         'encsvc',
         'sapstartsrv',
         'vsnapvss',
         'raw_agent_svc',
         'thunderbird',
         'saphostexec'],
 'wfld': ['backup', 'bkp', 'archive'],
 'wht': {'ext': ['dll',
                 'scr',
                 'icns',
                 'ics',
                 'nomedia',
                 'sys',
                 'ps1',
                 'hlp',
                 'lock',
                 'spl',
                 'msi',
                 'mpa',
                 'wpx',
                 'ocx',
                 'drv',
                 'msp',
                 'cmd',
                 'rtp',
                 'key',
                 'deskthemepack',
                 'bat',
                 'ico',
                 'mod',
                 'prf',
                 'diagcfg',
                 'cpl',
                 'adv',
                 'hta',
                 'ani',
                 '386',
                 'bin',
                 'diagcab',
                 'msu',
                 'rom',
                 'diagpkg',
                 'shs',
                 'themepack',
                 'theme',
                 'com',
                 'cab',
                 'msc',
                 'icl',
                 'exe',
                 'idx',
                 'nls',
                 'lnk',
                 'msstyles',
                 'cur'],
         'fld': ['program files',
                 'mozilla',
                 'google',
                 'tor browser',
                 'program files (x86)',
                 'boot',
                 'system volume information',
                 'intel',
                 'msocache',
                 'programdata',
                 'application data',
                 'windows.old',
                 '$windows.~ws',
                 '$windows.~bt',
                 'appdata',
                 'perflogs',
                 '$recycle.bin'],
         'fls': ['ntuser.ini',
                 'autorun.inf',
                 'ntldr',
                 'iconcache.db',
                 'ntuser.dat',
                 'boot.ini',
                 'bootsect.bak',
                 'desktop.ini',
                 'ntuser.dat.log',
                 'bootfont.bin',
                 'thumbs.db']},
 'wipe': True}

Reversing Revil Malware - Part 1 - Stage 1 Unpacker

locutus@the-collective.net (Ben Mason) — Wed, 17 Feb 2021 09:00:00 -0500

This is the first in a series looking at part of the REvil malware. I will start off by showing a brief triage overview of the sample and then dive into the initial details of the stage 1 unpacker. Let us get into it!

Initial Triage

The Revil (aka Sodinokibi) malware is ransomware that encrypts files on a victim’s disk and leaves a note to head to a Tor link to send payment to decrypt your files. The sample I am analyzing has the following has the hash.

λ sha256sum.exe revil.bin
329983dc2a23bd951b24780947cb9a6ae3fb80d5ef546e8538dfd9459b176483 *revil.bin

Uploading the sample to Virustotal showed that it was detected as malicious by the majority of antivirus engines.

VirusTotal
I ran the sample using the sandbox Any.Run, and during the run, you can see it encrypt the files and change the background to instruct the user to look at the ransom note.

ANY.RUN task

After the quick triage showing what this sample does to the victim’s computer, we will start to dive deeper into various aspects of how this sample operates, starting with the initial unpacking.

Unpacking

The Revil malware has two stages, the first stage contains an RC4 encrypted second-stage payload that is unpacked into memory. The second stage payload executes the ransomware functions encrypting files on disk. This executable follows a few steps where the second stage data is decrypted, placed into memory, and then executed.

The main function reflects this flow, looking at the marked-up IDA de-compiler screenshot. You can see the RC4 key copied into a memory buffer used to set up the RC4 KSA.

The resulting S array is passed into the decryption payload function.

The decryption loop pulls data from a pointer I named PAYLOAD_DATA that points to the start of the .enc section of the binary file. The data is decrypted and written back into the .enc section.

To simplify second stage extraction for further analysis, I have written a simple python script to extract the payload, decrypting it, and writing the second stage content to disk.

import pefile
import ARC4

pe = pefile.PE(firststage)

key = "kZlXjn3o373483wb6ne1LIBNWD3KWBEK"

section_name = "enc"

for section in pe.sections:
    if bytes(section_name, 'utf-8') in section.Name:
        section_data = section.get_data()
        
cipher = ARC4(key)
dump = cipher.decrypt(section_data)   

print (dump[:20])

f = open("stage2.bin", "wb")
f.write(bytearray(dump))
f.close()

After this data is decrypted, it is loaded into memory using Windows Native API calls. First, it allocates a memory space using NtAllocateVirtualMemory and then writes the decrypted data to the newly allocated memory location.

It then dynamically resolves some Imports and executes the second stage code by calling into ecx, which points to the new memory region.

Close out

Now the second stage is unpacked and running! In the next post in this series, we will cover how to extract the configuration and parse the configuration data.

revil on Ben's ideas and projects