Locate ransomware encryption Address using IDA

Hi Guys,

Today I am gonna share how to locate ransomware encryption process using process monitor and pin point the function address in IDA to help you easier to debug.

As we know the basic behaviour of ransomware is encrypting the content of the file within its privilege range by reading and creating new file and at the end will remove the original file. With this behaviour we can use process monitor privided by sysinternal to pin point the address in IDA

Simple Ransomware

I wrote a simple code that mimic the behaviour of ransomware (read file, encrypt content and write file) to make our tutorial simpler

#include <iostream>
#include <fstream>
#include <string>
using namespace std;

void ReadFile() {
    fstream newfile;
    newfile.open("C:\\Temp\\file.txt", ios::in); 
    if (newfile.is_open()) {   
        string tp;
        while (getline(newfile, tp)) { 
            cout << tp << "\n"; 
        }
        newfile.close();
    }
}

void EncryptFile() {
    cout << "Encrypting file here...." << endl;
    cout << "Encrypting file here...." << endl;
    cout << "Encrypting file here...." << endl;
    cout << "Encrypting file here...." << endl;
    cout << "Encrypting file here...." << endl;
    cout << "Encrypting file here...." << endl;
}

void WriteFile() {
    fstream newfile;
    newfile.open("C:\\Temp\\file.txt", ios::out);  
    if (newfile.is_open()) 
    {
        newfile << "#$%#^$&%^%@#$%@#$%@%^@%^%FGHDGHGHDFH#%$#%@#$%@#$ \n";   
        newfile.close();    
    }
}

int main() {
    string test;
    cout << "Rio Ransomware" << endl;
    ReadFile();
    EncryptFile();
    WriteFile();
    cout << "Rio Finish ..." << endl;
    cin >> test;

    return 0;
}

As we see above the of the C++ code that I call 3 function ReadFile, EncryptFile, WriteFile in squence. Lets compile it with name MyRansom.exe

Process Monitor

Lets prepare the process monitor and setup the filter so that only our apps being monitored. Lets run process monitor

Press filter and input our application name with Process name containts MyRansom and press Add

when this is ready then you can start trigger the application by double clicking MyRansom console apps. Process monitor will start gathering all information of our application like below

The above is a list of all the activities captured from the begining of the application triggered untill it exited the process. Now as we know this is a ransomware then what we should find in the operation is where the process start reading files from the disk and write it back to the disk.

if we scroll down then we will find that the process will call ReadFile, WriteFile in among its opeation

lets focus our analyses here because we know that based our sequence of function call in our code there will encryption in between of FileRead and FileWrite. We can now add filter so that the list will be shrinked to only that operation with specific path with below

The Function Address

Now lets find the address of the function. We can select one of the operation. I will select the read function and check the stack to get the address

I will try to find the readfile that triggered from our main process as higlighted above. We can see that the ReadFile address is 0x418b3a

Hunt the Address

Now we can open our IDA to findout what is actually happening in that address 0x418b3a. You can press G in IDA to jump to the specified address and press OK

If we look where this code occurs is inside the ReadFile function. Let trace back this function in order to find out where the Encryption function being called.

We can browse back by pressing ‘x

We found the call wrapper. We can press ‘x‘ again to go up again

Now we are arrived at main function where we can see the sequence of our function call

Finaly we found the encryption function being called here. Let see what is the encryption does here

This is the code where the encryption happens. To make the code easier to be understood then IDA provide a handy tool to see the Pseudocode by pressing the F5 in the function

Ok .. we see that it only print out Ecrypting file here …. that match the original C++ code

That is all for the the tutorial to find out where the ransomware encryption function call.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s