Princess Locker

sha256:dc7ab2e7ed26554a11da51a184e95b01e685b1a2f99c7fc77d54d5966530bf60

Exeinfo reports it as unpacked (it isn't) and as a C++ application with a GUI.

../_images/Screenshot_116.png

It has a decent number of imports, including an anti-debugging import, so we have to be careful. pestudio also flags the file-iteration imports and VirtualProtect (which changes memory page permissions).

../_images/Screenshot_214.png

We will set a breakpoint on VirtualProtect to capture the address whose permissions it changes (the first parameter), and a breakpoint on VirtualAlloc to capture the returned memory address in EAX.

../_images/Screenshot_313.png

We hit our entry point breakpoint; continue running.

../_images/Screenshot_413.png

We hit our first breakpoint on VirtualAlloc.

../_images/Screenshot_713.png

Stepping in until we reach the main VirtualAlloc.

../_images/Screenshot_84.png

Stepping over, then taking the value in EAX and following it in the dump, we get this:

../_images/Screenshot_93.png

It may look like garbage data, but looking further ahead we see .rdata, .text and .rsrc in the dump, so this is our main application; we set a breakpoint on execution there.

../_images/Screenshot_104.png

Then we hit our VirtualProtect breakpoint.

../_images/Screenshot_613.png

Continuing to step until we reach the main VirtualProtect call.

../_images/Screenshot_123.png

Looking at the stack to see the pushed arguments (we want the top of the stack, which is the first parameter).

../_images/Screenshot_133.png

The third parameter (third from the top of the stack) is 0x20, which is PAGE_EXECUTE_READ, so we set a hardware breakpoint on execute at that address.

../_images/Screenshot_152.png

And we hit the hardware breakpoint

../_images/Screenshot_232.png

Going to that address we find what looks like code starting with a call (E8); we dump all of it to a binary file.

../_images/Screenshot_142.png

Opening it in a hex editor, we know the header is garbage and needs to be replaced with a good one. We replace everything before the Machine value, since that value is in the File Header, which the OS needs in order to load the executable into memory, so it must not be corrupted. The Machine value for a 32-bit file is 0x014C, which appears in the file as the little-endian bytes 4C 01.

../_images/Screenshot_162.png

Replacing the garbage header; note that the replacement differs in size, so some section alignment will need fixing.

../_images/Screenshot_172.png ../_images/Screenshot_182.png

Now we can open it in PE-bear. First we need to fix the raw addresses: since we dumped it from memory, each section's raw address equals its virtual address.

../_images/Screenshot_192.png

Now we need to fix the raw sizes: .rdata starts at 0x31000 and .text at 0x1000, so the raw size of .text is 0x31000 - 0x1000 = 0x30000.

../_images/Screenshot_202.png ../_images/Screenshot_242.png

Now save the file, then fix the misalignment we created earlier in HxD because we copied in a header of a different size. Open the start of .text at address 0x1000.

../_images/Screenshot_215.png

We just need to pad with zeroes until it lines up.

../_images/Screenshot_222.png

Trying to open it in IDA gives an error. On checking, the size on disk is smaller than the size the PE headers describe; we can append zeroes (the difference between the two sizes) so that they match.

../_images/Screenshot_252.png ../_images/Screenshot_262.png
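The section fixes from the last few steps (raw address = virtual address, raw size = distance to the next section, pad the file out to the image size) can be scripted instead of being done by hand in PE-bear and HxD. The Python below is an added example written for this write-up, not the author's code or any tool's. It assumes the garbage header has already been replaced so a valid PE signature is present, and it builds a constructed in-memory dump with the same .text/.rdata addresses as above to show the result.

```python
import struct

# Offsets from the PE/COFF spec (PE32), used to walk a dumped image.
PE_SIG_OFFSET = 0x3C          # e_lfanew lives here in the DOS header
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
OPT_SIZE_OF_IMAGE = 56        # SizeOfImage inside the PE32 optional header


def _headers(data):
    """Return (section table offset, number of sections, optional header offset)."""
    e_lfanew = struct.unpack_from("<I", data, PE_SIG_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature; the header is still garbage")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 4 + COFF_HEADER_SIZE
    return opt_off + size_of_optional, num_sections, opt_off


def read_sections(data):
    """Parse the section table into dicts (name, header offset, VA, sizes)."""
    table, n, _ = _headers(data)
    secs = []
    for i in range(n):
        hdr = table + i * SECTION_HEADER_SIZE
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        secs.append({"name": name, "hdr": hdr, "vsize": vsize, "va": va,
                     "rawsize": rawsize, "rawptr": rawptr})
    return secs


def fix_dumped_sections(data):
    """Rewrite section raw pointers/sizes for an image dumped from memory.

    In memory there is no file layout, so PointerToRawData must equal the
    VirtualAddress and SizeOfRawData must span up to the next section's VA
    (for the last section, up to SizeOfImage). The buffer is then padded
    with zeroes so the file is as long as the image the headers describe.
    """
    data = bytearray(data)
    _, _, opt_off = _headers(data)
    size_of_image = struct.unpack_from("<I", data, opt_off + OPT_SIZE_OF_IMAGE)[0]
    secs = sorted(read_sections(data), key=lambda s: s["va"])
    for i, s in enumerate(secs):
        end = secs[i + 1]["va"] if i + 1 < len(secs) else size_of_image
        s["rawptr"] = s["va"]
        s["rawsize"] = end - s["va"]
        struct.pack_into("<II", data, s["hdr"] + 16, s["rawsize"], s["rawptr"])
    if len(data) < size_of_image:
        # "size on disk" smaller than the PE size: append the difference as zeroes
        data.extend(b"\0" * (size_of_image - len(data)))
    return bytes(data)


def build_sample_dump():
    """Constructed stand-in for a dump: minimal PE32 headers, bogus raw fields,
    truncated body. Section VAs mirror the write-up (.text 0x1000, .rdata 0x31000)."""
    e_lfanew = 0x40
    size_of_image = 0x45000
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, size_of_image)
    struct.pack_into("<I", opt, 60, 0x400)                      # SizeOfHeaders
    sections = [(b".text", 0x1000), (b".rdata", 0x31000), (b".rsrc", 0x40000)]
    table = b""
    for name, va in sections:
        # VirtualSize 0, bogus SizeOfRawData/PointerToRawData, rest zero
        table += name.ljust(8, b"\0") + struct.pack("<IIII", 0, va, 0xDEAD, 0xBEEF) + b"\0" * 16
    img = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", img, PE_SIG_OFFSET, e_lfanew)
    # COFF header: Machine 0x014C, section count, SizeOfOptionalHeader, Characteristics
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, len(opt), 0x0102)
    img += opt + table
    img += b"\0" * (size_of_image - 0x2000 - len(img))          # body cut short on purpose
    return bytes(img)


if __name__ == "__main__":
    fixed = fix_dumped_sections(build_sample_dump())
    for s in read_sections(fixed):
        print(f"{s['name']:8} VA=0x{s['va']:05X} raw=0x{s['rawptr']:05X} size=0x{s['rawsize']:05X}")
    print(f"file length 0x{len(fixed):X}")
```

Running it prints .text with raw address 0x1000 and raw size 0x30000, matching the arithmetic above, and the file length grows from 0x43000 to the 0x45000 SizeOfImage in the headers. On a real dump, feed the bytes you saved after the header replacement into `fix_dumped_sections` and write the result back out.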

Opening the unpacked in pstudio

../_images/Screenshot_272.png

Let's check the unpacked file in IDA. First it calls 121900, and the output of that function is used as the mutex name.

../_images/Screenshot_281.png

That function is a decryption routine built from convoluted functions; we can just view its output in a debugger to get the mutex name it creates.

../_images/Screenshot_292.png

Mutex name is “lCQhNOCPFC”

../_images/Screenshot_322.png

If the mutex already exists, close the exe.

../_images/Screenshot_302.png

If not, it creates the mutex, and based on the call to 122B40 it either continues or not.

../_images/Screenshot_314.png

In the call to 122B40 it checks whether some file exists in some location (not visible in IDA yet); if it is not found, it creates it.

../_images/Screenshot_332.png

We'll open that function in x32dbg to see what the file is: it is opening the Roaming path.

../_images/Screenshot_342.png

So it searches for a file named “vnjJCGkc.PyO” under the Roaming folder, opening it with CreateFile with CreationDisposition 3 (OPEN_EXISTING).

../_images/Screenshot_352.png ../_images/Screenshot_362.png

It returns 1 if the file exists, which makes the if condition false so nothing happens (probably a check for whether this machine is already infected).

../_images/Screenshot_372.png

After that it proceeds to the call to 123780.

../_images/Screenshot_382.png

It iterates over all drives, local and remote.

../_images/Screenshot_392.png ../_images/Screenshot_402.png ../_images/Screenshot_414.png

After that we see that the routine that created the mutex also builds some library names, which are loaded with LoadLibrary.

../_images/Screenshot_432.png ../_images/Screenshot_442.png

Then it calls 124040.

../_images/Screenshot_452.png

It iterates over the drive path, converting it to lowercase.

../_images/Screenshot_462.png ../_images/Screenshot_472.png

After that it decrypts a string and passes it to a function.

../_images/Screenshot_482.png

It was “recycle bin”.

../_images/Screenshot_492.png

Then it passes the string “recycle bin” to call 127E30, whose only use I saw is to return a value; if that value is -1 (0xFFFFFFFF in 32-bit two's complement) it breaks (likely out of the encryption loop).

../_images/Screenshot_502.png

So it breaks on certain folders it won't encrypt.

../_images/Screenshot_514.png

Other values it breaks on and does not encrypt:

1. system volume information
2. temporary internet files
3. program files
4. program data
5. program files x86
6. windows
7. microsoft
8. appdata
9. local settings
10. recycler
11. mosache

Now it iterates over drive:\* and encrypts the contents, using FindFirstFile and FindNextFile.

../_images/Screenshot_601.png

Then it checks whether the entry is a file or a directory: for a directory it starts all of the above again (recursing), for a file it continues the flow.

../_images/Screenshot_631.png ../_images/Screenshot_614.png ../_images/Screenshot_621.png

Outside that function it loads another hidden library, then calls 1278A0.

../_images/Screenshot_642.png ../_images/Screenshot_651.png

In the call to 122E00 it first calls GetUserDefaultLCID, which returns the locale identifier for the user's default locale, then compares it with 1049 (Russian); if it matches, the ransomware aborts.

../_images/Screenshot_661.png
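Pulling the host-side indicators from this analysis together (the mutex name, the marker file under Roaming, the excluded folder names, and the LCID 1049 check), here is a small triage script that flags them in an API trace. It is an added example, not the author's code: the trace format `pid=... api=... ret=... arg=...` is a hypothetical one made up here, and the sample lines are constructed too, so it runs offline. The folder list is the one given above, lowercased the way the sample lowercases paths before comparing.

```python
import re

# Indicators recorded in the write-up for this sample only; nothing here is
# generalised to other builds.
MUTEX_NAME = "lCQhNOCPFC"
MARKER_FILE = "vnjJCGkc.PyO"
ABORT_LCID = 1049                     # Russian locale: the sample exits
SKIPPED_DIRS = {
    "recycle bin", "system volume information", "temporary internet files",
    "program files", "program data", "program files x86", "windows",
    "microsoft", "appdata", "local settings", "recycler", "mosache",
}

# Constructed API-trace lines in a hypothetical sandbox format (not real tool output).
SAMPLE_TRACE = """\
pid=4120 api=CreateMutexA ret=0x1c8 arg=lCQhNOCPFC
pid=4120 api=CreateFileW ret=0x1d0 arg=C:\\Users\\lab\\AppData\\Roaming\\vnjJCGkc.PyO
pid=4120 api=GetUserDefaultLCID ret=1033
pid=4120 api=FindFirstFileW ret=0x1d4 arg=C:\\*
pid=4120 api=FindFirstFileW ret=0x1d8 arg=C:\\Windows\\*
pid=4120 api=FindFirstFileW ret=0x1dc arg=C:\\Users\\lab\\Documents\\*
"""

LINE_RE = re.compile(r"pid=(\d+) api=(\w+)(?: ret=(\S+))?(?: arg=(.*))?$")


def parse_trace(lines):
    """Turn trace lines into dicts; lines that do not match the format are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            pid, api, ret, arg = m.groups()
            events.append({"pid": int(pid), "api": api, "ret": ret, "arg": arg})
    return events


def would_skip(path):
    """True if any directory component is in the sample's exclusion list.
    The sample lowercases the path first, so the comparison is case-insensitive."""
    parts = re.split(r"[\\/]+", path.lower())
    return any(p in SKIPPED_DIRS for p in parts)


def lcid_aborts(lcid):
    """True if the locale id (decimal or 0x-hex string) would make the sample quit."""
    return int(str(lcid), 0) == ABORT_LCID


def triage(events):
    """Match the behaviours described in the analysis against a parsed trace."""
    findings = {"mutex": [], "marker_file": [], "locale_abort": False,
                "skipped_enumerations": []}
    for ev in events:
        api, arg = ev["api"], ev["arg"] or ""
        if api.startswith("CreateMutex") and arg == MUTEX_NAME:
            findings["mutex"].append(arg)
        elif (api.startswith("CreateFile") and "roaming" in arg.lower()
              and arg.lower().endswith(MARKER_FILE.lower())):
            findings["marker_file"].append(arg)
        elif api == "GetUserDefaultLCID" and ev["ret"] and lcid_aborts(ev["ret"]):
            findings["locale_abort"] = True
        elif api.startswith("FindFirstFile") and would_skip(arg):
            # directory enumerations the sample would abandon
            findings["skipped_enumerations"].append(arg)
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_trace(SAMPLE_TRACE.splitlines())).items():
        print(f"{key}: {value}")
```

On the constructed trace this reports the mutex, the marker file and the skipped `C:\Windows\*` enumeration, with `locale_abort` false because the LCID returned was 1033. The same `would_skip` check explains which of your own directories the sample would have passed over, which is useful when scoping a cleanup.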

Then it calls a function which takes a random number between 21 and 27 and an empty array, which it fills.

../_images/Screenshot_671.png

In 121D50 it loads encrypted DLLs.

../_images/Screenshot_681.png

Acquiring advapi, then some encryption functions.

../_images/Screenshot_691.png ../_images/Screenshot_701.png ../_images/Screenshot_714.png

The rest is the encryption of the files, creating the encrypted files using AES,

../_images/Screenshot_721.png

and sending some data (base64, related to my machine).

../_images/Screenshot_731.png ../_images/Screenshot_741.png