{"id":87153,"date":"2018-12-14T17:28:50","date_gmt":"2018-12-14T11:58:50","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=87153"},"modified":"2018-12-14T17:47:00","modified_gmt":"2018-12-14T12:17:00","slug":"ghost-has-arrived","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/ghost-has-arrived\/","title":{"rendered":"Ghost Has Arrived"},"content":{"rendered":"

On the back of an upswing in Ransomware activity, we decided to carry out an in-depth analysis of Ghost Ransomware. Interesting fact about this malware is that it uses multiple components to encrypt user files.<\/p>\n

Technical Analysis :<\/b><\/strong><\/p>\n

Main malware executable (Ghost.exe) is compiled using the DotNet Framework. The infection vector of this ransomware is still unknown, but this file may arrive on the victim\u2019s machine via spam emails, malvertising, bundled with other files, etc. It uses an icon of the spreadsheet to deceive the user to think he has received an invoice\/quotation etc.<\/p>\n

Initially, Ghost.exe queries \u201cwww.12312312eewfef231.com\u201d. This domain is not registered, but if it is registered then it can work as a kill switch as it performs its malicious activity in the catch for the exception as shown in Fig. 1.<\/p>\n

\"\"
Fig. 1: DNS Query<\/figcaption><\/figure>\n

Ghost.exe drops an executable GhostService.exe at location \u201c%appdata%\\Ghost\u201d on the victim’s machine. It also creates a bat file (Ghost.bat) in Ghost folder and executes it. Ghost.bat creates a service with display name as\u201cGhost\u201d, binpath as\u201c%appdata%\\Ghost\\GhostService.exe” and start mode as \u201cauto\u201d as shown in Fig. 2. Due to auto mode, malware service will be auto-started on every system startup.<\/p>\n

\"\"
Fig. 2: Code to create \u201cGhost.bat\u201d<\/figcaption><\/figure>\n
\"\"
Fig. 3: Content of Ghost.bat to register service<\/figcaption><\/figure>\n

Once the service is successfully registered Ghost.exe starts \u201cGhost\u201d service as shown in Fig. 4.<\/p>\n

\"\"
Fig. 4: Function to start Ghost Service<\/figcaption><\/figure>\n

GhostService.exe creates a .txt file named \u201cDo_Not_Delete_codeId.txt\u201d at the root of\u201cC\u201d drive with Code ID as a content. This Code ID is randomly generated as shown in Fig. 5.<\/p>\n

\"\"
Fig. 5: Function to generate random Code ID<\/figcaption><\/figure>\n

Now it calls a function \u201cstartProcess\u201d to drop components at the root of \u201cC\u201d drive.<\/p>\n

As shown in Fig. 6, GhostService.exe drops below components:<\/p>\n

    \n
  • GhostForm.exe – Displays Ransom note and encrypt files<\/li>\n
  • GhostFile.dll – Exports functions to create a list of files<\/li>\n
  • GhostHammer.dll – Exports AES_Encrypt function\n

    \"\"
    Fig. 6: Function to drop components and start GhostForm.exe<\/figcaption><\/figure><\/li>\n<\/ul>\n

    After dropping the components, it runs GhostForm.exe. Then it calls a function \u201cDatabase\u201d to stop MSSQLSERVER service and encrypt files in \u201cMicrosoft\u00a0SQL\u00a0Server\u201d folder.<\/p>\n

    \"\"
    Fig. 7: Function to encrypt Database files<\/figcaption><\/figure>\n
    \"\"
    Fig. 8: Function to stop SQL service<\/figcaption><\/figure>\n

    It has a list of file extensions which are to be encrypted as shown in Fig. 9.<\/p>\n

    \"\"
    Fig. 9: List of file extensions to be encrypted by GhostService.exe<\/figcaption><\/figure>\n

    Also, it calls a function \u201cdatosC\u201d that encrypts files present only at the root of \u201cC\u201d drive.<\/p>\n

    \"\"
    Fig. 10: Function to encrypt files at the root of \u201cC\u201d drive<\/figcaption><\/figure>\n

    GhostService.exe maintains a timer which repeats these tasks after every 120 seconds.<\/p>\n

    \"\"
    Fig. 11: Timer function<\/figcaption><\/figure>\n

    GhostForm.exe displays a Ransom note. It also maintains a timer, after every 120 seconds it closes the Ransom note.<\/p>\n

    \"\"
    Fig. 12: Ransom Note<\/figcaption><\/figure>\n

    Code ID in ransom note is same as one written to C:\\Do_Not_Delete_codeId.txt.<\/p>\n

    As seen in Fig. 12 malware author demands Bitcoin worth 500 USD to be paid to the following address : https:\/\/blockchain.info\/payment_request?address=1N7AmqH12EN3yAkVMPB5rZoVX758jgLbzj&amount_local=500&currency=USD&nosavecurrency=true&message=Pay%20me!<\/p>\n

    \"\"
    Fig. 13: Contents of Do_Not_Delete_codeId.txt<\/figcaption><\/figure>\n

    Next, it calls a function \u201cstartEncrypt\u201d to create a list of files present in the following folders :<\/p>\n

      \n
    • Desktop<\/li>\n
    • Document<\/li>\n
    • Picture<\/li>\n
    • Videos<\/li>\n
    • Music<\/li>\n<\/ul>\n

      As seen in the above list,\u00a0malware encrypts the files at some specific locations only. It has targeted Desktop folder where the user usually keeps\u00a0most of their data. Also, Document, Pictures, Videos, and Music are folders provided by Windows OS to store respective type of files.<\/p>\n

      \"\"
      Fig. 14: Function to create a list of files and encrypt them<\/figcaption><\/figure>\n

      Functions to get the list of files from above-mentioned folders are present in GhostFile.dll.<\/p>\n

      \"\"
      Fig. 15: Function to create a list of files in the Desktop folder<\/figcaption><\/figure>\n
      \"\"
      Fig. 16: Function to create a list of files in the Documents folder<\/figcaption><\/figure>\n
      \"\"
      Fig. 17: Function to create a list of files in the Pictures folder<\/figcaption><\/figure>\n
      \"\"
      Fig. 18: Function to create a list of files in the Videos folder<\/figcaption><\/figure>\n
      \"\"
      Fig. 19: Function to create a list of files in the Music folder<\/figcaption><\/figure>\n

      The malware creates a list of files based on extensions present in the extension list as shown in Fig. 20. Once the list of files is ready, encryption routine is called from GhostHammer.dll. Files are encrypted using AES algorithm and \u201c.Ghost\u201dextension is added to encrypted files.<\/p>\n

      \"\"
      Fig. 20: List of file extensions to be encrypted by GhostForm.exe<\/figcaption><\/figure>\n

      Difference between the 2 extension list is \u201c.txt\u201d files are not encrypted by GhostService whereas they are encrypted by GhostForm.exe.<\/p>\n

      IOCs :<\/strong><\/p>\n

      3a2633cd5152a229d1f986073082ecd0<\/p>\n

      3d33f7f9f2e5fa3f4e7d2d6de5c9b7f1<\/p>\n

      464da6c4465816cba2d278634e2b9d3e<\/p>\n

      5db40b7c42376cc077383069a9c509eb<\/p>\n

      b93588bbb3f3f0addd5598586bbe2566<\/p>\n

      cd0f7f29e337f2ebe455ba4a85fb2b70<\/p>\n

      Quick Heal products detects these malware with below names :<\/strong><\/p>\n

      “Ransom.Ghost.S*”<\/p>\n

      “Ransom.Bat.Ghost.*”<\/p>\n

      Conclusion :<\/b><\/strong><\/p>\n

      We have seen the ransomware count to have\u00a0significantly increased in recent times. Malware authors have started using different techniques to encrypt user files.<\/p>\n

      Some general recommendations to stay safe from Ransomware :<\/strong><\/p>\n

        \n
      • Do not open suspicious emails, especially if they have an attachment.<\/li>\n
      • Update your Operating System(OS)<\/li>\n
      • Update your software. Older and outdated versions of software have vulnerabilities which are mostly exploited by attackers to infect your system.<\/li>\n
      • Take regular data backup and keep it in a secure location.<\/li>\n
      • Use a multi-layered antivirus in your system which will protect you from real-time threats. And keep your antivirus up-to-date.<\/li>\n<\/ul>\n

        Subject Matter Expert:<\/strong><\/p>\n

        Ravi Gidwani | Quick Heal Security Labs<\/p>\n

         <\/p>\n

         <\/p>\n","protected":false},"excerpt":{"rendered":"

        On the back of an upswing in Ransomware activity, we decided to carry out an in-depth analysis of Ghost Ransomware. Interesting fact about this malware is that it uses multiple components to encrypt user files. Technical Analysis : Main malware executable (Ghost.exe) is compiled using the DotNet Framework. The infection vector of this ransomware is […]<\/p>\n","protected":false},"author":51,"featured_media":87177,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,24,910,5,304,293],"tags":[1637,1635,331,1638,50,1636],"class_list":["post-87153","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-email","category-malware","category-ransomware","category-security","category-social-engineering-2","category-spam","tag-database","tag-dotnet","tag-encryption","tag-kill-switch","tag-ransomware","tag-user-files"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87153"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/51"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87153"}],"version-history":[{"count":5,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87153\/revisions"}],"predecessor-version":[{"id":87181,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87153\/revisions\/87181"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87177"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=87153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}