11 months ago

Revenge is a ransomware that ciphers user files with .REVENGE extension.

Analyzed sample:
md5, e0d52cc8793592184a854fde5afaf152
sha256, f5bceebaecb329380385509d263f55e3d7bddde02377636a0e15f8bfd77a84a6

After run the sample it leave a help file next to the ciphered files.

Inside the help file there are the instructions to recover the ciphered files.
Also, it connect with the CnC and send user data.
This is not a behaivor analysis of Revenge so, lets unpack it.

After a research we see a call to GlobalAlloc with the size 0xB400, so we will put a BP to see where and what it drops in the memory address returned by GlobalAlloc.

We are going to debug with OllyDBG.
We set the BP on GlobalAlloc. After GlobalAlloc call, we can see the address where the some data will be dropped. In my case it is 0x0015B7F0 (EAX)

We follow the address in Hex dump and we can see a empty section. Bellow GlobalAlloc we see the RtlMoveMemory function with a length 0xB400 as parameter (Like before Allocated memory size) so probably in that call some data will be moved from somewhere to allocated memory. Lets see

After set the BP in the next instrucction and press run we see that some data was dropped to allocated memory.

They look like encrypted data or garbage
We see a call to a function bellow last instrucction maybe it is the decipher algorithm. We run to 0x00407183 address (after possible decryption algorithm) and we can see deciphered data and it seems a PE file so, lets dump.

We do static analysis to the dumped file and we see interesting strings:

- (CNC)
- /js/other_scripts/get.php
- EMAIL: revenge00@writeme.com (Support mail)

And many more:

If we run the dumped exe it run well and it starts ciphering the files.

As you can See is a PE and we can open with IDA or another debugger.

Author: @D00RT

← Calling conventions #NotPetya #NotRelated files, In other words "Loki Bot" →