ymchen

powershell ransomware


The Behavior Blocker can monitor for potentially malicious behavior in scripts (VBS, batch, JavaScript, etc) that are executed by command line script processors (cscript.exe and cmd.exe for instance). To my knowledge PowerShell is no different.


Below are the samples of PowerShell ransomware I had tested; unfortunately the Behavior Blocker doesn't monitor PowerShell commands tightly.

https://my.mixtape.moe/mlfmap.7z

 

Edited by GT500
Put link to live malware in code tag to avoid misclicks.


Guys, a couple of important points.

1. THIS IS A BIGGIE. That zip file is live malware. If you don't know what you are doing, DON'T MESS WITH IT.

2. In terms of dealing with this malware a couple of things.

The BB may not be perfect, and the File Guard may not be perfect, but together they can be a formidable defense. When I tested this file, upon extracting them all 4 pieces of malware were immediately quarantined by the File Guard. So you were protected.

But there is also a third thing you can do and it totally nails the coffin.

Most users have no use for PowerShell other than potentially getting infected, so do this:

1. Go to the Protection tab > Application Rules.

You are going to create 4 new rules as follows.

a) Select c:\windows\system32\WindowsPowershell\v1.0\Powershell.exe and set it to always block.

b) Do the same thing for powershell_ise.exe.

Then repeat a and b but with c:\windows\syswow64\windowspowershell\v1.0 and the same two exe's.

Then you can relax about PowerShell.


Fabian mentioned somewhere in the past (I think on Wilders):

1. PowerShell script parsing is an ongoing project due to the many ways PowerShell can be used to attack.

2. Attributing action to a script requires it to be unobfuscated (he made a brief distinction between unobfuscated and obfuscated).

 

And Windows PowerShell is not powershell.exe; Windows PowerShell is System.Management.Automation. Disabling powershell.exe on a system is not 100% absolute protection against PowerShell abuse. A custom .exe and .dll can be used to execute PowerShell even when powershell.exe is disabled. Is all of this something you should be paranoid about?

Statistically it is "fringe" stuff and should not be a day-to-day concern.

The litmus test is this question: "How many dedicated Emsisoft users actually have their system(s) compromised under typical computing conditions?" What do you think - is it a tiny, a small or a big number?

Anyway, potentially serious security issues seem to be pretty much always addressed by Emsisoft.

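The point above, that the engine is System.Management.Automation rather than powershell.exe, can be checked from the defender's side. The following is an added example, not code from any participant in this thread: it lists every running process that has the PowerShell engine loaded and flags the ones that are not one of the four powershell.exe / powershell_ise.exe paths the earlier post suggests blocking. It assumes an elevated 64-bit PowerShell session so that other processes' module lists are readable.

```powershell
# Added example (not from the forum thread): find processes hosting the
# PowerShell engine and flag custom hosts that an application rule on
# powershell.exe / powershell_ise.exe alone would not cover.

# The four host paths from the earlier post, built from $env:SystemRoot.
$knownHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
)

function Get-PowerShellHostProcess {
    foreach ($proc in Get-Process) {
        # Skip the current session; it obviously hosts the engine.
        if ($proc.Id -eq $PID) { continue }

        try {
            # Module lists of protected/system processes are unreadable and
            # throw; treat those as unknown rather than as hits.
            $mods = $proc.Modules
        } catch {
            continue
        }

        # The engine appears as System.Management.Automation.dll or its
        # native image System.Management.Automation.ni.dll.
        $engine = $mods | Where-Object { $_.ModuleName -like 'System.Management.Automation*' }
        if (-not $engine) { continue }

        # Path is $null when it cannot be read; such a host is not "known".
        $path = $proc.Path
        [pscustomobject]@{
            Id        = $proc.Id
            Name      = $proc.ProcessName
            Path      = $path
            # $false here means a custom host: blocking powershell.exe
            # would not have stopped it.
            KnownHost = ($null -ne $path) -and ($knownHosts -contains $path)
        }
    }
}

Get-PowerShellHostProcess | Sort-Object KnownHost | Format-Table -AutoSize
```

This is a point-in-time snapshot of loaded modules, so a host that has already exited will not appear; run it while the activity of interest is ongoing.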

As soon as I unpacked the zip, I too found that everything in it got quarantined.    The files are of course harmless provided you don't run them.  I was very careful...
21 hours ago, ymchen said:

Below are the samples of PowerShell ransomware I had tested; unfortunately the Behavior Blocker doesn't monitor PowerShell commands tightly.

https://my.mixtape.moe/mlfmap.7z

 

Do not post links to live malware on the forums (password protected or otherwise) without at least making sure that the forums don't automatically turn them into links. Use code tags or obfuscate part of the URL so that the forums don't linkify it. I went ahead and fixed it in your post.

 

I've asked our malware analysts about this particular ransomware sample.


Quick analysis: the JavaScript (*.js) files are all blocked by the Behavior Blocker. The .hta file (which is the encrypter itself) was not blocked; however, since the JavaScript files would usually execute the encrypter, this should not be a major issue, since all of those are blocked automatically (no need to even click a button in an alert).

Also, we are having trouble getting the .hta file to run on Windows 10. It works fine on 64-bit Windows 7 though (haven't tested on 32-bit). Our malware analysts are checking to see why this is the case (it may need to be executed with certain parameters in order to run on Win 10 or it may simply not be compatible with Win 10), and why the Behavior Blocker is not blocking the .hta file to begin with.


Quick update, one of our malware analysts is seeing an alert for the .hta file on Windows 7 x64, so now we have to figure out why my VM is being weird. ;)

Edit: I misunderstood, and apparently the .hta file wasn't executing on Windows 7 x64 for our malware analyst who was helping me test. He was eventually able to get it to run, and there were no alerts for it. We have confirmed that it is blocked automatically by the Behavior Blocker on Windows 10 though:

ransomware_blocked_win_10.png


Looks good now, all JS scripts confirmed blocked ^_^ The .hta file still gave no alert from BB or the Anti-Malware Network (Win 7 x64), extension BMCODE. Anyway, thanks for testing, very much appreciated 8)

12 hours ago, ymchen said:

The .hta file still gave no alert from BB or the Anti-Malware Network (Win 7 x64)

From what I've heard, it may have something to do with differences in how .hta files are processed on Windows 7 and Windows 10.

On 7/14/2017 at 6:45 AM, Peter2150 said:


Thanks for the important information.
