Dynamically Analyzing Linux Black Basta Ransomware
HTML-код
- Опубликовано: 11 июл 2024
- In this video, we dynamically analyze the Linux Black Basta ransomware family. We use strace to determine the required directories and trigger both the encryption and decryption behavior.
---
Timestamps:
00:00 Intro
00:44 Analysis Enviroment
02:13 Starting Dynamic Analysis
03:19 Decryptors
04:26 Trigging Encryptor
06:21 Strace
08:00 VMWare ESXi
09:39 VMFS Test
12:30 Ransom Note
15:07 Strace Encryptor Output
15:50 Multithreading
17:48 Triggering Decryptor
19:38 Dumped key?
20:58 Decryptor Round 2
22:58 Successful Decryption!
23:27 Recap
---
Software Links Mentioned in Video:
strace manpage:
www.man7.org/linux/man-pages/...
---
Malware Examined in the video (BlackBasta):
Decryptor:
sha256:96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be
Encryptor:
sha256:0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef
---
laurieWIRED Twitter:
/ lauriewired
laurieWIRED Website:
lauriewired.com
laurieWIRED Github:
github.com/LaurieWired
laurieWIRED HN:
news.ycombinator.com/user?id=...
laurieWIRED Reddit:
/ lauriewired Наука
The fact that you can analyze, decypher, plan ahead and slow yourself down for us, in order to perform this perfectly clear pedagogic explanation, all at once, is kinda impressive.
This must be one of the most underrated channels on YT.
I beg to differ
she chose the worst ransomware to investigate ever
Explain @@thesickestnoodle-nq3wn
@@thesickestnoodle-nq3wn what's wrong with this one?
@@dogyX3It's incredibly simple and featureless... Tons of more fitting samples
@@thesickestnoodle-nq3wn Come on... I am impressed. Don't be a dick
typical Linux experience: you even have to troubleshot malware and actually try hard to get it working
Actually, her experience was due to the fact she was not running Virtual Machine hardware in a certain configuration. A mere change to a path can result in the ransomware not working.
I absolutely love this format. The "window" switching is really cool.
yup, a switch to classic Mac OS. Could use some BeOS love :D
Let's all love lain
Thanks for uploading. I’m learning a lot of cool stuff from the channel. Haven’t seen all the videos but thank the algorithm for the recommending this channel.
Great job Laurie! I love how strace can show so much. In a CTF I wrote in x86 Assembler, I worked to hide all of the traces but few ever go to such lengths.
strace traces syscalls. No way to read or write files under Linux without syscalls, even in assembly.
Kudos to the amount of work you put into the production! The MacOS/WinXP crossover made me lough and love to the Corgi :)
Also, you have a really calm and structured way of teaching. 👌
This was a great watch, really interesting stuff. Thank you for creating this
Thanks for these videos. It has really got me interested in malware analysis.
Very interesting, love your channel
I love your videos! I learn so much!! Thank you
Pure Gold !
Pls never stop !
Excellente vidéo, merci pour ce contenu
Good work Laurie.
Great content!
ty for the upload!
awesome and way above my head! ::Swoosh::
Ok you had ne at the Lain intro lol subscribed
That's awesome
Fun! Informative! Really enjoy your videos! #LaurieWired
Nice exercice! Note that this malware must first acquire root privileges to do anything ugly.
The world needs more Lauries
Thanks, I leaned so much. I agree withlkron5741, this channel is very underrated.
"Present Day, Present Time -- Copland OS"
container inside vm inside vm. lets go!
Hi Laurie great video do you mind making a video of putting black Basta into ghidra I'm currently trying to analyze a windows version the one that starts with ae7 an I'm completely lost in ghidra
I started my reverse engineering career as a teen in the late 80s, mostly cracking games and hunting malware on MS-DOS. Glad to see the next generation going strong at it!
This women has great style :-) and so cool how she explains stuff. Thanks
Jimmy 'two-times' from GoodFellas would've cracked this. "I'm gonna get the papers. Get the papers". "I'm gonna decrypt the files. Decrypt the files".
Hi Laurie. Stupid question, but the Ubuntu VM you are using is 64bit or 32bit ? just asking. Thank you
Great Video BTW
What theme is Laurie using for the XP feeling?
Saw the lain intro and hit subscribe immediately
I'm so confused... it encrypted to a length of bytes that you'd probably expect. Which then decrypted to a small number of bytes (about the size of a key). Which then encrypted back to a length similar to the original encryption. Which then decrypted back to the original bytes.
I've never come across anything like that before... wouldn't the initial decryption that shortened the bytes lose information? Is this multiple encrypt/decrypt a common method in cyber-sec land?
it's really weird for sure... but after the first "Decrypt" the length could also be similar to the "hello world" text itself, so maybe it converted it to something close to the original bytes, but maybe NOT'd or something. Then when you Encrypt again, and Decrypt again, you get another NOT inverse which results in the original text. I'm actually more interested how it really is doing the encryption, what key it is using. if they really wanted the client not to be able to recover it they would generate a random encryption key on the fly and then send it back to the "mothership". but I guess that leads to too many potential problems so it's not worth it -- better to make a pseudo security theater encryption/decryption for the best chances of getting paid.
@@MichaelButlerC It's perhaps a XOR pass or something else that masks the data in a reversible way? If it's XOR'ed with the key, it would make it more difficult to break, as the decrypted data wouldn't actually match the encrypted data in a predictable way?
How about a roadmap for learning these techniques
The old TV
These thumbnails though 😂
It doesn't appear that the ransomware is actually "stealing" the data and transferring it to another server. Wouldn't you see that in the strace? Or am I misunderstanding how this malware works?
My guess is that the authors are bluffing with the data being stoled, but obviously not with the encryption part. They have probably crafted versions of this malware based on the targeted company and when paid ransom would reveal the decryption key based on the company id of the target (or they wouldn't share it at all).
I was looking for the malware attempting to detect network interfaces as based on the fact that this container is isolated it would not be able to do much and cease further attempts, but I did not see any syscalls that would indicate it.
@@MartinWoadand also, looks like the "decryption" part didn't even require any decryption key input, so it was most likely all "built-in" to both binaries (probably to reduce risk of failure, which leads to failure in getting paid).
What keyboard are you using? I love the sound of it
perhaps a mechanical keyboard with customized switches.. I love the sound of it too
what OS is that?
win11
Weird that it took an extra encrypt+decrypt to get back to the original
Probably a mistake of malware writers. I have seen a case when some ransomware encrypted all files with the same kay and IV, so if you happen to have an original file of one of the encrypted files, you just needed to xor them, and then xor the result with all other files to decrypt them (except ones that are longer, obviously).
It would be nice to find out how it really works and understand why it happens.
Looks like it targets VMware O/S
WRITE A BOOK
Schway
похоже это настоящая девушка, не транс, фембой или актёрша не понимающая что читает с телесуфлёра...
Well, strace doesn't tell you much, just traces system calls. You should use gdb and/or a disassembler instead to figure out how the actual encryption works.
i am sorry !what! thankyou
How's chad?