Hi, first of all: sorry for my bad English. It's not my native language (I'M FRENCH).
Well, I've wanted to write a post about this for a long time, but I couldn't be bothered to look at it.
I finally did it because no one seems to have done it before (or no one had the sample to work on?).
So let's start directly. If you want to know more about the GpCode story, have a look at this post:
Some technical information about the file:
Packer: UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo
File size: 10.5 KB (10,752 bytes)
Also known as: Trojan.Gpcoder.G (Symantec), GPcoder.j (McAfee), Trojan:Win32/Ransom.BQ (Microsoft), TROJ_RANSOM.EWQ (TrendMicro), Troj/Ransom-U (Sophos)
"Main place" in Ollydbg:
OEP: 0x401990 (when unpacked)
In the first call, GpCode loads and locks a resource.
Screenshot of the grabbed data:
According to the first bytes this is not a valid PE file (so why copy it around?).
Here it gets the size of the resource; eax will contain 0000055D (1373).
Note: the Resource Hacker screenshot also shows the size.
When that's done, it allocates memory with GlobalAlloc (eax: 00175158),
with the specified size: 0x55D.
Then it copies the resource to that memory (00175158).
Right after that it enters another call.
This call decrypts the data at 00175158 (this is where it gets interesting).
At the end of the loop:
We get clear text, including the list of extensions that will be encrypted:
.bat, .sys, .exe and .ini files will not be attacked because the system uses all of them,
and the goal of GpCode is not to crash the system.
It then returns to the call and copies the memory again to another place,
this time selecting a block of 398 bytes and moving it to 00175BB8.
Block of 398 bytes:
After that, another block is moved (271 bytes).
The block of bytes that was moved, you guessed it:
After that it returns to the "Main place" (screenshot 1)
and creates the mutex "ilold".
Then it goes into a call... a crypto procedure.
Well, I'm not very good at explaining crypto stuff,
so I will keep it simple: it generates a key, then stores it and uses GlobalAlloc to get a free memory block.
I will give you some screenshots; if you have a better level than me, you will surely understand.
Hex dump of address 4044A2:
Then it also allocates memory at 0017CD30:
It takes 44 bytes from 0017B928 and moves them to 008F0020.
And what do we see in the code?
A call to CryptEncrypt, used for RSA:
After that it creates a thread and calls GetLogicalDrives to retrieve a bitmask of the currently available disk drives.
Then we enter a loop.
The return value of GetLogicalDrives is a bitmask representing the currently available disk drives:
bit 0 (the least-significant bit) is drive A, bit 1 is drive B, bit 2 is drive C, and so on.
The loop starts at bit 25 (drive Z) and counts down; when a set bit is found, for example 'D' (bit 3),
the "jump if equal" is not taken, a call is made that *does something* with that drive, and then it returns to the loop and continues with the next position, bit 2: 'C'.
I call this procedure the "Core" because everything about the data is decided inside it.
Let's see what it does with 'D'.
It does... NOTHING.
'D' was my CD drive and there was no CD inside (FindFirstFileA is an explicit API, right?), so eax returns FFFFFFFF (INVALID_HANDLE_VALUE).
It takes the jump that leaves the procedure.
But what about my local disk 'C', which is next?
There is a blacklisted file name: "HOW TO DECRYPT FILES.txt".
If the ransomware finds this file, it leaves the routine:
It does another check after that, but we don't know for which file yet.
It would be bad if the ransomware encrypted its own stuff -.^ (to be continued)
After this check, the ransomware builds the path to the file
and then checks the file's extension:
The ".bat" extension is not in the list of extensions to encrypt, so it simply leaves via this line
and proceeds to the next file:
To test the procedure I made a txt file called "AUTOEXEC.txt".
This time it detects the .txt extension and doesn't take the conditional jump:
It jumps here:
What do we see?
It takes the full path to the file, then enters a procedure and does something.
After the return, it renames the file with the extension ".ENCODED"
and continues checking other files.
Let's enter the call now.
The interesting thing is this size check: files under 11 bytes (10 bytes or less) are not encrypted,
like my AUTOEXEC.txt, which is 4 bytes ("test").
It takes the conditional jump and we are here:
It closes the handle and returns to the "core"; nothing inside the txt was encrypted.
I think it skips files of 10 bytes or less to save time: such tiny files are useless,
and it needs to encrypt data as fast as possible.
It nevertheless adds the .ENCODED extension to those small files [IS THAT A BUG????]
(A typical victim will think everything is encrypted, right?)
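To make the drive loop and the "core" file-selection logic above concrete, here is a small Python model of the decisions described in this post. This is an added example, not code from the original post or from the malware: the extension allow-list below is constructed (only .txt as a target and .bat/.sys/.exe/.ini as excluded are confirmed by the text), the directory listing is made up, and the "strip the .ENCODED suffix to recover" step assumes the extension was appended to the original name, which the post does not show explicitly.

```python
"""Model of GpCode's drive walk and file-selection logic as described in the write-up.

Added example for illustration; not the malware's code and not the original post's.
Assumptions are marked in comments.
"""
import ntpath  # Windows path rules regardless of the host OS

NOTE_NAME = "HOW TO DECRYPT FILES.txt"   # blacklisted file name (from the post)
MIN_SIZE = 11                            # files under 11 bytes are renamed but never encrypted (from the post)
SYSTEM_EXTENSIONS = {".bat", ".sys", ".exe", ".ini"}  # never attacked (from the post)
# CONSTRUCTED allow-list: .txt is confirmed by the post; .doc and .xls are placeholders.
TARGET_EXTENSIONS = {".txt", ".doc", ".xls"}
ENCODED_SUFFIX = ".ENCODED"


def drives_from_bitmask(mask):
    """Decode a GetLogicalDrives() bitmask in the order GpCode walks it:
    bit 25 (drive Z) down to bit 0 (drive A)."""
    return [chr(ord("A") + bit) for bit in range(25, -1, -1) if (mask >> bit) & 1]


def classify(path, size):
    """Reproduce the "core" decision for one file.

    Returns one of:
      SKIP_BLACKLISTED - the ransom note itself (routine is left)
      SKIP_EXTENSION   - extension not in the target list (or a system extension)
      RENAME_ONLY      - target extension but under MIN_SIZE: gets .ENCODED, content untouched
      ENCRYPT          - read, CryptEncrypt, write back, then rename
    """
    name = ntpath.basename(path)
    ext = ntpath.splitext(name)[1].lower()
    # Windows file names are case-insensitive; the exact comparison the malware
    # uses is not shown in the post, so this is an assumption.
    if name.lower() == NOTE_NAME.lower():
        return "SKIP_BLACKLISTED"
    if ext in SYSTEM_EXTENSIONS or ext not in TARGET_EXTENSIONS:
        return "SKIP_EXTENSION"
    if size < MIN_SIZE:
        return "RENAME_ONLY"
    return "ENCRYPT"


def recoverable_by_rename(listing):
    """Triage after an infection: .ENCODED files under MIN_SIZE were never
    passed to CryptEncrypt, so their content is the original plaintext.
    `listing` is an iterable of (path, size_in_bytes)."""
    return [
        path for path, size in listing
        if path.endswith(ENCODED_SUFFIX) and size < MIN_SIZE
    ]


def original_name(encoded_path):
    """Assumes .ENCODED was appended to the original name (not confirmed by the post)."""
    if encoded_path.endswith(ENCODED_SUFFIX):
        return encoded_path[: -len(ENCODED_SUFFIX)]
    return encoded_path


# CONSTRUCTED sample listing of a victim's C: drive after the run.
SAMPLE_LISTING = [
    (r"C:\AUTOEXEC.txt.ENCODED", 4),        # 4-byte "test" file: renamed, not encrypted
    (r"C:\AUTOEXEC.bat", 210),              # system extension: untouched
    (r"C:\Documents and Settings\Administrateur\Desktop\HOW TO DECRYPT FILES.txt", 900),
    (r"C:\notes.txt.ENCODED", 2048),        # really encrypted
]

if __name__ == "__main__":
    print(drives_from_bitmask(0b1100))                 # CD drive D, then C
    for path, size in SAMPLE_LISTING:
        print(path, "->", classify(original_name(path), size))
    for path in recoverable_by_rename(SAMPLE_LISTING):
        print("recover by renaming:", path, "->", original_name(path))
```

Run it as-is to see the decision for each constructed entry; the practical takeaway is the last loop, which lists the "encrypted" files that are actually intact and only need their name restored.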
So it continues to process the next files, and finally, after a few attempts, the 2nd thread starts.
GpCode creates a TXT file on your desktop,
using the SHGetSpecialFolderPathA API to find the desktop path.
It creates a file called "HOW TO DECRYPT FILES.txt" and writes into it.
Then it goes into a loop for the RSA key and writes it at the end of the file (HOW TO DECRYPT FILES.txt).
Example of the file it makes:
After that it changes your wallpaper:
it looks up the bitmap resource and drops it in the %temp% folder with a random name,
then calls an API to set it as wallpaper, with the stretch option to fill your entire screen.
Then it continues searching for other files to encrypt,
and now we know the dropped bitmap is the second blacklisted file.
Let's follow this "brndlog.txt", located in:
C:\Documents and Settings\Administrateur\Application Data\Microsoft\Internet Explorer
It opens a handle to the file with GENERIC_READ and uses GetFileSize to check whether it should be encrypted or not.
After the size check, it uses SetFilePointer (whose offset is passed as two LONG values) to position the file pointer.
Then it reads the file into a buffer and calls CryptEncrypt on the stored data.
After that it writes the file (brndlog.txt) with the new data.
Now it returns to the core, adds the .ENCODED extension and proceeds to the next file.
Once all drives are "encrypted", it leaves the "core" and returns to the "main place".
It enters two procedures and calls an API to close the program.
The first procedure:
It destroys the key and releases the handle of the CSP.
It creates a file called "ntfs_system.bat" (in the same folder as the ransomware)
and executes it, then calls the ExitProcess API to close the program,
and "ntfs_system.bat" deletes GpCode from our system.
All your data is encrypted by an executable of 25 KB and there is no way to recover it without paying the ransom...
The malware author claims in the txt file:
"after n days all encrypted files will be completely deleted and you will have no chance to get it back."
As we have seen, there is absolutely nothing in the code to do such a thing.
It says that just to scare users, pushing them into buying the 'special decrypt program'.
Also, even non-expert users should be aware of the problem and should recognize GpCode as soon as the first or second "warning" appears on the screen.
Pressing the Reset/Power button of your PC can save a significant amount of your valuable data,
and GpCode does not create a startup key, so you can boot safely after an infection.
Conclusion: back up your data from time to time to a safe place, and don't forget to unplug the storage device which contains these backups.
Bonus: a tiny (useless) app that reads the cfg file from GpCode :)