Nemty Ransomware (Version 2.6) Technical Analysis Report



Analyst: Fatih ŞENSOY
Introduction

Nemty, a new ransomware family that first appeared in August 2019, has continued its attacks recently. The most recent sample, seen on 09/03/2020 and designated version 2.6, targets both companies and personal computers.

After encryption, the attacker demands an average of $1000 worth of Bitcoin from the victim. If payment is not made within the specified period, the victim is additionally blackmailed with the threat of leaking files from the affected systems.

The identifying information for the Nemty ransomware sample is given in the table below:

  Malware Name   Nemty Ransomware
  Version        V.2.6
  MD5            2b6c6d8424c1b149c7f81e2565aaa7e6
  SHA1           f966ffdeabd60ae0ebd9c78fbd11f78319016fd8
  SHA256         613c390d6b3b792d6bf0765e97719ac4278741abcebdd03d9fe394c8a46a841c
Preview

Nemty performs many operations on the system. The process overview images of Nemty are shown below.

[Figure: nemty-procover.png (process overview)]

[Figure: nemty-proc2.png (process overview, second image)]

Shadow copy deletion, a characteristic of every ransomware family, was also observed in Nemty.

After the encryption process finishes, it creates a text file named NEMTY_[RANDOM-ID]-DECRYPT.txt in each folder and subfolder and displays it on the screen.

Besides the instructions on how to decrypt the encrypted files, the text file created by the malware contains a key under the BEGIN NEMTY KEY header in its last lines. The appearance of this key suggests the RSA encryption algorithm. The instructions also show that, in addition to the normal website, there is a website served over the TOR network.

The websites in the text file are as follows:

  • http://nemty.top/public/pay.php
  • http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php

Files encrypted by Nemty are marked with NEMTY_[RANDOM-ID].

Detailed Analysis

The analysis of Nemty produced several critical findings. The first is that Nemty uses anti-debug techniques to complicate the analyst's work during the dynamic analysis phase.

It uses the IsDebuggerPresent API, one of the most basic anti-debug techniques.

It uses the GetTickCount API, one of the time-based anti-debug techniques.

[Figure: nemty-antidebug.png (anti-debug API calls)]

In addition, when it detects the int 3 instruction that debuggers commonly insert (the assembly equivalent of a breakpoint), it recognises the debugger and terminates itself.

It has also been determined that it uses other techniques besides the anti-debug techniques shown in the images above.

When the APIs used by Nemty are analyzed, several critical APIs stand out:

  • WriteFile
  • GetTickCount
  • WriteConsoleA
  • DebugActiveProcessStop
  • CreateFileA
  • GetCommandLineA
  • IsDebuggerPresent
  • QueryPerformanceCounter
  • DebugBreak
  • WriteConsoleW
  • VirtualAlloc
  • VirtualProtect

Apart from the functions it imports statically, it imports other critical functions at runtime.

Analysis of Nemty also identified the mutex object used by the malware:

“edu v magazi gucccchi v spb, grrrrrraa, ona zhret moi xui kak-budto eto burger…”

Nemty creates a number of files before it infects the system. These files are:

  • C:\Windows\Registration\R000000000006.clb
  • C:\Users\[USERNAME]\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
  • C:\Users\[USERNAME]\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
  • C:\User\Malw Lab\\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  • C:\Users\Malw Lab\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3995735235-1365421534-3291203492-1000\917b685c402c569c7ef15953ac01f631_619fd25d-6773-46b7-a416-8c5c8c16290c
  • C:\Users\Malw Lab\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3995735235-1365421534-3291203492-1000\d860c3add425c732002dea04eb2c98f0_619fd25d-6773-46b7-a416-8c5c8c16290c
  • C:\Users\Malw Lab\AppData\Roaming\Microsoft\Windows\Cookies\75CW9Q4P.txt
    • The content of this file includes the cfuid value of the Cloudflare infrastructure in front of db-ip.com, the service used for the IP and country lookup.

Detailed analysis shows that Nemty decides whether to infect the system based on several factors.

It queries the system's IP address against the api.db-ip.com website via APIs and determines which country the IP address belongs to. Following this lookup, it creates a file named countryName[1].txt in the directory

Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PC6EIDCU

and writes the name of the country the IP address belongs to into it.

The analysis of Nemty also revealed that certain countries are blacklisted. If the country name returned from the website for the IP query is in the following blacklist, Nemty does not infect the system:

  • Russia
  • Belarus
  • Kazakhstan
  • Tajikistan
  • Ukraine
  • Azerbaijan
  • Armenia
  • Kyrgyzstan
  • Moldova

In addition to the language check, Nemty collects information such as:

  • the operating system and its version,
  • the user name of the current user,
  • the system name,
  • the hardware ID of the system.

It then encrypts all of the information it collects using the RSA-1024 encryption algorithm, creates the NEMTY KEY by modifying the encrypted key according to its own algorithm, and sends this NEMTY KEY to the command and control server with certain parameters:

http://nemty10.biz/public/gate.php?data=

The first IP address determined for the command and control server behind the malware's domain was 45.143.138.38. Later, the IP address of the C&C server was changed to 91.215.170.231.

Before encrypting files, Nemty creates the keys it will use for encryption. It then modifies these keys according to the attacker's own algorithm and sends them in the data parameter of a GET request to the gate.php file on the command and control server.

It uses the string "Naruto Uzumake" as the User-Agent in this request.

After all these steps, the destructive phase begins. First, it resizes the shadow storage area to 401 MB; then it raises the limit to unlimited with the "unbounded" parameter.

After this harmful process, it deletes shadow copies using the command below.

/c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete

Nemty, whose harmful operations are not yet over, then forcibly stops many processes. The list of processes that Nemty terminates is as follows:

  • Sql
  • Winword
  • Wordpad
  • Outlook
  • Thunderbird
  • Oracle
  • Excel
  • Onenote
  • Virtualboxvm
  • Node
  • QBW32
  • WBGX
  • Teams
  • Flow

Nemty terminates not only the running processes above but also the specific services listed below:

  • DbxSvc
  • OracleXETNSListener
  • OracleServiceXE
  • AcrSch2Svc
  • AcronisAgent
  • Apache2.4
  • SQLWriter
  • SQLEXPRESS
  • MSSQL
  • MSSQLServerADHelper100
  • MongoDB
  • SQLAgent
  • SQLEXPRESS
  • SQLBrowser
  • CobianBackup11
  • cbVSCService11
  • QBCFMontorService
  • QBVSS

After terminating these processes and services, Nemty passes the following command to the PowerShell command client:

-e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==

When the Base64-encoded command is decoded, it yields the following command:

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

Nemty therefore deletes the shadow copies several times, both from the classic Windows command line and from the PowerShell command client.
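As an added example (not part of the original report), the following Python helper decodes a PowerShell -e payload the way it was decoded above (Base64 over UTF-16LE) and flags the shadow copy and recovery tampering commands documented in this report. The Base64 blob and the bcdedit command line are taken from the report; the pattern names and the helper functions are assumptions of this example.

```python
import base64
import re

# Base64 blob exactly as observed in the Nemty 2.6 sample (quoted in the report above).
NEMTY_ENCODED_COMMAND = (
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAA"
    "RgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# Tampering commands documented in this report, in both their cmd.exe and PowerShell forms.
SHADOW_TAMPER_PATTERNS = {
    "wmi_shadowcopy_delete": re.compile(r"Win32_Shadowcopy.*?\.Delete\s*\(", re.I | re.S),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin\s+delete\s+catalog\b", re.I),
    "bcdedit_recovery_off": re.compile(r"\bbcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# PowerShell accepts -e, -ec, -en, -enc and -encodedcommand for the same switch.
ENCODED_SWITCH = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_powershell_encoded_command(blob: str) -> str:
    """-EncodedCommand payloads are Base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def find_shadow_tampering(text: str) -> list:
    """Names of the tampering patterns matched in a command line or decoded script."""
    return sorted(name for name, rx in SHADOW_TAMPER_PATTERNS.items() if rx.search(text))


def analyze_command_line(command_line: str) -> dict:
    """Decode an embedded -e payload if present, then scan both the raw and decoded text."""
    match = ENCODED_SWITCH.search(command_line)
    decoded = decode_powershell_encoded_command(match.group(1)) if match else ""
    return {"decoded": decoded, "indicators": find_shadow_tampering(command_line + "\n" + decoded)}


if __name__ == "__main__":
    # Constructed process command lines modelled on the two deletion paths described above.
    for line in (
        "powershell.exe -e " + NEMTY_ENCODED_COMMAND,
        "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} "
        "recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete",
    ):
        print(analyze_command_line(line))
```

The same scan can be run over process creation logs (for example Sysmon Event ID 1 command lines), where the decoded text is usually what a rule should match on.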

Registry Findings

Nemty makes many changes in the Windows Registry. The most critical change detected is the creation of a registry key named NEMTY under HKCU\Software. This key holds three values named cfg, fid and pbkey.

At runtime it frequently checks whether these values are present.

Whitelist

Nemty uses a whitelist during file encryption. The extensions in the list below make up its whitelist, and files with these extensions are not encrypted.

  • .exe
  • .log
  • .cab
  • .cmd
  • .com
  • .cpl
  • .ini
  • .dll
  • .url
  • .ttf
  • .mp3
  • .pif
  • .mp4
  • .NEFILIM
  • .msi
  • .lnk

Besides the extensions in the whitelist, specific file and folder names are also whitelisted:

  • Windows
  • $RECYCLE.BIN
  • rsa
  • NTDETECT.COM
  • ntldr
  • MSDOS.SYS
  • IO.SYS
  • boot.ini
  • AUTOEXEC.bat
  • ntuser.dat
  • Desktop.ini
  • CONFIG.SYS
  • RECYCLER
  • BOOTSECT.BAK
  • bootmgr
  • Programdata
  • Appdata
  • Program Files
  • Program Files (X86)
  • Microsoft
  • Sophos
  • Pagefile.sys

Unusual strings were found during runtime analysis of Nemty.

In these strings the attacker frequently leaves messages addressed to analysts. Judging by their language, the messages are Russian.

Solution Proposals

There are several ways to protect against Nemty:

  • using up-to-date, reliable antivirus software on systems,
  • paying careful attention to incoming mail and not opening attachments without analyzing them,
  • ignoring spam mail,
  • creating the mutex object on the system in advance, which can prevent Nemty from infecting the system.
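The last item, creating the mutex in advance, can be done with a few lines of Python on Windows (added example, not from the report). It assumes the sample checks for exactly the mutex name quoted earlier in this report; the function name and its return value are assumptions of this example.

```python
import ctypes
import sys
from typing import Optional

# Mutex name from the report's runtime analysis of the Nemty 2.6 sample. The name must match the
# sample byte for byte (including the trailing ellipsis), so it is copied verbatim.
NEMTY_MUTEX = "edu v magazi gucccchi v spb, grrrrrraa, ona zhret moi xui kak-budto eto burger…"

ERROR_ALREADY_EXISTS = 183  # Win32 error code set when a named kernel object already exists


def create_vaccine_mutex(name: str = NEMTY_MUTEX) -> Optional[tuple]:
    """Create and hold the named mutex so the sample's own creation attempt finds it taken.

    Returns (handle, already_existed) on Windows and None elsewhere. The caller must keep the
    handle alive: the mutex disappears once the last handle to it is closed.
    """
    if sys.platform != "win32":
        return None  # CreateMutexW is a Windows kernel32 API; nothing to do on other platforms
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.CreateMutexW.restype = ctypes.c_void_p
    kernel32.CreateMutexW.argtypes = (ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p)
    handle = kernel32.CreateMutexW(None, False, name)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    # CreateMutexW succeeds on an existing mutex but reports ERROR_ALREADY_EXISTS.
    return handle, ctypes.get_last_error() == ERROR_ALREADY_EXISTS


if __name__ == "__main__":
    result = create_vaccine_mutex()
    if result is None:
        print("not running on Windows; no mutex created")
    else:
        _, existed = result
        print("mutex already present" if existed else "vaccine mutex created; keep this process running")
        input("press Enter to exit and release the mutex\n")
```

A real deployment would run this as a service that keeps the handle open for the lifetime of the machine, since the protection ends as soon as the process exits.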
YARA

The rule below is the report's rule with its syntax corrected: backslashes in the path strings are escaped (a bare \d is an invalid YARA escape), the condition is parenthesized to make the intended precedence explicit, and the mutex string is written without its trailing ellipsis so that it stays plain ASCII (a substring match is still sufficient).

import "hash"

rule nemty : ransomware
{
    meta:
        description  = "Nemty Ransomware"
        analyzer     = "Fatih ŞENSOY"
        version      = "2.6"
        release_date = "09.03.2020"

    strings:
        $site       = "nemty10.biz"
        $ip         = "91.215.170.231"
        $ip2        = "45.143.138.38"
        // CRT source paths are present in many MSVC-built binaries; they only add value together with the other strings
        $str1       = "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\_file.c"
        $str2       = "f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\onexit.c"
        // Mutex name observed in this sample, trailing ellipsis omitted
        $mutex      = "edu v magazi gucccchi v spb, grrrrrraa, ona zhret moi xui kak-budto eto burger"
        $user_agent = "Naruto Uzumake"

    condition:
        hash.md5(0, filesize) == "2b6c6d8424c1b149c7f81e2565aaa7e6" or
        ($mutex and $user_agent) or
        all of them
}