Technical Malware Test

This template simulates certain aspects of malware behavior similar to FinFisher, but without making any modifications to the system (e.g., no hooks, MBR changes, etc.). All activities will be executed with standard user rights.

Setup

• The tool creates a subfolder in the TEMP directory, named something like TMP6BCF227D (details will be provided in the report).

• A file named malware.jpeg is placed in this subfolder.

Execution

• The image is decrypted and launched from its current location.

• The contained file is a standard LUCY dropper that establishes a reverse HTTP/HTTPS connection using the browser to make base64 POST requests.

• The new process will be named malware.jpeg.

Logging

• The dropper generates a log file named log.txt, which is stored in the TMP* folder.

Information Harvesting

• A hidden folder is created in the TEMP directory, named something like ADVDROP81227C11 (details will be recorded in log.txt).

• The dropper begins to gather information and, for each session, creates a subfolder within the hidden folder, named similarly to 82C89047. The resulting structure will look like ADVDROP81227C11\82C89047 in the TEMP directory.

• Harvested files are placed in this subfolder and are later encrypted.

Data Transmission

• After encryption, the LUCY URL is called, and the dropper sends the files back to LUCY via POST (using HTTP or HTTPS, depending on your campaign settings).

Variables

Several LUCY variables can be defined for this template:

• Working Hours: Currently set from 10:00 to 00:00. If the template is launched at 9:00, the dropper will wait until 10:00 to begin execution.

• Session Count: Currently set to 3, meaning the dropper will create 3 subfolders within ADVDROP81227C11, each containing its dataset.

• Session Intervals: Currently set to 5 minutes, allowing the dropper to operate for approximately 15 minutes in total (number of sessions X minutes per session).

• Maximum File Size: This defines the maximum size of files the tool will send or encode within the POST requests (in kB).

Overview

Ransomware is a type of malware that restricts users from accessing their systems or files. Victims are typically coerced into paying a ransom through various online payment methods to regain access to their systems or recover their data. Some ransomware, such as Cryptolocker, encrypts files, while others, like CTB Locker, utilize TOR to conceal command and control (C&C) communications.

Simulation Tool

Our template simulates a form of ransomware that locks files such as documents, spreadsheets, and other important data. It then creates an encrypted copy on either a shared drive with write access or locally. The primary goal of this template is to determine if the information-gathering activities or the significant number of read/write operations on a drive from a single PC trigger any alerts in your monitoring system.

Settings

Within the tool, you can specify several settings:

• File Location: Where the tool will install itself. 0 = Current directory, 1 = Desktop, 2 = Temp folder, 3 = User folder

• Start/Stop Hours: When the tool will execute and when it will automatically unlock.

• Operation Mode: Choose whether to work with dummy data or real data discovered on the network. Mode 0 = Data Discovery, Mode 1 = Dummy Data.

• File Extensions: Specify which file types to search (default: doc, ppt, xls, pdf, txt).

• Maximum File Size: Set the maximum size of files to process (default: 512 KB).

• Number of Files: Specify the maximum number of files to copy (default: 100).

• Crawl Time (minutes): The maximum amount of time the tool will spend searching for files.

• Data Retention: Decide whether to leave a copy of the data on the PC/share or delete it after execution.

• Number of fake file operations: If using dummy data, this setting controls the maximum number of files the tool will create.