MalwareAnalysisSeries

This repository contains analysis reports, technical details and any tools created to help with malware analysis. Additionally, the repo contains extracted TTPs with code, along with detection rules for them.


Project maintained by shaddy43 Hosted on GitHub Pages — Theme by mattgraham

MedusaLocker: Encrypter

MedusaLocker Image

This is the encryptor TTP extracted from the MedusaLocker ransomware. It uses a combination of AES and RSA keys to encrypt files. The ransomware first initialises the encryptor by loading the encryption libraries and acquiring a cryptographic context. It then generates a random AES session key and encrypts it with the attacker's embedded RSA public key. It writes the encrypted AES key into the ransom note as the victim's UNIQUE ID, and then launches the encryptor across the whole system.

Detection Indicators

The detection indicators I found in the MedusaLocker Encrypter are:

Log Sources

I have configured multiple log sources in my detection lab and use Azure Sentinel (now Microsoft Sentinel) as my SIEM solution. The following logs are ingested into the SIEM:

Detection Engineering with Defender XDR

In the encrypter TTP I correlate two different types of events from Microsoft Defender XDR logs. The first are file create events, in which I look for the ransom note. The second are SensitiveFileRead events, which are logged whenever a program opens or obtains a handle to files with specific extensions (e.g. .docx, .pdf, .xlsx, .pptx). In the following query I correlate ransom note creation events with the sensitive file read events on the process responsible for both, on any device. Note that the join key is the process image name (InitiatingProcessFileName) rather than a process ID, so any process with the same name on the same device is paired with the note; adding InitiatingProcessId to the join keys, or bounding the time between the two events, tightens the rule.

// Ransom note drops: file events whose name contains the MedusaLocker note name.
// KQL `contains` is case-insensitive, so HOW_TO_BACK_FILES.html matches as well.
let ransomnote_create_events = DeviceFileEvents
    | where FileName contains 'how_to_back_files.html'
    | project TimeGenerated, DeviceName, RansomNote = FileName, RansomNotePath = FolderPath, InitiatingProcessFileName, InitiatingProcessParentFileName;
// Document reads: SensitiveFileRead is raised when a process opens or gets a handle
// to files with document-type extensions (.docx, .pdf, .xlsx, ...).
let sensitive_file_read_events = DeviceEvents
    | where ActionType in ('SensitiveFileRead')
    | project TimeGenerated, DeviceName, SensitiveFileRead = FileName, SensitiveFileReadFolder = FolderPath, InitiatingProcessFileName;
// Join on device and initiating process image name: the same process both wrote the
// note and read the documents. innerunique keeps one note row per join key, and the
// TimeGenerated in the output is the note creation time (the read time becomes TimeGenerated1).
ransomnote_create_events
    | join kind=innerunique (sensitive_file_read_events) on DeviceName, InitiatingProcessFileName
    | project TimeGenerated, DeviceName, RansomNote, RansomNotePath, SensitiveFileRead, SensitiveFileReadFolder, InitiatingProcessFileName, InitiatingProcessParentFileName;
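To show what the join above actually pairs up, and where it is loose, here is the same correlation re-implemented in Python over a handful of constructed event rows. This is an added example, not code from the MalwareAnalysisSeries repository or from the MedusaLocker sample: it reproduces the KQL join (device name plus initiating process image name) and adds two optional tightenings that the KQL does not have, a time window and a match on InitiatingProcessId. The column names follow the Defender XDR DeviceFileEvents / DeviceEvents schema; the device names, process names (svhost.exe is a made-up image name), paths and timestamps are invented for the example.

```python
"""Ransom-note / sensitive-file-read correlation, re-implemented in Python.

Added example, not code from the MalwareAnalysisSeries repo. It reproduces the
KQL join over constructed sample rows so the logic can be run offline, and adds
two optional tightenings: a time window and a match on InitiatingProcessId.
Column names follow the Defender XDR schema; all row values are made up.
"""
from datetime import datetime

RANSOM_NOTE = "how_to_back_files.html"   # matched case-insensitively, like KQL `contains`
SENSITIVE_READ = "SensitiveFileRead"


def _row(ts, device, action, fname, folder, proc, pid, parent=None):
    """Build one event row using the Defender XDR column names referenced below."""
    return {"TimeGenerated": datetime.fromisoformat(ts), "DeviceName": device,
            "ActionType": action, "FileName": fname, "FolderPath": folder,
            "InitiatingProcessFileName": proc, "InitiatingProcessId": pid,
            "InitiatingProcessParentFileName": parent}


# Constructed DeviceFileEvents rows (file creation telemetry).
DEVICE_FILE_EVENTS = [
    # svhost.exe (made-up name) drops the ransom note in a user folder
    _row("2024-01-10T09:00:05", "ws01", "FileCreated", "HOW_TO_BACK_FILES.html",
         r"C:\Users\alice\Documents", "svhost.exe", 4120, "cmd.exe"),
    # ordinary activity: Word saves a document
    _row("2024-01-10T08:30:00", "ws01", "FileCreated", "memo.docx",
         r"C:\Users\alice\Documents", "WINWORD.EXE", 2210, "explorer.exe"),
]

# Constructed DeviceEvents rows (SensitiveFileRead telemetry).
DEVICE_EVENTS = [
    # same process and device, seconds before the note appears
    _row("2024-01-10T09:00:01", "ws01", SENSITIVE_READ, "report.docx",
         r"C:\Users\alice\Documents", "svhost.exe", 4120),
    _row("2024-01-10T09:00:03", "ws01", SENSITIVE_READ, "budget.xlsx",
         r"C:\Users\alice\Documents", "svhost.exe", 4120),
    # benign: Word opening a document, no ransom note from this process
    _row("2024-01-10T08:30:02", "ws01", SENSITIVE_READ, "memo.docx",
         r"C:\Users\alice\Documents", "WINWORD.EXE", 2210),
    # same image name on another device where no note was written
    _row("2024-01-10T08:00:00", "ws02", SENSITIVE_READ, "data.pdf",
         r"C:\Users\bob\Desktop", "svhost.exe", 700),
    # same image name on ws01, but a different PID hours earlier
    _row("2024-01-10T02:00:00", "ws01", SENSITIVE_READ, "old.pdf",
         r"C:\Users\alice\Downloads", "svhost.exe", 9999),
]


def ransomnote_create_events(file_events):
    """Equivalent of: DeviceFileEvents | where FileName contains 'how_to_back_files.html'."""
    return [e for e in file_events if RANSOM_NOTE in e["FileName"].lower()]


def sensitive_file_read_events(device_events):
    """Equivalent of: DeviceEvents | where ActionType in ('SensitiveFileRead')."""
    return [e for e in device_events if e["ActionType"] == SENSITIVE_READ]


def correlate(file_events, device_events, window_seconds=None, by_pid=False):
    """Inner join of note creations and sensitive reads on DeviceName and
    InitiatingProcessFileName, as in the KQL query.

    window_seconds: if set, only reads within that many seconds of the note count.
    by_pid: if True, also require the same InitiatingProcessId. The KQL query does
            not do this, so any process with the same image name matches.
    """
    hits = []
    for note in ransomnote_create_events(file_events):
        for read in sensitive_file_read_events(device_events):
            if note["DeviceName"] != read["DeviceName"]:
                continue
            if note["InitiatingProcessFileName"].lower() != read["InitiatingProcessFileName"].lower():
                continue
            if by_pid and note["InitiatingProcessId"] != read["InitiatingProcessId"]:
                continue
            if window_seconds is not None:
                delta = abs((note["TimeGenerated"] - read["TimeGenerated"]).total_seconds())
                if delta > window_seconds:
                    continue
            hits.append({
                "TimeGenerated": note["TimeGenerated"], "DeviceName": note["DeviceName"],
                "RansomNote": note["FileName"], "RansomNotePath": note["FolderPath"],
                "SensitiveFileRead": read["FileName"], "SensitiveFileReadFolder": read["FolderPath"],
                "InitiatingProcessFileName": note["InitiatingProcessFileName"],
                "InitiatingProcessParentFileName": note["InitiatingProcessParentFileName"],
            })
    return hits


def alerts(hits):
    """Collapse joined rows to one alert per (device, process): count of sensitive files touched."""
    out = {}
    for h in hits:
        key = (h["DeviceName"], h["InitiatingProcessFileName"])
        out[key] = out.get(key, 0) + 1
    return out


if __name__ == "__main__":
    for label, kwargs in (("name join only", {}),
                          ("5-minute window", {"window_seconds": 300}),
                          ("same PID", {"by_pid": True})):
        rows = correlate(DEVICE_FILE_EVENTS, DEVICE_EVENTS, **kwargs)
        print(f"{label}: {len(rows)} joined rows -> {alerts(rows)}")
```

With the plain name join the old.pdf read from a different svhost.exe PID seven hours earlier is pulled into the alert, exactly as the KQL would pair it; either the time window or the PID match drops it and leaves the two reads that sit seconds before the note drop. The WINWORD.EXE rows never match because that process wrote no note, and the ws02 row is excluded by the device key.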

detection rule1