$2000 Ransomware - let's take a look
Support us on GH: https://guidedhacking.com/register/
Support us on Patreon: / guidedhacking
Support us on YT: / @guidedhacking
Join Fred HK from Guided Hacking as we dive deep into the analysis of Mallox ransomware. In this comprehensive walkthrough we cover everything from the language ID check, gaining privileges and disabling protection, through the encryption functions, to C2 communications and the restoration of system settings. This video is perfect for anyone interested in learning about the inner workings of ransomware and malware analysis.
Mallox Ransomware Analysis Article
https://guidedhacking.com/threads/mal...
This 32-bit Mallox ransomware, written in C++, is not obfuscated and its strings are readable in the clear, which makes analysis simpler.
Analyzing the malware in IDA Pro, the main function calls GetUserDefaultLangID to determine the victim's language ID and compares it against the IDs of CIS countries, aborting the infection there: Russian law is more lenient towards threat actors who do not distribute malware in the CIS.
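When reversing a locale check like this one, the analyst copies the immediates from the comparison chain and decodes them. The following helper is an added example, not code from the video or from the sample: it unpacks a 16-bit LANGID the way MAKELANGID packs it (low 10 bits primary language, high 6 bits sublanguage), names a few CIS-associated primary languages from winnt.h, and models the difference between an exact compare against the full LANGID and a compare after masking with 0x3FF. The immediates in the demo are illustrative and are not the exact list the sample checks.

```python
"""Decode LANGID immediates seen in a locale check (added example, not the sample's code).

GetUserDefaultLangID returns a 16-bit LANGID packed as MAKELANGID(primary, sublang):
low 10 bits primary language, high 6 bits sublanguage.  The name table lists a few
CIS-associated primary language IDs from winnt.h; the immediates used in the demo
are illustrative, not the exact list the analysed sample compares against.
"""

# LANG_* primary language IDs from winnt.h (subset).
PRIMARY_LANG_NAMES = {
    0x19: "Russian",
    0x22: "Ukrainian",
    0x23: "Belarusian",
    0x28: "Tajik",
    0x2B: "Armenian",
    0x2C: "Azeri",
    0x3F: "Kazakh",
    0x40: "Kyrgyz",
    0x42: "Turkmen",
    0x43: "Uzbek",
}


def split_langid(langid: int) -> tuple[int, int]:
    """Unpack a LANGID into (primary language, sublanguage); inverse of MAKELANGID."""
    return langid & 0x3FF, (langid >> 10) & 0x3F


def describe_langid(langid: int) -> str:
    """Human-readable annotation for one immediate copied out of the disassembly."""
    primary, sub = split_langid(langid)
    name = PRIMARY_LANG_NAMES.get(primary, f"primary 0x{primary:02X}")
    return f"0x{langid:04X} -> {name}, sublanguage {sub}"


def would_abort(victim_langid: int, immediates, primary_only: bool = False) -> bool:
    """Model the check: does the victim's LANGID hit any of the compared immediates?

    primary_only=False models a chain of exact cmp instructions against full LANGIDs
    (only the listed sublanguages match).  primary_only=True models code that masks
    the value with 0x3FF first, so every sublanguage of a listed language matches.
    Which variant the binary implements is something to confirm in the disassembly.
    """
    if primary_only:
        wanted = {split_langid(i)[0] for i in immediates}
        return split_langid(victim_langid)[0] in wanted
    return victim_langid in set(immediates)


if __name__ == "__main__":
    seen = [0x419, 0x422, 0x423, 0x43F]  # illustrative immediates, not the sample's list
    for imm in seen:
        print(describe_langid(imm))
    # 0x0819 is a second Russian sublanguage: an exact compare misses it, a masked one hits.
    print(would_abort(0x819, seen), would_abort(0x819, seen, primary_only=True))
```

The two modes of would_abort are the point: a binary that compares the raw return value against 0x0419 excludes only one Russian locale, while one that masks to the primary language excludes all of them, and the analyst should read which instruction sequence is actually present before writing up the check.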
Continuing the analysis in IDA Pro, Mallox sets the active power scheme of the victim's machine so that it runs optimally, obtains the privileges it needs to execute, shuts down database services, and disables Raccine, a tool that tries to prevent ransomware.
Once that protection is removed, the analysis continues. The ransomware encrypts the HDD: it creates a public key, inserts it into a "HOW TO RECOVER" document, encrypts the files and notifies the C2 that a target has been locked. Finally, it restores the settings it changed and exits.
00:00 - Introduction
00:16 - Language ID and CIS Country Check
01:07 - Gaining Privileges and Disabling Protection
02:00 - Disabling Services and Databases
03:22 - Editing Registry Keys and Shutdown Prevention
04:38 - Main Encryption Function
06:09 - How to Recover File and Key Replacement
07:15 - C2 Communications and Infection Information
08:20 - Target Info File and Decryption Process
09:07 - Restoring System Functions and Conclusion
Follow us on Facebook : http://bit.ly/2vvHfhk
Follow us on Twitter : http://bit.ly/3bC7J1i
Follow us on Twitch : http://bit.ly/39ywOZ2
Follow us on Reddit : http://bit.ly/3bvOB57
Follow us on GitHub : http://bit.ly/2HoNXIS
Follow us on Instagram : http://bit.ly/2SoDOlu