Technical Analysis of REvil ransomware

Static Analysis

Binary Diffing with BinDiff
Function Similarity Score
Function Block and Flow Comparison
Figuring out Partially Unmatched Functions
Unmatched Function Reverse Engineering
List of Primary Unmatched Functions
Binary Diffing Overview
Unmatched Function Analysis — 1
Unmatched Function Analysis — 2
Anti-Debugging with rdtsc — 1
Anti-Debugging with rdtsc — 2
Import Table
Reverse engineered function in RC4 — KSA
Reverse engineered function in RC4 — PRGA
RC4 Algorithm
RC4 in C Vs Assembly Instruction — KSA
RC4 in C Vs Assembly Instruction — PRGA
Elliptic Curve 25519 Function — 1
Elliptic Curve 25519 Function — 2

Dynamic Analysis

The REvil ransomware sample is imported into ANY.RUN
The sample is executed manually
The document and media files are encrypted, and the background is changed
The Ransom Notes
Process Graph
netframe.exe is flagged as a dangerous process
Mitre ATT&CK Matrix of the sample
Non-REvil family ransomware exhibits more malicious activities

Conclusion
