Language: C++
License: The Unlicense

A Simple Ransomware Vaccine

Inactively Maintained

Raccine

A Simple Ransomware Protection

Why

We see ransomware delete all shadow copies using vssadmin pretty often. What if we could just intercept that request and kill the invoking process? Let's try to create a simple vaccine.

Ransomware Process Tree

How it works

We register a debugger for vssadmin.exe (and wmic.exe), which is our compiled raccine.exe. Raccine is a binary that first collects the PIDs of all parent processes and then tries to kill those parent processes.

Advantages:

  • The method is rather generic
  • We don't have to replace a system file (vssadmin.exe or wmic.exe), which could lead to integrity problems and could break our raccination on each patch day
  • Flexible YARA rule scanning of command line params for malicious activity
  • The changes are easy to undo
  • Runs on Windows 7 / Windows 2008 R2 or higher
  • No running executable or additional service required (agent-less)

Disadvantages / Blind Spots:

  • The legitimate use of vssadmin.exe delete shadows (or any other blacklisted combination) isn't possible anymore
  • It even kills the processes that tried to invoke vssadmin.exe delete shadows, which could be a backup process
  • This won't catch methods in which the malicious process isn't one of the processes in the tree that has invoked vssadmin.exe (e.g. via schtasks)

The Process

  1. Invocation of vssadmin.exe (and wmic.exe) gets intercepted and passed to raccine.exe as debugger (vssadmin.exe delete shadows becomes raccine.exe vssadmin.exe delete shadows)
  2. We then process the command line arguments and look for malicious combinations using YARA rules.
  3. If no malicious combination is found, we create a new process with the original command line parameters.
  4. If a malicious combination is found, we collect the PIDs of all parent processes and then start killing them (these should be the malware processes, as shown in the screenshots above). Raccine shows a command line window with the killed PIDs for 5 seconds, logs it to the Windows Eventlog and then exits itself.

Malicious combinations:

  • delete and shadows (vssadmin, diskshadow)
  • resize and shadowstorage (vssadmin)
  • delete and shadowstorage (vssadmin)
  • delete and shadowcopy (wmic)
  • delete and catalog and -quiet (wbadmin)
  • win32_shadowcopy or element from a list of encoded commands (powershell)
  • recoveryenabled (bcdedit)
  • ignoreallfailures (bcdedit)

This list is outdated; check the corresponding YARA rule for the current set.

Powershell list of encoded commands: JAB, SQBFAF, SQBuAH, SUVYI, cwBhA, aWV4I, aQBlAHgA and many more
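To make steps 1-4 of "The Process" and the combination list above concrete, here is an added Python example (not Raccine's own code, which is C++ against the Windows API) that classifies an intercepted command line, walks a constructed process table to collect the parent PIDs, and honours a simulation flag like the one described under Simulation Mode. The sample process tree, the images at which the walk stops and the helper names are assumptions for this example; the keyword combinations and the encoded-command prefixes are the ones listed in this README.

```python
# Added example, not Raccine's own code: the intercept-and-decide flow from
# "The Process" and "Malicious combinations", modelled in portable Python over a
# constructed process table. Real Raccine walks the live parent chain with the
# Windows API and terminates processes; here the walk runs over plain data and
# the result only reports which PIDs would be killed. The stop-at images and the
# sample tree are assumptions for this example.
from dataclasses import dataclass

# Keyword combinations per intercepted image, after the README's list
# (the README itself calls that list outdated in favour of the YARA rules).
MALICIOUS_COMBINATIONS = {
    "vssadmin.exe": [("delete", "shadows"), ("resize", "shadowstorage"),
                     ("delete", "shadowstorage")],
    "diskshadow.exe": [("delete", "shadows")],
    "wmic.exe": [("delete", "shadowcopy")],
    "wbadmin.exe": [("delete", "catalog", "-quiet")],
    "bcdedit.exe": [("recoveryenabled",), ("ignoreallfailures",)],
    "powershell.exe": [("win32_shadowcopy",)],
}
# Prefixes of Base64-encoded PowerShell commands from the README ("and many more").
ENCODED_COMMAND_PREFIXES = ("JAB", "SQBFAF", "SQBuAH", "SUVYI", "cwBhA", "aWV4I", "aQBlAHgA")


def is_malicious(image, command_line):
    """Step 2: does the command line contain a blocked combination?"""
    lowered = command_line.lower()
    for combo in MALICIOUS_COMBINATIONS.get(image.lower(), []):
        if all(word in lowered for word in combo):
            return True
    if image.lower() == "powershell.exe":
        # Base64 is case-sensitive, so the prefixes are checked on the raw tokens.
        return any(tok.startswith(ENCODED_COMMAND_PREFIXES) for tok in command_line.split())
    return False


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


# Images at which the walk up the tree stops (assumption for this example; the
# README only notes that explorer.exe was removed from Raccine's whitelist).
STOP_AT_IMAGES = {"system", "wininit.exe", "services.exe", "winlogon.exe"}


def collect_parent_pids(table, start_pid):
    """Step 4a: ancestor PIDs of start_pid, nearest first. Stops at a protected
    image, an unknown PID, or a cycle (Windows reuses PIDs, so a stale PPID can
    point at an unrelated newer process)."""
    by_pid = {p.pid: p for p in table}
    chain, seen = [], set()
    pid = by_pid[start_pid].ppid if start_pid in by_pid else None
    while pid in by_pid and pid not in seen:
        proc = by_pid[pid]
        if proc.image.lower() in STOP_AT_IMAGES:
            break
        seen.add(pid)
        chain.append(pid)
        pid = proc.ppid
    return chain


def handle_interception(table, raccine_pid, image, command_line, simulate=False):
    """Steps 2-4: pass a benign request through unchanged, otherwise report the
    ancestor PIDs to kill. simulate=True mirrors the README's simulation mode:
    everything is evaluated and logged, nothing is killed."""
    if not is_malicious(image, command_line):
        # Raccine re-creates the original process with the original parameters.
        return {"action": "pass", "argv": command_line.split(), "kill": [], "would_kill": []}
    targets = collect_parent_pids(table, raccine_pid)
    return {"action": "simulate" if simulate else "block",
            "argv": [], "kill": [] if simulate else targets, "would_kill": targets}


# Constructed process tree shaped like the Emotet screenshots: an Office
# document spawns cmd, which spawns PowerShell, which runs vssadmin (now raccine).
SAMPLE_TABLE = [
    Proc(4, 0, "System"),
    Proc(600, 4, "wininit.exe"),
    Proc(700, 600, "services.exe"),
    Proc(1200, 700, "explorer.exe"),
    Proc(2100, 1200, "WINWORD.EXE"),
    Proc(2300, 2100, "cmd.exe"),
    Proc(2400, 2300, "powershell.exe"),
    Proc(2500, 2400, "raccine.exe"),
]

if __name__ == "__main__":
    for simulate in (True, False):
        print(handle_interception(SAMPLE_TABLE, 2500, "vssadmin.exe",
                                  "vssadmin.exe delete shadows /all /quiet", simulate))
```

The substring matching is what makes the second blind spot above bite: a backup agent whose command line happens to contain "delete" and "shadows" lands in the kill path together with every ancestor up to the stop-at image, which is why running in simulation mode first matters.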

Example

Emotet without Raccine - Link

Emotet with Raccine - Link (ignore the process activity that is related to the Raccine installation)

The infection gets nipped in the bud.

Warning !!!

USE IT AT YOUR OWN RISK!

You won't be able to run commands that use the blacklisted parameter combinations on a raccinated machine anymore until you apply the uninstall patch raccine-reg-patch-uninstall.reg. This could break various backup solutions that run one of these commands during their work: Raccine does not only block the request but kills all processes in that tree, including the backup solution and its invoking process.

If you have solid security monitoring that logs all process executions, check your logs to see whether vssadmin.exe delete shadows, vssadmin.exe resize shadowstorage ... or the other blocked command lines are used, frequently or sporadically, for legitimate purposes; in that case you should refrain from using Raccine.

Version History

  • 0.1.0 - Initial version that intercepted & blocked all vssadmin.exe executions
  • 0.2.0 - Version that blocks only vssadmin.exe executions that contain delete and shadows in their command line and otherwise pass all parameters to a new process that invokes vssadmin with its original parameters
  • 0.2.1 - Removed explorer.exe from the whitelist
  • 0.3.0 - Supports the wmic method calling delete shadowcopy, no outputs for whitelisted process starts (avoids problems with wmic output processing)
  • 0.4.0 - Supports logging to the Windows Eventlog for each blocked attempt, looks for more malicious parameter combinations
  • 0.4.1 - Statically linked binaries
  • 0.4.2 - Bugfixes provided by John Lambert
  • 0.5.0 - Removed Eventlog logging (basic info was unnecessary; caused higher complexity; can be achieved by process creation logging as well), support for wbadmin filtering
  • 0.5.1 - Improvements by @JohnLaTwC
  • 0.5.2 - Additional check for delete shadowstorage by @JohnLaTwC, code review by @_hillu, application icon
  • 0.5.3 - Batch installer
  • 0.6.0 - Additional checks for bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures and bcdedit.exe /set {default} recoveryenabled no
  • 0.7.0 - Additional checks for powershell.exe and win32_shadowcopy or a list of encoded commands
  • 0.7.1 - Improvements by @JohnLaTwC
  • 0.7.2 - Using absolute paths in registry patches
  • 0.8.0 - Creates a log file with all intercepted requests and actions performed C:\ProgramData\Raccine_log.txt
  • 0.9.0 - Logs to Windows Eventlog by @JohnLaTwC
  • 0.10.0 - Simulation mode only
  • 0.10.1 - Fix for Simulation mode
  • 0.10.2 - Includes diskshadow.exe delete shadows command
  • 0.10.3-5 - Minor fixes and additions
  • 1.0 BETA - GUI elements and YARA rule scanning of command line params
  • 1.1 BETA - YARA rule matching with external variables, troubleshooting functions
  • 1.2 BETA - Signature Updater
  • 1.3 BETA - In-Memory YARA Scanning of invoking parent process
  • 1.4 BETA - Full x86 support, moved static strings to YARA rules to avoid AV detections, Log of accepted executions, .NET Framework setup in installer
  • 1.4.2 BETA - Exit code fix (pass through of exit code returned by the intercepted program), intercept taskkill.exe

Installation

Requirements

Both the Visual C++ Redistributable package and the .NET Framework are installed automatically when you run install-raccine.bat.

Automatic Installation

  1. Download Raccine.zip from the Release section
  2. Extract it
  3. Run raccine-installer.bat as administrator

Windows Batch Installer

The batch installer includes an "uninstall" option.

Manual Uninstall

As Administrator do:

  1. Run raccine-reg-patch-uninstall.reg
  2. Remove the %ProgramFiles%\Raccine and %ProgramData%\Raccine folders
  3. Run reg delete HKCU\Software\Raccine /F
  4. Run taskkill /F /IM RaccineSettings.exe
  5. Run reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  6. Run schtasks /DELETE /TN "Raccine Rules Updater" /F

Updates

Program Upgrade

We recommend an uninstall and reinstall to upgrade. An uninstall removes all registry keys with configurations.

Signature Update

Raccine has an integrated signature-updater since version 1.2. This program named RaccineRulesSync.exe is configured to run once a day via scheduled task. You can run a signature update manually using the option in the tray icon menu.

YARA Matching

Since version 1.0, Raccine additionally uses YARA rules to determine if a process command line or parent process is malicious or not. Raccine uses 2 sets of rules for two different purposes.

  1. ./yara - rules that get applied to the command line with all parameters, e.g. WMIC.exe delete justatest
  2. ./yara/in-memory - rules that get applied to process memory of the parent process of our intercepted process, e.g. ransomware.exe running our intercepted process vssadmin.exe

YARA External Variables

Since version 1.1 we pass a list of external variables into the YARA matching process to allow for much more complex and clever YARA rules that take attributes of the process and its parent into account.

Variable               Description                                  Example Value
FromRaccine                                                         true
Name                   Image file name                              WMIC.exe
ExecutablePath         Full path to binary                          C:\Windows\System32\wbem\WMIC.exe
CommandLine            Full command line with parameters            WMIC.exe delete justatest
Priority               Process priority                             32
ParentName             Parent image file name                       cmd.exe
ParentExecutablePath   Full path to parent executable               C:\Windows\System32\cmd.exe
ParentCommandLine      Full parent command line with parameters     C:\WINDOWS\system32\cmd.exe
ParentPriority         Parent process priority                      32

The matching process looks like this on the command line:

"C:\Program Files\Raccine\yara64.exe" -d FromRaccine="true" -d Name="WMIC.exe" -d ExecutablePath="C:\Windows\System32\wbem\WMIC.exe" -d CommandLine="WMIC.exe delete justatest" -d  Priority=32 -d FromRaccine="true" -d ParentName="cmd.exe" -d ParentExecutablePath="C:\Windows\System32\cmd.exe" -d ParentCommandLine="'C:\WINDOWS\system32\cmd.exe' " -d ParentPriority=32 C:\ProgramData\Raccine\yarayara\mal_emotet.yar C:\ProgramData\Raccine\yara\Rac1C6A.tmp
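The command line above is easier to get right when it is built as an argument list rather than a shell string; the single quotes inside ParentCommandLine are there only to survive the shell. The following added Python example (not Raccine's own code) builds that yara64.exe invocation from a process record using the external-variable names of the table above, and runs it against a temp file. The yara64.exe path and the Rac*.tmp target come from the README; that the temp file holds the intercepted command line is an assumption, as is the sample record.

```python
# Added example, not Raccine's own code: build the yara64.exe invocation that
# hands process attributes to YARA as external variables, as in the README's
# command line, but as an argv list for subprocess so that no shell quoting is
# involved. The yara64.exe path and the Rac*.tmp scan target come from the
# README; that the temp file holds the command line is an assumption, as is
# the sample process record.
import subprocess
import tempfile
from pathlib import Path

YARA_EXE = r"C:\Program Files\Raccine\yara64.exe"

# Names and order follow the README's external variable table.
EXTERNAL_VARIABLES = ("Name", "ExecutablePath", "CommandLine", "Priority",
                      "ParentName", "ParentExecutablePath", "ParentCommandLine",
                      "ParentPriority")


def external_definitions(proc_info):
    """Turn a process record into yara's ``-d name=value`` arguments.

    yara's command line infers the type from the value: true/false become a
    boolean, a bare integer an integer (so ``ParentPriority >= 8`` works) and
    anything else a string. A rule that references an undefined external
    variable fails to compile, so missing attributes are sent as empty strings
    rather than left out."""
    args = ["-d", "FromRaccine=true"]
    for name in EXTERNAL_VARIABLES:
        args += ["-d", f"{name}={proc_info.get(name, '')}"]
    return args


def build_yara_argv(proc_info, rule_file, scan_target):
    """Full argv: yara64.exe [-d ...] RULES_FILE TARGET."""
    return [YARA_EXE, *external_definitions(proc_info), str(rule_file), str(scan_target)]


def match_command_line(proc_info, rule_file, scan_dir=None):
    """Write the command line to a Rac*.tmp file, run yara against it and return
    the names of the rules that matched. Needs Windows with Raccine's yara64.exe
    installed; the argv builder above is the portable part."""
    with tempfile.NamedTemporaryFile("w", prefix="Rac", suffix=".tmp",
                                     dir=scan_dir, delete=False) as tmp:
        tmp.write(proc_info.get("CommandLine", ""))
        tmp_path = Path(tmp.name)
    try:
        result = subprocess.run(build_yara_argv(proc_info, rule_file, tmp_path),
                                capture_output=True, text=True, check=False)
    finally:
        tmp_path.unlink(missing_ok=True)
    if result.returncode != 0:  # yara exits non-zero on errors, not on "no match"
        raise RuntimeError(result.stderr.strip())
    # yara prints one "rule_name target" line per matching rule.
    return [line.split(" ", 1)[0] for line in result.stdout.splitlines() if line.strip()]


# Constructed record with the values from the README's table.
SAMPLE_PROCESS = {
    "Name": "WMIC.exe",
    "ExecutablePath": r"C:\Windows\System32\wbem\WMIC.exe",
    "CommandLine": "WMIC.exe delete justatest",
    "Priority": 32,
    "ParentName": "cmd.exe",
    "ParentExecutablePath": r"C:\Windows\System32\cmd.exe",
    "ParentCommandLine": r"C:\WINDOWS\system32\cmd.exe",
    "ParentPriority": 32,
}

if __name__ == "__main__":
    print(subprocess.list2cmdline(build_yara_argv(
        SAMPLE_PROCESS, r"C:\ProgramData\Raccine\yara\mal_emotet.yar",
        r"C:\ProgramData\Raccine\yara\Rac1C6A.tmp")))
```

Passing the list straight to subprocess means a command line containing quotes or spaces reaches yara unchanged, which is exactly the case a rule on CommandLine needs to see.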

The following listing shows an example YARA rule that makes use of the external variables in its condition.

rule env_vars_test {
    condition:
        Name contains "WMIC.exe"
        and CommandLine contains "delete justatest"
        and ParentPriority >= 8
        and (
            ParentCommandLine contains "cmd"
            or ParentCommandLine contains "powershell"
        )
}

Deploy Configuration via GPO

The folder GPO includes Raccine.ADMX and Raccine.ADML. For deployment, the Raccine.ADMX file goes in C:\Windows\PolicyDefinitions and the accompanying Raccine.ADML file goes in C:\Windows\PolicyDefinitions\en-US.

To use: Open GPEDIT.MSC > Computer Configuration > Administrative Templates > System > Raccine

After configuring the changes, you may need to force a group policy refresh by running gpupdate.exe.

Logfile

A logfile with all interceptions and actions taken is written to C:\ProgramData\Raccine\Raccine_log.txt

Windows Eventlog

Every blocking event generates an entry in the Application event log.

The event IDs that Raccine generates:

  • EventId 1 - Setup activity
  • EventId 2 - Malicious activity detected
  • EventId 3 - Benign activity detected

Simulation Mode

Since version 0.10.0, Raccine can be installed in "simulation mode", which activates all triggers and logs all actions but doesn't kill anything. This mode should be used in environments with backup solutions or other legitimate software for a reasonable amount of time, to check whether Raccine would interfere with that software. The idea is to install Raccine in simulation mode, let it log for a week or a month and then check the logs to see if it would have blocked legitimate software used in the organisation.

Kill Run

Run raccine.exe and watch the parent process tree die (screenshot of v0.1)

GUI

Available and required since version 1.

Pivot

In case the ransomware that you're currently handling uses a certain process name, e.g. taskdl.exe, you could just change the .reg patch to intercept calls to that name and let Raccine kill all parent processes of the invoking process tree.
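The .reg patch works through the Image File Execution Options (IFEO) mechanism mentioned under "How it works": a Debugger value under the key named after the image makes Windows start that debugger in the image's place. The following added Python example (not Raccine's own installer or patch files) generates such a patch for a list of image names, including the pivot to one extra name, and the matching uninstall patch that removes only the Debugger value. The Raccine.exe path and the default image list are assumptions for this example.

```python
# Added example, not Raccine's own code: generate a .reg patch of the kind the
# README's "How it works" and "Pivot" sections describe, registering Raccine as
# the Image File Execution Options (IFEO) debugger for each intercepted image,
# plus the matching uninstall patch. IFEO and its Debugger value are the
# documented Windows mechanism; the Raccine.exe path and the image list are
# assumptions for this example.
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
DEFAULT_DEBUGGER = r"C:\Program Files\Raccine\Raccine.exe"  # assumed install path
DEFAULT_IMAGES = ("vssadmin.exe", "wmic.exe", "wbadmin.exe", "bcdedit.exe",
                  "powershell.exe", "diskshadow.exe")


def reg_string(value):
    """Quote a REG_SZ value for a .reg file: backslashes and quotes are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def ifeo_patch(images=DEFAULT_IMAGES, debugger=DEFAULT_DEBUGGER, uninstall=False):
    """Return .reg text that sets (or, with uninstall=True, removes) the
    Debugger value under the IFEO key of every image. The uninstall variant
    deletes only the value ("Debugger"=-), not the whole key, so other IFEO
    settings an administrator may keep there survive."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image in images:
        lines.append(f"[{IFEO_KEY}\\{image}]")
        lines.append('"Debugger"=-' if uninstall else f'"Debugger"={reg_string(debugger)}')
        lines.append("")
    # .reg files are line-oriented with CRLF endings.
    return "\r\n".join(lines)


def pivot_patch(process_name, debugger=DEFAULT_DEBUGGER):
    """The README's pivot: intercept one additional image name, e.g. taskdl.exe."""
    return ifeo_patch((process_name,), debugger)


if __name__ == "__main__":
    print(ifeo_patch())
    print(pivot_patch("taskdl.exe"))
    print(ifeo_patch(uninstall=True))
```

Write the text out with `newline=""` so the CRLF endings survive, then import it as an administrator. Everything the README says about blast radius applies to a pivoted name too: every ancestor of whatever launches that image gets killed, so a simulation-mode run is the place to learn which legitimate parents exist before going live.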

Help Wanted

I'd like to extend Raccine but lack the C++ coding skills, especially on the Windows platform.

Help - My System is Broken

If anything happens to your installation, e.g. sudden error messages, broken services or programs that won't start anymore, run the file raccine-reg-patch-uninstall.reg in the reg-patches sub folder. This should bring everything back to normal.

After that you should also be able to run a full uninstallation using install-raccine.bat.

Other Info

The right pronunciation is "Rax-Een".

Credits
