
About Me
• Booz Allen Hamilton (2015- Present)
– Cyber4Sight- TechINT Lead
– Malware analysis
– Threat Hunting and Network Forensics

• Georgetown University
– McDonough School of Business (2013)

• DFIR Netwars Champion (SANS CDI 2016)


• Spoke at SANS DFIR in 2016 on YARA rules/VT
– https://www.youtube.com/watch?v=DdkLY99HgAA

Tracking Bitcoin Transactions on the Blockchain | Kevin Perlow



Setting the Stage

What is a blockchain?
• Public, decentralized ledger
• Consists of “blocks”, each holding a batch of transactions
– Each block is hashed and timestamped
– New transactions are broadcast to nodes, which collect them into a block; each block holds the hash of the previous block, so changing an old block invalidates every block after it
– Proposed uses include medical records, currency, DNS
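As an added illustration of the hash-chaining bullet above (example code, not from the slides), a toy chain in Python: each block commits to its transaction batch and to the previous block's hash, and the verifier shows which link an edit to history breaks. The block layout and the sample batches are invented for the example.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # the first block has no predecessor


def tx_batch_hash(txs):
    # Canonical JSON so the same batch always produces the same digest.
    return hashlib.sha256(json.dumps(txs, sort_keys=True).encode()).hexdigest()


def block_hash(block):
    # Only header fields are hashed; the batch is covered through tx_hash.
    header = {k: block[k] for k in ("index", "timestamp", "prev_hash", "tx_hash")}
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()


def make_block(index, txs, prev_hash, timestamp):
    block = {"index": index, "timestamp": timestamp, "prev_hash": prev_hash,
             "txs": copy.deepcopy(txs), "tx_hash": tx_batch_hash(txs)}
    block["hash"] = block_hash(block)
    return block


def build_chain(batches, start_time=1_500_000_000, spacing=600):
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = make_block(i, txs, prev, start_time + i * spacing)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, index of first bad block)."""
    prev = GENESIS_PREV
    for block in chain:
        if (block["prev_hash"] != prev
                or block["tx_hash"] != tx_batch_hash(block["txs"])
                or block["hash"] != block_hash(block)):
            return False, block["index"]
        prev = block["hash"]
    return True, None


# Constructed sample batches (invented addresses and amounts, not real transactions).
SAMPLE_BATCHES = [
    [{"from": "coinbase", "to": "addrA", "btc": 50.0}],
    [{"from": "addrA", "to": "addrB", "btc": 1.5},
     {"from": "addrA", "to": "addrA_change", "btc": 48.5}],
    [{"from": "addrB", "to": "addrC", "btc": 0.5}],
]


def tamper_without_rehash():
    """Edit an old transaction in place: block 1's own tx_hash no longer matches."""
    chain = build_chain(SAMPLE_BATCHES)
    chain[1]["txs"][0]["btc"] = 15.0
    return verify_chain(chain)


def tamper_and_rehash():
    """Edit and recompute block 1's hashes: block 2 still carries the old prev_hash."""
    chain = build_chain(SAMPLE_BATCHES)
    chain[1]["txs"][0]["btc"] = 15.0
    chain[1]["tx_hash"] = tx_batch_hash(chain[1]["txs"])
    chain[1]["hash"] = block_hash(chain[1])
    return verify_chain(chain)


if __name__ == "__main__":
    print(verify_chain(build_chain(SAMPLE_BATCHES)))  # (True, None)
    print(tamper_without_rehash())                     # (False, 1)
    print(tamper_and_rehash())                         # (False, 2)
```

The second tamper case is the point of the “hash of the previous block” bullet: fixing up the edited block is not enough, because every later block would have to be re-hashed as well, which in a real network means out-mining everyone else.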

Bitcoins and the Blockchain
• Released in 2009
• A wallet contains addresses
– An address receives money; change from a spend goes to a change address
– A received output is always spent in full; whatever is not sent to the recipient comes back as change
– Wallet configuration determines the change address (re-use the sending address, or generate a fresh one)

• “We automatically generate a new address for you after every transaction you make … so that a third-party can not view all other transactions associated with your account simply by using a blockchain explorer to look-up an address they know to be yours.” - Coinbase

Bitcoin Transaction (With Change)


Tracking Bitcoin Transactions

Resources Needed
• Blockchain.info: record of all bitcoin transactions
– API
– Search by address or by transaction ID
• Wallet Explorer
– Collects transactions
– With enough data, can associate addresses with wallets (addresses spent together as inputs of one transaction are grouped as one wallet)

Start Simple- Globe Ransomware

frogobigens@india[.]com: the actor's contact address; it has been used in newer campaigns as well


Tracking Globe Instance
1HyasSC2VifTZo7YkUNn33udnWXw3Ffq7T

Possible Ransom Payments (Not full list):

Tracking Globe (2)

• Identify Wallet
• Export Data
• Identify Payments
• Cash outs?

Globe- Takeaways
• Actor provided the BTC address via email
• Actor used the same BTC address for personal transactions
– Somewhat atypical (operators usually keep ransom collection and their own funds on separate addresses)
– Cash-outs not immediately obvious

Example 2- Locky [Scale]

-Money sent to a Locky address (178HGmCfR26dSSiFxJQah1U588p2CjgX7f)
-The Locky address then moves that money on to the “1Q1…” and “12p2…” addresses
-Bigger wallet behind it? Let's “map out” an address

Example 2- Locky (2)

https://github.com/kevinperlow/SANS-DFIR-2017

Example 2- Locky (3)

Example 2 - Locky (4)

-Large number of “whole number” or “half number” transactions (ransoms are demanded in round BTC amounts)
-Activity started in February 2016, when Locky first gained steam
-!!!! There are 81 pages of this !!!!
Example 2 - Locky (5)
• Exported all 80 pages in October 2016
• Only BTC inputs divisible by 0.25: 11,295.75 BTC (5410 victims)
• Only BTC inputs whose amount is fewer than 4 characters long (e.g. “0.5”, “1.5”): 13,677.22 BTC (6136 victims)
• All BTC received (the address never took in more than 10 BTC in one payment): 15,229.78 BTC (8313 victims)
• Somewhere between 11,000 BTC and 15,000 BTC from February 2016 through October 2016
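To make the counting above concrete, here is an added Python example (not from the slides and not from the author's SANS-DFIR-2017 repository) that takes an exported address record and applies the three filters. It assumes the field layout of the Blockchain.info `rawaddr` JSON of the time (values in satoshi, `inputs[].prev_out.addr`, `out[].addr`); the record embedded in it is constructed, and reading the “fewer than 4 characters” rule as “prints in at most three characters” is an interpretation.

```python
import json
from decimal import Decimal

SATOSHI = Decimal(100_000_000)

# Constructed sample following the field layout of a Blockchain.info "rawaddr"
# response (address, txs[].hash/time/inputs[].prev_out/out[]; values in satoshi).
# Every transaction, address and amount below is invented for the example.
TARGET = "1ExampleCollectorAddressForTheDemo"
SAMPLE_RAWADDR = json.dumps({
    "address": TARGET,
    "txs": [
        {"hash": "aa" * 32, "time": 1455000000,            # 0.5 BTC received
         "inputs": [{"prev_out": {"addr": "1VictimOne", "value": 50_000_000}}],
         "out": [{"addr": TARGET, "value": 50_000_000}]},
        {"hash": "bb" * 32, "time": 1455003600,            # 1.5 BTC received, payer keeps change
         "inputs": [{"prev_out": {"addr": "1VictimTwo", "value": 175_000_000}}],
         "out": [{"addr": TARGET, "value": 150_000_000},
                 {"addr": "1VictimTwoChange", "value": 24_900_000}]},
        {"hash": "cc" * 32, "time": 1455007200,            # 0.7 BTC received
         "inputs": [{"prev_out": {"addr": "1VictimThree", "value": 70_000_000}}],
         "out": [{"addr": TARGET, "value": 70_000_000}]},
        {"hash": "dd" * 32, "time": 1455010800,            # 1.23456789 BTC received
         "inputs": [{"prev_out": {"addr": "1VictimFour", "value": 123_456_789}}],
         "out": [{"addr": TARGET, "value": 123_456_789}]},
        {"hash": "ee" * 32, "time": 1455014400,            # the collector spending, not a receipt
         "inputs": [{"prev_out": {"addr": TARGET, "value": 400_000_000}}],
         "out": [{"addr": "1CashOutAddress", "value": 399_990_000}]},
    ],
})


def received_amounts(rawaddr_json, address):
    """Yield (txid, time, btc) for each tx that pays `address` from someone else's coins."""
    for tx in json.loads(rawaddr_json)["txs"]:
        # Skip the address's own spends: its change would otherwise count as a receipt.
        if any(i.get("prev_out", {}).get("addr") == address for i in tx["inputs"]):
            continue
        sats = sum(o["value"] for o in tx["out"] if o.get("addr") == address)
        if sats:
            yield tx["hash"], tx["time"], Decimal(sats) / SATOSHI


def fmt_btc(btc):
    """Plain decimal string without trailing zeros or exponent ("0.5", "1.5", "2")."""
    return format(btc.normalize(), "f")


def is_quarter_multiple(btc):
    return btc > 0 and btc % Decimal("0.25") == 0


def is_short_amount(btc):
    # Reading of the slide's "< 4 characters" rule: the amount prints in at most
    # three characters, which catches whole and half BTC ransoms but not dust or
    # odd-sized deposits.
    return len(fmt_btc(btc)) < 4


def summarize(rawaddr_json, address):
    rows = list(received_amounts(rawaddr_json, address))

    def bucket(pred):
        sel = [btc for _, _, btc in rows if pred(btc)]
        return {"victims": len(sel), "btc": sum(sel, Decimal(0))}

    return {
        "quarter_multiples": bucket(is_quarter_multiple),
        "short_amounts": bucket(is_short_amount),
        "all_received": bucket(lambda _: True),
        # Sanity check from the slide: the collector never took in > 10 BTC at once.
        "max_single_receipt": max((btc for _, _, btc in rows), default=Decimal(0)),
    }


if __name__ == "__main__":
    for name, val in summarize(SAMPLE_RAWADDR, TARGET).items():
        print(name, val)
```

Two details matter when you do this on a real export: amounts are kept as `Decimal`, because float arithmetic on satoshi values produces rounding noise that breaks the “divisible by 0.25” test; and transactions where the collector itself is an input are excluded, otherwise its own change outputs inflate the victim count.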

Example 2- Locky (6)
Cash-outs:

Example 3- Shark/Atom [Attribution]
• Ransomware as a Service (RaaS)
– 20% of collected ransom went to authors
– Advertised on Russian website
– Major OPSEC failure

Example 3- Shark/Atom (2)
BTC payment automatically split between the author and the “renter”

Author’s share went to 1FzWxf1Ay6DYbJC6hY63CLiBtYpCZQFMf6

Example 3- Shark/Atom (2, cont.)
Other addresses sent the “cut” to the same “author” address

Example 3- Shark/Atom (3)
• What other addresses are associated with 1FzW?

Example 3- Shark/Atom (3, cont.)
• Another method using newer data (this is going to get tricky…)
– We know who “owns” 1FzWxf1Ay6DYbJC6hY63CLiBtYpCZQFMf6 (the author's cut lands there)
– First address ever to put money in 1FzW: 16qCmuYD4SVoZq7wnheVZywRycJwDfSUxd
– First address ever to put money in 16qC: 16q3LKLg1GXXmR67QLVXHEPDoxFwC594PF
• Which has also been paid by 1FzW: money flowing both ways between two addresses is what you expect inside one wallet

Example 3- Shark/Atom (4)

The same person who controls 1FzW likely controls the other two addresses.

Example 3- Shark/Atom (5)
• First address to “fund” 16q3?
– 17N4mi5VkwVTH3JBspa4gW2jC6oixhW7ca
– Likely also owned by the Atom author
• 17N4mi also sent money to 172iQZ7EaPuyogueWvY1d2LJ7VfiAbL6Wv in the same transaction
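The two heuristics this section leans on, grouping co-spent inputs (what a wallet explorer does to turn addresses into “wallets”) and following “first funder” links with the reciprocal-payment check from the previous slides, as an added Python example that is not part of the slides. The transactions in it are constructed to reproduce the pattern described above using the slides' short address labels; txids, times and amounts are invented, not the real chain data.

```python
from collections import defaultdict

# Constructed transactions reproducing the funding pattern the slides describe.
# Address labels are the slides' short forms (1FzW, 16qC, 16q3, 17N4, 172i, 1EbM);
# txids, times and amounts are invented.
TXS = [
    {"txid": "t1", "time": 100, "inputs": ["17N4"], "outputs": [("16q3", 2.0), ("172i", 1.0)]},
    {"txid": "t2", "time": 200, "inputs": ["16q3"], "outputs": [("16qC", 1.5)]},
    {"txid": "t3", "time": 300, "inputs": ["16qC"], "outputs": [("1FzW", 1.0)]},
    # A ransom payment: the victim's coins, split 20/80 between author and renter.
    {"txid": "t4", "time": 400, "inputs": ["1VictimA", "1VictimB"],
     "outputs": [("1FzW", 0.2), ("1Renter", 0.8)]},
    {"txid": "t5", "time": 500, "inputs": ["1FzW"], "outputs": [("16q3", 0.9)]},
    {"txid": "t6", "time": 600, "inputs": ["172i"], "outputs": [("1EbM", 1.0)]},
]


class DisjointSet:
    """Minimal union-find over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cospend_clusters(txs):
    """Common-input-ownership heuristic: all inputs of one tx were signed by the
    same key holder, so they are merged into one cluster."""
    ds = DisjointSet()
    for tx in txs:
        if not tx["inputs"]:
            continue  # coinbase-style tx, nothing to link
        ds.find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            ds.union(tx["inputs"][0], addr)
    clusters = defaultdict(list)
    for addr in list(ds.parent):
        clusters[ds.find(addr)].append(addr)
    return {root: sorted(members) for root, members in clusters.items()}


def pays(tx, addr):
    """True if `tx` sends to `addr` from coins `addr` does not itself control."""
    return addr not in tx["inputs"] and any(o == addr for o, _ in tx["outputs"])


def first_funder(txs, addr):
    """First input of the earliest tx that pays `addr` from outside, or None."""
    paying = [tx for tx in txs if pays(tx, addr)]
    return min(paying, key=lambda t: t["time"])["inputs"][0] if paying else None


def paid_by(txs, src, dst):
    return any(src in tx["inputs"] and pays(tx, dst) for tx in txs)


def sibling_outputs(txs, addr):
    """Other addresses paid in the same transactions that paid `addr`."""
    return {o for tx in txs if pays(tx, addr) for o, _ in tx["outputs"] if o != addr}


def trace_funding_chain(txs, start, max_depth=5):
    """Walk 'first funder' links back from `start`. A hop is flagged reciprocal
    when `start` has also paid that funder: money moving both ways between two
    addresses is the pattern the slides use to argue for a single owner."""
    chain, cur, seen = [], start, {start}
    for _ in range(max_depth):
        funder = first_funder(txs, cur)
        if funder is None or funder in seen:
            break
        chain.append({"address": funder, "funded": cur,
                      "reciprocal": paid_by(txs, start, funder),
                      "siblings": sorted(sibling_outputs(txs, cur))})
        seen.add(funder)
        cur = funder
    return chain


if __name__ == "__main__":
    for hop in trace_funding_chain(TXS, "1FzW"):
        print(hop)
    print(cospend_clusters(TXS))
```

On this sample the co-spend heuristic never links 1FzW to 16qC or 16q3, because none of those addresses is spent together with another; the first-funder walk is what produces the 1FzW → 16qC → 16q3 → 17N4 chain, with the 16q3 hop flagged reciprocal, and the `siblings` field surfaces 172i alongside 16q3, the same observation slide (5) makes. Treat the result as a lead to confirm, not proof of ownership: a first funder can equally be an exchange or a mixer.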

Example 3- Shark/Atom (6)

Example 3- Shark/Atom (7)
• 172iQZ7EaPuyogueWvY1d2LJ7VfiAbL6Wv sends money to 1EbMfiWQ1fjeCpCevRA4nbmWdMbP8M3izP, the only transaction it ever conducted
• 1EbM’s only “output” transactions at the time were to 1JtPVRYda18BJCZe9rJHn1Qahjkn48Lpor and 19XasTdLbTvYbCtBMijuT8tDg1VwjVKVXo

Example 3- Shark/Atom (8)

Example 3- Shark/Atom (9)
• Automatically generated graph of the above
• Bottom right (nodes 7-10) are Matbea addresses
• Not enough to generate an “answer” on its own, but saves time

Example 3- Shark/Atom (10)

Bonus Example- Spora
• Initial version: the victim needed to upload a key file to Spora[.]biz
• The store (key file) is digitally signed, together with a BTC address
• The store contains your payment address
• Address: 1SporaxoosUPYPEizY46t8yquLfzyABRm (a vanity address beginning with “1Spora”)

Bonus Example- Spora (2)
• Early on: able to show the actor possessed at least 58 BTC
• Possible startup funding?
• First ransoms?
• New activity shows a LOT of money moving in and out

Bonus Example- Spora (3)

Separately, the ransom payments (bottom left) get sent to addresses in batches (bottom right)
Bonus Example- Spora (4)
• Suspected affiliate program based on its blockchain properties
• Later corroborated by other research
• Follow the money: 137zbLqMQjc96kYcEyPonpT442eWuuvKYK

Source: https://blog.cyber4sight.com/2017/01/blockchain-analysis-suggests-spora-ransomware-operates-via-affiliate-program/spora/


The Namecoin Blockchain

Namecoin (.Bit) Domains
• Decentralized blockchain for DNS records (resolving .bit requires a special DNS server or OpenNIC)
• Carries DNS records with the transaction
– New (name_new: reserves the name; the registration fee is destroyed by the transaction)
– First Update (name_firstupdate: reveals the name and sets its first value)
– Update (name_update: changes the value or transfers the name)
• Functions as a cryptocurrency
– Each registered domain rides on a special coin (the name output) that every update must spend
– This “special coin” property “flattens” part of the blockchain: a domain's history is one linear chain of transactions
– Makes it easier to correlate IPs and domains
• Holds historical data: we can use it to identify domains, build a timeline of the campaign, and find other IPs

Shifu Banking Trojan
• Unit42 report- came out 6 January 2017
– Shifu Banking trojan underwent update in 2016
– Two domains (klyatiemoskali[.]bit, slavaukraine[.]bit)

http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/

Shifu Banking Trojan (2)

Shifu Banking Trojan (3)

Shifu Banking Trojan (4)

New IOCs! What happens if we map out the rest of the Namecoin chain?

Shifu Banking Trojan (5)
• Namecha.in
– No API, you’re on your own for a script (scrape the explorer pages)
– The script should:
• Capture IP info
• Capture domain info
• Associate transactions and addresses
– Remember, this is a flatter blockchain: follow the name output from one update to the next

Shifu Banking Trojan (6)

• Did my best to zoom in, but clearly graphing this isn’t *quite* enough
• We need to output some data to CSVs:
– Timeline
– Infrastructure
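An added Python example (not the author's script) of the post-processing the previous two slides ask for: it parses the JSON value of each d/ name operation for IPs, builds the timeline, pivots from IPs and from the address holding the name output to other names, expands a seed domain to related names, and writes CSV. The record layout is an assumption about what a namecha.in scrape would yield; the records are constructed, with only the two domain names taken from the Unit42 report above.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed name-operation records in the shape a scraper of a Namecoin block
# explorer might emit (assumed layout: txid, time, op, name, address holding the
# name output, raw value). Txids, times, addresses and values are invented; only
# the two d/ names come from the Unit42 report.
NAME_OPS = [
    {"txid": "n1", "time": 1454000000, "op": "name_firstupdate", "name": "d/klyatiemoskali",
     "address": "N1holder", "value": '{"ip":"203.0.113.10"}'},
    {"txid": "n2", "time": 1456000000, "op": "name_update", "name": "d/klyatiemoskali",
     "address": "N1holder",
     "value": '{"ip":["203.0.113.10","198.51.100.7"],"map":{"*":{"ip":"198.51.100.7"}}}'},
    {"txid": "n3", "time": 1457000000, "op": "name_firstupdate", "name": "d/slavaukraine",
     "address": "N2holder", "value": '{"ip":"198.51.100.7"}'},
    {"txid": "n4", "time": 1458000000, "op": "name_update", "name": "d/slavaukraine",
     "address": "N3holder", "value": "not json at all"},
    {"txid": "n5", "time": 1459000000, "op": "name_firstupdate", "name": "d/unrelatedshop",
     "address": "N9other", "value": '{"ns":["ns1.example.net"]}'},
]


def extract_ips(value):
    """IPs from a d/ value: "ip" may be a string or a list, and "map" nests
    per-subdomain records with the same layout. Non-JSON values yield nothing."""
    try:
        data = json.loads(value)
    except (json.JSONDecodeError, TypeError):
        return set()
    ips = set()

    def walk(node):
        if not isinstance(node, dict):
            return
        ip = node.get("ip")
        if isinstance(ip, str):
            ips.add(ip)
        elif isinstance(ip, list):
            ips.update(i for i in ip if isinstance(i, str))
        mapping = node.get("map")
        if isinstance(mapping, dict):
            for sub in mapping.values():
                if isinstance(sub, str):
                    ips.add(sub)  # bare string under "map" is the d/ spec's IPv4 shorthand
                else:
                    walk(sub)

    walk(data)
    return ips


def timeline(ops):
    """One row per name operation, oldest first: the campaign's timeline."""
    return [{"time": op["time"], "txid": op["txid"], "op": op["op"], "name": op["name"],
             "address": op["address"], "ips": " ".join(sorted(extract_ips(op["value"])))}
            for op in sorted(ops, key=lambda o: (o["time"], o["txid"]))]


def infrastructure(ops):
    """ip -> names and holding address -> names: the two pivots to new IOCs."""
    ip_to_names, addr_to_names = defaultdict(set), defaultdict(set)
    for op in ops:
        addr_to_names[op["address"]].add(op["name"])
        for ip in extract_ips(op["value"]):
            ip_to_names[ip].add(op["name"])
    return dict(ip_to_names), dict(addr_to_names)


def pivot(ops, seed_names):
    """Expand a seed set of names through shared IPs and shared holding
    addresses until nothing new appears."""
    ip_to_names, addr_to_names = infrastructure(ops)
    names = set(seed_names)
    while True:
        grown = set(names)
        for op in ops:
            if op["name"] in names:
                grown |= addr_to_names[op["address"]]
                for ip in extract_ips(op["value"]):
                    grown |= ip_to_names[ip]
        if grown == names:
            return names
        names = grown


def to_csv(rows):
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(timeline(NAME_OPS)))
    print(sorted(pivot(NAME_OPS, {"d/klyatiemoskali"})))
```

Starting from d/klyatiemoskali alone, the shared IP 198.51.100.7 pulls in d/slavaukraine, while d/unrelatedshop stays out because it shares neither an IP nor a holding address. The pivot on holding address is the one the “flatter blockchain” makes cheap: because each update spends the previous name output, the sequence of addresses that held the name is visible without any wallet clustering. Shared hosting IPs are a weaker link than shared holder addresses, so check each expansion step by hand before calling the result an IOC.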

Shifu Banking Trojan (8)
Identified Domains:
• d/slavaukraine
• d/healthshop
• d/klyatiemoskali
• d/contentdeliverynet
• d/foreveral0ne
• d/clientdata
• d/forevery0ung
• d/beautyforum
• d/freedomfornadya
• d/microurl
• d/windata
• d/osdata
• d/ktoneskachettotmoskal
• d/clusterdata

Quick Recap
• Blockchain technology stores a LOT of data
• We can track and correlate this data
– Monetary transactions
– Domains
– Property??
– Medical records??
• Questions?
