Home

Awesome

Inactively Maintained

Raccine

Raccine

A Simple Ransomware Protection

Why

We see ransomware delete all shadow copies using vssadmin pretty often. What if we could just intercept that request and kill the invoking process? Let's try to create a simple vaccine.

Ransomware Process Tree

How it works

We register a debugger for vssadmin.exe (and wmic.exe), which is our compiled raccine.exe. Raccine is a binary, that first collects all PIDs of the parent processes and then tries to kill all parent processes.

Advantages:

Disadvantages / Blind Spots:

The Process

  1. Invocation of vssadmin.exe (and wmic.exe) gets intercepted and passed to raccine.exe as debugger (vssadmin.exe delete shadows becomes raccine.exe vssadmin.exe delete shadows)
  2. We then process the command line arguments and look for malicious combinations using Yara rules.
  3. If no malicious combination could be found, we create a new process with the original command line parameters.
  4. If a malicious combination could be found, we collect all PIDs of parent processes and the start killing them (this should be the malware processes as shown in the screenshots above). Raccine shows a command line window with the killed PIDs for 5 seconds, logs it to the Windows Eventlog and then exits itself.

Malicious combinations:

^ outdated list: check the corresponding YARA rule

Powershell list of encoded commands: JAB, SQBFAF, SQBuAH, SUVYI, cwBhA, aWV4I, aQBlAHgA and many more

Example

Emotet without Raccine - Link

Emotet without Raccine

Emotet with Raccine - Link (ignore the process activity that is related to the Raccine installation)

Emotet with Raccine

The infection gets nipped in the bud.

Warning !!!

USE IT AT YOUR OWN RISK!

You won't be able to run commands that use the blacklisted commands on a raccinated machine anymore until you apply the uninstall patch raccine-reg-patch-uninstall.reg. This could break various backup solutions that run that specific command during their work. It will not only block that request but kill all processes in that tree including the backup solution and its invoking process.

If you have a solid security monitoring that logs all process executions, you could check your logs to see if vssadmin.exe delete shadows, vssadmin.exe resize shadowstorage ... or the other blocked command lines are frequently or sporadically used for legitimate purposes in which case you should refrain from using Raccine.

Version History

Installation

Requirements

Both the Visual C++ Redistributable package and the .NET Framework will be automatically installed running install-raccine.bat.

Automatic Installation

  1. Download Raccine.zip from the Release section
  2. Extract it
  3. Run raccine-installer.bat as administrator

Windows Batch Installer

The batch installer includes an "uninstall" option.

Manual Uninstall

As Administrator do:

  1. Run raccine-reg-patch-uninstall.reg
  2. Remove %ProgramFiles%\Raccine and %ProgramData%\Raccine folders
  3. Run reg delete HKCU\Software\Raccine /F
  4. Run taskkill /F /IM RaccineSettings.exe
  5. Run reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  6. Run schtasks /DELETE /TN "Raccine Rules Updater" /F

Updates

Program Upgrade

We recommend an uninstall and reinstall to upgrade. An uninstall removes all registry keys with configurations.

Signature Update

Raccine has an integrated signature-updater since version 1.2. This program named RaccineRulesSync.exe is configured to run once a day via scheduled task. You can run a signature update manually using the option in the tray icon menu.

YARA Matching

Since version 1.0, Raccine additionally uses YARA rules to determine if a process command line or parent process is malicious or not. Raccine uses 2 sets of rules for two different purposes.

  1. ./yara - rules that get applied to the command line with all parameters, e.g. WMIC.exe delete justatest
  2. ./yara/in-memory - rules that get applied to process memory of the parent process of our intercepted process, e.g. ransomware.exe running our intercepted process vssadmin.exe

YARA External Variables

Since version 1.1 we pass a list of external variables into the YARA matching process to allow for much more complex and clever YARA rules that take attributes of the process and its parent into account.

VariableDescriptionExample Value
FromRaccinetrue
NameImage file nameWMIC.exe
ExecutablePathFull path to binaryC:\Windows\System32\wbem\WMIC.exe
CommandLineFull command line with parametersWMIC.exe delete justatest
PriorityProcess priority32
ParentNameParent image file namecmd.exe
ParentExecutablePathFull path to parent executableC:\Windows\System32\cmd.exe
ParentCommandLineFull parent command line with parametersC:\WINDOWS\system32\cmd.exe
ParentPriorityParent process priority32

The matching process looks like this on the command line:

"C:\Program Files\Raccine\yara64.exe" -d FromRaccine="true" -d Name="WMIC.exe" -d ExecutablePath="C:\Windows\System32\wbem\WMIC.exe" -d CommandLine="WMIC.exe delete justatest" -d  Priority=32 -d FromRaccine="true" -d ParentName="cmd.exe" -d ParentExecutablePath="C:\Windows\System32\cmd.exe" -d ParentCommandLine="'C:\WINDOWS\system32\cmd.exe' " -d ParentPriority=32 C:\ProgramData\Raccine\yarayara\mal_emotet.yar C:\ProgramData\Raccine\yara\Rac1C6A.tmp

The following listing shows an example YARA rule that makes use of the external variables in its condition.

rule env_vars_test {
    condition:
        Name contains "WMIC.exe"
        and CommandLine contains "delete justatest"
        and ParentPriority >= 8
        and (
            ParentCommandLine contains "cmd"
            or ParentCommandLine contains "powershell"
        )
}

Deploy Configuration via GPO

The folder GPO includes Raccine.ADMX and Raccine.ADML. In deployment the Raccine.ADMX file goes in C:\Windows\PolicyDefinitions. The accompanying Raccine.ADML files goes in C:\Windows\PolicyDefinitions\en-US.

To use: Open GPEDIT.MSC > Computer Configuration > Administrative Templates > System > Raccine

After configuring the changes, you may need to bump gpo by running gpupdate.exe.

Logfile

A logfile with all interceptions and actions taken is written to C:\ProgramData\Raccine\Raccine_log.txt

Log File

Windows Eventlog

An entry is generated by every blocking event in the Application eventlog.

Eventlog

The IDs that Raccine generates

Simulation Mode

Since version 0.10.0, Raccine can be installed in "simulation mode", which activates all triggers, logs all actions but doesn't kill anything. This mode should be used in environments in which backup solutions or other legitimate software for a reasonable amount of time to check if Raccine would interfere with other software. The idea is to install Raccine in simulation mode, let it log for a week or month and then check the logs to see if it would have blocked legitimate software used in the organisation.

Kill Run

Screenshot

Run raccine.exe and watch the parent process tree die (screenshot of v0.1)

Kill Run

GUI

Available and required since version 1.

GUI

GUI

GUI

Pivot

In case that the Ransomware that your're currently handling uses a certain process name, e.g. taskdl.exe, you could just change the .reg patch to intercept calls to that name and let Raccine kill all parent processes of the invoking process tree.

Help Wanted

I'd like to extend Raccine but lack the C++ coding skills, especially on the Windows platform.

Help - My System is Broken

If anything happens to your installation, e.g. sudden error messages, broken services or programs that won't start anymore, run the file raccine-reg-patch-uninstall.reg in the reg-patches sub folder. This should bring everything back to normal.

After that your should also be able to run a full uninstallation using install-raccine.bat.

Other Info

The right pronounciation is "Rax-Een".

Credits