Welcome to the VMRay Malware Analysis Report Recap. Every month our Research Team provides a recap of the malware analysis reports posted to the VMRay Twitter account. This past November, our team analyzed a malicious JavaScript file, the Ordinypt wiper, and a variant of the XZZX Cryptomix ransomware.
Report Name: Malicious Javascript from MYOB Email Attack
Date Released: November 7, 2017
SHA256: 24139566e338de0e3c54fba4668eab701caa9ee7c8853b2ab2e2746277c57857
Malware written in JavaScript is usually a ‘dropper’ that only downloads and runs the actual malicious executable. The VTI section of the report shows that the file used in the MYOB email attack does exactly that (Figure 1).
Figure 1: Typical ‘Dropper’ behavior displayed by malicious JavaScript file
More interestingly, the downloaded executable uses an evasion technique: it checks whether it is running in a virtual machine. VMRay Analyzer is designed to deal with evasive malware and handles these detection attempts so that they do not derail the analysis.
The malicious executable then injects code into the process “c:\windows\syswow64\dllhost.exe” to hide its tracks (Figure 2).
Figure 2: Evasive behavior and code injection associated with malicious JavaScript file
Date Released: November 10, 2017
SHA256: 085256b114079911b64f5826165f85a28a2a4ddc2ce0d935fa8545651ce5ab09
Sometimes malware authors just want to watch the world burn. In this analysis, the Ordinypt Wiper pretends to encrypt user files but instead simply deletes them.
As Figure 3 shows, this file triggers VTI rules for user file deletion as well as file creation. This behavior is in many ways similar to ransomware.
The “Behavior Information – Sequential View” (Figure 4) shows more of the file’s behavior. We can observe that files are deleted but never read; without reading a file it is obviously not possible to encrypt it.
However, the sample tries to hide this fact by creating a new file with a random name for each deleted file. These actions are repeated over and over again for every user file. We can also see that the sample deletes the file “Wo_sind_meine_dateien.html” (German for “where are my files”) and writes it again each time.
Figure 4: Behavior Section of the report showing file deletion
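The observation above (files deleted without ever being read cannot have been encrypted) is a usable triage heuristic. The following script is an added example, not code from VMRay or the report: it parses a constructed sequential file-activity log, separates the rewritten note file from user files, and classifies the activity as wiper-like or ransomware-like.

```python
# Added example (not from the VMRay report). Classify a sequential file-activity
# log using the Ordinypt observation: a user file that is deleted without ever
# being read cannot have been encrypted. Log format and paths are constructed.

# Constructed sample, loosely mimicking a sequential behaviour view:
# "<seq> <op> <path>"  where op is read, write, create or delete
SAMPLE_LOG = """\
1 create C:\\Users\\bob\\Documents\\Wo_sind_meine_dateien.html
2 delete C:\\Users\\bob\\Documents\\report.docx
3 create C:\\Users\\bob\\Documents\\Qx7kL2pA.docx
4 delete C:\\Users\\bob\\Documents\\Wo_sind_meine_dateien.html
5 create C:\\Users\\bob\\Documents\\Wo_sind_meine_dateien.html
6 delete C:\\Users\\bob\\Pictures\\holiday.jpg
7 create C:\\Users\\bob\\Pictures\\m3Nv8ZqR.jpg
"""


def parse_log(text):
    """Return a list of (seq, op, path) tuples; paths may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, op, path = line.split(" ", 2)
        events.append((int(seq), op.lower(), path))
    return events


def classify(events, note_name="Wo_sind_meine_dateien.html"):
    """Split deletions into 'read first' vs 'never read' and derive a verdict."""
    read_before = set()          # paths that were read at least once
    deleted_unread = []          # deleted without any prior read (wiper pattern)
    deleted_after_read = []      # read then deleted (consistent with encrypt-then-delete)
    note_rewrites = 0            # how often the note file itself was deleted
    for _, op, path in events:
        if path.endswith(note_name):
            note_rewrites += op == "delete"   # the note is not a user file
            continue
        if op == "read":
            read_before.add(path)
        elif op == "delete":
            (deleted_after_read if path in read_before else deleted_unread).append(path)
    if deleted_unread and not deleted_after_read:
        verdict = "wiper-like"
    elif deleted_after_read:
        verdict = "ransomware-like"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "deleted_unread": deleted_unread,
            "deleted_after_read": deleted_after_read, "note_rewrites": note_rewrites}
```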
Report Name: XZZX Cryptomix Ransomware Variant
Date Released: November 14, 2017
SHA256: 33a60a16e50b8df2a731023951475ff0f973fc66334d2cfa6ce30aa36bb36414
This variant of XZZX Cryptomix ransomware only starts encrypting files after a restart.
Figure 5: Ransomware note created by the XZZX Cryptomix Ransomware variant
On initial infection this file simply hides its presence using various methods: changing folder appearances, using an alternate data stream and turning off essential Windows security services.
To stay in control after a reboot, the file adds an entry to the Windows startup registry.
Figure 6: Evasive behavior, critical system service disablement and persistence shown by XZZX Cryptomix Ransomware variant
After a reboot, the sample starts to encrypt user files. We can see this behavior in the process graph (Figure 7). Initially, only cmd.exe processes are created to hide the sample’s tracks, followed by a reboot where the actual encryption takes place. We can also see the process then spawns “notepad.exe” to provide the message shown in Figure 5.
Figure 7: Process graph of the XZZX Cryptomix Ransomware variant
Report Name: Malicious Microsoft Word Document
Date Released: November 28, 2017
SHA256: 607aa428401fe8e6d66583cdfc43a7879b1173c0d116a1e53ebd4e044511bfd1
Documents are often used as the first stage of a malware infection. Most of these documents simply use embedded macros for further infection. However, since macros are usually not executed by default, the malware needs to trick the user into enabling them:
Figure 8: Execution of macros is disabled by default. Malware tries to trick users into enabling them.
In this case, the macro first decodes a PowerShell script, which in turn downloads and executes a packed PE file named “3292.exe”. This file goes through several unpacking stages and finally executes the actual payload. This fairly complicated execution process can clearly be seen in the process graph:
Figure 9: Process graph of the malware sample’s unpacking stages.
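The document → PowerShell → dropped executable chain described above is what a process-graph-based detection would look for. The script below is an added example (not VMRay's code): it rebuilds parent/child ancestry from constructed process-creation events and reports the first non-script-host executable that runs beneath a PowerShell or cmd process whose ancestry includes an Office application; image names and command lines are assumptions.

```python
# Added example (not from the VMRay report). Rebuild a process tree from
# constructed process-creation events and flag the Office -> script host ->
# dropped-executable chain. Event tuple layout and values are constructed.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed events: (pid, parent_pid, image_name, command_line)
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "WINWORD.EXE", "winword.exe invoice.doc"),
    (300, 200, "powershell.exe", "powershell.exe -EncodedCommand <constructed-blob>"),
    (400, 300, "3292.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\3292.exe"),
    (500, 400, "3292.exe", "3292.exe"),   # unpacking stage re-spawns itself
    (600, 100, "notepad.exe", "notepad.exe notes.txt"),  # benign sibling
]


def build_tree(events):
    """Index events by pid so ancestry can be walked upwards."""
    return {pid: (ppid, image.lower(), cmd) for pid, ppid, image, cmd in events}


def ancestry(by_pid, pid):
    """Image names from the process itself up to the root, child first."""
    chain = []
    while pid in by_pid:
        ppid, image, _ = by_pid[pid]
        chain.append(image)
        pid = ppid
    return chain


def find_document_dropper_chains(events):
    """Return (pid, image, chain) for each executable spawned by a script host
    that itself descends from an Office process. Self-re-spawns of the dropped
    executable (unpacking stages) are not reported again."""
    by_pid = build_tree(events)
    hits = []
    for pid in by_pid:
        chain = ancestry(by_pid, pid)
        if len(chain) < 3 or chain[0] in SCRIPT_HOSTS:
            continue                      # skip the script host itself
        if chain[1] in SCRIPT_HOSTS and any(a in OFFICE for a in chain[2:]):
            hits.append((pid, chain[0], " <- ".join(chain)))
    return hits
```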
Fully unpacked, the malware sample starts communicating with its control server by sending information about the operating system, hardware, and active processes and then waiting for further commands.
Report Name: Suspected Zeus Panda Banking Trojan
Date Released: November 30, 2017
SHA256: b34abadaa54fa828fc3d1b1540004f5dd94873918d5b3f2a3eab49272b67415b
This sample appears to be a variant of the “Zeus Panda” banking Trojan, which is well known for its awareness of the environment in which it is executed. This Trojan uses several heuristics to determine whether it is being executed on a user machine or an analysis machine. The sample typically looks for vendor artifacts on the system, running processes, etc.:
Figure 10: Zeus Panda banking trojan detected threats
This malware sample is a good illustration of the importance of an agentless approach to dynamic analysis. Since VMRay Analyzer does not modify the environment in which the malware sample is executed, it cannot be detected by looking for such artifacts.