Welcome to the VMRay Malware Analysis Report Recap. Every month our Research Team provides a recap of the malware analysis reports posted to the VMRay Twitter account. This past February, our team analyzed Black Ruby ransomware, Cobalt Strike Beacon and a Javascript file attempting to detect VMs via the registry.
Click the links below to jump to a specific report:
Date Released:
February 6, 2018
SHA256:
daea4b5ea119786d996f33895996396892fa0bdbb8f9e9fcc184a89d0d0cb85e
The Black Ruby ransomware was discovered in February 2018 by the MalwareHunterTeam.
For some malware authors, one attack type isn’t enough. Black Ruby includes a bonus cryptominer in addition to its standard ransomware capabilities. Not only does this malware encrypt the user’s files and demand a ransom but it also deploys a coin mining module to generate digital cryptocurrency.
Black Ruby’s capabilities are easy to identify from the function log (Figure 1).
Figure 1: VMRay Function log detailing Black Ruby’s behavior
Another observation is that Black Ruby will only encrypt a user’s machine if the user is not in Iran. The ransomware does this by checking the IP address using freegeoip.net to determine the user’s location
Figure 2: Threat Indicators (VTI) associated with Black Ruby ransomware
To make matters worse, Black Ruby adds the cryptominer to the startup routine for persistence, as is indicated in the list of Threat Indicators (Figure 2).
Date Released:
February 13, 2018
SHA256:
2dc346015c02c8c9f97e75f72cf194c8a8830c7a932ba22c502fcd3841a14e56
This is a classic case of ‘VBA macro in a Microsoft Office document’. This malware sample downloads the payload via a macro script inside Excel and executes it.
The embedded VBA code can also be seen in the analysis report without the need for a separate local extraction.
Figure 3: VBA code embedded in the Excel document submitted for analysis
In the VTI section of the analysis report, the VTI rule “Download File” reveals the malicious payload “val.exe” was downloaded and renamed to “heidi.exe” (Figure 4).
Figure 4: Threat Indicators (VTI) associated with the malicious Excel file
In addition, the Network tab indicates the contacted host is already blacklisted and is based in Malaysia (Figure 5)
Figure 5: Network activity involving Blacklisted hosts and URLs
Date Released:
February 15, 2018
SHA256:
d8ef1c4f64a05b1abf100044fcb7048c9526d175a114cb90bd134b80783da146
HTML applications (HTA) are not often used as malware. In this case, the HTA file is used to download and execute a malicious payload.
The interesting part is the payload itself. It is a Javascript that injects and modifies the code of the “explorer.exe” process. The result is “explorer.exe” then injects and modifies the code of “rundll32.exe” to place a trojan into the system, as seen in the monitored processes in Figure 6.
Figure 6: Process graph for Cobalt Strike Beacon
Figure 7: Threat Indicators (VTI) associated with Cobalt Strike Beacon
Date Released:
February 28, 2018
SHA256:
f664d5e8a47084388e3d0efabc38b5f04a759e382211846f722be6f7365df7fc
This sample represents one of the most common techniques used by malware authors: writing a JavaScript file that downloads and executes a malicious payload. In this case, the JavaScript starts the command prompt and runs Powershell which then downloads and executes the payload. This can be seen clearly in the process graph included in the Overview section of the analysis report.
Figure 8: : Process graph associated with the malware behavior
Once downloaded, the malicious payload “roamingeox20.exe” is executed and is added to the startup routine.
Figure 9: Threat indicators (VTI): Addition of the malicious payload to the system startup routine for persistence
