Welcome to the VMRay Malware Analysis Report Recap. Every month our Research Team provides a recap of the malware analysis reports posted to the VMRay Twitter account. This past January, our team analyzed a variant of BigEyes/Lime ransomware, GandCrab ransomware and Lotus Blossom malspam.
Click the links below to jump to a specific report:
Date Released:
January 10, 2018
SHA256:
880b352d1186a1c33d73a42907ee9b9902363c2358fe9f0c540c776602093772
This malicious Word document uses several techniques to detect the presence of security tools such as Sandboxes and Anti-virus software. All of these techniques are detected by VMRay Analyzer and listed as potential threats in the VTI section of the report (Figure 1).
Figure 1. Techniques used to detect the presence of a Sandbox, Anti-Virus and Firewall
In the Network Tab (Figure 2), we can see the Word document using a VBA Macro to connect to a known malicious domain and Dropbox (using bitsadmin) to download the payload.
Figure 2: Network Map shows connections to
blacklisted hosts and URLs to download the payload
The payload uses common techniques like process injection and adding an entry into the Windows startup for persistence. Both of these can be seen in the process graph (Figure 3), with persistence resulting in an automatic reboot.
Figure 3: Process Graph highlighting Injection and persistence
The malware then goes on to steal credentials from Mozilla Firefox, Google Chrome and Internet Explorer as well as system data (Figure 4).
Figure 4: Stealing information and credentials
Date Released:
January 17, 2018
SHA256:
9dbd7b3133c9bc80b9ed83712d488d014b856c8814a268871046a30c4b6fc6ae
BigEyes/Lime ransomware is written in .NET and directly starts to encrypt the files on the computer. To be quick it only encrypts files of the current user. This means that only files in the Documents, Pictures, Music, Videos and Desktop folders are affected.
Figure 5: BigEyes/Lime Ransomware encrypts files only in certain folders
Every encrypted file gets the suffix “.lime” and the system wallpaper displays the ransom note.
Figure 6: BigEyes/Lime ransom note displayed as wallpaper
The ransom note demands 100$ in Bitcoin for the decryption key. This key is needed for the program named “#Decryptor.exe” (shown in figure 7) which is dropped to the desktop and decrypts the encrypted files. However, our analysis shows that the decryption key is also dropped in “C:\microsoft\hash” in plain text. The malware authors made it relatively easy to decrypt the files without paying the ransom.
Figure 7: BigEyes/Lime Ransomware decryptor
Figure 8: BigEyes/Lime Ransomware decryption key dropped in “C:\microsoft\hash”
Date Released:
January 26, 2018
SHA256:
5d53050a1509bcc9d97552fa52c1105b51967f4ccf2bde717b502605db1b5011
This file exhibits typical ransomware behavior i.e. it encrypts all files on the user’s system and demands a ransom payment for the decoder key. To ensure that the user cannot restore files, it deletes all snapshots created by the Volume Shadow Copy Service.
Figure 9: GandCrab Ransomware behavior exhibited by the sample
All encrypted files have the suffix “.GDCB” as shown in the accompanying figure.
Figure 10: Encrypted files with the suffix “.GDCB”
The ransom note with further instructions on how to decrypt the user’s files is shown after a reboot.
Figure 11: GandCrab Process Graph highlighting the behavior after the reboot process
Figure 12: GandCrab ransom note shown after reboot
Date Released:
January 31, 2018
SHA256:
d3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411
This malware uses the CVE-2017-11882 vulnerability , which is an MS Word exploit. This exploit allows the malware authors to run their own program code instead of the original. In this scenario, a DLL is dropped in “\appdata\roaming\microsoft\windows\chaches\navshext.dll” and injected into the browser (Internet Explorer).
Figure 13: Dropped DLL file that is injected into Internet Explorer
The filename “navshext.dll” suggests that the file is a legitimate DLL from Norton Security Antivirus software. After injection, the DLL checks if its run in a debugger and creates a mutex “donotbotherme”.
Figure 14: Mutex created by the DLL
It then proceeds to create a system startup routine.
Figure 15: Startup routine created by the Lotus Blossom
Next, the malware tries to connect to its Command and Control (C2) Server. If this isn’t successful the malware will sleep forever (roughly 19 years). If it is successful it uploads information about the victim’s system and waits for commands.
Figure 16: Victim’s system information uploaded to the C2 server
All of these behavior patterns are indicators of an Information Stealer or a Trojan. Some analysts have concluded this is part of a targeted attack against ASEAN members.