![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture1-1.png\")
Even though we did not get hold of the initial attack vector, we were able to trace the attack chain from the malicious URL used here.<\/p>\n
URL: 92.63.197.112\/t[.]exe<\/i><\/em><\/p>\n The ‘t.exe’ file is PE32 executable\u00a0for MS Windows and compiled in Microsoft Visual C++. It seems to be a custom packed file. It contains an interesting resource section of a large size. It seems to be encrypted and contains data of high entropy. Resource name is ransom which is unusual.<\/p>\n After doing the analysis, we found that the malware reads one of the resources and then decrypts it with XOR operation. Key which is present in AL register is calculated in function ‘call_407B5C’ present just before the XOR operation. Initial value of key is read from the file and then various operations are performed to get a final value in AL register.<\/p>\n The malware decrypts some code and one compressed PE file as shown in Fig 4. After decryption, the control goes to the decrypted code which decompressed PE file in memory and after that malware overwrites the parent process memory with the decompressed file and finally executes it. This decompressed file is the main malware file which performs further activity.<\/p>\n The malware file contains hardcoded\u00a0process names. It calls ‘process32First’ and ‘process32next’ to enumerate various processes and compares 16 process names for identifying the presence of VMware and Virtual box and its related components. It also checks for the sandbox by checking the presence of library name \u201csbiedll.dll\u201d. These are the typical anti-VM and anti-sandbox techniques implemented in this malware.<\/p>\n After identifying the existence of a virtual environment, the malware stop its malicious behavior and calls the ‘ExitProcess’ function and stops current running process.<\/p>\n It creates mutex by the name \u201c.__-TLDR-__<\/b><\/strong>.\u201d\u00a0 so that only one of its copies runs at any one time. It also creates its copy in %appdata% by random number name and in Windows folder by the following name <C:\\WINDOWS\\T-5682806352635035603\\winsvc.exe<\/b><\/strong>> and\u00a0deletes the original copy. It also sets file attributes to 7 which indicates file as hidden, read-only and file has system attributes.<\/p>\n The Trojan also creates an entry of its file in the following registry so that it runs every time Windows starts:<\/p>\n \u201cHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/b><\/strong>\\\u201d<\/p>\n Entry present after malware infection looks like:<\/p>\n It also creates the following registry entries to disable Windows Firewall.<\/p>\n The Trojan remains persistent in the memory & tries to send a request to many CNC servers. It has many random domain names as shown in Fig 9. By connecting to these CNC domains, it tries to download further malicious components.<\/p>\n It connects to available CNC servers over HTTP protocol to download multiple files. It downloads JavaScript, PE files, some text file.<\/p>\n While analyzing the downloaded files, we have observed that one of the file it downloaded is JavaScript file\u00a0‘go.js’.<\/b><\/strong>\u00a0Which is obfuscated and content is display in Fig 11. When executed the \u2018.js\u2019 file downloads and execute the malware “new.exe”.<\/p>\n De-obfuscating code of JavaScript has a Powershell one-liner code to download and execute a file new.exe in temp folder.<\/p>\n List of Files downloaded by the malware:<\/p>\n New.exe is gandcrab ransomware, it is executed through js script and it finds the IP address of the machine by making request to\u00a0ipv4bot.<\/b><\/strong>whatismyipaddress.com<\/b><\/strong>\u00a0host. The public IP is received as a response. It loops again and again attempting to succeed. If it never receives public IP, it will never encrypt any file.<\/p>\n The ‘new.exe’ also uses nslookup to resolve the IP addresses. The hardcoded C&C servers to which the malware performs nslookup are,<\/p>\n nslookup ransomware.bit wowservers[.]ru The initial trojan ‘t.exe’, also downloads a text file contain mailing list of recipients,\u00a0it may send messages out for spreading infection.\u00a0Below are some examples of the email ids found in text file.<\/p>\n leiladonovan@verizon.net In addition, another downloaded file ‘m.exe’ of which running copy with name ‘wuapp.exe’ connects to monerohash.com\u00a0( Monero coin miner -XMRig) over TCP port 3333 (a non-standard port) for doing mining activity. Generally, use of non-standard ports is observed in order to evade network security software such as IDS\/IPS.<\/p>\n Conclusion<\/b><\/strong><\/p>\n Ransom-miner malware campaign represents an emerging threat which is able to download various payloads like ransomware, miner and other Trojans all together and adding new elements for infection. We advise our users to avoid accessing suspicious websites\/emails and keep their antivirus up-to-date to prevent their systems from being infected by such complex malwares. Quick Heal, with its advanced detection technology mechanism, has been consistently monitoring & blocking these complex malware and malicious sites.<\/p>\n IOC:<\/b><\/strong><\/p>\n 01c4ce531727fe6e447e217c9404c0c1<\/p>\n Subject Matter Expert<\/b><\/strong><\/p>\n Preksha Saxena | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":" Since the past few weeks, Quick Heal Security Labs has been observing a series of interesting malware blocked at our customer end. The further analysis of the malware ‘t.exe’ revealed that the malware seems to be Trojan dropper. Interestingly, this multipurpose malware is downloading a ransomware component, a crypto-mining malware and many more. It also […]<\/p>\n","protected":false},"author":45,"featured_media":86500,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24],"tags":[49,1534,50,40],"class_list":["post-86470","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","tag-malware","tag-miner","tag-ransomware","tag-trojan"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86470"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/45"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=86470"}],"version-history":[{"count":6,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86470\/revisions"}],"predecessor-version":[{"id":86498,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86470\/revisions\/86498"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/86500"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=86470"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=86470"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=86470"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture2-1.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture3-1.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture4.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture5.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture6.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture7.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture8.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture9.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture10.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture11.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture12.png\")
\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture13.png\")
\nnslookup carder.bit ns1.wowservers[.]ru<\/p>\n
\naromero2086@sbcglobal.net
\ngbhaiiknpd@flamail.com
\ngenesplace4ever@yahoo.com
\nsunflower_file@yahoo.com
\njsanders300@yahoo.com
\nmft@btinternet.com
\nbinoykphilip@yahoo.com
\nnicholascpa@yahoo.com
\njpica@graco.com
\nbarath_safety@yahoo.com
\ntjedrzej@yahoo.com
\nlisamsimms43@yahoo.com
\nkat@artcloth.com
\nbish4533@bellsouth.net
\ndaisygirl0224@yahoo.com
\nmarkfasano@email.com
\nwhitethickgurl2@myspace.com (etc…)<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture14.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/07\/Picture15.png\")