![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/update.html_.png\")
<\/p>\nFor\u00a0several months, QH Labs has been observing an upswing in ransomware activity. We found a new ransomware which is written in Go lang. Malware authors are finding it easy to write ransomware in Go lang rather than traditional programming languages.<\/p>\n
Infection of Jcry ransomware starts with a compromised website.<\/p>\n
<\/p>\n
As shown in the above image, malware author tries to impersonate users by pretending to be an update of Adobe flash player and download malware on the user\u2019s machine. Fig 1. contains a part of javascript hosted on the compromised domain, which downloads a malicious file from the given URL. Whenever an impersonated user clicks on the Update button and executes a malicious file with the intention of updating the flash player, malware starts its execution.<\/p>\n Flow of Execution:<\/strong><\/p>\n Technical Analysis:<\/b><\/strong><\/p>\n Downloaded malware (flashplayer_install.exe) is Self-extracting archive. On execution, it will extract the below mentioned components in \u201cStartup\u201d directory to create its persistence.<\/p>\n Components:<\/p>\n As mentioned in the above figure malware extract components and starts msg.vbs along with enc.exe(Encryptor)<\/p>\n msg.vbs:<\/p>\n This file is used to impersonate the user that, the system tried to update adobe flash player but access is denied for the user.<\/p>\n Enc.exe (Encryptor):<\/p>\n This executable is responsible for file encryption and it is written in Go language.<\/p>\n On execution, it firstly checks for the existence of \u201cpersonalKey.txt\u201d file in the current directory, to determine that system is already infected or not. If the file exists then malware considers that the system is already infected and it terminates itself. As well as it deletes msg.vbs and Enc.exe with the help of decryptor file. During encryption, it uses the combination of AES and RSA algorithm. File encryption is performed using AES 128 bit algorithm with 16-byte initialization Vector in CBC mode. Hardcoded RSA public key is found in the enc.exe file which is later used to encrypt AES key.<\/p>\n <\/p>\n It encrypts the below listed 138 extension files.<\/p>\n \u201c3dm, 3ds, 3g2, 3gp, 7z, ai, aif, apk, app, asf, asp, avi, b, bak, bin, bmp, c, cbr, cer, cfg, cfm, cgi, cpp, crx, cs, csr, css, csv, cue, dat, db, dbf, dcr, dds, deb, dem, der, dmg, dmp, doc, dtd, dwg, dxf, eps, fla, flv, fnt, fon, gam, ged, gif, gpx, gz, h, hqx, htm, ics, iff, iso, jar, jpg, js, jsp, key, kml, kmz, log, lua, m, m3u, m4a, m4v, max, mdb, mdf, mid, mim, mov, mp3, mp4, mpa, mpg, msg, msi, nes, obj, odt, otf, pct, pdb, pdf, php, pkg, pl, png, pps, ppt, ps, psd, py, rar, rm, rom, rpm, rss, rtf, sav, sdf, sh, sln, sql, srt, svg, swf, tar, tex, tga, thm, tif, tmp, ttf, txt, uue, vb, vcd, vcf, vob, wav, wma, wmv, wpd, wps, wsf, xlr, xls, xml, yuv, zip\u201d<\/p>\n To speed up the encryption, it encrypts only 1MB data for files of size more than 1 MB. After successful file encryption it appends \u201c.jcry\u201d extension to the filename.<\/p>\n After encryption of files, it deletes all shadow copies with the help of the below command.<\/p>\n \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u201cvssadmin delete shadows \/all\u201d<\/b><\/strong><\/p>\n and launch Dec.exe using Powershell command.<\/p>\n Dec.exe:<\/p>\n On execution of Dec.exe firstly it terminates and deletes enc.exe. Dec.exe is console application which asks the decryption key (RSA private key). After entering valid key it may decrypt encrypted files.<\/p>\n It also drops ransom note on desktop location. To recover encrypted files it demands for 500$ as ransom and provides onion link (hxxp:\/\/kpx5wgcda7ezqjty.onion) where infected user will get private key after payment.<\/p>\n <\/p>\n IOCs:<\/strong><\/p>\n flashplayer_install.exe: c86c75804435efc380d7fc436e344898 Prevention tips<\/b><\/strong><\/p>\n Subject Matter Expert:<\/strong><\/p>\n Nagesh lathakar, Pratik Pachpor | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":" For\u00a0several months, QH Labs has been observing an upswing in ransomware activity. We found a new ransomware which is written in Go lang. Malware authors are finding it easy to write ransomware in Go lang rather than traditional programming languages. Infection of Jcry ransomware starts with a compromised website. As shown in the above image, […]<\/p>\n","protected":false},"author":51,"featured_media":87619,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[70,24,910],"tags":[294,77,49,50],"class_list":["post-87604","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-adobe","category-malware","category-ransomware","tag-adobe-flash-player","tag-drive-by-download","tag-malware","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87604"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/51"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87604"}],"version-history":[{"count":8,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87604\/revisions"}],"predecessor-version":[{"id":87628,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87604\/revisions\/87628"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87619"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87604"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87604"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=87604"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Fig_1_Update.html_-1.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/flow_diagram-1.png\")
<\/p>\n\n
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/extracted_comp.png\")
<\/p>\n![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Fig_2_SFX_instructions.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Fig_3_msg.vbs_.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Fig_4_Go_lang.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Fig_5_Public_key.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Fig_6_Crypto_Operation.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Fig_7_Encypted_Files.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Fig_8_powershell.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Fig_9_Dec.exe_.png\")
![\"\"](\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/04\/Fig_10_Ransom_Note.png\")
\nEnc.exe : 5B640BE895C03F0D7F4E8AB7A1D82947
\nDec.exe : 6B4ED5D3FDFEFA2A14635C177EA2C30D
\nRecovery Link: hxxp:\/\/kpx5wgcda7ezqjty.onion
\nWallet Id: 1FKWhzAeNhsZ2JQuWjWsEeryR6TqLkKFUt<\/p>\n\n