This is all about malware analysis, reverse engineering and some cool stuff

Monday, 6 June 2016

Analysis of Ransomware spread by JavaScript


The sample is a JavaScript file, after execution it downloads BAT file and EXE file to run, traverse computer files and encrypts 80 kinds of extension format files including documents, pictures, media and etc. After the encryption, it ask for 0.5 BTC to decrypt the files.

The malware author embeds malicious JavaScript in any kind of input data being passed to the application that understand it, application may be PDF, SWF, etc.

This kind of JavaScript mostly injects a website and spread links through social networking, Email, etc.

JavaScript File:

MD5 : 2FABECC77B10B39FF03F221F39F50C6C
File size : 8.70 KB (8905 bytes)

The sample drops following files in Temp directory on execution:

1. Executable file : Downloaded from a network address
2. BAT file : Created by itself
3. TXT file : Created by itself
Fig1 : Workflow of JavaScript sample

Content of JS file before the de-obfuscation is as follows:

Fig2 : Obfuscated JS code

After de-obfuscation and decryption of the above code looks like as follows:

Fig3 : Deobfuscated JS script

When user executes the JS file, it downloads executable file from three network addresses orderly to the Temp directory and execute them. If downloads successfully from the first address, other two addresses will be skip.
The sample downloads an executable file from any of the below websites which are found to be malicious:


Batch File:

MD5 : 49163792F3B8C4F62018670033E9FC82
File size : 15.93 KB (16317 bytes)

The Batch file is created by JavaScript file and dropped into the Temp directory.

Fig4 : JavaScript code for creating BAT file

After the creation of batch file, it looks like: 

Fig5 : BAT file snippet

The batch file has 26 encryption loops.
Each loop is for encrypting each drive (i.e. A to Z).
It takes every file of the disk with the extension shown below; pass it to the executable file as a parameter.
It calls the executable file (_crypt.exe) for each and every file on the disk.

*.zip *.rar *.7z *.tar *.gz *.xls *.xlsx *.doc *.docx *.pdf *.rtf *.ppt
*.pptx *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als
*.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.vb *.vcproj *.vbproj
*.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.psd *.eps *.cdr *.cpt *.indd
*.dwg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw
*.sldasm *.sldprt *.u3d *.jpg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v
*.mpeg *.mpe *.wmf *.wmv *.veg *.vdi *.vmdk *.vhd *.dsk

After the encryption, it deletes the executable file (_crypt.exe) from Temp directory and starts the Text file (_readme.txt).

Text file has ransom note, it ask for 0.5 BTC to decrypt the files.

Fig7 : Ransom note

At the end, Batch file makes the run entry of above text file (_readme.txt) and deletes itself from the Temp directory.

Fig8 : Run entry of ransom note

Executable file:

MD5 : 955FC65F54FA12AFAA5199585D749E67

File size : 2.50 KB (2560 bytes)

The EXE file is downloaded by the JavaScript file and dropped at the Temp directory.
The file is only executed by command line with a single parameter.

The executable file is an encryption tool which encrypts a file coming from its parameter; Only Batch file is responsible for executing this file.

The sample reads a file, encrypt it with the following encryption logic and write the file with the same extension:

Fig9 : Encryption routine

Where, the key is directly present in a .data section of the sample, size of key is 0xFF bytes.

Fig10 : Encryption key shown in data section

Conclusion :

Ransomware mostly comes in an executable PE file with different extension. In this case, it uses JavaScript to avoid detection and prevention of antivirus software. The Trojan downloads the malicious software and executes them without user’s concern.
The sample encrypts each and every non-PE file with simple encryption.
As most of the ransomware changes the extension of a file after encryption therefore it is easy to identify the encrypted file and decrypt it. But in this case, the sample encrypts the files but does not change the extension so it is difficult to identify weather a file is encrypted or not.
In future, this kind of JavaScript ransomware might come with a different payload and a complex encryption algorithm.


Post a Comment