Fiddling with junk mail "ransomware"

I have been receiving junk emails from the same guy. It annoys me very much.

Old version of the junk email

The old version of the junk email leads victims to open the malicious .js, resulting in downloading a .exe which exits immediately.

Full version of the obvious bullshit

Not long ago I received this "full version" junk mail:

From: State Court

Notice to Appear,

You have to appear in the Court on the March 18.

Please, prepare all the documents relating to the case and bring them to Court on the specified date.

Note: The case will be heard by the judge in your absence if you do not come.

The copy of Court Notice is attached to this email.

Yours faithfully,

William Fuller,

Court Secretary.

The email has an attachment, which is a zipped .js file, and obvious bullshit is obvious.


After some beautifying, what I got is this "obfuscated" JavaScript.

I can guarantee that my environment is secure (using Arch Linux + latest firefox-aurora with firejail). So, I fired up Firefox's scratchpad, commented out the last line e83(x79);, and appended console.log(e83, x79);.

This is what I got. e83 is the eval function, which means x79, which is the following code, will be executed:

I am able to prepend some dummy classes to further analyze the malicious code.
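The two steps above (swap the final eval call for a logger, then prepend dummy classes) can be combined into one Node.js harness. This is an added example, not the author's code: SAMPLE is a constructed, inert stand-in for the attachment, and traceDropper, recorder and fakeGlobal are hypothetical names.

```javascript
// Constructed, inert stand-in for the beautified attachment: eval is hidden
// behind string concatenation and receives a second-stage string (e83/x79).
const SAMPLE = `
var e83 = this["ev" + "al"];
var x79 = 'var fso = new ActiveXObject("Scripting.FileSystemObject");' +
  'var f = fso.CreateTextFile("notice.htm", true);' +
  'f.WriteLine("placeholder notice"); f.Close();' +
  'new ActiveXObject("WScript.Shell").Run("notice.htm", 0, false);';
e83(x79);
`;

// Runs `source` with eval, ActiveXObject and WScript replaced by recorders.
// Shadowing is NOT isolation: use it only inside a jail or throwaway VM.
function traceDropper(source) {
  const stages = [];  // every string the script handed to eval
  const actions = []; // every Windows Script Host call it attempted

  // Dummy object: any method call is logged and yields another dummy.
  const recorder = (name) => new Proxy({}, {
    get: (_target, prop) => (...args) => {
      const shown = args.map((a) => JSON.stringify(a)).join(', ');
      actions.push(`${name}.${String(prop)}(${shown})`);
      return recorder(`${name}.${String(prop)}()`);
    },
  });
  function ActiveXObject(progId) {
    actions.push(`new ActiveXObject(${JSON.stringify(progId)})`);
    return recorder(progId);
  }
  const fakeGlobal = { ActiveXObject, WScript: recorder('WScript') };

  // Parameters shadow the real globals; `this` is the fake global object.
  const run = (code) => new Function('eval', 'ActiveXObject', 'WScript', code)
    .call(fakeGlobal, fakeGlobal.eval, ActiveXObject, fakeGlobal.WScript);

  // Fake eval: keep the decoded stage, then trace it under the same stubs.
  fakeGlobal.eval = (code) => { stages.push(String(code)); run(String(code)); };

  run(source);
  return { stages, actions };
}

const report = traceDropper(SAMPLE);
console.log(report.stages.length, 'stage(s) decoded');
report.actions.forEach((a) => console.log(' ', a));
```

The stubs only cover the three names they shadow; a script that reaches other globals is not contained, which is why the jail around the browser or Node process still matters.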

Fuck shit up

I notice that 5 websites have been hacked and deployed as the ransomware's mirrors.


Whatever, let's just fuck up this ransomware. First the webpage and .js stuff, then the hardcore .exe stuff.

Action output

This is what I get when the malicious code is executed together with the dummy classes code:

Let's explain the action output using a table.

| Line | What does it do |
| --- | --- |
| 5 - 7 | Create a .htm file |
| 8 - 16 | Write ransom notice into the .htm file |
| 17 - 18 | Create a .cmd file. Commands above will be executed |
| 19 - 42 | Command: append .crypted to all "important" files' names for all Windows drive letters |
| 43 | Command: open up the ransom notice to victim |
| 45 | Command: mark territory on registry |
| 44, 46 | Command: make Windows open up the ransom notice on each boot |
| 47 - 49 | Command: move the ransom notice to desktop |
| 51 | Actual execution of all the commands above |
| From 52 | 3 different .exe files will be downloaded from mirrors, then executed immediately |

Encrypted notice

This is what the victim will see at first when they get ransomed.


All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.

Nobody can help you except us. It is useless to reinstall Windows,
use antiviruses, rename files, etc.

To unlock your files you have to make payment.

Please click one of the following links for details:

Opening one of the payment pages with an IE8 User-Agent results in this:

Decrypt page

If a non-MSIE User-Agent is used, the payment page will be blank.


On the payment page, I noticed the test decryption section. Also, step 4 of the instructions states that a decryption program is available after you pay, but it is actually downloadable at any time. The "Click here to download zip-archive" link leads the victim to download a zipped .js file.


Using the old trick again...

What the fuck? The decrypting .js and the test decryption section of the payment page only rename your .crypted files back to normal and send them back to you. Why would they do this?

The 3 exes

The exes can only be downloaded by specifying an MSIE User-Agent. For example, I used User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US) to download those files.

If a non-MSIE User-Agent is used, nothing will be downloaded.

Trimming the User-Agent to something like Mozilla/a.0(compatab Windows NT) will work too.

Analysis of the 1st .exe file downloaded

Analysis of the 2nd .exe file downloaded

The 3rd .exe file downloaded is empty.

The behavior of these 2 .exe files should be further examined and reverse-engineered.

2016-03-11 07:40 GMT+8 variant VirusTotal 1st 2nd 3rd


The malicious script's purpose should be installing a Trojan on the victim's computer, instead of ransoming the victims. Therefore, this malware should not be classified as ransomware at all, as the ransoming process should be a cover for the Trojan downloaded.

All bitcoins sent to that address should be some bonus profit for the criminal behind this.

It's unknown whether those .exe binaries will convert those .crypted files into actual encrypted files. If they do so, the decryption method will be unknown.

The Trojan installed might be stealing bank accounts or credit cards, or downloading any other kind of malware, such as an actual ransomware.

This malware can only infect Windows users with IE as the .js file handler. It's unknown how far (maximum version of Windows and IE) this malware can go.

General recommendations for...

Windows users

  • Do not open malicious or suspicious emails, especially their attachments.
  • Install Anti-Virus software.
  • Stop using Internet Explorer, use other browsers (Firefox, Chrome, Edge) instead.

Website owners

  • Use strong passwords for the admin panel, FTP user account and remote desktop account.
  • Use a firewall to hide ports that do not need to be exposed.
  • Install an intrusion detection system (IDS).
  • Look for website vulnerabilities such as SQL Injection, XSS and CSRF.
  • Perform regular system updates and CMS updates.
  • Be aware of Common Vulnerabilities and Exposures (CVE).


Last modified: 2016-03-22 14:39:53