I have been receiving junk emails from the same guy. It annoys me very much.

## Old version of the junk email

The old version of the junk email leads victims to open the malicious `.js`, resulting in downloading a [`.exe` which exits immediately.](https://www.virustotal.com/en/file/fb1c1ae20d77ccc4d1e08eaefa6948d6e84f529c82be4bf89d9006d20cac4235/analysis/1454502178/)

## Full version of the obvious bullshit

Not long ago I received this "full version" junk mail:

> From: State Court <william.fuller@myhallmarkhome.com>
> Notice to Appear,
> You have to appear in the Court on the March 18.
> Please, prepare all the documents relating to the case and bring them to Court on the specified date.
> Note: The case will be heard by the judge in your absence if you do not come.
> The copy of Court Notice is attached to this email.
> Yours faithfully,
> William Fuller,
> Court Secretary.

The email has an attachment, which is a zipped `.js` file, and **obvious bullshit is obvious**.

## Preparing

After some beautifying, what I got is [this "obfuscated" javascript](https://gist.github.com/Saren-Arterius/53c0e5e0cceacd3fb317). I can guarantee that my environment is secure (using Arch Linux + the latest `firefox-aurora` with `firejail`). So I fired up Firefox's scratchpad, commented out the last line `e83(x79);`, and appended `console.log(e83, x79);`. This is what I got: `e83` is the `eval` function, which means `x79`, the following code, will be executed:

<script src="https://gist.github.com/Saren-Arterius/e890767439da75f3bc14.js"></script>

I was able to prepend some dummy classes to further analyze the malicious code:

<script src="https://gist.github.com/Saren-Arterius/6747a2934892bbf0d4af.js"></script>

## Fuck shit up

I noticed that 5 websites have been hacked and deployed as the ransomware's mirrors:

- ollaerika.com
- newcook.com.es
- americanleaguebetting.com
- chefgourmet4000.com
- ollagm.com.es

Whatever, let's just **fuck** up this ransomware.
First the webpage and `.js` stuff, then the hardcore `.exe` stuff.

### Action output

This is what I get when the malicious code is executed together with the dummy classes code:

<script src="https://gist.github.com/Saren-Arterius/90edca0f40367c786706.js"></script>

Let's explain the action output using a table.

<table class="highlight">
<thead><tr><th>Line</th><th>What does it do</th></tr></thead>
<tbody>
<tr><td>5 - 7</td><td>Create a .htm file</td></tr>
<tr><td>8 - 16</td><td>Write the ransom notice into the .htm file</td></tr>
<tr><td>17 - 18</td><td>Create a .cmd file; the commands below are written into it</td></tr>
<tr><td>19 - 42</td><td>Command: append `.crypted` to all "important" files' names on all Windows drive letters</td></tr>
<tr><td>43</td><td>Command: open the ransom notice for the victim</td></tr>
<tr><td>45</td><td>Command: mark territory in the registry</td></tr>
<tr><td>44, 46</td><td>Command: make Windows open the ransom notice on each boot</td></tr>
<tr><td>47 - 49</td><td>Command: move the ransom notice to the desktop</td></tr>
<tr><td>51</td><td>Actual execution of all the commands above</td></tr>
<tr><td>From 52</td><td>3 different .exe files will be downloaded from the mirrors, then executed immediately</td></tr>
</tbody>
</table>

### Encrypted notice

This is what the victim sees first when they get ransomed.

> <h1>Attention!</h1><p>All your documents, photos, databases and other important personal files<br> were encrypted using strong RSA-1024 algorithm with a unique key.</p><p>Nobody can help you except us. It is useless to reinstall Windows,<br> use antiviruses, rename files, etc.</p><p>To unlock your files you have to make payment.</p><p>Please click one of the following links for details:</p>
> <a href="http://ollaerika.com/counter/?id=555D535E170516010A241310050F0B4A0A01105E275E091D0C0508080905160F0C0B09014A070B095E17525E55505153515C5C52555C5E55&p=457587">http://ollaerika.com/payment/</a>
> <a href="http://newcook.com.es/counter/?id=555D535E170516010A241310050F0B4A0A01105E275E091D0C0508080905160F0C0B09014A070B095E17525E55505153515C5C52555C5E55&p=457587">http://newcook.com.es/payment/</a>
> <a href="http://americanleaguebetting.com/counter/?id=555D535E170516010A241310050F0B4A0A01105E275E091D0C0508080905160F0C0B09014A070B095E17525E55505153515C5C52555C5E55&p=457587">http://americanleaguebetting.com/payment/</a>
> <a href="http://chefgourmet4000.com/counter/?id=555D535E170516010A241310050F0B4A0A01105E275E091D0C0508080905160F0C0B09014A070B095E17525E55505153515C5C52555C5E55&p=457587">http://chefgourmet4000.com/payment/</a>
> <a href="http://ollagm.com.es/counter/?id=555D535E170516010A241310050F0B4A0A01105E275E091D0C0508080905160F0C0B09014A070B095E17525E55505153515C5C52555C5E55&p=457587">http://ollagm.com.es/payment/</a>

Opening one of the payment pages with an **IE8 User-Agent** results in this:

![Decrypt page](https://drop.wtako.net/file/b1780ecf1e24d9762257bde0bf1456dbd6ba1fbc.png)

If a non-MSIE User-Agent is used, the payment page is blank.

### Decryption?

On the payment page, I noticed the test decryption section. Also, step 4 of the instructions states that a decryption program is available after you have paid, which is actually **downloadable at any time**.
The [`Click here to download zip-archive`](http://ollaerika.com/counter/?download=1&p=1&id=555D535E170516010A241310050F0B4A0A01105E275E091D0C0508080905160F0C0B09014A070B095E17525E55505153515C5C52555C5E55) link leads the victim to download a zipped [`.js` file](https://gist.github.com/Saren-Arterius/51c9609df09907b20472). Deobfuscated...

<script src="https://gist.github.com/Saren-Arterius/24606e6d585865c015f9.js"></script>

Using the old trick again...

<script src="https://gist.github.com/Saren-Arterius/78ebf229958005bd51fe.js"></script>

**What the fuck?** The decrypting `.js` and the test decryption section of the payment page only **rename** your `.crypted` files back to their normal names and send them back to you. Why would they do this?

### The 3 exes

The exes can only be downloaded when an MSIE User-Agent is specified; for example, I used `User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US)` to download those files. If a non-MSIE User-Agent is used, nothing is downloaded. Trimming the User-Agent to something like `Mozilla/a.0(compatab Windows NT)` works too.

Analysis of the 1st `.exe` file downloaded:

- [VirusTotal](https://www.virustotal.com/en/file/a5a7bfdd27f1068650818ee4c0bfa29d211889fa5e3bc0947dfe5d8ae221f4b1/analysis/)
- [Anubis](https://anubis.iseclab.org/?action=result&task_id=170669c8fed481ba4cd32a88d8d0bae99)

Analysis of the 2nd `.exe` file downloaded:

- [VirusTotal](https://www.virustotal.com/en/file/7e40690bbdfc3211fd1b6066cf21caf25aa0dac5181b7b832177ba5d6ec05987/analysis/)
- [Anubis](https://anubis.iseclab.org/?action=result&task_id=1a5fe24d01d82b0d465fa2ade0b0bf9d2&call=first)

The 3rd `.exe` file download is empty. The behavior of these 2 `.exe` files should be further examined and reverse-engineered.
> 2016-03-11 07:40 GMT+8 variant VirusTotal
> [1st](https://www.virustotal.com/en/file/2a668711da82947f3fa4a145015e0a042c6c4180fc7bc45beb6c675bbaccbc34/analysis/1457673245/) [2nd](https://www.virustotal.com/en/file/4fe0173f95d7217f390ca624ff614433e7980e87809a41428a23c730ef26ddd9/analysis/) [3rd](https://www.virustotal.com/en/file/daf4d96a121c9e4935082d4e0264088ff352f14d868f8720d8fa7e4f99c82f05/analysis/)

# Conclusion

The malicious script's purpose should be installing a **Trojan** on the victim's computer, rather than ransoming the victim. Therefore, this malware should not be classified as ransomware at all, as the ransoming process should be **a cover** for the Trojan downloaded. All bitcoins sent to that address would be **bonus** profit for the criminal behind this.

It's unknown whether those `.exe` binaries will convert those `.crypted` files into actually encrypted files. If they do so, the decryption method is unknown. The Trojan installed might be **stealing** bank accounts or credit cards, or downloading any other kind of malware, such as an **actual ransomware**.

This malware can only infect Windows users, where a double-clicked `.js` attachment is run by Windows Script Host (the default handler), and its mirrors only serve their payloads to requests carrying an MSIE User-Agent. It's unknown how far (maximum version of Windows and IE) this malware can go.

# General recommendations for...

### Windows users

- Do not open malicious or suspicious emails, especially their attachments.
- Install anti-virus software.
- Stop using Internet Explorer; use other browsers (Firefox, Chrome, Edge) instead.

### Website owners

- Use strong passwords for the admin panel, FTP user account and remote desktop account.
- Use a firewall to hide ports that do not need to be exposed.
- Install an intrusion detection system (IDS).
- Look for website vulnerabilities such as SQL injection, XSS and CSRF.
- Perform regular system updates and CMS updates.
- Be aware of Common Vulnerabilities and Exposures (CVE).