I have been receiving junk emails from the same guy. It annoys me very much.
Old version of the junk email
The old version of the junk email leads victims to open the malicious .js, resulting in downloading a .exe which exits immediately.
Full version of the obvious bullshit
Not long ago I received this "full version" junk mail:
From: State Court william.fuller@myhallmarkhome.com
Notice to Appear,
You have to appear in the Court on the March 18.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case will be heard by the judge in your absence if you do not come.
The copy of Court Notice is attached to this email.
Yours faithfully,
William Fuller,
Court Secretary.
The email has an attachment, which is a zipped .js file, and obvious bullshit is obvious.
Preparing
After a quick beautify, what I got is this "obfuscated" JavaScript.
I can guarantee that my environment is secure (using Arch Linux + latest firefox-aurora with firejail). So, I fired up Firefox's scratchpad, commented out the last line `e83(x79);`, and appended `console.log(e83, x79);`.
This is what I got. `e83` is the `eval` function, which means `x79`, which is the following code, will be executed:
I was able to prepend some dummy classes to further analyze the malicious code.
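The scratchpad trick above (shadowing the `eval` alias, then prepending dummy classes) can be turned into a small reusable harness. The following is an added example, not code from the original post: it runs a dropper-style script in Node with `eval`, `ActiveXObject` and `WScript` shadowed by function parameters, so every decoded stage is recorded and every COM call (the things the dummy classes stand in for) is logged instead of executed. The sample script, the `e83`/`x79` names and the stub APIs are constructed for illustration.

```javascript
// Added example (not from the original post): record-instead-of-execute harness
// for JScript droppers whose second stage is reached through an alias of eval.

function analyze(script, maxDepth = 5) {
  const record = { stages: [], activeX: [] };

  // Stub for ActiveXObject: every method call on the returned object is logged
  // and returns the same stub, so chains like fso.CreateTextFile(...).Write(...)
  // work without touching the file system.
  function FakeActiveX(progId) {
    record.activeX.push({ progId, method: 'new', args: [] });
    const stub = new Proxy({}, {
      get(_target, prop) {
        if (typeof prop === 'symbol') return undefined;
        if (prop === 'toString' || prop === 'valueOf') return () => `<${progId}>`;
        return (...args) => {
          record.activeX.push({ progId, method: String(prop), args: args.map(String) });
          return stub;
        };
      },
    });
    return stub;
  }

  // Run one stage with the globals shadowed by parameters (sloppy-mode code may
  // name a parameter `eval`). The recording eval pushes the decoded stage and
  // then analyzes it recursively, bounded by maxDepth to stop eval loops.
  function runStage(code, depth) {
    if (depth > maxDepth) throw new Error('too many nested eval stages');
    const fakeEval = (next) => {
      record.stages.push(String(next));
      runStage(String(next), depth + 1);
    };
    const fakeWScript = { Quit() {}, Sleep() {}, ScriptFullName: 'sample.js' };
    const stage = new Function('eval', 'ActiveXObject', 'WScript', code);
    stage(fakeEval, FakeActiveX, fakeWScript);
  }

  runStage(script, 0);
  return record;
}

// Constructed sample in the dropper's style: the second stage is hidden as a
// char-code list and reached through an alias of eval (e83/x79 as in the post).
// The stage only writes a notice file and opens it; all calls hit the stubs.
const SECOND_STAGE =
  'var fso = new ActiveXObject("Scripting.FileSystemObject");' +
  'var f = fso.CreateTextFile("notice.htm", true);' +
  'f.Write("<h1>Attention!</h1>");' +
  'f.Close();' +
  'new ActiveXObject("WScript.Shell").Run("notice.htm");';

function buildSample(stage) {
  const codes = Array.from(stage, (ch) => ch.charCodeAt(0)).join(',');
  return 'var e83 = eval; var x79 = String.fromCharCode(' + codes + '); e83(x79);';
}

const SAMPLE_SCRIPT = buildSample(SECOND_STAGE);

const DEMO = analyze(SAMPLE_SCRIPT);
console.log('decoded stage:', DEMO.stages[0]);
console.table(DEMO.activeX);
```

The harness only covers stages that are reached through `eval` and the three globals it shadows; a real sample that uses `Function(...)`, `setTimeout` with a string, or other COM entry points would need those stubbed too, which is exactly what the "dummy classes" step is for.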
Fuck shit up
I noticed that 5 hacked websites are deployed as the ransomware's mirrors:
- ollaerika.com
- newcook.com.es
- americanleaguebetting.com
- chefgourmet4000.com
- ollagm.com.es
Whatever, let's just fuck up this ransomware. First the webpage and .js stuff, then the hardcore .exe stuff.
Action output
This is what I get when the malicious code is executed with the dummy classes code altogether:
Let's explain the action output using a table.
| Line | What it does |
|---|---|
| 5 - 7 | Create a .htm file |
| 8 - 16 | Write the ransom notice into the .htm file |
| 17 - 18 | Create a .cmd file; the commands below are written into it |
| 19 - 42 | Command: append .crypted to the names of all "important" files on all Windows drive letters |
| 43 | Command: open the ransom notice for the victim |
| 45 | Command: mark territory in the registry |
| 44, 46 | Command: make Windows open the ransom notice on each boot |
| 47 - 49 | Command: move the ransom notice to the desktop |
| 51 | Actual execution of all the commands above |
| From 52 | 3 different .exe files are downloaded from the mirrors, then executed immediately |
Encrypted notice
This is what the victim sees first when they get ransomed.
Attention!
All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key. Nobody can help you except us. It is useless to reinstall Windows,
use antiviruses, rename files, etc. To unlock your files you have to make payment.
Please click one of the following links for details:
Opening one of the payment pages with an IE8 User-Agent results in this:
If any other, non-MSIE User-Agent is used, the payment page is blank.
Decryption?
On the payment page, I noticed the test decryption section. Also, step 4 of the instructions states that a decryption program is available after you pay, but it is actually downloadable at any time. The "Click here to download zip-archive" link leads the victim to download a zipped .js file.
Deobfuscated...
Using the old trick again...
What the fuck? The decrypting .js and the test decryption section of the payment page only rename your .crypted files back to normal and send them back to you. Why would they do this?
The 3 exes
The exes can only be downloaded by specifying an MSIE User-Agent; for example, I used `User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US)` to download those files.
If any other, non-MSIE User-Agent is used, nothing is downloaded.
Trimming the User-Agent to something like `Mozilla/a.0(compatab Windows NT)` works too.
Analysis of the 1st .exe file downloaded
Analysis of the 2nd .exe file downloaded
The 3rd .exe file download is empty.
The behavior of these 2 .exe files should be further examined and reverse-engineered.
Conclusion
The malicious script's purpose should be installing a Trojan on the victim's computer, rather than ransoming the victims. Therefore, this malware should not be classified as ransomware at all, as the ransoming process is a cover for the downloaded Trojan.
All bitcoins sent to that address are just bonus profit for the criminal behind this.
It's unknown whether those .exe binaries will convert those .crypted files into actually encrypted files. If they do, the decryption method is unknown.
The installed Trojan might be stealing bank accounts or credit cards, or downloading other kinds of malware, such as an actual ransomware.
This malware can only infect Windows users with IE as the .js file handler. It's unknown how far (maximum version of Windows and IE) this malware can go.
General recommendations for...
Windows users
- Do not open malicious or suspicious emails, especially their attachments.
- Install Anti-Virus software.
- Stop using Internet Explorer, use other browsers (Firefox, Chrome, Edge) instead.
Website owners
- Use strong passwords for the admin panel, FTP user account and remote desktop account.
- Use a firewall to hide ports that do not need to be exposed.
- Install an Intrusion Detection System (IDS).
- Look for website vulnerabilities such as SQL Injection, XSS and CSRF.
- Perform regular system updates and CMS updates.
- Be aware of Common Vulnerabilities and Exposures (CVE).