Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
Summary
Description
Three artifacts were submitted for analysis.
For a downloadable copy of IOCs, see:
MAR-10164494.r1.v1.stix
Submitted Files (3)
738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86 (mswinupdate.exe)
9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12 (ClassLibrary1.dll)
bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58 (g04inst.bat)
Findings
9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12
Tags
downloaderransomwaretrojan
Details
| Name |
ClassLibrary1.dll |
| Size |
5120 bytes |
| Type |
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 |
76bd79f774ae892fd6a30b6463050a91 |
| SHA1 |
4d7a60bd1fb3677a553f26d95430c107c8485129 |
| SHA256 |
9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12 |
| SHA512 |
67e0046db0b565a1ac1862bbd536016c3ea984f8fceadaa31b4c99e7a8b434b170d5badbb10c2c25e264b17bbf2f97576f252e7ef74279b3b845b1553cef9829 |
| ssdeep |
48:6DhamfhRd4tvDo4Xbgj/aarU3LT88VMM8UX8i02+KfANbU7gjBRd1trWO8lGO+3L:m+5DoAbgfU88Spi0oANbsgjMPYp3XII |
| Entropy |
4.004964 |
Antivirus
| Ahnlab |
Trojan/Win32.Black |
| Antiy |
Trojan/Win32.AGeneric |
| BitDefender |
Trojan.GenericKD.30369417 |
| ClamAV |
Win.Trojan.Agent-6538241-0 |
| Cyren |
W32/Trojan.URRI-3517 |
| ESET |
a variant of MSIL/Runner.N trojan |
| Emsisoft |
Trojan.GenericKD.30369417 (B) |
| Ikarus |
Ransom.MSIL.Samas |
| K7 |
Riskware ( 0040eff71 ) |
| McAfee |
Ransomware-GJY!76BD79F774AE |
| Microsoft Security Essentials |
Ransom:MSIL/Samas.D |
| NANOAV |
Trojan.Win32.Runner.ffvfbl |
| Sophos |
Troj/Samas-F |
| Symantec |
Trojan.Gen.2 |
| Systweak |
trojan.downloader |
| TrendMicro |
TROJ_STUBDCRYP.A |
| TrendMicro House Call |
TROJ_STUBDCRYP.A |
Yara Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
| Compile Date |
2018-01-28 06:09:15-05:00 |
| Import Hash |
dae02f32a21e03ce65412f6e56942daa |
| File Description |
ClassLibrary1 |
| Internal Name |
ClassLibrary1.dll |
| Legal Copyright |
Copyright © 2018 |
| Original Filename |
ClassLibrary1.dll |
| Product Name |
ClassLibrary1 |
| Product Version |
1.0.0.0 |
PE Sections
| MD5 |
Name |
Raw Size |
Entropy |
| 34943f18fd2a99cc3f5cabe43b4765f8 |
header |
512 |
2.547920 |
| 06219fe6e30e15dce12688ca2b434890 |
.text |
3072 |
4.856670 |
| 11b58fc9ac45168b871cc50399b7c86c |
.rsrc |
1024 |
2.888335 |
| ec45a535f38fb6dc4ac4ed7cbf63b754 |
.reloc |
512 |
0.081539 |
Description
This file is a .NET Class Library module designed to decrypt the encrypted data file with a ".stubbin” extension using a Rijndael encryption algorithm.
Displayed below is the encryption key and the initialization vector used for decryption.
--Begin encryption information--
rijndael.Key = hdfgkhioiugyfyghdseertdfygu
rijndael.IV = ghtrfdfdewsdfgtyhgjgghfdg
--End encryption information--
738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86
Tags
ransomwaretrojan
Details
| Name |
mswinupdate.exe |
| Size |
6144 bytes |
| Type |
PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 |
b96620d8a08fa436ea22ef480dd883ce |
| SHA1 |
a1ab74d2f06a542e77ea2c6d641aae4ed163a2da |
| SHA256 |
738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86 |
| SHA512 |
2a9f4ebb025c8e7b4e074d301477656ffad66318da5ea35ddc8363c17f4bdbf501778539133261adbb9f441066a1e2b79240306ad1877f5ef17009c8f05ff4a6 |
| ssdeep |
48:6ZMMEikGAgS7zfMFmZUX7OLbqMMou6ZVqsPIUlf41cjGPRMfNFrbvZiJY527qnfF:/ikGAgS7b0807M+And6c6mBiJYPezNt |
| Entropy |
4.238961 |
Antivirus
| Ahnlab |
Trojan/Win32.Samas |
| Antiy |
Trojan[Ransom]/MSIL.Samas |
| Avira |
TR/Samas.qybuh |
| BitDefender |
Trojan.GenericKD.30367991 |
| Cyren |
W32/Trojan.VYAP-2611 |
| ESET |
a variant of MSIL/Runner.N trojan |
| Emsisoft |
Trojan.GenericKD.30367991 (B) |
| Ikarus |
Ransom.MSIL.Samas |
| K7 |
Riskware ( 0040eff71 ) |
| McAfee |
Ransomware-GJX!B96620D8A08F |
| Microsoft Security Essentials |
Ransom:MSIL/Samas |
| NANOAV |
Trojan.Win32.Generic.eymsce |
| NetGate |
Malware.Generic |
| Sophos |
Mal/Kryptik-BV |
| Symantec |
Trojan.Gen.2 |
| Systweak |
malware.shuriken |
| TrendMicro |
TROJ_RUNNER.GBB |
| TrendMicro House Call |
TROJ_RUNNER.GBB |
| Zillya! |
Trojan.Samas.Win32.32 |
Yara Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
| Compile Date |
2018-01-28 06:09:17-05:00 |
| Import Hash |
f34d5f2d4577ed6d9ceec516c1f5a744 |
| Company Name |
oiauoyqtfhqiwur578q26trgqiwue ffh iufiuqwytf 78wt8 |
| File Description |
dkhjkasyfafa udfiu asd fuiysfd fiusdfh oiafiuay |
| Internal Name |
rock2.exe |
| Legal Copyright |
iusy ergy8wej udg uy |
| Original Filename |
rock2.exe |
| Product Name |
98y4798t qiy er998ergg iuery 8 o8uieyfui qewhfiuoyafibuwy ey7fq iuyi |
| Product Version |
76.7.99.12 |
PE Sections
| MD5 |
Name |
Raw Size |
Entropy |
| 7f1dc4bd716bc037dea251c4dff12cdd |
header |
512 |
2.538579 |
| c8076584486a2745281e4945da9b8b13 |
.text |
3072 |
4.946272 |
| 1efe88aa4756d059ec1d3b49e342de5d |
.rsrc |
2048 |
3.917395 |
| 7048daac38c935b38e086adcd8035d2a |
.reloc |
512 |
0.081539 |
Packers/Compilers/Cryptors
| Microsoft Visual C# v7.0 / Basic .NET |
Description
This file is a PE32 .NET executable designed to search and load an encrypted data file with a ".stubbin" extension onto the victim's system. If the file exists, it will utilize the Rijndael algorithm in the Class Library file (ClassLibrary1.dll) to decrypt the data file. After decryption, the file deletes the encrypted data file. The encrypted file with a ".stubbin" extension was not available for analysis.
bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58
Tags
ransomwaretrojan
Details
| Name |
g04inst.bat |
| Size |
276 bytes |
| Type |
ASCII text, with CRLF line terminators |
| MD5 |
02c19bbf8e19bb69fc7870ec872d355e |
| SHA1 |
cc76586ef94122329e825c78aad2ecb9ac064343 |
| SHA256 |
bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58 |
| SHA512 |
283681b5b8e78440bf474c8e50504e6e82f25bd3f6240d5e70600e43fc9fd609a78ee7b837c9b68aa25ed13f2ee735f360a18e614ded15e11bb62043cd028c99 |
| ssdeep |
6:JF1ZzA+QragXsoNLYjClAVyXHI+CIwZALICLA9XEUXR/JgW:L1J4aSJF+dyXo+Bb0LEUhyW |
| Entropy |
4.962735 |
Antivirus
| McAfee |
BAT/Starter.h |
| Microsoft Security Essentials |
Ransom:BAT/Samas |
| Sophos |
Troj/RansRun-A |
| Symantec |
Trojan.Malscript |
Yara Rules
No matches found.
ssdeep Matches
No matches found.
Description
This file is a batch file designed to execute mswinupdate.exe with predefined arguments. Displayed below are the arguments:
--Begin arguments--
Format: %myrunner% %password% %path% %totalprice% %priceperhost%
Sample: mswinupdate.exe <password> juxtapositional 5 0.8
--End arguments--
Recommendations
NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate ACLs.
Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.
Contact Information
NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the NCCIC at 1-888-282-0870 or soc@us-cert.gov.
Can I submit malware to NCCIC? Malware samples can be submitted via three methods:
NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.
|
