Reports in this roundup:
- Black Ruby Ransomware
- Excel File Drops Malicious Payload
- Cobalt Strike Beacon Dropped by HTML Application (HTA)
Report Name: Black Ruby Ransomware
February 6, 2018
For some malware authors, one attack type isn’t enough. Black Ruby includes a bonus cryptominer in addition to its standard ransomware capabilities. Not only does this malware encrypt the user’s files and demand a ransom, it also deploys a coin mining module to generate cryptocurrency.
Black Ruby’s capabilities are easy to identify from the function log (Figure 1).
Another observation is that Black Ruby only encrypts a machine if it is located outside Iran. The ransomware determines the location by looking up the machine’s public IP address through the freegeoip.net geolocation service.
To make matters worse, Black Ruby adds the cryptominer to the startup routine for persistence, as is indicated in the list of Threat Indicators (Figure 2).
Report Name: Excel File Drops Malicious Payload
February 13, 2018
This is a classic case of ‘VBA macro in a Microsoft Office document’. This malware sample downloads the payload via a macro script inside Excel and executes it.
The embedded VBA code can also be seen in the analysis report without the need for a separate local extraction.
In the VTI section of the analysis report, the VTI rule “Download File” reveals the malicious payload “val.exe” was downloaded and renamed to “heidi.exe” (Figure 4).
In addition, the Network tab indicates the contacted host is already blacklisted and is based in Malaysia (Figure 5).
Report Name: Cobalt Strike Beacon Dropped by HTML Application (HTA)
February 15, 2018
HTML Applications (HTA files) are not often used as a malware delivery format. In this case, the HTA file is used to download and execute a malicious payload.
February 28, 2018
Once downloaded, the malicious payload “roamingeox20.exe” is executed and is added to the startup routine.
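The three reports above share a small set of behavioural indicators: a geolocation lookup before encryption, a downloaded payload that is renamed and executed, a download from an already blacklisted host, and persistence through the startup routine. The following script, an added example that is not code from the original post or from any sandbox product, turns those indicators into a per-process correlation check. The event tuples, process ids, hostnames, IP addresses and file paths are constructed for illustration and do not represent a real sandbox log format; the file names follow the reports above.

```python
"""Correlate sandbox-style behavioural events into the threat indicators
described in the reports above.  Added example: the event format, pids,
hosts and paths are constructed, not a real sandbox log format."""
import re
from collections import defaultdict

# Constructed events: (pid, event_type, detail).  The IP address is from the
# 203.0.113.0/24 documentation range; hostnames use the reserved .example TLD.
SAMPLE_EVENTS = [
    # Black Ruby style: geolocation lookup, file encryption, miner persistence
    (4120, "net_connect", "freegeoip.net"),
    (4120, "file_write", r"C:\Users\victim\Documents\budget.xlsx.BlackRuby"),
    (4120, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\miner"),
    # Excel macro style: download val.exe, rename to heidi.exe, execute
    (5508, "net_download", "http://payload-host.example/val.exe"),
    (5508, "file_rename", "val.exe -> heidi.exe"),
    (5508, "proc_create", r"C:\Users\victim\AppData\Local\Temp\heidi.exe"),
    # HTA style: download roamingeox20.exe, execute, add to startup
    (7321, "net_download", "http://203.0.113.10/roamingeox20.exe"),
    (7321, "proc_create", r"C:\Users\victim\AppData\Roaming\roamingeox20.exe"),
    (7321, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\roaming"),
    # Benign noise that must not trigger anything
    (6001, "net_connect", "update.example"),
]

GEOIP_SERVICES = {"freegeoip.net"}            # extend with other lookup services
BLOCKLISTED_HOSTS = {"payload-host.example"}  # constructed; feed from threat intel
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
RENAME = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+)$")


def _basename(path):
    """Last component of a Windows path or URL, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def _host(url):
    """Hostname of a URL without scheme or path."""
    return re.sub(r"^\w+://", "", url).split("/", 1)[0].lower()


def correlate(events):
    """Return {pid: [indicator, ...]} for every process that triggers a rule.

    Rules are evaluated in event order per process so that a rename or
    execution can be tied back to an earlier download by the same process.
    """
    by_pid = defaultdict(list)
    for pid, kind, detail in events:
        by_pid[pid].append((kind, detail))

    findings = {}
    for pid, evs in by_pid.items():
        hits, downloaded, renamed = [], set(), {}
        for kind, detail in evs:
            if kind == "net_connect" and detail.lower() in GEOIP_SERVICES:
                hits.append("geolocation_check")
            elif kind == "net_download":
                if _host(detail) in BLOCKLISTED_HOSTS:
                    hits.append("blocklisted_host")
                downloaded.add(_basename(detail))
            elif kind == "file_rename":
                m = RENAME.match(detail)
                if m and _basename(m.group("src")) in downloaded:
                    renamed[_basename(m.group("dst"))] = _basename(m.group("src"))
            elif kind == "proc_create":
                name = _basename(detail)
                if name in renamed:
                    hits.append("renamed_download_executed")
                elif name in downloaded:
                    hits.append("download_executed")
            elif kind == "reg_set" and RUN_KEY.search(detail):
                hits.append("startup_persistence")
        if hits:
            findings[pid] = hits
    return findings


def severity(indicators):
    """Crude scoring: persistence or executing a download alone is medium;
    combined with any second indicator it is high; anything else is low."""
    strong = {"startup_persistence", "renamed_download_executed", "download_executed"}
    if strong & set(indicators):
        return "high" if len(indicators) >= 2 else "medium"
    return "low"


if __name__ == "__main__":
    for pid, hits in correlate(SAMPLE_EVENTS).items():
        print(pid, severity(hits), hits)
```

The per-process grouping is deliberate: a geolocation lookup on its own is common in legitimate software, and a Run key write on its own is common in installers, so each is only reported as an indicator and the severity is raised when a single process combines them with executing something it just downloaded, which is the pattern all three reports describe.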