VMRay Malware Analysis Report Recap – January 2018

Welcome to the VMRay Malware Analysis Report Recap. Every month our Research Team provides a recap of the malware analysis reports posted to the VMRay Twitter account. This past January, our team analyzed a variant of BigEyes/Lime ransomware, GandCrab ransomware and Lotus Blossom malspam.

Click the links below to jump to a specific report:

Report Name: Malicious Word Doc Uses Multiple Sandbox Evasion Techniques

Date Released:

January 10, 2018



This malicious Word document uses several techniques to detect the presence of security tools such as Sandboxes and Anti-virus software. All of these techniques are detected by VMRay Analyzer and listed as potential threats in the VTI section of the report (Figure 1).

Techniques used to detect the presence of a Sandbox, Anti-Virus and Firewall - VMRay Malware Analysis Recap
Figure 1. Techniques used to detect the presence of a Sandbox, Anti-Virus and Firewall

In the Network Tab (Figure 2), we can see the Word document using a VBA Macro to connect to a known malicious domain and Dropbox (using bitsadmin) to download the payload.

Connection to blacklisted hosts and URLS - VMRay Malware Analysis Recap
Figure 2: Network Map shows connections to
blacklisted hosts and URLs to download the payload

The payload uses common techniques like process injection and adding an entry into the Windows startup for persistence. Both of these can be seen in the process graph (Figure 3), with persistence resulting in an automatic reboot.

Injection and Persistence - VMRay Malware Analysis Recap
Figure 3: Process Graph highlighting Injection and persistence

The malware then goes on to steal credentials from Mozilla Firefox, Google Chrome and Internet Explorer as well as system data (Figure 4).

Information Stealing - VMRay Malware Analysis Recap
Figure 4: Stealing information and credentials

Report Name: BigEyes/Lime Ransomware Drops Decryption Key to C:\microsoft\hash in Plaintext

Date Released:

January 17, 2018



BigEyes/Lime ransomware is written in .NET and directly starts to encrypt the files on the computer. To be quick it only encrypts files of the current user. This means that only files in the Documents, Pictures, Music, Videos and Desktop folders are affected.

BigEyes/Lime Ransomware encrypts files - VMRay Malware Analysis Recap
Figure 5: BigEyes/Lime Ransomware encrypts files only in certain folders

Every encrypted file gets the suffix “.lime” and the system wallpaper displays the ransom note.

BigEyes/Lime Ransom Note - VMRay Malware Analysis Recap
Figure 6: BigEyes/Lime ransom note displayed as wallpaper

The ransom note demands 100$ in Bitcoin for the decryption key. This key is needed for the program named “#Decryptor.exe” (shown in figure 7) which is dropped to the desktop and decrypts the encrypted files. However, our analysis shows that the decryption key is also dropped in “C:\microsoft\hash” in plain text. The malware authors made it relatively easy to decrypt the files without paying the ransom.

BigEyes/Lime Ransomware Decryptor - VMRay Malware Analysis Recap
Figure 7: BigEyes/Lime Ransomware decryptor
Lime Ransomware Key Dropped - VMRay Malware Analysis Recap
Figure 8: BigEyes/Lime Ransomware decryption key dropped in “C:\microsoft\hash”

Report Name: GandCrab Ransomware

Date Released:

January 26, 2018



This file exhibits typical ransomware behavior i.e. it encrypts all files on the user’s system and demands a ransom payment for the decoder key. To ensure that the user cannot restore files, it deletes all snapshots created by the Volume Shadow Copy Service.

GandCrab Ransomware Detected Threats - VMRay Malware Analysis Recap
Figure 9: GandCrab Ransomware behavior exhibited by the sample

All encrypted files have the suffix “.GDCB” as shown in the accompanying figure.

GandCrab Encrypts .GDCB - VMRay Malware Analysis Recap
Figure 10: Encrypted files with the suffix “.GDCB”

The ransom note with further instructions on how to decrypt the user’s files is shown after a reboot.

GandCrab Process Graph - VMRay Malware Analysis Recap
Figure 11: GandCrab Process Graph highlighting the behavior after the reboot process
GandCrab Ransom Note - VMRay Malware Analysis Recap
Figure 12: GandCrab ransom note shown after reboot

Report Name: Lotus Blossom Malspam

Date Released:

January 31, 2018



This malware uses the CVE-2017-11882 vulnerability, which is an MS Word exploit. This exploit allows the malware authors to run their own program code instead of the original. In this scenario, a DLL is dropped in “\appdata\roaming\microsoft\windows\chaches\navshext.dll” and injected into the browser (Internet Explorer).

Lotus Blossom Dropped DLL - VMRay Malware Analysis Recap
Figure 13: Dropped DLL file that is injected into Internet Explorer

The filename “navshext.dll” suggests that the file is a legitimate DLL from Norton Security Antivirus software. After injection, the DLL checks if its run in a debugger and creates a mutex “donotbotherme”.

Lotus Blossom Mutex Created - VMRay Malware Analysis Recap
Figure 14: Mutex created by the DLL

It then proceeds to create a system startup routine.

Lotus Blossom Startup Routine - VMRay Malware Analysis Recap
Figure 15: Startup routine created by the Lotus Blossom

Next, the malware tries to connect to its Command and Control (C2) Server. If this isn’t successful the malware will sleep forever (roughly 19 years). If it is successful it uploads information about the victim’s system and waits for commands.

Lotus Blossom User Information Uploaded - VMRay Malware Analysis Recap
Figure 16: Victim’s system information uploaded to the C2 server

All of these behavior patterns are indicators of an Information Stealer or a Trojan. Some analysts have concluded this is part of a targeted attack against ASEAN members.