
VMRay Malware Analysis Report Recap – November ’17

Welcome to the VMRay Malware Analysis Report Recap. Every month our Research Team provides a recap of the malware analysis reports posted to the VMRay Twitter account. This past November, our team analyzed a malicious JavaScript file, the Ordinypt wiper, and a variant of the XZZX Cryptomix ransomware.

Report Name: Malicious Javascript from MYOB Email Attack

Date Released: November 7, 2017

SHA256: 24139566e338de0e3c54fba4668eab701caa9ee7c8853b2ab2e2746277c57857

Malware written in JavaScript is usually a ‘dropper’ that only downloads and runs the actual malicious executable. Looking at the VTI section of the report, the file used in the MYOB Email attack does exactly that (Figure 1).

Typical Dropper - VMRay Malware Analysis Recap
Figure 1: Typical ‘Dropper’ behavior displayed by malicious JavaScript file

More interestingly, the downloaded executable uses an evasion technique, checking to see if it’s running in a virtual machine. VMRay Analyzer is designed to deal with evasive malware and makes sure that these detection attempts are dealt with appropriately.

The malicious executable then injects code into the process “c:\windows\syswow64\dllhost.exe” with the goal of hiding its tracks (Figure 2).

Evasion JavaScript File - VMRay Malware Analysis Recap
Figure 2: Evasive behavior and code injection associated with malicious JavaScript file

Report Name: Ordinypt Wiper

Date Released: November 10, 2017

SHA256: 085256b114079911b64f5826165f85a28a2a4ddc2ce0d935fa8545651ce5ab09

Sometimes malware authors just want to watch the world burn. In this analysis, the Ordinypt Wiper acts like it encrypts user files but instead just deletes them.

As Figure 3 shows, this file triggers VTI Rules for user file deletion as well as file creation. This behavior is in many ways similar to ransomware.

Figure 3: VTI rules for user file deletion and file creation triggered by the Ordinypt Wiper (image)

The “Behavior Information – Sequential View” (Figure 4), shows more of the file’s behavior. We can observe that files are deleted but never read – without reading a file it is obviously not possible to encrypt it.

However, the file tries to hide this fact by creating a new file with a random name for each deleted file. These actions are repeated for every user file. We can also see that the file simply deletes the file “Wo_sind_meine_dateien.html” (German for “where are my files”) and writes it again each time.

File Deletion Ordinypt Wiper - Malware Analysis Recap
Figure 4: Behavior Section of the report showing file deletion

Report Name: XZZX Cryptomix Ransomware Variant

Date Released: November 14, 2017

SHA256: 33a60a16e50b8df2a731023951475ff0f973fc66334d2cfa6ce30aa36bb36414

This variant of XZZX Cryptomix ransomware only starts encrypting files after a restart.

XZZX Cryptomix Ransom Note - VMRay Malware Analysis Recap
Figure 5: Ransomware note created by the XZZX Cryptomix Ransomware variant

On initial infection this file simply hides its presence using various methods: changing folder appearances, using an alternate data stream and turning off essential Windows security services.

To stay in control after a reboot, the file adds an entry to the Windows startup registry.

Sandbox Evasion XZZX Cryptomix - VMRay Malware Analysis Recap
Figure 6: Evasive behavior, critical system service disablement and persistence shown by XZZX Cryptomix Ransomware variant

After a reboot, the sample starts to encrypt user files. We can see this behavior in the process graph (Figure 7). Initially, only cmd.exe processes are created to hide the sample’s tracks, followed by a reboot where the actual encryption takes place. We can also see the process then spawns “notepad.exe” to provide the message shown in Figure 5.

Process Graph XZZX Cryptomix - VMRay Malware Analysis Recap
Figure 7: Process graph of the XZZX Cryptomix Ransomware variant

Report Name: Malicious Microsoft Word Document

Date Released: November 28, 2017

SHA256: 607aa428401fe8e6d66583cdfc43a7879b1173c0d116a1e53ebd4e044511bfd1

Documents are often used as the first stage of a malware infection. Most of these documents simply use embedded macros for further infection. However, since macros are usually not executed by default, the malware needs to trick the user into enabling them:

Word Doc Execute Macros - VMRay Malware Analysis Recap
Figure 8: Execution of macros is disabled by default. Malware tries to trick users into enabling them.

In this case, the macro first decodes a PowerShell script, which in turn downloads and executes a packed PE file named “3292.exe”. This file goes through several unpacking stages and finally executes the actual payload. This fairly complicated execution process can clearly be seen in the process graph:

Process Graph Malware Unpacking - VMRay Malware Analysis Recap
Figure 9: Process graph of the malware sample’s unpacking stages.

Fully unpacked, the malware sample starts communicating with its control server by sending information about the operating system, hardware, and active processes and then waiting for further commands.

Report Name: Suspected Zeus Panda Banking Trojan

Date Released: November 30, 2017

SHA256: b34abadaa54fa828fc3d1b1540004f5dd94873918d5b3f2a3eab49272b67415b

This sample appears to be a variant of the “Zeus Panda” banking Trojan, which is well known for its awareness of the environment in which it is executed. This Trojan uses several heuristics to determine if it is being executed on a user machine or an analysis machine. The sample typically looks for vendor artifacts on the system, running processes, etc.:

Zeus Panda Banking Trojan VTI Score - VMRay Malware Analysis Recap
Figure 10: Zeus Panda banking Trojan detected threats

This malware sample is a good illustration of the importance of an agentless approach to dynamic analysis. Since VMRay Analyzer does not modify the environment in which the malware sample is executed, it cannot be detected by looking for such artifacts.