VMRay Malware Analysis Report Recap – November ’17
Click the links below to jump to a specific report:
- Ordinypt Wiper
- XZZX Cryptomix Ransomware Variant
- Malicious Microsoft Word Document
- Suspected Zeus Panda Banking Trojan
November 7, 2017
The malicious executable then injects into the process “c:\windows\syswow64\dllhost.exe” in order to hide its tracks (Figure 2).
Report Name: Ordinypt Wiper
November 10, 2017
Sometimes malware authors just want to watch the world burn. In this analysis, the Ordinypt Wiper behaves as if it encrypts user files but in fact simply deletes them.
As Figure 3 shows, this sample triggers VTI rules for both user file deletion and file creation, behavior that in many ways resembles ransomware.
The “Behavior Information – Sequential View” (Figure 4) shows more of the sample’s behavior: files are deleted but never read, and without reading a file it is obviously not possible to encrypt it.
The sample tries to hide this fact by creating a new file with a random name for each deleted file, and it repeats these actions for every user file. We can also see that it simply deletes the file “Wo_sind_meine_dateien.html” (German for “where are my files”) and writes it again each time.
Report Name: XZZX Cryptomix Ransomware Variant
November 14, 2017
This variant of the XZZX Cryptomix ransomware only starts encrypting files after a restart.
To remain in control after the reboot, the sample adds a startup entry to the Windows registry.
After the reboot, the sample begins encrypting user files; this behavior is visible in the process graph (Figure 7). Initially only cmd.exe processes are created, to hide the sample’s tracks, followed by a reboot after which the actual encryption takes place. The process then spawns “notepad.exe” to display the message shown in Figure 5.
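The two reports above rest on the same kind of behavioral evidence: the Ordinypt verdict comes from files being deleted without ever being read, and the XZZX persistence comes from a registry write to a startup key. The following is an added example, not VMRay’s code, a VTI rule, or either sample’s own logic. It parses a simplified, constructed behavior log in a “pid op path” form (loosely modelled on a sequential view, not real VMRay output), flags user-file deletions that were never preceded by a read by the same process, and lists registry writes under Run/RunOnce keys. The log contents, the 0.5 threshold, the “.locked” extension and the “updater” value name are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed behaviour logs in a simplified "pid op path" form, loosely
# modelled on a sandbox sequential view.  Not real VMRay output.
# The first mimics the Ordinypt pattern: delete, create a random-named file,
# delete and rewrite the note.  The second mimics a Cryptomix-style flow
# (read, write encrypted copy, delete original) plus a Run-key write.
WIPER_LOG = r"""
3100 DELETE C:\Users\bob\Documents\report.docx
3100 CREATE C:\Users\bob\Documents\kx9QzT3p.txt
3100 DELETE C:\Users\bob\Documents\Wo_sind_meine_dateien.html
3100 WRITE  C:\Users\bob\Documents\Wo_sind_meine_dateien.html
3100 DELETE C:\Users\bob\Pictures\holiday.jpg
3100 CREATE C:\Users\bob\Pictures\Qa7LmP2v.txt
3100 DELETE C:\Users\bob\Pictures\Wo_sind_meine_dateien.html
3100 WRITE  C:\Users\bob\Pictures\Wo_sind_meine_dateien.html
"""

RANSOMWARE_LOG = r"""
4120 REGWRITE HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater
4120 READ   C:\Users\bob\Documents\report.docx
4120 WRITE  C:\Users\bob\Documents\report.docx.locked
4120 DELETE C:\Users\bob\Documents\report.docx
4120 READ   C:\Users\bob\Pictures\holiday.jpg
4120 WRITE  C:\Users\bob\Pictures\holiday.jpg.locked
4120 DELETE C:\Users\bob\Pictures\holiday.jpg
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s+(.+?)\s*$")
USER_DIR_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)

# Share of deleted user files that were never read above which the sample is
# called a wiper.  Arbitrary threshold chosen for this example.
WIPER_THRESHOLD = 0.5


def parse_log(text):
    """Parse 'pid op path' lines into (pid, OP, path) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        pid, op, path = m.groups()
        events.append((int(pid), op.upper(), path))
    return events


def deleted_without_read(events):
    """Return (deleted, unread): lower-cased user-file paths that were deleted,
    and the subset that the deleting process never read beforehand."""
    reads = defaultdict(set)  # pid -> paths read so far by that process
    deleted, unread = set(), set()
    for pid, op, path in events:
        if not USER_DIR_RE.match(path):
            continue  # only files under a user profile count as "user files"
        key = path.lower()
        if op == "READ":
            reads[pid].add(key)
        elif op == "DELETE":
            deleted.add(key)
            if key not in reads[pid]:
                unread.add(key)
    return deleted, unread


def classify(events):
    """'wiper' if most deleted user files were never read, 'ransomware-like'
    if they were read first, 'no-deletion' if no user file was deleted."""
    deleted, unread = deleted_without_read(events)
    if not deleted:
        return "no-deletion"
    if len(unread) / len(deleted) >= WIPER_THRESHOLD:
        return "wiper"
    return "ransomware-like"


def find_autostart_writes(events):
    """Registry writes under a Run/RunOnce key, i.e. reboot persistence."""
    return [path for _, op, path in events
            if op == "REGWRITE" and RUN_KEY_RE.search(path)]


if __name__ == "__main__":
    for name, log in (("wiper", WIPER_LOG), ("ransomware", RANSOMWARE_LOG)):
        ev = parse_log(log)
        print(name, "->", classify(ev), "autostart:", find_autostart_writes(ev))
```

Two caveats a practitioner should keep in mind. The read-before-delete check is a heuristic, not proof: a sample that encrypts in place (read and write on the same path, no delete) lands in “no-deletion”, and a sample that reads files through a memory mapping may show no READ operation at all even though it does read the data. The rewritten ransom note counts as an unread deletion here, which is acceptable because it is part of the same wiper pattern the report describes.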
Report Name: Malicious Microsoft Word Document
November 28, 2017
Documents are often used as the first stage of a malware infection. Most such documents simply use embedded macros to carry out the infection. However, since macros are usually not executed by default, the malware has to trick the user into enabling them:
Fully unpacked, the sample communicates with its command-and-control server by sending information about the operating system, hardware, and running processes, and then waits for further commands.
Report Name: Suspected Zeus Panda Banking Trojan
November 30, 2017
This sample appears to be a variant of the “Zeus Panda” banking Trojan, which is well known for its awareness of the environment it runs in. The Trojan uses several heuristics to determine whether it is executing on a user’s machine or on an analysis machine, typically looking for vendor artifacts on the system, running processes, and so on: