VMRay Malware Analysis Report Recap – November ’17
December 5, 2017 | Malware Analysis
Click the links below to jump to a specific report:
- Ordinypt Wiper
- XZZX Cryptomix Ransomware Variant
- Malicious Microsoft Word Document
- Suspected Zeus Panda Banking Trojan
November 7, 2017
More interestingly, the downloaded executable uses an evasion technique, checking to see if it’s running in a virtual machine. VMRay Analyzer is designed to deal with evasive malware and makes sure that these detection attempts are dealt with appropriately.
The malicious executable then injects into the process “c:\windows\syswow64\dllhost.exe” with the goal of hiding its tracks (Figure 2).
Report Name: Ordinypt Wiper
November 10, 2017
Sometimes malware authors just want to watch the world burn. In this analysis, the Ordinypt Wiper acts like it encrypts user files but instead just deletes them.
As Figure 3 shows, this file triggers VTI rules for user file deletion as well as file creation. This behavior is in many ways similar to ransomware.
The “Behavior Information – Sequential View” (Figure 4) shows more of the file’s behavior. We can observe that files are deleted but never read; without reading a file it is obviously not possible to encrypt it.
However, this file tries to hide this fact by creating a new file with a random name for each deleted file. These actions are repeated over and over again for each user file. We can also see that the file simply deletes the file “Wo_sind_meine_dateien.html” (German for “where are my files”) and writes it again each time.
Report Name: XZZX Cryptomix Ransomware Variant
November 14, 2017
This variant of XZZX Cryptomix ransomware only starts encrypting files after a restart.
On initial infection, this file simply hides its presence using various methods: changing folder appearances, using an alternate data stream, and turning off essential Windows security services.
To stay in control after a reboot, the file adds an entry to the Windows startup registry.
After a reboot, the sample starts to encrypt user files. We can see this behavior in the process graph (Figure 7). Initially, only cmd.exe processes are created to hide the sample’s tracks, followed by a reboot where the actual encryption takes place. We can also see the process then spawns “notepad.exe” to provide the message shown in Figure 5.
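The two behavioral distinctions described in the Ordinypt and XZZX reports above (files deleted without ever being read, versus read and then deleted; a ransom note deleted and rewritten for every file; a startup registry entry added for persistence) can be turned into a small triage heuristic over a sequential behavior log. The following is an added example, not VMRay code and not VMRay Analyzer's output format: the event lines, the `#<seq> <Operation> <target>` syntax, the file paths and the `.enc` extension are all constructed for illustration.

```python
import re

# Constructed event logs in a made-up "#<seq> <Op> <target>" format (not
# VMRay's sequential view). Paths and names are illustrative only.
WIPER_EVENTS = r"""
#1 DeleteFile C:\Users\victim\Documents\report.docx
#2 CreateFile C:\Users\victim\Documents\Qx7Ks2ab.dat
#3 DeleteFile C:\Users\victim\Pictures\holiday.jpg
#4 CreateFile C:\Users\victim\Pictures\Zm91mQpe.dat
#5 DeleteFile C:\Users\victim\Pictures\Wo_sind_meine_dateien.html
#6 CreateFile C:\Users\victim\Pictures\Wo_sind_meine_dateien.html
"""

RANSOMWARE_EVENTS = r"""
#1 ReadFile C:\Users\victim\Documents\report.docx
#2 CreateFile C:\Users\victim\Documents\report.docx.enc
#3 WriteFile C:\Users\victim\Documents\report.docx.enc
#4 DeleteFile C:\Users\victim\Documents\report.docx
#5 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = C:\Users\victim\AppData\Roaming\upd.exe
"""

EVENT_RE = re.compile(r"^#(\d+)\s+(\w+)\s+(.+)$")
# Matches the per-user and per-machine autostart keys (Run / RunOnce).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_events(text):
    """Parse '#<seq> <Op> <target>' lines into (seq, op, target) tuples.

    Registry events carry 'key = data'; only the key path is kept.
    Targets are lower-cased so that Windows paths compare case-insensitively.
    """
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        seq, op, target = m.groups()
        target = target.split(" = ", 1)[0]
        events.append((int(seq), op, target.lower()))
    return events


def triage(events):
    """Classify destructive file activity and note persistence.

    A file that is deleted without a preceding read cannot have been
    encrypted, so a log dominated by such deletions looks like a wiper;
    read-then-delete sequences are consistent with ransomware.
    """
    read, deleted = set(), set()
    read_before_delete, deleted_unread = [], []
    recreated_after_delete, run_keys = [], []
    for _, op, target in events:
        if op == "ReadFile":
            read.add(target)
        elif op == "DeleteFile":
            (read_before_delete if target in read else deleted_unread).append(target)
            deleted.add(target)
        elif op == "CreateFile" and target in deleted:
            # Same path deleted and written again: ransom-note churn pattern.
            recreated_after_delete.append(target)
        elif op == "RegSetValue" and RUN_KEY_RE.search(target):
            run_keys.append(target)

    if deleted_unread and len(deleted_unread) >= len(read_before_delete):
        verdict = "wiper-like: files deleted without being read"
    elif read_before_delete:
        verdict = "ransomware-like: files read before deletion"
    else:
        verdict = "no destructive file activity"

    return {
        "verdict": verdict,
        "read_before_delete": read_before_delete,
        "deleted_unread": deleted_unread,
        "recreated_after_delete": recreated_after_delete,
        "run_keys": run_keys,
    }


if __name__ == "__main__":
    for name, log in (("wiper", WIPER_EVENTS), ("ransomware", RANSOMWARE_EVENTS)):
        result = triage(parse_events(log))
        print(f"{name}: {result['verdict']}; "
              f"persistence keys: {len(result['run_keys'])}; "
              f"recreated: {result['recreated_after_delete']}")
```

The heuristic deliberately keys on the read/delete relationship rather than on file names or extensions, since the Ordinypt sample creates plausible-looking output files precisely to mimic encryption; the recreated-file list and the Run-key list are reported separately so an analyst can see the note-rewriting and persistence behaviour alongside the verdict.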
Report Name: Malicious Microsoft Word Document
November 28, 2017
Documents are often used as the first stage of a malware infection. Most of these documents simply use embedded macros for further infection. However, since macros are usually not executed by default, the malware needs to trick the user into enabling their execution:
In this case, the macro first decodes a PowerShell script which in turn downloads and executes a packed PE file named “3292.exe”. This file goes through several unpacking stages and finally executes the actual payload. This fairly complicated execution process can clearly be seen in the process graph:
Fully unpacked, the malware sample starts communicating with its control server by sending information about the operating system, hardware, and active processes and then waiting for further commands.
Report Name: Suspected Zeus Panda Banking Trojan
November 30, 2017
This sample appears to be a variant of the “Zeus Panda” banking Trojan, which is well known for its awareness of the environment in which it is executed. This Trojan uses several heuristics to determine if it is being executed on a user machine or an analysis machine. The sample typically looks for vendor artifacts on the system, running processes, etc.:
This malware sample is a good illustration of the importance of an agentless approach to dynamic analysis. Since VMRay Analyzer does not modify the environment in which the malware sample is executed, it cannot be detected by looking for such artifacts.