SlashNext Labs

JS based PHP Ransomware

September 30th 2017

Malicious spam campaigns are among hackers’ favorite delivery channels for spreading malware to their targets. Recently, we observed a malspam campaign delivering ransomware through spam email attachments containing a “.js” file named “UPS-Receipt-01878098.doc.js”. On execution, this “.js” script downloads a PHP file which infects the user’s computer with ransomware, so we named this ransomware PHP Ransomware.

PHP Ransomware is a new type of ransomware. Its intent is the same as any other ransomware, but its implementation is rather different, in that it is rare to use a PHP script for encryption. First, it uses a 128-bit AES key for file encryption, and then it encrypts the AES key with RSA-2048.

After encryption, the ransomware changes the desktop background and displays a pop-up ransom note via a “.hta” file. The ransom note asks the victim to create a bitcoin wallet and send a specific amount of bitcoins to the given address.

Working Behavior

Once the “.js” file is executed, Windows Service (Wscript.exe) executes the JavaScript code and downloads the following files into the %temp% directory.

Note: File names are the bitcoin addresses to pay the ransom.

The files above are downloaded from the following CnC:

Right after adding the malicious files, the ransomware opens a Word document to distract the victim and executes a file named “1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.exe” in the background. The Word document contains the dialog shown below:

The file “1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.exe” parses a PHP script and then executes it by passing these three command line arguments:

  1. bitcoin_address
  2. ransom price
  3. RSA Public Key

These are the steps followed by the actual PHP script responsible for encryption.

1. First it scans all system drives based on the following file extensions:

2. Then it processes the files one after another. For each file, it generates a unique 128-bit AES key and encrypts the first 100 KB of that file with the generated key. A new key is generated for every file.

3. In the next step, it encrypts the AES key with RSA-2048.

4. After RSA-2048 encryption of the file, the ransomware writes the name of the encrypted file, the encrypted AES key and the first 100 KB of the file, encoded with base64, to the “.db” file. The “.db” file is named “1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.db” and is later used for decryption. Every record is written on a separate line in the “.db” file. The following code snippet is responsible for encryption.

5. After encryption, it creates a “.hta” file and places it on the Desktop.

6. The ransomware then creates a “.bmp” image file and sets it as the desktop background.

7. Then it creates two registry entries for the “.hta” and “.bmp” file extensions and deletes all of the shadow copies.


SHA1 Hashes

  • 35d6faf81a561ab6fecc38ec114d3524755afffe 1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.php
  • 521fd3420a3939cfd10b181a41d6334728f41cd1 1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.exe
  • 8fe7fcb238995fd55aabfdfa467ff0e648699fe0 1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.doc
  • d3fec52813340d943dcfbfc4a3e7083938ff92fe 1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.bmp
  • 85a0368ae3d18af98cda7f05ed487d00a0193809 1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.hta

Files Associated

  • C:\Users\Administrator\AppData\Local\Temp\1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.bmp
  • C:\Users\Administrator\AppData\Local\Temp\1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.db
  • C:\Users\Administrator\AppData\Local\Temp\1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.doc
  • C:\Users\Administrator\AppData\Local\Temp\1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.exe
  • C:\Users\Administrator\AppData\Local\Temp\1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.hta
  • C:\Users\Administrator\AppData\Local\Temp\1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2.php
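
The naming pattern described above (one bitcoin address used as the base name for the whole dropped file set) can be turned into a triage check over a directory listing. The following Python sketch is an added example, not code from the original analysis; the function names, the requirement that “.exe” and “.php” appear together, the three-extension threshold and the sample listing are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import PureWindowsPath

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_SHAPE = re.compile(r"^[13][%s]{25,34}$" % B58)  # legacy address shape
DROPPED_EXTS = {".php", ".exe", ".doc", ".db", ".hta", ".bmp"}  # from the write-up

def base58check_ok(s):
    """True if s decodes to 25 bytes ending in the double-SHA256 checksum."""
    n = 0
    for ch in s:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]

def find_dropped_sets(paths, min_exts=3):
    """Group paths by (directory, stem) and report address-like stems that
    occur with .exe, .php and at least min_exts of the dropped extensions."""
    groups = defaultdict(set)
    for p in map(PureWindowsPath, paths):
        ext = p.suffix.lower()
        if ext in DROPPED_EXTS and ADDR_SHAPE.match(p.stem):
            groups[(str(p.parent).lower(), p.stem)].add(ext)
    return [
        {"dir": d, "stem": stem, "exts": sorted(exts),
         "checksum_ok": base58check_ok(stem)}
        for (d, stem), exts in sorted(groups.items())
        if len(exts) >= min_exts and {".exe", ".php"} <= exts
    ]

# Constructed directory listing: the stem is the one reported on the page,
# the other entries are made-up benign files.
TEMP = "C:\\Users\\Administrator\\AppData\\Local\\Temp\\"
STEM = "1FYGEnWh2ahGeqpkdV2Ata4vpQwPBRFzt2"
SAMPLE = [TEMP + STEM + e for e in (".php", ".exe", ".doc", ".hta")] + [
    TEMP + "setup.exe", TEMP + "report.doc", TEMP + "1abc.php"]

if __name__ == "__main__":
    for hit in find_dropped_sets(SAMPLE):
        print(hit)
```

The `checksum_ok` field separates stems that are well-formed Base58Check addresses from strings that merely have the right shape, which helps rank hits when the listing comes from a large fleet.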