After stripping the repeated filler keywords from the script, we recovered the two download URLs (listed with the other indicators at the end of this post).
If the (.js) file is executed, Windows Script Host (wscript.exe) runs code that tries to download a file named "1.dat" from those two URLs. The downloaded payload is saved to disk as "[random_string].exe", which, when executed, infects the computer with the ransomware.
The screenshot below shows the "1.dat" file being downloaded. The response body begins with the magic number "MZ", which indicates that the downloaded file is a Windows executable (a PE file) despite its .dat extension.
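A check for the point above, as an added example (not code from the original analysis): rather than trusting the ".dat" extension or the first two bytes alone, parse the DOS header, follow e_lfanew to the NT headers and confirm the "PE\0\0" signature, because "MZ" also turns up in stray DOS stubs and padded junk. The sample blobs below are constructed inline and are not the real 1.dat or the real server responses.

```python
import struct

DOS_HEADER_SIZE = 0x40   # IMAGE_DOS_HEADER is 64 bytes; e_lfanew lives at offset 0x3C
PE_OFFSET = 0x80         # where the constructed sample places its NT headers

def build_fake_pe():
    """Constructed minimal PE-like header (not a runnable binary) for the demo."""
    buf = bytearray(PE_OFFSET + 24)
    buf[0:2] = b"MZ"                                    # e_magic
    struct.pack_into("<I", buf, 0x3C, PE_OFFSET)        # e_lfanew -> IMAGE_NT_HEADERS
    buf[PE_OFFSET:PE_OFFSET + 4] = b"PE\0\0"            # NT signature
    struct.pack_into("<H", buf, PE_OFFSET + 4, 0x014C)  # IMAGE_FILE_HEADER.Machine = i386
    return bytes(buf)

FAKE_PE = build_fake_pe()
FAKE_HTML = b"<html><body>support.php</body></html>"   # constructed: an error page instead of a payload
MZ_ONLY = b"MZ" + b"\x00" * 100                          # constructed: "MZ" but no NT headers

def classify_payload(blob):
    """Return 'pe', 'mz-only' or 'not-pe' for a downloaded blob."""
    if len(blob) < DOS_HEADER_SIZE or blob[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # NT headers must fit inside the blob and carry the "PE\0\0" signature
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "mz-only"
    return "pe"

def machine_type(blob):
    """Architecture from IMAGE_FILE_HEADER.Machine, or None if the blob is not a PE."""
    if classify_payload(blob) != "pe":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
    return {0x014C: "x86", 0x8664: "x64"}.get(machine, hex(machine))

if __name__ == "__main__":
    for name, blob in (("fake_pe", FAKE_PE), ("html", FAKE_HTML), ("mz_only", MZ_ONLY)):
        print(name, classify_payload(blob), machine_type(blob))
```

In a sandbox the same check is worth applying to every response the script fetches, whatever the extension or Content-Type header claims, and the Machine field tells you which architecture to run the dropped executable under.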
How the Executable Operates
Once executed, it creates a child process in a suspended state. When the child process is resumed, it runs a (.bat) script that deletes all Volume Shadow Copies so that the victim cannot restore encrypted files from them. The same script also removes Remote Desktop information from the registry and resets RDP to its default configuration. The contents of the batch file are shown below:
Before it starts encrypting data, it calls "taskkill.exe" to terminate running processes such as Word, PowerPoint and Notepad, so that files currently open in those applications can be encrypted as well. The screenshot below shows the complete process tree:
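To turn the process tree described above into a detection, here is an added example (not code from the original post) that runs three command-line rules over a constructed set of process-creation events and correlates the hits up the process tree to the wscript.exe root, so that one shadow-copy deletion plus one taskkill in the same tree fire together while a lone "vssadmin list shadows" does not. The events, the PIDs, the temp-folder paths and the executable name abc123.exe are invented; the vssadmin/wmic commands are the usual ways a batch file deletes shadow copies and are an assumption, since the page does not reproduce the script. winword.exe and powerpnt.exe are the image names of the "word" and "powerpoint" processes mentioned above.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (pid, ppid, image, command line).
# Invented for this example; not telemetry from the sample.
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\DIy.js"'),
    (300, 200, "abc123.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\abc123.exe"),
    (310, 300, "abc123.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\abc123.exe"),   # child created suspended
    (320, 310, "cmd.exe", 'cmd.exe /c "C:\\Users\\u\\AppData\\Local\\Temp\\x.bat"'),
    (330, 320, "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (340, 310, "taskkill.exe", "taskkill.exe /f /im winword.exe"),
    (350, 310, "taskkill.exe", "taskkill.exe /f /im powerpnt.exe"),
    (400, 100, "cmd.exe", "cmd.exe /c dir"),                            # benign shell use
    (500, 1, "vssadmin.exe", "vssadmin.exe list shadows"),             # benign: lists, does not delete
]

# Behaviours from the analysis as command-line patterns. The shadow-copy commands are
# assumed (the page does not show the batch file); the rest follow the process tree.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("kill_document_apps",
     re.compile(r"taskkill(\.exe)?.*/im\s+(winword|powerpnt|excel|notepad)\.exe", re.I)),
    ("batch_from_temp",
     re.compile(r'cmd(\.exe)?\s+/c\s+"?[^"]*\\temp\\[^"]*\.bat', re.I)),
]

# Attribution stops below these ancestors: a hit is credited to the child directly under them.
ROOT_BOUNDARY = {"explorer.exe", "services.exe"}

def match_rules(cmdline):
    return [name for name, rx in RULES if rx.search(cmdline)]

def ancestry(events, pid):
    """Images from pid up to the top of the recorded tree, nearest first."""
    by_pid = {e[0]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        _, ppid, image, _ = by_pid[pid]
        chain.append(image)
        pid = ppid
    return chain

def root_of(by_pid, pid):
    """Walk up until the parent is unrecorded or a boundary process; return that pid."""
    seen = set()
    while pid not in seen:
        seen.add(pid)
        ppid = by_pid[pid][1]
        if ppid not in by_pid or by_pid[ppid][2] in ROOT_BOUNDARY:
            return pid
        pid = ppid
    return pid

def detect(events, min_rules=2):
    """Return {root pid: sorted rule names} for trees tripping at least min_rules rules."""
    by_pid = {e[0]: e for e in events}
    hits = defaultdict(set)
    for pid, _, _, cmdline in events:
        for name in match_rules(cmdline):
            hits[root_of(by_pid, pid)].add(name)
    return {root: sorted(names) for root, names in hits.items() if len(names) >= min_rules}

if __name__ == "__main__":
    for root, names in detect(EVENTS).items():
        print(root, ancestry(EVENTS, root), names)
```

The correlation key is the tree root, not the individual process: the batch file runs under cmd.exe while the taskkill calls are children of the hollowed executable, so a per-process rule would see each of them in isolation.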
When the encryption starts, it follows the steps below:
1. Generates a “Personal ID” for the current system it is encrypting
2. Scans every drive and folder on the infected machine but skips folders whose names contain the following substrings:
- program files
- program files (x86)
3. Reads each file and encrypts its contents
4. Writes the encrypted data to a new file
5. Appends the "Personal ID" to the encrypted content
6. Deletes the original file
Note: the encryption uses AES together with RSA-1024.
Screenshot of encrypted file contents and the personal ID.
It also appends the ".ocean" extension to each encrypted filename.
After encrypting files, it drops an HTML file named "!back_files!.html" in every folder in which files were encrypted. The HTML file tells the victim that "All your files have been encrypted!", gives instructions on how to recover the files, and ends with the victim's "Personal ID".
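The behaviour above (folder exclusion, Personal ID appended to the ciphertext, ".ocean" extension and the "!back_files!.html" note) can be turned into a triage script for an affected host. This is an added example, not the malware's own code and not part of the original analysis: it builds a constructed directory layout in a temporary folder, applies the same exclusion rule to show which files the encryptor would have reached, lists encrypted files and notes, pulls the Personal ID out of the note and confirms that the same ID sits at the tail of an encrypted file. The ID format (a run of letters and digits after the words "Personal ID"), the case-insensitive folder match and every sample file are assumptions made for the example.

```python
import os
import re
import tempfile

ENCRYPTED_EXT = ".ocean"
NOTE_NAME = "!back_files!.html"
# Folder-name substrings the encryptor skips, as listed in the analysis. "program files (x86)"
# already contains "program files", so the first entry matches both; both kept for fidelity.
EXCLUDED_SUBSTRINGS = ("program files", "program files (x86)")
# Assumed ID format: letters/digits following "Personal ID" in the note.
ID_PATTERN = re.compile(r"Personal ID[^A-Za-z0-9]*([A-Za-z0-9]+)")

def is_excluded_folder(name):
    """Case-insensitive substring match is an assumption; the page lists lowercase names."""
    lowered = name.lower()
    return any(s in lowered for s in EXCLUDED_SUBSTRINGS)

def files_in_scope(root):
    """Files the encryptor would reach under root, applying its folder exclusion."""
    reached = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not is_excluded_folder(d)]   # prune skipped folders
        reached.extend(os.path.join(dirpath, f) for f in filenames)
    return sorted(reached)

def personal_ids_from_note(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return ID_PATTERN.findall(fh.read())

def triage(root):
    """Return (encrypted files, ransom notes, set of Personal IDs) found anywhere under root."""
    encrypted, notes, ids = [], [], set()
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            p = os.path.join(dirpath, f)
            if f.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(p)
            elif f == NOTE_NAME:
                notes.append(p)
                ids.update(personal_ids_from_note(p))
    return sorted(encrypted), sorted(notes), ids

def id_in_tail(path, personal_id, tail_bytes=4096):
    """Step 5 appends the ID to the encrypted content, so it should sit near the end of the file."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - tail_bytes))
        return personal_id.encode() in fh.read()

def build_demo_tree():
    """Constructed victim layout in a temp folder; the files and the ID are invented."""
    root = tempfile.mkdtemp(prefix="ocean-demo-")
    docs = os.path.join(root, "Users", "victim", "Documents")
    prog = os.path.join(root, "Program Files", "SomeApp")
    os.makedirs(docs)
    os.makedirs(prog)
    with open(os.path.join(docs, "report.docx" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(os.urandom(512) + b"ABCD1234EF")      # pseudo-ciphertext, then the appended ID
    with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("<html><body>All your files have been encrypted!<br>"
                 "Personal ID: ABCD1234EF</body></html>")
    with open(os.path.join(prog, "app.exe"), "wb") as fh:
        fh.write(b"MZ untouched")                        # under an excluded folder, left alone
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    print("in scope:", files_in_scope(demo))
    enc, notes, ids = triage(demo)
    print("encrypted:", enc, "notes:", notes, "ids:", ids)
    print("id at tail:", [id_in_tail(p, i) for p in enc for i in ids])
```

Matching the ID in the note against the tail of each ".ocean" file is a quick way to confirm that a given encrypted file belongs to the same infection as the note next to it before anything is sent off for recovery.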
DOWNLOAD URLS:
- http://filmcoffee.win/support.php?f=1.dat
- http://cabeiriscout.faith/support.php?f=1.dat
FILE ATTACHMENTS (ZIP ARCHIVES):
- 45c0a3a39459334c25bc82f2c9da40f7837750f28414d4ab667fd619c225e36e – EMAIL_20688570373232_[recipient].zip
- e4a210b6a0c9b3bcb5d43880ec150a5f3a42206c31ec553c9309c4b336419a24 – EMAIL_25183581302350_[recipient].zip
- fd474697a5a81c82589012a859318f0232717575476f7819af8b4c7f50acc21f – EMAIL_29947_[recipient].zip
- a23cb27fd3354d2e0f5ad898ad482196ab32fb571ab7edb02fba50fe35f718b5 – EMAIL_537710951959_[recipient].zip
- a52b3db623f2b2a9cedf0e4c0a6358a0791d65e50cb0229425c4bacd0888f361 – EMAIL_709519255837_[recipient].zip
EXTRACTED .JS FILES:
- 9b5697e2341ccb16a9c70f15daf3e0b6d890e974ccd3c6a594daa7753aec050e – DIy.js
- b335f7e2416d76f457147ce1550560890e7582840a246d95cdf08d64f0384056 – WywP.js
- d5afe2e525f2d8810cfbdec709353e79a21b5f7b2c9999fc108a4a0bbb0ceb45 – bToVk9U5.js
- ef1f4c5a5581333f3091fa13cec4a1fc94609bad92e2de3c7cd045329e34bf45 – jPWwTL89A.js
- 5141a89e6fed2838a8107c83b218b2dd158a03623cd12b3e781bdb3342d559c8 – sowga.js
BTCWARE (OCEAN VARIANT) RANSOMWARE SAMPLE:
File description: BTCware from cabeiriscout.faith