SlashNext Labs

SyncCrypt Ransomware

September 30th 2017

SlashNext has observed a major increase in malicious spam (malspam): email-based attacks that distribute ransomware through email attachments. In fact, a new ransomware was discovered just last week being distributed through spam attachments containing a Windows Script File (WSF).

A Windows Script File (WSF) allows a mix of scripting languages, such as JScript and VBScript, within a single file. The file is run by the Microsoft Windows Script Host (WScript), meaning it is launched like an executable file.

How WSF Files Work

Once the .wsf file is executed, Windows Script Host (WScript) runs the JScript, which creates a directory named “BackupClient” in %temp% and tries to download an image (.jpg) file into the %temp% directory from one of the following three URLs:

In our case, the image was downloaded from the very first URL, which communicates over a secure protocol (HTTPS/SSL). When the file is downloaded, it is renamed with a random string.

An interesting aspect of this ransomware is its steganography technique: a ZIP file that holds the files needed to infect a computer with ransomware is embedded in a .jpg image file. In the example below, “PK” is the magic number that indicates a ZIP file:

This ZIP file contains three more files:

  • sync.exe (responsible for encryption)
  • readme.png & readme.html (ransom note)

After downloading the image file, the script extracts a ZIP file from it. The code that extracts the ZIP file works as follows:

  1. Creates the outfile variable with the value [image_file_name].zip.jpg.
  2. Creates a stream object.
  3. Loads the stream from the image file at a given position.
  4. Writes the magic number “50 4b 03 04 [PK]” and the loaded stream to “[image_file_name].zip.jpg”.

The ZIP file is now created in the same %temp% directory, and its contents are extracted to the %temp%\BackupClient\ folder.

After extracting these files, the script deletes the .jpg and .zip files from the %temp% directory and creates a Windows scheduled task named “sync”, set to run 1 minute after it is scheduled.
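A defender can look for the same structure before a script ever carves it out. The following is an added example, not code from the SyncCrypt sample or from SlashNext: it checks whether a file that starts like a JPEG also carries a parseable ZIP archive and reports where the archive begins. It assumes the archive sits in the image with its headers intact and does not handle ZIP64 or multi-disk archives; the function names, the extension watch list and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8"        # JPEG start-of-image marker
ZIP_LOCAL = b"PK\x03\x04"     # 50 4b 03 04, the magic number named in the article
ZIP_EOCD = b"PK\x05\x06"      # ZIP end-of-central-directory record
RISKY_EXT = (".exe", ".bat", ".wsf", ".js", ".vbs")  # assumed watch list

def find_embedded_zip(data: bytes):
    """Return (zip_offset, member_names) if a JPEG carries a parseable ZIP, else None."""
    if not data.startswith(JPEG_SOI):
        return None
    eocd = data.rfind(ZIP_EOCD)
    if eocd == -1 or eocd + 22 > len(data):
        return None
    # EOCD bytes 12..19 hold the central directory size and its offset
    # relative to the start of the archive (little-endian uint32 each).
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    start = eocd - cd_size - cd_offset   # bytes of image data before the archive
    if start < 0 or data[start:start + 4] != ZIP_LOCAL:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            return start, zf.namelist()
    except zipfile.BadZipFile:
        return None

def risky_members(names):
    """Archive members whose extension is on the watch list."""
    return [n for n in names if n.lower().endswith(RISKY_EXT)]

def build_constructed_sample():
    """Constructed test data: a tiny fake JPEG and the same bytes with a ZIP appended."""
    jpeg = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("sync.exe", "readme.html", "readme.png"):
            zf.writestr(name, b"placeholder, not real content")
    return jpeg, jpeg + buf.getvalue()

if __name__ == "__main__":
    clean, polyglot = build_constructed_sample()
    for label, blob in (("clean", clean), ("polyglot", polyglot)):
        hit = find_embedded_zip(blob)
        print(label, hit, risky_members(hit[1]) if hit else [])
```

Deriving the archive start from the end-of-central-directory record, rather than searching for the first “PK” bytes, avoids false hits on image data that happens to contain those two bytes.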

Right after scheduling the task, a pop-up message box appears to distract the victim’s attention.

How SyncCrypt Executable Works

Once sync.exe is executed:

1. It moves the readme.html and readme.png files to the %Desktop%/README/ folder.

2. It runs the “net view” command to list all shared computers in the current network.

3. After getting the list, it uses the Windows “dir” command to generate a list of all files and stores it in a file with a random name, like “DAQMFFKBAM”, in the current directory.

4. Then it scans the “DAQMFFKBAM” file against certain file types and stores the matched file paths in a new file with a random name, like “BHNNEZFRQW”, in the same directory.

Note: While scanning, it skips the following folders:

  • Program Files\
  • Program Files (x86)\
  • %temp%\BackupClient\
  • %Desktop%\README\

5. It reads the “BHNNEZFRQW” file line by line and starts encrypting files. It then appends the “.kk” extension to the filename of each encrypted file.

6. When the encryption is finished, it adds two more files, “AMMOUNT.txt” and “KEY”, to the %Desktop%/README folder.

  • AMMOUNT.txt contains the ransom amount, 0.1001783 BTC
  • KEY is the encrypted decryption key. All files are encrypted with the AES encryption key, which is itself encrypted with the RSA-4096 public encryption key.

7. SyncCrypt opens and displays readme.html (the ransom note) in the victim’s default browser.

8. After the ransom note is served, the file removes itself by running the “tmp.bat” script.

These are the complete execution steps of sync.exe:


SHA256 Hashes:

  • 3049A568C1C1CD4D225F8F333BF05E4560C8F9DE5F167201253FEDF35142FE3E (.wsf)
  • C6565D22146045E52110FD0A13EBA3B6B63FBF6583C444D7A5B4E3A368CC4B0D (image file)
  • 877488D8F43548C6E3016ABD33E2D593A44D450F1910084733B3F369CBDCAE85 (sync.exe)

Associated Files:

  • %UserProfile%\AppData\Local\Temp\BackupClient\sync.exe
  • %UserProfile%\AppData\Local\Temp\BackupClient\tmp.bat
  • %UserProfile%\AppData\Local\Temp\BackupClient\readme.html
  • %UserProfile%\AppData\Local\Temp\BackupClient\readme.png
  • %UserProfile%\Desktop\README\AMMOUNT.txt
  • %UserProfile%\Desktop\README\KEY
  • %UserProfile%\Desktop\README\readme.html
  • %UserProfile%\Desktop\README\readme.png
  • C:\Windows\System32\Tasks\sync


  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FE99549B-A4F1-4534-9658-2AEAAE683D25}\Path \sync