Malspam Pushing BTCWare (OCEAN VARIANT) Ransomware

September 12th 2017

We recently observed a malicious spam campaign that pushes ransomware targeting Windows hosts. The adversary sends a zip archive by email with no text in the message body. The zip archive is nested: a zip archive inside another zip archive. The inner archive contains a JavaScript (.js) file carrying the malicious code.
The adversary obfuscated the JavaScript to hinder malware analysts. It is padded with repeating junk keywords, visible in the screenshot below:

After removing the repeated keywords, we recovered the following URLs:

If the (.js) file is executed, the Windows Script Host (WScript) runs code that tries to download a file named “1.dat” from the two URLs shown above. Once downloaded, the file is renamed to “[random_string].exe”, and executing it infects the computer with the ransomware.

The screenshot below shows the “1.dat” download. The response body begins with the magic number “MZ”, which indicates that the downloaded file is a Windows executable despite its “.dat” name.
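As an added example (not part of the original post or SlashNext's tooling), the following Python check reproduces the triage step described above on a proxy or sandbox: it tests whether a downloaded body is a PE image (the “MZ” stub plus the “PE\0\0” signature that e_lfanew points to) and flags the case where such an image was served under a non-executable name like “1.dat”. The sample bytes and the example URL are constructed for the demonstration.

```python
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample: a minimal DOS stub whose e_lfanew (offset 0x3C) points
# to a "PE\0\0" signature at offset 0x40. This is not the real 1.dat.
SAMPLE_PE = bytes(
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
)
# Constructed sample of a benign, non-executable download.
SAMPLE_TEXT = b"some harmless data file contents"

# Extensions under which a PE image should never be served.
NON_EXECUTABLE_EXTENSIONS = {".dat", ".txt", ".jpg", ".pdf"}


def is_pe_image(data: bytes) -> bool:
    """True if data starts with the 'MZ' stub and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_from_url(url: str) -> str:
    """Extension the server claims, taken from the path or, if present,
    from the f= query parameter (the support.php?f=1.dat pattern above)."""
    parsed = urlparse(url)
    name = parsed.path.rsplit("/", 1)[-1]
    name = parse_qs(parsed.query).get("f", [name])[0]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def flag_disguised_executable(url: str, body: bytes) -> bool:
    """True when a PE image was delivered under a non-executable file name."""
    return is_pe_image(body) and extension_from_url(url) in NON_EXECUTABLE_EXTENSIONS


if __name__ == "__main__":
    # Example URL is constructed; it only mirrors the shape of the campaign's URLs.
    url = "http://example.invalid/support.php?f=1.dat"
    print("disguised executable:", flag_disguised_executable(url, SAMPLE_PE))
```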

How the Executable Operates

Once executed, it creates a child process in a suspended state. When the child process resumes, it runs a (.bat) script that deletes all Volume Shadow Copies so that the victim cannot restore encrypted files from them. The script also removes Remote Desktop information from the system registry and resets RDP to its default configuration. The contents of the batch file are shown below:

Before it starts encrypting data, it calls “taskkill.exe” to terminate running processes such as “word”, “powerpoint” and “Notepad”, so that files currently open in those applications can also be encrypted. The screenshot below shows the complete process tree:

Encryption Process

When the encryption starts, it follows the steps below:

1. Generates a “Personal ID” for the system it is encrypting

2. Scans all drives and folders on the infected machine, but skips folders whose name contains any of the following substrings:

  • appdata
  • program files
  • program files (x86)
  • ProgramData
  • Temp
  • windows

3. Reads the files one by one and encrypts each file's contents

4. Writes the encrypted data to a new file

5. Appends the “Personal ID” to the encrypted content

6. Deletes the original file

Note: It uses AES and RSA-1024 encryption.

Screenshot of encrypted file contents and personal ID.

It also appends the “.ocean” extension to each encrypted filename.

After encrypting files, it drops an HTML file named “!back_files!.html” in every folder where files were encrypted. The HTML file tells the victim that “All your files have been encrypted!” and gives instructions for recovering them. At the end of the HTML file it shows the victim's “Personal ID”.

IOCs

http://filmcoffee.win/support.php?f=1.dat

http://cabeiriscout.faith/support.php?f=1.dat

SHA256 HASHES

BTCWARE (OCEAN VARIANT) RANSOMWARE SAMPLE:

SHA256 hash:

8c137b7ea011e0ecd9e7ad76536e6c50c29bea3a0f277a132bfe48af1b7b8958
File description: BTCware from cabeiriscout.faith