
We recently observed a malicious spam (malspam) campaign that pushes ransomware targeting Windows hosts. The adversary sends a zip archive in an email with no text in the message body. The zip archive is double-wrapped: a zip archive inside another zip archive. The inner zip archive contains a JavaScript (.js) file that carries the malicious code.
The adversary obfuscated the JavaScript to hinder malware analysts. It contains repeating junk keywords, visible in the screenshot below:

After deleting the repeated keywords, we recovered the following URLs:
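The keyword-stripping step described above, as an added example that is not part of the original post. The sample script, the junk keyword "QwErTyQ" and the `.invalid` hosts are all constructed placeholders (the real keyword and URLs only appear in the post's screenshots); the heuristic assumes the junk keyword is a long alphanumeric run that recurs far more often than any legitimate identifier.

```python
import re
from collections import Counter

# Constructed stand-in for the obfuscated downloader: a junk keyword ("QwErTyQ")
# is spliced into the string literals. The real script's keyword and URLs only
# appear in the post's screenshots; the .invalid hosts here are placeholders.
SAMPLE_SCRIPT = (
    'var QwErTyQ = "QwErTyQ";\n'
    'var a = "htQwErTyQtp://files.exaQwErTyQmple.invalid/1.dat";\n'
    'var b = "http://QwErTyQmirror.example.invalid/1QwErTyQ.dat";\n'
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def find_junk_token(script, min_len=5, max_len=32, min_count=5):
    """Return the longest alphanumeric substring that recurs at least min_count
    times, or None. Legitimate identifiers rarely repeat this often as one fixed
    run, so the most frequent long run is a good candidate for the junk keyword."""
    for k in range(max_len, min_len - 1, -1):
        counts = Counter(script[i:i + k] for i in range(len(script) - k + 1))
        candidates = [(s, n) for s, n in counts.items() if n >= min_count and s.isalnum()]
        if candidates:
            return max(candidates, key=lambda sn: sn[1])[0]
    return None


def strip_token(script, token):
    """Delete every occurrence of the junk keyword (the 'delete the repeated
    keywords' step from the analysis above)."""
    return script.replace(token, "")


def extract_urls(text):
    """Pull http(s) URLs out of the cleaned script, in order of appearance."""
    return URL_RE.findall(text)


def deobfuscate(script):
    """Full pipeline: locate the junk keyword, remove it, extract the URLs.
    Returns (keyword_or_None, [urls])."""
    token = find_junk_token(script)
    cleaned = strip_token(script, token) if token else script
    return token, extract_urls(cleaned)


if __name__ == "__main__":
    token, urls = deobfuscate(SAMPLE_SCRIPT)
    print("junk keyword:", token)
    for u in urls:
        print("url:", u)
```

The substring count is quadratic in script length, which is fine for a few-kilobyte downloader; for large scripts, lower `max_len` or count only substrings inside quoted literals.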

If the .js file is executed, the Windows Script Host (WScript) runs code that tries to download a file named “1.dat” from the two URLs above. Once downloaded, the file is renamed to “[random_string].exe” and executed, which infects the computer with ransomware.

The screenshot below shows the download of the “1.dat” file. The response body starts with the magic number “MZ”, which indicates that the downloaded file is a Windows executable.
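Two checks a mail gateway or analyst would apply to this delivery chain, as an added example rather than code from the original post: walking a double-wrapped zip in memory to find script members without extracting anything to disk, and confirming the “MZ” magic (plus the PE signature behind it) on a downloaded payload. The archive, member name and header bytes are constructed here; only the `DIy.js` filename comes from the post's indicator list.

```python
import io
import struct
import zipfile

# Script types the Windows Script Host / mshta runs straight from a double-click.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate huge members (zip-bomb guard)


def find_scripts_in_zip(data, max_depth=3, _depth=0, _prefix=""):
    """Walk a zip archive held in memory, recursing into zip members, and
    return [{'path': 'outer member/inner member', 'depth': n}] for every script
    file found. Nothing is written to disk."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            name = info.filename
            full = f"{_prefix}/{name}" if _prefix else name
            lower = name.lower()
            if lower.endswith(SCRIPT_EXTS):
                findings.append({"path": full, "depth": _depth})
            elif lower.endswith(".zip") and _depth < max_depth and info.file_size <= MAX_MEMBER_BYTES:
                findings.extend(find_scripts_in_zip(zf.read(info), max_depth, _depth + 1, full))
    return findings


def pe_header_info(data):
    """Check the two markers of a Windows executable: the 'MZ' magic at offset 0
    (what the screenshot above shows) and the 'PE\\0\\0' signature at the offset
    stored in the DOS header's e_lfanew field (offset 0x3C)."""
    result = {"mz": data[:2] == b"MZ", "pe_signature": False}
    if result["mz"] and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        result["pe_signature"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return result


def build_sample_attachment():
    """Constructed double-wrapped archive mirroring the delivery chain:
    outer.zip -> inner.zip -> DIy.js (the .js body here is a harmless comment)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("DIy.js", "// constructed placeholder, not the campaign's script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def build_sample_pe_stub():
    """Constructed bytes with a valid DOS header pointer and PE signature, enough
    for pe_header_info(); it is not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(dos) + b"PE\x00\x00"


if __name__ == "__main__":
    print(find_scripts_in_zip(build_sample_attachment()))
    print(pe_header_info(build_sample_pe_stub()))
```

A script found at depth 1 or deeper inside an email attachment is a strong gateway block signal on its own; the size cap and depth limit keep a crafted archive from exhausting the scanner.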

How the Executable Operates

Once executed, it creates a child process in a suspended state. When the child process resumes, it runs a batch (.bat) script that deletes all Volume Shadow Copies so that the victim cannot restore encrypted files from them. The script also removes Remote Desktop information from the system registry and then sets the RDP configuration back to its defaults. The contents of the batch file are shown below:

Before it starts encrypting data, it calls “taskkill.exe” to terminate some running processes, such as “word”, “powerpoint” and “Notepad”, so that files those applications currently hold open can be encrypted too. The screenshot below shows the complete process tree:
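Detection logic for the behaviour described in the two paragraphs above, added here as an example and not taken from the post: it scores Sysmon-style process-creation events per process tree, so that shadow-copy deletion, a batch file launched from a user-writable path, an RDP-related registry change and a taskkill of user applications all landing under one root raises a single alert. The events are constructed; the post shows the batch file only as a screenshot, so the `vssadmin` and `reg` command lines, the `winword.exe`/`powerpnt.exe` process names and the `USER_WRITABLE` paths are assumptions about what such telemetry looks like.

```python
# Constructed process-creation events (Sysmon-style fields), not real telemetry.
# pid 100 plays the ransomware executable; 200/201 are benign noise. The batch
# file's actual commands are only visible in the post's screenshot, so the
# vssadmin/reg lines below are an assumption about what such a script runs.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 50, "image": r"C:\Users\victim\AppData\Local\Temp\a1b2c3.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\Temp\a1b2c3.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\a1b2c3.exe",
     "cmdline": r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\clean.bat"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'reg delete "HKCU\Software\Microsoft\Terminal Server Client" /f'},
    {"pid": 104, "ppid": 100, "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\a1b2c3.exe",
     "cmdline": "taskkill /f /im winword.exe /im powerpnt.exe /im notepad.exe"},
    {"pid": 200, "ppid": 60, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"pid": 201, "ppid": 70, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "vssadmin list shadows"},
]

# Assumed heuristics: paths an unprivileged user can write to, and the process
# names behind the "word", "powerpoint", "Notepad" kills mentioned above.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
USER_APPS = ("winword", "powerpnt", "excel", "outlook", "notepad")


def match_rules(ev):
    """Return the names of every rule a single event trips."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower()
    parent = ev["parent_image"].lower()
    hits = []
    if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        hits.append("shadow_copy_deletion")
    if image == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd:
        hits.append("shadow_copy_deletion")
    if image == "cmd.exe" and ".bat" in cmd and any(d in parent for d in USER_WRITABLE):
        hits.append("batch_from_user_writable_parent")
    if image == "reg.exe" and "terminal server" in cmd:
        hits.append("rdp_registry_change")
    if image == "taskkill.exe" and "/im" in cmd and any(a in cmd for a in USER_APPS):
        hits.append("taskkill_user_apps")
    return hits


def tree_root(pid, parents, max_hops=64):
    """Follow ppid links up to the first process whose parent is not in the log
    (bounded, since pid reuse can make real logs cyclic)."""
    for _ in range(max_hops):
        if parents.get(pid) not in parents:
            break
        pid = parents[pid]
    return pid


def analyze(events, min_rules=2):
    """Aggregate rule hits per process tree; return {root_pid: sorted rule names}
    for every tree that tripped at least min_rules distinct rules."""
    parents = {ev["pid"]: ev["ppid"] for ev in events}
    hits_by_root = {}
    for ev in events:
        for rule in match_rules(ev):
            hits_by_root.setdefault(tree_root(ev["pid"], parents), set()).add(rule)
    return {root: sorted(rules) for root, rules in hits_by_root.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for root, rules in analyze(SAMPLE_EVENTS).items():
        print(f"alert: process tree rooted at pid {root}: {', '.join(rules)}")
```

Requiring two distinct rules under one root keeps a lone `vssadmin list shadows` or an administrator's legitimate `taskkill` from paging anyone, while the grouped pattern the post describes still surfaces as one alert.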

Encryption Process

When the encryption starts, it follows the steps below:

1. Generates a “Personal ID” for the current system it is encrypting

2. Scans all drives and folders on the infected machine, but skips folders whose names contain any of the following substrings:

  • appdata
  • program files
  • program files (x86)
  • ProgramData
  • Temp
  • windows

3. Reads the files one by one and encrypts their contents

4. Writes the encrypted data to a new file

5. Appends the “Personal ID” to the encrypted content

6. Deletes the original file

Note: It uses AES and RSA-1024 encryption.

Screenshot of encrypted file contents and personal ID.

It also adds “.ocean” extension at the end of each encrypted filename.

After encrypting the files, it drops an HTML file named “!back_files!.html” into every folder in which files were encrypted. That HTML file tells the victim that “All your files have been encrypted!” and gives instructions on how to recover them. At the end of the HTML file it shows the victim's “Personal ID”.
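A scoping tool for incident response built on the two artefacts just described (the “.ocean” extension and the “!back_files!.html” note), added as an example and not part of the original post. It walks a file tree and reports, per folder, how many encrypted files exist, whether the note was dropped, and which originals survived beside their encrypted copy (a sign the run was interrupted there). The directory layout it scans is constructed in a temporary directory.

```python
import os
import tempfile

ENCRYPTED_EXT = ".ocean"           # extension this family appends to encrypted files
RANSOM_NOTE = "!back_files!.html"  # note dropped in every affected folder


def scan_tree(root):
    """Walk root and report, per folder: how many .ocean files it holds, whether
    the ransom note is present, and which originals survived (an original still
    sitting beside its .ocean copy suggests encryption was interrupted there)."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        names = set(filenames)
        encrypted = [f for f in filenames if f.lower().endswith(ENCRYPTED_EXT)]
        has_note = RANSOM_NOTE in names
        if not encrypted and not has_note:
            continue
        survivors = sorted(f[:-len(ENCRYPTED_EXT)] for f in encrypted
                           if f[:-len(ENCRYPTED_EXT)] in names)
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        report[rel] = {"encrypted": len(encrypted), "note": has_note, "originals_left": survivors}
    return report


def summarize(report):
    """Roll the per-folder report up into the numbers an IR lead asks for first."""
    return {
        "folders_hit": len(report),
        "files_encrypted": sum(r["encrypted"] for r in report.values()),
        "notes_found": sum(1 for r in report.values() if r["note"]),
        "folders_missing_note": sorted(d for d, r in report.items()
                                       if r["encrypted"] and not r["note"]),
    }


def build_sample_tree():
    """Constructed victim layout in a temporary directory; returns its path."""
    root = tempfile.mkdtemp(prefix="ocean_triage_")
    layout = {
        "docs": ["report.docx.ocean", "budget.xlsx.ocean", RANSOM_NOTE],
        "pictures": ["holiday.jpg.ocean", "holiday.jpg"],  # original not yet deleted
        "clean": ["readme.txt"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    rep = scan_tree(sample)
    for folder, row in rep.items():
        print(folder, row)
    print(summarize(rep))
```

Folders with encrypted files but no note, and folders where originals survived, are the first places to look for an interrupted run and for files that can still be recovered without the attacker's key.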

SHA256 hashes of the zip attachments seen in this campaign:

  • 45c0a3a39459334c25bc82f2c9da40f7837750f28414d4ab667fd619c225e36e – EMAIL_20688570373232_[recipient].zip
  • e4a210b6a0c9b3bcb5d43880ec150a5f3a42206c31ec553c9309c4b336419a24 – EMAIL_25183581302350_[recipient].zip
  • fd474697a5a81c82589012a859318f0232717575476f7819af8b4c7f50acc21f – EMAIL_29947_[recipient].zip
  • a23cb27fd3354d2e0f5ad898ad482196ab32fb571ab7edb02fba50fe35f718b5 – EMAIL_537710951959_[recipient].zip
  • a52b3db623f2b2a9cedf0e4c0a6358a0791d65e50cb0229425c4bacd0888f361 – EMAIL_709519255837_[recipient].zip

SHA256 hashes of the JavaScript files extracted from the archives:

  • 9b5697e2341ccb16a9c70f15daf3e0b6d890e974ccd3c6a594daa7753aec050e – DIy.js
  • b335f7e2416d76f457147ce1550560890e7582840a246d95cdf08d64f0384056 – WywP.js
  • d5afe2e525f2d8810cfbdec709353e79a21b5f7b2c9999fc108a4a0bbb0ceb45 – bToVk9U5.js
  • ef1f4c5a5581333f3091fa13cec4a1fc94609bad92e2de3c7cd045329e34bf45 – jPWwTL89A.js
  • 5141a89e6fed2838a8107c83b218b2dd158a03623cd12b3e781bdb3342d559c8 – sowga.js


SHA256 hash:

File description:  BTCware from